Show Menu
Cheatography

Linux (RHEL) User Management Cheat Sheet by

User management on Red Hat Linux Server

Notice

This inform­ation specif­ically relates to place of employ­ment, but may be useful elsewhere.

User and Group Management

Action
Command
List users configured on local host
awk -F: '/\/home/ {printf "­%s:­%s­\n",$­3,$1}' /etc/p­asswd | sort -n
List groups configured on local host
awk -F: -v id="­999­" '$3 > id' /etc/group
For Users, the assumption is that they are non-system users if they have a /home directory
For Groups, the assumption is that they are non-system groups if gid is greater the 999
Refer to /etc/l­ogi­n.defs

Create User

Create user
useradd -c "­Fir­stname Lastna­me" -d /home/firstn­ame.la­stn­ame.suffix -u <ui­d> -g <gi­d> -m -s /bin/bash firstn­ame.la­stn­ame.suffix
Create user (shorter)
useradd -c "­Fir­stname Lastna­me" -u <ui­d> -g <gi­d> firstn­ame.la­stn­ame.suffix
Set password
passwd firstn­ame.la­stn­ame.suffix
Set account aging policy
chage -M 90 -W 7 -I 30 -d 0 firstn­ame.la­stn­ame.suffix
where -M maximum number of days between password changes, -W number of days warning before password expires, -I inactive days after password expires that account is locked, -d days since password changed (setting to 0 zero forces password change on next logon)
Expire password
(force password change)
chage -d 0 firstn­ame.la­stn­ame.suffix
Expire password and set account expiry­(fo­r co­ntr­actors)
chage -d 0 -E YYYY-MM-DD firstn­ame.la­stn­ame.suffix
List account aging inform­ation
chage -l firstn­ame.la­stn­ame.suffix
User accounts are in: firstn­ame.la­stn­ame.ac­cou­nttype format. These 3 variables are used by the user management scripts. Admin User Account are suffixed with .nalx.
Service Accounts are prefixed with svc.
uid and gid are maintained in a central location to ensure uniformity across server fleet.

Account Management

Disable account
(most effective method)
chage -E0 firstn­ame.la­stn­ame.suffix
Re-enable account
chage -E1 firstn­ame.la­stn­ame.suffix
Lock account
usermod -L username
Check lock status
grep username /etc/s­hadow
single exclam­ation mark before encrypted password means account locked
Lock password
passwd -l username
Unlock password
passwd -u username
Check password status
grep username /etc/s­hadow
two exclam­ation marks before encrypted password means password locked
Check whether password ever set
grep username /etc/s­hadow
two exclam­ation marks with no encrypted password means password has never been set
Extend account expiry
(for contra­ctors)
chage -E YYYY-MM-DD firstn­ame.la­stn­ame.suffix
The recomm­ended method of securing an account is disabling by using the chage command. Locking of accounts by using usermod or passwords by using passwd commands are not as effective. For example, an account which uses SSH does not use passwords.

List Logged On Users

Show who is logged on
who
Show who is logged on and what they are doing
w
Show list of last logged in users who are "­still logged in"
last -F | grep 'still logged in'
Print name of users currently logged in to local host
users

Non-st­andard aliases

Alias
Command
lusers
awk -F: '{ if ($3 > 999 && $3 < 60001) print $1 }' /etc/p­asswd | grep -v suffix | sort
ladmins
awk -F: '{ if ($3 > 999 && $3 < 60001) print $1 }' /etc/p­asswd | grep suffix | sort
These are functions stored in /etc/p­rof­ile.d/­ali­ases.sh. Again, refer to /etc/l­ogi­n.defs for UID_MIN and UID_MAX and GID_MIN and GID_MAX values

Get User Inform­ation Function

# get-us­era­ccounts [Account Type: ALL|no­rma­l|a­dmi­ns|­ser­vice] [Output Format­:na­me|­des­cri­pti­on|­alm­ost­all­|cs­v|t­able] [Addit­ional Info: GROUP|­nog­rou­p|c­omp­lete]
Where group inform­ation is collected from corres­ponding user entry in /etc/group and where addition inform­ation is collated from chage command
Argument order is important (does not use getopt or getopts). Account Type - ALL (is the default option). Output Format: no specific option required. Additional Info - GROUP info (is the default option).
# get-us­era­ccounts
# get-us­era­ccounts service csv group
# get-us­era­ccounts admins tablefull complete
Based on function listusers / get-us­era­ccounts (expanded version of the above custom functions lusers and ladmins). The get-us­era­ccounts alias is in PowerShell (verb-­noun) format so somewhat familiar for Windows Admini­str­ators.
Could be saved as part of a function file or incorp­orated into the system alias file (/etc/p­rof­ile.d/­ali­ases.sh).
           
 

Comments

No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          *nix users and groups Cheat Sheet
            YUM Command Cheat Sheet by Red Hat

          More Cheat Sheets by PeterCeeAU

          Vim Editor [Yet Another] Cheat Sheet
          Robocopy By Example Cheat Sheet
          NATO Phonetic Alphabet Cheat Sheet