In my last article here I discussed the principle of least privilege and why it is wise to disable remote root login and log in only as a user with sudo access. By disabling root login we remove a very easy attack on our Linux machine: every attacker knows the root account exists, so with root login allowed they only need to guess one password. Today let's discuss a little bit about user management.
User management
Before you disable root login, you need to create a new user with sudo access, otherwise you lock yourself out of administrative work.
To create a new user: sudo adduser username. For example:
sudo adduser pearl
While creating the user, adduser asks you to set a password (twice) and then some basic details such as full name, room number and phone numbers; the password is required, the rest you can leave blank.
Let's now check that this user was created successfully using finger. (finger is not installed by default on every system; if it is missing, the id command or getent passwd gives the same confirmation.)
From the image above, you can see that our new user has been created successfully.
Most of this information is stored in /etc/passwd, a file that lists an entry for every user on the system.
Let's check it out:
sudo cat /etc/passwd
(sudo is not actually needed to read this file: /etc/passwd is world-readable, which is exactly why the password hashes are not kept in it. We keep the sudo here because we use the same command as a sudo test later.)
You will see many lines in this pattern. The file stores one entry per user, and each entry is a single line of seven colon-separated fields. Let's take one apart:
student:x:1001:1001:New Student,,,:/home/student:/bin/bash
The 1st field is the username (student).
The 2nd field is the password field. The x does not represent the encrypted password itself; it means the password hash is stored in /etc/shadow, which only root can read. An empty 2nd field would mean the account needs no password at all.
The 3rd and 4th fields are the user ID (UID) and primary group ID (GID). Any account with UID 0 is root, whatever it is called, so extra UID 0 entries are worth noticing.
The 5th field (GECOS) is a free-text description of the user: New Student,,, (the commas separate full name, room, work phone and home phone, the details adduser asked for).
The last 2 fields are the user's home directory and login shell. A shell of /usr/sbin/nologin or /bin/false means the account cannot log in interactively.
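The fields above are easy to read by hand for one line, but on a real server you want to scan the whole file for the entries that matter for security. The following script is an added example (not from the original article): it splits a passwd line into its seven named fields and then audits a file for the three things worth checking after creating users: accounts with UID 0, accounts with an empty password field, and accounts that can actually log in. The sample file is constructed for the demo; set PASSWD_FILE=/etc/passwd to audit a live system.

```shell
#!/bin/sh
# Added example, not part of the original article. Parses /etc/passwd lines
# and flags entries a sysadmin should look at. SAMPLE_PASSWD is constructed
# for this demo and deliberately contains two suspicious accounts.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
student:x:1001:1001:New Student,,,:/home/student:/bin/bash
pearl:x:1002:1002:Pearl,,,:/home/pearl:/bin/bash
backdoor:x:0:0:looks harmless:/home/backdoor:/bin/sh
legacy::1003:1003:no password set:/home/legacy:/bin/bash'

# Write the constructed sample to a temp file and print its path.
write_sample_passwd() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    printf '%s\n' "$f"
}

# Print the seven fields of one passwd line as name=value.
explain_passwd_line() {
    printf '%s\n' "$1" | awk -F: '{
        print "username=" $1
        print "password=" ($2 == "x" ? "x (hash is in /etc/shadow)" : ($2 == "" ? "(empty: no password needed!)" : $2))
        print "uid=" $3
        print "gid=" $4
        print "gecos=" $5
        print "home=" $6
        print "shell=" $7
    }'
}

# Every account with UID 0 is root, whatever it is called.
find_uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# An empty second field means no password is required at all.
find_empty_password_fields() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts whose shell is not nologin/false, i.e. they can log in interactively.
find_login_capable_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Demo run: use PASSWD_FILE if set (e.g. /etc/passwd), else the sample.
created_temp=""
if [ -n "${PASSWD_FILE:-}" ]; then
    passwd_file="$PASSWD_FILE"
else
    passwd_file=$(write_sample_passwd)
    created_temp="$passwd_file"
fi
echo "== fields of the article's example entry =="
explain_passwd_line 'student:x:1001:1001:New Student,,,:/home/student:/bin/bash'
echo "== accounts with UID 0 =="
find_uid0_accounts "$passwd_file"
echo "== accounts with an empty password field =="
find_empty_password_fields "$passwd_file"
echo "== accounts that can log in interactively =="
find_login_capable_accounts "$passwd_file"
[ -n "$created_temp" ] && rm -f "$created_temp"
```

On the sample, the UID 0 check returns root and backdoor, and the empty-password check returns legacy; on a clean Debian install the first check should return only root and the second nothing.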
Now let's try using sudo with the new user. First I'll switch to the new user using su - username
Here I have logged in as the user I created, pearl.
Let's try running a sudo command as this user:
sudo cat /etc/passwd
Notice the message: our new user pearl is not in the sudoers file, so it does not have sudo access. (sudo also records the failed attempt in the system log, which is useful for spotting accounts probing for privileges.)
Let's log back in as the user with sudo access and fix this.
All users and groups with sudo access are defined in the sudoers file, /etc/sudoers. Let's read it with cat (unlike /etc/passwd, this file is readable only by root, so sudo is needed):
If we look, root and the sudo group (%sudo; the % marks a group rather than a user) are both granted ALL=(ALL:ALL) ALL, which means they may run any command as any user and any group. That is why a member of the sudo group can perform every root task.
Near the bottom a line directs sudo to another location: #includedir /etc/sudoers.d (newer sudo versions write it as @includedir; the leading # is not a comment here).
This tells sudo to also read every file in the /etc/sudoers.d directory and treat its contents as though they were written directly in /etc/sudoers.
This is good practice: a distribution update may replace /etc/sudoers, and keeping your own rules in a separate file eliminates the risk of losing them.
So in Linux you give sudo access by creating another file inside /etc/sudoers.d. I'm running a Debian distro; the same layout exists on Ubuntu and most other distributions, though the admin group is called wheel rather than sudo on Fedora, RHEL and Arch. Two rules about the drop-in directory: sudo skips any file whose name contains a dot or ends in ~, and the file must be owned by root with mode 0440. Let's give sudo access to the new user. Never edit sudoers files with a plain editor such as nano: a single syntax error locks everyone, including you, out of sudo. Use visudo, which checks the syntax before saving:
sudo visudo -f /etc/sudoers.d/pearl
Type a line with the same grant as root's but with the new username, pearl ALL=(ALL:ALL) ALL, and save. (On Debian the shorter route is to add the user to the sudo group that /etc/sudoers already grants: sudo usermod -aG sudo pearl.) Now let's try using sudo with the new user again. First switch to it with
su - username
then
sudo cat /etc/passwd
This time the content of /etc/passwd is listed because the new user has been given sudo access. Note that group membership changes only take effect on a fresh login, which su - gives us.
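Doing this by hand once is fine; doing it on every server invites the two classic mistakes (a drop-in name sudo silently ignores, and a file sudo rejects because of its permissions). The script below is an added example, not from the original article: it creates a sudoers.d drop-in for a user with the full grant the article uses, refuses names that would be ignored or could smuggle extra sudoers syntax, sets mode 0440, and (when run as root) checks the file with visudo -cf before moving it into place. The target directory is a parameter so you can rehearse in a scratch directory as a normal user; pass /etc/sudoers.d as root to do it for real.

```shell
#!/bin/sh
# Added example, not part of the original article. Installs a sudoers.d
# drop-in safely. The ALL=(ALL:ALL) ALL policy is the one the article grants;
# adjust it to the least privilege the user really needs.

# Print the sudoers line that grants a user the same rights as root.
sudoers_rule_for() {
    printf '%s ALL=(ALL:ALL) ALL\n' "$1"
}

# Reject names sudoers.d would silently ignore (a dot anywhere, a trailing ~)
# and anything outside plain account-name characters, so a crafted "user"
# string cannot inject extra sudoers directives.
valid_dropin_name() {
    case "$1" in
        ''|*.*|*~|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_sudoers_dropin USER DIR
# Writes DIR/USER with mode 0440 and prints the path on success.
write_sudoers_dropin() {
    user="$1"
    dir="$2"
    valid_dropin_name "$user" || { echo "refusing bad drop-in name: $user" >&2; return 1; }
    # Build the file under a dotted name: sudo ignores it while it is incomplete.
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    sudoers_rule_for "$user" > "$tmp"
    chmod 0440 "$tmp"
    # visudo also verifies the owner is root, so the check is only meaningful
    # when we run as root (the real /etc/sudoers.d case).
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$tmp" >/dev/null 2>&1; then
            echo "visudo rejected the rule, not installing $user" >&2
            rm -f "$tmp"
            return 1
        fi
    fi
    mv "$tmp" "$dir/$user"   # rename is atomic: sudo never sees a half-written file
    printf '%s\n' "$dir/$user"
}

# Rehearsal in a scratch directory (constructed for the demo, not /etc/sudoers.d).
demo_dir=$(mktemp -d)
write_sudoers_dropin pearl "$demo_dir"
cat "$demo_dir/pearl"
write_sudoers_dropin 'pearl.backup' "$demo_dir" || echo "(rejected, as intended: sudo would ignore that file name)"
write_sudoers_dropin 'pearl ALL=(ALL) NOPASSWD: ALL' "$demo_dir" || echo "(rejected, as intended: not a plain user name)"
rm -rf "$demo_dir"
```

Run as root with /etc/sudoers.d as the second argument and the new user can sudo on the next login; if visudo reports a problem the temporary file is removed and nothing changes.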
Server Login
You can log in to your server as the new user using ssh:
ssh -p 2222 pearl@127.0.0.1
ssh is the program used to connect to a remote server. 127.0.0.1 is the IP address we connect to; it is localhost, the same machine you are sitting on, which is convenient for testing. pearl@127.0.0.1 says log in as the user pearl at that address. -p 2222 is the port we connect to on the server (ssh uses port 22 unless told otherwise, so this assumes the server's sshd has been moved to 2222).
It will prompt for the password you set while creating the user.
One way to secure an account you have just handed out is to force the user to change the password at their first login, so the initial password you chose does not stay in use:
sudo passwd -e student
This command expires the user's password immediately. At the next login the user is told the password has expired and must be changed before any other command runs; trying to reuse the same password is rejected with "password unchanged". This is a one-time forced change, not a reset on every login.
Summary
We now know how to create a new user on Linux and give it sudo access, what /etc/passwd, /etc/sudoers and /etc/sudoers.d contain, and how to expire a user's password so it must be changed at the next login.