User Management- OpenBSD

From Free Knowledge Base- The DUCK Project: information for everyone

I edited /etc/passwd, but the changes didn't seem to take place. Why?

If you edit /etc/passwd directly, your changes will be lost. OpenBSD generates /etc/passwd dynamically with pwd_mkdb(8). The main password file in OpenBSD is /etc/master.passwd. According to pwd_mkdb(8),

   FILES
        /etc/master.passwd  current password file
        /etc/passwd         a 6th Edition-style password file
        /etc/pwd.db         insecure password database file
        /etc/pwd.db.tmp     temporary file
        /etc/spwd.db        secure password database file
        /etc/spwd.db.tmp    temporary file

In a traditional Unix password file such as /etc/passwd, everything, including the user's hashed password, is readable by anyone on the system, which makes it a prime target for cracking programs such as Crack. 4.4BSD introduced the master.passwd file, which has an extended format (with additional fields beyond those in /etc/passwd: a login class, a password-change time and an account-expiry time) and is readable only by root. The /etc/passwd that pwd_mkdb(8) generates from it carries only an asterisk in the password field. For faster access, the library calls that read this data normally consult the databases /etc/pwd.db and /etc/spwd.db; only the latter contains the hashes and, like master.passwd, it is readable only by root.

OpenBSD comes with a tool with which you should edit your password file: vipw(8). Vipw uses vi (or the editor named in $EDITOR) to edit /etc/master.passwd. When you finish editing, it re-creates /etc/passwd, /etc/pwd.db and /etc/spwd.db to match your changes. Vipw also locks these files, so anyone else who tries to change them at the same time is refused.
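As an added example, not code from the original page, here is a POSIX sh/awk script that does to constructed sample records what pwd_mkdb(8) does to the password field when it generates /etc/passwd from /etc/master.passwd, and then audits the same records the way a reviewer of vipw(8) output would: empty password fields, password fields that are neither locked nor a bcrypt string, and uid-0 accounts other than root. The records are constructed (the two hashes are simply copied from this page as sample data); the field layout is the one documented in passwd(5).

```shell
#!/bin/sh
# Added example, not part of the original page. Runs on any POSIX sh with awk.
# Constructed sample master.passwd records (the hashes are copied from this
# page and reused purely as sample data). Field layout, as in passwd(5):
#   name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD='root:$2a$06$YOdOZM3.4m6MObBXjeZtBOWArqC2.uRJZXUkOghbieIvSWXVJRzlq:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
testuser:$2a$07$ZWnBOsbqMJ.ducQBfsTKUe3PL97Ve1AHWJ0A4uLamniLNXLeYrEie:1002:31::0:0:Test FAQ User:/home/testuser:/bin/ksh
guest::1003:31::0:0:Guest Account:/home/guest:/bin/sh
ops2:$2a$06$YOdOZM3.4m6MObBXjeZtBOWArqC2.uRJZXUkOghbieIvSWXVJRzlq:0:0::0:0:Second root:/tmp:/bin/sh
svc:Xa1b2c3DESd.:1004:31::0:0:Legacy service:/var/svc:/sbin/nologin'

# Produce the world-readable /etc/passwd view of master.passwd records read
# from stdin: seven fields, with the hash replaced by "*". This is what
# pwd_mkdb(8) writes, and why editing /etc/passwd by hand changes nothing.
to_passwd_view() {
    awk -F: 'BEGIN { OFS = ":" }
             NF == 10 { print $1, "*", $3, $4, $8, $9, $10 }'
}

# Audit master.passwd records read from stdin. Reports:
#   - malformed records (wrong field count)
#   - an empty password field (login succeeds with no password at all)
#   - a password field that is neither locked ("*...") nor a bcrypt string
#   - any uid-0 account other than root
audit_master_passwd() {
    awk -F: '
        NF != 10 { printf "%s: malformed record (%d fields)\n", $1, NF; next }
        $2 == "" { printf "%s: EMPTY password field\n", $1 }
        $2 != "" && $2 !~ /^\*/ && $2 !~ /^[$]2[ab][$][0-9][0-9][$]/ {
            printf "%s: password field is not a bcrypt hash\n", $1 }
        $3 == 0 && $1 != "root" { printf "%s: uid 0 but not root\n", $1 }
    '
}

# Stand-alone usage: show both views of the sample data.
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | to_passwd_view
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | audit_master_passwd
```

On a real system you would feed the audit function the output of a root-only read of /etc/master.passwd (or of vipw's temporary file before saving); the hashes never need to leave the machine.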

What is the best way to add and delete users?

OpenBSD provides two commands for easily adding users to the system:

  • adduser(8)
  • user(8)

You can also add users by hand, using vipw(8), but this is more difficult for most operations.

The easiest way to add a user in OpenBSD is the adduser(8) script. You can configure adduser(8) by editing /etc/adduser.conf. adduser(8) performs consistency checks on /etc/passwd, /etc/group and the shell database, creates the entries and the $HOME directory for you, and can even send the new user a welcome message. Here is an example user, testuser, being added to a system. The user is given the $HOME directory /home/testuser, made a member of the group guest, and given the shell /bin/ksh.

    # adduser
    Use option ``-silent'' if you don't want to see all warnings and questions.

    Reading /etc/shells
    Reading /etc/login.conf
    Check /etc/master.passwd
    Check /etc/group

    Ok, let's go.
    Don't worry about mistakes. I will give you the chance later to correct any input.
    Enter username []: testuser
    Enter full name []: Test FAQ User
    Enter shell csh ksh nologin sh [sh]: ksh
    Uid [1002]: Enter
    Login group testuser [testuser]: guest
    Login group is ``guest''. Invite testuser into other groups: guest no [no]: no
    Login class auth-defaults auth-ftp-defaults daemon default staff [default]: Enter
    Enter password []: Type password, then Enter
    Enter password again []: Type password, then Enter

    Name:        testuser
    Password:    ****
    Fullname:    Test FAQ User
    Uid:         1002
    Gid:         31 (guest)
    Groups:      guest
    Login Class: default
    HOME:        /home/testuser
    Shell:       /bin/ksh
    OK? (y/n) [y]: y
    Added user ``testuser''
    Copy files from /etc/skel to /home/testuser
    Add another user? (y/n) [y]: n
    Goodbye!

To delete users, use the rmuser(8) utility. It removes every trace of a user: any crontab(1) entries, the $HOME directory (if the user owns it), their mail, and of course their /etc/passwd and /etc/group entries. Next is an example of removing the user added above. Notice that you are prompted for the name and for whether to remove the user's home directory.

    # rmuser
    Enter login name for user to remove: testuser
    Matching password entry:

    testuser:$2a$07$ZWnBOsbqMJ.ducQBfsTKUe3PL97Ve1AHWJ0A4uLamniLNXLeYrEie:1002:31::0:0:Test FAQ User:/home/testuser:/bin/ksh

    Is this the entry you wish to remove? y
    Remove user's home directory (/home/testuser)? y
    Updating password file, updating databases, done.
    Updating group file: done.
    Removing user's home directory (/home/testuser): done.

Adding users via user(8)

The user(8) family of tools is less interactive than adduser(8), which makes it easier to use in scripts.

The full set of tools is:

  • group(8)
  • groupadd(8)
  • groupdel(8)
  • groupinfo(8)
  • groupmod(8)
  • user(8)
  • useradd(8)
  • userdel(8)
  • userinfo(8)
  • usermod(8)

Actually adding users

Because user(8) is not interactive, adduser(8) remains the easiest way to add a single user by hand; user(8) earns its keep when you add users from a script. The command /usr/sbin/user is just a front end to the rest of the /usr/sbin/user* commands, so everything below can be written either as user add or as useradd. It is your choice, and the options are the same either way.

In this example we add the same user, with the same specifications, as above. useradd(8) is much easier to use if you know the default settings before adding a user. These settings live in /etc/usermgmt.conf and can be viewed as follows:

    $ user add -D
    group           users
    base_dir        /home
    skel_dir        /etc/skel
    shell           /bin/csh
    inactive        0
    expire          Null (unset)
    range           1000..60000

The settings above apply unless you specify otherwise with command-line options. In our case, for example, we want the user in the group guest, not users. One more little hurdle is that passwords must be supplied on the command line, and in hashed form, so you must first use the encrypt(1) utility to produce the hash. By default OpenBSD hashes passwords with the Blowfish-based bcrypt algorithm; the example below asks for a cost of 6 (the 06 in the resulting string, a log2 work factor, so 2^6 rounds of bcrypt's key setup). encrypt -p prompts for the password without echoing it. Here is an example of creating a hashed password to pass to useradd(8).

    $ encrypt -p -b 6
    Enter string:
    $2a$06$YOdOZM3.4m6MObBXjeZtBOWArqC2.uRJZXUkOghbieIvSWXVJRzlq

Now that we have our encrypted password, we are ready to add the user.

    # user add -p '$2a$06$YOdOZM3.4m6MObBXjeZtBOWArqC2.uRJZXUkOghbieIvSWXVJRzlq' -u 1002 \
    -s /bin/ksh -c "Test FAQ User" -m -g guest testuser

Note: Put single quotes (' ') around the password string, not double quotes (" "). The hash contains $ characters, which the shell treats as variable references inside double quotes and expands before user(8) ever sees the string, leaving a mangled hash that matches no password. Also make sure you specify the -m option if you want the user's home directory created and the files from /etc/skel copied over. Be aware that a hash passed on the command line is visible in ps(1) output to every user on the system for as long as user(8) runs; if that matters, create the account without -p (which leaves the password field unusable, so nobody can log in yet) and set the password afterwards with passwd(1) as root.
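Since the point of user(8) is scripting, here is an added example, not code from the original page or from OpenBSD, of adding several accounts from a list with the command line built above. The list format, the DRY_RUN and SHELLS_FILE variables and the login-name policy are assumptions of this script; the two hashes are reused from this page as sample data and would normally come from encrypt -p -b run beforehand. The script validates each record the way adduser(8) does (shell listed in /etc/shells, password field really a bcrypt string, so a hash mangled by double quotes is caught before an account is created), warns about a low bcrypt cost, and by default only prints the user(8) commands, so it can be reviewed on any POSIX sh.

```shell
#!/bin/sh
# Added example, not from the original page: add several accounts with
# user(8) from a list. Hashes come from "encrypt -p -b <cost>" run
# beforehand (the two below are reused from this page as sample data).
# DRY_RUN=1, the default, prints each user(8) command instead of running
# it, so the script can be reviewed on any POSIX sh; DRY_RUN=0 on an
# OpenBSD host as root actually creates the accounts.
: "${DRY_RUN:=1}"
: "${SHELLS_FILE:=/etc/shells}"   # overridable so the checks can be tested

# Constructed input, one record per line: login:gecos:group:shell:hash
USERLIST='testuser:Test FAQ User:guest:/bin/ksh:$2a$06$YOdOZM3.4m6MObBXjeZtBOWArqC2.uRJZXUkOghbieIvSWXVJRzlq
ftponly:FTP only account:guest:/usr/bin/false:$2a$07$ZWnBOsbqMJ.ducQBfsTKUe3PL97Ve1AHWJ0A4uLamniLNXLeYrEie'

# A bcrypt string as printed by encrypt(1): $2a$ or $2b$, a two-digit cost,
# then 53 characters of salt+hash. Anything else (typically a hash that went
# through double quotes and had its $-parts expanded) is rejected.
valid_bcrypt() {
    printf '%s\n' "$1" | grep -Eq '^\$2[ab]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# Print the cost field of a bcrypt string (log2 of the work factor).
bcrypt_cost() {
    printf '%s\n' "$1" | cut -d '$' -f 3 | sed 's/^0//'
}

# Conservative login-name policy (an assumption of this script, not an
# OpenBSD rule): lowercase, starts with a letter or underscore.
valid_login() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# adduser(8), chsh(1) and ftpd(8) all consult /etc/shells; so do we.
shell_allowed() {
    grep -qxF -- "$1" "$SHELLS_FILE" 2>/dev/null
}

# Validate one record and run (or print) the corresponding user(8) command.
add_one() {
    login=$1 gecos=$2 group=$3 shl=$4 hash=$5
    valid_login "$login" || { echo "skip $login: bad login name" >&2; return 1; }
    valid_bcrypt "$hash" || { echo "skip $login: not a bcrypt string (quoting?)" >&2; return 1; }
    [ "$(bcrypt_cost "$hash")" -ge 8 ] || echo "warn $login: bcrypt cost below 8" >&2
    shell_allowed "$shl" || { echo "skip $login: $shl not in $SHELLS_FILE" >&2; return 1; }
    # The hash is one argv element and never passes through double quotes,
    # so its $-parts survive. It is still visible in ps(1) while user(8) runs.
    set -- user add -m -g "$group" -s "$shl" -c "$gecos" -p "$hash" "$login"
    if [ "$DRY_RUN" = 1 ]; then printf '%s ' "$@"; echo; else "$@"; fi
}

# Process every record; the return value is the number of records skipped.
add_all() {
    fails=0
    tmp=$(mktemp) || return 99
    printf '%s\n' "$USERLIST" > "$tmp"
    while IFS=: read -r login gecos group shl hash; do
        add_one "$login" "$gecos" "$group" "$shl" "$hash" || fails=$((fails + 1))
    done < "$tmp"
    rm -f "$tmp"
    return "$fails"
}

add_all
```

Run as is, the ftponly record is skipped until /usr/bin/false is listed in /etc/shells, which is exactly the step the ftp-only-account recipe later on this page requires; the testuser record is printed with a warning that a cost of 6 is low by current standards.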

To see that the user was created correctly, we can use many different utilities. Below are a few commands you can use to quickly check that everything was created correctly.

   $ ls -la /home
   total 14
   drwxr-xr-x   5 root      wheel   512 May 12 14:29 .
   drwxr-xr-x  15 root      wheel   512 Apr 25 20:52 ..
   drwxr-xr-x  24 ericj     wheel  2560 May 12 13:38 ericj
   drwxr-xr-x   2 testuser  guest   512 May 12 14:28 testuser
   $ id testuser
   uid=1002(testuser) gid=31(guest) groups=31(guest)
   $ finger testuser
   Login: testuser                         Name: Test FAQ User
   Directory: /home/testuser               Shell: /bin/ksh
   Last login Sat Apr 22 16:05 (EDT) on ttyC2
   No Mail.
   No Plan.

In addition to these commands, user(8) provides its own utility to show user characteristics, called userinfo(8).

   $ userinfo testuser
   login   testuser
   passwd  *
   uid     1002
   groups  guest
   change  Wed Dec 31 19:00:00 1969
   class
   gecos   Test FAQ User
   dir     /home/testuser
   shell   /bin/ksh
   expire  Wed Dec 31 19:00:00 1969

Removing users

To remove users with the user(8) family of commands, use userdel(8). To remove the user created in the last example:

   # userdel -r testuser

Notice the -r option, which must be specified if you want the user's home directory deleted as well. Alternatively, specify -p instead of -r: this preserves the user's entry in the password database but marks the account expired, so it can no longer be used to log in, and removes nothing.

How do I create an ftp-only account (not anonymous FTP!)?

There are a few ways to do this, but a very common one is to add "/usr/bin/false" to "/etc/shells" and then set the user's shell to "/usr/bin/false". Such users cannot log in interactively, but ftpd(8), which only accepts users whose shell is listed in /etc/shells, will still let them transfer files. Bear in mind that /etc/shells is consulted by more than ftpd: for instance, chsh(1) lets any user switch to a shell listed there, so list only what you mean to allow. You will usually also want to confine such users to their home directory by listing them in /etc/ftpchroot (see ftpchroot(5)).

Setting up Quotas

Quotas limit the disk space, and the number of files, available to each user or group on your filesystems. They are very helpful where resources are limited. Quotas can be set per user and/or per group.

The first step in setting up quotas is to make sure that "option QUOTA" is in your kernel configuration; it is in the GENERIC kernel. Next, mark in /etc/fstab the filesystems on which quotas are to be enabled, using the keywords userquota and groupquota. By default the files quota.user and quota.group at the root of each such filesystem hold the quota information; the location can be overridden by giving a file name with the option, such as "userquota=/var/quotas/quota.user". Here is an example /etc/fstab line for one filesystem with user quotas enabled and the quota file in a non-standard location:

   /dev/wd0a / ffs rw,userquota=/var/quotas/quota.user 1 1

Now it is time to set the user's quotas with edquota(8). The simplest use is "edquota <user>". edquota(8) edits the quotas with vi(1) unless the environment variable EDITOR names a different editor; to give many users the limits of one prototype user, use "edquota -p <prototype user> <user> ...". For example:

   # edquota ericj

This will give you output similar to this:

   Quotas for user ericj:
   /: blocks in use: 62, limits (soft = 0, hard = 0)
           inodes in use: 25, limits (soft = 0, hard = 0)

To add limits, edit it to give results like this:

   Quotas for user ericj:
   /: blocks in use: 62, limits (soft = 1000, hard = 1050)
           inodes in use: 25, limits (soft = 0, hard = 0)

Note that quota allocation is in 1k blocks. In this case the soft limit is 1000k and the hard limit is 1050k. The soft limit is one the user is merely warned about when crossing it; they then have until the grace period expires to bring their usage back under the limit. Grace periods can be set with the -t option of edquota(8). Once the grace period is over, the soft limit is treated as a hard limit, which usually results in an allocation failure.

Now that the quotas are set, you need to turn the quotas on. To do this use quotaon(8). For example:

   # quotaon -a

This goes through /etc/fstab and turns quotas on for every filesystem with quota options. Now that quotas are running, you can view them with quota(1). "quota <user>" gives that user's information (only root may look at other users' quotas); called with no arguments, quota(1) reports your own. For example:

   # quota ericj

Will result in output similar to this:

   Disk quotas for user ericj (uid 1001): 
        Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
                 /      62    1000    1050              27       0       0        

By default quotas set in /etc/fstab will be started on boot. To turn them off use

   # quotaoff -a
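As an added example, not from the original page, here is a small awk-based check over quota(1) output for several users (as produced by running quota for each user in turn), constructed here to match the column layout shown above. It shows how to read the columns, the "*" that quota(1) appends to a usage figure that has reached its soft limit, and the grace column that appears only in that case, and it lists every user and filesystem over a soft limit so an operator can act before the grace period runs out and writes start failing. The sample output is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Reports users over a soft
# quota limit by reading quota(1) output (e.g. "for u in ...; do quota $u; done").
# Constructed sample output: ericj is within limits; testuser has exceeded
# the block soft limit (1020 of 1000 1k-blocks) and is in the grace period.
# quota(1) marks such a figure with "*" and then shows the remaining grace.
SAMPLE_QUOTA_OUTPUT='Disk quotas for user ericj (uid 1001):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
              /      62    1000    1050              27       0       0
Disk quotas for user testuser (uid 1002):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
              /   1020*    1000    1050   6days      80     100     200'

# Read quota(1) output on stdin; print one line per user/filesystem whose
# block or inode usage has reached its soft limit:
#   user filesystem blocks|files used/soft/hard grace=<remaining>
quota_report() {
    awk '
        /^Disk quotas for user / { user = $5; next }
        $1 ~ /^\// {
            fs = $1; blocks = $2; bsoft = $3; bhard = $4; i = 5; bgrace = ""
            # a "*" suffix means over the soft limit, and a grace column follows
            if (blocks ~ /\*$/) { sub(/\*$/, "", blocks); bgrace = $5; i = 6 }
            files = $i; fsoft = $(i + 1); fhard = $(i + 2); fgrace = ""
            if (files ~ /\*$/) { sub(/\*$/, "", files); fgrace = $(i + 3) }
            if (bsoft + 0 > 0 && blocks + 0 >= bsoft + 0)
                printf "%s %s blocks %s/%s/%s grace=%s\n", user, fs, blocks, bsoft, bhard, bgrace
            if (fsoft + 0 > 0 && files + 0 >= fsoft + 0)
                printf "%s %s files %s/%s/%s grace=%s\n", user, fs, files, fsoft, fhard, fgrace
        }'
}

# Stand-alone usage over the constructed sample.
printf '%s\n' "$SAMPLE_QUOTA_OUTPUT" | quota_report
```

The empty grace columns are what make the line layout variable, which is why the parser keys on the "*" marker rather than on fixed field positions.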