5.1 Create Users using CLI
For people to connect to Virtual Machines, we need not only an SSH connection but also a user to log in as.
Users are added to VMs in two separate ways: local users and remote users.
Local users exist on the machine itself. They exist as entries in the following files:
| Type | File Location |
|---|---|
| users | |
| groups | |
| passwords | |
If you want, you can check which users exist on the local machine by typing:
cat /etc/passwd
[root@rhcsa ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
geoclue:x:997:995:User for geoclue:/var/lib/geoclue:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
unbound:x:996:991:Unbound DNS resolver:/etc/unbound:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:x:995:990:GlusterFS daemons:/run/gluster:/sbin/nologin
chrony:x:994:989::/var/lib/chrony:/sbin/nologin
Each line holds seven colon-separated fields. If we take the user nietzche as an example:
nietzche:x:1002:1002:weirdo:/home/nietzche:/bin/bash
| User Name | User Password | UID | GID | Comment | Home Directory | Shell |
|---|---|---|---|---|---|---|
| nietzche | x | 1002 | 1002 | weirdo | /home/nietzche | /bin/bash |
The x means the password will be checked in the /etc/shadow file.
Adding users
Let’s become root for this exercise.
su - root
Let’s add the user juliet to the machine.
useradd juliet
The result should look like this:
[root@rhcsa ~]# tail -3 /etc/passwd
greater:x:1001:1001:student User:/home/greater:/bin/bash
nietzche:x:1002:1002:weirdo:/home/nietzche:/bin/bash
juliet:x:1003:1003::/home/juliet:/bin/bash
The user was added at the bottom of the /etc/passwd file. This file stores all the local users.
Setting passwords
Now we must add a password so juliet can log in.
passwd juliet
Give her the password greater. passwd warns that the password is too short, but as root we can set it anyway:
[root@rhcsa ~]# passwd juliet
Changing password for user juliet.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
With the command tail -3 /etc/shadow we can see that the password was automatically added to the /etc/shadow file, stored as a hash:
[root@rhcsa ~]# tail -3 /etc/shadow
greater:$6$M5Jl6TAJas6cypcv$uho4GpDQXDhYQjVy0mgZ/YDYQgFDhhvGP52Zxa3/x.ko4DBSalr2Kl6yJji8.xrKiRk2XMiJvHNCAVJRi3QDY0:18450:0:99999:7:::
nietzche:!!:18450:0:99999:7:::
juliet:$6$rhfMEVmcT8NGMfRW$uUEpROWY40I/f3Ri93tirTVWIpZ5zqjw3kvPNmWK.AsoXk9i3.sT5wLNm2re62OkGkETARv8aTmsWwKkRhmQT.:18457:0:99999:7:::
Do the same for the user:
Romeo
Users without a shell
Sometimes you want to make a user that has limited access, e.g. a user that only exists to run a process. This is often called a Functional User.
The following users are not allowed to have login shells:
plato
aristotle
You can do this by adding the -s switch followed by /sbin/nologin (more info in man useradd).
useradd plato -s /sbin/nologin
The -s switch sets the shell field of the user's entry in /etc/passwd. This prevents the user from getting an interactive shell.
You can check the differences with:
tail -5 /etc/passwd
Result:
[root@rhcsa ~]# tail -5 /etc/passwd
greater:x:1001:1001:student User:/home/greater:/bin/bash
nietzche:x:1002:1002:weirdo:/home/nietzche:/bin/bash
juliet:x:1003:1003::/home/juliet:/bin/bash
plato:x:1004:1004::/home/plato:/sbin/nologin
aristotle:x:1005:1005::/home/aristotle:/sbin/nologin
Note that the shell field at the end of the lines for plato and aristotle is now /sbin/nologin.
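The /etc/passwd fields, the x that points into /etc/shadow, and the /sbin/nologin shell described above can be checked together. The following is an added example, not part of the original lab: a hypothetical audit_accounts helper that joins the two files and reports, per account, whether an interactive shell is allowed and whether a password is set. The sample entries and placeholder hashes are constructed.

```shell
#!/bin/sh
# Constructed sample data in /etc/passwd and /etc/shadow format; the hashes are placeholders.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nietzche:x:1002:1002:weirdo:/home/nietzche:/bin/bash
juliet:x:1003:1003::/home/juliet:/bin/bash
plato:x:1004:1004::/home/plato:/sbin/nologin'
SAMPLE_SHADOW='root:$6$SALT$PLACEHOLDERHASH:18450:0:99999:7:::
bin:*:18450:0:99999:7:::
nietzche:!!:18450:0:99999:7:::
juliet:$6$SALT$PLACEHOLDERHASH:18457:0:99999:7:::
plato:!!:18457:0:99999:7:::'

# audit_accounts PASSWD_FILE SHADOW_FILE (hypothetical helper; the real shadow file needs root)
audit_accounts() {
    awk -F: -v shadow="$2" '
    BEGIN {
        # Remember field 2 of every shadow entry: a hash, a lock marker, or nothing.
        while ((getline line < shadow) > 0) {
            split(line, f, ":")
            hash[f[1]] = f[2]; known[f[1]] = 1
        }
        close(shadow)
    }
    NF == 7 {
        # Field 7 is the shell: nologin or false denies an interactive session.
        login = ($7 ~ /\/(nologin|false)$/) ? "no" : "yes"
        if (!($1 in known))          state = "missing"   # no shadow entry at all
        else if (hash[$1] == "")     state = "empty"     # logs in without a password
        else if (hash[$1] ~ /^[!*]/) state = "locked"    # !!, ! or *: no usable password
        else                         state = "set"       # a real hash such as $6$...
        printf "%s uid=%s shell=%s login=%s password=%s\n", $1, $3, $7, login, state
    }' "$1"
}

# Run the audit over the constructed sample above.
audit_sample() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_SHADOW" > "$tmp/shadow"
    audit_accounts "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

audit_sample
```

On a real machine, run audit_accounts /etc/passwd /etc/shadow as root; accounts reported with login=yes and password=empty deserve immediate attention.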