LPI 010-160 – User Accounts and Groups part 2
- Creating Accounts from the Shell
In this lesson, I want to show you how to create a new user account from within your shell. So I’m already logged into my terminal here as my standard user, diontraining. If I want to create a new user, I have to do that using sudo, because I have to be root or an admin to create new users on a system. So let’s go ahead and use sudo. We’re going to use adduser, which is the command we want to use, and the name of the account that we want to add. Let’s say I wanted to add jasondion as a new account on this system. I can go ahead and do that and hit enter, and it’s going to ask for a new UNIX password. What is the password I want jasondion to log in with? So I’m just going to go ahead and type in password and I’m going to go ahead and type in password again.
You could choose whatever password you want, and hopefully it’s something big and long and strong. Now by doing that, I’ve changed the user information for jasondion. Now I can go ahead and put some other information into the directory for him. What is his full name? Well, it’s Jason Dion. What is his room number? Maybe he’s in office one. What is his work number? 55555. And what’s his home phone number? 555555. And any other information I want: Jason is the CEO. Is this information correct? Yes, it is. Hit enter. That’s it. We just created a new user. And you can see here we added the user jasondion, we added a new group called jasondion, and we added that new user with group jasondion.
We created his home directory as /home/jasondion. And we also copied files from /etc/skel, which is the skeleton, or the shape of what a normal user’s home directory would be, into that new /home/jasondion area. We gave him a password and we gave him some information. This is how you create a basic user on a system like this. Now, if we want to verify that this actually worked, how can we do that? Well, there’s this password file located at /etc/passwd. And if we display it to the screen using something like cat, we’re going to be able to see if jasondion is listed as one of those users. So if I go through here, this has all of the different users on the system.
And you’ll see the last user there is jasondion. You’ll see it says jasondion, then x, which is where they store the password, which is stored in a different area. You’ll see his user ID and his group number. You’ll see his name, his office, his phone number, his home phone number, the comments we made, his directory, and what his default shell is. In this case, /bin/bash. If you go up a couple of lines higher, you’ll see diontraining, which is the user account I’m using right now. And again you’ll see the information about that person. In that case it was owned by Jason Dion as well. He has a home directory of diontraining and his shell is /bin/bash, as you can see right here on this line.
And so you can see that, and you can see here the new jasondion account. So we have created that person effectively and correctly. Now on a system that has thousands and thousands of users, like a Linux server might, there’s got to be a better way than searching through with your eyes. Well, there is. If you remember, we learned about grep, right? And so we can use grep and we can find something that begins with the word jasondion, because that’s the user we’re looking for, that first line that has jasondion. If we do that, we’re going to find that inside the /etc/passwd file, and hit enter. And here you go, we found that one line.
Now if I wanted to figure out what number he was in the file, I can actually go ahead and use the -n option as well, and I get the number right there, and that gives me that he was on line 43 of the passwd file, and there is the information on Jason. Now that’s one way to create our user, using that adduser command. And again, if you want to learn more about adduser, go ahead and type man adduser and you’ll get all the information here as you go through the pages of the man doc. But there are other ways of adding users as well. One way is to use a low-level utility that’s in Ubuntu called useradd. To do this we’re going to use sudo useradd and give it the path to the shell that you want to assign.
So if you didn’t want /bin/bash you could use something else. I still like /bin/bash, so I’m going to use that. You’re going to give it the directory you want. In our case we want /home/jason, and then we’re going to give it what group it’s going to be in. Let’s call it the jason group, and the username of jason. And so then we’re going to go ahead and hit enter, and it says group jason doesn’t exist. Well, of course it doesn’t, because we haven’t created it yet. Right. So we have to create it, or we could put him into the other group, which was jasondion, that was just added. So we’ll go ahead and do that, and there we go. So now, as the super user, we’ve added a new user named jason.
So now I have three users on the system: diontraining, jasondion and jason. Now if I want to set the password for this new user, how would I do that, because I haven’t set it yet? Well, I’m going to use sudo passwd and then the name of the account, jason. Hit enter. And now you’re going to give him a new password. There we go. Now, if we want to verify that that new account jason has been created, how will we do that? Well, let’s go ahead and use that grep command we were using before. But instead of searching for jasondion, let’s search for jason. Now, I should get back two things here, right? I should get the jasondion account and the jason account we just created.
And there we go. 43 is the one that we created using the adduser command at the beginning. And 44 is the one we just did using the useradd command. As you can see, in Linux there are lots of different ways to do lots of different things. Personally, I like the adduser command better. It’s a little bit more interactive. It asks you more questions along the way and lets you put in the additional information that you may need, such as the phone numbers, the office number, and information like that. But both of these will work, and both of these will create a new user for you. It just depends which one you like better.
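The grep check from this lesson, as an added example that is not part of the original lesson: a pattern anchored only with ^ matches every login name that starts with the string, while anchoring on the colon that ends the name field matches exactly one account. The passwd lines are a constructed sample (the UIDs, GIDs and field values are assumptions); on a real system read /etc/passwd instead.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format:
# name:x:UID:GID:GECOS:home:shell
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
diontraining:x:1000:1000:Jason Dion,,,:/home/diontraining:/bin/bash
jasondion:x:1001:1001:Jason Dion,1,55555,555555,CEO:/home/jasondion:/bin/bash
jason:x:1002:1001::/home/jason:/bin/bash
EOF
}

# Prefix match, as in the lesson: counts every login name that
# merely starts with the given string.
prefix_match() {
    sample_passwd | grep -c "^$1"
}

# Exact match: the ':' after the name ends the first field, so
# "jason" no longer matches "jasondion".
exact_match() {
    sample_passwd | grep -c "^$1:"
}

# Print one colon-separated field of one account.
# usage: account_field NAME FIELD_NUMBER  (3 = UID, 6 = home, 7 = shell)
account_field() {
    sample_passwd | awk -F: -v u="$1" -v f="$2" '$1 == u { print $f }'
}

# List every account with UID 0; anything besides root deserves a look.
uid0_accounts() {
    sample_passwd | awk -F: '$3 == 0 { print $1 }'
}

echo "prefix matches for jason: $(prefix_match jason)"
echo "exact matches for jason:  $(exact_match jason)"
echo "shell for jason:          $(account_field jason 7)"
echo "UID 0 accounts:           $(uid0_accounts)"
```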
- Modifying and Deleting Accounts
In this lesson we’re going to talk about modifying and deleting accounts. So in our last lesson, I created two new accounts, jasondion and jason, as you see here on the screen. Now, what if Jason or Jason Dion forgot their password? How can we reset that? Well, if we’re the system administrator, we can do that for them. To do that, we are going to use sudo to run the command as root. We’re going to use the passwd command, and then if we give it an argument, we can change the password for that person. So for example, I want to change the password for jason. I can go ahead and type in jason, enter the new password, and I can set it to whatever I want.
12345. What’s his new password? 12345, and hit enter. His password has now been reset to 12345. Notice the power here. As the root user, I didn’t even need to know what his old password was. I can just overwrite it with a new password whenever I feel like. This is something that’s very powerful and something you need to remember as a system admin. Now, the passwd command has a lot of other features too. For example, we can get information about that user’s account as well. Let’s go ahead and take a look at the password for jason. So if we use passwd with jason and we put -S, that’s going to give us the status of this user jason’s account in terms of his password security.
So here we get a line that comes up. You can see I have jason, which is the user. I have P. That field indicates whether this user account has a locked password, no password or a usable password. The fact that he has P means he has a valid good password. If he had NP, that means there was no password assigned. And if he had something that said L, that means that he’s been locked out of his account because he forgot his password and entered it in wrong too many times. Next you’ll see the date of the last password change. In this case, I just changed it about 2 seconds ago. So it’s today’s date, 9/21/2019. After that, you’ll see the minimum password expiry age. In my case, it’s set to zero.
That means this person can have their password and change it as many times as they want, as frequently as they want. Next you’ll see 99999. That’s the maximum age that this password can be, and it’s set in days. So this person, Jason, can keep the same password I just set for 99,999 days, pretty much forever. After that, you’ll see the password expiry warning. This is seven days, so a week before it expires. So in this case, 99,992 days from now, it will say, hey Jason, your password is about to expire. You might want to change it. And the last thing you see here is this negative one. This is the inactivity period for this password. Now, to get more information in an easier to read format, we can use the chage command.
And again, I need to do this as the root user. So I’m using sudo. Then I’m going to do chage with -l to list out the information for jason. Go ahead and hit enter. And there we go. We can now read this in a much easier format. You can see the last password change was today. The password expires never. It’s inactive never. The account expires never. The minimum number of days between password changes is zero, the maximum number is 99,999 days, and the days of warning will be seven days. Same information we had on that single line, but it’s a lot easier to read this way. Now, I would recommend going in and doing a quick man on each of these commands and learning a little bit about them.
For instance, chage is going to change your user’s password expiry information. And as you can see here, we have a lot of ability to change those different pieces of information in regards to the user’s password. This is really important from a security aspect, because these basic settings of being able to change the password as often as you want and keep that password essentially forever are not good for security. Instead, as a system administrator, when you create somebody’s account, you should go in and set when that password will expire. Generally, we’re going to expire it about 60 days from creation and warn them one to two weeks before that expiration date that they need to change their password.
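One way to check a whole system against the policy just described, as an added example that is not part of the original lesson: the functions read lines in the format passwd -S prints and report accounts with no password or a maximum age above the limit, then print (without running) the chage command that would fix each one. The status lines are a constructed sample, and the backup account and the 14-day warning are assumptions; on Ubuntu, sudo passwd -S -a produces this format for every account.

```shell
#!/bin/sh
# Constructed sample of `passwd -S` output, one account per line:
# name  status  last-change  min-days  max-days  warn-days  inactive-days
sample_status() {
cat <<'EOF'
diontraining P 08/01/2019 0 60 14 -1
jasondion P 09/21/2019 0 99999 7 -1
jason P 09/21/2019 0 99999 7 -1
backup NP 09/21/2019 0 99999 7 -1
EOF
}

# audit_aging MAX_DAYS: read status lines on stdin and report every
# account that has no password or may keep one longer than MAX_DAYS.
audit_aging() {
    awk -v limit="$1" '
        $2 == "NP"  { print $1 ": no password set" }
        $5 > limit  { print $1 ": max age " $5 " days exceeds " limit }
    '
}

# remediation_cmds MAX_DAYS WARN_DAYS: print the chage command that
# would bring each usable-password account into line. The commands are
# only printed; review them, then run them with sudo.
remediation_cmds() {
    awk -v max="$1" -v warn="$2" '
        $2 == "P" && $5 > max {
            print "chage -M " max " -W " warn " " $1
        }
    '
}

echo "Findings for a 60-day policy:"
sample_status | audit_aging 60
echo "Suggested fixes (60-day maximum, 14-day warning):"
sample_status | remediation_cmds 60 14
```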
So again, using man, you can go through and see that you can do that using the -d option, the -E option, the -I option, the -m and -M options, or the -W option. So that’s how you can modify the information about a password in a system. But how can we change or rename a username if we needed to? For instance, maybe I typed Jason’s name wrong. Maybe his name was actually Jayson or Jasen. I don’t know. We want to go ahead and change this person’s name. Can we do that? Well, certainly we can. Just like in Windows, you can rename a user if you need to. So to do this, we’re going to use a couple of commands. We’re going to use the id command and the usermod command.
The first one is id. So if I run id jason, what do I see? Well, I get his user ID, his group ID, the groups he’s a member of and that type of information. So right here I see that jason is the user ID 1002. His group ID is 1002, also known as jason. He’s in two groups. He’s in jason and jasondion. So these are a couple of things that we’re going to want to mess with. First, we’re going to use usermod with -l, and we’re going to put the name we want to go to and the name we want to go from. For instance, maybe we want to have jansen instead of jason. And it came from the jason account. Go ahead and hit enter. Permission denied. Why is that? Because we’re not the root user.
To make changes to any user on the system, you have to be the root user. So we need to go ahead and use sudo: sudo usermod -l jansen jason. There we go. And so now if I do id jason, what’s going to happen? Well, I should get an error, because there is no user jason anymore. Instead, I now have a user named jansen. Now, if I want to go ahead and check jansen’s information, his information should look a lot like jason’s old information, meaning he’s still user ID 1002, but his name has been changed to jansen. His group, though, is still jason. Why? Because I only changed his user information, I didn’t change his group information. Right. Now the other thing we can do is we can look at the directory.
And so if we do an ls -ld /home/jason, which was his original home directory, what do we get? We get the information that the home directory hasn’t changed its name, but the owner has changed. Notice the owner is now jansen, because again, all I did was rename jason to jansen. So how can I change that group ID, this GID 1002, to be jansen as well? Well, there’s a command for that. And so we’re going to do id jason, and here we see there’s no such user, right? But if we do id jansen, we’ll see there is a user. And so if we want to modify the group, we’re going to do sudo groupmod -n jansen jason. What that’s saying is change it from jason to jansen for the group. Go ahead and hit enter.
Now, to verify that happened correctly, we’ll do id jansen. And you can see now that my group ID has changed from jason to jansen. So what did we learn here? We learned that we can change names and groups. Names are done using usermod, groups are done using groupmod. And again, like everything else I’ve told you, go ahead and open up the man page for usermod or groupmod and learn a little bit about it. You’ll notice that you can change information and you can add users to different groups. You can change their names, you can add comments, you can change their home directory. You can set an account inactive to turn it off so they can’t log in, and you can expire their account.
There are lots of different things that you can do from within this program. So I recommend you play with it a little bit and get comfortable with it. As a system administrator, usermod and groupmod are going to be something you’re going to use a lot. Now, let’s say we didn’t want to modify this user anymore. We’ve changed their name, we’ve changed their group. We’ve even gone in and used the -d option, maybe, and we’ve changed their home directory. But now that person doesn’t work for us anymore. Jansen just got fired. So Jansen is going to go home. We want to turn off his account and we want to delete the account, because we don’t need it on the server anymore.
Well, we can do that as well. And we can use a command called deluser to do that. We simply run sudo again and use deluser, which is delete the user. We’re going to add --remove-home, which says remove their home directory, and then the name of the user, in this case jansen. So if I do that, I can go ahead and hit enter, and you’ll see that it’s looking for any files to back up or remove. It removes the files, it removes the user. And it now says that group jansen has no more members, because I deleted the user, but I didn’t delete the group. So if I arrow up again, I can bring back that old grep command we used. And in this case, I’m just going to look for ja at the beginning of the line to see if I can find jasondion or jansen.
What do I find? I only find jasondion, because line 44 with jansen is no longer in there. We’ve deleted that user. Now there is a second way to delete a user, and I’m going to use this to delete this jasondion user to show you that as well. Go ahead and clear my screen. And what we’re going to do is we are going to use the userdel command. So if we do sudo userdel -r and then the name of the account we want to remove, in this case jasondion, and hit enter, what are we going to see? We get an error saying that the jasondion mail spool didn’t exist. That’s okay, because we didn’t set up mail for that user. But if we go ahead and do our grep again, let’s see if we find it. We find nothing for Jason.
If we do an id for jansen, he’s gone. If we do an id for jasondion, he’s gone as well. We’ve deleted both those users and now we’ve verified it. Now the nice thing about Ubuntu is it also will keep a log of every account that’s been created or deleted. And if you want to check that log and see who’s been deleted recently, we can do that too. To do that, we need to look at the log that’s located in /var/log/auth.log. This is our authentication log. Now we can use grep, we can use cat, whichever one we want to do. The problem is if we use something like cat, we’re going to see the entire file, and this could be really long, especially on a big server.
But if we just deleted somebody recently, they should be right at the end of that file, right? And tail will show us the last couple of things that happened. So let’s do a tail of the last 15 lines of this log, /var/log/auth.log. There we go. On the screen, we can see the last 15 lines. And if you look, the last couple of things that happened, specifically at 16:41:07, was that we deleted a user, jasondion. If you go up a little bit higher, you’ll see at 16:39:35 that we deleted user jansen. We deleted jansen from the group jasondion, and we removed the group jansen that was owned by jansen. So you can see here that these people have been deleted.
This is really useful, especially as a cybersecurity analyst, because you can find out if people have been messing with your system. Now, another way you could have done this is by using your grep command. So if I go ahead and use grep and I look for the word userdel to see if anybody has run the user delete command, I can do that against this log as well. And there you go. You can see everything that’s been deleted recently by the userdel command within that log file. Not just within the last 15 lines, like tail showed us, but the entire log file. And because we’ve only deleted two users, we only see two of them shown here on the screen.
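The log review described above, as an added example that is not part of the original lesson: one function lists each deleted account with its timestamp, and another pulls the matching sudo entries so every deletion can be tied to the user who ran the command. The log lines are a constructed sample modeled on what the lesson reads off the screen; the hostname, PIDs, the sudo entries and the exact message wording are assumptions and can differ between versions.

```shell
#!/bin/sh
# Constructed sample in the style of /var/log/auth.log.
sample_authlog() {
cat <<'EOF'
Sep 21 16:39:34 ubuntu sudo: diontraining : TTY=pts/0 ; PWD=/home/diontraining ; USER=root ; COMMAND=/usr/sbin/deluser --remove-home jansen
Sep 21 16:39:35 ubuntu userdel[2203]: delete user 'jansen'
Sep 21 16:39:35 ubuntu userdel[2203]: delete 'jansen' from group 'jasondion'
Sep 21 16:39:35 ubuntu userdel[2203]: removed group 'jansen' owned by 'jansen'
Sep 21 16:41:06 ubuntu sudo: diontraining : TTY=pts/0 ; PWD=/home/diontraining ; USER=root ; COMMAND=/usr/sbin/userdel -r jasondion
Sep 21 16:41:07 ubuntu userdel[2230]: delete user 'jasondion'
Sep 21 16:41:09 ubuntu sshd[2240]: Accepted password for diontraining from 192.0.2.10 port 50022 ssh2
EOF
}

# deleted_users: read log lines on stdin, print "TIME NAME" for each
# account removal. Group-membership and group-removal lines are skipped.
deleted_users() {
    awk -v sq="'" '
        $5 ~ /^userdel\[[0-9]+\]:$/ && $6 == "delete" && $7 == "user" {
            split($0, q, sq)      # q[2] is the name between the quotes
            print $3, q[2]
        }'
}

# sudo_account_cmds: print "TIME INVOKING_USER COMMAND" for every sudo
# entry that ran an account-management tool, to show who made the change.
sudo_account_cmds() {
    awk '
        $5 == "sudo:" &&
        /COMMAND=[^ ]*\/(adduser|useradd|usermod|groupmod|deluser|userdel)( |$)/ {
            t = $3; u = $6
            sub(/.*COMMAND=/, "")  # keep only the command that was run
            print t, u, $0
        }'
}

echo "Deleted accounts:"
sample_authlog | deleted_users
echo "Who ran account-management commands:"
sample_authlog | sudo_account_cmds
```

On a live system, feed the functions the real file, for example sudo cat /var/log/auth.log | deleted_users.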