User Management
This guide provides step-by-step instructions for managing user accounts in Kicksecure, enhancing system security and facilitating multi-user environments.
Add a New User
Optional!
To create a new user account named user2, execute the following command:
Note: Replace user2 with the desired username for the new account.
sudo adduser user2
This command will prompt you to set a password and fill in additional information for the new user. Ensuring each user has a unique account helps maintain system security and organizes user-specific configurations.
Allow New User to Login to Virtual Console
Optional!
This step is necessary only if the new user account should have access to the Virtual Console for direct system interaction without a graphical interface. This can be useful for users that will also be members of the sudo group for purposes of recovery.
(This is related to the security feature Console Lockdown.)
sudo adduser user2 console
Allow New User Sudo Access
Optional!
If you want user2 to perform administrative tasks with elevated privileges, add them to the sudo group.
See also Safely Use Root Commands for best practices when executing commands as root.
sudo adduser user2 sudo
Adding user2 to the sudo group enables them to execute commands with root privileges by prefacing commands with sudo. Use this responsibly to prevent unintended system changes.
Switch User
To switch to the new user account, follow these steps:
Start menu → Log Out or Switch User → login
- Username: user2
- Password: The password set during the creation of user2.
User Restrictions
TODO: document topics not covered yet
- restricted shell (any secure available?)
- libpam-chroot (might be weak?)
- /etc/security/limits.conf
- file system quotas
- snoopy
- Logging off idle users
Meanings of Special Characters in the Password Field of /etc/shadow File
In case you are not using Kicksecure, it is advisable to consult your OS documentation, as special characters might be different and have different meanings depending on the build flags passed by the package maintainer or yourself when compiling the OpenSSH server.
The shadowed password file has fields delimited by the : character. The file stores user passwords in the second field, almost always hashed unless the user set the password manually with a tool that doesn't hash the password.
Behind the scenes, shadow(5) interacts with crypt(3) for password manipulation. crypt(3) generates the hashed password, which is always entirely printable ASCII and does not contain whitespace, !, *, :, ;, or \. These characters are reserved for special meanings to be used by interacting tools such as passwd(5) and shadow(5). The usage of ; and \ in the shadow password field is undocumented and possibly dependent on the passwd(5) implementation; using them is discouraged, as programs that read the shadowed password file might not understand their meaning and ignore or break the login.
Table: /etc/shadow Special Characters Comparison Table

Symbol | Field | Meaning | Explanation |
---|---|---|---|
! | First character | Locked password | The account is locked, and the user cannot authenticate using a password. SSHD prohibits all forms of authentication when sshd_config has UsePAM yes. |
* | First character or after ! | Disabled password | The account is disabled, and the user cannot authenticate using a password. SSHD permits authentication when it is not by password. |
$PREF$PASS | After password state symbols if present | Hashing scheme and hashed passphrase | The example uses PREF for the hashing scheme and PASS for the hashed passphrase. |
There is no standard meaning of the states of locking and disabling a password; their interpretation depends on the tool that is being used for authentication. Not all operating systems have both modes; some only have the locking mode.
Fields can coexist and evaluation of characters is done left to right. Here are some examples:
!            # password empty, locked
!!           # password empty, never set (Red Hat syntax), unlocked
!*           # password empty, locked and disabled
*            # password empty, disabled
$PREF$PASS   # password set
!$PREF$PASS  # password set, locked
!*$PREF$PASS # password set, locked and disabled
*$PREF$PASS  # password set, disabled
The combination !* is the sum of ! and *, which appears in the password field of the system users polkitd and systemd-coredump. By default, systemd-sysusers creates accounts disabled using the aforementioned combination. There is no documentation on why this combination is used besides the phrase in sysusers.d(5): "The account will be created disabled, so that logins are not allowed." We consider it a way to emphasize that the account should never be logged into.
The combination !! is set automatically on some Red Hat-developed operating systems when the user account was created but no password was set, as a way to signal to programs reading the shadowed password file that a password should/must still be set, and possibly to notify the user from time to time to set a password. On other Linux systems, the presence of at least one ! symbol means the password is locked, and more than one shouldn't cause any problems or benefits.
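The following is an added example, not code from the Kicksecure page or project: it classifies the second field of constructed /etc/shadow entries using the left-to-right rules and state symbols described above, renders each state the way the examples above do, and flags the empty-field case as an audit finding. The sample entries and placeholder hashes are constructed for illustration only.

```python
# Added example, not from the Kicksecure page: classify /etc/shadow password
# fields using the left-to-right rules described above (leading '!' = locked,
# '*' = disabled, anything after = hashed passphrase, empty = no password).
from dataclasses import dataclass

# Constructed sample entries; the hashes are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:!$y$j9T$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:!!:19000:0:99999:7:::
polkitd:!*:19000::::::
nobody:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

# Characters crypt(3) never emits; finding one inside the hash part is suspect.
RESERVED = set("!*:;\\ \t")

@dataclass
class PasswordState:
    user: str
    locked: bool        # at least one leading '!'
    never_set: bool     # '!!' with nothing after it (Red Hat convention)
    disabled: bool      # '*' after the lock marker(s)
    password_set: bool  # a hashed passphrase follows the state symbols
    empty: bool         # field is empty: login possible with only the username
    malformed: bool     # reserved characters inside the hash part

def classify_field(user: str, field: str) -> PasswordState:
    rest = field
    bangs = 0
    while rest.startswith("!"):       # evaluate state symbols left to right
        bangs += 1
        rest = rest[1:]
    disabled = rest.startswith("*")
    if disabled:
        rest = rest[1:]
    return PasswordState(user, bangs > 0, bangs >= 2 and rest == "", disabled,
                         rest != "", field == "", any(c in RESERVED for c in rest))

def describe(s: PasswordState) -> str:
    """Render a state like the examples above, e.g. 'password set, locked'."""
    flags = [f for f, on in (("locked", s.locked), ("disabled", s.disabled)) if on]
    base = "password set" if s.password_set else "password empty"
    return base + (", " + " and ".join(flags) if flags else "")

def parse_shadow(text: str) -> list:
    states = []
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")   # field 2 is the password field
            states.append(classify_field(fields[0], fields[1]))
    return states

def passwordless_accounts(states) -> list:
    """Audit helper: accounts whose field is empty (the dangerous case above)."""
    return [s.user for s in states if s.empty]
```

Run against a real file with `sudo cat /etc/shadow` fed into `parse_shadow` to list which accounts are locked, disabled, or passwordless before deciding which tool from the tables below to apply.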
Different operating systems consider different symbols for locking. This is a non-exhaustive table of discrepancies of locking symbols per operating system:
Symbol | OS |
---|---|
! | linux, k*bsd*-gnu and kopensolaris*-gnu |
* | openbsd |
*LOCKED* | freebsd |
*LK* | solaris, irix5, irix6, sysv4.2 and sysv5 |
Nologin | dec-osf |
Tools to Manage an Account's Password State
Do not edit the /etc/shadow file directly. Instead, use proper tools to interact with it; the relevant ones are listed below in order of recommendation, accompanied by their disadvantages. Please note that different operating systems have different options; the options below were only tested on Kicksecure.
Locking a Password
"Locking a password". Does that mean the user cannot change their password anymore? No. It means the user cannot log in anymore using the password.
The user might still be able to log in if an SSH server is installed and the user has set up public key authentication. See also the SSH wiki page chapter SSH Login Comparison Table.
Tool | Disadvantages |
---|---|
passwd -l,--lock | None. |
usermod -L,--lock | None. |
usermod -p '!' | Substitutes everything for !. |
printf '%s' "USER:!" \| chpasswd -c NONE | Substitutes everything for !. |
useradd | Cannot modify existing user's password. Only works when no password is set with -p,--password PASSWORD. |
adduser --disabled-login | Cannot modify existing user's password. May also change the shell to /usr/sbin/nologin if --system is used. |
Setting the user account's shell to nologin might be a good additional measure for preventing logins using any method. This can be done with the following command.
Note: Replace <username> with the actual account name.
sudo chsh --shell /usr/sbin/nologin <username>
Unlocking a Password
Tool | Disadvantages |
---|---|
passwd -u,--unlock | Cannot unlock when password is empty. |
passwd -d,--delete | Deletes the password entirely, allowing passwordless login. |
usermod -U,--unlock | Cannot unlock when password is empty. |
Disabling a Password
Tool | Disadvantages |
---|---|
usermod -p '*' | Substitutes everything for *. |
printf '%s' "USER:*" \| chpasswd -c NONE | Substitutes everything for *. |
adduser --disabled-password | Cannot modify existing user's password. |
Setting a Password
Tool | Disadvantages |
---|---|
printf '%s' "USER:PASS" \| chpasswd | None. |
passwd | Requires a terminal (unless it has the --stdin option). |
adduser | Cannot modify existing user's password. Requires interaction. |
useradd -p,--password PASSWORD | Cannot modify existing user's password. Expects the password to be already encrypted. Password will be visible in the process list. Cannot lock and set a password with a single command. |
usermod -p,--password PASSWORD | Expects the password to be already encrypted. Password will be visible in the process list. Cannot lock and set a password with a single command. |
Enable a Password or Unlock an Empty Password
There isn't a tool with an option to enable the password (remove the * prefix) or unlock a password (remove the ! prefix) if the password is empty. In these situations, you must either set a new password for the account, or delete the password entirely. Deleting the password will leave the password field empty, which is dangerous and should not be considered in most instances, as it allows passwordless login using only the account name.
Attribution
Kicksecure is an Implementation of the Securing Debian Manual. This chapter has been inspired by the following chapters of the Securing Debian Manual:
- Limiting resource usage: the limits.conf file
- Restricting users's access
- User auditing
- File system limits and control, Using quotas