2025-01-14 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Management of users and groups
The authentication model adopted is the AAA model, as used by Cisco:
Authentication: verify that the claimed identity is genuine
Authorization: grant verified users access to the resources assigned to them
Accounting: audit and record how resources are used
Linux is a multi-user, multi-tasking system:
The entity that actually uses resources and completes work is the application process.
A process runs as the user who started it; in effect that user owns the process, and the owner's identity (its effective UID and GIDs) is recorded on the process.
When a process tries to access a resource, the security context compares the process owner with the resource owner:
First check whether the process owner is the owner of the resource; if so, the owner permission bits apply.
If not, check whether the process owner belongs to the group that owns the resource; if so, the group permission bits apply.
Otherwise the permission bits for "other" apply.
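The owner/group/other decision described above, written out as an added example (this is not code from the original article). It is pure shell, touches no real files, and the UIDs, GIDs and mode bits at the bottom are constructed test values. It also shows the one caveat worth knowing: root (UID 0) bypasses the read/write check, but execute still needs at least one x bit somewhere in the mode.

```bash
#!/bin/sh
# Added example: the owner/group/other decision the kernel's discretionary
# access control makes for a classic mode-bit file.

# dac_class FILE_UID FILE_GID PROC_UID "PROC_GIDS"
# Prints which permission triplet applies: owner, group or other.
# PROC_GIDS is the process's primary GID followed by its supplementary GIDs.
dac_class() {
    f_uid=$1; f_gid=$2; p_uid=$3; p_gids=$4
    if [ "$p_uid" -eq "$f_uid" ]; then
        echo owner          # the owner check wins even if the group bits are wider
        return 0
    fi
    for g in $p_gids; do
        if [ "$g" -eq "$f_gid" ]; then
            echo group
            return 0
        fi
    done
    echo other
}

# dac_allows MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS" OP
# MODE is the three-digit octal mode (640 or 0640), OP is r, w or x.
# Returns 0 if the access is permitted, 1 if denied.
dac_allows() {
    mode=$1; f_uid=$2; f_gid=$3; p_uid=$4; p_gids=$5; op=$6
    mode=${mode#0}                    # accept a leading 0 as in 0640
    case $op in
        r) bit=4 ;; w) bit=2 ;; x) bit=1 ;;
        *) echo "bad op: $op" >&2; return 2 ;;
    esac
    # Each octal digit is 0-7, so integer division on the decimal
    # representation extracts the three triplets without an octal parse.
    owner_bits=$(( mode / 100 )); group_bits=$(( mode / 10 % 10 )); other_bits=$(( mode % 10 ))
    # root bypasses read/write checks (CAP_DAC_OVERRIDE), but exec still
    # needs at least one x bit set anywhere in the mode.
    if [ "$p_uid" -eq 0 ]; then
        if [ "$op" != x ] || [ $(( (owner_bits | group_bits | other_bits) & 1 )) -ne 0 ]; then
            return 0
        fi
        return 1
    fi
    case $(dac_class "$f_uid" "$f_gid" "$p_uid" "$p_gids") in
        owner) bits=$owner_bits ;;
        group) bits=$group_bits ;;
        other) bits=$other_bits ;;
    esac
    [ $(( bits & bit )) -ne 0 ]
}

# Constructed scenario: a file owned by uid 1001, gid 2000, mode 640.
# uid 1002 is in groups 1002 and 2000; uid 1003 is only in group 1003.
dac_allows 640 1001 2000 1001 "1001"      w && echo "owner may write"
dac_allows 640 1001 2000 1002 "1002 2000" r && echo "group member may read"
dac_allows 640 1001 2000 1002 "1002 2000" w || echo "group member may not write"
dac_allows 640 1001 2000 1003 "1003"      r || echo "other may not read"
dac_allows 640 1001 2000 0    "0"         x || echo "even root cannot exec without an x bit"
```

Note that only the first matching class is consulted: if the owner triplet is 0 but the group triplet is rw, the file's owner is still denied, which is why "more specific wins" rather than "most permissive wins" is the rule to remember.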
User account: the mapping of a computer operator onto an identity inside the operating system; the identity takes effect once the authentication conditions are met
User classification:
Super user (administrator): root
Ordinary users:
System users: for security, daemons and other background service processes must also run as non-administrator users; such users generally never log in to the system.
Login users: users who can log in and use the system's resources normally.
User identifier: the login name
User ID (UID): the numeric identifier the system actually works with
Superuser: 0
System users: CentOS 5 and CentOS 6: 1~499; CentOS 7: 1~999
Login users: CentOS 5 and CentOS 6: 500~60000; CentOS 7: 1000~60000 (UID_MIN and UID_MAX in /etc/login.defs)
Name resolution: login name <-> UID
Resolution database: /etc/passwd
The system uses the resolution database together with the authentication database to verify that the person logging in is who they claim to be.
Authentication databases:
User authentication database: /etc/shadow
Group authentication database: /etc/gshadow
Password authentication mechanism:
General password policy:
1. Use a random string as the password whenever possible
2. The password should be at least 8 characters long
3. Use at least three of the four character classes: uppercase letters, lowercase letters, digits and punctuation
4. Change the password periodically (changing it within 42 days is recommended)
In Linux, what is stored in the authentication database is not the password itself but a one-way hash of it.
One-way hash algorithm: extracts characteristic information from the original data, a data fingerprint
Characteristics of a one-way hash algorithm:
1. The same input always produces the same output
2. However large the input, the output has a fixed length
3. Avalanche effect: a tiny change in the input changes the output completely
4. Irreversible: the input cannot be recovered from the output
Common one-way hash algorithms: md5, sha1, sha224, sha256, sha384, sha512 (md5 and sha1 are no longer collision-resistant; CentOS 7 stores iterated SHA-512 hashes produced by crypt(3))
So that two users with the same password do not end up with the same hash, a random salt is generated for each user, once, when the password is set
Final stored string: $algorithm-id$salt$hash, for example $6$ marks SHA-512, $5$ SHA-256 and $1$ MD5
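The four properties and the role of the salt, as an added example (not code from the original article). It uses plain SHA-256 via sha256sum as the one-way function; real /etc/shadow entries use crypt(3) schemes (iterated SHA-512 for $6$), so this illustrates the principle rather than reproducing the crypt algorithm. The salts, passwords and the "$demo$" scheme marker are constructed for the example.

```bash
#!/bin/sh
# Added example: salted one-way hashing in the $id$salt$hash layout.

# sha256_hex STRING: hex digest of STRING (no trailing newline hashed)
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# salted_hash SALT PASSWORD: digest of salt||password, the idea behind
# the salt field of a shadow entry
salted_hash() {
    sha256_hex "$1$2"
}

# shadow_style SALT PASSWORD: the "$id$salt$hash" layout used by
# /etc/shadow; 'demo' is a constructed marker, not a real crypt id
shadow_style() {
    printf '$demo$%s$%s\n' "$1" "$(salted_hash "$1" "$2")"
}

# verify_password STORED PASSWORD: re-derive the hash from the stored salt
# and compare; this is how login checks a password without ever storing
# or reversing it. Returns 0 on match, 1 on mismatch.
verify_password() {
    stored=$1; candidate=$2
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    expected=$(printf '%s' "$stored" | cut -d'$' -f4)
    [ "$(salted_hash "$salt" "$candidate")" = "$expected" ]
}

# Demonstration with constructed values:
# 1. deterministic: same salt + password -> same hash
# 2. fixed length: 64 hex characters whatever the password length
# 3. avalanche: one changed character -> unrelated digest
# 4. salt: same password, different users -> different stored strings
h1=$(salted_hash 'a1b2' 'Tr0ub4dor&3')
h2=$(salted_hash 'a1b2' 'Tr0ub4dor&3')
h3=$(salted_hash 'a1b2' 'Tr0ub4dor&4')
h4=$(salted_hash 'z9y8' 'Tr0ub4dor&3')
[ "$h1" = "$h2" ]  && echo "deterministic: ok"
[ ${#h1} -eq 64 ]  && echo "fixed length: ok"
[ "$h1" != "$h3" ] && echo "avalanche: ok"
[ "$h1" != "$h4" ] && echo "per-user salt: ok"

entry=$(shadow_style 'a1b2' 'Tr0ub4dor&3')
verify_password "$entry" 'Tr0ub4dor&3' && echo "login accepted"
verify_password "$entry" 'wrong'       || echo "login rejected"
```

The salt defeats precomputed tables and keeps two users with the same password from revealing that fact to anyone who reads /etc/shadow; it is stored in the clear beside the hash because the verifier needs it, and that is fine, since its job is uniqueness, not secrecy.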
User group: a container that gathers users with identical or similar attributes so that they can be authorized together
Group categories:
Administrator group
Ordinary groups:
System groups
Login groups
Group identifiers:
Group name: convenient for operators
Group ID (GID): the numeric identifier the system works with
Administrator group: 0
System groups: CentOS 5 and CentOS 6: 1~499; CentOS 7: 1~999
Login groups: CentOS 5 and CentOS 6: 500~60000; CentOS 7: 1000~60000
Resolution database: /etc/group
Groups also need authentication, so they also have an authentication database: /etc/gshadow
A group can also be protected by a password
Without a group password, only users listed as members of the group can switch into it with newgrp; with one, a non-member who knows the password can join temporarily
Groups classified from the user's point of view: the user's primary group (basic group) and the user's supplementary groups (additional groups)
Groups classified by the number of users they hold: private group (a single user, usually created together with the user and bearing the same name) and public group
Files used to manage users and groups:
Resolution database 1: /etc/passwd
Format: name:password:UID:GID:GECOS:directory:shell
name: login name
password: password field; on systems using the shadow mechanism it holds the placeholder "x"
UID: the user's ID
GID: the ID of the user's primary group
GECOS: comment field, nowadays generally used for the user's description or full name
directory: absolute path of the user's home directory
shell: absolute path of the user's default login shell
Resolution database 2: /etc/group
Format: group_name:password:GID:user_list
group_name: group name
password: group password field; with the gshadow mechanism it holds the placeholder "x"
GID: the group's ID
user_list: comma-separated list of users who have this group as a supplementary group
Authentication database 1: /etc/shadow
Format: login name:encrypted password:date of last password change:minimum password age:maximum password age:password warning period:password inactivity period:account expiration date:reserved field
login name: the user's login name
encrypted password: the salted password hash (an empty field means no password at all; a field beginning with "!" or "*" means the password is locked or unusable)
date of last password change: a relative date, expressed as days since 1970-01-01
minimum password age: how many days must pass before the password may be changed again
maximum password age: after how many days the password expires
password warning period: number of days before expiration during which the user is reminded
password inactivity period: grace period in days after the password expires, after which the account is disabled
account expiration date: the day (again counted from 1970-01-01) on which the account itself expires, independent of the password
reserved field: reserved for future use
Authentication database 2: /etc/gshadow
Format: group_name:encrypted password:administrators:members
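Reading the three record formats above, as an added example (not code from the original article). Every record, login name, UID, hash and day number is constructed for the example; the functions parse these embedded strings rather than the real files, so the script runs unprivileged. The aging logic is a simplified model of what chage and pam_unix do with the shadow fields, not their code.

```bash
#!/bin/sh
# Added example: parsing constructed /etc/passwd, /etc/group and
# /etc/shadow records and interpreting the shadow aging fields.

PASSWD_DB='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:1001:1001:Alice Liddell:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
temp:x:1003:1003:Contractor:/home/temp:/bin/bash'

GROUP_DB='root:x:0:
wheel:x:10:alice
audit:x:2000:alice,bob
alice:x:1001:
bob:x:1002:
temp:x:1003:'

# login:hash:lastchg:min:max:warn:inactive:expire:reserved
# (day numbers are days since 1970-01-01; "!"/"!!" prefixes mean locked)
SHADOW_DB='root:$6$c0nstructed$hash:19700:0:99999:7:::
sshd:!!:19700::::::
alice:$6$c0nstructed$hash:19700:1:90:7:14::
bob:!$6$c0nstructed$hash:19600:0:99999:7:::
temp:$6$c0nstructed$hash:19700:0:99999:7::19750:'

# uid_class UID: the CentOS 7 ranges given in the text (UID_MIN=1000)
uid_class() {
    if [ "$1" -eq 0 ]; then echo root
    elif [ "$1" -lt 1000 ]; then echo system
    else echo login
    fi
}

# passwd_entry LOGIN: the passwd record for LOGIN (nothing if unknown)
passwd_entry() {
    printf '%s\n' "$PASSWD_DB" | grep "^$1:"
}

# user_groups LOGIN: primary group name followed by the supplementary
# groups, the same list `id -nG LOGIN` prints. The primary group comes from
# passwd's GID field; supplementary membership is every group whose
# user_list (4th field of /etc/group) contains LOGIN.
user_groups() {
    login=$1
    gid=$(passwd_entry "$login" | cut -d: -f4)
    [ -n "$gid" ] || return 1
    primary=$(printf '%s\n' "$GROUP_DB" | awk -F: -v g="$gid" '$3 == g { print $1 }')
    supp=$(printf '%s\n' "$GROUP_DB" | awk -F: -v u="$login" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) printf " %s", $1
    }')
    printf '%s%s\n' "$primary" "$supp"
}

# shadow_status LOGIN TODAY: interpret the aging fields against day number
# TODAY (for the real date use $(( $(date +%s) / 86400 ))). Prints one of:
# unknown, account-expired, no-password, locked, must-change,
# password-expired, password-expired-grace, expiring-soon, ok
shadow_status() {
    today=$2
    line=$(printf '%s\n' "$SHADOW_DB" | grep "^$1:") || { echo unknown; return 1; }
    IFS=: read -r _login hash lastchg min max warn inactive expire _rest <<EOF
$line
EOF
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then echo account-expired; return 0; fi
    case $hash in
        '')        echo no-password; return 0 ;;   # what passwd -d leaves behind
        '!'*|'*'*) echo locked; return 0 ;;        # usermod -L, passwd -l, or never set
    esac
    if [ -n "$lastchg" ] && [ "$lastchg" -eq 0 ]; then echo must-change; return 0; fi
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo ok; return 0; fi   # aging disabled
    due=$(( lastchg + max ))
    if [ "$today" -gt "$due" ]; then
        if [ -n "$inactive" ] && [ "$today" -le $(( due + inactive )) ]; then
            echo password-expired-grace   # may still log in, must change the password
        else
            echo password-expired         # past the grace period: account disabled
        fi
        return 0
    fi
    if [ -n "$warn" ] && [ "$today" -ge $(( due - warn )) ]; then echo expiring-soon; return 0; fi
    echo ok
}

# Report on every constructed account as of day 19800
for u in root sshd alice bob temp; do
    uid=$(passwd_entry "$u" | cut -d: -f3)
    printf '%-6s %-7s groups=%-18s status=%s\n' "$u" "$(uid_class "$uid")" \
        "$(user_groups "$u" | tr ' ' ',')" "$(shadow_status "$u" 19800)"
done
```

Two details the file formats hide: the account expiration date is checked before anything else, because an expired account is refused even with a valid password, and a maximum age of 99999 is the conventional "never expires" value that useradd writes by default (PASS_MAX_DAYS in /etc/login.defs).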
Group management commands:
groupadd: create a new group account
groupadd [-g GID [-o]] [-r] [-f] GROUPNAME
-g GID: specify the GID when creating the group; if omitted, the system takes the next free GID above the highest one in use, within the range set by GID_MIN and GID_MAX in /etc/login.defs (GID_MAX is 60000 by default)
-r: create a system group
groupmod: modify the attributes of a group
groupmod [options] GROUPNAME
-g GID: change the group's GID
-n NEW_GROUPNAME: change the group's name
groupdel: delete a group account
groupdel [options] GROUPNAME
Note: a group that is the primary group (private group) of some user cannot be deleted
User management commands:
useradd: add a user account
useradd [options] LOGIN
/etc/default/useradd
/etc/login.defs
/etc/skel
These three files and directories supply the default attributes of a new user whenever an option is not given explicitly (/etc/skel is copied into the new home directory)
Options:
-c, --comment 'COMMENT': set the comment (GECOS) information when creating the user, usually the full name
-d, --home /PATH/TO/HOME_DIR: specify the absolute path of the home directory when creating the user; the directory should not exist beforehand
-g, --gid GROUPNAME: specify the user's primary group when creating the user
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: add supplementary groups when creating the user
-m, --create-home: force creation of the home directory when creating the user
-M: do not create a home directory when creating the user, even if CREATE_HOME in /etc/login.defs is yes
-r, --system: create a system user
-u, --uid UID: specify the UID when creating the user; this UID may exceed the UID_MAX limit of 60000
-s, --shell /PATH/TO/SHELL: specify the default shell when creating the user, as an absolute path
-D: show or modify the default values applied to new users
-D -s, --shell /PATH/TO/SHELL: change the default SHELL value in /etc/default/useradd
usermod: modify a user account
usermod [options] LOGIN
Options:
-c, --comment 'COMMENT': change the user's comment information
-g, --gid GROUPNAME: change the user's primary group
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: replace the user's supplementary groups with the groups in the list
-a, --append: used together with -G to add the listed groups to the existing supplementary groups instead of replacing them
-d, --home /PATH/TO/HOME_DIR: change the user's home directory
-m, --move-home: used together with -d to move the contents of the old home directory to the new one
-s, --shell /PATH/TO/SHELL: change the user's login shell
-l, --login NEW_LOGIN: change the user's login name
-u, --uid UID: change the user's UID
-L, --lock: lock the user's password
-U, --unlock: unlock the user's password
userdel: delete a user account
userdel [options] LOGIN
Options:
-r: remove the user's home directory and mail spool along with the user
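A small provisioning script tying the group and user commands above together, as an added example (not code from the original article). validate_login enforces the login-name rule documented in useradd(8) and needs no privileges; provision_user calls groupadd, useradd, usermod, chpasswd and passwd and therefore only does real work as root, refusing otherwise. The login name, group names and initial password at the bottom are constructed for the example.

```bash
#!/bin/sh
# Added example: create a group and a user, set an initial password that
# must be changed at first login, and verify the result.

# validate_login NAME: useradd's default rule, [a-z_][a-z0-9_-]*[$]? and at
# most 32 characters. Returns 0 if NAME is acceptable. LC_ALL=C keeps the
# [a-z] range from matching uppercase letters in some locales.
validate_login() {
    [ ${#1} -ge 1 ] && [ ${#1} -le 32 ] &&
        printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z_][a-z0-9_-]*\$?$'
}

# provision_user LOGIN PRIMARY_GROUP "EXTRA_GROUPS" INITIAL_PASSWORD
#   - creates PRIMARY_GROUP and each of EXTRA_GROUPS if missing (groupadd)
#   - creates the user with a home directory, shell and comment (useradd),
#     or adjusts the groups of an existing user (usermod -a -G)
#   - sets the initial password (chpasswd) and expires it so the user is
#     forced to choose a new one at first login (passwd -e)
#   - verifies the result with id -nG and getent
# Returns 2 for a bad login name, 3 when not running as root.
provision_user() {
    login=$1; pgroup=$2; extra=$3; password=$4
    validate_login "$login" || { echo "refusing bad login name: $login" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "provision_user must run as root" >&2; return 3; }
    for g in $pgroup $extra; do
        getent group "$g" >/dev/null || groupadd "$g"
    done
    supp=$(printf '%s' "$extra" | tr ' ' ',')
    if getent passwd "$login" >/dev/null; then
        usermod -g "$pgroup" "$login"
        [ -n "$supp" ] && usermod -a -G "$supp" "$login"
    else
        set -- -m -g "$pgroup" -s /bin/bash -c "provisioned account"
        [ -n "$supp" ] && set -- "$@" -G "$supp"
        useradd "$@" "$login"
    fi
    printf '%s:%s\n' "$login" "$password" | chpasswd   # reads LOGIN:PASSWORD pairs on stdin
    passwd -e "$login"                                   # expire it: change required at first login
    id -nG "$login"
    getent passwd "$login"
}

# Constructed usage; prints the refusal reason when not run as root
provision_user 'alice' 'developers' 'audit wheel' 'ChangeMe-now-42' || echo "provision_user exited with $?"
```

chpasswd is used instead of passwd --stdin because --stdin exists only in the CentOS/RHEL passwd; piping the password through chpasswd works with the stock shadow-utils on every distribution and keeps the secret out of the process list, which an `echo pass | passwd --stdin user` in a shell history would not.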
Commands related to user authentication:
passwd: set and view a user's password information
passwd [-k] [-l] [-u [-f]] [-d] [-e] [-n mindays] [-x maxdays] [-w warndays] [-i inactivedays] [-S] [--stdin] [username]
1. If the username is omitted, the password of the currently logged-in user is changed
2. If a username is given, that user's password is changed; only root may do this
Options:
-l, --lock: lock the user's password
-u, --unlock: unlock the user's password
Compared with usermod -L | -U, passwd's lock takes precedence:
A password locked with usermod -L can be unlocked with passwd -u
A password locked with passwd -l cannot be unlocked with usermod -U
-d, --delete: delete the user's password, clearing the second field of the /etc/shadow entry (the account is then passwordless, not locked)
-S, --status: show the password status of the user
--stdin: read the new password from standard input, typically through a pipe (CentOS/RHEL passwd only)
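Why passwd -l "takes precedence" over usermod -L, shown as an added example (not code from the original article): on CentOS/RHEL, usermod -L prefixes the stored hash with a single "!" and usermod -U strips exactly one, while passwd -l prefixes "!!" and passwd -u strips every leading "!". The functions below model those edits on the second field of a shadow entry; the hash values are constructed placeholders and no real shadow file is read or written.

```bash
#!/bin/sh
# Added example: the lock markers usermod and passwd write into the
# password field of /etc/shadow on CentOS/RHEL, and how each unlock
# reverses them.

# lock_state FIELD: classify a shadow password field
lock_state() {
    case $1 in
        '')           echo empty ;;            # no password at all (passwd -d)
        '*'|'!'|'!!') echo no-login ;;         # never had a hash: system accounts
        '!!'*)        echo locked-passwd ;;    # passwd -l prepended "!!"
        '!'*)         echo locked-usermod ;;   # usermod -L prepended one "!"
        *)            echo active ;;
    esac
}

# usermod_lock / usermod_unlock: add or strip exactly one leading "!"
usermod_lock()   { case $1 in '!'*) printf '%s\n' "$1" ;; *) printf '!%s\n' "$1" ;; esac; }
usermod_unlock() { printf '%s\n' "${1#!}"; }

# passwd_lock / passwd_unlock: add "!!" unless already locked; unlock strips
# every leading "!", so it clears both kinds of lock
passwd_lock()    { case $1 in '!'*) printf '%s\n' "$1" ;; *) printf '!!%s\n' "$1" ;; esac; }
passwd_unlock()  {
    f=$1
    while [ "${f#!}" != "$f" ]; do f=${f#!}; done
    printf '%s\n' "$f"
}

# Constructed walk-through
h='$6$c0nstructed$hash'
a=$(passwd_lock "$h")        # "!!$6$..."  locked by passwd -l
b=$(usermod_unlock "$a")     # "!$6$..."   usermod -U removed one "!": still locked
c=$(passwd_unlock "$a")      # "$6$..."    passwd -u removed them all
echo "after passwd -l:              $(lock_state "$a")"
echo "then usermod -U:              $(lock_state "$b")"
echo "then passwd -u instead:       $(lock_state "$c")"
echo "usermod -L then passwd -u:    $(lock_state "$(passwd_unlock "$(usermod_lock "$h")")")"
```

The practical consequence is in the last two lines: to be sure an account is really unlocked, check `passwd -S USER` (or the raw field) rather than trusting the exit status of whichever unlock command was run, because usermod -U reports success while leaving a "!" in place.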
Commands related to group authentication:
gpasswd: administer /etc/group and /etc/gshadow
gpasswd [options] GROUPNAME
Options:
-a USER: add USER to GROUPNAME
-d USER: remove USER from GROUPNAME
Other commands:
su: switch user, i.e. change user identity
su USERNAME: partial switch; the target user's profile is not re-read, so this is not a login and the working environment is not initialized
su - USERNAME: login switch, a complete switch; the target user's configuration files are re-read and the working environment is initialized; equivalent to su -l USERNAME
-c COMMAND: do not switch identity interactively, but run COMMAND as the target user
With su, root can switch to any ordinary user without a password, whereas an ordinary login user must give the target user's password
After switching, do not keep switching onward; use the exit command to return to the previous user
newgrp GROUPNAME: temporarily change the primary group of the currently logged-in user; use exit to return to the previous state
id: display the real and effective user and group IDs
Real ID: the UID and GID defined for the user in /etc/passwd
Effective ID: the UID and GID currently in effect for the process
id [OPTION]... [USER]
-g: display only the effective GID
-u: display only the effective UID
-G: display the IDs of all groups the user belongs to
-n: display names instead of numbers (used together with -u, -g or -G)