Red Hat Enterprise Linux 9 Essentials Book now available.
Purchase a copy of Red Hat Enterprise Linux 9 (RHEL 9) Essentials
Red Hat Enterprise Linux 9 Essentials Print and eBook (PDF) editions contain 34 chapters and 298 pages
32.2. User and Group Management Tools
Managing users and groups can be a tedious task; this is why Red Hat Enterprise Linux provides tools and conventions to make them easier to manage.
The easiest way to manage users and groups is through the graphical application, User Manager (system-config-users). For more information on User Manager, refer to Section 32.1, “User and Group Configuration”.
The following command line tools can also be used to manage users and groups:
useradd, usermod, and userdel — Industry-standard methods of adding, deleting and modifying user accounts
groupadd, groupmod, and groupdel — Industry-standard methods of adding, deleting, and modifying user groups
gpasswd — Industry-standard method of administering the /etc/group file
pwck, grpck — Tools used for the verification of the password, group, and associated shadow files
pwconv, pwunconv — Tools used for the conversion of passwords to shadow passwords and back to standard passwords
32.2.1. Command Line Configuration
If you prefer command line tools or do not have the X Window System installed, use this section to configure users and groups.
32.2.2. Adding a User
To add a user to the system:
Issue the useradd command to create a locked user account:
useradd <username>
Unlock the account by issuing the passwd command to assign a password and set password aging guidelines:
<comment> can be replaced with any string. This option is generally used to specify the full name of a user.
-d<home-dir>
Home directory to be used instead of default /home/<username>/
-e<date>
Date for the account to be disabled in the format YYYY-MM-DD
-f<days>
Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not be disabled after the password expires.
-g<group-name>
Group name or group number for the user's default group. The group must exist prior to being specified here.
-G<group-list>
List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here.
-m
Create the home directory if it does not exist.
-M
Do not create the home directory.
-n
Do not create a user private group for the user.
-r
Create a system account with a UID less than 500 and without a home directory
-p<password>
The password encrypted with crypt
-s
User's login shell, which defaults to /bin/bash
-u<uid>
User ID for the user, which must be unique and greater than 499
Table 32.1. useradd Command Line Options
32.2.3. Adding a Group
To add a group to the system, use the command groupadd:
Group ID for the group, which must be unique and greater than 499
-r
Create a system group with a GID less than 500
-f
When used with -g<gid> and <gid> already exists, groupadd will choose another unique <gid> for the group.
Table 32.2. groupadd Command Line Options
32.2.4. Password Aging
For security reasons, it is advisable to require users to change their passwords periodically. This can be done when adding or editing a user on the Password Info tab of the User Manager.
To configure password expiration for a user from a shell prompt, use the chage command, followed by an option from Table 32.3, “chage Command Line Options”, followed by the username of the user.
Important
Shadow passwords must be enabled to use the chage command.
Option
Description
-m<days>
Specifies the minimum number of days between which the user must change passwords. If the value is 0, the password does not expire.
-M<days>
Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account.
-d<days>
Specifies the number of days since January 1, 1970 the password was changed
-I<days>
Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires.
-E<date>
Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.
-W<days>
Specifies the number of days before the password expiration date to warn the user.
Table 32.3. chage Command Line Options
Tip
If the chage command is followed directly by a username (with no options), it displays the current password aging values and allows them to be changed.
You can configure a password to expire the first time a user logs in. This forces users to change passwords the first time they log in.
Note
This process will not work if the user logs in using the SSH protocol.
Lock the user password — If the user does not exist, use the useradd command to create the user account, but do not give it a password so that it remains locked.
If the password is already enabled, lock it with the command:
usermod -L username
Force immediate password expiration — Type the following command:
chage -d 0 username
This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.
Unlock the account — There are two common approaches to this step. The administrator can assign an initial password or assign a null password.
Warning
Do not use the passwd command to set the password as it disables the immediate password expiration just configured.
To assign an initial password, use the following steps:
Start the command line Python interpreter with the python command. It displays the following:
Python 2.4.3 (#1, Jul 21 2006, 08:46:09)
[GCC 4.1.1 20060718 (Red Hat 4.1.1-9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>
At the prompt, type the following commands. Replace <password> with the password to encrypt and <salt> with a random combination of at least 2 of the following: any alphanumeric character, the slash (/) character or a dot (.):
The output is the encrypted password, similar to '12CsGd8FRcMSM'.
Press Ctrl-D to exit the Python interpreter.
At the shell, enter the following command (replacing <encrypted-password> with the encrypted output of the Python interpreter):
usermod -p "<encrypted-password>" <username>
Alternatively, you can assign a null password instead of an initial password. To do this, use the following command:
usermod -p "" username
Caution
Using a null password, while convenient, is a highly unsecure practice, as any third party can log in first an access the system using the unsecure username. Always make sure that the user is ready to log in before unlocking an account with a null password.
In either case, upon initial log in, the user is prompted for a new password.
32.2.5. Explaining the Process
The following steps illustrate what happens if the command useradd juan is issued on a system that has shadow passwords enabled:
A new line for juan is created in /etc/passwd. The line has the following characteristics:
It begins with the username juan.
There is an x for the password field indicating that the system is using shadow passwords.
A UID greater than 499 is created. (Under Red Hat Enterprise Linux, UIDs and GIDs below 500 are reserved for system use.)
A GID greater than 499 is created.
The optional GECOS information is left blank.
The home directory for juan is set to /home/juan/.
The default shell is set to /bin/bash.
A new line for juan is created in /etc/shadow. The line has the following characteristics:
It begins with the username juan.
Two exclamation points (!!) appear in the password field of the /etc/shadow file, which locks the account.
Note
If an encrypted password is passed using the -p flag, it is placed in the /etc/shadow file on the new line for the user.
The password is set to never expire.
A new line for a group named juan is created in /etc/group. A group with the same name as a user is called a user private group. For more
information on user private groups, refer to Section 32.1.1, “Adding a New User”.
The line created in /etc/group has the following characteristics:
It begins with the group name juan.
An x appears in the password field indicating that the system is using shadow group passwords.
The GID matches the one listed for user juan in /etc/passwd.
A new line for a group named juan is created in /etc/gshadow. The line has the following characteristics:
It begins with the group name juan.
An exclamation point (!) appears in the password field of the /etc/gshadow file, which locks the group.
All other fields are blank.
A directory for user juan is created in the /home/ directory. This directory is owned by user juan and group
juan. However, it has read, write, and execute privileges only for the user juan. All other permissions are denied.
The files within the /etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory.
At this point, a locked account called juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command
and, optionally, set password aging guidelines.