Inside the Kernel

'Nix Password Administration 101
Your guide to understanding everything from basic files and user accounts to more advanced tasks such as changing a lost root password.
by Emmett Dulaney
11/10/2004 -- As a system administrator, you have to confess that few things are as irritating as users. You can build the perfect network and walk about looking like Smiling Bob from the Enzyte commercials and some user will always find a way to bring you down. Mary changed her password last week and now she can’t remember it or find the Post-It note that she wrote it on before sticking it to her monitor. Bill has been locked out of his system after giving the wrong password too many times. And so it goes.

In this, the first installment of my new Linux/Unix column for CertCities.com, we’re going to focus on issues related to user passwords. Knowing the tools that are at your disposal and knowing as much as you can about how the system keeps these values will help you solve many a problem and keep a little bit of that smile in place. Let's start with the basics of files and creating user accounts, then move on to more advanced concepts.

File Basics
The first file of importance is the /etc/passwd file. Fields are delimited by colons and some of the entries will resemble the following:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
ftp:x:14:50:FTP User:/home/ftp:
mysql:x:18:18:MySQL User:/var/lib/mysql:/bin/false
edulaney:x:501:100:emmett:/home/edulaney:/bin/bash
kdulaney:x:502:100:karen:/home/kdulaney:/bin/tcsh
sdulaney:x:503:100:spencer:/home/sdulaney:/bin/zsh

The seven fields can be broken into:

  • Login name of the user: This must be unique per system, but it is free text and can be edited and modified with any editor at any time. Among the entries shown in the example, bin is the owner of executables and daemon is used for system services. Other entries are for users (such as edulaney) or individual services (such as ftp).
  • Password: This can be an encrypted entry or an "x." In the case of the latter, the single character merely indicates that the values are stored elsewhere in the /etc/shadow file.

NOTE: Placing the passwords in the shadow file adds additional security. Everyone can read the passwd file, but only the root user can read the shadow file.

  • Numerical userid (UID): This is an incremental number unique for every user and is how the operating system truly references the user (remember, the login name is changeable text). The root user is always number 0, and maintenance/service accounts use small numbers (typically up to 99). Regular user accounts typically start at 500 (but differ per Linux vendor) and go up incrementally from there. For security reasons, you can rename the root to any other text value, but the number 0 is always the identifier.
  • Numerical groupid (GID): This identifies the default group associated with the user. 0 is always the root group, and lower numbers are used for system groups. Regular users are assigned groups at a beginning number listed in the /etc/login.defs file.
  • Free text used for descriptive purposes: One of the main utilities looking at this field is finger, which simply returns information about a user to anyone querying.
  • Home directory of the user: This is where users start when they log in and where the files that define their environment variables are held.
  • The shell to use for the user: If nothing is here, the default shell is used.

The /etc/shadow file is used to hold the password and information about the aging parameters. An example would be:

root:awYeiEwzMpfo6:11144:0::7:7::
bin:*:10547:0::7:7::
daemon:*:10547:0::7:7::
ftp:*:10547:0::7:7::
mysql:*:10547:0::7:7::
edulaney:aw0VvUAsWpigo:11144:0::7:7::
kdulaney:awzIG94wrzGqY:11144:0::7:7::

The eight fields are:

  • Login name of the user: The only field that must match the /etc/passwd file.
  • Encrypted hash of the password: If no password has been defined, then an asterisk (*) is used. Under no conditions can this field be left blank for a functioning user.
  • Day the password was last changed: Expressed in the number of days that have passed since 1/1/1970.
  • Minimum password age: Expressed in how many days a user must wait between being allowed to make password changes.
  • Maximum password age: Expressed in how many days a user is allowed to keep this password.

NOTE: An empty field indicates there is no restriction.

  • Number of days before the password expires that a warning appears to inform the user to change his/her password.
  • Number of days after the password expires to wait before disabling the account.
  • Expiration date for the password: In days since 1/1/1970.
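As an added example (not code from the column), the following parses records in the two formats just described and flags the conditions the text warns about: an empty password field, a hash kept in the world-readable passwd file, a second UID 0 account, a missing shadow entry, and password aging computed from the days-since-1/1/1970 fields. The sample lines and helper names are constructed for this demonstration.

```python
from collections import namedtuple

# Field order exactly as the column lists it; an empty shell means "system default".
PasswdEntry = namedtuple("PasswdEntry", "name password uid gid gecos home shell")
# Aging fields are day counts; None means the field was empty (no restriction).
ShadowEntry = namedtuple("ShadowEntry", "name hash last_change min_days max_days "
                                        "warn_days inactive_days expire_day")

def _opt(field):
    # An empty aging field (or useradd's -1) means there is no restriction.
    return None if not field.strip() or int(field) < 0 else int(field)

def parse_passwd(line):
    f = line.rstrip("\n").split(":")
    if len(f) != 7:
        raise ValueError(f"passwd entry needs 7 fields, got {len(f)}: {line!r}")
    return PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])

def parse_shadow(line):
    f = line.rstrip("\n").split(":")
    if len(f) == 9:          # a trailing colon leaves a reserved ninth field
        f = f[:8]
    if len(f) != 8:
        raise ValueError(f"shadow entry needs 8 fields, got {len(f)}: {line!r}")
    return ShadowEntry(f[0], f[1], int(f[2]), *(_opt(x) for x in f[3:8]))

def audit(passwd_lines, shadow_lines, today_days):
    """Return (login, code) pairs; today_days is days since 1/1/1970."""
    shadow = {s.name: s for s in map(parse_shadow, shadow_lines)}
    findings = []
    for p in map(parse_passwd, passwd_lines):
        if p.password == "":
            findings.append((p.name, "NO_PASSWORD"))     # logs in with no password
        elif p.password != "x":
            findings.append((p.name, "HASH_IN_PASSWD"))  # world-readable; run pwconv
        if p.uid == 0 and p.name != "root":
            findings.append((p.name, "EXTRA_UID0"))      # root under another name
        s = shadow.get(p.name)
        if s is None:
            if p.password == "x":
                findings.append((p.name, "NO_SHADOW_ENTRY"))
            continue
        age = today_days - s.last_change
        if s.max_days is not None and age > s.max_days:
            findings.append((p.name, "EXPIRED"))
        elif s.max_days is not None and s.warn_days is not None and age >= s.max_days - s.warn_days:
            findings.append((p.name, "EXPIRING_SOON"))
        if s.expire_day is not None and today_days >= s.expire_day:
            findings.append((p.name, "ACCOUNT_EXPIRED"))
    return findings

PASSWD_LINES = [   # constructed sample records, not a real system's files
    "root:x:0:0:root:/root:/bin/bash",
    "toor:x:0:0:second root:/root:/bin/bash",
    "evan::504:100:EvanD:/home/evan:/bin/bash",
    "kristin:petKv.fLWG/Ig:506:100:kristin:/home/kristin:/bin/bash",
    "sdulaney:x:503:100:spencer:/home/sdulaney:/bin/zsh",
    "kerby:x:508:100:Sample User:/home/kerby:/bin/bash",
]
SHADOW_LINES = [
    "root:awYeiEwzMpfo6:11144:0::7:7::",
    "sdulaney:aw0VvUAsWpigo:11230:0:90:14:::",
    "kerby:M3cMnQDwHjRD6:11213:0:90:7:-1:-1:",
]
```

Running `audit(PASSWD_LINES, SHADOW_LINES, 11313)` reports toor, evan, kristin, sdulaney and kerby while root, whose empty maximum-age field means no restriction, passes.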

Creating a User
New users can be created manually or by using utilities. To do so manually, simply append an entry to the /etc/passwd file (it is strongly recommended that you make a backup copy of the file before changing). You can leave the password field blank and then assign a password using the passwd utility. If you simply leave it blank, then it is a valid account without a password:

$ cat >> /etc/passwd
evan::504:100:EvanD:/home/evan:/bin/bash
{press Ctrl+D}
$
$ passwd evan
New user password: {enter password}
Retype new user password: {enter password again}
passwd: all authentication tokens updated successfully
$
$ tail -1 /etc/passwd
evan:petKv.fLWG/Ig:504:100:EvanD:/home/evan:/bin/bash
$

NOTE: Any user can use the passwd utility to change their password. Only the root user, however, can use it to change the password of another user.

Notice that this method places the encrypted password in the /etc/passwd file itself, and does not utilize the /etc/shadow file. Provided the home directory exists and the user is the owner of it, the user can now be an authenticated user.

A utility provided with Linux to simplify this process is useradd (most vendors also ship their own utilities). You must use options with the utility, and a key one is -D to display the default settings. Here's an example:

$ useradd -D
GROUP=100
HOME=/home/%s
SHELL=/bin/bash
SKEL=/etc/skel
PASS_MIN_DAYS=0
PASS_MAX_DAYS=-1
PASS_WARN_DAYS=7
PASS_INACTIVE=-1
PASS_EXPIRE=-1
$

These are the defaults that will be used when a new user is created with this utility. The defaults come from the text file /etc/login.defs. Therefore, the following sequence is possible:

$ useradd kerby
$ tail -1 /etc/passwd
kerby:x:508:100:Sample User:/home/kerby:/bin/bash
$ tail -1 /etc/shadow
kerby:*not set*:11213:0:-1:7:-1:-1:
$
$ passwd kerby
New user password: {enter password}
Retype new user password: {enter password again}
passwd: all authentication tokens updated successfully
$ tail -1 /etc/shadow
kerby:M3cMnQDwHjRD6:11213:0:-1:7:-1:-1:
$

Note that the /etc/shadow file is used, and the values used to create the entries in the two files come directly from the defaults:

  • GROUP becomes the fourth field of passwd
  • HOME becomes the sixth field of passwd, with the %s variable becoming the name given on the command line (which becomes the first field of both passwd and shadow)
  • SHELL becomes the seventh field of passwd
  • PASS variables are entered into the appropriate fields of shadow
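To make the mapping concrete, here is an added example (my own code, not useradd's) that assembles the passwd and shadow lines from the -D defaults shown above, substituting %s in HOME and placing the PASS values in the shadow aging fields. The helper names, the EXISTING sample entries and the search for the next free UID are assumptions for this demonstration.

```python
USERADD_DEFAULTS = {   # values as printed by `useradd -D` in the column
    "GROUP": "100", "HOME": "/home/%s", "SHELL": "/bin/bash", "SKEL": "/etc/skel",
    "PASS_MIN_DAYS": "0", "PASS_MAX_DAYS": "-1", "PASS_WARN_DAYS": "7",
    "PASS_INACTIVE": "-1", "PASS_EXPIRE": "-1",
}

def uid_owner(uid, passwd_lines):
    """Login name that already holds `uid`, or None if the number is free."""
    for line in passwd_lines:
        f = line.split(":")
        if int(f[2]) == uid:
            return f[0]
    return None

def build_entries(login, passwd_lines, today_days, gecos="", uid=None,
                  defaults=USERADD_DEFAULTS):
    """Return the (passwd, shadow) lines useradd would append for `login`."""
    if uid is None:                 # default: lowest free number from 500 up
        uid = 500
        while uid_owner(uid, passwd_lines) is not None:
            uid += 1
    elif uid_owner(uid, passwd_lines) is not None:   # like useradd -u on a taken number
        raise ValueError(f"UID {uid} already belongs to {uid_owner(uid, passwd_lines)}")
    d = defaults
    passwd = ":".join([login, "x", str(uid), d["GROUP"], gecos,
                       d["HOME"].replace("%s", login), d["SHELL"]])
    # No password yet (passwd sets it later); the PASS_* values fill the aging
    # fields in order, and the trailing colon ends the reserved ninth field.
    shadow = ":".join([login, "*not set*", str(today_days), d["PASS_MIN_DAYS"],
                       d["PASS_MAX_DAYS"], d["PASS_WARN_DAYS"], d["PASS_INACTIVE"],
                       d["PASS_EXPIRE"], ""])
    return passwd, shadow

# Constructed sample of an existing /etc/passwd in which UIDs 500-507 are taken.
EXISTING = ["root:x:0:0:root:/root:/bin/bash"] + [
    f"u{n}:x:{n}:100::/home/u{n}:/bin/bash" for n in range(500, 508)]
```

With EXISTING as input, `build_entries("kerby", EXISTING, 11213, gecos="Sample User")` reproduces the two kerby lines shown above, UID 508 included.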

The SKEL variable was not used in this example. By default, useradd will make the entries in the passwd and shadow files, but it will not create the home directory for the user. If you use the -m option, useradd will also create the home directory for the user and copy files from the SKEL location (a skeleton, or template, of files that you want copied for every new user) into the new directory. In typical implementations, /etc/skel holds the following files:

  • .bash_logout
  • .bashrc
  • .cshrc
  • .inputrc
  • .login
  • .logout
  • .profile
  • .seyon
  • .tcshrc

All the files are hidden files used for processing (setting up variables, environment, etc.) with the various shells.
There are a number of options that can be used with useradd to override default settings, and they include:

  • -c to specify the free text (fifth field of passwd) associated with the user. Most Linux implementations default to an empty entry here or a variation of the user's name.
  • -d to specify a home directory different than /home/{username}.
  • -e to change expiration date (format: mm/dd/yyyy).
  • -f for the variable defining how many days after expiration the account becomes disabled. The default of -1 prevents it from being disabled even after expiration.
  • -g to specify a different GID.
  • -r for a root directory.
  • -s to choose a different shell.
  • -u to specify a UID. By default, the next available number is used. If you try to use a number that is already in use, the utility fails and identifies which user already has that number.

Beyond the Basics
So we've covered the basics of passwords: files and users. Now we'll get into more intermediate skills, including switching between passwd and shadow, using su and managing user accounts.

Passwd and Shadow
In the manual example for creating a new user above, the encrypted password appears in the /etc/passwd file and not the /etc/shadow file. If you want to do manual additions and still use /etc/shadow, the pwconv utility is invaluable. This utility reads the entire passwd file and converts new entries into shadow file entries.

The opposite of pwconv is pwunconv, which takes entries from the shadow file and places them in the appropriate format in the passwd file. As a final step, pwunconv removes the shadow file completely.

Using Su
The entries in the passwd file represent valid accounts that can log in. Any user can sit at the system and give the correct username and password combination to log in as that user. Any user who is already logged in can also use the su utility to change identity to another user if they know that user's password. This creates a subshell, if you will, in which one user becomes another; typing exit reverts to the original identity.

While there are dozens of harmful reasons why a user might want to become another, there are also very legitimate ones. If su is given without a user name following it, it tries to make the user the superuser (root) and requires the password for that account. Therefore, as an administrator, you can log in as a typical user without root permissions and begin your day. The lack of root permissions can be a blessing, as it can keep you from deleting entries you unintentionally typed.

When a user comes up with a problem, you can use su to become root with all rights and privileges as if you had logged in as such, fix their problem, and then exit back to your regular account again.

Managing Accounts
Once an account has been created, you can manage and modify it manually or through the use of utilities. For example, if a user named Karen Dulaney gets married and her name changes to Karen Brooks, you can edit the passwd and shadow files and change the first field of each from kdulaney to kbrooks. Since the UID stays the same, all files associated with her remain hers. The home directory can be renamed and the change made in passwd as well (it is always recommended that the home directory and username match, for administrative purposes).

As another example, if Karen gets promoted to administration, it may be necessary to remove her from the users group and place her in the root group. This can also be accomplished by manually editing the /etc/passwd file and changing the GID field. Similar changes can be made for each field within the files.

Just as useradd is intended to simplify the addition of users to the system and avoid manual entries, usermod is meant to simplify changing existing values. Options/flags must be used with the utility, and the possibilities are:

  • -c to replace the descriptive text with a new value.
  • -d to alter the home directory.
  • -e to change the password expiration date.
  • -f to set the inactive parameter.
  • -G to change secondary group membership. More than one group can be given as long as commas separate the entries.
  • -g to change the GID.
  • -l to change the login name.
  • -m (must be used with -d) to make the new home directory.
  • -p to change the password.
  • -s to choose a different shell.
  • -u to change the UID.

Aside from the text description, most of the values require the user to not be logged in while the change is made. An example of a change would be:

$ grep krist /etc/passwd
kristin:petKv.fLWG/Ig:506:100:kristin:/home/kristin:/bin/bash
$ usermod -l kristen kristin
$ grep krist /etc/passwd
kristen:petKv.fLWG/Ig:506:100:kristin:/home/kristin:/bin/bash
$ ls -l /home
drwxr-xr-x 4 evan users 1024 Jul 6 11:16 evan
drwxr-xr-x 4 kristin users 1024 Aug 8 10:29 kristin
drwxr-xr-x 4 spencer users 1024 Jul 6 11:16 spencer
$ usermod -d /home/kristen -m kristen
$ ls -l /home
drwxr-xr-x 4 evan users 1024 Jul 6 11:16 evan
drwxr-xr-x 4 kristen users 1024 Aug 8 10:29 kristen
drwxr-xr-x 4 spencer users 1024 Jul 6 11:16 spencer
$ grep krist /etc/passwd
kristen:petKv.fLWG/Ig:506:100:kristin:/home/kristen:/bin/bash
$

The usermod utility has the -p option for changing passwords, but that is more commonly done with the passwd utility discussed earlier. The standalone utility is safer in that it requires you to enter the value twice, which helps prevent entering a value that is off by one character from what you intended and that would otherwise have locked you out.

If there are a large number of passwords that need to be changed (think system break-in), you can do a batch change with the chpasswd utility. To use it, create a text file with one entry per line. Each line consists of the username and its new password, separated by a colon. For example:

$ cat > changes
kristen:spea23ker
evan:pho78ne
kdulaney:fla98sh
{Ctrl+D}
$
$ chpasswd < changes
$

The passwords are in clear text, and for that reason, you will want to remove the batch file from your system as soon as possible. An alternative is to use encrypted passwords and use the -e option with chpasswd.

NOTE: It is a good idea to encourage users to use good passwords. Good passwords are those that consist of at least six characters, mix letters, characters and numbers, and cannot be easily guessed.

More Advanced Skills
Here we'll get into the slightly more advanced chores of removing user accounts and troubleshooting problems.

Removing User Accounts
When a user account is no longer needed, there are a number of ways you can deal with the situation. The first question you have to address is why the account is no longer needed. Once you know that, then you can formulate a plan for dealing with it.

The following three common reasons for not needing an account offer some scenarios and methods of proceeding:

1. User has been temporarily transferred to Siberia: If it is a temporary situation, you do not want to delete the account; doing so will remove all references that may be needed later. To temporarily disable the account, edit the /etc/passwd file and place a pound sign (#) at the beginning of the line. This will make the entire line a comment and disable the account.

2. User's password has been jeopardized by a hacker: Change the password to another value to keep the other party out. For further security, rename the login name and home directory.

3. User has left the organization: Remove the account from /etc/passwd, /etc/shadow and delete the home directory.

The userdel utility can also be used to remove the user. This utility removes the user from system files (passwd and shadow), but you must still remove any files associated with them.

Troubleshooting Password Issues
Several kinds of password problems can occur. The following offers some scenarios and methods of proceeding:

1. The user has forgotten their password completely: You can change it to a new value with the passwd utility or edit the /etc/passwd file and remove the second field (then have them assign a new value using the passwd utility).

2. The administrator quit and won’t tell anyone the password for root: Assuming that you cannot just edit the /etc/passwd file (preferred method), on many systems you can reboot the machine and enter single user mode (type linux single or follow other procedures as you prefer). At the prompt, type passwd root and enter the new password.

Most other issues that crop up can be addressed with the tools already discussed.

Go Forth and Secure
Knowing as much as you can about passwords, the files that store them, and the way they interact with the system, can go a long way toward helping you solve user problems. Down the road, we’ll examine groups with a similar approach and see what issues there are related to them.



Emmett Dulaney is the author of several books on Linux, Unix and certification, including the Security+ Study Guide, Third Edition. His blog can be found at http://edulaney.blogspot.com and he can be reached at .