Icon

Partager Envoyer

(Document) BSD FreeBSD user accounts Users management

Managing User Accounts on a FreeBSD System (System User Accounts, sFTP Only User Accounts, SAMBA 4 User Accounts)

This document presents the basics for users management on a FreeBSD Host: learn how to create, modify and remove accounts.

For the sake of simplicity, three different kinds of User Accounts are presented: standard system Users accounts (POSIX), sFTP only accounts and SAMBA 4 accounts on a standalone server.

 

System User Accounts

Standard POSIX User Accounts are able to log in through PAM or remotely through SSH (ssh user@server)

Add a new user:

adduser USERNAME

Add a new group:

pw groupadd GROUPNAME

On FreeBSD Systems, the pw command handles most operations that can be performed on existing user accounts.

Add user to group:

pw groupmod GROUPNAME -m USERNAME

Show group information:

pw groupshow GROUPNAME

Delete a user:

pw userdell USERNAME || pw userdell UID || rmuser username


Note: if you want to use ‘su -’ to become root, the user must be added to group ‘wheel’.


By default, root does not allow login with SSH, if you want to allow root login, you should modify ‘/etc/ssh/sshd_config’ as follow:

PermitRootLogin yes
PasswordAuthentication yes
AllowUsers root

You should never modify the /etc/passwd and /etc/group Files. If you ever do it, you must then rebuild the passwords Database:

pwd_mkdb -p /etc/master.passwd
 

sFTP Only User Accounts

sFTP only user accounts are special user accounts that are locked in their home directory. They can write only in subdirectories and can only remotely log in with a limited set of commads through the sFTP protocol either in a modern FTP client, like Filezilla or through command line (sftp user@server).

Setup

In order to enable sftp only user accounts, the /etc/ssh/sshd_config file must be modified as follows:

[...]
Subsystem sftp internal-sftp

# This section must be placed at the very end of sshd_config
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no


Once this is done, the sshd service must be restarted:

service sshd restart

All sFTP only User accounts must then be members of the sftponly group. For instance:

root@prod:/usr/local/www/apache24/data # cat /etc/passwd|grep sftp
sftpuser:*:1002:1002:Sample sftp (only) user:/home/sftpuser:/usr/sbin/nologin
root@prod:/usr/local/www/apache24/data # cat /etc/group |grep sftp
sftponly:*:1002:

The home directory of an sFTP only User and its files/ subdirectory (for storing data) must have the following owner and rights:

root@prod:/usr/local/www/apache24/data # ls -al /home/sftpuser
total 54
drwxr-xr-x   3 root      sftponly    11 May 25 12:03 .
drwxr-xr-x  22 root      wheel       22 Jun  4 11:56 ..
[...]
drwxr-xr-x   2 sftpuser  sftponly     2 May 25 12:04 files


An add_sftp_account.sh script can ease the process of setting up such accounts:

#!/bin/sh
if [ ${#} -le 1 ]
then
    echo "This script creates a sFTP user account and allows to set his/her password.
If the account already exists, you'll be prompted for a new password.

Usage: /root/add_sftp_account.sh
                   Login and comment are mandatory!"
    exit 1
fi
if [ ${#} -ne 2 ]
then
    echo "Usage: /root/add_sftp_account.sh
                   Check your parameters!
             If comment has spaces, you must use double quotes around it."
    exit 1
else
    pw user add -n $1 -c $2 -L nologin -d /home/$1 -g sftponly -s /bin/false -w random
    mkdir /home/$1
    chown root:sftponly /home/$1
    mkdir /home/$1/files
    chown $1:sftponly /home/$1/files
    passwd $1

fi

SAMBA Users (on a SAMBA 4 Standalone Server)

On a SAMBA 4 Standalone Server, SAMBA User accounts can be standard System User accounts that are added to the SAMBA Users backend. Here is how to set up such an account:

First add a standard system user account:

adduser marianne

Set up his/her password with:

passwd marianne

Then add this account to SAMBA Users:

smbpasswd -a marianne

Enable it with:

smbpasswd -e marianne

Add it to a SAMBA Users' group with:

pw groupmod fam -m marianne

The following command will list all users who are members of the aforementioned fam group:

pw groupshow fam

Set up the main section of /usr/local/etc/smb4.conf File to enable access per user/per host with the following lines:

obey pam restrictions = yes
security = user
map to guest = Bad Password
passdb backend = tdbsam
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Entersnews*spassword:* %n *Retypesnews*spassword:*        %n *passwordsupdatedssuccessfully* .
pam password change = yes
#Next line will allow guest access to public shares
usershare allow guests = yes
#Next line will restrict access to a list of IPs or a subnetwork
hosts allow = 10.1.1.0/24

Enable access to a protected share for the marianne user.
The full section in /usr/local/etc/smb4.conf should be something like this:

[SHARE]
comment = A sample share
path = /path/to/this/share
read only = no
acl allow execute always = yes
browseable = yes
guest ok = no
write list = marianne
read list = fabrice souheila

Note that users listed under read list will only have read access, whereas users listed under write list will have full access.

Do not forget to restart SAMBA:

/usr/local/etc/rc.d/samba_server restart

You may check that the user can access a protected share with:

smbclient -U marianne //CELEPHAIS/lvl2

How to quickly import user accounts and groups from another server

Copy the user/group entries that you want to replicate from the following files:

/etc/passwd
/etc/group
/etc/master.passwd


Then run the following command to rebuild the password database:

pwd_mkdb -p /etc/master.passwd

Once this is done, the existing home directories can then be copied from one server to the other by preserving their rights and owner.
On source server:

rsync -avz /home/* root@target_server:/home/

Online Accounts: use a PassKeeper

Best practice is to have one different, secure password (i.e. long enough, with a combination of letters/numbers and other chars) for each online account that you own. A PassKeeper may then be used to remember them.

A PassKeeper is a piece of software/hardware that keeps multiple passwords encrypted and allows to unlock them with a key or a single password. It may also provide automated login functions. See for instance https://www.tindie.com/products/stephanelec/mooltipass-mini-offline-password-keeper/


Ce document a été publié le 2019-02-23 20:37:33. (Dernière mise à jour : 2024-06-10 01:08:05.)

À lire ensuite 1




This website uses 'cookies' to enhance user experience and provide authentification. You may change which cookies are set at any time by clicking on more info. Accept
x