System Account Management

Creating a system account
# CentOS/RedHat
groupadd -r asterisk
useradd -r -g asterisk -d /var/lib/asterisk -M asterisk

# Ubuntu/Debian
addgroup --system asterisk
adduser --system --ingroup asterisk --home /var/lib/asterisk --no-create-home --shell /bin/bash asterisk
Forcing a password change

Force users to change their login password after their first login.

# Lock the account first
usermod -L <username>

# Force a password change on first login
chage -d 0 <username>

# Unlock the account
usermod -U <username>

# Check the account's expiry settings
chage -l <user-name>
Account expiry
# Check the account's expiry settings
chage -l <user-name>

# Set an expiry
chage -M 10 <user-name>                 # the password expires after 10 days
chage -E "2017-02-20" <user-name>       # the account is locked from 2017-02-20 onward
chage -I 10 <user-name>                 # if a password expiry is set, lock the account automatically 10 days after the password expires

# Remove the expiry
chage -E -1 <user-name>                 # the value -1 clears the expiry setting
Locking and unlocking an account
# Lock the account
usermod -L <user-name>

# Unlock the account
usermod -U <user-name>

# Check whether the account is locked
grep <user-name> /etc/shadow

dbtest:!$6$hFCW6eI1$kI9J9QrxCjnpvzFPJnxSpNvQ...  # a ! in the password field means the account is locked
Changing an existing account's settings
# change the comment
usermod -c "John" john

# change the shell
usermod -s "/sbin/nologin" alang

# change the home directory
usermod -d /home/new-name new-name

# change the username (NOT uid)
usermod -l new-name old-name
Preventing an account from logging in remotely

Prevent an account from logging in remotely, while other permitted accounts can still log in remotely and then run su to switch to that account.

Scenario: devrpt must not be able to log in remotely, but other accounts may su to devrpt after they have logged in.

Method 1: edit sshd_config

# Added by Alang
# prevent certain users from using ssh for login
# while retaining the option to 'su username'
#
DenyUsers istdc

Method 2: the quickest and easiest to set up, but not suitable for accounts that need a password

# Delete devrpt's password
passwd -d devrpt

Method 3: the more rigorous approach

Taking CentOS as an example:
1. Edit /etc/security/access.conf and add these lines

# The line 'cron crond' is required
+:devrpt:cron crond tty1 tty2 tty3 tty4 tty5 tty6
-:devrpt:ALL

TIP:

Each entry has the format permission : username : origins
- permission: + to allow, or - to deny
- username: the account name
- origins: where the login comes from; this can be a tty name, a host/domain name, or an IP address.
Note: in this example the line containing cron crond is required; otherwise the account's crontab jobs will stop working.

2. Each login service has its own PAM configuration file that needs to be edited

  • telnet : /etc/pam.d/remote
    • takes effect immediately after editing
  • SSH : /etc/pam.d/sshd
    • sshd must be reloaded after editing
  • local login : /etc/pam.d/login

Add the following to one or more of those files as needed

# Limited users for remote login via telnet
# Check the file /etc/security/access.conf
account    required     pam_access.so
Locking an account without removing it
# Lock
passwd -l john
chage -E 0 john

# Unlock
passwd -u john
chage -E -1 john

Note: although passwd can lock an account, the account can still log in with an SSH key.
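The difference the note above describes can be read straight from an account's /etc/shadow entry: a leading ! in the password field is what passwd -l or usermod -L sets, while the expiry field is what chage -E 0 sets. The script below is an added example, not part of the original notes; it classifies constructed shadow lines (not taken from a real system) and reports whether an account is password-locked only, expired, or both.

```shell
#!/bin/sh
# Shadow fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
# "expire" is days since 1970-01-01, so chage -E 0 stores 0 and chage -E -1 stores "".
shadow_status() {
    # $1 = one /etc/shadow line, $2 = today as days since the epoch
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        pw = $2; expire = $8
        pwlocked = (substr(pw, 1, 1) == "!")                    # passwd -l / usermod -L
        expired  = (expire != "" && expire + 0 <= today + 0)    # chage -E <date in the past>
        if (pwlocked && expired)  print "fully-locked"      # no password and no SSH-key login
        else if (pwlocked)        print "pw-locked-only"    # SSH-key login still possible
        else if (expired)         print "expired-only"
        else if (pw == "")        print "no-password"       # passwd -d
        else                      print "active"
    }'
}

# Today's value in the unit chage uses (GNU or BSD date); pass "$(today_days)" in real use.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Constructed sample entries; 18628 days after the epoch is 2021-01-01.
SAMPLE_LOCKED_ONLY='dbtest:!$6$hFCW6eI1$kI9J9QrxCjnpvzFPJnxSpNvQ:18628:0:99999:7:::'
SAMPLE_FULLY_LOCKED='john:!$6$abc$def:18628:0:99999:7::0:'
SAMPLE_ACTIVE='evans:$6$abc$def:18628:0:99999:7:::'
SAMPLE_EXPIRED='olduser:$6$abc$def:18628:0:99999:7::18000:'
SAMPLE_NO_PASSWORD='devrpt::18628:0:99999:7:::'

for line in "$SAMPLE_LOCKED_ONLY" "$SAMPLE_FULLY_LOCKED" "$SAMPLE_ACTIVE" \
            "$SAMPLE_EXPIRED" "$SAMPLE_NO_PASSWORD"; do
    printf '%-10s %s\n' "${line%%:*}" "$(shadow_status "$line" 18628)"
done
```

On a live host the same function can be fed with `getent shadow <user-name>` as root, which is the scripted equivalent of the grep check shown earlier on this page.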

Recreating a home directory
mkhomedir_helper <username>
Group management
# Add user i00371 into the group sysadmin
usermod -a -G sysadmin i00371
passwd
# displays the status of user account password settings
passwd -S evans
evans PS 2020-09-07 0 99999 7 -1 (Password set, SHA512 crypt.)

# lock the password of a specified account
passwd -l user1

# unlock the password
passwd -u user2

# delete a password for an account
passwd -d user1

# expire a password for an account
passwd -e user2

# This sets the number of days before a password can be changed. 
# By default, a value of zero is set, which indicates that the user may change 
# their password at any time.
# This means user2 cannot change its own password until 10 days have passed.
passwd -n 10 user2

# To confirm the password setting made with the -n option above, run the following command:
# The value of 10 after the date indicates the minimum number of days 
# until the password can be changed.
passwd -S user1
user1 PS 2020-12-04 10 99999 7 -1 (Password set, SHA512 crypt.)

# This means after 90 days, the password is required to be changed.
passwd -x 90 user2

# This means the user will receive warnings that the password will expire 7 days 
# before the expiration.
passwd -w 7 user2

# This means after a user account has had an expired password for 5 days, 
# the user may no longer sign on to the account.
passwd -i 5 user2

# This command will read from the echo command and pass it to the passwd command. 
# So this will set the user1 password to userpasswd1.
echo "userpasswd1"|passwd --stdin user1

Revision #3
Created Sat, Jan 2, 2021 3:10 AM by Admin
Updated Sat, Jan 2, 2021 3:42 AM by Admin