Local User Accounts

These are accounts local to the host.

Local account information is stored in two files.

/etc/passwd 
/etc/shadow

Additionally, group information is saved in the following two files.

/etc/group
/etc/gshadow

/etc/passwd 1

The /etc/passwd file is a plain text file in which each line describes a single user account. The fields are separated by a colon (:), and there are seven fields in each row 2.

[tlasso@rhel-richmondfc ~]$ cat /etc/passwd | grep tlasso
tlasso:x:1000:1001:tlasso:/home/tlasso:/bin/bash
[tlasso@rhel-richmondfc ~]$
  1. Username: The login name of the user.
  2. Password: An x character indicates that the password hash is stored in the /etc/shadow file.
  3. User ID (UID): A unique numeric ID assigned to the user.
  4. Group ID (GID): The ID of the user's primary group.
  5. User ID Info: Additional descriptive user information.
  6. Home Directory: The user's home directory.
  7. Command/shell: Typically a login shell. If the account should not have interactive logon privileges, this can be set to /sbin/nologin.

/etc/shadow 3

The /etc/shadow file contains one entry per line for each user account on the system. Each entry consists of several fields separated by colons (:). The fields include the username, the password hash, and account-related information such as password aging, account expiration, and account locking. Unlike /etc/passwd, this file is readable only by root.

The password field in /etc/shadow holds a salted hash of the user's password, not the password itself ("encrypted password" is the traditional name for this crypt(3) output). When a user attempts to log in, the system hashes the entered password with the same algorithm and salt and compares the result with the hash stored in /etc/shadow. If the hashes match, the user is granted access.

[tlasso@rhel-richmondfc ~]$ sudo cat /etc/shadow | grep tlasso
tlasso:$6$jP1ap6xJUfvAgVjH$JxTdfXUOIqbpa3FpgALilTJvGnUfuUcDn8Qz.cxBf6yrFjo2332IHsCkHtg9QCHM7A4p9EcOZn.tXBWYK3RVO0::0:99999:7:::
  1. Username: The user name of the user.
  2. Password: Encrypted password in hash format.
  3. Last password change date: An integer number of days since the Unix epoch. 0 indicates that the user must change the password at next logon. An empty value indicates that password aging is disabled. A value greater than 0 is the date of the last password change, expressed as days since the Unix epoch.
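
The following is an added example, not code from the original page, that parses the /etc/passwd and /etc/shadow formats described in the two sections above and runs a few checks a defender would want: duplicate UID 0 accounts, empty password fields combined with an interactive shell, and expired passwords or accounts. The sample lines are constructed (the two tlasso lines are copied from the page, the rest are invented), `TODAY` is fixed to the date of the page's output so the result is reproducible, and the audit rules are this example's own choices rather than a RHEL baseline. The `$6$` prefix on the page's hash identifies the sha512crypt scheme; the classifier only inspects that prefix and never attempts to reverse a hash.

```python
"""Parse /etc/passwd and /etc/shadow entries and run a few defender-side checks.
Added example; not code from the original page. Sample lines are constructed
(the two tlasso lines copy the page), audit rules are this example's own."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

EPOCH = date(1970, 1, 1)
# crypt(3) scheme identifiers found between the first two "$" of a shadow hash.
HASH_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
NO_LOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")

@dataclass
class PasswdEntry:               # the seven colon-separated fields of /etc/passwd
    name: str
    password: str                # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

@dataclass
class ShadowEntry:               # the first eight of the nine fields of /etc/shadow
    name: str
    hash: str
    last_change: Optional[int]   # days since epoch; 0 = must change; None = aging off
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[int]        # days since epoch on which the account expires

def _opt_int(s: str) -> Optional[int]:
    return int(s) if s != "" else None      # empty field = feature disabled

def parse_passwd_line(line: str) -> PasswdEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 7:
        raise ValueError(f"expected 7 fields, got {len(f)}: {line!r}")
    return PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])

def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    return ShadowEntry(f[0], f[1], *(_opt_int(x) for x in f[2:8]))   # f[8] is reserved

def hash_algorithm(h: str) -> str:
    """Classify the shadow password field; nothing here reverses a hash."""
    if h == "":
        return "empty"                      # no password required at all
    if h.startswith(("!", "*")):
        return "locked"                     # "!", "!!", "*" or a "!"-prefixed hash
    if h.startswith("$"):
        ident = h.split("$")[1]
        return HASH_IDS.get(ident, f"unknown crypt id {ident}")
    return "legacy DES crypt"

def audit(passwd_lines: List[str], shadow_lines: List[str], today: int) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs; `today` is in days since the Unix epoch."""
    findings = []
    shadows = {s.name: s for s in map(parse_shadow_line, filter(str.strip, shadow_lines))}
    for u in map(parse_passwd_line, filter(str.strip, passwd_lines)):
        if u.uid == 0 and u.name != "root":
            findings.append((u.name, "UID 0 account other than root"))
        if u.password != "x":
            findings.append((u.name, "password field not shadowed"))
        s = shadows.get(u.name)
        if s is None:
            findings.append((u.name, "no /etc/shadow entry"))
            continue
        if hash_algorithm(s.hash) == "empty" and u.shell not in NO_LOGIN_SHELLS:
            findings.append((u.name, "empty password with an interactive shell"))
        if s.last_change == 0:
            findings.append((u.name, "password change forced at next login"))
        if s.last_change and s.max_days is not None and s.last_change + s.max_days < today:
            findings.append((u.name, "password expired"))
        if s.expire is not None and s.expire < today:
            findings.append((u.name, f"account expired on {EPOCH + timedelta(days=s.expire)}"))
    return findings

# Constructed sample: the page's tlasso account plus two suspicious entries.
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "tlasso:x:1000:1001:tlasso:/home/tlasso:/bin/bash",
    "backup:x:0:0:backup:/root:/bin/bash",              # second UID-0 account
    "svc:x:1002:1002:service:/var/svc:/sbin/nologin",   # expired service account
]
SHADOW = [
    "root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19500:0:99999:7:::",
    "tlasso:$6$jP1ap6xJUfvAgVjH$JxTdfXUOIqbpa3FpgALilTJvGnUfuUcDn8Qz.cxBf6yrFjo2332IHsCkHtg9QCHM7A4p9EcOZn.tXBWYK3RVO0::0:99999:7:::",
    "backup::19000:0:99999:7:::",                        # empty hash, interactive shell
    "svc:!!:19000:0:90:7::19400:",                       # locked, but max_days and expiry passed
]
TODAY = 19540   # days since epoch = 2023-07-02, the date of the page's lastlog output

def run_audit() -> List[Tuple[str, str]]:
    return audit(PASSWD, SHADOW, today=TODAY)
```

On a real host the two lists would come from reading /etc/passwd and /etc/shadow (the latter as root), and `today` from `(date.today() - EPOCH).days`. The tlasso entry produces no finding because its empty third field disables aging, exactly as item 3 above describes.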

/etc/group 4

The /etc/group file contains a list of groups, one entry per line. Each line is colon delimited and contains four fields.

[tlasso@rhel-richmondfc ~]$ sudo cat /etc/group | grep tlasso
wheel:x:10:tlasso
coaching-staff:x:1000:tlasso
  1. Group name: Name of the group
  2. Group Password: When this field is set to x, the group password, if any, is kept in /etc/gshadow and is required to join the group.
  3. Group Id (GID): A numeric group id
  4. Member List: The list of users that belong to the group, separated by commas.

/etc/gshadow 5

The /etc/gshadow file contains the encrypted group password, the group membership and the group administrator information. It holds one entry per group per line, colon delimited, and lists the members of the group in a comma-separated list.

[tlasso@rhel-richmondfc ~]$ sudo cat /etc/gshadow | grep tlasso
wheel:::tlasso
coaching-staff:!::tlasso 
  1. Group name: Name of the group
  2. Encrypted password: Group password
  3. Group administrators: Comma delimited list of users. Add or remove from this list using the gpasswd command.
  4. Group members: Non-admin group members.
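
As an added example that is not code from the original page, the script below parses the /etc/group and /etc/gshadow formats from the two sections above and cross-checks them: a member list that differs between the two files is a sign that one of them was edited by hand rather than through gpasswd or usermod, which keep both in sync. It also reports who is in groups that typically confer elevated rights (on RHEL, wheel members are usually granted sudo) and who has been made a group administrator. The sample lines are constructed around the page's wheel and coaching-staff groups; the docker lines, the rkent user and the `PRIVILEGED` set are this example's own assumptions.

```python
"""Cross-check /etc/group against /etc/gshadow and list privileged-group members.
Added example; not code from the original page. Sample lines are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

# Groups whose membership grants elevated access on a typical host (assumption).
PRIVILEGED = {"root", "wheel", "sudo", "docker"}

def _members(field: str) -> List[str]:
    return [m for m in field.split(",") if m]   # "" -> [], not [""]

@dataclass
class GroupEntry:            # /etc/group: name:password:gid:members
    name: str
    password: str            # "x" = password kept in /etc/gshadow
    gid: int
    members: List[str]

@dataclass
class GshadowEntry:          # /etc/gshadow: name:password:admins:members
    name: str
    password: str
    admins: List[str]
    members: List[str]

def parse_group_line(line: str) -> GroupEntry:
    name, pw, gid, members = line.rstrip("\n").split(":")   # exactly four fields
    return GroupEntry(name, pw, int(gid), _members(members))

def parse_gshadow_line(line: str) -> GshadowEntry:
    name, pw, admins, members = line.rstrip("\n").split(":")
    return GshadowEntry(name, pw, _members(admins), _members(members))

def group_password_state(pw: str) -> str:
    """Interpret the gshadow password field the way newgrp(1) treats it."""
    if pw == "":
        return "no password"        # only listed members may switch into the group
    if pw.startswith(("!", "*")):
        return "locked"             # same effect, explicitly disabled
    return "password set"           # a crypt(3) hash: non-members may newgrp with it

def cross_check(group_lines: List[str], gshadow_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (group, finding) pairs worth a reviewer's attention."""
    findings = []
    groups = {g.name: g for g in map(parse_group_line, filter(str.strip, group_lines))}
    shadows = {s.name: s for s in map(parse_gshadow_line, filter(str.strip, gshadow_lines))}
    for name, g in groups.items():
        if g.password != "x":
            findings.append((name, "group password not shadowed"))
        s = shadows.get(name)
        if s is None:
            findings.append((name, "no /etc/gshadow entry"))
        elif set(g.members) != set(s.members):
            findings.append((name, f"member mismatch: group={g.members} gshadow={s.members}"))
        if name in PRIVILEGED and g.members:
            findings.append((name, f"privileged group members: {','.join(g.members)}"))
        if s is not None and s.admins:
            findings.append((name, f"group administrators: {','.join(s.admins)}"))
    for name in shadows.keys() - groups.keys():
        findings.append((name, "gshadow entry without a group entry"))
    return findings

# Constructed sample: the page's two groups plus an inconsistent docker group.
GROUP = [
    "root:x:0:",
    "wheel:x:10:tlasso",
    "coaching-staff:x:1000:tlasso",
    "docker:x:990:tlasso,rkent",     # rkent appears here only
]
GSHADOW = [
    "root:::",
    "wheel:::tlasso",
    "coaching-staff:!::tlasso",
    "docker:!:tlasso:tlasso",        # tlasso is also a group administrator
]

def run_check() -> List[Tuple[str, str]]:
    return cross_check(GROUP, GSHADOW)
```

The NSS lookup that decides effective group membership reads /etc/group, so the mismatch finding tells you which file the host is actually honouring; the empty versus `!` password fields on the page's two groups both resolve to "no password is usable", which is what `group_password_state` reports.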

/var/log/lastlog

The /var/log/lastlog file contains the record of the last login time for each user, indexed by user ID (UID). The lastlog command may be used to display its contents.

[tlasso@rhel-richmondfc Documents]$ lastlog
Username         Port     From                                       Latest
root             pts/0                                              Wed Jun 14 02:53:13 -0400 2023
bin                                                                 **Never logged in**
daemon                                                              **Never logged in**
... ... ...
adm                                                                 **Never logged in**
gdm              tty1                                               Sun Jul  2 12:04:28 -0400 2023
tlasso           tty2                                               Sun Jul  2 12:04:37 -0400 2023

The lastlog file is binary and stores the most recent logon of each local user account. Each logon record is 292 bytes and the file is indexed by UID, so to locate a user's record you seek to pos = 292 * UID. For a user with UID=1000 that is 292 * 1000 = 292000, which in hexadecimal is 000474a0; this is where the user's logon record begins. Within the record, the first 4 bytes hold the timestamp of the last logon (seconds since the Unix epoch, little-endian), the next 32 bytes hold the terminal line, and the remaining 256 bytes hold the host the logon came from. In the dump below, root's record at offset 0 starts with the timestamp bytes d9 63 89 64 followed by the line pts/0, and tlasso's record at 000474a0 starts with 15 a0 a1 64 followed by tty2.
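
The following added example (not code from the original page) reads lastlog records straight from that binary layout instead of going through the lastlog command, which is what you need when examining a file copied off a host during an investigation. The layout assumed is glibc's struct lastlog on x86_64: a 32-bit `ll_time`, a 32-byte `ll_line` and a 256-byte `ll_host`, 292 bytes in native little-endian order. The sample image is constructed from the three records visible in the hexdump on this page (root at offset 0, gdm at UID 42, tlasso at UID 1000); their timestamps decode to the times shown in the lastlog output above.

```python
"""Read /var/log/lastlog records directly from the binary layout.
Added example; not code from the original page. Layout: glibc struct lastlog
on x86_64 (int32 ll_time, char ll_line[32], char ll_host[256]), 292 bytes/UID.
The sample image is constructed from the three records in the page's hexdump."""
import struct
from datetime import datetime, timezone
from typing import Dict, List, Optional

LASTLOG = struct.Struct("<i32s256s")   # 4 + 32 + 256 = 292 bytes, little-endian
RECORD = LASTLOG.size

def record_offset(uid: int) -> int:
    """The file is sparse and indexed by UID: record N starts at 292 * N."""
    return uid * RECORD

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("latin-1")   # NUL-terminated C string

def read_record(data: bytes, uid: int) -> Optional[Dict[str, object]]:
    """Return the last-login record for `uid`, or None if the user never logged in."""
    off = record_offset(uid)
    if off + RECORD > len(data):
        return None                    # UID past the end of the file: no record yet
    t, line, host = LASTLOG.unpack_from(data, off)
    if t == 0:
        return None                    # all-zero slot: lastlog prints "**Never logged in**"
    return {
        "uid": uid,
        "time": t,
        "when": datetime.fromtimestamp(t, tz=timezone.utc).isoformat(),
        "line": _cstr(line),
        "host": _cstr(host),
    }

def logged_in_uids(data: bytes) -> List[int]:
    """Every UID that has a populated record, in UID order."""
    return [uid for uid in range(len(data) // RECORD) if read_record(data, uid) is not None]

def build_sample() -> bytes:
    """Constructed lastlog image holding the three records seen in the page's hexdump."""
    buf = bytearray(RECORD * 1001)     # room for UIDs 0..1000, all zero = never logged in
    for uid, t, line in ((0, 0x648963D9, b"pts/0"),     # root, Wed Jun 14 02:53:13 -0400 2023
                         (42, 0x64A1A00C, b"tty1"),     # gdm, offset 0x2fe8 in the dump
                         (1000, 0x64A1A015, b"tty2")):  # tlasso, offset 0x474a0
        LASTLOG.pack_into(buf, record_offset(uid), t, line, b"")   # 's' fields are NUL padded
    return bytes(buf)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for uid in logged_in_uids(data):
        r = read_record(data, uid)
        print(f"uid={uid:<6} {r['when']}  line={r['line']}  host={r['host']}")
```

Run with a path to a copied lastlog file, or with no argument to decode the constructed sample. Times are printed in UTC, so the page's -0400 values appear four hours later. Because the file is indexed by UID, its apparent size on disk is 292 * (highest UID + 1) even though most slots are zero; a system account such as nobody (UID 65534) makes the file look large without holding any more logon records.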

[tlasso@rhel-richmondfc Documents]$ hexdump -C /var/log/lastlog 
00000000  d9 63 89 64 70 74 73 2f  30 00 00 00 00 00 00 00  |.c.dpts/0.......|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00002fe0  00 00 00 00 00 00 00 00  0c a0 a1 64 74 74 79 31  |...........dtty1|
00002ff0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000474a0  15 a0 a1 64 74 74 79 32  00 00 00 00 00 00 00 00  |...dtty2........|
000474b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

User account creation

Please refer to RHEL6 documentation for details and command references for user creation.