User Administration in HP-UX 11i v3

Use the id command to determine a user’s UID and primary group membership.

# id user1

uid=301(user1) gid=301(class)

Use the groups command to determine a user’s secondary group memberships.

# groups user1

class class2 users

Three Key Files in User Administration

/etc/passwd

/etc/group

/etc/shadow (not present by default; see Configuring Shadow Passwords below)

To edit the /etc/passwd file, use vipw, which locks the file while you edit it:

# /usr/sbin/vipw

Use /usr/sbin/pwck to check the /etc/passwd file for syntax errors (and /usr/sbin/grpck for /etc/group).

 

Enable Long Usernames in HP-UX 11.31

11i v3 supports user and group names up to 255 characters in length. This

functionality is off by default and must be enabled manually by temporarily stopping the pwgrd

password and group hashing daemon, executing the lugadmin (long user and group

name) command, and restarting pwgrd. Note the warning below: the change cannot be undone.

# /sbin/init.d/pwgr stop

pwgrd stopped

# lugadmin -e

Warning: Long user/group name once enabled cannot

be disabled in future.

Do you want to continue [yY]: y

lugadmin: Note: System is enabled for

long user/group name

# /sbin/init.d/pwgr start

pwgrd started

To determine whether long usernames are enabled, execute lugadmin -l. A value of 64

indicates that the maximum username length is 8 characters; 256 indicates

that long usernames are enabled.

# lugadmin -l

256

 

To determine your system’s maximum UID, check the MAXUID

parameter in /usr/include/sys/param.h.

 

Configuring Shadow Passwords:

By default, the /etc/shadow file doesn’t exist. Use the cookbook below to convert to a

shadow password system:

  1. Shadow password support is included by default in 11i v2 and v3. HP-UX 11i v1

administrators, however, must download and install the ShadowPassword patch bundle

from http://software.hp.com/. Use the swlist command to determine if the

product has already been installed.

# swlist ShadowPassword

  2. Run pwck to verify that there aren't any syntax errors in your existing /etc/passwd file.

# pwck

  3. Use the pwconv command to move the password hashes to the /etc/shadow file.

# pwconv

  4. Verify that the conversion succeeded. The /etc/passwd file should remain world-readable,

but the /etc/shadow file should be readable only by root. The password hashes

in /etc/passwd should have been replaced by "x".

# ll /etc/passwd /etc/shadow

-r--r--r-- 1 root sys 914 May 18 14:35 /etc/passwd

-r-------- 1 root sys 562 May 18 14:35 /etc/shadow

  5. You can revert to the traditional non-shadowed password functionality at any time via the

pwunconv command. Be aware that this puts the hashes back into the world-readable /etc/passwd,

where any local user can copy them for offline cracking.

# pwunconv

 

Enabling SHA-512 Passwords in /etc/shadow:

Traditionally, HP-UX has hashed user passwords with the DES-based crypt algorithm, which

uses only the first 8 characters of the password and is weak by modern standards. HP-UX 11i v2 and v3 support the stronger SHA-512

algorithm if you install the Password Hashing Infrastructure patch bundle from

http://software.hp.com. HP-UX 11i v3 also supports long passwords up to 255

characters if you add the LongPass11i3 patch bundle, too. Use the following commands to

determine if your system has these patch bundles:

In 11i v2:

# swlist SHA

In 11i v3:

# swlist PHI11i3 LongPass11i3

These patches are not available for 11i v1.

After installing the software, add the following two lines to /etc/default/security to

enable SHA-512 password hashing. The new algorithm is applied only when a password is next set or

changed: existing DES hashes stay in /etc/shadow until each user changes their password

(passwd -f forces that at the next login).

# vi /etc/default/security

CRYPT_DEFAULT=6

CRYPT_ALGORITHMS_DEPRECATE=__unix__

 

Enabling Long Passwords in /etc/shadow:

On 11i v3 systems with the LongPass11i3 bundle installed, you can also enable passwords up to 255 characters in length by

adding LONG_PASSWORD=1 to /etc/default/security alongside the two SHA-512 lines:

# vi /etc/default/security

CRYPT_DEFAULT=6

CRYPT_ALGORITHMS_DEPRECATE=__unix__

LONG_PASSWORD=1
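
The following audit is an added example written for this page (it is not part of the original post and not an HP-UX tool). Run after pwconv, and again after switching to CRYPT_DEFAULT=6, it checks a passwd/shadow pair for what pwck does not report: hashes still sitting in the world-readable /etc/passwd, empty password fields, extra UID 0 accounts, duplicate UIDs, /etc/shadow permissions, and shadow entries still carrying a legacy 13-character DES hash instead of the $6$ SHA-512 form. It assumes PHI writes SHA-512 hashes with the standard $6$ prefix, and the passwd/shadow pair it builds in a temporary directory is constructed sample data; on a real system point it at /etc/passwd and /etc/shadow.

```shell
#!/usr/bin/sh
# Audit a passwd/shadow pair for problems pwck does not report.
# Usage: audit_passwd_shadow /etc/passwd /etc/shadow
# Prints one finding per line and a final "FINDINGS: n" line; always returns 0.
audit_passwd_shadow() {
    pw=$1; sh=$2; findings=0; seen_uids=""

    while IFS=: read -r name pass uid gid gecos home shell; do
        [ -n "$name" ] || continue
        case "$pass" in
            x)        ;;   # shadowed, as expected after pwconv
            '*'|'!'*) ;;   # locked, no usable hash
            '')       echo "NULL-PASSWORD $name: empty field, login needs no password"
                      findings=$((findings + 1)) ;;
            *)        echo "UNSHADOWED $name: hash still in the world-readable passwd file"
                      findings=$((findings + 1)) ;;
        esac
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            echo "EXTRA-UID0 $name: second superuser account"
            findings=$((findings + 1))
        fi
        case " $seen_uids " in
            *" $uid "*) echo "DUP-UID $name: shares UID $uid with an earlier entry"
                        findings=$((findings + 1)) ;;
        esac
        seen_uids="$seen_uids $uid"
    done < "$pw"

    # Shadow entries: after CRYPT_DEFAULT=6 new hashes start with $6$ (assumed
    # prefix); a bare 13-character value is a legacy DES hash that only changes
    # when the user next runs passwd.
    while IFS=: read -r name hash rest; do
        [ -n "$name" ] || continue
        case "$hash" in
            '$6$'*)    ;;   # SHA-512
            '*'*|'!'*) ;;   # locked
            '')        echo "NULL-PASSWORD $name: empty hash in the shadow file"
                       findings=$((findings + 1)) ;;
            '$'*)      echo "OTHER-CRYPT $name: not the configured SHA-512 (\$6\$) form"
                       findings=$((findings + 1)) ;;
            *)         echo "DES-HASH $name: legacy DES hash, rehashed only at the next password change"
                       findings=$((findings + 1)) ;;
        esac
    done < "$sh"

    # /etc/shadow must be readable by root only (mode 400 or 600).
    perm=$(ls -l "$sh" | cut -c2-10)
    case "$perm" in
        r--------|rw-------) ;;
        *) echo "SHADOW-PERMS $sh: mode $perm, should be readable by root only"
           findings=$((findings + 1)) ;;
    esac
    echo "FINDINGS: $findings"
    return 0
}

# Constructed sample pair (not from a real system) with deliberate defects:
# a second UID 0, an unconverted hash, a null password, a duplicate UID and
# one account still on a DES hash.
make_sample_files() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
toor:x:0:3:second superuser:/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
user1:x:301:301:student:/home/user1:/usr/bin/sh
user2:fnnmD.DGyptLU:302:301:not converted:/home/user2:/usr/bin/sh
user3::303:301:null password:/home/user3:/usr/bin/sh
user4:x:301:301:duplicate uid:/home/user4:/usr/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$saltsalt$0123456789abcdef:14000:0:99999:7:::
toor:$6$saltsalt$fedcba9876543210:14000:0:99999:7:::
user1:fnnmD.DGyptLU:14000:7:70:14:::
user4:$6$saltsalt$abcdef0123456789:14000:0:99999:7:::
EOF
    chmod 400 "$dir/shadow"
}

# Demonstration against the constructed sample; expect six findings.
tmp=$(mktemp -d)
make_sample_files "$tmp"
audit_passwd_shadow "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

The passwd pass and the shadow pass are kept separate on purpose: pwconv leaves a stale hash in /etc/passwd only when it fails part-way, while a DES hash in /etc/shadow is the normal state for every account that has not changed its password since CRYPT_DEFAULT=6 was set, so the second class of finding is expected to shrink over time rather than disappear at once.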

 

Creating User Accounts:

# useradd -o \ # allow a duplicate UID

-u 101 \ # define the UID

-g users \ # define the primary group

-G class,training \ # define secondary groups

-c "student user" \ # define the comment field

-m -d /home/user1 \ # make a home directory for the user

-s /usr/bin/sh \ # define the default shell

-e 1/2/09 \ # define an account expiration date

-p fnnmD.DGyptLU \ # specify a pre-computed password hash (never a cleartext password)

-t /etc/default/useradd \ # specify a template

user1 # define the username

 

Interactively set a password for the new account:

# passwd user1 # interactively specify a password, or...

# passwd -d user1 # set a null password: the account can then log in with no password at all, so only use this together with -f

# passwd -f user1 # force a password change at first login

 

Creating useradd Templates in /etc/default/

Administrators who manage many user accounts often configure useradd template files in

the /etc/default/ directory.

# useradd -D \ # update defaults for a template

-t /etc/default/useradd.cusers \ # template file location

-b /home \ # base for home directories

-c "C programmer" \ # comment

-g developer \ # primary group

-s /usr/bin/csh # default shell

 

To verify that the template was created, execute useradd with just the -D and -t options,

or simply cat the file.

# useradd -D -t /etc/default/useradd.cusers

GROUPID 20

BASEDIR /home

SKEL /etc/skel

SHELL /usr/bin/csh

INACTIVE -1

EXPIRE

COMMENT programmer

CHOWN_HOMEDIR no

CREAT_HOMEDIR no

ALLOW_DUP_UIDS no

 

The example below uses the new template to create a user account. Recall that –m creates a

home directory for the new user.

# useradd –m -t /etc/default/useradd.cusers user1

# tail -1 /etc/passwd

user1:*:101:20:programmer:/home/user1:/usr/bin/csh

 

Modifying User Accounts:

Modify a user account (Administrators):

# usermod -l user01 user1 # change the user's username

# usermod -o -u 101 user1 # change the user's UID (-o permits a duplicate UID)

# usermod -g users user1 # change the user's primary group

# usermod -G class,training user1 # change the user's secondary group(s)

# usermod -c "student" user1 # change the user's comment field

# usermod -m -d /home/user01 user1 # move the user's home directory

# usermod -s /usr/bin/ksh user1 # change the user's default shell

# usermod -e 1/3/09 user1 # change the user's account expiration

# usermod -p fnnmD.DGyptLU user1 # non-interactively set a pre-computed password hash

 

Modify a user password (Administrators):

# passwd user1 # interactively change a password

Modify a user account or password (Users):

$ passwd # change the user’s password

$ chsh user1 /usr/bin/ksh # change the user’s shell

$ chfn user1 # change the user’s comment field

 

Deactivate (lock) a user account

# passwd -l user1

Reactivate a user account (assigning a new password clears the lock)

# passwd user1

Remove a user's home directory

# rm -rf /home/user1

 

Delete a user account, but leave the user's files untouched

# userdel user1

Delete a user account and remove the user's home directory

# userdel -r user1

Or... remove the user's files from every directory (files first, then the emptied directories, deepest first).

Do this before userdel: afterwards the files belong to a bare UID, and the next account created with that

number silently inherits them.

# find / -user user1 -type f -exec rm -i {} +

# find / -user user1 -type d -depth -exec rmdir {} +

Or... transfer ownership to a different user

# find / -user user1 -exec chown user2 {} +

 

Find files owned by non-existent users or groups (for example, left behind by userdel)

# find / -nouser -exec ll -d {} +

# find / -nogroup -exec ll -d {} +

 

Configuring Password Aging:

Password aging may be enabled via the /usr/bin/passwd command:

# passwd -n 7 -x 70 -w 14 user1

-n <min>: minimum days between password changes (rounded up to the nearest week)

-x <max>: maximum days a password may be used (rounded up to the nearest week)

-w <warn>: days of warning before the password expires (rounded up to the nearest week)

 

You can check the password status of a user’s account with the -s option.

# passwd -s user1

user1 PS 03/21/05 7 70 14

# passwd -sa

user1 PS 03/21/05 7 70 14

user2 PS

user3 PS
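
As an added example (written for this page, not part of the original post), the script below reviews passwd -sa output and flags the accounts that need attention: NP (no password at all), PS entries with no aging configured, and maximum ages above 90. The status lines it processes are constructed sample data in the format shown above; on a real system pipe passwd -sa into review_passwd_status. The 90-day threshold is this example's choice, not an HP-UX default.

```shell
#!/usr/bin/sh
# Review "passwd -sa" output. Each input line is
#   name status [mm/dd/yy min max warn]
# where status PS = password set, LK = locked, NP = no password.
# Prints one line per account needing attention and a final "ATTENTION: n"
# line; locked accounts are listed for information only. Always returns 0.
review_passwd_status() {
    n=0
    while read -r name status lastchg min max warn extra; do
        [ -n "$name" ] || continue
        case "$status" in
            NP) echo "$name: NO PASSWORD, logs in without one; set a password or lock with passwd -l"
                n=$((n + 1)) ;;
            LK) echo "$name: locked (candidate for userdel once its files are reassigned)" ;;
            PS) if [ -z "$max" ]; then
                    echo "$name: no password aging; set it with passwd -n/-x/-w"
                    n=$((n + 1))
                elif [ "$max" -gt 90 ]; then
                    echo "$name: maximum age $max exceeds the 90-day limit used here"
                    n=$((n + 1))
                fi ;;
            *)  echo "$name: unknown status '$status'"
                n=$((n + 1)) ;;
        esac
    done
    echo "ATTENTION: $n"
    return 0
}

# Constructed sample of passwd -sa output (not captured from a real system).
sample_passwd_status() {
    cat <<'EOF'
user1 PS 03/21/05 7 70 14
user2 PS
user3 NP
user4 LK 01/02/09 0 180 7
user5 PS 01/02/09 0 180 7
EOF
}

# Demonstration: user2 (no aging), user3 (no password) and user5 (max 180)
# are flagged; user1 is fine and user4 is only listed as locked.
sample_passwd_status | review_passwd_status
```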

Configuring Password Policies:

Password complexity and aging defaults are set in /etc/default/security and are enforced

when a password is set or changed; each parameter takes an integer value (none are filled in below).

# vi /etc/default/security

MIN_PASSWORD_LENGTH=

PASSWORD_MIN_UPPER_CASE_CHARS=

PASSWORD_MIN_LOWER_CASE_CHARS=

PASSWORD_MIN_DIGIT_CHARS=

PASSWORD_MIN_SPECIAL_CHARS=

PASSWORD_MAXDAYS=

PASSWORD_MINDAYS=

PASSWORD_WARNDAYS=
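
As an added example (written for this page, not HP-UX's own check), the script below evaluates a candidate password against the complexity parameters above as read from a security file, and reports how many characters the hash will actually cover: with the traditional DES crypt (no CRYPT_DEFAULT) only the first 8 are hashed, so raising MIN_PASSWORD_LENGTH buys nothing until CRYPT_DEFAULT=6 is set. The 6-character fallback for MIN_PASSWORD_LENGTH, the zero fallbacks for the class counts, and the sample policy files are assumptions made for the example.

```shell
#!/usr/bin/sh
# Check a candidate password against /etc/default/security parameters.
# Usage: check_password_policy /etc/default/security 'candidate'
# Prints PASS, or FAIL: followed by the rules that failed. Always returns 0.

# Value of KEY ($2) in FILE ($1), or DEFAULT ($3) when absent or empty.
sec_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# Number of characters of $1 that fall inside the tr(1) set $2.
count_in_set() {
    printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

check_password_policy() {
    f=$1; pw=$2; fail=""
    minlen=$(sec_get "$f" MIN_PASSWORD_LENGTH 6)          # assumed default
    upper=$(sec_get "$f" PASSWORD_MIN_UPPER_CASE_CHARS 0)  # assumed default
    lower=$(sec_get "$f" PASSWORD_MIN_LOWER_CASE_CHARS 0)
    digit=$(sec_get "$f" PASSWORD_MIN_DIGIT_CHARS 0)
    special=$(sec_get "$f" PASSWORD_MIN_SPECIAL_CHARS 0)

    [ "${#pw}" -ge "$minlen" ]                         || fail="${fail:+$fail,}too-short"
    [ "$(count_in_set "$pw" 'A-Z')" -ge "$upper" ]     || fail="${fail:+$fail,}no-upper"
    [ "$(count_in_set "$pw" 'a-z')" -ge "$lower" ]     || fail="${fail:+$fail,}no-lower"
    [ "$(count_in_set "$pw" '0-9')" -ge "$digit" ]     || fail="${fail:+$fail,}no-digit"
    # "special" here means anything that is not a letter or a digit.
    nspecial=$(printf '%s' "$pw" | LC_ALL=C tr -d 'A-Za-z0-9' | wc -c | tr -d ' ')
    [ "$nspecial" -ge "$special" ]                     || fail="${fail:+$fail,}no-special"

    if [ -z "$fail" ]; then echo PASS; else echo "FAIL: $fail"; fi
    return 0
}

# Characters the stored hash really depends on: traditional DES crypt (no
# CRYPT_DEFAULT in the file) keeps only the first 8; SHA-512 keeps them all.
effective_length() {
    crypt=$(sec_get "$1" CRYPT_DEFAULT "")
    if [ -z "$crypt" ] && [ "${#2}" -gt 8 ]; then echo 8; else echo "${#2}"; fi
}

# Constructed strict policy (sample values chosen for the example).
make_policy_file() {
    cat > "$1" <<'EOF'
MIN_PASSWORD_LENGTH=10
PASSWORD_MIN_UPPER_CASE_CHARS=1
PASSWORD_MIN_LOWER_CASE_CHARS=1
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1
CRYPT_DEFAULT=6
CRYPT_ALGORITHMS_DEPRECATE=__unix__
EOF
}

# Demonstration: the strict file versus the empty fragment shown above
# (no values and no CRYPT_DEFAULT).
tmp=$(mktemp -d)
make_policy_file "$tmp/strict"
printf 'MIN_PASSWORD_LENGTH=\nPASSWORD_MIN_UPPER_CASE_CHARS=\n' > "$tmp/weak"
echo "strict/Tr0ub4dor&3x: $(check_password_policy "$tmp/strict" 'Tr0ub4dor&3x')"
echo "strict/password:     $(check_password_policy "$tmp/strict" 'password')"
echo "weak/password:       $(check_password_policy "$tmp/weak" 'password')"
echo "weak hashes only $(effective_length "$tmp/weak" 'Tr0ub4dor&3x') of 12 characters"
rm -rf "$tmp"
```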

 

Managing Groups:

Create a new group

# groupadd -g 200 accts

Change a group name

# groupmod -n accounts accts

 

Add, modify, or delete a list of users to or from a group:

# groupmod -a -l user1,user2 accounts # add a list of users to a group

# groupmod -m -l user3,user4 accounts # replace the list of users in a group

# groupmod -d -l user3,user4 accounts # delete a list of users from a group

 

Delete a group:

# groupdel accounts

Change a specific user’s primary and secondary group membership:

# usermod -g users user1

# usermod -G class,training user1

 

View a user’s group memberships:

# groups user1

Automating User Account Creation:

Write a simple shell script to create the user accounts. Initially, assign null passwords but force the users to change their

passwords after their first successful login. Assign /usr/bin/sh as the users' startup

shell.

Create a shell script useradd_stud_accts.sh:

#!/usr/bin/sh

# create stud1 .. stud50 with a home directory and /usr/bin/sh as the shell

n=1

while ((n<=50))

do

echo stud$n

useradd -m -s /usr/bin/sh stud$n

passwd -d -f stud$n # null password now, change forced at first login

((n=n+1))

done

 

Make script executable and run:

# chmod +x useradd_stud_accts.sh

# ./useradd_stud_accts.sh

 

To clean up the accounts, create the script userdel_stud_accts.sh (each iteration is equivalent to userdel -r):

#!/usr/bin/sh

# delete stud1 .. stud50 and their home directories

n=1

while ((n<=50))

do

echo stud$n

userdel stud$n

rm -rf /home/stud$n

((n=n+1))

done
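
The creation loop above trusts every generated name. The added example below (written for this page, not part of the original post) plans the same bulk creation first: it rejects names with non-portable characters, names longer than the limit implied by lugadmin -l (8 characters unless it prints 256), and names already present in the passwd file, and only then applies the CREATE lines with the same useradd/passwd -d -f pair. The passwd file it reads in the demonstration is a constructed sample; with APPLY=1 it plans against the real /etc/passwd and runs useradd.

```shell
#!/usr/bin/sh
# Plan, and optionally apply, bulk account creation with the checks the
# simple loop skips. Usage: plan_accounts PREFIX COUNT MAXLEN PASSWD_FILE
# Prints "CREATE name" or "SKIP name reason" per account and a final
# "PLAN: create=N skip=M" line; always returns 0.

# Username limit from the lugadmin -l value (64 -> 8, 256 -> 255); the value
# is passed in so the decision can be made from a captured result.
max_name_len() { if [ "$1" = 256 ]; then echo 255; else echo 8; fi; }

# Validate one name: portable character set, not starting with '-', within
# the length limit, and not already in the passwd file. Prints ok or a reason.
check_name() {
    name=$1; maxlen=$2; pwfile=$3
    case "$name" in
        *[!A-Za-z0-9._-]*|-*|'') echo "bad-characters"; return 0 ;;
    esac
    [ "${#name}" -le "$maxlen" ] || { echo "too-long(${#name}>$maxlen)"; return 0; }
    if grep -q "^$name:" "$pwfile"; then echo "exists"; return 0; fi
    echo ok
}

plan_accounts() {
    prefix=$1; count=$2; maxlen=$3; pwfile=$4
    create=0; skip=0; n=1
    while [ "$n" -le "$count" ]; do
        name="$prefix$n"
        reason=$(check_name "$name" "$maxlen" "$pwfile")
        if [ "$reason" = ok ]; then
            echo "CREATE $name"; create=$((create + 1))
        else
            echo "SKIP $name $reason"; skip=$((skip + 1))
        fi
        n=$((n + 1))
    done
    echo "PLAN: create=$create skip=$skip"
    return 0
}

# Apply a plan read on stdin: only CREATE lines run useradd, and the null
# password is immediately paired with a forced change at first login.
apply_plan() {
    while read -r action name rest; do
        [ "$action" = CREATE ] || continue
        useradd -m -s /usr/bin/sh "$name" && passwd -d -f "$name"
    done
}

# Demonstration against a constructed passwd file (not a real system):
# student1..student9 fit in 8 characters, student3 already exists, and
# student10..student12 are too long for a system without long usernames.
tmp=$(mktemp -d)
printf 'root:x:0:3::/:/sbin/sh\nstudent3:x:310:20::/home/student3:/usr/bin/sh\n' > "$tmp/passwd"
plan_accounts student 12 "$(max_name_len 64)" "$tmp/passwd"
rm -rf "$tmp"

# Real run, only when explicitly requested:
if [ "${APPLY:-0}" = 1 ]; then
    plan_accounts student 12 "$(max_name_len "$(lugadmin -l)")" /etc/passwd | apply_plan
fi
```

Reviewing the plan before applying it is the point: on a system where lugadmin -l still prints 64, useradd would reject student10 anyway, but the loop above carries on and the remaining accounts are created without anyone noticing the gap.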

 

Managing Users and Groups via the SMH:

# smh -> Accounts for Users and Groups or…

# ugweb

 
