This article shows how to manage user accounts on local systems with a few commands. Although one can use LDAP (Lightweight Directory Access Protocol) and Active Directory, learning the native ways is critical for success in Linux administration. Life is like a sandwich: either way, the bread comes first.
The useradd command creates user accounts, and man useradd displays its manual page, which lists every option the command accepts. The start of the man useradd output is shown below:
NAME
useradd - create a new user or update default new user information
SYNOPSIS
useradd [options] LOGIN
useradd -D
useradd -D [options]
DESCRIPTION
useradd is a low level utility for adding users. On Debian, administrators should
usually use adduser(8) instead.
When invoked without the -D option, the useradd command creates a new user account
using the values specified on the command line plus the default values from the
system. Depending on command line options, the useradd command will update system
files and may also create the new user's home directory and copy initial files.
By default, a group will also be created for the new user (see -g, -N, -U, and
USERGROUPS_ENAB).
OPTIONS
The options which apply to the useradd command are:
--badname
Allow names that do not conform to standards.
-b, --base-dir BASE_DIR
The default base directory for the system if -d HOME_DIR is not specified.
BASE_DIR is concatenated with the account name to define the home directory. If
the -m option is not used, BASE_DIR must exist.
If this option is not specified, useradd will use the base directory specified by
the HOME variable in /etc/default/useradd, or /home by default.
Manual page useradd(8) line 1 (press h for help or q to quit)
passwd is a versatile command used to set and change passwords, check the status of a user account, expire a password, set password minimum and maximum lifetimes, disable a user account, and enable a user account. Check below to see how passwd is used with different flags to achieve this.
passwd -S is used to check the status of a user account.
┌──(root㉿kali)-[~]
└─# passwd -S delashoo
delashoo P 2022-05-12 0 99999 7 -1
The P shows that the user account delashoo has a usable password, and the date that follows is when that password was last set.
A user account can be locked by using passwd -l as shown below:
┌──(root㉿kali)-[~]
└─# passwd -l delashoo
passwd: password changed.
┌──(root㉿kali)-[~]
└─# passwd -S delashoo
delashoo L 2022-05-12 0 99999 7 -1
The L designation displayed in the status output shows that the user account is locked. To unlock a user account, use passwd -u as shown below:
┌──(root㉿kali)-[~]
└─# passwd -u delashoo
passwd: password changed.
┌──(root㉿kali)-[~]
└─# passwd -S delashoo
delashoo P 2022-05-12 0 99999 7 -1
Apart from the above, one can also expire a user account's password by using passwd -e. This resets the password's last-changed date to the Unix epoch (1970-01-01), which marks the password as expired.
┌──(root㉿kali)-[~]
└─# passwd -e delashoo
passwd: password changed.
┌──(root㉿kali)-[~]
└─# passwd -S delashoo
delashoo P 1970-01-01 0 99999 7 -1
The date shown after P is the Unix epoch; with the last-changed date set that far back, the password is treated as expired. Once a password has been expired you cannot undo that; however, the system will prompt the user to change the password at their next login.
Finally, one can also set the minimum password lifetime, the maximum password lifetime, the warning period before expiration, and the inactivity period after which the account is disabled, all in days, using the flags -n, -x, -w and -i respectively. Check below to see:
$ sudo passwd -n 1 -x 90 -w 3 -i 10 delashoo
Adjusting aging data for user delashoo
passwd: password changed
$ sudo passwd -S delashoo
delashoo PS 2020-12-31 1 90 3 10
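Each passwd -S line above carries seven fields: login, status, date of last password change, minimum age, maximum age, warning period and inactivity period. As an added example, not part of the original article, the script below reads such lines and flags locked accounts, forced password changes and missing aging limits; the function names, the finding names and the 99999 / -1 thresholds are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag notable accounts from `passwd -S` status lines.
# Field order: login, status, last change, min, max, warn, inactive.
# Finding names and thresholds are assumptions of this example.

add_finding() { findings="${findings:+$findings,}$1"; }

# True only for an optionally negative decimal integer.
is_int() { case "$1" in ''|-|*[!0-9-]*|?*-*) return 1 ;; esac; }

# Print "login: finding,finding" or "login: ok" for one status line.
audit_status_line() {
    set -f; set -- $1; set +f          # split on whitespace, no globbing
    if [ "$#" -ne 7 ]; then echo "malformed"; return 1; fi
    login=$1 status=$2 changed=$3 max=$5 inactive=$7
    if ! is_int "$max" || ! is_int "$inactive"; then
        echo "malformed"; return 1
    fi
    findings=""
    case "$status" in
        L|LK) add_finding locked ;;        # state after passwd -l
        NP)   add_finding no-password ;;
        P|PS) ;;                           # usable password
        *)    add_finding unknown-status ;;
    esac
    # passwd -e resets the last-change date to the epoch.
    if [ "$changed" = "1970-01-01" ]; then add_finding must-change; fi
    # 99999 days (as in the sample output) is effectively no maximum age.
    if [ "$max" -ge 99999 ]; then add_finding no-max-age; fi
    # -1 means the account is never disabled after the password expires.
    if [ "$inactive" -lt 0 ]; then add_finding no-inactive-limit; fi
    echo "$login: ${findings:-ok}"
}

# Audit every status line arriving on stdin.
audit_all() {
    while IFS= read -r line; do
        audit_status_line "$line" || true
    done
}

# Sample input: the status lines shown in the sessions above.
audit_all <<'EOF'
delashoo P 2022-05-12 0 99999 7 -1
delashoo L 2022-05-12 0 99999 7 -1
delashoo P 1970-01-01 0 99999 7 -1
delashoo PS 2020-12-31 1 90 3 10
EOF
```

On a system whose passwd supports the -a option, running passwd -S -a as root and piping the output into audit_all checks every local account at once.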