Issue the useradd command to create a locked
user account:
useradd <username>
Unlock the account by issuing the passwd
command to assign a password and set password aging
guidelines:
passwd <username>
Command line options for useradd are detailed in Table 33-1.
Option
Description
-ccomment
Comment for the user
-dhome-dir
Home directory to be used instead of default
/home/username/
-edate
Date for the account to be disabled in the
format YYYY-MM-DD
-fdays
Number of days after the password expires until the
account is disabled. (If 0 is specified,
the account is disabled immediately after the password
expires. If -1 is specified, the
account is not be disabled after the password
expires.)
-ggroup-name
Group name or group number for the user's default group
(The group must exist prior to being specified here.)
-Ggroup-list
List of
additional (other than default) group names or group numbers,
separated by commas, of which the user is a member. (The groups
must exist prior to being specified here.)
-m
Create the home directory if it does not exist
-M
Do not create the home directory
-n
Do not create a user private group for the user
-r
Create a system account with a UID less than 500 and
without a home directory
-ppassword
The password encrypted with crypt
-s
User's login shell, which defaults to
/bin/bash
-uuid
User ID for the user, which must be unique and greater
than 499
To add a group to the system, use the command groupadd:
groupadd <group-name>
Command line options for groupadd are detailed in Table 33-2.
Option
Description
-ggid
Group ID for the group, which must be unique and greater
than 499
-r
Create a system group with a GID less than 500
-f
Exit with an error if the group already exists (The group
is not altered.) If -g and -f
are specified, but the group already exists, the
-g option is ignored
For security reasons, it is good practice to require users to change
their passwords periodically. This can be done when adding or editing a
user on the Password Info tab of the
User Manager.
To configure password expiration for a user from a shell prompt, use
the chage command, followed by an option from Table 33-3, followed by the username of the user.
Important
Shadow passwords must be enabled to use the chage
command.
Option
Description
-mdays
Specify the minimum number of days between which the user
must change passwords. If the value is 0, the password does
not expire.
-Mdays
Specify the maximum number of days for which the password
is valid. When the number of days specified by this option
plus the number of days specified with the -d
option is less than the current day, the user must change
passwords before using the account.
-ddays
Specify the number of days since January 1, 1970 the
password was changed.
-Idays
Specify the number of inactive days after the password
expiration before locking the account. If the value is 0, the
account is not locked after the password expires.
-Edate
Specify the date on which the account is locked, in the
format YYYY-MM-DD. Instead of the date, the number of days since
January 1, 1970 can also be used.
-Wdays
Specify the number of days before the password expiration
date to warn the user.
Table 33-3. chage Command Line Options
Tip
If the chage command is followed directly by a
username (with no options), it displays the current password aging
values and allows them to be changed.
If a system administrator wants a user to set a password the first
time the user log in, the user's initial or null password can be set
to expire immediately, forcing the user to change it immediately after
logging in for the first time.
To force a user to configure a password the first time the user logs
in at the console, follow these steps. Note, this process does not
work if the user logs in using the SSH protocol.
Lock the user's password — If the
user does not exist, use the useradd command to
create the user account, but do not give it a password so that it
remains locked.
If the password is already enabled, lock it with the command:
usermod -L username
Force immediate password expiration
— Type the following command:
chage -d 0 username
This command sets the value for the date the password was last
changed to the epoch (January 1, 1970). This value forces
immediate password expiration no matter what password aging
policy, if any, is in place.
Unlock the account — There are two
common approaches to this step. The administrator can assign an
initial password or assign a null password.
Warning
Do not use the passwd command to set the
password as it disables the immediate password expiration
just configured.
To assign an initial password, use the following steps:
Start the command line Python interpreter with the
python command. It displays the
following:
Python 2.2.2 (#1, Dec 10 2002, 09:57:09)
[GCC 3.2.1 20021207 (Red Hat Enterprise Linux 4 3.2.1-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>
At the prompt, type the following (replacing
password with the password to encrypt
and salt with a combination of
exactly 2 upper or lower case alphabetic characters, digits, the
dot (.) character, or the slash (/) character such as
ab or
12):
The output is the encrypted password, similar to
12CsGd8FRcMSM.
Type [Ctrl]-[D] to exit the
Python interpreter.
Cut and paste the exact encrypted password output, without
a leading or trailing blank space, into the
following command:
usermod -p "encrypted-password" username
Instead of assigning an initial password, a null password can
be assigned using the following command:
usermod -p "" username
Caution
While using a null password is convenient for both the user
and the administrator, there is a slight risk that a third party
can log in first and access the system. To minimize this threat,
it is recommended that the administrator verifies that the user
is ready to log in when the account is unlocked.
In either case, upon initial log in, the user is prompted for
a new password.
