Learning the Linux user authentication files

1. /etc/sudoers

/etc/sudoers is the access-control file used to manage privileged operations on Linux systems. It specifies which users, groups, or hosts may run privileged commands through sudo, and which commands they may run.

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for the details on how to write a sudoers file.
#

# Override builtin defaults
Defaults    syslog=auth,timestamp_timeout=300,!set_logname
Defaults:admin    lecture=always
Defaults:admin    lecture_file=/etc/sudoers.lecture
Defaults:admin    passwd_timeout=0.5
Defaults:hwnoc !requiretty

# Host alias specification

# Cmnd alias specification
Cmnd_Alias  SHELLS = /bin/sh,/bin/ash,/bin/bsh,/bin/bash,/bin/csh, \
            /bin/ksh,/bin/rsh,/bin/tcsh,/bin/zsh
Cmnd_Alias  VIETC = /usr/sbin/visudo,/usr/sbin/vipw,/usr/sbin/vigr
Cmnd_Alias  USERADD = /usr/sbin/useradd,/usr/sbin/adduser
Cmnd_Alias SUPERMIT = !/usr/bin/sudo *,!/bin/su *,/bin/su -c*,/bin/su [a-zA-Z0-9]*,!/bin/su *root*
Cmnd_Alias SUDOEXEC = /bin/sh [/~.a-zA-z0-9]*, /bin/sh -c*, \
                        /bin/ash [/~.a-zA-z0-9]*, /bin/ash -c*, \
                        /bin/bsh [/~.a-zA-z0-9]*, /bin/bsh -c*, \
                        /bin/bash [/~.a-zA-z0-9]*, /bin/bash -c*, \
                        /bin/csh [/~.a-zA-z0-9]*, /bin/csh -c*, \
                        /bin/ksh [/~.a-zA-z0-9]*, /bin/ksh -c*, \
                        /bin/rsh [/~.a-zA-z0-9]*, /bin/rsh -c*, \
                        /bin/tcsh [/~.a-zA-z0-9]*, /bin/tcsh -c*, \
                        /bin/zsh [/~.a-zA-z0-9]*, /bin/zsh -c*

## settings from ali local

# default
%users  ALL=(users) ALL
root    ALL=(ALL) ALL


Cmnd_Alias WHITELIST1 = /bin/grep
mysql  ALL=(ALL) NOPASSWD:WHITELIST1


Cmnd_Alias WHITELIST2 = /usr/bin/crontab -l -u admin,/usr/bin/crontab -u admin -l
guest  ALL=(ALL) NOPASSWD:WHITELIST2


appadmin  ALL=(ALL) NOPASSWD:ALL,SUPERMIT,!SHELLS,SUDOEXEC,!VIETC,!USERADD

%tbops  ALL=(ALL) ALL,SUPERMIT,!SHELLS,SUDOEXEC

%tbpe  ALL=(ALL) ALL,SUPERMIT,!SHELLS,SUDOEXEC,!VIETC

%tbdba  ALL=(ALL) ALL,SUPERMIT,!SHELLS,SUDOEXEC,!VIETC

%tbnoc  ALL=(ALL) ALL,SUPERMIT,!SHELLS,SUDOEXEC,!VIETC,!USERADD

%tbscm  ALL=(ALL) ALL,SUPERMIT,!SHELLS,SUDOEXEC,!VIETC,!USERADD

%tbdev  ALL=(ALL) ALL,SUPERMIT,!SHELLS,SUDOEXEC,!VIETC,!USERADD

%tbtest  ALL=(ALL) ALL,SUPERMIT,!SHELLS,SUDOEXEC,!VIETC,!USERADD

# Compatible with the /home/staragent/plugins/osteam.src/osteam.cur/account.sh
Cmnd_Alias ALINOC_CMD = /usr/bin/kill,/usr/sbin/shutdown,/usr/sbin/halt,/usr/sbin/reboot,/bin/sh,/bin/ash,/bin/bsh,/bin/bash,/bin/csh,/bin/ksh,/bin/rsh,/bin/tcsh,/bin/zsh,/usr/bin/passwd,/usr/bin/chsh,/usr/bin/chfn,/usr/bin/su,/bin/su,/usr/sbin/su,/usr/sbin/visudo,/usr/sbin/vipw,/usr/sbin/vigr,/usr/sbin/useradd,/usr/sbin/adduser,/user/sbin/userdel,/user/sbin/usermod,/user/sbin/userpasswd,/user/sbin/groupadd,/user/sbin/groupdel,/user/sbin/groupmod,/usr/bin/sudo*,/bin/su*,/bin/su [a-zA-Z0-9]*,/bin/su *root*,/bin/chmod,/bin/chown,/bin/chattr,/bin/rm,/bin/rmdir,/sbin/rmmod,/sbin/insmod
hwnoc  ALL=(ALL) NOPASSWD:ALL,SUPERMIT,!VIETC,!USERADD,!ALINOC_CMD


admin  ALL=(ALL) NOPASSWD:ALL,SUPERMIT,!VIETC,!USERADD

%admin  ALL=(ALL) NOPASSWD:ALL,SUPERMIT,!VIETC,!USERADD

1.1 Defaults

Sets sudo's default options. A Defaults entry can apply to everyone, or be scoped to a particular user, command, or host.

Format: Defaults parameter=value

Defaults syslog=auth,timestamp_timeout=300,!set_logname

For example, this rule in the file means that when a user runs the sudo command, the execution record of the command is written to the system's security log, the timeout is 5 minutes, and the current user's login name is not recorded.

  • syslog: specifies the log facility; auth means sudo's execution records go to the system's security (auth) log.
  • timestamp_timeout: specifies the sudo timeout, here 300 seconds, i.e. 5 minutes.
  • !set_logname: disables recording the current user's login name.
Format: Defaults:admin parameter=value

# Settings for the admin user only
Defaults:admin    lecture=always
Defaults:admin    lecture_file=/etc/sudoers.lecture
Defaults:admin    passwd_timeout=0.5

lecture: controls sudo's lecture message; here it is always, so the user is shown the message every time sudo is used.
lecture_file: the source of the lecture message; here it is /etc/sudoers.lecture, so the message is read from that file.
passwd_timeout: the password timeout, here 0.5, meaning that the sudo command must be used within 0.5 seconds of entering the password, otherwise the password has to be entered again.

# This means that whenever the user named admin runs sudo, they are shown a message from /etc/sudoers.lecture reminding them of the risks and precautions of the operation. In addition, the user must use the sudo command within 0.5 seconds of entering the password, otherwise the password must be entered again.

Defaults:hwnoc !requiretty

!requiretty: the user is not required to run sudo from a tty.

# Normally sudo requires the user to enter the password on a tty, which ensures that the command is run from a local session rather than from a remote machine. In some cases, however, a user needs sudo without a tty, for example when running commands over a remote connection such as ssh; the !requiretty option disables the tty requirement. This rule therefore means that the user named hwnoc does not need a tty to enter the password when using sudo.

1.2 Cmnd_Alias

Define command aliases, which map one or more commands to an alias.

Format: Cmnd_Alias aliasname=command1,command2,...

The other alias types work the same way:

  • User_Alias: defines a user alias, mapping one or more users to an alias.

  • Runas_Alias: defines a run-as alias, mapping one or more target users (the users a command may be run as) to an alias.

  • Host_Alias: defines a host alias, mapping one or more hosts to an alias.

1.3 Restrictions on the permissions of users and user groups

admin  ALL=(ALL) NOPASSWD:ALL,SUPERMIT,!VIETC,!USERADD

Explanation:

  • admin: the rule applies to the user named admin.
  • ALL: the rule applies on all hosts.
  • (ALL): the command may be run as any target user.
  • NOPASSWD:ALL: no password is required when running commands through sudo.
  • SUPERMIT: the commands in the SUPERMIT alias may be run through sudo.
  • !VIETC: the commands in the VIETC alias may not be run.
  • !USERADD: the commands in the USERADD alias may not be run.

Therefore, this rule means that the user admin can use sudo on all hosts to run any command as any user without entering a password. In addition, admin can use the SUPERMIT command alias, but not the VIETC and USERADD command aliases, which is meant to protect system security and stability.

%tbops  ALL=(ALL) ALL,SUPERMIT,!SHELLS,SUDOEXEC

This rule means that users in the tbops group can use sudo to run any command as any user on all hosts, and can also use the SUPERMIT and SUDOEXEC command aliases. However, they are not allowed to run the commands in the SHELLS alias, which is meant to protect system security and stability.
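How sudo actually reads a line such as %tbops ALL=(ALL) ALL,SUPERMIT,!SHELLS,SUDOEXEC is easiest to see by walking the list in code. The following is an added example, not code from the post: a small Python model of the matching rules described in sudoers(5), run over a constructed, trimmed excerpt of the aliases from section 1.2 and the user specs from section 1.3 (SHELLS, VIETC, SUPERMIT, SUDOEXEC, WHITELIST1 and the mysql, tbops and tbpe lines). It expands aliases, keeps track of the NOPASSWD tag, and applies sudo's rule that the last matching entry in the list decides. The user names alice and bob and their group memberships are assumptions; the host and Runas fields are parsed but not evaluated, and Defaults lines are not handled.

```python
import fnmatch
import re

# Constructed, trimmed excerpt of the rules discussed above (not the full file).
SUDOERS = r"""
# Cmnd alias specification
Cmnd_Alias  SHELLS = /bin/sh,/bin/bash, \
            /bin/zsh
Cmnd_Alias  VIETC = /usr/sbin/visudo,/usr/sbin/vipw,/usr/sbin/vigr
Cmnd_Alias  SUPERMIT = !/usr/bin/sudo *,!/bin/su *,/bin/su -c*,/bin/su [a-zA-Z0-9]*,!/bin/su *root*
Cmnd_Alias  SUDOEXEC = /bin/bash [/~.a-zA-Z0-9]*, /bin/bash -c*
Cmnd_Alias  WHITELIST1 = /bin/grep
mysql   ALL=(ALL) NOPASSWD:WHITELIST1
%tbops  ALL=(ALL) ALL,SUPERMIT,!SHELLS,SUDOEXEC
%tbpe   ALL=(ALL) ALL,SUPERMIT,!SHELLS,SUDOEXEC,!VIETC
"""

# user-or-%group  host=(runas) [TAG:]command,command,...
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(.*)$")


def logical_lines(text):
    """Join backslash-continued lines; drop blank and comment lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    return out


def parse(text):
    """Return ({alias: [member, ...]}, [(who, host, runas, [(tag, item), ...]), ...])."""
    aliases, specs = {}, []
    for line in logical_lines(text):
        if line.startswith("Cmnd_Alias"):
            name, _, body = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [m.strip() for m in body.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: " + line)
        who, host, runas, cmds = m.groups()
        tag, items = "PASSWD", []
        for item in cmds.split(","):
            head, sep, rest = item.strip().partition(":")
            if sep and head in ("NOPASSWD", "PASSWD"):
                tag, item = head, rest      # a tag stays in force for the rest of the list
            items.append((tag, item.strip()))
        specs.append((who, host, runas, items))
    return aliases, specs


def expand(item, aliases, negated=False):
    """Expand aliases recursively. Each '!' toggles negation, so '!SUPERMIT' would
    un-negate the members that SUPERMIT itself writes with a leading '!'."""
    while item.startswith("!"):
        negated, item = not negated, item[1:].strip()
    if item in aliases:
        return [e for member in aliases[item] for e in expand(member, aliases, negated)]
    return [(item, negated)]


def entry_matches(pattern, command):
    """sudo-style match: the path is a glob; if the entry lists arguments they are
    matched with fnmatch against the user's arguments joined into ONE string (so a
    '*' spans word boundaries); an entry without arguments accepts any arguments."""
    if pattern == "ALL":
        return True
    ppath, has_args, pargs = pattern.partition(" ")
    cpath, _, cargs = command.partition(" ")
    if not fnmatch.fnmatchcase(cpath, ppath):
        return False
    if not has_args:
        return True
    if pargs == '""':               # literal "" in sudoers: the command must take no arguments
        return cargs == ""
    return fnmatch.fnmatchcase(cargs, pargs)


def decide(text, user, groups, command):
    """Walk every spec that applies to the user, left to right; the LAST matching
    entry decides. Returns (allowed, nopasswd); allowed is None when nothing
    matched, which sudo treats as a denial."""
    aliases, specs = parse(text)
    verdict, nopasswd = None, False
    for who, _host, _runas, items in specs:
        if who != user and not (who.startswith("%") and who[1:] in groups):
            continue
        for tag, item in items:
            for pattern, negated in expand(item, aliases):
                if entry_matches(pattern, command):
                    verdict, nopasswd = (not negated), (tag == "NOPASSWD")
    return verdict, nopasswd


if __name__ == "__main__":
    for who, grp, cmd in [("mysql", set(), "/bin/grep root /etc/passwd"),
                          ("alice", {"tbops"}, "/bin/bash"),
                          ("alice", {"tbops"}, "/bin/bash /home/app/deploy.sh")]:
        print(f"{who} {cmd!r} -> {decide(SUDOERS, who, grp, cmd)}")
```

Running it shows why the order of the list matters: for a tbops member, /bin/bash is denied because !SHELLS comes after ALL, but /bin/bash /home/app/deploy.sh is allowed again because SUDOEXEC comes after !SHELLS; a tbops member can also run /usr/sbin/visudo, unlike tbpe, because the tbops line has no !VIETC. Two caveats a reviewer would raise from this model: arguments are matched as a single string, so an entry like /bin/su -c* accepts anything after -c, and sudoers(5) itself warns that subtracting commands from ALL with ! is not an effective restriction, so the allow-list style of the mysql and guest lines is the pattern to prefer for less trusted accounts.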

2. /etc/passwd

/etc/passwd is the system user configuration file. It stores the basic information of every user on the system, and all users can read it.
An example file looks like this:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync

The format is:

username:password:UID:GID:comment:home directory:login shell

The fields are explained as follows:

  • Username: a string identifying the user account, usually up to 8 characters long and made up of upper- and lower-case letters and/or digits.
  • Password: stores the encrypted user password. For security, most Linux systems now use shadow passwords and keep the real encrypted password in /etc/shadow.
  • UID: an integer the system uses internally to identify the user; normally it corresponds one-to-one with the user name.
  • GID: records the user's primary group; it corresponds to an entry in /etc/group.
  • User info: personal information about the user, such as real name, phone number and address. This field has no practical use.
  • Home directory: the user's initial working directory, i.e. the directory the user is in after logging in.
  • Login shell: the process started after the user logs in; it is the interface between the user and the Linux system.

The difference between x and * in the password field

x: the user's password is encrypted and the real password is stored in /etc/shadow.
*: the password field is empty, i.e. the user cannot log in with a password, for example a system user or a user without a password.

Differences between the various /etc/passwd variants

  • /etc/passwd: the most common form, used to store all user account information, including user name, UID, GID, password, user information, home directory and default shell.
  • /etc/passwd-: a backup of /etc/passwd, usually created automatically by the system when the administrator changes /etc/passwd.
  • /etc/passwd+: the /etc/passwd file used by some Linux distributions (such as Gentoo). Its format differs slightly from the ordinary /etc/passwd; it generally includes user name, UID, GID, user information and home directory.
  • /etc/passwd.org: the /etc/passwd backup of some Linux distributions (such as Debian), usually taken at the same point in time as /etc/passwd when the system was installed.
  • /etc/passwd-: the /etc/passwd file of the AIX operating system. Its format differs slightly from the ordinary /etc/passwd; it generally includes user name, UID, GID, user information, home directory, default shell and account expiry time.

Commands for managing /etc/passwd files

useradd
Create the user useradd-test, set the password to 123, and create a group with the same name as the user's primary group:

useradd -p 123 -U useradd-test
$ cat /etc/passwd | grep useradd-test
useradd-test:x:1000:1000::/home/useradd-test:/bin/bash

$ cat /etc/shadow | grep useradd-test
useradd-test:123:19562:0:99999:7:::

As the output shows, the password written by useradd is stored in plain text, not encrypted. The passwd command is needed to store it encrypted.

passwd
Change user password

$ sudo passwd useradd-test
Changing password for user useradd-test.
New password: 
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
Retype new password: 
passwd: all authentication tokens updated successfully.
cat /etc/shadow | grep useradd-test
useradd-test:$6$k.sul8dF$pgZaR8zG1BYjIp9vTemeROXhA2npYLqUfblpZnCgChyVtr4yi9QZSyMLOtqyH85b2ONXeMK.RJU1awlDEUMww/:19562:0:99999:7:::

usermod: modify user attributes

$ usermod -c "useradd test" useradd-test

$ cat /etc/passwd | grep useradd-test
useradd-test:x:1000:1000:useradd test:/home/useradd-test:/bin/bash

Common usermod parameters

  • -l (usermod -l newname oldname): rename the user, where newname is the new user name and oldname the old one.
  • -c (usermod -c "User Info" username): change the user's comment field, where "User Info" is the new user information and username the user to modify.
  • -g (usermod -g groupname username): change the user's primary group, where groupname is the group to switch to and username the user to modify.
  • -G (usermod -G group1,group2 username): add the user to several groups, where group1 and group2 are the groups to add and username the user to modify.
  • -s (usermod -s /bin/bash username): change the user's default shell, where /bin/bash is the new shell and username the user to modify.
  • -d (usermod -d /home/newhome username): change the user's home directory, where /home/newhome is the new home directory and username the user to modify.
  • -e (usermod -e 2022-12-31 username): change the account expiry date, where December 31, 2022 is the date the account expires and username the user to modify.
  • -p (usermod -p password username): change the user's password, where password is the new password and username the user whose password is changed. Note that this method does not encrypt the password and is therefore not very secure; use the passwd command to set passwords instead.
  • -u (usermod -u uid username): change the user's UID, where uid is the new user ID and username the user to modify.

userdel: delete an account

userdel useradd-test

3. /etc/shadow

/etc/shadow is the file that stores user password information, also known as the "shadow file". Only the root user can read it; other users cannot directly view or modify it.
The format is as follows:

username:encrypted password:last change date:minimum days between changes:password validity period:warning days before the password must be changed:grace period after password expiry:account expiry date:reserved field

The fields are explained as follows:

  • Username: the user's login name.
  • Encrypted password (Password): the user's password, stored encrypted with a hashing algorithm.
  • Last change: when the password was last modified, as the number of days since January 1, 1970.
  • Minimum days: how many days must pass after a password change before the password can be changed again.
  • Maximum days: the validity period of the password, i.e. how long it can be kept since it was last modified.
  • Warning days: the number of days before expiry on which the user is reminded to change the password.
  • Inactive days (account expiration time): how many days after the user stops logging in the account is automatically invalidated.
  • Account expiration date: the end date of the account, as the number of days since January 1, 1970.

The difference between * and !! in /etc/shadow

In the /etc/shadow file, the two special values * and !! both mean that the account cannot log in to the system, but there are subtle differences between them.

  • *: if the password field in /etc/shadow is *, the account is locked and cannot log in with a password. This is usually the result of an administrator locking the account manually.

  • !!: if the password field in /etc/shadow is !!, the account is disabled and cannot log in with a password. This is usually the result of the system disabling the account automatically, for example because the password expired or the user has not logged in for a long time.

Note that both * and !! mean the user account cannot log in to the system; the difference is that * indicates the account was locked manually by an administrator, while !! indicates it was disabled automatically by the system. In practice, administrators should handle each case according to the situation to keep the system secure and stable.
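The fields described in sections 2 and 3 are easiest to check by parsing both files together. The following is an added example, not code from the post: it parses /etc/passwd and /etc/shadow records in the formats given above, decodes the day-count fields into dates, classifies the password column (empty, locked, a crypt hash, or neither, which is what useradd -p 123 left behind in the output above), and reports the findings an audit would want: extra UID 0 accounts, hashes sitting in the world-readable passwd file, empty passwords on interactive shells, and expired accounts. The two sample files are constructed: useradd-test reuses the hash printed above, the other non-system accounts and the fixed "today" date are invented.

```python
import datetime
import re

EPOCH = datetime.date(1970, 1, 1)
# Prefixes of modern crypt(3) hashes: md5, bcrypt, sha256, sha512, scrypt, yescrypt
CRYPT_RE = re.compile(r"^\$(1|2[abxy]?|5|6|7|y|gy)\$")
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "passwd", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")

# Constructed sample files. useradd-test carries the hash shown above; plain-test,
# legacy, svc-backup and oldstyle are invented to exercise each finding.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
useradd-test:x:1000:1000:useradd test:/home/useradd-test:/bin/bash
plain-test:x:1001:1001::/home/plain-test:/bin/bash
legacy:x:1002:1002::/home/legacy:/bin/bash
svc-backup:x:0:1003::/var/backups:/bin/bash
oldstyle:$1$saltsalt$fakehashfakehashfakeha:1004:1004::/home/oldstyle:/bin/sh
"""
SHADOW = """\
root:*:18353:0:99999:7:::
bin:*:18353:0:99999:7:::
sync:*:18353:0:99999:7:::
useradd-test:$6$k.sul8dF$pgZaR8zG1BYjIp9vTemeROXhA2npYLqUfblpZnCgChyVtr4yi9QZSyMLOtqyH85b2ONXeMK.RJU1awlDEUMww/:19562:0:99999:7:::
plain-test:123:19562:0:99999:7:::
legacy::19000:0:90:7:::
svc-backup:!!:19562:0:99999:7::19400:
"""


def parse_records(text, fields):
    """Colon-separated records keyed by user name; the field count must match the format."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"unexpected field count in {line!r}")
        rec = dict(zip(fields, parts))
        out[rec["name"]] = rec
    return out


def classify_password(field):
    """Meaning of a shadow password field: '' (no password needed), '*' or a
    leading '!' (locked; passwd -l and usermod -L lock by prefixing the hash
    with '!'), a crypt hash, or something that is neither, such as the literal
    123 that 'useradd -p 123' wrote above."""
    if field == "":
        return "empty"
    if field == "*" or field.startswith("!"):
        return "locked"
    if CRYPT_RE.match(field):
        return "hashed"
    return "not-a-hash"


def days_to_date(n):
    """Shadow stores dates as days since 1970-01-01; an empty field means unset."""
    return None if n == "" else EPOCH + datetime.timedelta(days=int(n))


def audit(passwd_text, shadow_text, today=datetime.date(2023, 7, 25)):
    """Cross-check both files and return sorted 'user: finding' strings.
    'today' defaults to a constructed date so the result is reproducible."""
    users = parse_records(passwd_text, PASSWD_FIELDS)
    shadow = parse_records(shadow_text, SHADOW_FIELDS)
    findings = []
    for name, u in users.items():
        interactive = not u["shell"].endswith(("nologin", "/false"))
        if u["uid"] == "0" and name != "root":
            findings.append(f"{name}: UID 0 account that is not root")
        if u["passwd"] not in ("x", "*"):
            findings.append(f"{name}: password field in world-readable /etc/passwd is "
                            f"{u['passwd']!r}, not 'x'")
        s = shadow.get(name)
        if s is None:
            if u["passwd"] == "x":
                findings.append(f"{name}: 'x' in passwd but no shadow entry")
            continue
        kind = classify_password(s["passwd"])
        if kind == "empty" and interactive:
            findings.append(f"{name}: empty shadow password with interactive shell {u['shell']}")
        if kind == "not-a-hash":
            findings.append(f"{name}: shadow field {s['passwd']!r} is not a crypt hash")
        last = days_to_date(s["lastchg"])
        if kind == "hashed" and last and s["max"] not in ("", "99999"):
            expires = last + datetime.timedelta(days=int(s["max"]))
            if expires < today:
                findings.append(f"{name}: password expired on {expires}")
        expire = days_to_date(s["expire"])
        if expire and expire < today:
            findings.append(f"{name}: account expired on {expire}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW):
        print(finding)
```

audit() returns strings instead of printing so the result can be asserted on or forwarded to a log pipeline; on a real host you would read the two files as root, pass their contents in, and replace the fixed today with datetime.date.today(). The value 123 is reported as "not a crypt hash" rather than as a usable password: crypt(3) never reproduces such a string, so the account cannot log in with it, but the secret itself is sitting unhashed in the file, which is exactly why the post switches to passwd.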


Source: blog.csdn.net/yuelai_217/article/details/131899584