The root user can also delete a password from an account (so a user can log in with just a username):
# passwd -d jane
Removing password for user jane.
passwd: Success
Use this sparingly: it is a serious security risk, because anyone who reaches a login prompt can enter the account with just the username. Local console logins accept the empty password (Fedora's PAM configuration passes nullok to pam_unix), and sshd will accept it too if PermitEmptyPasswords yes is set in /etc/ssh/sshd_config (the default is no), so check that setting before removing a password on a machine that is reachable over the network.
To find out the password status of an account, use -S :
# passwd -S jane
Empty password.
# passwd -S chris
Password set, MD5 crypt.
4.7.1.5. Managing groups and delegating group maintenance from the command line
The gpasswd command can be used to set a group password. This is rarely done. However, it is also used to manage groups and, better yet, to delegate group administration to any user.
To specify the members of a group, use the -M option:
# gpasswd -M jane,richard,frank audit
In this case, jane , richard , and frank are made members of the audit group. Any previous membership list for that group is replaced, so only these three users are now in it. (The other group memberships held by those users are not affected.)
You can also add or delete individual group users using the -a and -d options:
# gpasswd -a audrey audit
# gpasswd -d frank audit
Those commands add audrey to the group audit , then delete frank . Membership changes take effect at the user's next login; sessions that are already running keep the group set they started with.
If you delegate group administration to users, they can use the -a and -d options themselves, a great labor-saving idea! Delegation is performed with the -A (administrator) option; the list of administrators is recorded in the third field of /etc/gshadow :
# gpasswd -A jane audit
jane$ gpasswd -a matthew audit
User accounts are controlled by the /etc/passwd file, which looks like this:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
...(Lines snipped)...
fax:x:78:78:mgetty fax spool user:/var/spool/fax:/sbin/nologin
nut:x:57:57:Network UPS Tools:/var/lib/ups:/bin/false
privoxy:x:73:73::/etc/privoxy:/sbin/nologin
chris:x:500:500:Chris Tyler:/home/chris:/bin/bash
diane:x:501:501:Diane Tyler:/home/diane:/bin/bash
jane:x:502:502:Jane Smith:/home/jane:/bin/bash
richard:x:503:503:Richard Lee:/home/richard:/bin/bash
The fields in this file are separated by colons. From left to right, they are:
username
The name of the user account, which shows up in ls -l output and is used to log in to the system. This is sometimes (incorrectly) called the user ID.
password
Historically the hashed password was stored in this field. For security it now lives in /etc/shadow , and this field holds an x to indicate that.
user ID
The number identifying this user. Process and file ownership is stored as a number; this field is used to cross-reference the number with a username. The user ID is frequently abbreviated to uid . User IDs below 500 are considered system IDs and are reserved for system services on Fedora releases of this vintage (newer releases reserve IDs below 1000).
group ID
The group ID ( gid ) indicates the primary group for this user. It's cross-referenced to a group name through /etc/group .
comment field
This field can be used to store any text associated with the user. On Fedora, it's usually used to store the user's full name; the chfn and finger commands use it to store the user's full name, office location, office phone number, and home phone number, separated by commas.
This field is historically called the gecos or gcos field because it originally cross-referenced user IDs between Unix and the General Electric Comprehensive Operating Supervisor (GECOS) at Bell Labs. You'll still find this field documented as pw_gecos in Linux library function documentation (for an example, see man getpwent).
home directory
At login, the shell changes to this directory automatically, and the HOME environment variable is set to this value.
shell
This field specifies the user's default shell.
For accounts that require a password but should not permit the user to log in, such as an account used only for file sharing or POP/IMAP email access, use the dummy shell /sbin/nologin. If the user attempts to log in, the message "This account is currently not available" is displayed, and the user is logged out automatically. To use a different message, place the desired text in the file /etc/nologin.txt .
Since /etc/passwd must be readable by everyone so that commands such as ls -l can function correctly, the passwords have been moved to a file that is readable only by root , named /etc/shadow , which looks like this:
root:$1$45ZWBaPE$XvzhGEj/rA4VDJXdQESi0.:13024:0:99999:7:::
bin:*:13024:0:99999:7:::
daemon:*:13024:0:99999:7:::
adm:*:13024:0:99999:7:::
...(Lines snipped)...
fax:!!:13024:0:99999:7:::
nut:!!:13024:0:99999:7:::
privoxy:!!:13024:0:99999:7:::
chris:$1$hUjsHJUHIhUhu889H98hH.8.BGhhY79:13068:0:99999:7:::
diane:$1$97KJHNujHUkh88JHmnjNyu54NUI9JY7:13024:0:99999:7:::
jane:$1$yuaJsudk9jUJHUhJHtgjhytnbYhGJHy:13024:0:99999:7:::
richard:$1$pIjyfRbKo71jntgRFu3duhU97hHygbf:13024:0:99999:7:::
Note that the second field holds a hash of the password rather than the password itself. A password hash is one-way: the stored value cannot be turned back into the password. When the user logs in, the password typed is hashed with the same algorithm and salt, and the resulting string is compared with the stored one. In the sample, the $1$ prefix marks MD5 crypt, and the characters between the second and third $ ( 45ZWBaPE for root ) are the salt, which makes two accounts with the same password store different hashes. MD5 crypt is fast enough to brute-force on today's hardware; later Fedora releases default to SHA-512 ( $6$ ) or yescrypt ( $y$ ), and an old hash is replaced with the current default the next time the password is changed. A value of * or !! in this field means no password will ever match, so the account can only be entered some other way (such as su from root ); !! is what useradd leaves until a password is set, and passwd -l prefixes an existing hash with ! to lock it.
The remaining fields hold the password-aging (expiry) information, which chage -l displays: the date of the last password change as days since 1 January 1970 ( 13024 in the listing is 29 August 2005), the minimum number of days between changes ( 0 ), the maximum number of days a password may be used before it must be changed ( 99999 , effectively never), the number of days before expiry that the user is warned ( 7 ), the number of days of inactivity after expiry before the account is disabled, the account expiry date, and a reserved field; the last three are empty here.
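The following script, added here as an example for this section (it is not Fedora's passwd code), reads records in the /etc/shadow format shown above, reports each account's status in the wording that passwd -S uses earlier in this chapter, decodes the aging fields, and flags what an auditor wants to know: empty password fields (the result of passwd -d), MD5-crypt hashes, and overdue passwords. The sample records are constructed from the listing above; the svc_backup line, its 90-day maximum and its fake SHA-512 hash are assumptions for illustration.

```python
"""Audit records in /etc/shadow format: the status `passwd -S` reports, the
hash algorithm, and the password-aging fields. Added example for this chapter;
not code from Fedora's passwd or shadow-utils packages."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# crypt(3) prefixes. `$1$` (MD5 crypt) is what the shadow listing above uses;
# the others are what later Fedora releases generate.
HASH_ALGORITHMS = {"$1$": "MD5 crypt", "$5$": "SHA-256 crypt",
                   "$6$": "SHA-512 crypt", "$y$": "yescrypt"}
WEAK_ALGORITHMS = {"MD5 crypt", "DES crypt"}   # cheap to brute-force today
NEVER = 99999                                  # max_days meaning "no expiry"
EPOCH = date(1970, 1, 1)                       # date fields count days from here


@dataclass
class ShadowEntry:
    name: str
    hash_field: str
    last_change: Optional[int]   # days since EPOCH; None if the field is empty
    min_days: int                # minimum days between password changes
    max_days: int                # password must be changed after this many days
    warn_days: int               # days before expiry the user is warned
    inactive: Optional[int]      # days after expiry until the account is disabled
    expire: Optional[int]        # absolute account expiry, days since EPOCH


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow record; the ninth field is reserved and ignored."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 colon-separated fields: {line!r}")

    def opt(s: str) -> Optional[int]:
        return int(s) if s else None

    return ShadowEntry(f[0], f[1], opt(f[2]), int(f[3] or 0),
                       int(f[4] or NEVER), int(f[5] or 7), opt(f[6]), opt(f[7]))


def hash_algorithm(hash_field: str) -> Optional[str]:
    """Name the crypt(3) scheme from the prefix, or None when no hash is stored."""
    if hash_field == "" or hash_field.startswith(("!", "*")):
        return None
    for prefix, algo in HASH_ALGORITHMS.items():
        if hash_field.startswith(prefix):
            return algo
    return "DES crypt" if len(hash_field) == 13 else "unknown crypt"


def password_status(hash_field: str) -> str:
    """Describe the field in the wording `passwd -S` uses on the page above."""
    if hash_field == "":
        return "Empty password."        # what `passwd -d` leaves behind
    if hash_field.startswith(("!", "*")):
        return "Password locked."       # `!!` never set; `!hash` or `*` locked
    return f"Password set, {hash_algorithm(hash_field)}."


def last_change_date(entry: ShadowEntry) -> Optional[date]:
    if entry.last_change is None:
        return None
    return EPOCH + timedelta(days=entry.last_change)


def audit_shadow(lines: List[str], today: date) -> Dict[str, List[str]]:
    """Return {account: [findings]} for the conditions an auditor looks for."""
    today_days = (today - EPOCH).days
    findings: Dict[str, List[str]] = {}
    for line in lines:
        e = parse_shadow_line(line)
        notes = []
        if e.hash_field == "":
            notes.append("empty password field: login needs only the username")
        algo = hash_algorithm(e.hash_field)
        if algo in WEAK_ALGORITHMS:
            notes.append(f"weak hash ({algo}): rehash on next password change")
        if e.last_change is not None and e.max_days < NEVER:
            overdue = today_days - e.last_change - e.max_days
            if overdue > 0:
                notes.append(f"password expired {overdue} days ago")
        if e.expire is not None and today_days >= e.expire:
            notes.append("account expired")
        if notes:
            findings[e.name] = notes
    return findings


# Constructed sample in the format of the listing above. The hashes are the
# page's placeholders; `jane` shows the result of `passwd -d jane`, and the
# `svc_backup` line (90-day maximum, fake SHA-512 hash) is made up here.
SAMPLE_SHADOW = [
    "root:$1$45ZWBaPE$XvzhGEj/rA4VDJXdQESi0.:13024:0:99999:7:::",
    "bin:*:13024:0:99999:7:::",
    "fax:!!:13024:0:99999:7:::",
    "chris:$1$hUjsHJUHIhUhu889H98hH.8.BGhhY79:13068:0:99999:7:::",
    "jane::13024:0:99999:7:::",
    "svc_backup:$6$saltsalt$NOTAREALHASH:12950:0:90:7:::",
]

if __name__ == "__main__":
    for raw in SAMPLE_SHADOW:
        e = parse_shadow_line(raw)
        print(f"{e.name:<11} {password_status(e.hash_field):<30} "
              f"last change {last_change_date(e)}")
    for name, notes in audit_shadow(SAMPLE_SHADOW, date(2005, 11, 1)).items():
        print(f"{name}: " + "; ".join(notes))
```

Run it as root against the real file with `audit_shadow(open("/etc/shadow").read().splitlines(), date.today())`; the date is passed in rather than read from the clock so that the same input always gives the same findings, which matters when the output is kept as audit evidence.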
In a similar way, /etc/group contains basic information about each group:
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
...(Lines snipped)...
fax:x:78:
nut:x:57:
privoxy:x:73:
chris:x:500:fen
diane:x:501:
jane:x:502:
richard:x:503:
audit:x:504:jane,richard
soccer:x:505:richard,jake,wilson,audrey,shem,mike,olgovie,newton
toronto:x:506:matthew,jake,wilson,richard,audrey,shem,mike,olgovie,newton,ed,jack
...(Lines snipped)...
The fields here are:
group name
The name assigned to the group.
group password
A password assigned to the group. This is rarely used, because it's just as easy to add a user into a group as it is to give her the password. The actual password values have been moved to /etc/gshadow .
group ID
The numeric value assigned to the group. Group ownership of files and the gid field in /etc/passwd are stored as numbers; this file maps those numbers to group names.
supplementary members
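The two file formats described above (the /etc/passwd fields and the /etc/group fields) are easy to misread on their own: a user's primary group comes from the gid field in /etc/passwd, while /etc/group lists only supplementary members, so neither file alone shows who is really in a group. The script below, added here as an example and not code from Fedora or shadow-utils, parses both formats, merges them into effective membership (what id reports), and pulls out the two things a reviewer checks first: every account with uid 0, whatever it is named, and every account whose shell actually runs at login. The sample input is constructed from the listings above; the extended gecos field for chris and the backup account are assumptions added for illustration.

```python
"""Cross-reference /etc/passwd and /etc/group: primary group via passwd's gid,
supplementary members via group's fourth field. Added example for this
chapter; not code from Fedora or shadow-utils."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Shells that refuse an interactive login (the page describes /sbin/nologin).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin",
                  "/bin/false", "/usr/bin/false"}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int      # primary group; not listed in /etc/group's member field
    gecos: str
    home: str
    shell: str


@dataclass
class GroupEntry:
    name: str
    gid: int
    members: List[str]   # supplementary members only


def parse_passwd(text: str) -> List[PasswdEntry]:
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _x, uid, gid, gecos, home, shell = line.split(":")
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_group(text: str) -> List[GroupEntry]:
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _x, gid, members = line.split(":")
        entries.append(GroupEntry(name, int(gid),
                                  [m for m in members.split(",") if m]))
    return entries


def effective_members(passwd: List[PasswdEntry],
                      groups: List[GroupEntry]) -> Dict[str, Set[str]]:
    """Group name -> every user in it, whether through passwd's gid or through
    group's member list (the view `id <user>` gives, which /etc/group alone does not)."""
    name_of_gid = {g.gid: g.name for g in groups}
    members: Dict[str, Set[str]] = defaultdict(set)
    for g in groups:
        members[g.name].update(g.members)
    for u in passwd:
        # A gid with no /etc/group line is reported by number so it is not lost.
        members[name_of_gid.get(u.gid, str(u.gid))].add(u.name)
    return dict(members)


def uid_zero_accounts(passwd: List[PasswdEntry]) -> List[str]:
    """Every account that is root by uid, whatever it is called."""
    return [u.name for u in passwd if u.uid == 0]


def interactive_accounts(passwd: List[PasswdEntry]) -> List[str]:
    """Accounts whose login shell will actually run."""
    return [u.name for u in passwd if u.shell not in NOLOGIN_SHELLS]


def full_name(u: PasswdEntry) -> str:
    """chfn stores full name, office, office phone, home phone, comma-separated."""
    return u.gecos.split(",")[0]


# Constructed sample based on the listings above; chris's chfn-style gecos
# fields and the uid-0 `backup` account are made up for illustration.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
nut:x:57:57:Network UPS Tools:/var/lib/ups:/bin/false
chris:x:500:500:Chris Tyler,Room 101,555-0100:/home/chris:/bin/bash
jane:x:502:502:Jane Smith:/home/jane:/bin/bash
richard:x:503:503:Richard Lee:/home/richard:/bin/bash
backup:x:0:0:nightly backup:/var/backup:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:root
bin:x:1:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
nut:x:57:
chris:x:500:fen
jane:x:502:
richard:x:503:
audit:x:504:jane,richard
"""

if __name__ == "__main__":
    pw, gr = parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    for gname, users in sorted(effective_members(pw, gr).items()):
        print(f"{gname:<8} {', '.join(sorted(users))}")
    print("uid 0:", uid_zero_accounts(pw))
    print("interactive:", interactive_accounts(pw))
```

In the sample, group chris contains chris as well as fen even though /etc/group names only fen, and backup shows up alongside root both in group root and in the uid-0 list, which is exactly the kind of entry that reading /etc/group by itself would miss.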