This document presents the basics of user management on a FreeBSD host: how to create, modify and remove accounts.
For the sake of simplicity, three kinds of user accounts are presented: standard system user accounts (POSIX), sFTP only accounts and SAMBA 4 accounts on a standalone server.
System User Accounts
Standard POSIX user accounts can log in locally through PAM or remotely through SSH (ssh user@server).
Add a new user:
adduser USERNAME
Add a new group:
pw groupadd GROUPNAME
On FreeBSD Systems, the pw command handles most operations that can be performed on existing user accounts.
Add user to group:
pw groupmod GROUPNAME -m USERNAME
Show group information:
pw groupshow GROUPNAME
Delete a user:
pw userdel USERNAME (or pw userdel UID, or rmuser USERNAME)
Note: if you want to use ‘su -’ to become root, the user must be a member of the ‘wheel’ group.
By default, root is not allowed to log in over SSH. If you want to allow root login, modify ‘/etc/ssh/sshd_config’ as follows:
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers root
You should never edit the /etc/passwd and /etc/group files by hand. If you ever do, you must then rebuild the password database:
pwd_mkdb -p /etc/master.passwd
sFTP Only User Accounts
sFTP only user accounts are special user accounts that are locked (chrooted) in their home directory. They can write only in subdirectories, and they can only log in remotely, with a limited set of commands, through the sFTP protocol, either with a modern FTP client such as FileZilla or from the command line (sftp user@server).
Setup
In order to enable sftp only user accounts, the /etc/ssh/sshd_config file must be modified as follows:
[...]
Subsystem sftp internal-sftp
# This section must be placed at the very end of sshd_config
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
Once this is done, the sshd service must be restarted:
service sshd restart
All sFTP only User accounts must then be members of the sftponly group. For instance:
root@prod:/usr/local/www/apache24/data # cat /etc/passwd|grep sftp
sftpuser:*:1002:1002:Sample sftp (only) user:/home/sftpuser:/usr/sbin/nologin
root@prod:/usr/local/www/apache24/data # cat /etc/group |grep sftp
sftponly:*:1002:
The home directory of an sFTP only User and its files/ subdirectory (for storing data) must have the following owner and rights:
root@prod:/usr/local/www/apache24/data # ls -al /home/sftpuser
total 54
drwxr-xr-x 3 root sftponly 11 May 25 12:03 .
drwxr-xr-x 22 root wheel 22 Jun 4 11:56 ..
[...]
drwxr-xr-x 2 sftpuser sftponly 2 May 25 12:04 files
The following add_sftp_account.sh script can ease the process of setting up such accounts:
#!/bin/sh
# Creates an sFTP-only user account (member of sftponly, home directory owned by
# root, files/ subdirectory owned by the user) and prompts for its password.
# If the account already exists, pw user add fails and only the password is (re)set.
usage() {
    echo "Usage: /root/add_sftp_account.sh LOGIN \"COMMENT\""
    echo "Login and comment are mandatory!"
    echo "If the comment has spaces, you must use double quotes around it."
}
if [ "$#" -ne 2 ]
then
    usage
    exit 1
fi
login=$1
comment=$2
pw user add -n "$login" -c "$comment" -L nologin -d "/home/$login" -g sftponly -s /bin/false -w random
mkdir -p "/home/$login"
chown root:sftponly "/home/$login"
chmod 755 "/home/$login"                 # the chroot target must not be group/world-writable
mkdir -p "/home/$login/files"
chown "$login:sftponly" "/home/$login/files"
passwd "$login"
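The sshd Match block, the account layout and the script above all hinge on the same conditions: the account's primary group is sftponly, its shell is non-interactive, and the home directory handed to ChrootDirectory is owned by root and not writable by group or others (sshd refuses the chroot otherwise). The following check is an added example, not part of the original page; it parses passwd and ls -ld lines so it can be exercised offline, and the live wrapper assumes getent(1) is available, as it is on FreeBSD.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check an sFTP-only account
# against the requirements behind the "Match Group sftponly / ChrootDirectory %h"
# block above. sshd refuses the chroot unless the home directory (and every
# component of its path) is owned by root and not writable by group or others,
# which is why the home is root:sftponly and only files/ belongs to the user.

# home_line_ok "LS_LINE": LS_LINE is one line of "ls -ld" output. Returns 0 when
# the entry is a directory owned by root with neither group nor world write bit.
home_line_ok() {
    set -f                      # no pathname expansion while splitting the line
    set -- $1
    set +f
    mode=$1; owner=$3
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        d????w*)    return 1 ;;  # group write bit (6th character) is set
        d???????w*) return 1 ;;  # world write bit (9th character) is set
        d*)         return 0 ;;
        *)          return 1 ;;  # not a directory at all
    esac
}

# passwd_line_ok "PASSWD_LINE" SFTP_GID: the account's primary group must be
# sftponly and its shell non-interactive (/bin/false in the script above,
# /usr/sbin/nologin in the listing; both are accepted).
passwd_line_ok() {
    want_gid=$2
    old_ifs=$IFS
    set -f; IFS=:; set -- $1; IFS=$old_ifs; set +f
    [ "$4" = "$want_gid" ] || return 1
    case "$7" in
        */nologin|*/false) return 0 ;;
        *)                 return 1 ;;
    esac
}

# check_sftp_account USER: live check on the host; assumes getent(1) is available.
check_sftp_account() {
    user=$1
    sftp_gid=$(getent group sftponly | cut -d: -f3)
    [ -n "$sftp_gid" ] || { echo "group sftponly does not exist"; return 1; }
    entry=$(getent passwd "$user") || { echo "$user: no such user"; return 1; }
    passwd_line_ok "$entry" "$sftp_gid" || { echo "$user: wrong primary group or shell"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    home_line_ok "$(ls -ld "$home")" || { echo "$home: must be root-owned, not group/world-writable"; return 1; }
    echo "$user: OK"
}
```

Run check_sftp_account sftpuser after the script has created the account; a failing check explains why sshd will reject the chroot before the user ever reports a broken login.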
SAMBA Users (on a SAMBA 4 Standalone Server)
On a SAMBA 4 Standalone Server, SAMBA User accounts can be standard System User accounts that are added to the SAMBA Users backend. Here is how to set up such an account:
First add a standard system user account:
adduser marianne
Set up his/her password with:
passwd marianne
Then add this account to SAMBA Users:
smbpasswd -a marianne
Enable it with:
smbpasswd -e marianne
Add it to a group of SAMBA users (here, fam) with:
pw groupmod fam -m marianne
The following command will list all users who are members of the aforementioned fam group:
pw groupshow fam
Set up the main section of the /usr/local/etc/smb4.conf file to enable per-user / per-host access with the following lines:
obey pam restrictions = yes
security = user
map to guest = Bad Password
passdb backend = tdbsam
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
# Next line will allow guest access to public shares
usershare allow guests = yes
# Next line will restrict access to a list of IPs or a subnetwork
hosts allow = 10.1.1.0/24
Enable access to a protected share for the marianne user. The full section in /usr/local/etc/smb4.conf should look like this:
[SHARE]
comment = A sample share
path = /path/to/this/share
read only = no
acl allow execute always = yes
browseable = yes
guest ok = no
write list = marianne
read list = fabrice souheila
Note that users listed under read list will only have read access, whereas users listed under write list will have full access.
Do not forget to restart SAMBA:
/usr/local/etc/rc.d/samba_server restart
You may check that the user can access a protected share with:
smbclient -U marianne //CELEPHAIS/lvl2
How to quickly import user accounts and groups from another server
Copy the user/group entries that you want to replicate from the following files:
/etc/passwd
/etc/group
/etc/master.passwd
Then run the following command to rebuild the password database:
pwd_mkdb -p /etc/master.passwd
Once this is done, the existing home directories can be copied from one server to the other, preserving their ownership and permissions.
On source server:
rsync -avz /home/* root@target_server:/home/
Online Accounts: use a PassKeeper
Best practice is to have a different, secure password (i.e. long enough, combining letters, numbers and other characters) for each online account that you own. A PassKeeper may then be used to remember them.
A PassKeeper is a piece of software or hardware that stores multiple passwords in encrypted form and lets you unlock them with a key or a single master password. It may also provide automated login functions. See for instance https://www.tindie.com/products/stephanelec/mooltipass-mini-offline-password-keeper/