TimeLinux1

Thursday, January 13, 2011

Linux: User Management Tips

Without going into the details of commands and syntax, here are some helpful points to remember about user management:

-/etc/passwd is, after all, a database for small or standalone systems.
-Directory services (e.g. NIS, LDAP) replace it for user management in bigger installs.
-/etc/passwd has seven colon-delimited fields for each line entry.
-Password encryption algorithms are set in the /etc/login.defs file. The default algorithm is called 'crypt'.
-This file (/etc/login.defs) also sets the password policy (e.g. length, age, expiry etc.).
-If you put a * or an x in the password field in /etc/passwd, it forces new users to set a passwd at first login.
-Never ever leave this field empty--big security hole.
-If you have a fake login shell in the /etc/passwd file (e.g. /bin/false), then login as that user is not allowed.
-bash is from GNU.
-When people leave an org, it is not a good idea to recycle UIDs, because if you restore from backups, wrong UIDs will be restored.
-UID and GID are 32-bit integers.
-The default GID is not used to determine access (unlike the UID); it is only used during new file/dir creation.
-If the home dir field is empty in /etc/passwd, it puts the user in /. But if /etc/login.defs sets default_home=no, login is disallowed.
-Before creating users on a system, get people to read, sign and date user agreement/policy docs.
-To create users in bulk, Linux provides the utility called 'newusers'.
-To lock accounts: usermod -L; to unlock accounts: usermod -U.
-The -L puts an '!' in front of the encrypted passwd in /etc/shadow; -U removes it.
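Several of the points above (seven fields per line, an empty password field, a fake login shell, an empty home directory, and the '!' prefix that usermod -L writes into /etc/shadow) can be checked mechanically. The script below is an added example, not code from the original post; it runs against constructed sample copies of /etc/passwd and /etc/shadow embedded in the script so it works offline, and can be pointed at the real files by setting PASSWD_FILE and SHADOW_FILE (reading /etc/shadow requires root).

```shell
#!/bin/sh
# Added example: audit passwd/shadow entries for the conditions described
# in the tips. The sample contents below are constructed for this demo;
# set PASSWD_FILE=/etc/passwd SHADOW_FILE=/etc/shadow to audit a live box.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob::1002:1002:Bob:/home/bob:/bin/bash
svc:x:1003:1003:Service:/var/lib/svc:/bin/false
carol:x:1004:1004:Carol::/bin/bash
broken:x:1005:1005:Missing shell field:/home/broken'

SHADOW_SAMPLE='root:$6$constructedhash:18640:0:99999:7:::
alice:$6$constructedhash:18640:0:99999:7:::
bob::18640:0:99999:7:::
svc:!$6$constructedhash:18640:0:99999:7:::
carol:$6$constructedhash:18640:0:99999:7:::'

# Emit the passwd/shadow data: the real file if requested, else the sample.
passwd_source() {
    if [ -n "$PASSWD_FILE" ]; then cat "$PASSWD_FILE"; else printf '%s\n' "$PASSWD_SAMPLE"; fi
}
shadow_source() {
    if [ -n "$SHADOW_FILE" ]; then cat "$SHADOW_FILE"; else printf '%s\n' "$SHADOW_SAMPLE"; fi
}

# Entries that do not have exactly seven colon-delimited fields.
malformed_entries() {
    passwd_source | awk -F: 'NF != 7 { print $1 }'
}

# Users whose passwd password field is empty: login needs no password at all.
empty_password_users() {
    passwd_source | awk -F: 'NF == 7 && $2 == "" { print $1 }'
}

# Users whose login shell is a non-interactive placeholder, so login is refused.
fake_shell_users() {
    passwd_source | awk -F: 'NF == 7 && ($7 == "/bin/false" || $7 == "/sbin/nologin" || $7 == "/usr/sbin/nologin") { print $1 }'
}

# Users with an empty home directory field (they would land in /).
empty_home_users() {
    passwd_source | awk -F: 'NF == 7 && $6 == "" { print $1 }'
}

# Accounts locked with usermod -L: the shadow hash starts with '!'.
locked_users() {
    shadow_source | awk -F: 'substr($2, 1, 1) == "!" { print $1 }'
}

# Shadow entries whose hash field is empty: the same hole, seen from /etc/shadow.
empty_shadow_hash_users() {
    shadow_source | awk -F: '$2 == "" { print $1 }'
}

# Human-readable summary of all checks (one line per check).
audit_report() {
    echo "malformed entries:      $(malformed_entries | tr '\n' ' ')"
    echo "empty passwd field:     $(empty_password_users | tr '\n' ' ')"
    echo "empty shadow hash:      $(empty_shadow_hash_users | tr '\n' ' ')"
    echo "fake login shell:       $(fake_shell_users | tr '\n' ' ')"
    echo "empty home directory:   $(empty_home_users | tr '\n' ' ')"
    echo "locked (usermod -L):    $(locked_users | tr '\n' ' ')"
}

audit_report
```

Any name listed under "empty passwd field" or "empty shadow hash" is the hole the tips warn about; names under "fake login shell" and "locked" are accounts that cannot log in interactively, which is usually what you want for service accounts and for people who have left.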


-Microsoft's Active Directory is based on LDAP and Kerberos. It tries to be the boss in a heterogeneous env.
-In a heterogeneous env with Microsoft and Linux, Active Directory is easier to set as the primary and Linux LDAP DBs as secondary.
-Several open-source SSO systems exist, like JOSSO, CAS, Likewise Open etc.
