Linux system administrators face a lot of challenges, and one of the ongoing ones is dealing with user accounts. Onboarding, offboarding, managing passwords, disabling accounts, enabling accounts, preserving home directory contents, and fixing permissions are tasks that must be done but are also tedious to perform. This article provides you with a quick solution to managing user accounts on local systems. Sure, there's Active Directory, LDAP, and NIS+, but what if you're like many of us who don't use those? You have to rely on native methods to handle the job.

Believe it or not, you only need a few commands to handle the bulk of your user management tasks. For example, you use the passwd command to set and change passwords, but it's also used to check the status of a user account, expire a password, set password minimum and maximum lifetimes, disable a user account, and enable a user account. 

Creating user accounts

The useradd command is your command-line friend for creating user accounts. A quick man useradd gives you all of the options you could ever want. I typically only use one option, which is -c (comment), to enter the user's full name. You can optionally set the password and other parameters as well, but I don't because every account is different. I create the account, set the password, set any other options, and then contact the user to inform them that their account is ready.

The syntax is simple:

$ useradd -c "User's Full Name" account_name
$ sudo useradd -c "Mary Jones" mjones
$ sudo passwd mjones
Changing password for user mjones.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

If you use generic passwords for new users that are easy to type, you'll receive a message warning you that the password doesn't meet the system's quality requirements (enforced by pam_pwquality on Red Hat systems). Since you're the root user, you can override this check, but regular users can't. That override is a trap: nothing stops a weak initial password from staying in use, so give new accounts a random one-time password and expire it (see the passwd -e option below) so that the user must replace it at first login:

$ passwd mjones
Changing password for user mjones.
New password: 
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
Retype new password: 
passwd: all authentication tokens updated successfully.

That's all there is to creating a new user account and assigning a password to it. Check out some passwd command magic in the next section.
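Putting the two commands together, here is an added onboarding script that is not from the original article. It creates the account, sets a random one-time password without an interactive prompt (via chpasswd, which reads login:password pairs on standard input), expires it so the user must change it at first login, and applies aging limits. The 90-day maximum, the /dev/urandom-based password generator and the function names are assumptions; useradd, chpasswd and passwd are the shadow-utils commands.

```shell
#!/bin/sh
# Non-interactive onboarding of a local user (added example, not the article's code).
# Assumes shadow-utils (useradd, chpasswd, passwd) and /dev/urandom.
set -eu

# Conservative login-name check, the pattern useradd enforces by default:
# a lowercase letter or underscore, then lowercase letters, digits, underscore or
# hyphen, an optional trailing '$' (Samba machine accounts), at most 32 characters.
valid_username() {
    [ "${#1}" -le 32 ] || return 1
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*\$?$'
}

# 16 alphanumeric characters from the kernel CSPRNG; avoids characters that
# would need quoting when the password is delivered to the user.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# onboard_user LOGIN "Full Name"   (must run as root)
onboard_user() {
    login=$1
    fullname=$2
    valid_username "$login" || { echo "invalid login name: $login" >&2; return 1; }
    pw=$(random_password)
    useradd -m -c "$fullname" "$login"               # -m: create the home directory explicitly
    printf '%s:%s\n' "$login" "$pw" | chpasswd        # set the hash in /etc/shadow, no prompt
    passwd -n 1 -x 90 -w 7 -i 14 "$login" >/dev/null  # aging policy (assumed values)
    passwd -e "$login" >/dev/null                     # force a change at first login
    passwd -S "$login"                                # show the resulting status line
    echo "one-time password for $login (deliver out of band): $pw"
}

# Run only when invoked with a login name and full name, e.g.
#   sudo ./onboard.sh mjones "Mary Jones"
if [ "$#" -eq 2 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    onboard_user "$1" "$2"
fi
```

The status line printed at the end should show PS with a last-change date of 1969-12-31 (or 1970-01-01, depending on your time zone), which is exactly the expired state the next section describes.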

Discovering the versatile passwd command

As stated previously, the passwd command does more than simply change passwords. It is one of the more versatile Linux commands available. Here are a handful of useful examples of what passwd can do for user management.

To check the status of a user account, use this format.

$ passwd -S account_name

Example:

$ sudo passwd -S msmith
msmith PS 2019-11-11 0 99999 7 -1 (Password set, SHA512 crypt.)

The PS means that the password for user msmith is set, but you can also see that from the message displayed. Older versions of passwd used different symbols; for example, the letter P by itself meant that the password was set. The date shown is the last time the password was changed, or when it was set. The four numbers that follow are the minimum age, maximum age, warning period, and inactivity period, all in days, which are the same values you set with the aging options described below.

If a password has expired, then you'll see the following message:

$ sudo passwd -S djones
djones PS 1969-12-31 0 99999 7 -1 (Password set, SHA512 crypt.)

You can see that the password now has a last changed time of 1969-12-31. If you know any Linux or UNIX history, you'll recognize that the UNIX epoch began on 1970-01-01. Expiring a password sets the last-change field in /etc/shadow to 0, meaning day zero of the epoch; passwd -S prints that day in your local time zone, which in a US time zone lands on the evening of 1969-12-31. Because the change date is older than any maximum lifetime, the password is treated as expired.

Creating a new user account without changing the account password results in the following password status:

$ sudo passwd -S smithm
smithm LK 2019-11-11 0 99999 7 -1 (Password locked.)

The LK designation means that the account is locked, as the message shows. Again, prior to this latest version of the passwd command, that message didn't exist. In fact, if you use man passwd, you'll also see the old designations: L, NP, and P.

To expire a password:

$ sudo passwd -e msmith
Expiring password for user msmith.
passwd: Success

A status check verifies the expired password for msmith:

$ sudo passwd -S msmith
msmith PS 1969-12-31 0 99999 7 -1 (Password set, SHA512 crypt.)

Once a password has expired, either by policy or by manually expiring it, passwd offers no option to unexpire it. The system will prompt the user to change passwords upon their next login. (Strictly speaking, chage -d with a new date rewrites the last-change field, but there is rarely a good reason to do that rather than letting the user pick a new password.)

You also can't unlock an account that has no password set. If you create a new user account and don't set the password, the account is locked. To unlock it, you have to set a password: passwd -u refuses to unlock such an account because doing so would leave a passwordless account, and you have to add -f to force it, which you should not do.

You can lock a user's account by using the passwd command's -l option: 

$ sudo passwd -S mjones
mjones PS 2019-11-11 0 99999 7 -1 (Password set, SHA512 crypt.)
$ sudo passwd -l mjones
Locking password for user mjones.
passwd: Success
$ sudo passwd -S mjones
mjones LK 2019-11-11 0 99999 7 -1 (Password locked.)

To unlock the account, use the passwd command's -u option:

$ sudo passwd -u mjones
Unlocking password for user mjones.
passwd: Success
$ sudo passwd -S mjones
mjones PS 2019-11-11 0 99999 7 -1 (Password set, SHA512 crypt.)

Use the following flags to set, in days, the minimum password lifetime (-n), the maximum password lifetime (-x), the warning period before expiration (-w), and the number of days of inactivity after expiration before the account is disabled (-i). The order of the options doesn't matter:

$ sudo passwd -n 1 -x 90 -w 3 -i 10 djones
Adjusting aging data for user djones.
passwd: Success
$ sudo passwd -S djones
djones PS 2020-12-31 1 90 3 10 (Password set, SHA512 crypt.)

It's good to set -n to at least one day because this prevents a user from changing their password several times in a row to flush the password-history check and return to an old favourite.
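Because the same numbers live in fields 3 to 7 of /etc/shadow, you can audit every local account against the policy in one pass instead of running passwd -S for each one. The following added example (not part of the original article) reads shadow-format records from standard input and flags accounts that have no password at all, a locked hash, an expired (day 0) last-change date, or a maximum age above the policy. The sample records and their hashes are constructed for the demo run; the function and flag names are assumptions.

```shell
#!/bin/sh
# Audit shadow-format records for password-policy problems.
# Added example, not from the article. Assumes the nine-field /etc/shadow layout
# used by shadow-utils: name:hash:lastchg:min:max:warn:inact:expire:reserved

# Constructed sample records for the demo (hashes are fake and shortened).
sample_shadow() {
    cat <<'EOF'
root:$6$abc$fakehashroot:18200:0:99999:7:::
msmith:$6$abc$fakehashmsmith:18201:1:90:3:10::
djones:$6$abc$fakehashdjones:0:1:90:3:10::
smithm:!!:18201:0:99999:7:::
mjones:!$6$abc$fakehashmjones:18201:0:99999:7:::
svc_backup::18201:0:99999:7:::
nobody:*:18200:0:99999:7:::
EOF
}

# audit_shadow MAX_DAYS < shadow-file
# Prints one "user FINDING" line per problem and nothing for clean accounts.
audit_shadow() {
    max_policy=${1:-90}
    while IFS=: read -r name hash lastchg min max warn inact expire reserved; do
        case "$hash" in
            '')
                # Empty hash: login without a password if PAM allows nullok.
                echo "$name NOPASSWORD" ;;
            '*'|'!'|'!!'|'!*')
                # Placeholder only: never had a usable password, nothing to age.
                ;;
            '!'*)
                # A real hash prefixed with '!' is what passwd -l produces.
                echo "$name LOCKED" ;;
            *)
                # Usable hash: check expiry and the maximum-age field.
                if [ "${lastchg:-0}" -eq 0 ]; then
                    echo "$name EXPIRED"
                fi
                if [ -z "$max" ] || [ "$max" -gt "$max_policy" ]; then
                    echo "$name MAXDAYS"
                fi ;;
        esac
    done
}

# Demo on the constructed sample. For a real audit, as root:
#   audit_shadow 90 < /etc/shadow
sample_shadow | audit_shadow 90
```

In the demo, root is flagged for the 99999-day default maximum, djones for the day-zero change date, mjones for the lock, and svc_backup for an empty password field; msmith, who already has the 1/90/3/10 aging values, produces no output.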

I hope you have a new appreciation for the passwd command. If you've only ever used it to change passwords, you've missed out on a lot of functionality and power.


Removing user accounts

Removing user accounts is a bit of a touchy subject. The reason that it's a touchy subject is that removing a user account is permanent. Once removed, it's gone. Generally, the policy in enterprises is to disable the account for a period of time, copy the user's home directory to a secure location for archiving, and then after the wait time, remove the account.

When I remove a user account from a system, I want all traces gone. With the -r option, userdel removes the entry from /etc/passwd and /etc/shadow, the user's primary group if it has the same name and no other members, the home directory, and the mail spool. What it does not touch are files the user owns elsewhere (in /tmp, /var, or a shared project directory, for example); those are left behind with an orphaned numeric UID and will belong to whoever is next assigned that UID, so track them down (find can search by -nouser or by numeric UID) before you reuse it. To make this sweeping change, I use the userdel command with the -r option in the format:

$ userdel -r account_name

Example:

$ sudo userdel -r djones

In typical UNIX and Linux fashion, there's no dialog to tell you that the account and its home directory are now expunged from the system. After the userdel command completes, you're dropped back to a prompt. Check the exit status, though: userdel refuses to remove an account that still has running processes unless you force it with -f, and a failed run leaves the account in place. A quick confirmation is that getent passwd djones now returns nothing.
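The disable-then-delete policy described above, as an added example that is not part of the original article: stage one locks the password, replaces the login shell, ends the user's processes, and archives the home directory; stage two, after the retention period, runs userdel -r and then lists files elsewhere on the filesystem that still carry the deleted UID. The /sbin/nologin path (it is /usr/sbin/nologin on Debian-family systems), the archive directory, and the function names are assumptions; only the archive step runs without root.

```shell
#!/bin/sh
# Two-stage offboarding: disable and archive now, delete later.
# Added example, not the article's code. Assumes shadow-utils, procps (pkill),
# GNU tar and /sbin/nologin.
set -eu

# archive_home HOME_DIR ARCHIVE_PATH
# Writes a compressed tar of the home directory; fails if the archive is empty.
archive_home() {
    home=$1
    out=$2
    tar -C "$(dirname "$home")" -czf "$out" "$(basename "$home")"
    tar -tzf "$out" | grep -q .
}

# disable_user LOGIN ARCHIVE_DIR   (stage one, as root)
disable_user() {
    login=$1
    archive_dir=$2
    passwd -l "$login"                       # '!' prefix on the hash, like the article shows
    usermod -s /sbin/nologin "$login"        # SSH keys and cron jobs no longer get a shell
    pkill -KILL -u "$login" || true          # end any sessions still running
    home=$(getent passwd "$login" | cut -d: -f6)
    archive="$archive_dir/$login-$(date +%Y%m%d).tar.gz"
    archive_home "$home" "$archive"
    chmod 600 "$archive"                     # the archive holds the user's private files
    passwd -S "$login"
}

# remove_user LOGIN   (stage two, after the retention period, as root)
remove_user() {
    login=$1
    uid=$(id -u "$login")                    # record the UID before it disappears
    userdel -r "$login"
    # Anything outside the home directory still owned by that UID is now orphaned.
    find / -xdev -uid "$uid" -print || true  # find exits non-zero on unreadable paths
}

# Usage: ./offboard.sh disable LOGIN [ARCHIVE_DIR]  |  ./offboard.sh remove LOGIN
case "${1:-}" in
    disable) disable_user "$2" "${3:-/var/archive/home}" ;;
    remove)  remove_user "$2" ;;
esac
```

Keeping the archive owned by root with mode 600 matters: the home directory usually contains .ssh/authorized_keys, shell history and cached credentials, which is exactly the material an attacker would want from a departed user.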

Wrapping up

User account management is but one of the many joys of being a system administrator. It can consume quite a bit of time in busier enterprises. However, in smaller environments, you might soon forget all of the passwd command options and decide to remove accounts manually.

I advise that you keep this article bookmarked and that you do not attempt to remove accounts manually. Chances are good that you'll forget something along the way, such as the /etc/shadow entry, the group membership, or the mail spool. There's also a chance that you'll fat-finger a command or two and remove more than you planned on removing. The passwd file and its corresponding /etc/shadow file are too important to leave editing them to chance, no matter how confident you are with your keyboard efficiency; if you ever must edit them by hand, use vipw and vigr, which lock the files while you work.

Takeaways: useradd, userdel, passwd



About the author

Ken has used Red Hat Linux since 1996 and has written ebooks, whitepapers, actual books, thousands of exam review questions, and hundreds of articles on open source and other topics. Ken also has 20+ years of experience as an enterprise sysadmin with Unix, Linux, Windows, and Virtualization.

Follow him on Twitter: @kenhess for a continuous feed of Sysadmin topics, film, and random rants.

In the evening after Ken replaces his red hat with his foil hat, he writes and makes films with varying degrees of success and acceptance. He is an award-winning filmmaker who constantly tries to convince everyone of his Renaissance Man status, also with varying degrees of success and acceptance.
