06 User Management and Authentication


User and Group Management

User and group management in Linux allows administrators to control user access to the system and resources.

Basic User Management Commands

  1. Creating a New User:

    sudo useradd -m username
    sudo passwd username
    • -m: Creates the user's home directory.
    • passwd: Sets the user's password.
  2. Deleting a User:

    sudo userdel -r username
    • -r: Removes the user's home directory.
  3. Modifying User Information:

    sudo usermod -l new_username old_username
    sudo usermod -aG groupname username
    • -l: Changes the username.
    • -aG: Adds the user to an additional group without removing existing group memberships.

Group Management

  1. Creating a New Group:

    sudo groupadd groupname
  2. Deleting a Group:

    sudo groupdel groupname
  3. Adding a User to a Group:

    sudo usermod -aG groupname username
  4. Viewing User Groups:

    groups username

User and Group Configuration Files

  1. /etc/passwd: Contains basic user information.

  2. /etc/shadow: Stores user password information.

  3. /etc/group: Contains group information.
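As an added example (not part of the course notes), the script below audits text in /etc/passwd and /etc/shadow format for the two conditions an administrator checks first after user changes: extra UID 0 accounts and empty password hashes. The sample records are constructed; on a real system the functions take the file contents instead.

```shell
#!/usr/bin/env bash
# Added example: audit passwd/shadow style records.
# Fields: passwd = name:x:uid:gid:gecos:home:shell
#         shadow = name:hash:lastchg:min:max:warn:inactive:expire:

# Constructed sample in /etc/passwd format; "backup" wrongly has UID 0.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
backup:x:0:0:backup job:/var/backup:/bin/sh
svc:x:1001:100:service:/srv/svc:/usr/sbin/nologin'

# Constructed sample in /etc/shadow format; "alice" has an empty hash field,
# "backup" is locked with "!", "svc" is disabled with "*".
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19700:0:99999:7:::
alice::19700:0:99999:7:::
backup:!:19700:0:99999:7:::
svc:*:19700:0:99999:7:::'

# Print every account whose UID is 0 except root itself.
extra_root_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print accounts whose hash field is empty: login succeeds with no password.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Print accounts that are locked ("!" prefix, as set by passwd -l) or have no
# usable password at all ("*").
locked_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /^!/ || $2 == "*" { print $1 }'
}

main() {
    echo "UID 0 accounts other than root:"; extra_root_accounts "$SAMPLE_PASSWD"
    echo "Accounts with an empty password field:"; empty_password_accounts "$SAMPLE_SHADOW"
    echo "Locked or disabled accounts:"; locked_accounts "$SAMPLE_SHADOW"
}

main
```

On a live system call the functions with `"$(cat /etc/passwd)"` and, as root, `"$(cat /etc/shadow)"` in place of the constructed samples.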

PAM (Pluggable Authentication Modules) Based Authentication

PAM

PAM is a flexible framework for managing authentication in Linux. With PAM, administrators can control how users are authenticated, granted access, and managed.

PAM Components

  1. Module: .so files that perform authentication tasks.

  2. Configuration File: Located in /etc/pam.d/, defining authentication rules.

PAM Configuration Files

PAM configuration files are located in /etc/pam.d/. Example configuration file:

auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so

Explanation:

  • auth: Manages authentication.
  • account: Controls account access.
  • password: Handles password changes.
  • session: Manages user sessions.

Example PAM Usage

  1. Setting Password Policies: Edit /etc/security/pwquality.conf

    minlen = 12
    dcredit = -1
    ucredit = -1
  2. Locking an Account After Failed Logins: Add to /etc/pam.d/common-auth

    auth required pam_tally2.so deny=5 unlock_time=300

LDAP and Active Directory Integration

LDAP

LDAP (Lightweight Directory Access Protocol) is a protocol for accessing directory information, such as user accounts, groups, and devices.

Integrating LDAP in Linux

  1. Install LDAP Packages:

    sudo zypper install openldap2 nss-pam-ldapd
  2. Configure LDAP: Edit /etc/nslcd.conf

    uri ldap://ldap.example.com
    base dc=example,dc=com
    binddn cn=admin,dc=example,dc=com
    bindpw password
  3. Restart Service:

    sudo systemctl restart nslcd

Active Directory Integration

Active Directory (AD) is Microsoft's directory service. Integrating AD with Linux allows AD users to access Linux systems.

  1. Install Samba and Winbind Packages:

    sudo zypper install samba-winbind krb5-client
  2. Configure Kerberos: Edit /etc/krb5.conf:

    [libdefaults]
        default_realm = EXAMPLE.COM
    [realms]
        EXAMPLE.COM = {
            kdc = ad.example.com
            admin_server = ad.example.com
        }
  3. Join the Domain:

    sudo net ads join -U Administrator
  4. Restart Service:

    sudo systemctl restart winbind

Single Sign-On (SSO)

SSO allows users to access multiple systems with a single authentication.

Implementing SSO in Linux

  1. Using Kerberos:

    • Kerberos provides centralized authentication for SSO.
  2. SSO with LDAP:

    • LDAP can be used alongside Kerberos for SSO.
    • Ensure LDAP is integrated with the Linux system.
  3. SSO with OAuth or SAML:

    • OAuth and SAML are modern protocols for SSO, commonly used in web applications.
    • Third-party applications or middleware like Keycloak or Okta can be used for integration.