Users and authentication
Learn about elevated privileges (sudo mode), users, groups and user authentication.
Elevated privileges & switching users
sudo is only allowed for users (or groups) granted it in /etc/sudoers or in a file under /etc/sudoers.d/. By default that is the wheel group on Red Hat-style systems and Arch, and the sudo group on Debian/Ubuntu. sudo -l shows what the current user is allowed to run.
- sudo <command>: run command with elevated privileges (you authenticate with your own password)
- sudo -u <user> <command>: run command as another user instead of root
- sudo -s: open a shell as root (keeps most of your own environment)
- sudo -i: open a login shell as root (with root's environment, as if root had logged in)
- su <user>: substitute user / open an interactive shell as the specified user (you need to know that user's password); su - <user> gives a login shell
- sudo su <user>: same as above, but authorised through sudo with your own password instead of the target user's
Users
Users are stored in the /etc/passwd file.
- who: list the currently logged-in users (with terminal and login time)
- whoami: print the effective username of the current session
- useradd <name>: create a user. Common options:
  - -c <comment>: GECOS field
  - -d <dir> (useradd) / --home <dir> (adduser): home directory
  - --no-create-home: do not create the home directory
  - --gid <group id>: primary group
  - --shell <shell>: login shell
  - --disabled-login, --disabled-password: adduser (Debian) only; create the account without a usable password
- userdel <name>: delete a user (-r also removes the home directory and mail spool)
- deluser <name> <group> (Debian): remove a user from a group; userdel has no such form
- usermod <name>: modify a user (e.g. -s <shell>, -L lock, -U unlock, -aG <group>)
- id [user]: get UID, GID and group memberships of the current (or the specified) user
The Debian wrappers adduser and deluser prompt for the details interactively but do more or less the same.
Understanding /etc/passwd
rafael:x:1001:1001:rafael,,,:/home/rafael:/bin/bash
[----] - [--] [--] [-------] [----------] [-------]
| | | | | | |
| | | | | | +------> 7. Login shell
| | | | | +----------------> 6. Home directory
| | | | +---------------------------> 5. GECOS (user infos)
| | | +----------------------------------> 4. GID (group id)
| | +---------------------------------------> 3. UID (user id)
| +-------------------------------------------> 2. Password (nowadays "x"; password in /etc/shadow)
+--------------------------------------------------> 1. Username
getent passwd <username>: get the line in /etc/passwd for the specified username (unlike grepping the file, this also resolves users from other NSS sources such as LDAP).
Deactivate login for a user: set the login shell to /usr/sbin/nologin (usermod -s /usr/sbin/nologin <user>). This blocks interactive logins only; the password stays valid, so lock it separately with passwd -l or usermod -L if the account must not authenticate at all.
Groups
Groups are stored in the /etc/group file.
- groups [username]: view which groups the current (or a specific) user is a member of
- groupadd <name>: create a group
- groupdel <name>: delete a group
Manage group membership:
- usermod -aG <groupname> <username>: add user to group (a = append). Without -a, -G replaces the user's whole supplementary group list, a classic way to drop yourself out of wheel/sudo.
- gpasswd -a <user> <group>: add user to group
- gpasswd -d <user> <group>: remove user from group (d = delete)
Commands available on some distros:
- usermod -rG <groupname> <username>: remove user from group (r = remove; only in recent shadow-utils releases)
- adduser <name> <group> (Debian): add user to a group
- deluser <name> <group> (Debian): remove user from a group
Group membership changes take effect on the next login (or with newgrp); already running sessions keep their old group list.
Understanding /etc/group
wheel:x:10:rafael,fritz
[---] - -- [----------]
| | | |
| | | +------> 4. Members (comma separated)
| | +-------------> 3. GID (group id)
| +----------------> 2. Password (nowadays "x"; password in /etc/gshadow)
+----------------------> 1. Group name
Group passwords are usually not used.
getent group <groupname>: get the line in /etc/group for the specified group
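The two file formats above are easiest to understand by parsing them. The following is an added example, not code from the original page: it runs the typical account-audit queries (who has UID 0, who can log in interactively, who is in wheel, what `groups <user>` would print) over constructed /etc/passwd and /etc/group content. All users and groups in the sample are made up; on a real system feed it `getent passwd` and `getent group` output instead.

```shell
#!/bin/sh
# Added example (not from the original page): parse constructed /etc/passwd
# and /etc/group content the way an account audit would, without touching the
# real files. All accounts and groups below are made up for the demo.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rafael:x:1001:1001:rafael,,,:/home/rafael:/bin/bash
fritz:x:1002:1002:fritz,,,:/home/fritz:/bin/bash
svc:x:1003:1003:service account:/var/lib/svc:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash'

SAMPLE_GROUP='root:x:0:
wheel:x:10:rafael,fritz
docker:x:999:fritz
rafael:x:1001:
fritz:x:1002:
svc:x:1003:'

# Usernames whose UID (field 3) is 0. Anything besides root is a finding.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Usernames that can log in interactively, i.e. whose shell is not nologin/false.
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Login shell of one user (like `getent passwd <user> | cut -d: -f7`).
login_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Rewrite the passwd text so that <user> gets /usr/sbin/nologin, the effect of
# `usermod -s /usr/sbin/nologin <user>`; the new content is printed.
disable_login() {
    printf '%s\n' "$2" | awk -F: -v OFS=: -v u="$1" '$1 == u { $7 = "/usr/sbin/nologin" } { print }'
}

# Members listed in field 4 of one /etc/group line, one per line.
group_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# All groups of a user, like `groups <user>`: the primary group (GID from
# passwd field 4, resolved against /etc/group field 3) followed by every
# group that lists the user as a supplementary member.
groups_of() {
    user=$1; passwd=$2; group=$3
    gid=$(printf '%s\n' "$passwd" | awk -F: -v u="$user" '$1 == u { print $4 }')
    printf '%s\n' "$group" | awk -F: -v u="$user" -v gid="$gid" '
        $3 == gid { primary = $1 }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) supp = supp " " $1 }
        END { print primary supp }'
}

echo "UID 0 accounts:";       uid0_accounts "$SAMPLE_PASSWD"
echo "Interactive accounts:"; interactive_accounts "$SAMPLE_PASSWD"
echo "wheel members:";        group_members wheel "$SAMPLE_GROUP"
echo "groups of fritz:";      groups_of fritz "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

The UID 0 check is the one worth running regularly: a second UID 0 account (here the constructed `toor`) has full root rights no matter what its name or sudoers entry says.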
Password authentication
Password hashes and password-aging information for users and groups are stored in /etc/shadow and /etc/gshadow. Both files are readable only by root (and the shadow group on Debian), which is why /etc/passwd only carries an "x" in the password field.
Note: Group passwords are not really used anymore.
Understanding /etc/shadow and /etc/gshadow
- sudo getent shadow <username>: get the line in /etc/shadow for the specified user
- sudo getent gshadow <groupname>: get the line in /etc/gshadow for the specified group
Hashing algorithms
Passwords are not encrypted but hashed with crypt(3); the prefix of the hash in the second field of /etc/shadow identifies the algorithm:
- $1$: MD5 (legacy, weak; should not appear on a current system)
- $2a$ / $2b$ / $2y$: bcrypt (BSD systems; not the default on glibc-based Linux)
- $5$: sha256 (SHA-crypt)
- $6$: sha512 (SHA-crypt; the long-standing Linux default)
- $y$: yescrypt (default on current Debian, Ubuntu and Fedora with libxcrypt)
A field containing "*" or starting with "!" holds no usable password (account locked); an empty field means no password at all.
Passwords
- passwd [user]: change your own or (as root) another user's password
- passwd -S <user>: get user status (P = usable password, L = locked, NP = no password, followed by the aging fields)
- passwd -l <user>: lock user (prepends "!" to the hash in /etc/shadow; this only disables password authentication, SSH key logins still work)
- passwd -u <user>: unlock user (removes the "!")
- gpasswd: change/manage group passwords
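As an added example (not from the original page), the following classifies constructed /etc/shadow lines by hash algorithm and lock status, which is what `passwd -S` reports per user and what an audit for weak or locked accounts needs across the whole file. The hashes in the sample are made-up placeholders, not real password hashes.

```shell
#!/bin/sh
# Added example (not from the original page): classify constructed /etc/shadow
# lines by hash algorithm and lock status, mirroring what `passwd -S` reports.
# The hashes below are made-up placeholders, not real password hashes.
SAMPLE_SHADOW='root:$6$saltsalt$fakehashfakehash:19000:0:99999:7:::
rafael:$y$j9T$saltsalt$fakehash:19500:0:99999:7:::
legacy:$1$saltsalt$fakehash:15000:0:99999:7:::
fritz:!$6$saltsalt$fakehash:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
broken::19000:0:99999:7:::'

# Password field (field 2) of one user, like `sudo getent shadow <user>`.
shadow_hash() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# Name the crypt(3) algorithm from the hash prefix. A leading "!" (passwd -l /
# usermod -L) is stripped first: the hash is still there, only disabled.
shadow_algo() {
    h=$(shadow_hash "$1" "$2")
    h=${h#!}
    case "$h" in
        '$1$'*)                  echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$5$'*)                  echo sha256 ;;
        '$6$'*)                  echo sha512 ;;
        '$y$'*)                  echo yescrypt ;;
        ''|'*')                  echo none ;;
        *)                       echo unknown ;;
    esac
}

# Status letter as printed by `passwd -S`: P = usable password, L = locked
# ("!" prefix or "*"), NP = empty field (no password at all; whether PAM then
# lets the user in without a password depends on the nullok setting).
shadow_status() {
    h=$(shadow_hash "$1" "$2")
    case "$h" in
        '')       echo NP ;;
        '!'*|'*') echo L ;;
        *)        echo P ;;
    esac
}

# Audit: users whose password is usable but hashed with MD5 or an unknown scheme.
weak_hash_users() {
    printf '%s\n' "$1" | awk -F: '{ print $1 }' | while read -r u; do
        [ "$(shadow_status "$u" "$1")" = P ] || continue
        case "$(shadow_algo "$u" "$1")" in md5|unknown) echo "$u" ;; esac
    done
}

for u in root rafael legacy fritz svc broken; do
    printf '%-8s %-3s %s\n' "$u" "$(shadow_status "$u" "$SAMPLE_SHADOW")" "$(shadow_algo "$u" "$SAMPLE_SHADOW")"
done
echo "weak hashes: $(weak_hash_users "$SAMPLE_SHADOW" | tr '\n' ' ')"
```

Note that the constructed `fritz` entry still reports sha512 after being locked: `passwd -l` keeps the hash and only prefixes it, so `passwd -u` can restore it, and a locked account with an old MD5 hash is still a weak hash once unlocked.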
SSH
- ssh-keygen -t <type> -b <bits>: generate a new keypair (-t ed25519 is the current recommendation; -b only matters for rsa, where 3072 or more should be used; -f sets the file name, -C a comment)
- Generated keys are stored in ~/.ssh/ as id_rsa and id_rsa.pub (id_<type> for other key types, e.g. id_ed25519). The private key must stay readable by you only (mode 600), otherwise ssh refuses to use it.
- ssh-copy-id -i ~/.ssh/id_rsa.pub <username>@<hostname>: append the public key to the server's authorized_keys (ssh-copy-id adds the .pub suffix itself if you pass the private key name, but the private key never leaves your machine)
- Authorized keys are stored on the server in ~/.ssh/authorized_keys of the target user. With the default StrictModes, sshd ignores the file if it, ~/.ssh or the home directory is writable by others.
- ssh <username>@<hostname> [command]: start an ssh session (or run a command and exit)
- ssh-keygen -f "/home/<username>/.ssh/known_hosts" -R "<hostname>": remove server from known_hosts file, e.g. after a host was reinstalled. Verify the new host key fingerprint out of band first: a changed host key is also exactly what a man-in-the-middle looks like.
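Because OpenSSH silently skips a private key or authorized_keys file with sloppy permissions, a quick mode check is worth scripting. The following is an added example, not code from the original page: it checks and repairs the modes of an ssh client directory. It is run here on a constructed temporary directory with deliberately wrong modes, never on the real ~/.ssh; the file names are the ones the page mentions plus a made-up id_ed25519 key.

```shell
#!/bin/sh
# Added example (not from the original page): check and repair the file modes
# in an ssh client directory. OpenSSH ignores a private key that is readable
# by others and, with the default StrictModes, an authorized_keys file that
# others can write. The directory used here is a constructed temporary one,
# never the real ~/.ssh.

# Group/other permission bits of a path as a 6-char string ("------" = none).
perm_others() {
    ls -ld "$1" | cut -c5-10
}

# Return 0 if the directory, private keys, authorized_keys and config are
# private to the owner; otherwise print each offending path and return 1.
check_ssh_perms() {
    dir=$1; rc=0
    for f in "$dir" "$dir"/id_* "$dir"/authorized_keys "$dir"/config; do
        [ -e "$f" ] || continue                  # unmatched glob or absent file
        case "$f" in *.pub) continue ;; esac     # public keys may be readable
        if [ "$(perm_others "$f")" != "------" ]; then
            echo "insecure: $(ls -ld "$f" | cut -c1-10) $f"
            rc=1
        fi
    done
    return $rc
}

# The usual repair: 700 on the directory, 600 on everything private in it,
# 644 on public keys.
fix_ssh_perms() {
    dir=$1
    chmod 700 "$dir"
    for f in "$dir"/id_* "$dir"/authorized_keys "$dir"/config; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) chmod 644 "$f" ;; *) chmod 600 "$f" ;; esac
    done
}

# Constructed demo directory with deliberately sloppy modes.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
SSH_DIR=$DEMO_DIR/.ssh
mkdir -m 755 "$SSH_DIR"
: > "$SSH_DIR/id_ed25519";      chmod 644 "$SSH_DIR/id_ed25519"
: > "$SSH_DIR/id_ed25519.pub";  chmod 644 "$SSH_DIR/id_ed25519.pub"
: > "$SSH_DIR/authorized_keys"; chmod 664 "$SSH_DIR/authorized_keys"

echo "before:"; check_ssh_perms "$SSH_DIR" || echo "-> fix needed"
fix_ssh_perms "$SSH_DIR"
echo "after:";  check_ssh_perms "$SSH_DIR" && echo "-> ok"
```

The check reads the mode string from `ls -ld` rather than `stat`, because the `stat` format flags differ between GNU and BSD while the `ls` column layout does not.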
SSH Config
File: ~/.ssh/config
Example content:
Host *
    ForwardX11 no
Host prod-de-1
    HostName 192.168.1.125
    User admin
    IdentityFile ~/.ssh/work_key
    Port 2222
ssh uses the first value it finds for each option, so host-specific blocks must come before a Host * block that sets the same option; the Host * block above only works as a default because prod-de-1 does not set ForwardX11 itself. ssh -G prod-de-1 prints the effective configuration for a host.