Tanti Technology

My photo
Bangalore, karnataka, India
Multi-platform UNIX systems consultant and administrator in mutualized and virtualized environments I have 4.5+ years experience in AIX system Administration field. This site will be helpful for system administrator in their day to day activities.Your comments on posts are welcome.This blog is all about IBM AIX Unix flavour. This blog will be used by System admins who will be using AIX in their work life. It can also be used for those newbies who want to get certifications in AIX Administration. This blog will be updated frequently to help the system admins and other new learners. DISCLAIMER: Please note that blog owner takes no responsibility of any kind for any type of data loss or damage by trying any of the command/method mentioned in this blog. You may use the commands/method/scripts on your own responsibility. If you find something useful, a comment would be appreciated to let other viewers also know that the solution/method work(ed) for you.

Monday 20 June 2011

USER ADMINISTRATION

USER ADMINISTRATION


Few Restrictions on the User Name:

1. User names cannot start with a
• dash or minus sign(-)
• plus sign (+)
• At symbol (@)
• Tilde (~)
2. User names cannot include
• colon (:)
• single or double quotation marks( ' or ")
• hash symbol (#)
• comma (')
• equal sign
• Back or forward Slashes ( \ or /)
• Question mark (?)
• Back quote (`)
• White space (space or tab)

3. User names cannot be names ALL or default. Becoz those names are reserved for the AIX OS.

4. User names can have max. 8 characters in AIX V 5.2 or earlier. Starting with AIX 5.3, you can have a
max. of 255 characters. You can change this setting by using the below command,

# chdev -l sys0 -a max_logname=255

To view the setting, use any of the below commands

# lsdev -l sys0 -a max_logname
# getconf LOGIN_NAME_MAX


Configuration Files:
/etc/passwd :

Contains the basic user configuration details like user name, password flag, uid, gid, gecos (description), home directory, shell.

/etc/security/.profile :


It is the template for the user's .profile file. It has been copied to the user's home directory when we create the user.

/etc/security/limits :
It contains all the resource limits (ulimits) for the users.

Here are the various ulimit values ...

fsize, fsize_hard - Soft and hard limit for the size of a file a user can create
core, core_hard - Soft and hard limit for the Size of core file a user can create
cpu, cpu_hard - Soft and hard limit for the amount of system time allowed
data, data_hard - Soft and hard limit for the size of the process data segment
stack, stack_hard - Soft and hard limit for the size of the process stack segment
rss, rss_hard - Soft and hard limit for the physical memory allowed
nofiles, nofiles_hard - Soft and hard limit for the number of open file descriptors at one time
nproc, nproc_hard - Soft and hard limit for the number of running processes at one time
/etc/security/passwd :

This file contains the user's password information such as password, lastupdate and flags.

Here are the various flags user

ADMIN - It can be set so that only the root user can change the user's password.

ADMCHG - It can be set so that the user is prompted to change his or her password on the next login/su.

NOCHECK - It can be set so that any additional restrictions in /etc/security/user are ignored.


/etc/security/user : This file contains very very important settings for every user.

Here are the parameters configured in the file for each and every user :

account_locked - To lock the user account. This can takes values TRUE or FALSE

admin - To specify whether the user is admin or not. It can take calues TRUE or FALSE

expires - It is configured to set the expiration date for the user beyond which the user will be locked. It can take values in the format MMDDHHYY.

histexpire - To specify the # of weeks the user can't reuse a password. It can takes values between 0-260

histsize - To specify the # of passwords previously used that can't be reused. It can take values between 0-50

login - To specify whether a user can log in or not. It can take values TRUE or FALSE.

maxage - To specify the # of weeks a password is valid. It can take values between 0-52.
minage - To specify the # of weeks a user must wait before changing his or her password. It can take values between 0-52.

rlogin - To specify whether a user can be accessed remotely via telnet,ssh, ftp. It can take values TRUE or FALSE.

su - To specify whether other user can use su to access this account. It can take values TRUE or FALSE.

/usr/lib/security/mkuser.default : This file contains the default values that are set while creating an user.

/etc/security/login.cfg : This file contains the message that is displayed whenever you login to the system.
You can always change it using chsec command or by editing this file directly in vi editor.


Here are the few attributes of a user which you may be interested.


id - User Identification Number is a unique i dfor every user. root user's id is always 0.

pgrp - Primary Group of a user

groups - Secondary Groups of a user. An user can belong to maximum 128 groups in AIX 5.3 and 6.1.

home - Home directory to store the user's files

shell - Shell that runs when the user login

gecos - Description or some comments about the user


There are 6 main commands used in the administration of user :

mkuser - Add a user
chuser - Change an attribtue of a user
lsuser - List the attribtues of a user
rmuser - Remove a user
passwd - To set password for a user and for various other purposes

These words can also be used as fastpaths for smitty.
For example, # smitty mkuser will open a form to create a user.

For doing the whole user administration, you can use

# smitty user and go thru the menu items for various operations.

Now let us see the commands to administrate users ...

1. To create a user called 'jack' with default settings and allocate the next available uid :

# mkuser jack

2. To create a user with home dir as /opt/$username, primay group as 'dba' :

# mkuser home=/opt/jack pgrp=dba jack

3. To know about the user :

# finger jack

4. To change the primary group for a user :

# chuser pgrp=oracle jack

5. To list the attributes of a user in stanza structure :

# lsuser -f jack

6. To list the attributes of a user delimited by comma :

# lsuser -c jack

7. To list home and shell attributes for the users jack and tom :

# lsuser -a shell home jack,tom

8. To set the password for a newly created user :

# passwd jack

9. To clear the flag ADMCHK for jack :

# pwdadm -c jack

If you dont do this after setting a password for jack, he will be prompted to change his password on the first login.

10. To change the gecoz for a user :

# passwd -f jack

11. To change the shell for a user :

# passwd -s jack

12. To list the last password update date/time and the flags for a user :

# passwd -q jack

13. To set the ADMIN flag for a user :

# passwd -f ADMIN jack

ADMIN flag ensures that only the root user can change the password for Jack.

14. To remove the user :

# rmuser jack

Note: rmsuer doesn't remove the home directory for a user.
You have to remove it may be after the backup.

15. To remove the user along with his password information :

# rmuser -p jack
16. To list the currently logged in users :

# who

Note: This command will show the contents of /etc/utmp which is a binary file.

17. To list the login and logout information for the machine :

# last

Note: This command will show the contents of /var/adm/wtmp file, which is a binary file. Over a period of time, this file will occupy the /var file system a lot. Hence nullify the file once in a 6 months or depending upon the # of login/logout actions in the system.

To clear(nullify) the wtmp file, you can use any of the below commands

# cp /dev/null /var/adm/wtmp
# > /var/adm/wtmp

18. To change the default message(herald) that is shown after user login :

# chsec -f /etc/security/login.cfg -a default -herald

19. As a user, you have to protect (lock) your terminal whenever you go for a coffee break.

# lock -> To lock your telnet or ssh terminal

If you use XWindowsm you can use the below command

# xlock

20. Sometimes you may want to login as root to execute some admin commands. For this you dont have to logout from current user and login as root.You can use su command to swtich user and execute the commands and say 'exit' to come out of the su window.

To su to root, you can use any of the below commands

# su - root
# su -

To su to other user called tom,
# su - tom
These su operations are logged into /var/adm/sulog file. You have to nullify this file on certain period of time to make some space in /var file system.

21. How to disable direct root login via telnet and ssh ?

To disable direct root login thru telnet or ssh, you have to set 'rlogin' attribtue for root user to false.
You can use the below command to do so.

# chuser rlogin=false root

22. How to enforce automatic logoff after certain timeout period ?

To enforce automatic logoff after timeout period of 10 minutes, enter the following line in /etc/security/.profile after the AIX installation.

TMOUT=600 ; TIMEOUT=600 ; export readonly TMOUT TIMEOUT

/usr/bin/mkuser Contains the mkuser command.
/usr/lib/security/mkuser.default
Contains the default values for new users.
/etc/passwd
Contains the basic attributes of users.
/etc/security/user
Contains the extended attributes of users.
/etc/security/user.roles
Contains the administrative role attributes of users.
/etc/security/passwd
Contains password information.
/etc/security/limits
Defines resource quotas and limits for each user.
/etc/security/environ
Contains the environment attributes of users.
/etc/group
Contains the basic attributes of groups.
/etc/security/group
Contains the extended attributes of groups.
/etc/security/.ids Contains standard and administrative user IDs and group IDs.
/usr/bin/passwd Contains the passwd command.
/etc/passwd Contains user IDs, user names, home directories, login shell, and finger information.
/etc/security/passwd Contains encrypted passwords and security information.
/usr/bin/chuser Contains the chuser command.
/etc/passwd
Contains the basic attributes of users.
/etc/group
Contains the basic attributes of groups.
/etc/security/group
Contains the extended attributes of groups.
/etc/security/user
Contains the extended attributes of users.
/etc/security/user.roles
Contains the administrative role attributes of users.
/etc/security/lastlog
Contains the last login attributes of users.
/etc/security/limits
Defines resource quotas and limits for each user.
/etc/security/audit/config
Contains audit configuration information.
/etc/security/environ
Contains the environment attributes of users.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)