Creating Users
In order to provide access to Ubuntu server resources all users need to have an account set up for them. The administrator sets up an account using the useradd command and creating a password with the passwd command. The passwords are kept in the /etc/shadow file to make sure they cannot be viewed by anyone except the root user.
useradd joe
This creates a user named joe. However, this does not create a password, a home directory, or any other options. Here are several options:
-u uid user ID specified
-g group specify a group for the user
-G lists groups the user is in
-c comment describe user
-d dir home directory
-m make home directory if it does not exist
-k skel_dir skeleton home directory
-s shell login program, the default is /bin/bash
-e YYYY-MM-DD expiration date account disabled
-p password create password at time of creating user
If you wanted to create joe with a home directory you would use this command:
useradd -m joe
The default home for joe is created in /home/joe. The /home directory is used for all normal users by default. If you wanted to create a special directory with the “-d” option for a user you could follow this pattern:
mkdir /sales
useradd -d /sales john
This information is confirmed when you look at john’s entry in/etc/passwd.
john:x:1003:1003::/sales:/bin/sh
One of the advantages of using the passwd command is that it will automatically run chown and chgrp commands to make sure the permissions are set correctly for the user. If you don’t use useradd you must set these permissions manually. Another advantage of useradd is that it is a command that can be used on all Linux systems to add users.
Files When a User is Created
There are six major files or directories that are involved in the creation of a user.
/etc/passwd – contains user account information, explained above
/etc/shadow – secure user password stored here, only root can read it
/etc/group – group information for user
/etc/default/useradd – default information for adding all users
/etc/login.defs – system default login in settings
/etc/skel – default settings for the home directory.
Shadow Passwords
User and group passwords are encrypted in /etc/shadow and /etc/gshadow. This removes the passwords from the publicly accessible /etc/passwd file. Only the root user is able to access these two files. The result is that users will not be able to attempt to crack other user passwords.
/etc/shadow
When /etc/shadow is used the passwd field in /etc/passwd should have an x, do not leave that space empty as it will allow an account without a password requirement. The /etc/shadow file listed below contains these fields: login name, encrypted password, date of last password change, minimum days between changes, max days between changes, warning advance days, days after password expiration account expires, expiration date, and empty field. The date fields are based on the days from January 1,1970.
This example shows that two users have encrypted passwords. The /etc/login.defs file sets the default encryption method as SHA512 illustrated by the start of each password with “$6$”. Random salt is added to these passwords which means that even if you use the same password for two users it will not look the same as part of each text string representing a password is random.
root$6$iXVPoloN$JCbifzb9KC/ghzp01IuW7wKpjl.9sHqhPT1hkK9Rttz3i1bxq4SqOPlTI7lokHlJBzE/aGs7xrAdnCfAx4KkV1:14691:0:99999:7:::
daemon:*:14691:0:99999:7:::
bin:*:14691:0:99999:7:::
—cut—
libuuid:!:14691:0:99999:7:::
syslog:*:14691:0:99999:7:::
bind:*:14691:0:99999:7:::
landscape:*:14691:0:99999:7:::
mike:$6$610tJ2Jv$OKMNUewb9aKAuZUxWutV8TXhDgeefIPcXArKHXr20Eb8G39TAMGXs2KhGKybaP/
