Managing users on Linux environments is a crucial responsibility. Configuring accessible yet restricted accounts has formed the cornerstone of Linux security for decades.
Over time, Linux has evolved robust controls around granular privileges, hardening user identities, monitoring account activity, and flexibly adding/deleting users.
This article will make you an expert at wielding the full power of user administration across local Linux and directory services like LDAP. I‘ll explain adding users, modifying existing accounts, account security enhancements, auditing, and removal best practices.
A Brief History of Linux User Management
In the early days of Unix and Linux, user accounts were rudimentary – you added accounts to the /etc/passwd file and set the shell. But the model quickly advanced to incorporate concepts like:
- Password protected accounts
- Encrypted credentials via hashes
- User ID and Group ID assignments
- Locking disabled accounts
- Restricting access to binaries
- File permissions tied to user and group
Fast forward to today, where we have extremely robust controls like:
- Password complexity requirements
- Multi-factor authentication
- Sudo for granular privileges
- User profiles for security limits
- Sophisticated user account reporting
Now let‘s break down the major categories of user accounts within the Linux environment today…
Types of User Accounts
There are a few core types of users to be aware of in Linux:
Root: The "superuser" account equivalent to the Windows administrator. Root can override all restrictions and has full control.
Service Accounts: Predefined accounts used to run network services like SSH that do not allow interactive shell access and aren‘t tied to individuals.
Generic Users: Default user accounts allocated for everyday users like employees, developers, support teams, etc. Almost always limited through permissions, groups, profiles, etc.
Proper user account administration means granting enough access for productivity without opening unnecessary security holes. This concept of restricting privileges based purely on specific needs is referred to as "Principle of Least Privilege".
Now let‘s jump into the commands that enable creating, customizing and removing Linux users!
Adding Brand New User Accounts
When onboarding a new team member or standing up an application, you‘ll need to safely append a shiny new user account fit for purpose.
The adduser interactive script makes it straightforward:
# adduser johnYou‘ll be prompted for key details like the password, shell access, username, etc. This simplifies user creation without having to memorize command arguments for parameters.
Under the hood adduser invokes Linux‘s useradd command. Let‘s walk through some handy useradd switches:
| Option | Description |
|---|---|
-c |
Comment/description for user |
-d |
Home directory location |
-g |
Primary group (by name/ID) |
-G |
Supplementary groups |
-m |
Create home folder if doesn‘t exist |
-p |
Encrypted password |
-r |
Create system account |
-s |
Default shell |
-u |
Custom user ID instead of default |
For example, to build john a customized home folder with zsh shell and add secondary docker group:
# useradd -m -d /home/john -s /bin/zsh -G docker john Pro Tip: Always manually set a strong password after account creation instead of passing one on the command line!
No matter which command you leverage, be sure to check that everything looks right afterward:
# id john
uid=1107(john) gid=1107(john) groups=1107(john),999(docker)Also validate the permissions fit your environment‘s policies:
# ls -ld /home/john
drwx------ 2 john john 4096 Feb 21 17:32 /home/johnSetting up user accounts securely from day one prevents headaches down the road!
Modifying User Accounts
Reasons you may need to tweak user properties include new access requirements, migrations to central authentication (LDAP/AD), or system changes.
Altering Passwords
Start by enforcing strong passwords leveraging Linux‘s pam_cracklib module. Set a minimum length, complexity, disallow common strings, etc:
password requisite pam_cracklib.so minlen=15 ucredit=-1 dcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_rootYou can force password changes with chage which is useful for rotational compliance.
Switching Default Shell
Switch the shell that initializes upon login like so:
# usermod -s /bin/zsh johnShell paths depend on your environment, some common options are bash,csh, ksh, zsh and tcsh.
Transition Home Folder
To smoothly transfer john‘s home directory while retaining permissions and attributes:
# usermod -d /new/john john
# cp -ax /home/john/. /new/john
# chown -R john:john /new/johnTest functionality before deleting originals!
Add/Remove Group Associations
Supplementary groups allow access to shared resources. Append groups safely:
# usermod -aG docker,apps johnAnd remove associations without modifying files:
# gpasswd -d john docker Enhance Sudo Privileges
Sudo is preferred over direct root for more control and visibility. Stay secure while expanding access with included/excluded sudo permission specifications inside /etc/sudoers.
Deleting Users and Disabling Logins
Removing access needs to disable both login and filesystem reach. Let‘s review smart methods for dropping users.
Temporarily Locking Accounts
To quickly revoke interactivity you can lock user credentials:
# passwd -l john This prevents login while data remains available to proper channels.
Deleting a User
When it‘s time for complete removal, userdel erases accounts:
# userdel -r johnThe -r recursive flag wipes all owned files which is critical to cutting off access vectors.
Always backup user data before outright deletion in case recovery is ever needed!
Auditing User Account Activity
Monitoring account alterations and authentication events is pivotal for security and compliance.
Centralized log aggregation coupled with startled reports ensures you capture events like:
- New user creation
- Changes made to accounts/groups
- Authentication successes and failures
- Privilege escalations
Alert aggressively on anomalies associated with administrative activity.
Hardening All User Accounts
Finally, let‘s review some universal precautions relevant to all user identities:
Password Complexity
Configure Linux‘s PAM modules to enforce password strength across environments:
minlen=14 \
dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 \
maxrepeat=3 \
reject_username difok=7 enforce_for_rootMulti-factor Authentication
Require a secondary form of identity verification before allowing access using methods like Duo, Yubikey, SMS tokens, etc.
Frequency of Rotation
Force password refreshes regularly to limit exchange duration. But strike a balance, as frequent changes encourage weak passwords.
Common Passwords
Block the most common strings and dictionary words from being used with PAM integration.
Following identity hardening guides like NIST 800-63B framework is highly recommended.
Conclusion
This guide just scratched the surface for flexible Linux user management. Follow best practices around least privilege, complex credentials, and monitoring to avoid mistakes.
Implement controls tailored to your organizational compliance and security posture. Audit access, lock unused accounts, require MFA, enforce frequent rotation for sensitive systems.
Mastering native Linux user administration sets the foundation for safely onboarding users and restricting dangers. Plus skills translate to central services like LDAP and RedHat IDM as your infrastructure evolves.
Let me know if you have any other questions!
