Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.
Red Hat Enterprise Linux 4: System Administration Guide
Prev Chapter 33. User and Group Configuration Next

33.5. Command Line Configuration

If you prefer command line tools or do not have the X Window System installed, use this section to configure users and groups.

33.5.1. Adding a User

To add a user to the system:

  1. Issue the useradd command to create a locked user account:

    useradd <username>

  2. Unlock the account by issuing the passwd command to assign a password and set password aging guidelines:

    passwd <username>

Command line options for useradd are detailed in Table 33-1.

Option Description
-c comment Comment for the user
-d home-dir Home directory to be used instead of default /home/username/
-e date Date for the account to be disabled in the format YYYY-MM-DD
-f days Number of days after the password expires until the account is disabled. (If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not be disabled after the password expires.)
-g group-name Group name or group number for the user's default group (The group must exist prior to being specified here.)
-G group-list List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. (The groups must exist prior to being specified here.)
-m Create the home directory if it does not exist
-M Do not create the home directory
-n Do not create a user private group for the user
-r Create a system account with a UID less than 500 and without a home directory
-p password The password encrypted with crypt
-s User's login shell, which defaults to /bin/bash
-u uid User ID for the user, which must be unique and greater than 499

Table 33-1. useradd Command Line Options

33.5.2. Adding a Group

To add a group to the system, use the command groupadd:

groupadd <group-name>

Command line options for groupadd are detailed in Table 33-2.

Option Description
-g gid Group ID for the group, which must be unique and greater than 499
-r Create a system group with a GID less than 500
-f Exit with an error if the group already exists (The group is not altered.) If -g and -f are specified, but the group already exists, the -g option is ignored

Table 33-2. groupadd Command Line Options

33.5.3. Password Aging

For security reasons, it is good practice to require users to change their passwords periodically. This can be done when adding or editing a user on the Password Info tab of the User Manager.

To configure password expiration for a user from a shell prompt, use the chage command, followed by an option from Table 33-3, followed by the username of the user.

Important Important
 

Shadow passwords must be enabled to use the chage command.
Option Description
-m days Specify the minimum number of days between which the user must change passwords. If the value is 0, the password does not expire.
-M days Specify the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account.
-d days Specify the number of days since January 1, 1970 the password was changed.
-I days Specify the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires.
-E date Specify the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.
-W days Specify the number of days before the password expiration date to warn the user.

Table 33-3. chage Command Line Options

Tip Tip
 

If the chage command is followed directly by a username (with no options), it displays the current password aging values and allows them to be changed.

If a system administrator wants a user to set a password the first time the user log in, the user's initial or null password can be set to expire immediately, forcing the user to change it immediately after logging in for the first time.

To force a user to configure a password the first time the user logs in at the console, follow these steps. Note, this process does not work if the user logs in using the SSH protocol.

  1. Lock the user's password — If the user does not exist, use the useradd command to create the user account, but do not give it a password so that it remains locked.

    If the password is already enabled, lock it with the command:

    usermod -L username

  2. Force immediate password expiration — Type the following command:

    chage -d 0 username

    This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.

  3. Unlock the account — There are two common approaches to this step. The administrator can assign an initial password or assign a null password.

    Warning Warning
     

    Do not use the passwd command to set the password as it disables the immediate password expiration just configured.

    To assign an initial password, use the following steps:

    • Start the command line Python interpreter with the python command. It displays the following:

      Python 2.2.2 (#1, Dec 10 2002, 09:57:09)
[GCC 3.2.1 20021207 (Red Hat Enterprise Linux 4 3.2.1-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>

    • At the prompt, type the following (replacing password with the password to encrypt and salt with a combination of exactly 2 upper or lower case alphabetic characters, digits, the dot (.) character, or the slash (/) character such as ab or 12):

      import crypt; print crypt.crypt("password","salt")

      The output is the encrypted password, similar to 12CsGd8FRcMSM.

    • Type [Ctrl]-[D] to exit the Python interpreter.

    • Cut and paste the exact encrypted password output, without a leading or trailing blank space, into the following command:

      usermod -p "encrypted-password" username

    Instead of assigning an initial password, a null password can be assigned using the following command:

    usermod -p "" username
    Caution Caution
     

    While using a null password is convenient for both the user and the administrator, there is a slight risk that a third party can log in first and access the system. To minimize this threat, it is recommended that the administrator verifies that the user is ready to log in when the account is unlocked.

    In either case, upon initial log in, the user is prompted for a new password.

Prev Home Next
Modifying Group Properties Up Explaining the Process

 
 
  Published under the terms of the GNU General Public License Design by Interspire