DragonFly BSD

Users

Users and Basic Account Management

*Contributed by Neil Blakey-Milner. *

Synopsis

Unix, including DragonFly BSD is, as previously explained, a multi-user, multi-tasking system. It is therefore possible, and in fact very common, to have a situation where many users are logged on to one computer, and every one of these users is running many different jobs. Although only one user can physically sit at the computer and use the monitor, keyboard, and mouse connected thereto, others can get their work done by logging in through the network.

After reading this chapter, you will know:

Before reading this chapter, you should:

Introduction

All access to the system is achieved via accounts, and all processes are run by users, so user and account management are of integral importance on DragonFly systems.

Every account on a DragonFly system has certain information associated with it to identify the account.

There are three main types of accounts: the Superuser, system users and user accounts. The Superuser account, usually called root, is used to manage the system with no limitations on privileges. System users run services. Finally, user accounts are used by real people, who log on, read mail, and so forth.

The Superuser Account

The superuser account, usually called root, comes preconfigured to facilitate system administration, and should not be used for day-to-day tasks like sending and receiving mail, general exploration of the system, or programming.

This is because the superuser, unlike normal user accounts, can operate without limits, and misuse of the superuser account may result in spectacular disasters. User accounts are unable to destroy the system by mistake, so it is generally best to use normal user accounts whenever possible, unless you especially need the extra privilege.

You should always double and triple-check commands you issue as the superuser, since an extra space or missing character can mean irreparable data loss.

So, the first thing you should do after reading this chapter is to create an unprivileged user account for yourself for general usage if you have not already. This applies equally whether you are running a multi-user or single-user machine. Later in this chapter, we discuss how to create additional accounts, and how to change between the normal user and superuser.

System Accounts

System users are those used to run services such as DNS, mail, web servers, and so forth. The reason for this is security; if all services ran as the superuser, they could act without restriction.

Examples of system users are daemon, operator, bind (for the Domain Name Service), and news. Often sysadmins create httpd to run web servers they install.

nobody is the generic unprivileged system user. However, it is important to keep in mind that the more services that use nobody, the more files and processes that user will become associated with, and hence the more privileged that user becomes.

User Accounts

User accounts are the primary means of access for real people to the system, and these accounts insulate the user and the environment, preventing the users from damaging the system or other users, and allowing users to customize their environment without affecting others.

Every person accessing your system should have a unique user account. This allows you to find out who is doing what, prevent people from clobbering each others' settings or reading each others' mail, and so forth.

Each user can set up their own environment to accommodate their use of the system, by using alternate shells, editors, key bindings, and language.

Modifying Accounts

There are a variety of different commands available in the UNIX® environment to manipulate user accounts. The most common commands are summarized below, followed by more detailed examples of their usage.

Command Summary
adduser(8) The recommended command-line application for adding new users.
rmuser(8) The recommended command-line application for removing users.
chpass(1) A flexible tool to change user database information.
passwd(1) The simple command-line tool to change user passwords.
pw(8) A powerful and flexible tool to modify all aspects of user accounts.

adduser

adduser(8) is a simple program for adding new users. It creates entries in the system passwd and group files. It will also create a home directory for the new user, copy in the default configuration files (dotfiles) from /usr/share/skel, and can optionally mail the new user a welcome message.

To create the initial configuration file, use adduser -s -config_create. Next, we configure adduser(8) defaults, and create our first user account, since using root for normal usage is evil and nasty.

Example 8-1. Configuring adduser and adding a user

# adduser -v

Use option -silent if you don't want to see all warnings and questions.

Check /etc/shells

Check /etc/master.passwd

Check /etc/group

Enter your default shell: csh date no sh tcsh zsh [sh]: zsh

Your default shell is: zsh -> /usr/local/bin/zsh

Enter your default HOME partition: [/home]:

Copy dotfiles from: /usr/share/skel no [/usr/share/skel]:

Send message from file: /etc/adduser.message no

[/etc/adduser.message]: no

Do not send message

Use passwords (y/n) [y]: y



Write your changes to /etc/adduser.conf? (y/n) [n]: y



Ok, let's go.

Don't worry about mistakes. I will give you the chance later to correct any input.

Enter username [a-z0-9_-]: jru

Enter full name []: J. Random User

Enter shell csh date no sh tcsh zsh [zsh]:

Enter home directory (full path) [/home/jru]:

Uid [1001]:

Enter login class: default []:

Login group jru [jru]:

Login group is ***jru***. Invite jru into other groups: guest no

[no]: wheel

Enter password []:

Enter password again []:



Name:     jru

Password: ****

Fullname: J. Random User

Uid:      1001

Gid:      1001 (jru)

Class:

Groups:   jru wheel

HOME:     /home/jru

Shell:    /usr/local/bin/zsh

OK? (y/n) [y]: y

Added user ***jru***

Copy files from /usr/share/skel to /home/jru

Add another user? (y/n) [y]: n

Goodbye!

#

In summary, we changed the default shell to zsh (an additional shell found in pkgsrc®), and turned off the sending of a welcome mail to added users. We then saved the configuration, created an account for jru, and made sure jru is in wheel group (so that she may assume the role of root with the su(1) command.)

Note: The password you type in is not echoed, nor are asterisks displayed. Make sure you do not mistype the password twice.

Note: Just use adduser(8) without arguments from now on, and you will not have to go through changing the defaults. If the program asks you to change the defaults, exit the program, and try the -s option.

rmuser

You can use rmuser(8) to completely remove a user from the system. rmuser(8) performs the following steps:

  1. Removes the user's crontab(1) entry (if any).

  2. Removes any at(1) jobs belonging to the user.

  3. Kills all processes owned by the user.

  4. Removes the user from the system's local password file.

  5. Removes the user's home directory (if it is owned by the user).

  6. Removes the incoming mail files belonging to the user from /var/mail.

  7. Removes all files owned by the user from temporary file storage areas such as /tmp.

  8. Finally, removes the username from all groups to which it belongs in /etc/group.

    Note: If a group becomes empty and the group name is the same as the username, the group is removed; this complements the per-user unique groups created by adduser(8).

rmuser(8) cannot be used to remove superuser accounts, since that is almost always an indication of massive destruction.

By default, an interactive mode is used, which attempts to make sure you know what you are doing.

Example 8-2. rmuser Interactive Account Removal

# rmuser jru

Matching password entry:

jru:*:1001:1001::0:0:J. Random User:/home/jru:/usr/local/bin/zsh

Is this the entry you wish to remove? y

Remove user's home directory (/home/jru)? y

Updating password file, updating databases, done.

Updating group file: trusted (removing group jru -- personal group is empty) done.

Removing user's incoming mail file /var/mail/jru: done.

Removing files belonging to jru from /tmp: done.

Removing files belonging to jru from /var/tmp: done.

Removing files belonging to jru from /var/tmp/vi.recover: done.

#

chpass

chpass(1) changes user database information such as passwords, shells, and personal information.

Only system administrators, as the superuser, may change other users' information and passwords with chpass(1).

When passed no options, aside from an optional username, chpass(1) displays an editor containing user information. When the user exists from the editor, the user database is updated with the new information.

'Example 8-3. Interactive chpass by Superuser'

#Changing user database information for jru.

Login: jru

Password: *

Uid [#]: 1001

Gid [# or name]: 1001

Change [month day year]:

Expire [month day year]:

Class:

Home directory: /home/jru

Shell: /usr/local/bin/zsh

Full Name: J. Random User

Office Location:

Office Phone:

Home Phone:

Other information:

The normal user can change only a small subset of this information, and only for themselves.

Example 8-4. Interactive chpass by Normal User

#Changing user database information for jru.

Shell: /usr/local/bin/zsh

Full Name: J. Random User

Office Location:

Office Phone:

Home Phone:

Other information:

Note: chfn(1) and chsh(1) are just links to chpass(1), as are ypchpass(1), ypchfn(1), and ypchsh(1). NIS support is automatic, so specifying the yp before the command is not necessary. If this is confusing to you, do not worry, NIS will be covered in [advanced-networking.html Chapter 19].

passwd

passwd(1) is the usual way to change your own password as a user, or another user's password as the superuser.

Note: To prevent accidental or unauthorized changes, the original password must be entered before a new password can be set.

Example 8-5. Changing Your Password

% passwd

Changing local password for jru.

Old password:

New password:

Retype new password:

passwd: updating the database...

passwd: done

'Example 8-6. Changing Another User's Password as the Superuser'

# passwd jru

Changing local password for jru.

New password:

Retype new password:

passwd: updating the database...

passwd: done

Note: As with chpass(1), yppasswd(1) is just a link to passwd(1), so NIS works with either command.

pw

pw(8) is a command line utility to create, remove, modify, and display users and groups. It functions as a front end to the system user and group files. pw(8) has a very powerful set of command line options that make it suitable for use in shell scripts, but new users may find it more complicated than the other commands presented here.

Notes

The -s makes adduser(8) default to quiet. We use -v later when we want to change defaults.

Limiting Users

If you have users, the ability to limit their system use may have come to mind. DragonFly provides several ways an administrator can limit the amount of system resources an individual may use. These limits are divided into two sections: disk quotas, and other resource limits.

Disk quotas limit disk usage to users, and they provide a way to quickly check that usage without calculating it every time. Quotas are discussed in [quotas.html Section 12.12].

The other resource limits include ways to limit the amount of CPU, memory, and other resources a user may consume. These are defined using login classes and are discussed here.

Login classes are defined in /etc/login.conf. The precise semantics are beyond the scope of this section, but are described in detail in the login.conf(5) manual page. It is sufficient to say that each user is assigned to a login class (default by default), and that each login class has a set of login capabilities associated with it. A login capability is a name=value pair, where name is a well-known identifier and value is an arbitrary string processed accordingly depending on the name. Setting up login classes and capabilities is rather straight-forward and is also described in login.conf(5).

Resource limits are different from plain vanilla login capabilities in two ways. First, for every limit, there is a soft (current) and hard limit. A soft limit may be adjusted by the user or application, but may be no higher than the hard limit. The latter may be lowered by the user, but never raised. Second, most resource limits apply per process to a specific user, not the user as a whole. Note, however, that these differences are mandated by the specific handling of the limits, not by the implementation of the login capability framework (i.e., they are not really a special case of login capabilities).

And so, without further ado, below are the most commonly used resource limits (the rest, along with all the other login capabilities, may be found in login.conf(5)).

There are a few other things to remember when setting resource limits. Following are some general tips, suggestions, and miscellaneous comments.

For further information on resource limits and login classes and capabilities in general, please consult the relevant manual pages: cap_mkdb(1), getrlimit(2), login.conf(5).

Personalizing Users

Localization is an environment set up by the system administrator or user to accommodate different languages, character sets, date and time standards, and so on. This is discussed in this chapter.

Groups

A group is simply a list of users. Groups are identified by their group name and GID (Group ID). In DragonFly (and most other UNIX® like systems), the two factors the kernel uses to decide whether a process is allowed to do something is its user ID and list of groups it belongs to. Unlike a user ID, a process has a list of groups associated with it. You may hear some things refer to the group ID of a user or process; most of the time, this just means the first group in the list.

The group name to group ID map is in /etc/group. This is a plain text file with four colon-delimited fields. The first field is the group name, the second is the encrypted password, the third the group ID, and the fourth the comma-delimited list of members. It can safely be edited by hand (assuming, of course, that you do not make any syntax errors!). For a more complete description of the syntax, see the group(5) manual page.

If you do not want to edit /etc/group manually, you can use the pw(8) command to add and edit groups. For example, to add a group called teamtwo and then confirm that it exists you can use:

Example 8-7. Adding a Group Using pw(8)

# pw groupadd teamtwo

# pw groupshow teamtwo

teamtwo:*:1100:

The number 1100 above is the group ID of the group teamtwo. Right now, teamtwo has no members, and is thus rather useless. Let's change that by inviting jru to the teamtwo group.

Example 8-8. Adding Somebody to a Group Using pw(8)

# pw groupmod teamtwo -M jru

# pw groupshow teamtwo

teamtwo:*:1100:jru

The argument to the -M option is a comma-delimited list of users who are members of the group. From the preceding sections, we know that the password file also contains a group for each user. The latter (the user) is automatically added to the group list by the system; the user will not show up as a member when using the groupshow command to pw(8), but will show up when the information is queried via id(1) or similar tool. In other words, pw(8) only manipulates the /etc/group file; it will never attempt to read additionally data from /etc/passwd.

Example 8-9. Using id(1) to Determine Group Membership

% id jru

uid#1001(jru) gid1001(jru) groups=1001(jru), 1100(teamtwo)

As you can see, jru is a member of the groups jru and teamtwo.

For more information about pw(8), see its manual page, and for more information on the format of /etc/group, consult the group(5) manual page.

SSH Server on DragonFly

Unix, including DragonFly BSD is, as previously explained, a multi-user, multi-tasking system. It is therefore possible, and in fact very common, to have a situation where many users are logged on to one computer, and every one of these users is running many different jobs. Although only one user can physically sit at the computer and use the monitor, keyboard, and mouse connected thereto, others can log in through the network.

This document is very detailed so that a new user can be familiar with the environment.

If you try to ssh to a newly installed dfly from another system you will get this error

$ ssh root@172.16.50.62
ssh: connect to host 172.16.50.62 port 22: Connection refused

This is because sshd is not up and running on dfly. At this point if you check /etc/ssh you will only have the following files

# ls /etc/ssh
blacklist.DSA-1024      blacklist.RSA-2048      ssh_config
blacklist.DSA-2048      blacklist.RSA-4096      sshd_config
blacklist.RSA-1024      moduli

You don't have any SSH host keys generated for the system yet!

When you start sshd for the first time it is best to start it through the "/etc/rc.d/sshd" script which will automatically generate the host keys. For this to work right you need to do the following steps (these steps are not essential for DragonFly 2.8.2 since sshd is already enabled in rc.conf)

1) Enable sshd in rc.conf

#echo "sshd_enable=yes" >> /etc/rc.conf

2) Start the sshd server using the rc script

# /etc/rc.d/sshd start
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
........
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
........
Starting sshd.

Now if you go back and look in /etc/ssh you will find the SSH host key files too.

# ls /etc/ssh
blacklist.DSA-1024      moduli                  ssh_host_key.pub
blacklist.DSA-2048      ssh_config              ssh_host_rsa_key
blacklist.RSA-1024      ssh_host_dsa_key        ssh_host_rsa_key.pub
blacklist.RSA-2048      ssh_host_dsa_key.pub    sshd_config
blacklist.RSA-4096      ssh_host_key

At this point if you try to ssh to the dfly you will get the following error

$ ssh sgeorge@172.16.50.62
The authenticity of host '172.16.50.62 (172.16.50.62)' can't be established.
RSA key fingerprint is 46:77:28:c2:70:86:93:1a:23:32:5f:01:2c:80:de:de.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.50.62' (RSA) to the list of known hosts.
Permission denied (publickey).

This is because of the following configuration option in the default "/etc/ssh/sshd_config" file.

# To disable tunneled clear text passwords, change to no here!
# We disable cleartext passwords by default
PasswordAuthentication no

Change it to

PasswordAuthentication yes

and reload sshd configuration

# /etc/rc.d/sshd reload
Reloading sshd config files.

Now you can login to the dragonfly system as a normal user.

$ ssh sgeorge@172.16.50.62
sgeorge at 172.16.50.62's password:
Last login: Tue Oct 19 04:17:47 2010
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

DragonFly v2.7.3.1283.gfa568-DEVELOPMENT (GENERIC.MP) #3: Thu Oct 14 12:01:24 IST 2010

....

But if you try to login by SSH as root you will get the following error.

$ ssh root at 172.16.50.62
root at 172.16.50.62's password:
Permission denied, please try again.

If you investigate the log of the dragonfly system "/var/log/auth.log" you will find a line similar to

Oct 19 07:29:36 dfly-vmsrv sshd[17269]: Failed password for root from 172.16.2.0 port 56447 ssh2

even if you typed the right password for root.

It is because of the following configuration option in the default "/etc/ssh/sshd_config" file

# only allow root logins via public key pair
PermitRootLogin without-password

which allowes only SSH key based authentication as root.

If you change it to

PermitRootLogin yes

and reload sshd configuration

# /etc/rc.d/sshd reload
Reloading sshd config files.

you can login as root

$ ssh root@172.16.50.62
root at 172.16.50.62's password:
Last login: Fri Oct  8 12:22:40 2010
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

DragonFly v2.7.3.1283.gfa568-DEVELOPMENT (GENERIC.MP) #3: Thu Oct 14 12:01:24 IST 2010

Welcome to DragonFly!
......

Now in the *"/var/log/auth.log" * you will find a line similar to

Oct 19 07:30:32 dfly-vmsrv sshd[17894]: Accepted password for root from 172.16.2.0 port 56468 ssh2

WARNING :

* It is not advisable to allow Root Login with password especially if your System is connected to the Internet unless you use Very Strong Passwords. You could be a victim of ssh password based brute force attacks. If you are victim of one such attack you can find entries like the following in your* "/var/log/auth.log file".

Oct 18 18:54:54 cross sshd[9783]: Invalid user maryse from 218.248.26.6
Oct 18 18:54:54 cross sshd[9781]: input_userauth_request: invalid user maryse
Oct 18 18:54:54 cross sshd[9783]: Failed password for invalid user maryse from 218.248.26.6 port 34847 ssh2
Oct 18 18:54:54 cross sshd[9781]: Received disconnect from 218.248.26.6: 11: Bye Bye
Oct 18 18:54:55 cross sshd[27641]: Invalid user may from 218.248.26.6
Oct 18 18:54:55 cross sshd[3450]: input_userauth_request: invalid user may
Oct 18 18:54:55 cross sshd[27641]: Failed password for invalid user may from 218.248.26.6 port 34876 ssh2
Oct 18 18:54:55 cross sshd[3450]: Received disconnect from 218.248.26.6: 11: Bye Bye
Oct 18 18:54:56 cross sshd[8423]: Invalid user admin from 218.248.26.6
Oct 18 18:54:56 cross sshd[3131]: input_userauth_request: invalid user admin
Oct 18 18:54:56 cross sshd[8423]: Failed password for invalid user admin from 218.248.26.6 port 34905 ssh2
Oct 18 18:54:56 cross sshd[3131]: Received disconnect from 218.248.26.6: 11: Bye Bye
Oct 18 18:54:57 cross sshd[7373]: Invalid user admin from 218.248.26.6
Oct 18 18:54:57 cross sshd[28059]: input_userauth_request: invalid user admin
Oct 18 18:54:57 cross sshd[7373]: Failed password for invalid user admin from 218.248.26.6 port 34930 ssh2
Oct 18 18:54:57 cross sshd[28059]: Received disconnect from 218.248.26.6: 11: Bye Bye
Oct 18 18:54:58 cross sshd[12081]: Invalid user admin from 218.248.26.6
Oct 18 18:54:58 cross sshd[22416]: input_userauth_request: invalid user admin
Oct 18 18:54:58 cross sshd[12081]: Failed password for invalid user admin from 218.248.26.6 port 34958 ssh2
Oct 18 18:54:58 cross sshd[22416]: Received disconnect from 218.248.26.6: 11: Bye Bye