# 5.1 Create Users using CLI

For people to connect to virtual machines, we need not only an SSH connection but also a user to log in as. Users are added to VMs in two separate ways: local users and remote users.

Local users exist on the machine itself. They exist as entries in the following files:

|Type     |File Location    |
|:--------|:----------------|
|users    |```/etc/passwd```|
|groups   |```/etc/group``` |
|passwords|```/etc/shadow```|

If you want, you can check what users exist on the local machine by typing: ```cat /etc/passwd```.

```bash
[root@rhcsa ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
geoclue:x:997:995:User for geoclue:/var/lib/geoclue:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
unbound:x:996:991:Unbound DNS resolver:/etc/unbound:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:x:995:990:GlusterFS daemons:/run/gluster:/sbin/nologin
chrony:x:994:989::/var/lib/chrony:/sbin/nologin
```

You see several things here.
So, if we take the user nietzche as an example: ```nietzche:x:1002:1002:weirdo:/home/nietzche:/bin/bash```

|User Name|User Password|UID|GID|Comment|Home Directory|Shell|
|:-:|:-:|:-:|:-:|:-:|:-:|:-:|
|nietzche|x|1002|1002|weirdo|/home/nietzche|/bin/bash|

The ```x``` means the password will be checked in the ```/etc/shadow``` file.

### Adding users

Let's become root for this exercise.

```bash
su - root
```

Let's add the user **juliet** to the machine.

```bash
useradd juliet
```

The result should look like this:

```bash
[root@rhcsa ~]# tail -3 /etc/passwd
greater:x:1001:1001:student User:/home/greater:/bin/bash
nietzche:x:1002:1002:weirdo:/home/nietzche:/bin/bash
juliet:x:1003:1003::/home/juliet:/bin/bash
```

The user was added at the bottom of the ```/etc/passwd``` file. This file stores all the local users.

### Setting passwords

Now we must set a password so **juliet** can log in:

```bash
passwd juliet
```

Give her the password **greater**:

```bash
[root@rhcsa ~]# passwd juliet
Changing password for user juliet.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
```

We can see that the password was automatically added to the ```/etc/shadow``` file by running ```tail -3 /etc/shadow```:

```bash
[root@rhcsa ~]# tail -3 /etc/shadow
greater:$6$M5Jl6TAJas6cypcv$uho4GpDQXDhYQjVy0mgZ/YDYQgFDhhvGP52Zxa3/x.ko4DBSalr2Kl6yJji8.xrKiRk2XMiJvHNCAVJRi3QDY0:18450:0:99999:7:::
nietzche:!!:18450:0:99999:7:::
juliet:$6$rhfMEVmcT8NGMfRW$uUEpROWY40I/f3Ri93tirTVWIpZ5zqjw3kvPNmWK.AsoXk9i3.sT5wLNm2re62OkGkETARv8aTmsWwKkRhmQT.:18457:0:99999:7:::
```

Do the same for the user:

- Romeo

### Users without a shell

Sometimes you want to make a user that has limited access, e.g. a user that exists only to run a process. This is often called a **Functional User**.
The following users are not allowed to have login shells:

- plato
- aristotle

You can do this by adding the ```-s``` switch with ```/sbin/nologin``` behind it (more info in ```man useradd```).

```bash
useradd plato -s /sbin/nologin
```

The ```-s``` switch sets the shell field of the user. This prevents the user from having an interactive shell. You can check the differences with:

```bash
tail -5 /etc/passwd
```

Result:

```bash
[root@rhcsa ~]# tail -5 /etc/passwd
greater:x:1001:1001:student User:/home/greater:/bin/bash
nietzche:x:1002:1002:weirdo:/home/nietzche:/bin/bash
juliet:x:1003:1003::/home/juliet:/bin/bash
plato:x:1004:1004::/home/plato:/sbin/nologin
aristotle:x:1005:1005::/home/aristotle:/sbin/nologin
```

See that at the end of the line the shell was set to ```/sbin/nologin```.
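
As an added example (not part of the original page), the script below combines the two files discussed above: it reads the shell field from a passwd file and the password field from a shadow file, then reports which accounts can still log in with a password. The function names `write_samples`, `audit_accounts` and `password_logins` are hypothetical, and the sample entries are constructed copies with placeholder hashes.

```bash
# Added example: sample entries are constructed; "$6$..." strings are placeholders.

# write_samples DIR: create constructed copies of passwd and shadow in DIR.
write_samples() {
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
greater:x:1001:1001:student User:/home/greater:/bin/bash
nietzche:x:1002:1002:weirdo:/home/nietzche:/bin/bash
juliet:x:1003:1003::/home/juliet:/bin/bash
plato:x:1004:1004::/home/plato:/sbin/nologin
EOF
  cat > "$1/shadow" <<'EOF'
root:$6$PLACEHOLDER$constructed:18450:0:99999:7:::
greater:$6$PLACEHOLDER$constructed:18450:0:99999:7:::
nietzche:!!:18450:0:99999:7:::
juliet:$6$PLACEHOLDER$constructed:18457:0:99999:7:::
plato:!!:18457:0:99999:7:::
EOF
}

# audit_accounts PASSWD SHADOW: print "name uid shell-state password-state".
audit_accounts() {
  awk -F: '
    FILENAME == ARGV[1] {            # shadow: classify field 2
      if ($2 == "")          pw[$1] = "empty"
      else if ($2 ~ /^[!*]/) pw[$1] = "locked"
      else                   pw[$1] = "set"
      next
    }
    {                                # passwd: field 7 is the shell
      sh = ($7 ~ /\/(nologin|false)$/) ? "no-shell" : "shell"
      if ($2 != "x")      state = "in-passwd"   # not deferred to shadow
      else if ($1 in pw)  state = pw[$1]
      else                state = "missing"
      print $1, $3, sh, state
    }
  ' "$2" "$1"
}

# password_logins PASSWD SHADOW: names with a login shell whose password is not locked.
password_logins() {
  audit_accounts "$1" "$2" | awk '$3 == "shell" && $4 != "locked" && $4 != "missing" { print $1 }'
}

# Demo on the constructed data; on a real host pass /etc/passwd and /etc/shadow as root.
tmp=$(mktemp -d) && write_samples "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

In the demo output nietzche is reported as `shell locked`: the account keeps ```/bin/bash``` but its shadow entry is ```!!```, so it cannot log in with a password, while plato is both `no-shell` and `locked`.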