Category Archives: Linux

chage, usermod, passwd

Both the passwd and usermod commands can lock or unlock a user account's password and modify the password ageing information for the account. The chage command only modifies password ageing information, but unlike passwd it can also set an account expiry date (-E), which usermod can do too (-e). Locking the password and expiring the account are different controls: a locked password still allows logins that do not use the password (an SSH public key, for example), whereas an expired account refuses every login.

chage

chage only modifies a user account's password ageing (expiry) information.

[root@server1 ~]# chage -h
Usage: chage [options] LOGIN

Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximum number of days before password
                                change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

passwd

The passwd command sets or changes a user's password; it can also modify the password ageing attributes of the account and lock or unlock the user's password.

Locking prefixes the password hash field in /etc/shadow with “!”: on this system passwd -l writes “!!” while usermod -L writes a single “!”, as the outputs below show. Either prefix makes the field an invalid hash that no password can match, so password authentication fails; the original hash is kept behind the prefix, and the corresponding unlock flag removes the prefix so the old password works again unchanged. Note that this locks the password only: SSH public-key authentication and other non-password login paths are unaffected, so to disable an account completely also set an expiry date in the past (usermod -e or chage -E).

Locking a user account with the passwd command is accomplished with the -l flag:

[root@server1 ~]# passwd -l user10
Locking password for user user10.
passwd: Success

[root@server1 ~]# grep user10 /etc/shadow
user10:!!$6$xpkPmLMWCP5NFp/h$VYfghUJGyeRt64nQFaTLNLctrryrawaMeEBc99SpsjJv0U6rr3.nLyDNfbbegB3DtIylnnB1dH.RqQ6IAJHT7.:18743:0:99999:7:::

Unlocking a user account with the passwd command uses the -u flag, shown below:

[root@server1 ~]# passwd -u user10
Unlocking password for user user10.
passwd: Success

[root@server1 ~]# grep user10 /etc/shadow
user10:$6$xpkPmLMWCP5NFp/h$VYfghUJGyeRt64nQFaTLNLctrryrawaMeEBc99SpsjJv0U6rr3.nLyDNfbbegB3DtIylnnB1dH.RqQ6IAJHT7.:18743:0:99999:7:::

Further useful information is found in the man page or with the --help option:

[root@server1 ~]# passwd --help
Usage: passwd [OPTION...] <accountName>
  -k, --keep-tokens       keep non-expired authentication tokens
  -d, --delete            delete the password for the named account (root only); also removes password lock if any
  -l, --lock              lock the password for the named account (root only)
  -u, --unlock            unlock the password for the named account (root only)
  -e, --expire            expire the password for the named account (root only)
  -f, --force             force operation
  -x, --maximum=DAYS      maximum password lifetime (root only)
  -n, --minimum=DAYS      minimum password lifetime (root only)
  -w, --warning=DAYS      number of days warning users receives before password expiration (root only)
  -i, --inactive=DAYS     number of days after password expiration when an account becomes disabled (root only)
  -S, --status            report password status on the named account (root only)
      --stdin             read new tokens from stdin (root only)

Help options:
  -?, --help              Show this help message
      --usage             Display brief usage message

usermod

The usermod command modifies user account attributes, but it may also be used to lock or unlock the user account with the -L and -U flags respectively, as seen below.

Locking a user account with the usermod command:

[root@server1 ~]# usermod -L user10
[root@server1 ~]# grep user10 /etc/shadow
user10:!$6$xpkPmLMWCP5NFp/h$VYfghUJGyeRt64nQFaTLNLctrryrawaMeEBc99SpsjJv0U6rr3.nLyDNfbbegB3DtIylnnB1dH.RqQ6IAJHT7.:18743:0:99999:7:::

usermod can unlock an account with the -U flag:

[root@server1 ~]# usermod -U user10
[root@server1 ~]# grep user10 /etc/shadow
user10:$6$xpkPmLMWCP5NFp/h$VYfghUJGyeRt64nQFaTLNLctrryrawaMeEBc99SpsjJv0U6rr3.nLyDNfbbegB3DtIylnnB1dH.RqQ6IAJHT7.:18743:0:99999:7:::
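Both lock flags leave a recognisable mark in the hash field, and a password lock is not the same thing as an account expiry. The following script, added here as an example and not part of the original post, classifies shadow-format records into the states described above. It runs against SAMPLE_SHADOW, a constructed data set with placeholder (truncated) hashes; the account names and the day numbers are assumptions, and it only reads the real /etc/shadow if you pass that file's contents in yourself as root.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): classify each account's lock and
# expiry state from shadow-format records. SAMPLE_SHADOW is constructed data
# that mimics /etc/shadow; the hashes are truncated placeholders, not real
# credentials, and nothing here touches the real /etc/shadow unless you pass
# its contents in explicitly.
SAMPLE_SHADOW='user10:!!$6$xpkPmLMWCP5NFp/h$VYfghUJG...:18743:0:99999:7:::
user11:!$6$xpkPmLMWCP5NFp/h$VYfghUJG...:18743:0:99999:7:::
user12:$6$xpkPmLMWCP5NFp/h$VYfghUJG...:18743:0:99999:7::18700:
user13:*:18743:0:99999:7:::
user14::18743:0:99999:7:::
user15:!!:18743:0:99999:7:::
user16:$6$xpkPmLMWCP5NFp/h$VYfghUJG...:18743:0:99999:7:::'

# shadow_state LOGIN [SHADOW_CONTENT] [TODAY_IN_DAYS]
# Prints one word for the account and returns 1 if LOGIN is not found.
#   expired          field 8 (expiry, days since the epoch) is today or earlier:
#                    every login path is refused, SSH keys included
#   locked-passwd    hash prefixed with "!!", as passwd -l writes on this system
#   locked-usermod   hash prefixed with "!", as usermod -L writes
#   never-set        "!!" or "!" with nothing behind it: no password was ever set
#   no-login         "*": no password authentication is possible
#   empty-password   empty field: password login with no password at all
#   active           a usable hash and no expiry date reached
# A locked-* state blocks password authentication only; keys in
# ~/.ssh/authorized_keys still work unless the account is also expired.
shadow_state() {
  local login=$1 content=${2:-$SAMPLE_SHADOW}
  local today=${3:-$(( $(date +%s) / 86400 ))}
  local line hash expire
  line=$(printf '%s\n' "$content" | grep -- "^${login}:") || { echo missing; return 1; }
  hash=$(printf '%s' "$line" | cut -d: -f2)
  expire=$(printf '%s' "$line" | cut -d: -f8)
  if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
    echo expired
    return 0
  fi
  case "$hash" in
    '!!'|'!') echo never-set ;;
    '!!'*)    echo locked-passwd ;;
    '!'*)     echo locked-usermod ;;
    '*'*)     echo no-login ;;
    '')       echo empty-password ;;
    *)        echo active ;;
  esac
}

# shadow_report [SHADOW_CONTENT]: one line per account.
# On a real host, as root:  shadow_report "$(cat /etc/shadow)"
shadow_report() {
  local content=${1:-$SAMPLE_SHADOW} login
  printf '%s\n' "$content" | cut -d: -f1 | while read -r login; do
    printf '%-8s %s\n' "$login" "$(shadow_state "$login" "$content")"
  done
}

shadow_report
```

The expiry check runs before the hash check on purpose: an expired account is refused whatever its hash says, which is why an expiry date, not a password lock, is the right way to disable an account that may have SSH keys installed.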

More flags are available for the usermod command and can be discovered via the man page or with the --help option:

[root@server1 ~]# usermod --help
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                the user from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -R, --root CHROOT_DIR         directory to chroot into
  -P, --prefix PREFIX_DIR       prefix directory where are located the /etc/* files
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -v, --add-subuids FIRST-LAST  add range of subordinate uids
  -V, --del-subuids FIRST-LAST  remove range of subordinate uids
  -w, --add-subgids FIRST-LAST  add range of subordinate gids
  -W, --del-subgids FIRST-LAST  remove range of subordinate gids
  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account


w and who

who

The who command displays the users who are currently logged into the system, the time each user logged in and the source (remote IP address or tty line) the user is connected via.

[user1@server1 ~]$ who
root     pts/0        2021-04-06 06:05 (192.168.122.1)
user1    pts/1        2021-04-06 06:13 (192.168.122.1)
root     tty2         2021-04-06 06:12 (tty2)

w

The w command displays the currently logged in users and what they are doing: the tty name, the login time, the idle time, and the command line of the user's current process.

In addition, w displays JCPU, the CPU time used by all processes attached to the tty session, and PCPU, the CPU time used by the current process named in the WHAT field.

Below, the first root user's current process is bash, user1's current process is the w command itself and the second root user's current process is /usr/libexec/gsd-disk-utility-notify.

The FROM field lists the remote IP address for the first two users and tty2 for the second root user, which indicates that the second root user is logged in at the server's console rather than over the network.

[user1@server1 ~]$ w
 06:14:10 up 9 min,  3 users,  load average: 0.31, 0.18, 0.10
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.168.122.1    06:05    5:35   0.11s  0.03s -bash
user1    pts/1    192.168.122.1    06:13    1.00s  0.01s  0.00s w
root     tty2     tty2             06:12    9:11   6.34s  0.00s /usr/libexec/gsd-disk-utility-notify


last, lastb and lastlog

The three tools outlined below are available on Linux to audit user logins, server reboots and failed login attempts.

last

The last command displays the login sessions recorded on the system, most recent first, including the pseudo user reboot, which gets an entry each time the system boots. Filtering to that pseudo user, as shown below, lists every system boot since the log file was created.

The last command can be run by normal users and does not require root privileges, because the wtmp file it reads is world-readable (see the permissions below).

[root@server1 ~]# last reboot
reboot   system boot  4.18.0-240.15.1. Sat Apr  3 20:00   still running
reboot   system boot  4.18.0-240.15.1. Sat Apr  3 19:24 - 19:59  (00:35)
reboot   system boot  4.18.0-240.15.1. Sat Apr  3 07:01 - 19:59  (12:58)
<snip>

wtmp begins Sun Feb 28 12:34:51 2021

The last command reads its entries from /var/log/wtmp:

[root@server1 ~]# ls -l /var/log/wtmp
-rw-rw-r--. 1 root utmp 91776 Apr  3 20:00 /var/log/wtmp

lastb

The lastb command is the same as last except that it displays the list of failed login attempts. lastb requires root privileges because /var/log/btmp is not world-readable; that restriction exists because users occasionally type their password at the login prompt by mistake, and the string is then recorded in btmp as the failed login name:

[root@server1 ~]# lastb root
root     ssh:notty    192.168.122.1    Sat Apr  3 20:47 - 20:47  (00:00)
root     ssh:notty    192.168.122.1    Sat Apr  3 20:47 - 20:47  (00:00)
root     ssh:notty    192.168.122.1    Sat Apr  3 20:10 - 20:10  (00:00)
root     ssh:notty    192.168.122.1    Sat Apr  3 20:10 - 20:10  (00:00)

btmp begins Sat Apr  3 20:10:32 2021

lastb reads its entries from /var/log/btmp, as shown below:

[root@server1 ~]# ls -l /var/log/btmp
-rw-rw----. 1 root utmp 1920 Apr  3 20:10 /var/log/btmp
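Repeated ssh:notty entries from one address, like the ones above, are the raw material for spotting password guessing. The script below, added here as an example and not part of the original post, summarises lastb-style output per source and lists the distinct usernames tried from each, since many different names from one host is the signature of a brute-force or credential-stuffing run rather than a user mistyping a password. SAMPLE_LASTB is constructed text in the layout lastb prints (the extra addresses and usernames are assumptions), not real btmp data.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): summarise failed logins per source
# from lastb-style output and flag sources at or above a threshold. SAMPLE_LASTB
# is constructed text in the layout lastb prints; it is not real btmp data.
SAMPLE_LASTB='root     ssh:notty    192.168.122.1    Sat Apr  3 20:47 - 20:47  (00:00)
root     ssh:notty    192.168.122.1    Sat Apr  3 20:47 - 20:47  (00:00)
admin    ssh:notty    203.0.113.7      Sat Apr  3 20:30 - 20:30  (00:00)
root     ssh:notty    203.0.113.7      Sat Apr  3 20:10 - 20:10  (00:00)
root     ssh:notty    203.0.113.7      Sat Apr  3 20:10 - 20:10  (00:00)
oracle   ssh:notty    203.0.113.7      Sat Apr  3 20:10 - 20:10  (00:00)
user1    tty2         tty2             Sat Apr  3 19:58 - 19:58  (00:00)

btmp begins Sat Apr  3 20:10:32 2021'

# failed_by_source [THRESHOLD]
# Reads lastb output on stdin and prints "COUNT SOURCE USERNAMES" for every
# source with COUNT >= THRESHOLD (default 3), highest count first. USERNAMES
# is the list of distinct login names tried from that source, in the order
# they first appear. Fields: $1 = user, $2 = tty/port, $3 = source host.
failed_by_source() {
  local threshold=${1:-3}
  awk -v t="$threshold" '
    NF < 3 || /^btmp begins/ { next }       # skip the blank line and the trailer
    {
      src = $3
      count[src]++
      if (!seen[src, $1]++)
        names[src] = (names[src] ? names[src] "," : "") $1
    }
    END {
      for (s in count)
        if (count[s] >= t) printf "%d %s %s\n", count[s], s, names[s]
    }' \
  | sort -rn
}

printf '%s\n' "$SAMPLE_LASTB" | failed_by_source 3
```

On a real system run it as root with lastb -i | failed_by_source 10; the -i flag makes lastb print the source as an IP address rather than a resolved hostname, so that one attacker host is not split across several names.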

lastlog

The lastlog command displays the most recent login for every account, or for a specific user, including system and service accounts that have never logged in. It can be executed by normal users.

The file that lastlog reads, and where its entries are written, is /var/log/lastlog.

[root@server1 ~]# ls -l /var/log/lastlog
-rw-rw-r--. 1 root utmp 584292 Apr  3 20:00 /var/log/lastlog

For example, to display the most recent login for a specific user the -u switch can be used, as seen below:

[root@server1 ~]# lastlog -u root
Username         Port     From             Latest
root             pts/1    192.168.122.1    Sat Apr  3 20:00:59 +1100 2021

As mentioned above, the three files (listed below) that these commands read from are all located in /var/log and are binary database files rather than text logs:

  • wtmp
  • btmp
  • lastlog

If you attempt to read these files with cat you will just see garbage echoed to stdout, and if you open them with a tool like less you will receive the warning that the file “may be a binary file. See it anyway?”. The records are fixed-size utmp structures; the utmpdump utility from util-linux prints them in readable form (for example utmpdump /var/log/wtmp), which is useful when checking whether a wtmp or btmp file has been truncated or tampered with.
