The Process of Creating User Accounts
When you create a user account using the
User Manager application, you can manage all
aspects of the user account. For detailed instructions on using
User Manager, see the chapter titled
User and Group Configuration in the
Official Red Hat Linux Customization Guide. This section highlights the
multi-step process required when creating users with the command line
tools.
There are two steps to creating a user with the command line tools
included with Red Hat Linux:
Issue the useradd command to create a locked
user account.
Unlock the account by issuing the passwd
command to assign a password and set password aging
guidelines.
The following steps illustrate what happens if the command
/usr/sbin/useradd juan is issued on a system that has
shadow passwords enabled:
A new line for juan is created
in /etc/passwd. The line has the following
characteristics:
It begins with the username,
juan.
There is an x for the
password field indicating that the system is using shadow
passwords.
The next unused UID at or above 500 is assigned. (Under Red Hat Linux, UIDs and GIDs
below 500 are reserved for system use.)
A GID at or above 500 is assigned.
The optional GECOS information is left blank.
The home directory (/home/juan/) is
specified.
The default shell is set to
/bin/bash.
A new line for user
juan is created in
/etc/shadow. The line has the following
characteristics:
It begins with the username,
juan.
Two exclamation points (!!)
appear in the password field of the
/etc/shadow file, which locks the
account.
The password is set to never expire.
A new line for a group named
juan is created in
/etc/group. A group bearing the same name as a
user is called a user private group. For more
information on user private groups, see the chapter titled
Users and Groups in the
Official Red Hat Linux Reference Guide.
The line created in /etc/group has the
following characteristics:
It begins with the group name,
juan.
An x appears in the
password field indicating that the system is using shadow group
passwords.
The GID matches the one listed for user
juan in
/etc/passwd.
A new line for a group named
juan is created in
/etc/gshadow. The line has the following
characteristics:
It begins with the group name,
juan.
Two exclamation points (!!)
appear in the password field of the
/etc/gshadow file, which locks the
group.
All other fields are blank.
A directory for user juan is created in the
/home/ directory. This directory is owned by
user juan and group
juan. However, it has read, write,
and execute permissions only for the user
juan (mode 0700). All other permissions are
denied.
The files within the /etc/skel/ directory
(which contain default user settings) are copied into the new
/home/juan/ directory.
At this point, a locked account called
juan exists on the system. To activate
it, the administrator must next assign a password to the account using
the passwd command and, optionally, set password
aging guidelines.
It is also possible to configure the account so that the user is
asked to create a password during the first login. See the Section called New User Passwords.
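The following script, an added example rather than code from the Red Hat guide, checks the footprint that useradd leaves behind. It classifies the password field of an /etc/shadow (or /etc/gshadow) line as locked, empty, disabled or set, checks that an /etc/passwd line has the shape described above, and, when run as root with a user name as its argument, prints the four live entries and the mode of the home directory. The UID_MIN value of 500 matches this guide; newer Red Hat releases set UID_MIN to 1000 in /etc/login.defs, so the script lets you override it from the environment. The sample lines at the end are constructed for the example, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): inspect what "useradd NAME"
# wrote to the four account files and classify the account's lock state.
# Assumes shadow-utils (useradd, getent) with shadow passwords enabled.

UID_MIN=${UID_MIN:-500}   # this guide's threshold; modern login.defs use 1000

# shadow_state 'LINE-FROM-/etc/shadow' -> locked | empty | disabled | set
shadow_state() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$hash" in
        '')    echo empty ;;     # null password: login needs none
        '!'*)  echo locked ;;    # "!!" from useradd, or "!<hash>" from passwd -l
        '*')   echo disabled ;;  # conventional value for system accounts
        *)     echo set ;;       # a real crypt(3) hash
    esac
}

# passwd_line_ok 'LINE-FROM-/etc/passwd' -> 0 if the line matches what
# useradd produces with shadow passwords enabled, 1 otherwise
passwd_line_ok() {
    name=$(printf '%s\n' "$1" | cut -d: -f1)
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    gid=$(printf '%s\n' "$1" | cut -d: -f4)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    [ "$pw" = x ] || return 1                         # hash lives in /etc/shadow
    [ "$uid" -ge "$UID_MIN" ] 2>/dev/null || return 1 # not a system UID
    [ "$gid" -ge "$UID_MIN" ] 2>/dev/null || return 1 # user private group GID
    [ "$home" = "/home/$name" ] || return 1
    return 0
}

# audit_account NAME: print the entries useradd created and the home
# directory mode. Reading /etc/shadow and /etc/gshadow requires root.
audit_account() {
    name=$1
    p=$(getent passwd "$name") || { echo "no passwd entry for $name"; return 1; }
    s=$(grep "^$name:" /etc/shadow)
    g=$(getent group "$name")
    gs=$(grep "^$name:" /etc/gshadow)
    echo "passwd : $p"
    passwd_line_ok "$p" && echo "         (fields as expected for a useradd account)"
    echo "shadow : $s -> $(shadow_state "$s")"
    echo "group  : $g"
    echo "gshadow: $gs -> $(shadow_state "$gs")"
    home=$(printf '%s\n' "$p" | cut -d: -f6)
    [ -d "$home" ] && echo "home   : $(stat -c '%A %U:%G %n' "$home")"
}

# Constructed sample lines (not from a real system), so the helpers can be
# exercised without root:
echo "useradd result : $(shadow_state 'juan:!!:12000:0:99999:7:::')"   # locked
echo "null password  : $(shadow_state 'juan::12000:0:99999:7:::')"     # empty
echo "system account : $(shadow_state 'bin:*:12000:0:99999:7:::')"     # disabled
echo "passwd -l      : $(shadow_state 'juan:!$6$salt$hash:12000:0:99999:7:::')"  # locked

# Live check, only when run as root with a user name argument:
if [ "$(id -u)" -eq 0 ] && [ -n "${1:-}" ]; then audit_account "$1"; fi
```

Run it as root with the user name to see the real entries; a shadow state other than "locked" on a freshly created account means someone has already run passwd or usermod on it.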
Password Security
Creating strong passwords is important for the security of the
organization. There are two options available to enforce the use of
good passwords:
The system administrator can create passwords for all
users.
The system administrator can let the users create their own
passwords, while verifying that the passwords are of acceptable
quality.
Creating passwords for the users ensures that the passwords are
good, but it becomes a daunting task as the organization grows.
It also increases the risk of users writing their passwords
down.
For these reasons, system administrators prefer to have the user
create their own passwords. However, a good system administrator
actively verifies that the passwords are good and, in some cases,
forces users to change their passwords periodically through password
aging.
For guidelines on how to create strong passwords and how to set
password aging policies, see the chapter titled Workstation
Security in the Official Red Hat Linux Security Guide.
New User Passwords
If accounts within an organization are created centrally by the
administrator but users are to choose their own passwords, the
administrator must configure each new account so that the user is asked
to create a password when logging in for the first time.
To configure a user account in this manner, follow these
steps:
Create the user account using the
useradd command. At this
point the account is created, but locked.
Force immediate password expiration. To do this, use the
chage command to set the date the password was last changed
to the epoch (January 1, 1970). This value forces immediate
password expiration no matter what password aging policy, if any,
is in place.
Unlock the account. There are two
common approaches to this. The administrator can assign an initial
password:
/usr/sbin/usermod -p "<encrypted-password>" <username>
In the above command, replace
<encrypted-password>
with the initial password in the encrypted form produced by
crypt(3). The -p option of usermod stores its argument verbatim in
the password field of /etc/shadow, so a plaintext password given here
will never match at login. Also note that anything passed on the
command line is visible in process listings and shell history.
Or, the administrator can assign a null password by giving the
-p option an empty string.
Caution: While using a null password is convenient for both the user
and the administrator, there is a risk that a third party who knows
the user name can log in first, set a password of their own choosing,
and access the system as that user. To minimize this threat,
administrators should verify that the user is ready to log in at the
moment they unlock the account.
In either case, upon initial log in, the user is prompted for
a new password.
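The complete procedure, as an added example that is not code from the guide: the script creates the account, then either assigns a hashed initial password or leaves the password null, runs chage -d 0, and confirms from /etc/shadow that a change is forced at the next login. The plaintext initial password is read from a file and hashed with openssl passwd -6 (which needs OpenSSL 1.1.1 or later), and the hash is handed to chpasswd -e on standard input, so no plaintext ever appears on a command line. The function names and the password-file argument are this example's own conventions; the shadow line used for the self-check is constructed.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): provision an account whose
# owner must set a password at first login, and verify it from
# /etc/shadow. Assumes shadow-utils (useradd, usermod, chage, chpasswd)
# and OpenSSL 1.1.1 or later for "openssl passwd -6".

# must_change_at_login 'LINE-FROM-/etc/shadow' -> 0 if the "last changed"
# field (3rd) is 0, which chage -d 0 sets and which forces a change at the
# next login regardless of any aging policy; 1 otherwise (including an
# empty field, which means aging is disabled).
must_change_at_login() {
    last=$(printf '%s\n' "$1" | cut -d: -f3)
    [ "$last" = 0 ]
}

# hash_from_stdin: turn a plaintext password read on stdin into a
# SHA-512 crypt(3) hash, the form that usermod -p and chpasswd -e expect.
hash_from_stdin() {
    openssl passwd -6 -stdin
}

# provision_first_login NAME [PASSWORD-FILE]
# With a password file, the initial password is stored hashed. Without
# one the account gets a null password: anyone who knows the user name
# can log in first, so only do this when the user is ready to log in.
provision_first_login() {
    name=$1; pwfile=$2
    useradd "$name"                          # locked: "!!" in /etc/shadow
    if [ -n "$pwfile" ]; then
        hash=$(hash_from_stdin < "$pwfile")
        printf '%s:%s\n' "$name" "$hash" | chpasswd -e   # -e: already encrypted
    else
        usermod -p '' "$name"                # null password, account unlocked
    fi
    # chpasswd/usermod update the "last changed" day, so force expiry last:
    chage -d 0 "$name"
    line=$(grep "^$name:" /etc/shadow)
    must_change_at_login "$line" && echo "$name: password change forced at next login"
}

# Self-check on a constructed shadow line (not from a real system):
if must_change_at_login 'juan:$6$salt$hash:0:0:99999:7:::'; then
    echo "sample line: change forced at next login"
fi

# Live run, only as root with a user name (and optional password file):
if [ "$(id -u)" -eq 0 ] && [ -n "${1:-}" ]; then
    provision_first_login "$1" "${2:-}"
fi
```

After the live run, chage -l <username> shows "Last password change: password must be changed". If you take the null-password route, remember that sshd rejects empty passwords unless PermitEmptyPasswords is set to yes, so that first login normally has to happen at the console.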