Managing Users: CSCI N321 - System and Network Administration

Uploaded by

hradiya
Copyright
© Attribution Non-Commercial (BY-NC)

Managing Users

CSCI N321 – System and Network Administration

Copyright © 2000, 2010 by Scott Orr and the Trustees of Indiana University
Section Overview
Users and groups
System Accounts
Account Management
System Administration Access
References
CQU 85321 System Administration Course
  - Textbook: Chapter 9
  - Lectures: 2003 #9
Purposes of accounts
Audit
Access Control
Authentication
Identity and Authentication
Why usernames?
  - Grant access to system
  - Control access to resources
  - Accountability
Passwords
  - Prove you are who you say you are
  - Often weakest link in system security
User Accounts

UserID
User’s Full Name
Password
Home Directory
Groups
System Interface?
Username Selection
Must be unique
Max of 8 characters
Should be in all lower-case
Easy to remember
Set format
  - Combination of first & last name
  - No nicknames
Components of an Account
Username
Password
UID
GID
GECOS
Home Directory
Default Shell

Stored in /etc/passwd

sorr:lYi8.KpsFAb9M:126:10:Scott Orr:/home/sorr:/bin/csh
Microsoft Security Identifiers
Created for every user, group, and machine
Never reused
S-1-5-21-D1-D2-D3-RID
  - S-1-5-21: Standard prefix for NT
  - D1-D2-D3: Local or domain identifier
  - RID (Relative ID): Unique part of SID
Weak Passwords
No passwords used
Smoking Joes
Information about user
Dictionary Attacks
  - Modification of user ID or name
  - Modification of dictionary(s) word(s)
  - Keyboard patterns
  - Any systematic, algorithmic generator
Selecting Strong Passwords
At least 14 characters in length
Mix of case, numbers and special characters
Something you can remember
Techniques
  - License plating (becoming weaker)
  - Acronyms from phrases
  - Passphrases
Pass Phrase Examples
smo11012006
  - Poor
ardl79BEf76357
  - 14 spaces
  - Hard to remember
  - Good
MydogSkiplovestoplayfetcheveryday
  - 33 spaces
  - Easier to remember
  - Better
Myd0gSkipluvs2playfetchev3ryday
  - 31 spaces
  - Easier to remember
  - Limit duplicate letters – substitute with numbers, punctuation, or special characters
  - Best
UNIX Password Storage
Uses a One-Way Hash Encryption
  - Based on DES
  - Uses a 2 character “salt”
  - MD5/SHA1 – More secure replacement
‘*’ Used to lock accounts
Readability Issue
UNIX Password Encryption
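[Diagram: the password ("balloons") and the salt ("Vs") feed a DES one-way hash of 0x00000000, randomized by the salt and applied 25 times; the output is asciified (valid characters: A-Za-z0-9./) to give VsjqYhTwQiJPw.]
Newer systems use MD5/SHA1 now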
/etc/shadow
Password field in /etc/passwd replaced with ‘x’
Readable only by superuser
Contents
  - Username
  - Password
  - Password aging information
Lan Manager Password Encryption
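[Diagram: the password ("14charpassword") is upper-cased and split into two halves ("14CHARP" and "ASSWORD"); each half goes through its own DES one-way hash. Hex values shown on the slide: 0xAAD3B435B51404EE; 0xE79E56A8E5C6F8FE and 0xAAD3B435B51404EE.]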
Windows Password Encryption

[Diagram: Password -> 16-bit character Unicode -> MD4 one-way hash -> SAM]
• 6-14 character passwords
• Stored in registry and files
• Backwards compatible with LAN Manager (2nd entry)
Special Users
Guest
System Accounts
Superuser / Administrator
  - Full Access to all system resources
  - Superuser Equivalency
“Principle of Least Privilege”
Linux System Accounts
root
  - System Administration account
  - UID of 0
bin – Owner of standard system programs
daemon – Owner of (most) system daemons
mail – Owner of mail system
nobody – Unprivileged system account
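
The /etc/passwd fields, the password-field markers (‘x’, ‘*’) and the UID 0 rule from the slides above can be checked mechanically. The following audit sketch is an added example, not part of the original slides; the function names, the finding labels and every sample entry except sorr are constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: 2-character salt + 11 characters from A-Za-z0-9./
DES_CRYPT = re.compile(r"^[A-Za-z0-9./]{13}$")
FIELDS = ("username", "password", "uid", "gid", "gecos", "home", "shell")

def parse_passwd_line(line):
    """Split one /etc/passwd entry into its seven colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
    return entry

def password_state(field):
    """Classify the password field of a passwd entry."""
    if field == "":
        return "empty"          # no password needed to log in
    if field == "x":
        return "shadowed"       # hash is kept in /etc/shadow
    if field.startswith("*"):
        return "locked"         # '*' as first character locks the account
    if DES_CRYPT.match(field):
        return "des-exposed"    # DES hash sitting in a world-readable file
    return "other"

def audit(lines):
    """Return (username, finding) pairs for entries that need attention."""
    findings = []
    for line in lines:
        if not line.strip():
            continue            # tolerate blank lines
        entry = parse_passwd_line(line)
        state = password_state(entry["password"])
        if state in ("empty", "des-exposed"):
            findings.append((entry["username"], state))
        if entry["uid"] == 0 and entry["username"] != "root":
            findings.append((entry["username"], "uid-0-equivalent"))
    return findings

# Constructed sample; only the first entry is the one shown on the slide.
SAMPLE = [
    "sorr:lYi8.KpsFAb9M:126:10:Scott Orr:/home/sorr:/bin/csh",
    "root:x:0:0:root:/root:/bin/bash",
    "guest::500:100:Guest:/home/guest:/bin/sh",
    "toor:x:0:0:Spare admin:/root:/bin/sh",
    "olduser:*:501:100:Disabled:/home/olduser:/bin/nologin",
]
```

Calling audit(SAMPLE) reports sorr (DES hash readable in /etc/passwd), guest (empty password) and toor (a second UID 0 account); root and the locked olduser entry produce no finding.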
Linux Groups
Stored in /etc/group
  - Group Name
  - Password (rarely used)
  - Group ID Number (GID)
  - List of members
newgrp – Change default group
sysadmin:*:14:root,sorr
Common Windows Groups
Administrators
Backup Operators
Power Users
Network Configuration Operators
Remote Desktop Users
Users

Role Based Model
Linux User Account Creation
Add entry to /etc/passwd
Create initial password (/etc/shadow)
Add entry to /etc/group (optional)
Create home directory & copy startup files into it
Create mail file (optional)
Test!!!
Account Creation Tools
Manual Creation
  - vipw / vigr
  - passwd user
  - Default scripts found in /etc/skel
useradd
GUI Tools
  - Linux Web-based tools (e.g. Webmin)
  - Windows: Computer->Manage->Local Users and groups
Account Modification Tools
passwd – Change password
chfn – Change GECOS entry
chsh – Change default shell (Listed in /etc/shells)
usermod & GUI tools
Disabling accounts
  - Locking password (‘*’ as first character)
  - Change shell to /bin/nologin
Removing an Account
Kill any processes owned by user
Remove all files owned by user
Remove account entries (Linux)
  - /etc/passwd
  - /etc/shadow
  - /etc/group
userdel & GUI tools
