
Linux (RHEL) User Management Cheat Sheet by

User management on Red Hat Linux Server

Notice

This information specifically relates to place of employment, but may be useful elsewhere.

User and Group Management

Action
Command
List users configured on local host
awk -F: '/\/home/ {printf "%s:%s\n",$3,$1}' /etc/passwd | sort -n
List groups configured on local host
awk -F: -v id="999" '$3 > id' /etc/group
For users, the assumption is that they are non-system users if they have a /home directory.
For groups, the assumption is that they are non-system groups if the gid is greater than 999.
Refer to /etc/login.defs.

Create User

Create user
useradd -c "Firstname Lastname" -d /home/firstname.lastname.suffix -u <uid> -g <gid> -m -s /bin/bash firstname.lastname.suffix
Create user (shorter)
useradd -c "Firstname Lastname" -u <uid> -g <gid> firstname.lastname.suffix
Set password
passwd firstname.lastname.suffix
Set account aging policy
chage -M 90 -W 7 -I 30 -d 0 firstname.lastname.suffix
where -M is the maximum number of days between password changes, -W is the number of days of warning before the password expires, -I is the number of inactive days after the password expires before the account is locked, and -d is the day the password was last changed, in days since 1 January 1970 (setting it to 0 forces a password change on next logon).
Expire password (force password change)
chage -d 0 firstname.lastname.suffix
Expire password and set account expiry (for contractors)
chage -d 0 -E YYYY-MM-DD firstname.lastname.suffix
List account aging information
chage -l firstname.lastname.suffix
User accounts are in firstname.lastname.accounttype format. These 3 variables are used by the user management scripts. Admin user accounts are suffixed with .nalx.
Service accounts are prefixed with svc.
uid and gid are maintained in a central location to ensure uniformity across the server fleet.

Account Management

Disable account (most effective method)
chage -E0 firstname.lastname.suffix
Re-enable account
chage -E -1 firstname.lastname.suffix
Lock account
usermod -L username
Check lock status
grep username /etc/shadow
A single exclamation mark before the encrypted password means the account is locked.
Lock password
passwd -l username
Unlock password
passwd -u username
Check password status
grep username /etc/shadow
Two exclamation marks before the encrypted password mean the password is locked.
Check whether password ever set
grep username /etc/shadow
Two exclamation marks with no encrypted password mean the password has never been set.
Extend account expiry (for contractors)
chage -E YYYY-MM-DD firstname.lastname.suffix
The recommended method of securing an account is disabling it with the chage command. Locking accounts with usermod, or passwords with passwd, is not as effective. For example, an account that logs in over SSH with a key does not use a password.
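
The checks above, as an added example that is not part of the original cheat sheet: a shell function that reads one /etc/shadow-format line and reports both the password-field marker and the account expiry set by chage -E. The function name, the optional second argument (today as days since 1970-01-01) and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet.
# shadow_state LINE [TODAY]
#   LINE  : one line in /etc/shadow format
#   TODAY : days since 1970-01-01 (assumed optional argument; defaults to now)
# Prints user:password-state:account-state
shadow_state() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    printf '%s\n' "$1" | awk -F: -v today="$today" '
    {
        pw = $2; expiry = $8
        # Field 2: password hash, possibly prefixed with lock markers.
        if      (pw == "!!")  pstate = "never-set"        # "!!" and no hash
        else if (pw ~ /^!!/)  pstate = "password-locked"  # passwd -l
        else if (pw ~ /^!/)   pstate = "usermod-locked"   # usermod -L
        else if (pw ~ /^\$/)  pstate = "hash-set"
        else                  pstate = "other"            # e.g. "*" or empty
        # Field 8: account expiry in days since 1970-01-01 (chage -E).
        if      (expiry == "")            astate = "no-expiry"
        else if (expiry + 0 <= today + 0) astate = "expired"  # e.g. chage -E0
        else                              astate = "expires-day-" expiry
        print $1 ":" pstate ":" astate
    }'
}

# Constructed sample lines; names and hashes are placeholders.
while IFS= read -r entry; do
    shadow_state "$entry" 20000
done <<'EOF'
alice.smith.nalx:$6$salt$PLACEHOLDER:19700:0:90:7:30::
bob.jones.nalx:!!$6$salt$PLACEHOLDER:19700:0:90:7:30::
carol.lee.nalx:$6$salt$PLACEHOLDER:19700:0:90:7:30:0:
dave.kim.nalx:!$6$salt$PLACEHOLDER:19700:0:90:7:30:30000:
svc.backup:!!:19700::::::
EOF
```

On a live host, run the function as root over each line of /etc/shadow. The two columns are independent: a locked password field says nothing about account expiry, which is the setting the chage method changes.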

List Logged On Users

Show who is logged on
who
Show who is logged on and what they are doing
w
Show list of last logged in users who are "still logged in"
last -F | grep 'still logged in'
Print name of users currently logged in to local host
users

Non-standard aliases

Alias
Command
lusers
awk -F: '{ if ($3 > 999 && $3 < 60001) print $1 }' /etc/passwd | grep -v suffix | sort
ladmins
awk -F: '{ if ($3 > 999 && $3 < 60001) print $1 }' /etc/passwd | grep suffix | sort
These are functions stored in /etc/profile.d/aliases.sh. Again, refer to /etc/login.defs for the UID_MIN, UID_MAX, GID_MIN and GID_MAX values.

Get User Information Function

# get-useraccounts [Account Type: ALL|normal|admins|service] [Output Format: name|description|almostall|csv|table] [Additional Info: GROUP|nogroup|complete]
Group information is collected from the corresponding user entry in /etc/group, and additional information is collated from the chage command.
Argument order is important (the function does not use getopt or getopts). Account Type: ALL is the default option. Output Format: no specific option required. Additional Info: GROUP info is the default option.
# get-useraccounts
# get-useraccounts service csv group
# get-useraccounts admins tablefull complete
Based on function listusers / get-useraccounts (expanded version of the above custom functions lusers and ladmins). The get-useraccounts alias is in PowerShell (verb-noun) format, so it is somewhat familiar to Windows administrators.
Could be saved as part of a function file or incorporated into the system alias file (/etc/profile.d/aliases.sh).
           
 

          More Cheat Sheets by PeterCeeAU
