See this page as a slide show
CT320 Accounts
Accounts and Namespaces
Thanks to:
- Dr. James Walden, NKU,
- Russ Wakefield, CSU,
- and Dr. Indrajit Ray, CSU,
for the contents of these slides.
Topics
- UNIX User Accounts
- Passwords
- User Management
- Namespaces
UNIX Accounts
- Account Components
- Username
- UID
- Password
- Home directory
- Account Files
/etc/passwd
/etc/shadow
/etc/group
- Account Management
- Adding users
- Removing and disabling users
- Account/password policies
/etc/passwd, /etc/shadow
Central file(s) describing UNIX user accounts.
/etc/passwd | /etc/shadow |
|---|
| Username | Username |
x | Encrypted password |
| UID | Date of last pw change |
| Default GID | Days until change allowed |
| GCOS | Days until change required |
| Home directory | Expiration warning time |
| Login shell | Expiration date |
/etc/passwd entries
$ getent passwd root
root:x:0:0:root:/root:/bin/bash
$ getent passwd cs160
cs160:$6$nEUJCmhPFNLGLV9A$aWOD7Ha.d14/9Wj9K0zErIpwcQvg8mnidNTD6bBG/RWZLJ4yWaksyTKXn9cXP5omDmGtssYrvMzxoq4ISR91K.:1057:1549:CS160 Instructor:/s/bach/a/class/cs160:/sbin/nologin
$ getent passwd cs160 | tr : '\n'
cs160
$6$nEUJCmhPFNLGLV9A$aWOD7Ha.d14/9Wj9K0zErIpwcQvg8mnidNTD6bBG/RWZLJ4yWaksyTKXn9cXP5omDmGtssYrvMzxoq4ISR91K.
1057
1549
CS160 Instructor
/s/bach/a/class/cs160
/sbin/nologin
Username
- Syntax
- Each username must be unique.
- 8 or fewer chars (32 on some systems)
- Any character except : or newline, theoretically.
- Issues
- Naming standards
applin, j_applin, or neutron?
- How to ensure that usernames are unique?
- System uses UIDs internally
UIDs
- UIDs are 32-bit non-negative integers.
- Standards
- The super-user,
root, is UID 0.
- System accounts have low UIDs (≤1000)
- Uniqueness
- Multiple usernames can have same UID!
- Re-using UIDs may give away files to new user.
- There are billions of 32-bit integers.
- Distributed systems may require unique UIDs across
organizational boundaries.
Password
- Syntax
- Length: 8 chars (crypt), unlimited (MD5, SHA)
- Chars: anything except newline, though certain control
chars (e.g., backspace) may be interpreted by the system.
Spaces are useful for passphrases.
- Stored in “encrypted” (really, hashed) format
Password Field
| Contents | Description | Sanity |
|---|
| x | password is in /etc/shadow | sane |
| * | login forbidden | sane |
| nothing | no password needed | nuts |
| 13-char string | original DES hashing algorithm | nuts |
| $1$salt$hash | MD5 | nuts |
| $2a$salt$hash | Blowfish | nuts |
| $2y$salt$hash | Blowfish with 8-bit support | nuts |
| $3$salt$hash | NT LAN Manager hash algorithm | nuts |
| $4$salt$hash | SHA-1 | nuts |
| $5$salt$hash | SHA-256 | nuts |
| $6$salt$hash | SHA-512 | sane |
Hashing
Good hash algorithms, such as SHA-512, are considered non-reversible,
and return radically different results for small input changes:
| Word
| SHA-512 hash
|
|---|
| escape
|
d412b342e7c8eab0034d26408568938965f8b6bff475381aa7c1e6afce026f29
3e35bdbf40e0c7567a8e006611debe94b3c849bd900e62123b12a40fcb3e620e
|
| escaped
|
bf42edb1581ed28a5b48b4678ab014252b03e729d31b3c5ac1acec1c5727d22a
0265ffee61c02fb7ea7c49fc75d1b97e885973e416ffb8b1de7944927b53d9bd
|
| escapee
|
d056ce4dce966ce111f5304b0bb98568e0a446fd2308119030f8f4d649d632b6
e644322729507b540fc3ad4a7ba80fc6f26e4b81115fd35f4927b2ca5b15a850
|
| escaper
|
341706ac2911fbdfbe0ed9c09a36f2b70f9d9d9585af499568f59124fa4efa96
7460ea99edb81ed0d72373b977f321512c44440c7ea750f02bc04047627c5642
|
| escapes
|
020b71a59aa43d82ec0cd10c49b1a833fd41f088f7845a03ed36d5af29d6d78e
6393d154ca1e892ff560d6fae2b4eb36e7c04853b4dd97297ef6e62f9b0a8521
|
Common passwords
According to Wikipedia,
the most common passwords of 2016 are:
| 123456 | qwerty | login | 121212 | master |
| password | 1234567890 | welcome | flower | hottie |
| 12345 | 1234567 | solo | passw0rd | loveme |
| 12345678 | princess | abc123 | dragon | zaq1zaq1 |
| football | 1234 | admin | sunshine | password1 |
Rainbow Tables
- A simple attack is to use a list of common passwords and try
them for every user. Or, just try every word in the dictionary.
- Unfortunately, this means that you have to hash every word
in the dictionary. Hashing is slow!
- Speed it up by computing, once, hashes for all dictionary words.
We call the precomputed hashes a Rainbow table.
Partial MD5 rainbow table:
e0ebc3c409070d07f1df0f2f4132509e escape
bafbb2fabbff5876f8bf7834f802936b escaped
712f32fc42f27433a6db7cba03a980b3 escapee
1ba8fbf22b249654d5cde753bae85def escaper
f801cba4d35a3da1501ab3162cbb4dee escapes
Salt
- Salt is the cure for this.
- Each line in the password file has some random salt bits.
$1$BTZEc3ZC$OgrtMuWtLyZ.9AbsXGTey0
- 48-bit salt, as used with MD5 & SHA, means 248
(~281 trillion) different hashes for each password.
- Makes pre-computed hash dictionaries impractical.
mkpasswd
mkpasswd can be handy for generating an initial password:
$ mkpasswd
j0Sb?q6Xu
$ mkpasswd
Hei3(uyL2
$ mkpasswd -l 20
bsAtblikuvb~tOs67znx
$ mkpasswd -c 2 -C 2 -s 2 -d 2
HZ42e&+xc
$ mkpasswd -c 10 -C 10 -s 10 -d 10 -l 60
C*jhSb$Vn1Pz7fih4]zPhZQyrep4fV_bbBoc3l"r8@kmh.Ux,dt2v8_w14h>
$ mkpasswd -c 0 -C 0 -d 0 -s 50 -l 50
{^&[;?>:$($]?<=[]~&=$~:$(-<[}!?%=|+_[*~}@|+*<.>.#/
Or, should you let the user choose one?
Password Aging
/etc/login.defs determines password longevity:
$ grep PASS /etc/login.defs
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
- Is this good, from a security point of view?
- What value is
PASS_MIN_DAYS?
- Pre-expire the password, to force the user to change it:
passwd -e smith
Feedback
$ ssh xyzzy@denver.cs.colostate.edu
xyzzy@denver.cs.colostate.edu's password:
Permission denied, please try again.
xyzzy@denver.cs.colostate.edu's password:
Permission denied, please try again.
xyzzy@denver.cs.colostate.edu's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
- Which was wrong, the account
xyzzy or the password?
- Why didn’t it tell me which one?
GID
- GIDs are 32-bit non-negative integers.
- Each user has a default GID.
- File group ownership set to default GID
- Temporarily change default GID:
newgrp
- Groups are described in
/etc/group
- Users may belong to multiple groups.
- Format: group name, pw, GID, user list
wheel:x:10:root,waldenj,bergs
GECOS
- Original use
- Data for General Electric Comprehensive Operating System
- Current use
- User information
- Full name, location, phone number, e-mail
Home Directory
- Users CWD at login time
- Typically where user stores all files
Login Shell
- Process started when user logs in
- Typically a shell like bash, tcsh, ksh, or zsh
- System users may be different.
- Disabled accounts have a special “go-away” shell.
$ ssh acushla perl -E \''say $e[8] while @e=getpwent'\' | sort | uniq -c
Host key verification failed.
Changing your Shell
$ cat /etc/shells
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/usr/bin/tmux
/bin/tmux
/usr/bin/zsh
/bin/zsh
/bin/ksh
/bin/rksh
/usr/bin/ksh
/usr/bin/rksh
/bin/csh
/bin/tcsh
/usr/bin/csh
/usr/bin/tcsh
/bin/false
/bin/true
/sbin/nologin
/usr/local/etc/no_access
- The chsh program change your login shell.
- It may restrict your shell to one from
/etc/shells.
- Alas,
chsh fails here, so you have to send email to the sys
admin people. How quaint!
Adding a User
- Create account with useradd.
- Lock account until user arrives.
- User signs account agreement.
- Set password with the passwd command.
- Yes, both
/etc/passwd and /bin/passwd exist.
Adding a User
- Edit
/etc/{passwd,shadow} with vipw.
- Set password with the passwd command.
- Edit
/etc/group to add groups.
- Create user home directory.
mkdir /home/studenta
chown studenta.student /home/studenta
chmod u=rwx,go=rx /home/studenta
- Copy default files from
/etc/skel:
.bashrc, .Xdefaults, .xsession, etc.
- Set e-mail aliases, disk quotas, etc.
- Verify that the account works.
Disabling an Account
- Edit account configuration:
- Place
* in front of encrypted password.
- Replace shell with nologin program.
- Kill active logins and processes.
Removing a User
- Disable account.
- Change shared passwords (root, etc.)
- Why are you using @#!?☠$★ shared passwords‽
- Kill active logins and processes.
- Remove:
- from local databases/files
- from e-mail aliases
- mail spool (backup first)
- crontabs and pending jobs
- temporary files
- home directory (backup first)
- from passwd, shadow, and group
- Or use userdel.
Namespaces
Systems include many namespaces:
- User account names
- Filesystem pathnames
- Hostnames
- Printer names
- Service names
Types of Namespaces
- Flat
- No duplicates may exist.
- Example: usernames in
/etc/passwd
- Hierarchical
- Tree-structured namespace like DNS.
- Duplicates can exist.
- Ex:
www.cs.colostate.edu and www.cs.uidaho.edu
Namespace Problems
- How to select names?
- How to avoid name collisions?
- How to ensure consistency?
- How to distribute names?
Name Selection
- Functional Names
- mail hostname,
~ct320, student account
- Formula-based Names
- cvg0141 hostname, student0148 account
- Themed Names
- constellations (orion, ursa, etc.)
- Use something big. Seven dwarves doesn’t allow for much expansion.
- Steal from another standard (e.g., .us, .fr, .de)
- No Standard
Name Lifetime
- When are names removed?
- Immediately after user leaves organization
- Some fixed time after resource is no longer in use
- When are names re-used?
- Immediately: functional names (postmaster, president)
- Never
- After a while (dangerous)
Namespace Scope
- Geographical scopes
- Local machine (e.g.,
/etc/passwd)
- Local network
- Organization
- Global (e.g., DNS)
- Service scopes
- Single username for UNIX, NT, e-mail
- Transferring scopes
- Difficult without advance planning.
- Some names may have to change.
Key Points
- UNIX accounts use
/etc/passwd
- Password security: shadow, hashing, salts
- User management: add, disable, remove
- Namespaces: flat and hierarchical
- Name selection policies
- Names are valid in specific scopes
