
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
1 answers
373 views
How to prevent ssh access after linux account expiration date?
I was a bit surprised by the fact that a user can still have ssh access to a Linux machine (Ubuntu 18.04.6 LTS) where their account has expired. I set up the account expiration date with `chage`:
```
sudo chage -l xxxx
Last password change                                    : Oct 10, 2024
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Nov 05, 2024
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
```
The account expired on 2024-11-05, but the user can still ssh to it. Is there any configuration in the sshd server or PAM to enforce the account expiration? As far as I can tell, sshd has `UsePAM yes` and PAM should prevent the login but the only thing it does is to print a `Your account has expired; please contact your system administrator` in the ssh banner. I get the same if I do `sudo su xxxx`, I do get a `Your account has expired; please contact your system administrator` but I get the shell prompt anyway.
RubenLaguna (647 rep)
Nov 14, 2024, 01:16 PM • Last activity: Nov 19, 2024, 08:05 AM
11 votes
6 answers
11323 views
Completely lock user account on server, including ssh
I need to lock some user accounts, without messing with their HOME, if at all possible. Normal way would be usermod -L user but it seems to leave open ssh login with public key authentication (routinely used on this server). I know I could just mv /home/user/.ssh /home/user/_ssh or something similar, but is that the right way of doing this? What am I missing?
ZioByte (910 rep)
Apr 29, 2022, 10:35 AM • Last activity: May 2, 2024, 03:48 PM
10 votes
4 answers
27547 views
Local Account Creation Date
For compliance purposes there is the need to fetch information regarding local (user and non-user) accounts creation date on UNIX machines. Is there any way (even if it's not the most reliable or accurate method) for collecting that kind of information? For instance, as an alternative, I went searching for home directory creation date (for user accounts), but I discovered that for POSIX-compliant systems timestamps for file creation are not available.
antiauthor (101 rep)
Jun 30, 2014, 01:45 PM • Last activity: Jan 11, 2024, 08:01 AM
-1 votes
2 answers
140 views
Do I have to type su every time?
I have created a user.
```
useradd -M -d /usr/my_user my_user
chown -R my_user. /usr/my_user
```
Now as a root I can type:
```
su - my_user -c /usr/my_user/some_dir/script.sh
```
but if I want to do more complicated things, for example navigate between **my_user** folders I have to type the `su - my_user` pattern every time. Otherwise it states that I do not have permissions. How can I make my life easier and not type the `su` every time?
carpenter (1241 rep)
Oct 5, 2016, 06:36 PM • Last activity: Oct 1, 2023, 12:15 PM
2 votes
5 answers
8107 views
Edit /etc/passwd file from grub
I tried installing zsh on Ubuntu (14.04). When I switched to zsh, I was unable to go into super user mode.
If I do a `su` it asks for passwd and on entering the correct password, it says:
```
Cannot execute which zsh: No such file or directory
```
But when I enter an incorrect password and press enter 4-5 times, it shows nothing. On checking my `/etc/passwd` file, it showed:
```
root:x:0:0:root:/root:which zsh
```
I tried to edit the file and save but it shows
```
Unable to save /etc/passwd
```
I have tried to change the runlevel to 1 via grub, but it results in an error:
```
APCI PCC probe failed
```
I am running Ubuntu on VirtualBox.
iyerrama29 (121 rep)
May 9, 2016, 01:06 PM • Last activity: Aug 8, 2023, 10:01 AM
0 votes
2 answers
157 views
Can I let users create an account on their own?
I teach a programming course with over 40 students. I want them to upload their projects to a Linux web server that I rent. So I want each student to create a user account on the server. I do not want to create each and every user manually by adduser. Is it possible to let students create their own accounts, without giving them root access?
Erel Segal-Halevi (781 rep)
Jan 4, 2023, 08:45 AM • Last activity: Jun 14, 2023, 04:20 PM
0 votes
1 answers
400 views
How could I use a different HOME directory at login
I'm using a server that is shared with about 7 other people. We each have our own user account, but they don't have permissions to access most of what we need, so they're essentially useless other than for authentication. Instead, we use sudo to become a different user (called 'dev'). The dev account is shared by everyone on the team, and a few others from a different team. Considering that this is the only account we have access to that has enough privileges to actually do work, it's very frustrating having to share it.

I have my own directory under dev's home directory. What I would like to do is be able to open a new shell session with my subdir as HOME, and source dotfiles from my subdir rather than from dev's HOME. That way I could have my own settings (.bashrc, .vimrc, etc.), I wouldn't be digging through other people's .bash_history when I press up and they wouldn't dig through mine. I know I can kind of fake this by changing the HOME directory and sourcing dotfiles as needed, but I'd like a way to do this automatically when I sudo to the shared account, something like: `sudo -ui dev HOME=/users/dev/me bash` (this doesn't work as-is). Is there a way to do this?

I know the 'correct' solution is to not use a shared account in the first place, and give proper permissions to each user's account, but the server is owned and operated by a separate company, and their sysadmins have been adversarial to changes suggested by our group. We actually used to have a lot more access and tools available, but it was stripped when they found out that we were doing things they didn't want us to (nothing against contract or even unusual - the sysadmin is just petty)
foxbeard (1 rep)
May 25, 2023, 06:39 PM • Last activity: May 26, 2023, 11:15 PM
0 votes
1 answers
117 views
What is the best way to manage multiple access using same user?
**Scenario:** We have a couple of Ubuntu servers, each with a single user. The user account has some specific software that binds to the host IP address and a specific port (we cannot change the port number, as it is a standard). We have multiple users who want to use the software. For now, everyone is using the same account (over SSH), and we check if the others are using it before running it ourselves, so that there is no conflict.

I'm wondering what is the best way to handle this scenario? We could have multiple users, but that would still not solve the issue where the port is in use. It would be great if there's a way to tell if someone else is using the machine when we log in. Any ideas are appreciated, thanks!
Niloy Saha (109 rep)
Feb 18, 2023, 07:46 PM • Last activity: Feb 18, 2023, 08:44 PM
1 votes
0 answers
194 views
Debian 9 does not load login screen
My HP laptop fails to load the login screen after saying

> [FAILED] Failed to start Accounts Service

There's an error concerning the partition of a disk that keeps showing up.

> BTRFS critical (device sda3): corrupt node: root=5 .........

When I launch the terminal in non-graphical mode and try to type `apt-get update` for instance, it does not recognize the command and also keeps displaying

> BTRFS critical (device sda3): corrupt node: root=5 .........

Running `systemctl status accounts-daemon.service`

> Active: failed code=exited,status=127

Does anyone know how to fix this and whether there's a workaround for this?
Oussama Ben Ghorbel (111 rep)
Jun 1, 2019, 06:28 PM • Last activity: Jan 18, 2023, 11:15 AM
0 votes
0 answers
225 views
Ubuntu does not remember my microsoft account
My computer (Ubuntu 22.04.1 LTS), does not remember my business Microsoft account and I need to Login and 2FA each time. Is there a way to remember my Microsoft account?
csandreas1 (101 rep)
Nov 20, 2022, 03:33 PM
0 votes
1 answers
67 views
Best practice for multiple Node applications on one server
I've read that it is the best practice to create separate system accounts for each application, so in case of a security breach the attacker is isolated inside the specific account and cannot do any more harm. I would like to inquire what the best practice concerning home directories, and the number of system users is. I have several Node.js applications, but they all run on the one user account that my server has. Should I create a user for each application and have their relevant files stored in their home directory, or one user for all Node.js applications? Should I **not** create home directories and have every application in one system directory? Any pointers would be greatly appreciated.
CodingWolf (1 rep)
Oct 17, 2022, 11:59 AM • Last activity: Oct 24, 2022, 06:42 PM
-1 votes
3 answers
1800 views
How to create a user account from a text file input
Need to create a bash script to create a username from a file which contains the below (username, home directory, full name):
```
drs /home/drs Paranas Theruwalan
```
My script:
```
!#/bin/bash
#call data from file
file="file.txt"
USERNAME=$(cat file.txt | cut -d: -f1)
USER_FULLNAME=$(cat file.txt | cut -d: -f2)
useradd -m ($USERNAME) -c ($USER_FULNAME)
```
I am getting an invalid username error.
Suresh Silva (1 rep)
Aug 15, 2018, 09:23 AM • Last activity: Sep 18, 2022, 05:03 PM
0 votes
0 answers
432 views
echo $USER returns root, even under non-root user
My main user account (sebastian) ended up seriously crippled and I wanted to create a new user to look for differences, but:

- When logged in to tty as a new non-root user (e.g. guest), `echo $USER` **outputs root**
- Cannot log in to GUI (xfce), since all user files system seeks in `/root/` folder (where they don't exist), instead of the user folder, e.g.:
  - /root/.bash_profile: Permission denied
  - /root/.config/autostart failed, ignoring: Permission denied
  - /root/.config/systemd/user.control, ignoring: Permission denied
  - /root/.config/systemd/user, ignoring: Permission denied
  - /root/.local/share/systemd/user, ignoring: Permission denied
  - Invalid XDG_CONFIG_HOME directory /root/.config, program may behave incorrectly.
- It happens to freshly created users (such as guest), while my main user is able to log into GUI (`echo $USER` returns correctly the user)

Where can possibly be the problem?

- `/etc/profile` is default, `-rw-r--r-- root root`
- `/etc/bash.bashrc` is default, `-rw-r--r-- root root`
- `id`: `uid=0(root) gid=0(root) groups=0(root)`
- `id guest`: `uid=1002(guest) gid=1004(guest) groups=1004(guest)`
- `getent passwd guest`: `guest:x:1002:1004::/home/guest:/bin/bash`
- `echo $HOME`: `/root` (account was created by `useradd -m guest`, folder `/home/guest` was created automatically)
- `grep ^guest /etc/passwd`: `guest:x:1002:1004::/home/guest:/bin/bash`
- `ls -l /etc/passwd`: `-rw-r--r-- 1 root root 2002 Aug 13 15:43 /etc/passwd`
- `paccheck --file-properties --quiet | grep permission`: `shadow: /usr/bin/newuidmap permission mismatch (expedted 4755)`
- Arch linux, xfce, Intel CPU/GPU
Sebastian (133 rep)
Aug 13, 2022, 02:35 PM • Last activity: Aug 13, 2022, 06:36 PM
3 votes
2 answers
14595 views
Why Service accounts in Linux and Unix Systems?
I have a question regarding Linux and Unix non-user service accounts. We know there are user accounts in Linux, what are (non-user) service accounts such as daemon, news, bin, etc. used for? `$cat /etc/passwd | more` reveals all the user and non-user accounts. Why has `bin` been assigned a service account? Is this by design, or does it serve a special purpose? **Last question:** Is this true in the Microsoft operating system environment (Server 2003 or 2008)?
Ali (31 rep)
Apr 29, 2014, 03:13 PM • Last activity: Jun 20, 2022, 08:32 AM
0 votes
1 answers
156 views
Offline setting account expiration
I need to set up an account inactivity expiration date (e.g. 1 year). As shown in some tutorials, a way of doing so is to use the `usermod` command. Due to some constraints, I need to do so offline, modifying some configuration file before running my embedded (`poky`) distro. What changes in which configuration file should I apply to have the same effects of such `usermod` command?
EagleOne (433 rep)
Mar 9, 2022, 09:05 AM • Last activity: Mar 9, 2022, 09:23 AM
1 votes
0 answers
545 views
PAM guru help to interpret system-auth password-auth RHEL 7
I have a RHEL 7.9 system which currently has identical `system-auth` and `password-auth` files located under `/etc/pam.d/`. That file is
```
auth        required      pam_faillock.so preauth audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
#password   requisite     pam_pwquality.so local_users_only retry=3 minlen=12 gecoscheck maxrepeat=3
password    requisite     pam_pwquality.so local_users_only retry=3 gecoscheck maxrepeat=3
password    required      pam_pwhistory.so remember=5 use_authtok
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
```
- can someone explain in understandable English what all is really happening?
- is there any bad or incorrect items?
- is the `minlen=12` and `maxrepeat=3` of any purpose when they are defined in `/etc/security/pwquality.conf` { and `/etc/login.defs` for minlen } ?
ron (8647 rep)
Oct 28, 2021, 07:19 PM
3 votes
2 answers
5865 views
Warn about password expiration without forcing change
It's pretty simple. I would like to figure out what combination of changes in `/etc/login.defs` and/or `/etc/pam.d/system-auth-ac` I would need to perform to allow the following behavior:

- I want a user's password to be valid for 60 days.
- After 60 days, the system needs to yell at the user when they log in, telling them they need to change their password ASAP.
- The system must not impede the user's access to the system.
- This must apply to existing users (non-system accounts, UID >=500) as well as any newly-created users.

Rationale: Limited users will not be managing the system account passwords, only system admin(s). Therefore, users should not have their access to the system impeded because the admin missed a password change. The number of accounts is rather small (maybe 9 or 10), but we're all human and we forget to do stuff from time to time.

I'm not sure if login.defs or PAM offer this. The documentation leads me to believe that you can either have the system force the user to change their password when it expires, or you can have the password not age at all. A third option is to have the password age limit set to some huge amount, like 9,999 days, and then start warning the user that their password will expire in 9,936 days, but that's not really what I need either.

I've done other kinds of PAM configuration, so it's not my first trip around the block. I'm just stuck on this problem. So, can this be done with PAM/login.defs, or do I need another utility that can take their place?
the_non-guru_guru (31 rep)
Dec 30, 2014, 01:53 PM • Last activity: Oct 19, 2021, 04:07 AM
1 votes
0 answers
865 views
passwd -S Alternate authentication scheme in use
In RHEL 7.9, I do `passwd -S` on all accounts in `/etc/passwd` as part of checking user accounts.
```
# passwd -S
root PS 1969-12-30 0 99999 7 -1 (Password set, SHA512 crypt.)
bin LK 2019-08-22 0 99999 7 -1 (Alternate authentication scheme in use.)
daemon LK 2019-08-22 0 99999 7 -1 (Alternate authentication scheme in use.)
adm LK 2019-08-22 0 99999 7 -1 (Alternate authentication scheme in use.)
lp LK 2019-08-22 0 99999 7 -1 (Alternate authentication scheme in use.)
sync LK 2019-08-22 0 99999 7 -1 (Alternate authentication scheme in use.)
shutdown LK 2019-08-22 0 99999 7 -1 (Alternate authentication scheme in use.)
halt LK 2019-08-22 0 99999 7 -1 (Alternate authentication scheme in use.)
mail LK 2019-08-22 0 99999 7 -1 (Alternate authentication scheme in use.)
operator LK 2019-08-22 0 99999 7 -1 (Alternate authentication scheme in use.)
games LK 2019-08-22 0 99999 7 -1 (Alternate authentication scheme in use.)
ftp LK 2019-08-22 0 99999 7 -1 (Alternate authentication scheme in use.)
nobody LK 2019-08-22 0 99999 7 -1 (Alternate authentication scheme in use.)
systemd-network LK 2021-06-10 -1 -1 -1 -1 (Password locked.)
dbus LK 2021-06-10 -1 -1 -1 -1 (Password locked.)
polkitd LK 2021-06-10 -1 -1 -1 -1 (Password locked.)
libstoragemgmt LK 2021-06-10 -1 -1 -1 -1 (Password locked.)
ron PS 2021-09-06 1 90 14 5 (Password set, SHA512 crypt.)
```
This is a clean install of RHEL 7.9 x86-64 from dvd. Above is an excerpt from doing `passwd -S` on all accounts in `/etc/passwd`. Can someone enlighten me what `(Alternate authentication scheme in use.)` means and if it would be prudent to perform some kind of `passwd` or `chage` command (and if so what) on those accounts? Basically I am anticipating during an audit the *show me how you secure and manage user accounts* question so I explain *I do passwd -S on all accounts in /etc/passwd* but how do I explain away the *Alternate authentication scheme in use*? fwiw, I am doing `chage -m 1 -M 90 -W 14 -I 5` on all my regular user accounts.
ron (8647 rep)
Oct 7, 2021, 07:15 PM
0 votes
1 answers
4779 views
What can a id_rsa.pub file be used for?
What can the id_rsa.pub file be used for? I am working in machine A. I need to have an account in machine B. Another user from my team asked me for my id_rsa.pub (from machine A I suppose) so that he can create a user for me in machine B. Does this make sense? Is id_rsa.pub necessary for this? If so, what does it do?
KansaiRobot (185 rep)
Oct 5, 2021, 02:07 AM • Last activity: Oct 5, 2021, 08:27 AM
7 votes
1 answers
71544 views
reset failed login count / unlock aix/UNIX account
As system administrator it is necessary to lock / unlock users or to reset failed login count. Let's look at how we can perform lock / unlock users or to reset on UNIX/AIX
user266746
May 12, 2018, 06:11 AM • Last activity: Sep 9, 2021, 02:38 PM