Lab 4: Oracle Linux 6 User and Group Administration
8/9/2019 Lab4 Oracle Linux 6 User Group Administration
Oracle Linux 6 Boot Camp
Oracle Linux 6 Lab Exercise
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied
upon in making purchasing decisions.
The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Oracle Training Materials Usage Agreement
Use of this Site ("Site") or Materials constitutes agreement with the following terms and conditions:
1. Oracle Corporation ("Oracle") is pleased to allow its business partner ("Partner") to download and copy the information, documents, and the online training courses (collectively, "Materials") found on this Site. The use of the Materials is restricted to the non-commercial, internal training of the Partner's employees only. The Materials may not be used for training, promotion, or sales to customers or other partners or third parties.
2. All the Materials are trademarks of Oracle and are proprietary information of Oracle. Partner or other third party at no time has any right to resell, redistribute or create derivative works from the Materials.
3. Oracle disclaims any warranties or representations as to the accuracy or completeness of any Materials. Materials are provided "as is" without warranty of any kind, either express or implied, including without limitation warranties of merchantability, fitness for a particular purpose, and non-infringement.
4. Under no circumstances shall Oracle or the Oracle Authorized Delivery Partner be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this Site or Materials. As a condition of use of the Materials, Partner agrees to indemnify Oracle from and against any and all actions, claims, losses, damages, liabilities and expenses (including reasonable attorneys' fees) arising out of Partner's use of the Materials.
5. Reference materials including but not limited to those identified in the Boot Camp manifest cannot be redistributed in any format without Oracle written consent.
OL 6 Users & Groups Admin Lab 4
For Oracle employees and authorized partners only. Do
not distribute to third parties. 2013 Oracle Corporation
OL 6 - Lab 04
Oracle Linux Users and Groups Administration
V1.0 January 2013
1 Introduction
Participants will gain an example-led understanding of Linux user and group administration tasks.
With a few basic exercises we will introduce the learner to some ways to create and administer Linux users and groups in Oracle Linux 6. We will also introduce you to the LDAP and NIS authentication options and discuss Pluggable Authentication Modules (PAM). Upon completion of this lab, participants will have learned how to do user and group administration on Oracle Linux 6.
2 Overview
In this lab we'll be practicing user and group administration on Oracle Linux 6. We'll briefly review some of the advanced concepts like LDAP and NIS authentication and PAM configuration.
Some of the commands and concepts we'll review are listed below.
- Creating users and groups using the User Manager GUI tool
- Users and groups administration using command-line utilities
- Configure password aging
- Describe LDAP and NIS authentication options (no lab)
- Introduction to Pluggable Authentication Modules (PAM) (no lab)
This practice can be accomplished with a single VirtualBox Oracle Linux 6.3 instance. You must have a working instance of Oracle Linux 6.3 running in your VirtualBox environment to perform this lab.
3 Pre-requisites
This lab requires the use of the following elements:
- A current 64-bit laptop with at least 2GB RAM and 20GB free disk space
- Operating system: a 64-bit version of Microsoft Windows, Mac OS X, Linux or Solaris. Alternatively, a 32-bit host OS installed on a 64-bit CPU with VT-x/AMD-V enabled in the BIOS.
- Oracle VirtualBox software 4.2.6 or later (4.2 with Extension Pack installed)
- Oracle Linux 6.3 instance running inside VirtualBox:
  o VM image provided by the instructor or downloaded on your own
  o Installed in Lab 1 of the Oracle Linux 6 Boot Camp
The following assumptions have been made regarding the environment where this lab is being performed:
1. Network connectivity to the Internet is available.
2. Your Oracle Linux 6.3 VirtualBox instance has been installed and you've assigned a normal user/password and a root user password.
   a. The recommended user name is student1
   b. The recommended password is oracle
   c. The recommended root password is oracle
4 VirtualBox lab setup
If you already have an instance of Oracle Linux 6.3 installed in VirtualBox or have already imported the Oracle Linux 6.3 image, you can skip this section and proceed to the Labs in Section 5. If you need to import the Oracle Linux 6.3 appliance (image in the ova file provided for this training) then complete the steps in this section before you start with the Labs.
1 - In the VirtualBox main window choose File > Import Appliance.
2 - From the Appliance Import Wizard click the Open appliance... button and navigate to the Oracle_Linux_6_Bootcamp.ova file, which is the pre-built Oracle Linux 6.3 VM image you downloaded or obtained from the instructor.
3 - Navigate to the folder where you downloaded or copied the Oracle Linux 6.3 prebuilt image and click Open. The file is named Oracle_Linux_6_Bootcamp.ova.
4 - Choose Next on the Appliance to import screen.
5 - Confirm the default settings and choose Import to begin importing the virtual image. If you see a License Agreement window, read and accept the license.
6 - The progress bar will show the import progress. It usually looks slow in the beginning, but this shouldn't take more than a few minutes.
7 - Your new image has been imported and is ready for use. Select the Oracle Linux 6 Bootcamp image.
8 - After your image has finished importing, select it in the VirtualBox application, choose Settings and review the settings. Once you have reviewed the settings, you can select the image and click the Start button to boot Oracle Linux 6. After booting, log in as the root user and activate your network connection to start using the image.
The following video demonstrates how to import an appliance:
Importing Oracle Linux VM Appliance Video
http://www.youtube.com/watch?v=nrH6ZBYfSc0&feature=player_embedded
5 Lab Exercises
5.1 Creating Users and Groups using User Manager GUI Tool
In this lab, we will learn how to create users and groups in Oracle Linux 6 using the User Manager tool. The User Manager GUI tool is a simple application that allows you to view, modify, add, and delete local users and groups.
To start the User Manager tool from the command line, use the system-config-users command:
[root@examplehost /]# system-config-users
Alternatively, you can start this application by selecting the System->Administration->Users and Groups option from the Desktop menu panel. The screenshot below shows how to start the User Manager tool using the Desktop panel.
Note that if you run the application as a regular Linux user, the application will prompt you to authenticate as the root user.
Once the User Manager tool has launched, you should see the following GUI window. You should see the student1 user listed under the Users tab. This is the user that was created during installation of Oracle Linux 6, along with the root user.
By default, the users and groups listed in the User Manager application do not include the system users and groups. If you want to see the system users and groups, click Edit->Preferences and then uncheck the Hide system users and groups option.
Create a new user by clicking the Add User button in the User Manager tool. In the Add New User window, create a user with the username student2 as shown in the screenshot below. Notice that you can define the login shell for the user in this window. We will use the default bash shell for the student2 user from the choice list.
In the lower section of the Add New User window, you can decide whether you want to create a home directory for the user and also the location of the home directory. Oracle Linux 6 uses a User Private Group (UPG) scheme by default. A User Private Group is created whenever a new user is added to the system. It has the same name as the user for which it was created, and that user is the only member of the user private group. Because the private group contains nobody else, a default umask that grants group write (002) is safe: a newly created file or directory is writable by the user and by a group that is only that user, so no other account gains access through the group bits. Group-wide collaboration is then granted deliberately, for example by making a shared directory setgid to a project group, rather than implicitly through every user's primary group. This helps to make Linux groups easier to use and manage.
Notice that you can also specify the Group ID (GID) and User ID (UID) manually by entering a value. By default Oracle Linux and RHEL reserve UIDs and GIDs below 500 for system users and groups. We will assign /home/student2 as the home directory for the student2 user and let the system pick the UID and GID values. Click the OK button to create the user.
Once the user student2 has been created, you should see it listed under the Users tab of the application window. Select the student2 user and click the Properties button.
Notice that under Account Info, you can enable account expiration and also lock the
password. Do not make any changes, just review the tabs and get familiarized.
Under Password Info, you can enable password expiration and then set the parameters/criteria for password expiration.
And under the Groups tab, you will notice that by default student2 is a member of the student2 group. This is as per the UPG scheme. Click Cancel to close this window.
Now that we have created student2, let us understand the file changes that occur when you create a user on Linux. When you created the user student2, an entry for that user was created in the /etc/passwd, /etc/shadow and /etc/group files on the system.
Examine the entry for the user student2 in the /etc/passwd file and the /etc/group file. You can use the cat /etc/passwd | grep -i student2 command or the grep -i student2 /etc/passwd command to examine the entry.
[root@examplehost /]# cat /etc/passwd | grep -i student2
student2:x:502:502:student2 user2:/home/student2:/bin/bash
[root@examplehost /]#
[root@examplehost /]# cat /etc/group | grep -i student2
student2:x:502:
[root@examplehost /]#
Here's how you can read the line entry for the student2 user in the /etc/passwd file. Each field is separated by a : delimiter.
Username: student2
Password: x, meaning the hash is held in /etc/shadow rather than here
UID: 502
GID: 502 (the primary group)
GECOS information (name etc): student2 user2
Home directory: /home/student2
Default shell: /bin/bash
Here's how you can read the line entry for the student2 group in the /etc/group file. Each field is separated by a : delimiter.
Group name: student2
Password: x, meaning any group password is held in /etc/gshadow
GID: 502
Member list: empty. This field lists only supplementary members; student2 belongs to the group through the GID in its /etc/passwd entry, which is why a private group normally shows nobody here.
The /etc/shadow file is used for user shadow passwords. The user passwords are hashed and stored in the /etc/shadow file, which is readable only by root, unlike the world-readable /etc/passwd. Each entry also carries the password-aging fields for that account; their initial values come from the policy in /etc/login.defs at the time the account is created.
[root@examplehost /]# cat /etc/shadow | grep student2
student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:0:99999:7:::
[root@examplehost /]#
Reading the shadow entry field by field: the hash begins with $6$, which marks SHA-512 crypt, followed by the salt and the hash; 15756 is the day of the last password change, counted in days since 1 January 1970; 0 is the minimum and 99999 the maximum number of days between changes (99999 effectively means the password never expires); 7 is the warning period in days before expiry; the remaining inactive, expire and reserved fields are empty.
Log out of the Desktop GUI and log back in as student2 user to confirm that the
user that we created can login properly.
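The following is an added example (it is not part of the lab) that turns the /etc/shadow fields described above into a small audit: shadow_status splits one shadow line, reports whether the account has an empty, locked or active password, which crypt(3) algorithm the hash uses, and how many days remain before the maximum-age field forces a change. The sample entries and their hashes are constructed placeholders, not real hashes; pipe the real file through shadow_audit as root to check a host. The "!!" (never set) and "!" (locked) conventions are the ones the Oracle Linux 6 tools use.

```sh
#!/bin/sh
# Added example: decode /etc/shadow entries and flag risky password state.
# The entries audited below are constructed; the hashes are placeholders, not
# real crypt(3) output.

# shadow_status 'SHADOW-LINE' [today-in-days]
# Prints: user password-state hash-algorithm aging
# today-in-days is days since 1970-01-01, the unit field 3 uses; defaults to now.
shadow_status() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    IFS=: read -r user hash lastchg min max warn inactive expire _ <<EOF
$1
EOF
    # Field 2: empty = no password needed at all; a leading '!' or '*' means the
    # account cannot authenticate with a password ('!!' = never set,
    # '!<hash>' = locked with passwd -l or usermod -L, '*' = system account).
    case $hash in
        '')        state=EMPTY ;;
        '!'*|'*'*) state=LOCKED ;;
        *)         state=ACTIVE ;;
    esac
    # Strip lock markers so the algorithm of a locked-but-present hash is still reported.
    h=$hash
    while [ "${h#"!"}" != "$h" ]; do h=${h#"!"}; done
    case $h in
        '$6$'*) algo=sha512 ;;
        '$5$'*) algo=sha256 ;;
        '$1$'*) algo=md5-weak ;;
        '$2'*)  algo=bcrypt ;;
        ''|'*') algo=none ;;
        *)      algo=unknown ;;   # 13-character DES or a format not listed here
    esac
    # Fields 3-5: last change, min and max age in days. 99999 (or empty) = never expires.
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        aging=never-expires
    else
        left=$(( ${lastchg:-0} + max - today ))
        if [ "$left" -lt 0 ]; then aging=EXPIRED; else aging="expires-in-${left}d"; fi
    fi
    printf '%s %s %s %s\n' "$user" "$state" "$algo" "$aging"
}

# shadow_audit [today-in-days] < shadow-file: one status line per entry.
shadow_audit() {
    while IFS= read -r line; do
        if [ -n "$line" ]; then shadow_status "$line" "$1"; fi
    done
}

# Constructed sample entries (placeholder hashes), dated 15756 like the lab VM's.
SAMPLE_SHADOW='alice:$6$saltsalt$placeholderhashnotreal:15756:0:90:7:::
bob:$1$abcdefgh$placeholderhashnotreal:15756:0:99999:7:::
svc:!!:15756:0:99999:7:::
guest::15756:0:99999:7:::
carol:!$6$saltsalt$placeholderhashnotreal:15756:0:90:7:::
bin:*:15628:0:99999:7:::'

# Evaluate the sample as if today were day 15800 (44 days after the last change).
printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit 15800
```

On a live host run `shadow_audit < /etc/shadow` as root; any EMPTY line is a login without a password, and md5-weak or unknown hashes show that ENCRYPT_METHOD in /etc/login.defs was not SHA512 when those passwords were last set.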
After logging in as the student2 user, open a terminal window and see that a home directory /home/student2 was created for this user. It already has a predefined directory structure that you can check using the ls command.
[student2@examplehost ~]$ pwd
/home/student2
[student2@examplehost ~]$ ls -l
total 32
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Desktop
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Documents
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Downloads
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Music
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Pictures
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Public
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Templates
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Videos
[student2@examplehost ~]$
You may verify the directory is usable by the student2 user by creating a file using the touch command in this directory.
[student2@examplehost ~]$ pwd
/home/student2
[student2@examplehost ~]$ touch student2file2
[student2@examplehost ~]$ ls -l student2file2
-rw-rw-r--. 1 student2 student2 0 Feb 20 14:17 student2file2
[student2@examplehost ~]$
Note the mode -rw-rw-r--: the file is group-writable because /etc/bashrc sets a umask of 002 for non-system users whose primary group name matches their user name, which is exactly the UPG case. That is harmless only while the owning group student2 contains nobody but student2.
The id command is a good tool to print the user and group information for the specified user. Read the man page of the id command, then run the id command with the options shown below. The id command output below tells you that the student2 user has a UID of 502 and a GID of 502. The student2 user belongs to only one group, and that is the student2 group. Using the -g flag, you can print only the effective group ID of the user, and using the -gn options will give you the name of the effective group that the user belongs to. The -G option prints all group IDs of a user. The context= part of the output is the SELinux security context of the session, shown because SELinux is enabled on the lab image.
[student2@examplehost ~]$ id
uid=502(student2) gid=502(student2) groups=502(student2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student2@examplehost ~]$
[student2@examplehost ~]$ id -g
502
[student2@examplehost ~]$
[student2@examplehost ~]$ id -gn
student2
[student2@examplehost ~]$
[student2@examplehost ~]$ id -G
502
[student2@examplehost ~]$
Log out from the system as the student2 user and log back in as the root user. We will now look at the User Manager tool for group administration. As the root user, start the User Manager tool and click on the Groups tab. Notice the groups that are there on this system. Select the student2 group and then click the Properties button.
In the Group Properties window, click the Group Users tab and verify that this group has student2 as a member. Remember this student2 user was added to this group because of the UPG scheme. Click the Cancel button to close this window.
We will now create a new group. Click the Add Group button to create a new group. In the Add New Group window, create a new students group as shown below. Specify the GID to be 550 and click the OK button.
You should now see the students group. Select the students group and click the Properties button.
In the Group Properties window, select the student2 user to add this user to the group and then click the OK button.
If you now view the properties of the student2 user under the Users tab, you will notice that the student2 user is now a member of 2 groups (student2, students). Select the student2 user and then click the Properties button.
Under the Groups tab of the User Properties window, you will now see that student2 is a member of two groups. Click the Cancel button to close the window.
You can also run the id command again as the student2 user and see the results. See the examples below. You can see that the -G option of the id command lists the 2 groups that the user student2 belongs to. Note that supplementary group membership is set when a session starts: a student2 session that was already open before the group was added does not gain the new group until student2 logs in again or a fresh session is started with su -, as below.
[root@examplehost Desktop]# su - student2
[student2@examplehost ~]$
[student2@examplehost ~]$ whoami
student2
[student2@examplehost ~]$
[student2@examplehost ~]$ id
uid=502(student2) gid=502(student2) groups=502(student2),550(students) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student2@examplehost ~]$
[student2@examplehost ~]$ id -G
502 550
[student2@examplehost ~]$ id -Gn
student2 students
[student2@examplehost ~]$
This concludes the simple lab of creating users and groups using the User Manager
GUI Tool.
5.2 Users and Groups Administration using Command-Line Utilities
In this lab exercise, we will learn how to create/modify/delete users and groups using command-line utilities. We will also look at some of the files associated with user/group administration.
Before we learn how to create/modify/delete users and groups we will look at some of the important files related to user/group administration. We will start by looking at the /etc/default/useradd file on our Oracle Linux 6 systems.
[root@examplehost ~]# cd /etc/default
[root@examplehost default]#
[root@examplehost default]# pwd
/etc/default
[root@examplehost default]# ls -l useradd
-rw-------. 1 root root 119 Oct 12  2011 useradd
[root@examplehost default]#
Examine the /etc/default/useradd file on your system using the cat command.
[root@examplehost /]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[root@examplehost /]#
Or you can run the useradd -D command to see the default values. We will look at the useradd command in more detail later in this lab.
This /etc/default/useradd file is used to specify default settings when creating a user account. As you can see, by default the user home directories are created under the /home directory, the default user shell is /bin/bash and a mail spool directory will be created for every user that is created. GROUP=100 is the fallback primary group (users); with the UPG scheme enabled it is only used when useradd is run with -N or USERGROUPS_ENAB is set to no in /etc/login.defs. INACTIVE=-1 means an account whose password has expired is not automatically disabled after a grace period. The SKEL variable points to the /etc/skel/ directory by default. The contents of the directory specified by the SKEL variable are copied to a user's home directory when the user is created.
[root@examplehost /]# ls -al /etc/skel
total 36
drwxr-xr-x.   4 root root  4096 Dec 10 14:06 .
drwxr-xr-x. 113 root root 12288 Feb 20 14:24 ..
-rw-r--r--.   1 root root    18 May 10  2012 .bash_logout
-rw-r--r--.   1 root root   176 May 10  2012 .bash_profile
-rw-r--r--.   1 root root   124 May 10  2012 .bashrc
drwxr-xr-x.   2 root root  4096 Nov 20  2010 .gnome2
drwxr-xr-x.   4 root root  4096 Dec 10 14:01 .mozilla
[root@examplehost /]#
Create a file using an editor (e.g. the vi editor) in the /etc/skel directory and call this file Readme.txt.
[root@examplehost /]# vi /etc/skel/Readme.txt
Enter some text into the Readme.txt file, then save and quit the editor. Later in this lab we will create a Linux user student3. When that user is created, we will notice that the home directory contains this Readme.txt file automatically. This is because the file is created in the /etc/skel directory, whose contents automatically get copied into a user's home directory upon creation. Because everything placed in /etc/skel, including dotfiles such as .bashrc, is read by every new user's shell, keep the directory writable by root only and review any shell startup files added to it.
[root@examplehost /]# cat /etc/skel/Readme.txt
Read this file first.
[root@examplehost /]#
Another file that we will now look at is the /etc/login.defs file.
[root@examplehost /]# ls -l /etc/login.defs
-rw-r--r--. 1 root root 1816 Oct 12  2011 /etc/login.defs
[root@examplehost /]#
The /etc/login.defs file defines the configuration for the shadow password suite. It is a readable text file that describes the various configuration parameters associated with shadow passwords. It contains settings such as the password-aging defaults, the option to remove a user's group when no user of that name remains, the hashing method for passwords (ENCRYPT_METHOD), and the UMASK applied to newly created home directories. You can read the man page of login.defs to understand the various parameters. Enclosed below is sample output of this file.
[root@examplehost /]# more /etc/login.defs
This file also defines the min/max values for automatic GID selection for the groupadd command (and, likewise, UID_MIN/UID_MAX for useradd).
[root@examplehost /]# cat /etc/login.defs | grep GID
GID_MIN                   500
GID_MAX                 60000
[root@examplehost /]#
Enclosed below is a table with some of the common command-line utilities related to user/group administration in Oracle Linux 6. We will use some of these commands below in our lab exercise and you can explore the remaining commands on your own.
Command/Utility   Purpose
useradd           Add user accounts
usermod           Modify user accounts
userdel           Delete user accounts
users             Print the user names of users logged in on the host
sudo              Execute a command as another user
groupadd          Add groups
groupmod          Modify groups
groupdel          Delete groups
groups            Print the groups a user is in
gpasswd           Administer the /etc/gshadow and /etc/group files
pwck, grpck       Verify the password, group, and associated shadow files
Start by reading the man page of the useradd command.
[root@examplehost /]# man useradd
We will now create a user with username student3 using the useradd command-line utility. The -c option in the command below is used to provide the GECOS information (name etc). This command will create the student3 user using the default settings specified in the /etc/default/useradd file.
[root@examplehost /]# useradd -c "student3 user3" student3
[root@examplehost /]#
Once the student3 user has been created on the system, you can check the entries added in the /etc/passwd and /etc/group files for this user. See the example below.
[root@examplehost /]# cat /etc/passwd | grep -i student3
student3:x:503:503:student3 user3:/home/student3:/bin/bash
[root@examplehost /]#
[root@examplehost /]# cat /etc/group | grep student3
student3:x:503:
[root@examplehost /]#
You can also switch to student3 using the su - student3 command (root needs no password to do so). After logging in, you will find a Readme.txt file was created for this user. This is the file we created in the /etc/skel directory earlier in the lab.
[root@examplehost /]# su - student3
[student3@examplehost ~]$
[student3@examplehost ~]$ whoami
student3
[student3@examplehost ~]$
[student3@examplehost ~]$ pwd
/home/student3
[student3@examplehost ~]$ ls -l
total 4
-rw-r--r--. 1 student3 student3 22 Feb 20 14:57 Readme.txt
[student3@examplehost ~]$
[student3@examplehost ~]$ cat Readme.txt
Read this file first.
[student3@examplehost ~]$
If you want, you can set the password for the student3 user using the passwd command as shown below. In the example below, we run the passwd command as the root user to set the password of the student3 user to oracle. Note that root is not stopped by the pam_cracklib quality checks in /etc/pam.d/system-auth (it only gets a warning), so a weak value like this one is accepted; a user changing their own password would be refused.
[root@examplehost /]# passwd student3
Changing password for user student3.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@examplehost /]#
You can also check the entry created for the student3 user in the /etc/shadow file. Until passwd was run the second field held !!, meaning no password had been set.
[root@examplehost /]# cat /etc/shadow | grep student3
student3:$6$tlj4yP0T$09INZnAkSqNuf4c/dCE0KSWEq3NbWQbwdV6Aa5gB3pW/vK1l8.7wSVcAVcRbUBGZjhKl2Ok/dP/ojg7tGsc.a/:15756:0:99999:7:::
Looking at the /etc/passwd file, we see that student3 has /bin/bash as the default shell. The default shell is specified in the /etc/default/useradd file.
[root@examplehost /]# cat /etc/passwd | grep -i student3
student3:x:503:503:student3 user3:/home/student3:/bin/bash
[root@examplehost /]#
If you want to create a Linux user but prevent that user from logging in to the system, then you can set the user shell to /sbin/nologin. For example, to create a user named reports_user, you can run the following command:
[root@examplehost ~]# useradd -s /sbin/nologin reports_user
Now if you try to log in as reports_user it will print the message "This account is currently not available." The user exists on the system, but its shell is /sbin/nologin, a program that prints that message and exits, so no interactive session is ever started. Be clear about what this does and does not do: it blocks shell logins only. The account can still own files and processes, run cron jobs, and authenticate by password to services that do not need a shell, and root can still run commands as it with su -s /bin/sh reports_user. To disable an account outright, also lock its password (usermod -L) and set an expiry date (chage -E 0). The account created here has no password yet (its /etc/shadow field is !!), so at this point it cannot authenticate by password either.
[root@examplehost ~]# su - reports_user
This account is currently not available.
[root@examplehost ~]#
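Because /sbin/nologin is only one of several things that decide whether an account is usable, the check a practitioner wants combines the shell from /etc/passwd, the /etc/shells list and the password field from /etc/shadow. The following added example (not from the lab) does that for constructed sample files with placeholder hashes; called with no file arguments it reads the real /etc/passwd, /etc/shadow and /etc/shells, so on a live host it must run as root.

```sh
#!/bin/sh
# Added example: decide whether an account can actually be used to log in, from its
# shell in /etc/passwd and its password field in /etc/shadow. The sample files are
# constructed; the hashes are placeholders.

# login_state USER [passwd] [shadow] [shells]
# Prints: USER shell=ok|blocked listed=yes|no password=set|locked|empty verdict=...
login_state() {
    u=$1
    pwline=$(grep -- "^$u:" "${2:-/etc/passwd}") || { echo "$u: no such user"; return 2; }
    shline=$(grep -- "^$u:" "${3:-/etc/shadow}") || { echo "$u: no shadow entry"; return 2; }
    shell=${pwline##*:}                    # field 7 of passwd
    hash=${shline#*:}; hash=${hash%%:*}    # field 2 of shadow

    case $shell in
        /sbin/nologin|/bin/false) shell_ok=blocked ;;   # exits at once, no interactive session
        *)                        shell_ok=ok ;;
    esac
    # /etc/shells is consulted by chsh, ftpd and pam_shells, not by login itself,
    # so an unlisted shell is reported but does not change the verdict.
    if grep -qx -- "$shell" "${4:-/etc/shells}"; then listed=yes; else listed=no; fi

    case $hash in
        '')        pw=empty ;;
        '!'*|'*'*) pw=locked ;;
        *)         pw=set ;;
    esac

    if [ "$pw" = empty ]; then
        verdict=EMPTY-PASSWORD          # authentication succeeds with no password at all
    elif [ "$shell_ok" = blocked ] && [ "$pw" = locked ]; then
        verdict=disabled
    elif [ "$shell_ok" = blocked ]; then
        verdict=password-only           # nologin blocks a shell, not authentication: PAM
                                        # services and `su -s /bin/sh USER` as root still work
    elif [ "$pw" = locked ]; then
        verdict=locked-password         # a key in ~/.ssh/authorized_keys still logs in;
                                        # expire the account (chage -E 0) to close that path
    else
        verdict=interactive
    fi
    printf '%s shell=%s listed=%s password=%s verdict=%s\n' "$u" "$shell_ok" "$listed" "$pw" "$verdict"
}

# Constructed sample files, one account per situation the function distinguishes.
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT
cat >"$D/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
student3:x:503:503:student3 user3:/home/student3:/bin/csh
reports_user:x:504:504::/home/reports_user:/sbin/nologin
backup:x:505:505::/var/backup:/bin/false
olduser:x:506:506::/home/olduser:/bin/bash
guest:x:507:507::/home/guest:/bin/bash
EOF
cat >"$D/shadow" <<'EOF'
root:$6$saltsalt$placeholder:15756:0:99999:7:::
student3:$6$saltsalt$placeholder:15756:0:99999:7:::
reports_user:!!:15756:0:99999:7:::
backup:$6$saltsalt$placeholder:15756:0:99999:7:::
olduser:!$6$saltsalt$placeholder:15756:0:99999:7:::
guest::15756:0:99999:7:::
EOF
cat >"$D/shells" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
EOF

for u in student3 reports_user backup olduser guest; do
    login_state "$u" "$D/passwd" "$D/shadow" "$D/shells"
done
```

The verdicts are ordered by what matters most: an empty password field is reported before anything else, and "disabled" is only returned when both the shell and the password are closed off, which is the state the usermod -L plus nologin combination described above produces.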
We will now look at the usermod command, which can be used to modify an existing Linux user. Simply typing the usermod command will list the options available for this command.
[root@examplehost ~]# usermod
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message
  .....
The list of shells available on the system is specified in the /etc/shells file. Examine the /etc/shells file on your Oracle Linux 6 system.
[root@examplehost /]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
[root@examplehost /]#
We will now run the usermod command to change the default shell of the student3 user from the /bin/bash shell to the /bin/csh shell. The shell can be changed using the -s flag of the usermod command.
[root@examplehost /]# usermod -s /bin/csh student3
[root@examplehost /]#
[root@examplehost /]# cat /etc/passwd | grep student3
student3:x:503:503:student3 user3:/home/student3:/bin/csh
[root@examplehost /]#
You can verify by both checking the /etc/passwd file and by logging in as student3 to confirm the shell has been changed to /bin/csh.
[root@examplehost /]# su - student3
[student3@examplehost ~]$
[student3@examplehost ~]$ ps
  PID TTY          TIME CMD
 7243 pts/4    00:00:00 csh
 7258 pts/4    00:00:00 ps
[student3@examplehost ~]$
The next command we will look at is the groupadd command to create groups on
the system. Again, simply typing the groupadd command will show the options
available for this command.
Let us check the group information for student3 using the id command as shown below. Notice that the student3 user belongs to one group, called student3, with a GID of 503.
[root@examplehost /]# su - student3
[student3@examplehost ~]$ id -Gn
student3
[student3@examplehost ~]$ id -G
503
[student3@examplehost ~]$
As root user, run the groupadd command to create a new support group.
[root@examplehost /]# whoami
root
[root@examplehost /]# groupadd support
[root@examplehost /]#
Verify that the new group support has been created by examining the /etc/group file. Also note the GID of the support group. In the example below, the GID is 551.
[root@examplehost /]# cat /etc/group | grep support
support:x:551:
[root@examplehost /]#
Modify the student3 group membership. We will make student3 a member of the new support group. Run the usermod command with -a (append) and -G support as shown below. The -a flag matters: -G on its own replaces the user's whole supplementary group list, and any group not named on the command line is silently dropped. The new membership only shows up in sessions started after the change, which is why the next step logs in again with su -.
[root@examplehost /]# usermod -a -G support student3
[root@examplehost /]#
Log in (su) as the student3 user and confirm that student3 is now a member of two groups, student3 and support. Note the GIDs of the two groups.
[root@examplehost /]# su - student3
[student3@examplehost ~]$ id
uid=503(student3) gid=503(student3) groups=503(student3),551(support) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student3@examplehost ~]$ id -Gn
student3 support
[student3@examplehost ~]$ id -G
503 551
[student3@examplehost ~]$
The groupmod command can be used to modify a group. Typing the groupmod command lists the options available for this command.
[root@examplehost /]# groupmod
Usage: groupmod [options] GROUP
Options:
  -g, --gid GID                 change the group ID to GID
  -h, --help                    display this help message
  ...
Use the groupmod command to change the group name. Running groupmod with the -n option, as shown below, renames the group from support to staff. Check the /etc/group file to confirm that the name has changed. The GID stays the same, so file ownership and existing membership (student3 is still listed) are unaffected; only the name changes.
[root@examplehost /]# groupmod -n staff support
[root@examplehost /]#
[root@examplehost /]# cat /etc/group | grep staff
staff:x:551:student3
[root@examplehost /]#
The userdel command can be used to delete users from the system. As with the other commands, typing userdel with no arguments shows the available options.
We will now remove the student3 user from the system and also make sure the home directory of this user is removed. Run the userdel command with the -r option as shown below to delete the student3 user. You can verify by examining the /etc/passwd file that the user has been deleted.
[root@examplehost /]# userdel -r student3
[root@examplehost /]#
[root@examplehost /]# cat /etc/passwd | grep student3
[root@examplehost /]#
[root@examplehost /]# ls /home/
student1  student2
[root@examplehost /]#
Note that -r removes only the home directory and the mail spool. Any files the user owned elsewhere on the system keep UID 503 and now show up as unowned (find / -nouser lists them). If UID 503 is later handed to a new account, that account silently inherits those files, so locate and reassign or remove them before the UID is reused.
If you have a use case where users create files in a shared directory and those files should be owned by the group that owns the directory, use the setgid bit on the directory. The setgid bit makes managing group projects that share a common directory simple, because any file a user creates within the directory is owned by the directory's group rather than by the creator's primary group.
Let us say a group of people (john and jack, in the development group) need to work on files in the /home/development directory. Some people (john and jack) are trusted to modify this directory, but not everyone. To achieve this requirement, you would run the following commands:
# groupadd development
# mkdir /home/development
# chown -R root:development /home/development
# gpasswd -a john development
# gpasswd -a jack development
# chmod 2775 /home/development
Once you run the above commands, files created by john or jack in the /home/development directory get the same group ownership as the directory itself. The leading 2 in the chmod mode sets the setgid bit; the 775 gives the owner (root) and the development group read, write and execute access, and everyone else read and execute only, so users outside the group can read the files but not modify them. Two caveats: the setgid bit governs only the group of new files, not their permissions, so each member's umask still decides whether a new file is group-writable; and while subdirectories created inside a setgid directory inherit the bit, directories that already existed need it applied explicitly (for example with find /home/development -type d -exec chmod g+s {} +).
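To see the mechanism working rather than taking it on faith, here is an added Python example (not part of this lab) that builds a setgid project directory on a temporary path, audits its mode and group the way a reviewer would, and confirms that a file created inside inherits the directory's group. It needs no root: the project group is one the current user already belongs to, and the directory names under the temporary base are placeholders. Linux setgid semantics are assumed.

```python
# Added example, not part of the Oracle lab: reproduce the chmod 2775 setup
# on a temporary directory, audit the result, and confirm that a new file
# inherits the directory's group. Assumes a Linux filesystem that honours
# the setgid bit; no root needed because only groups the current user
# belongs to are used.
import os
import shutil
import stat
import tempfile


def make_shared_dir(path, gid):
    """mkdir + chown :gid + chmod 2775, as in the lab's /home/development steps."""
    os.makedirs(path, exist_ok=True)
    os.chown(path, -1, gid)      # -1 keeps the current owner, only the group changes
    os.chmod(path, 0o2775)       # leading 2 = setgid bit, 775 = rwxrwxr-x


def audit_shared_dir(path, expected_gid):
    """The checks a reviewer wants on a shared project directory."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)     # permission bits incl. setuid/setgid/sticky
    return {
        "setgid": bool(mode & stat.S_ISGID),
        "group_ok": st.st_gid == expected_gid,
        "group_writable": bool(mode & stat.S_IWGRP),
        "world_writable": bool(mode & stat.S_IWOTH),
    }


def new_file_gid(path):
    """Create a throwaway file inside path and return the group it received."""
    fd, name = tempfile.mkstemp(dir=path)
    try:
        return os.fstat(fd).st_gid
    finally:
        os.close(fd)
        os.unlink(name)


def candidate_gids():
    """Supplementary groups first (inheritance is then visible), primary last."""
    primary = os.getgid()
    return [g for g in os.getgroups() if g != primary] + [primary]


def demo():
    base = tempfile.mkdtemp()                       # placeholder for /home
    project = os.path.join(base, "development")     # placeholder project dir
    try:
        for gid in candidate_gids():
            try:
                make_shared_dir(project, gid)
                break
            except OSError:
                continue      # gid not usable here (e.g. unmapped inside a container)
        report = audit_shared_dir(project, gid)
        report["new_file_inherits_group"] = new_file_gid(project) == gid
        # Same layout without the setgid bit: the group comes from the creator.
        plain = os.path.join(base, "plain")
        os.makedirs(plain)
        os.chmod(plain, 0o775)
        report["plain_dir_setgid"] = audit_shared_dir(plain, gid)["setgid"]
        # Linux semantics; BSD-derived systems inherit the directory group regardless.
        report["plain_dir_file_gid_is_primary"] = new_file_gid(plain) == os.getgid()
        return report
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-32s %s" % (key, value))
```

Run it directly to print the report. The plain_dir_* entries show the same directory without the setgid bit, where a new file takes the creator's primary group instead of the project group; on a machine where the user has a supplementary group, the two cases visibly differ.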
5.3 Configure Password Aging
In this lab, we will learn how to configure password aging. Password aging is another technique used by system administrators to limit how long a weak or compromised password stays usable within an organization. Password aging means that after a set amount of time the user is prompted to create a new password.
There are two ways to specify password aging in Oracle Linux 6. The first way is the chage command and the second way is the User Manager Tool (system-config-users command) application. We will look at the chage command in this small lab.
Type the chage command to list the available options. You may also read the man page for this command.
Examine the /etc/shadow file and look at the entry for any one user. In the example below, we look at the student2 user. The fields after the password hash are the password aging related parameters: the day of the last password change (counted in days since 1970-01-01; 15756 is Feb 20, 2013), the minimum age, the maximum age, the warning period, the inactivity period, the account expiration day and a reserved field. The $6$ prefix on the hash marks SHA-512 crypt.
[root@examplehost /]# cat /etc/shadow | grep student2
student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:0:99999:7:::
[root@examplehost /]#
You can read the values of the password aging parameters using the chage -l command as shown below. It is easier to understand them from this listing than from the /etc/shadow entry, but that file is where the values are stored and updated.
[root@examplehost /]# chage -l student2
Last password change                                    : Feb 20, 2013
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
[root@examplehost /]#
Let us change the minimum password age to 10, the maximum password age to 30, and the password expiration warning to 10 days. This can be done interactively with the chage command as shown below (the same change non-interactively is chage -m 10 -M 30 -W 10 student2).
[root@examplehost /]# chage student2
Changing the aging information for student2
Enter the new value, or press ENTER for the default

        Minimum Password Age [0]: 10
        Maximum Password Age [99999]: 30
        Last Password Change (YYYY-MM-DD) [2013-02-20]:
        Password Expiration Warning [7]: 10
        Password Inactive [-1]:
        Account Expiration Date (YYYY-MM-DD) [1969-12-31]:

[root@examplehost /]#
You can verify with the -l option that the password aging parameters have been changed, as shown below. Password expires is now Mar 22, 2013, which is 30 days after the last change.
[root@examplehost /]# chage -l student2
Last password change                                    : Feb 20, 2013
Password expires                                        : Mar 22, 2013
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 10
Maximum number of days between password change          : 30
Number of days of warning before password expires       : 10
[root@examplehost /]#
Also observe that the password aging related fields in the /etc/shadow file have been updated: 15756:10:30:10 are the last-change day, minimum age, maximum age and warning days.
[root@examplehost /]# cat /etc/shadow | grep student2
student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:10:30:10:::
[root@examplehost /]#
To force a user to change his or her password at the next login, run the chage command with the -d option and a value of 0. This sets the last-change field in /etc/shadow to day 0 (1970-01-01), which the login process treats as an expired password.
[root@examplehost /]# chage -d 0 student2
Log out as root and use the switch user option to log back in as the student2 user. When you enter the password for the student2 user, you will be prompted to enter the current password.
After entering the current password, you will be prompted to enter a new password
because we used the chage command with d and specified 0 to force a password
change.
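Pulling the aging fields apart by hand is error-prone, so here is an added Python example (not from this lab) that decodes shadow(5) entries, reproduces what chage -l reports and flags weak aging, including the chage -d 0 case just described. The first two sample lines are student2's entry exactly as printed above, before and after the chage run; the -d 0 line and the locked student3 line are constructed for the example.

```python
# Added example, not part of the Oracle lab: decode the aging fields of
# /etc/shadow entries, reproduce what chage -l reports, and flag weak
# settings. Lines 1 and 2 are student2's entry as printed in the lab before
# and after the chage run; lines 3 and 4 are constructed here to show the
# chage -d 0 case and a locked account.
import datetime

EPOCH = datetime.date(1970, 1, 1)
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "flag")
HASH = ("$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcu"
        "PRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0")

SAMPLE_SHADOW = [
    "student2:%s:15756:0:99999:7:::" % HASH,   # lab, before chage
    "student2:%s:15756:10:30:10:::" % HASH,    # lab, after chage
    "student2:%s:0:10:30:10:::" % HASH,        # constructed: after chage -d 0
    "student3:!!:15756:0:99999:7:::",          # constructed: locked / no password
]


def parse_shadow_line(line):
    """Split one shadow(5) entry; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 fields in %r" % line)
    rec = dict(zip(FIELDS, parts))
    for key in ("lastchg", "min", "max", "warn", "inactive", "expire"):
        rec[key] = int(rec[key]) if rec[key] else None
    return rec


def day_to_date(days):
    """Shadow stores dates as days since 1970-01-01; 15756 is 2013-02-20."""
    return EPOCH + datetime.timedelta(days=days)


def hash_algorithm(h):
    """Classify the password field by its crypt(3) prefix."""
    if h == "":
        return "none"
    if h.startswith(("!", "*")):
        return "locked"
    return {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}.get(h[:3], "des/other")


def aging_report(rec):
    """The same facts chage -l prints, as a dict; dates are ISO strings."""
    last, mx = rec["lastchg"], rec["max"]
    must_change = last == 0               # chage -d 0 sets the last-change day to 0
    never_expires = mx is None or mx >= 99999
    unknown = must_change or last is None
    return {
        "name": rec["name"],
        "algorithm": hash_algorithm(rec["hash"]),
        "must_change_now": must_change,
        "last_change": None if unknown else day_to_date(last).isoformat(),
        "expires": None if unknown or never_expires else day_to_date(last + mx).isoformat(),
        "min_days": rec["min"] or 0,
        "max_days": mx,
        "warn_days": rec["warn"],
    }


def findings(rec):
    """Audit points a reviewer would raise for one account."""
    out = []
    alg = hash_algorithm(rec["hash"])
    if alg == "none":
        out.append("empty password field: login without a password")
    elif alg == "locked":
        out.append("locked or no usable password")
    elif alg == "md5":
        out.append("md5 hash: weaker than the sha512 default")
    if rec["max"] is None or rec["max"] >= 99999:
        out.append("no maximum password age")
    if rec["min"] is not None and rec["max"] is not None and rec["min"] > rec["max"]:
        out.append("minimum age exceeds maximum age: user can never change password")
    return out


if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        rec = parse_shadow_line(line)
        print(aging_report(rec), findings(rec))
```

Feeding the real file through it (for line in open("/etc/shadow")) as root gives a quick inventory of accounts that never expire or still carry MD5 hashes; the computed expiry for the second line is Mar 22, 2013, matching the chage -l output above.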
This concludes the short and simple lab exercise.
5.4 Describe LDAP and NIS authentication options
Before we discuss LDAP and NIS, we will briefly talk about authentication. Authentication is the way that a user is identified and verified to a system. The
authentication process requires presenting some sort of identity and credentials,
like a username and password. The credentials are then compared to information
stored in some data store on the system.
So far we have covered local authentication, which relies on the local /etc/passwd and /etc/shadow files to authenticate users on an Oracle Linux system. We will now look at two other options available for authentication. The two authentication mechanisms we will discuss are:
1. NIS (Network Information Service)
2. LDAP (Lightweight Directory Access Protocol)
NIS: Per Wikipedia, the Network Information Service or NIS (originally called Yellow Pages or YP) is a client-server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network. Sun Microsystems developed NIS; the technology is licensed to virtually all other Unix vendors.
A NIS/YP system maintains and distributes a central directory of user and group information, hostnames, e-mail aliases and other text-based tables of information in a computer network. A NIS server serves these maps to NIS clients, which use them for authentication, so Linux systems can be configured to talk to a central NIS server for authentication. Keep in mind that NIS predates modern network security: its maps, including the password map, travel over RPC without encryption, and a client is trusted largely on the strength of knowing the domain name, so NIS belongs only on a trusted, isolated network.
LDAP: LDAP is an Internet standard protocol used by applications to access information in a directory. LDAP is based on a client-server model. LDAP servers provide the directory service, and LDAP clients use the directory service to access entries and attributes. An LDAP client starts an LDAP session by connecting to an LDAP server that listens by default on TCP port 389. The client then sends an operation request to the server, and the server sends responses in return. A simple bind over plain port 389 sends the user's password in the clear, so for authentication use LDAPS (TCP port 636) or StartTLS on port 389, and have the client verify the server certificate.
We will not be configuring LDAP or NIS authentication in this lab. We will just introduce you to some basic concepts about configuring LDAP/NIS authentication on Oracle Linux 6 systems.
Configuring Authentication:
Oracle Linux includes a tool to select the authentication databases and configure
associated authentication options. This tool is called the Authentication
Configuration Tool. The Authentication Configuration Tool has both GUI and
command-line options to configure any user data stores.
You can launch the Authentication Configuration Tool by clicking the System -> Administration -> Authentication menu option.
http://en.wikipedia.org/wiki/Network_Information_Service
Alternatively, you can run the Authentication Configuration Tool from the command
line by using system-config-authentication command as shown below.
The Authentication Configuration Tool will launch the GUI application. There are
two tabs in this application window:
Identity & Authentication
Advanced Options
The Identity & Authentication tab configures the resource used as the identity store and defines how users are authenticated. Under the User Account Configuration section, you select the User Account Database used for authentication. The choices available are:
Local accounts only - local /etc/passwd and /etc/shadow files
LDAP - LDAP server and base DN configuration
NIS - NIS server and domain configuration
Winbind - Winbind authentication; requires the samba-winbind package
IPAv2 - IPA domain, server and realm configuration
We will only look at NIS and LDAP authentication in this training.
The Advanced Options tab enables authentication methods other than passwords or certificates, such as smart cards and fingerprint readers. You can also enable local access control there; its rules live in the /etc/security/access.conf file and are enforced by the pam_access module, which restricts which users may log in from which hosts or terminals.
Configuring NIS Authentication:
NIS authentication requires the ypbind and yp-tools packages on the client systems. When the ypbind service is installed and configured, the RPC port mapper (rpcbind on Oracle Linux 6, the successor of portmap) and the ypbind service are started and enabled to start at boot time. We will not actually be doing any NIS authentication since we do not have a NIS server configured.
In the Authentication Configuration Tool, on the Identity & Authentication tab, you can select NIS as the User Account Database. Next you can enter your NIS domain and NIS server information. In the lower section, you can configure the Authentication Method to be NIS password or Kerberos password. See the example screenshot below. Since we do not have any NIS server available for this training, we will not make any changes. Cancel and quit this tool without making any changes.
On the NIS server side, you will need to install the ypserv package and then configure the server. That involves several things like the NIS domain, /etc/ypserv.conf configuration, NIS maps etc. Refer to the Linux documentation for complete details.
Configuring LDAP Authentication:
Launch the Authentication Configuration Tool and select LDAP as the user account database to configure LDAP authentication. You will have to define the LDAP Search Base DN and the LDAP Server. You can define LDAP or LDAPS (secure) servers. For the authentication method, you can choose LDAP password or Kerberos password. See the example screenshot below. We will not make any changes since we do not have an LDAP server available for this training. Just review and familiarize yourself with the available configuration options.
The packages needed for LDAP server/client configuration include:
openldap-clients - OpenLDAP client utilities
openldap-servers - OpenLDAP server package
openldap - OpenLDAP support libraries
nss-pam-ldapd - nsswitch module which uses directory servers
Configuring Authentication from the Command Line:
The authconfig command-line tool updates all of the configuration files and services required for system authentication according to the settings passed to it. Along with allowing all the identity and authentication configuration options that can be set through the UI, the authconfig tool can also be used to create backup and kickstart files. For a complete list of authconfig command options, check the help output and the man page.
The authconfig command must be given either the --update or the --test option; one of the two is required for the command to run. --update writes the configuration changes, and --test prints the resulting configuration to stdout without applying it.
Example: to print the password hashing algorithm currently in effect, run authconfig with the --test option; its output includes a line reporting the password hashing algorithm.
To change the hash algorithm used for new passwords, run authconfig with the --passalgo option.
# authconfig --passalgo=sha256 --update
This only affects passwords set after the change; hashes already in /etc/shadow keep their current algorithm until the user next changes the password. sha512 is the Oracle Linux 6 default and the stronger choice, so pick sha256 only when something downstream requires it.
You can also enable and configure LDAP from the command line using the authconfig command. To use an LDAP identity store, use the --enableldap option. To use LDAP as the authentication source, use the --enableldapauth option and then provide the LDAP server and the base DN for the user suffix, for example:
# authconfig --enableldap --enableldapauth --ldapserver=ldap://host:port --ldapbasedn="base dn" --update
For a production directory, point --ldapserver at an ldaps:// URL or add --enableldaptls so that bind passwords are not sent in the clear.
Similarly, NIS configuration can be done using the authconfig command. The syntax is as follows:
# authconfig --enablenis --nisdomain=<domain> --nisserver=<server> --update
Well, that completes this introductory lab exercise on authentication.
5.5 Introduction to Pluggable Authentication Modules (PAM)
Per Wikipedia, Pluggable authentication modules (PAM) are a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independent of the underlying authentication scheme.
Pluggable Authentication Modules are a common framework for authentication and security. Basically, the PAM authentication mechanism allows you to configure how applications use authentication to verify the identity of users.
The PAM configuration files are in the /etc/pam.d directory, which contains the configuration file for each PAM-aware application. Each PAM-aware application has a file in the /etc/pam.d/ directory that usually has the same name as the service to which it controls access. The PAM-aware program/application is responsible for defining its service name and installing its own PAM configuration file in the /etc/pam.d/ directory. For example, the login program defines its service name as login and installs the /etc/pam.d/login PAM configuration file.
http://en.wikipedia.org/wiki/Pluggable_authentication_module
Each PAM configuration file contains a group of directives that define the module and any controls or arguments that go with it. The directives are:
module_interface - auth, account, password, session
control_flag - required, requisite, sufficient, optional, include
module_name - pam_unix.so and pam_wheel.so are a couple of examples
module_arguments - some modules need arguments
For example, in the following line the module_interface is auth, the control_flag is required and the module name is pam_unix.so:
auth required pam_unix.so
Take a look at the /etc/pam.d/xserver PAM configuration file. In this file, each line starts with the module_interface name, next is the control_flag, the third field is the module name and the last field (optional) holds the arguments for the module.
[root@examplehost pam.d]# pwd
/etc/pam.d
[root@examplehost pam.d]# cat xserver
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so
session    optional     pam_keyinit.so force revoke
[root@examplehost pam.d]#
In the above example, the first line uses the pam_rootok.so module to check whether the current user is root by verifying that the UID is 0. Because its control flag is sufficient, success ends the auth stack immediately with an overall pass and pam_console.so is never consulted. If the check fails, the failure of a sufficient module is simply ignored and the next line is evaluated: pam_console.so is marked required, so its verdict decides the result. The difference between required and requisite matters here: a required failure is recorded but the remaining modules in the stack still run (so a caller cannot tell which module rejected them), whereas a requisite failure returns to the application at once. This is how the configuration files drive the PAM authentication mechanism.
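To make the control-flag rules concrete, here is an added Python example (not part of this lab) that parses the xserver file shown above and evaluates its auth stack under the pam.d(5) semantics for required, requisite, sufficient and optional. Module verdicts are simulated: pam_rootok.so succeeds only when the caller's UID is 0, and the pam_console.so verdict is supplied by the caller. The real PAM library is not involved.

```python
# Added example, not part of the Oracle lab: parse the /etc/pam.d/xserver
# rules shown above and evaluate the auth stack with the control-flag rules
# from pam.d(5). Module results are simulated (pam_rootok.so succeeds only
# for UID 0; the pam_console.so verdict is passed in by the caller); the real
# PAM library is never called.

XSERVER = """#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so
session    optional     pam_keyinit.so force revoke
"""


def parse_pam_file(text):
    """Return one dict per rule: interface, control, module, args."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed PAM rule: %r" % raw)
        rules.append({"interface": parts[0], "control": parts[1],
                      "module": parts[2], "args": parts[3:]})
    return rules


def run_stack(rules, interface, results):
    """Evaluate one management group (auth, account, ...).

    results maps a module file name to True (PAM_SUCCESS) or False.
    Control-flag semantics, per pam.d(5):
      required   a failure is remembered but the remaining modules still run
      requisite  a failure returns to the application immediately
      sufficient success ends the stack with PASS unless an earlier required
                 module already failed; a failure is ignored
      optional   only decides the result when it is the sole module in the stack
    Returns (outcome, list of modules actually consulted).
    """
    stack = [r for r in rules if r["interface"] == interface]
    if not stack:
        return "FAIL", []                   # no rule for this interface: deny
    consulted, failed = [], False
    for rule in stack:
        ok = results.get(rule["module"], False)   # unknown module counts as failure
        consulted.append(rule["module"])
        ctl = rule["control"]
        if ctl == "required":
            failed = failed or not ok
        elif ctl == "requisite":
            if not ok:
                return "FAIL", consulted
        elif ctl == "sufficient":
            if ok and not failed:
                return "PASS", consulted
        elif ctl == "optional":
            if len(stack) == 1:
                failed = not ok
        else:
            raise ValueError("control flag not modelled here: " + ctl)
    return ("FAIL" if failed else "PASS"), consulted


def xserver_auth(uid, console_owner):
    """Simulate the auth stack of the lab's xserver file for a given caller."""
    rules = parse_pam_file(XSERVER)
    results = {
        "pam_rootok.so": uid == 0,          # succeeds only for root
        "pam_console.so": console_owner,    # does the caller own the console?
    }
    return run_stack(rules, "auth", results)


if __name__ == "__main__":
    print("root:", xserver_auth(0, False))
    print("console user:", xserver_auth(503, True))
    print("remote user:", xserver_auth(503, False))
```

The returned module list is the point to watch: root never reaches pam_console.so, while a non-root caller is judged by it alone. Swapping the first line's sufficient for required would make root subject to the console check too, which is the kind of change a config review should catch.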
New PAM modules can be created or added at any time for use by PAM-aware applications. Documentation on writing modules is included in the /usr/share/doc/pam-<version> directory.
We will not be developing any PAM modules or doing any lab exercise on PAM in
this training.
6 Lab Summary
In this lab, you learned how to create, modify and delete users and groups on Oracle Linux 6 systems. You learned how to do user and group administration using both the User Manager GUI tool and command line utilities. You also learned about password aging configuration. We introduced you to the NIS and LDAP authentication mechanisms and to the Authentication Configuration Tool and the command line authconfig tool. We ended this lab with a short discussion about Pluggable Authentication Modules (PAM).
7 References
For more information and next steps, please consult additional resources. Click the hyperlinks to access the resource.
Deployment Guide, Chapter 3 (Users and Groups Administration)
http://linux.oracle.com/documentation/OL6/Red_Hat_Enterprise_Linux-6-Deployment_Guide-en-US.pdf