Chap 4 User Account Administration
Chapter Objectives
- Understand problems associated with the creation of user accounts.
- Understand tasks required to add a new user account.
- Understand security issues related to user accounts.
- Recognize tools available for managing user accounts.
Users
Many System Administrators rate tasks they have to perform on a "headache" scale. (How nasty will the headache be when I have to do the task?)
- Installing an OS is usually a light headache.
- Installing applications is usually a light headache.
- Patches are usually a light headache.
- Account maintenance is generally a medium sized/nasty headache...
So far, we have discussed:
- Booting/Halting a system
- Installing an OS
- Customizing/Patching the OS
- Installing applications
- License managers
- Filesystems
- Processes
All we
Users - background information
- There are several things to consider before attempting to create/install user accounts on a system.
    - Creating login names
Assigning a homedir
- On large systems there may be many "user" directories. The system administrator needs to think about how users are distributed across these file systems.
    - Space requirements
    - Project/Work Unit Association
    - Other considerations (special needs)
Creating UIDs
- Each user must have a unique user-id. Most Unix systems use integers in the range of 0 - 65536.
    - Are there special (reserved) userids?
    - What happens at a large company/university where there are more than 65536 employees?
    - Are UIDs reused? For example, if an employee leaves the company, is their userid assigned to the next person hired in?
- Assigning a shell. Shells are a very personal choice. But the administrator has to assign some shell program to each user.
    - sh - standard with almost every UNIX
    - csh - standard with almost every UNIX
    - bash - standard with Linux
    - tcsh - popular, but not generally shipped with the system
    - ksh - used by many install programs
- In addition to the items above, the administrator may elect (or be forced) to set constraints like:
    - What workstations can the user access
    - What hours can the user access the workstation
    - Account expiration date
    - How often the user must change their password
    - What are acceptable passwords
- Format of password file (Unix). The Unix password file conforms to a very strict format:
    USER:PASSWD:UID:GID:GECOS:HOMEDIR:SHELL
- If the password file format is incorrect, one of the following situations may occur:
    - Nobody listed after the error can login.
    - Nobody can login.
    - The password file is automatically truncated by the system to remove the error.
Password file fields
- User - the login name assigned to the user.
- Password - may be one of the following:
    - NP - No password assigned
    - *, x, X, or + - Look in some alternate location
    - encrypted password
- UID - the UID assigned to this user
- GID - the login group this user belongs to. Users may be in other groups (see /etc/group).
- GECOS - This field is a list of comma separated informational items related to this user. Standard format is: Full name, Office, Phone, Comments.
- Homedir - the home directory assigned to this user
- Shell - the shell program assigned to this user. Make sure it is listed in /etc/shells!
- Some sites have several password files, and use some tool to create password files for individual systems.
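The checks a sysadmin would run over a password file before trusting it follow from the field rules above (seven colon-separated fields, unique login names and UIDs, a non-empty password field, a shell listed in /etc/shells). The validator below is an added example, not a tool from the slides; the sample file, the stand-in for /etc/shells, and the 16-bit UID limit are constructed assumptions.

```python
import re

# Constructed sample in the USER:PASSWD:UID:GID:GECOS:HOMEDIR:SHELL format
# from the slides; not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice Example,Rm 12,555-0100,:/home/alice:/bin/bash
bob::1002:100:Bob Example:/home/bob:/bin/bash
carol:x:1001:100:Carol Example:/home/carol:/usr/local/bin/zsh
dave:x:1003:100:Dave Example:/home/dave
"""
# Constructed stand-in for the contents of /etc/shells.
VALID_SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh"}
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")
UID_MAX = 65535  # assumption: 16-bit UID space, as on the classic systems discussed

def check_passwd(text, valid_shells=VALID_SHELLS):
    """Return a list of (line_number, message) for every problem found."""
    problems, seen_uids, seen_names = [], {}, {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split(":")
        if len(fields) != 7:
            # The malformed-line case the slides warn about: on some systems
            # later entries become unreadable or the file is truncated.
            problems.append((lineno, "expected 7 fields, found %d" % len(fields)))
            continue
        user, pw, uid, gid, gecos, home, shell = fields
        if not LOGIN_RE.match(user):
            problems.append((lineno, "bad login name %r" % user))
        if user in seen_names:
            problems.append((lineno, "duplicate login %s" % user))
        seen_names.setdefault(user, lineno)
        if pw == "":
            problems.append((lineno, "empty password field for %s" % user))
        if not (uid.isdigit() and gid.isdigit()):
            problems.append((lineno, "non-numeric UID/GID for %s" % user))
        else:
            if int(uid) > UID_MAX:
                problems.append((lineno, "UID %s out of range" % uid))
            if int(uid) in seen_uids:
                problems.append((lineno, "UID %s already used by %s" % (uid, seen_uids[int(uid)])))
            seen_uids.setdefault(int(uid), user)
        if not home.startswith("/"):
            problems.append((lineno, "home dir %r is not absolute" % home))
        if shell not in valid_shells:
            problems.append((lineno, "shell %s not in /etc/shells" % shell))
    return problems

if __name__ == "__main__":
    for lineno, msg in check_passwd(SAMPLE_PASSWD):
        print("line %d: %s" % (lineno, msg))
```

On the sample, bob has an empty password field, carol reuses alice's UID and runs a shell not in /etc/shells, and dave's entry has only six fields.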
The principal method by which an operating system determines the authenticity of a user is a password.
- Good passwords are essential to the security of all operating systems.
- Choosing passwords, educating users in the use of passwords, and choosing and employing one or more tools to enhance password security are tasks a sysadmin will face when creating user accounts.
- Both Windows and UNIX systems employ reusable passwords as their default.
Reusable passwords have several problems. First, they are vulnerable, either through manual or automated brute force attacks, to discovery if unchanged for long periods of time. Reusable passwords are vulnerable to their own quality; poorly chosen passwords are more easily guessed. If the user accesses the system using an insecure connection such as telnet or ftp, the user's password is transmitted over the connection in clear text, which is easily intercepted if an attacker is listening.
The first approach to improving password security is to educate the users of your systems about the dangers of reusable passwords.
- Education on choosing good passwords and encouragement to change them periodically is universally applicable to all operating systems.
- Good password construction techniques include assembling passwords from words separated by punctuation characters or numbers, or assembling a password using the first letter of each word in a phrase of the user's choosing.
- Semester breaks, seasonal changes, and holiday breaks can help provide cues to encourage periodic password changes.
Password aging (or password expiration) is another method to improve password security.
- The aging process allows the system manager to enforce the practice of changing account passwords on a regular basis.
- The downside to password aging is the psychological factor. Some users dislike changing passwords.
- Being asked to change with no warning may contribute to a user choosing a simpler, easily guessed password, or simply entering a new password and then changing back to the old password immediately afterward.
- Password aging is most effective when the account user understands the reasons for periodically changing a password and the elements of a good password, and is given a chance to choose a good password.
Other features present in some UNIX variants are incorrect password attempt counters and account inactivity timers.
- These can be employed to reduce the chances of success by an attacker guessing a user's password or of an old unused account being exploited to gain access to a system.
- A password attempt counter records failed attempts to provide the system with a password. When a user attempts to log in, the number of failed password attempts is checked against a set limit.
- The user account is disabled if the limit is exceeded. Likewise, an inactivity timer records the last time an account was used.
- In the case of the inactivity timer, when a user attempts to log in, the length of inactivity for the account is compared to a set limit and the account is disabled if it has been inactive for longer than the limit.
- Both of these tools have the downside of preventing access by valid users and of adding additional work for the system administrator as he spends time resetting password attempt counters or inactivity timers triggered by the forgetful or infrequent user.
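The three mechanisms from the last few slides (password aging, the failed-attempt counter and the inactivity timer) and the admin's reset chore can be shown together as one login-policy simulation. This is an added example, not code from the slides; the limits, the fixed timeline and the clear-text password comparison are constructed for illustration only.

```python
from datetime import datetime, timedelta

# Policy limits, constructed for the example; real sites pick their own.
MAX_FAILED_ATTEMPTS = 5
MAX_INACTIVE_DAYS = 90
PASSWORD_MAX_AGE_DAYS = 60

def day(n):
    """Constructed timeline helper: n days after a fixed epoch."""
    return datetime(2024, 1, 1) + timedelta(days=n)

class Account:
    def __init__(self, name, password, created):
        self.name = name
        self.password = password        # kept in clear only for this simulation
        self.failed_attempts = 0
        self.last_login = created
        self.password_changed = created
        self.disabled = False

def attempt_login(acct, password, now):
    """Apply the attempt counter, inactivity timer and aging checks; return a status."""
    if acct.disabled:
        return "disabled"
    # Inactivity timer: time since last use is compared with the limit.
    if now - acct.last_login > timedelta(days=MAX_INACTIVE_DAYS):
        acct.disabled = True
        return "disabled: inactive"
    if password != acct.password:
        acct.failed_attempts += 1
        # Attempt counter: the account is disabled once the limit is exceeded.
        if acct.failed_attempts > MAX_FAILED_ATTEMPTS:
            acct.disabled = True
            return "disabled: too many failures"
        return "bad password"
    acct.failed_attempts = 0
    acct.last_login = now
    # Password aging: let the user in but require a change when expired.
    if now - acct.password_changed > timedelta(days=PASSWORD_MAX_AGE_DAYS):
        return "ok: password expired, change required"
    return "ok"

def reset_counters(acct, now):
    """The manual chore the slides describe: clear lockout state for a user."""
    acct.failed_attempts = 0
    acct.last_login = now
    acct.disabled = False
```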
The long-term solution to the problems of reusable passwords is passwords that are used just once and not used again.
- These one-time passwords make use of a shared secret typically held on a secure authentication server and a token held by the user, typically a small calculator or a program on a personal digital assistant (PDA), such as a Palm Pilot.
- Instead of requesting a password when accessing a system, under one-time passwords the system responds to a log-in request with a challenge in the form of a string of numbers and letters.
- This string is entered into the token that produces another string, the response.
- The response is entered instead of the password to gain access. Both the challenge and the response are a mixture of the shared secret and a continually changing value, usually the current date and time, ensuring that the same combination of challenge and response are never used more than once.
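The challenge/response exchange just described, with both the server and the token side, as an added example that is not from the slides or any real token product. It simplifies the scheme slightly: the challenge mixes the date/time with fresh randomness, and only the response mixes in the shared secret (via an HMAC); the secret and the timestamp strings are constructed.

```python
import hashlib
import hmac
import os

# Constructed shared secret, provisioned into both the server and the user's token.
SHARED_SECRET = b"example-secret-not-for-real-use"

def token_response(secret, challenge):
    """Token side: mix the shared secret with the challenge to form the response."""
    digest = hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
    return digest[:8].upper()   # short enough to type from a calculator-style token

class OTPServer:
    """Server side: issues a fresh challenge per login and checks the response."""
    def __init__(self, secret):
        self.secret = secret
        self.outstanding = {}    # user -> challenge issued for the login in progress

    def issue_challenge(self, user, timestamp):
        # The challenge mixes a changing value (the current date/time, passed in
        # as a string so the exchange is reproducible) with fresh randomness,
        # so the same challenge/response pair is never used twice.
        challenge = "%s-%s" % (timestamp, os.urandom(4).hex())
        self.outstanding[user] = challenge
        return challenge

    def verify(self, user, response):
        # The challenge is consumed whether or not the response is right, so a
        # captured response cannot be replayed against a later login.
        challenge = self.outstanding.pop(user, None)
        if challenge is None:
            return False
        expected = token_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    server = OTPServer(SHARED_SECRET)
    c = server.issue_challenge("alice", "20240101120000")
    r = token_response(SHARED_SECRET, c)    # what the user reads off the token
    print("challenge", c, "response", r, "accepted", server.verify("alice", r))
```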
This sophisticated and secure scheme is not without its own problems. None of the Windows or UNIX variants seem to come with one-time passwords built in. They must be added to the system as a separate product. All users making use of the system will be required to carry a token with them, with the resulting problems of loss and damage to the token and the frustration to the user when they are unable to gain access.
Alternative password token systems are also available.
- Physical devices such as a smart card or dongle that carry authentication information or provide challenge/response authentication.
- The devices are read via special readers (smart cards) or are attached to a system via a connection such as a USB port (dongle).
- Such devices are generally used in highly secure systems for which the cost of the additional hardware for every user can be justified.
- Another technique is the use of biometric information such as the visual pattern of a fingerprint or the blood vessels in the retina.
- This information is read from the person's finger or eye via a special-purpose reader.
Although believed to be very secure, biometrics suffer from problems such as how account revocation is performed, as the information being used for authentication is a permanent feature of the user. As with smart cards and dongles, biometric authentication is only seen in situations for which the cost of the additional hardware can be justified.
- Under NT Workstation, there is a great point/click interface called the User Manager.
User Manager lets the administrator add one account at a time on individual computers. User Manager lets the administrator force password changes, disable the user, give the user privileges, move the user to a new directory, ... How would an administrator (easily) add dozens of accounts with User Manager?
- Under NT Server (or any system participating in an NT domain) the application is called User Manager for Domains.
Same as User Manager, but it works with a domain wide account database (registry).
- UNIX suffers from the same account management design problems.
The standard tools for adding users are not set up to deal with "mass" account changes.
- The "old" method for adding/changing user information is to edit the /etc/passwd file.
    - vipw is provided on some versions of UNIX so the person doing the editing can't do stupid things.
    - Solaris did away with vipw, so you have to use some other text editor if you plan to change the password file manually.
- Solaris provides admintool which can be used like the NT User Manager to add/change/delete one user at a time.
Solaris provides an extended version of admintool which can be used like the NT User Manager for Domains to add/change/delete accounts on all systems (one user at a time).
- Problem: How would the administrator install several hundred (or thousand) accounts on several hundred (or thousand) computers with these systems?
A few possible answers:
- very carefully
- very crabbily
- they wouldn't
- they would find a better way
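The "better way" is to generate account entries from a list instead of adding them one at a time. The script below is an added example, not a tool from the slides or from Solaris/NT: it reads a constructed CSV of new hires, rejects logins that already exist, and allocates UIDs above the highest one ever issued so a departed user's UID is never reused (one answer to the question raised earlier). The existing passwd contents, the CSV and UID_MIN are constructed assumptions.

```python
import csv
import io

# Constructed current passwd contents and a constructed list of new hires.
EXISTING_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice Example:/home/alice:/bin/bash
"""
NEW_USERS_CSV = """\
login,fullname,group
bob,Bob Example,100
alice,Alice Again,100
carol,Carol Example,100
"""
UID_MIN = 1000   # assumption: lowest UID this site hands to ordinary users

def batch_entries(existing_text, csv_text, shell="/bin/bash"):
    """Return (new_entries, rejected) for a bulk add that never reuses a UID."""
    names, uids = set(), set()
    for line in existing_text.splitlines():
        fields = line.split(":")
        names.add(fields[0])
        uids.add(int(fields[2]))
    # Allocate above the highest UID ever seen instead of filling gaps, so a
    # departed employee's UID is not handed to the next person hired.
    next_uid = max(max(uids, default=0) + 1, UID_MIN)
    entries, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["login"].strip()
        if login in names:
            rejected.append((login, "login already exists"))
            continue
        entries.append("%s:x:%d:%s:%s:/home/%s:%s" % (
            login, next_uid, row["group"], row["fullname"], login, shell))
        names.add(login)
        next_uid += 1
    return entries, rejected

if __name__ == "__main__":
    new, bad = batch_entries(EXISTING_PASSWD, NEW_USERS_CSV)
    print("\n".join(new))
    for login, why in bad:
        print("skipped %s: %s" % (login, why))
```

The generated lines are what a site would feed to its own account tool or append to each system's password file; the 'x' password field follows the "look in some alternate location" convention from the field list above.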
- To start up admintool, login as root, start OpenWindows, and type:
    # admintool
Ubuntu uses the users-admin tool:
    $ sudo users-admin
or System -> Administration -> Users and Groups.
Account Maintenance Packages
- Several organizations have created account maintenance packages. These packages attempt to solve one or more problems with the standard account installation tools. Examine a few of these tools:
    - Sun Microsystems - YP (Yellow Pages), also known as Network Information Service (NIS)
    - M.I.T. - Athena Service Management System
    - Oregon State - Asmodeus
    - Purdue University - CMaint
Summary
This chapter explored the user account. Sysadmins must pay attention to many tasks as part of account creation.
- Site policies regarding user account names, rights, acceptable use, ...
- Password security
- Disk management
- Automation of the account creation process.