aix 用户、组、及安全管理
文件位置
/etc/passwd #存放用户账号
/etc/group #存放组账号
useradd 用法
Syntax
useradd [ -c comment ] [ -d dir ] [ -e expire ] [ -g group ] [ -G
group1,group2 ... ] [ -m [ -k skel_dir ] ] [ -u uid ] [ -s shell ] [ -r
role1,role2 ... ] login
1、创建用户账号
useradd testuser #新增testuser,默认不增加/home/testuser目录
如新增加的用户,但是没有设置密码,/etc/passwd的第二个字段会显示*号, 设置密码后会显示!号
passwd testuser #设置testuser密码
2、创建用户账号并创建home下的用户目录
useradd -m testuser
3 创建用户账号并使用bash为登陆运行的shell(前提已安装bash)
useradd -s /usr/bin/bash testuser
注: 也可以使用smit mkuser 新增用户 smit mkuser
4更改账号
usermod -l newuser username #更改用户名
也可以 smit chuser 命令更改
5、删除用户
userdel -r testuser # -r 指删除用户home目录的用户文件夹
userdel -r
Removes the user's home directory.
smit rmuser
6、显示用户账号
smit lsuser
7、锁定用户账号与解锁
smit lockuser
选择用户后, true锁定用户。 登陆时会有以下提示。
AIX Version 6
Copyright IBM Corporation, 1982, 2009.
login: usert1
usert1's Password:
3004-301 Your account has been locked; please see the system administrator.
组管理
创建新组
smit mkgroup
Add a Group
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
[Entry Fields]
* Group NAME []
ADMINISTRATIVE group? false +
Group ID [] #
USER list [] +
ADMINISTRATOR list [] +
Projects [] +
Initial Keystore Mode [] +
Keystore Encryption Algorithm [] +
Keystore Access [] +
F1=Help F2=Refresh F3=Cancel F4=List
F5=Reset F6=Command F7=Edit F8=Image
F9=Shell F10=Exit Enter=Do
组的更改
smit chgroup
Change Group Attributes
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
[Entry Fields]
Group NAME [groupt]
Group ID [201] #
ADMINISTRATIVE group? false +
USER list [] +
ADMINISTRATOR list [root] +
Projects [] +
Initial Keystore Mode [] +
Keystore Encryption Algorithm [] +
Keystore Access [] +
F1=Help F2=Refresh F3=Cancel F4=List
F5=Reset F6=Command F7=Edit F8=Image
F9=Shell F10=Exit Enter=Do
组的删除
smit rmgroup
查看用户与组状态
显示当前登陆用户状态
-bash-3.2# id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
查看指定用户的状态
-bash-3.2# id usert
uid=209(usert) gid=1(staff)
查看当前登陆用户信息 who命令
查看系统最近的启动时间
-bash-3.2$ who -b
. system boot Nov 06 14:53
查看当前启动级别
-bash-3.2$ who -r
. run-level 2 Nov 06 14:53 2 0 S
显示标题
-bash-3.2$ who -H
Name Line Time Hostname
kim pts/0 Nov 06 20:12 (99.99.99.254)
显示终端号
-bash-3.2$ who -T
kim + pts/0 Nov 06 20:12
root + pts/1 Nov 06 22:06
kim + pts/2 Nov 06 22:07
-bash-3.2$ w
10:08PM up 7:15, 3 users, load average: 0.03, 0.10, 0.08
User tty login@ idle JCPU PCPU what
kim pts/0 08:12PM 0 3 0 w
root pts/1 10:06PM 2 0 0 -bash
kim pts/2 10:07PM 1 0 0 -bash
查看当前终端所登陆用户的信息(也就是可以确定当前的终端号)
-bash-3.2$ who -m
kim pts/0 Nov 06 20:12 (99.99.99.254)
等同 who am i
-bash-3.2$ who am i ;who -m
root pts/1 Nov 06 22:06 (99.99.99.254)
root pts/1 Nov 06 22:06 (99.99.99.254)
whoami (如果用户su后,所以显示是当前用户,并不是当前终端登陆的用户。)
查看当前用户账号信息
看下面的操作与显示就明白(telnet 时输入的用户名kim)。
-bash-3.2$ who -m ;echo "----";who am i
kim pts/0 Nov 06 22:32 (99.99.99.254)
----
kim pts/0 Nov 06 22:32 (99.99.99.254)
-bash-3.2$ whoami
kim
-bash-3.2$ su - root
root's Password:
-bash-3.2# who -m ;echo "----";who am i
kim pts/0 Nov 06 22:32 (99.99.99.254)
----
kim pts/0 Nov 06 22:32 (99.99.99.254)
-bash-3.2# whoami
root
与其它终端的用户对话
-bash-3.2$ talk kim@localhost pts/2
用户账号切换su
su 的日志文件
-bash-3.2# tail /var/adm/sulog
SU 11/06 19:14 + pts/0 kim-root
SU 11/06 19:16 + pts/0 kim-root
SU 11/06 19:18 + pts/0 kim-root
SU 11/06 20:12 + pts/0 kim-root
SU 11/06 20:18 + pts/0 root-usert5
SU 11/06 22:06 + pts/1 root-kim
SU 11/06 22:15 + pts/1 root-kim
SU 11/06 22:18 + pts/1 root-kim
SU 11/06 22:20 + pts/1 kim-root
SU 11/06 22:33 + pts/0 kim-root
必要时可能清空该文件
>/var/adm/sulog
组,用户安全管理
/etc/security/passwd 文件存放用户账号的密码。
-bash-3.2# head -n 10 /etc/security/passwd
root:
password = xdq5doH57hC6c
lastupdate = 1352230576
daemon:
password = *
passwd -s 更改用户使用的shell
-bash-3.2$ passwd -s
Current available shells:
/usr/bin/bash
/bin/sh
/bin/bsh
/bin/csh
/bin/ksh
/bin/tsh
/bin/ksh93
/usr/bin/sh
/usr/bin/bsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tsh
/usr/bin/ksh93
/usr/bin/rksh
/usr/bin/rksh93
/usr/sbin/uucp/uucico
/usr/sbin/sliplogin
/usr/sbin/snappd
kim's current login shell:
/usr/bin/bash
Change (yes) or (no)? > yes
To?>/usr/bin/bash
pwdadm命令的使用
更改用户密码
-bash-3.2# pwdadm usert
Changing password for "usert"
usert's New password:
Enter the new password again:
设置用户自身不能更改密码(属性ADMIN)
-bash-3.2# pwdadm -f ADMIN kim
-bash-3.2# pwdadm -q kim
kim:
lastupdate = 1352236213
flags = ADMIN
-bash-3.2# passwd kim
Changing password for "kim"
kim's New password:
Enter the new password again:
-bash-3.2# su - kim
-bash-3.2$ passwd
Changing password for "kim"
3004-664 You are not authorized to change "kim's" password.
3004-709 Error changing password for "kim" : You do not have permission.
-bash-3.2# pwdadm -c kim
-bash-3.2# pwdadm -q kim
kim:
lastupdate = 1352351804
pwdadm -c user 清除用户所有的密码标志
pwdadm -q user 查询用户密码的状态
pwdadm -f ADMIN|ADMCHG|NOCHECK user 设置用户的三个密码属性
ADMIN 表示用户不能自己设置密码
ADMCHG 强制用户在下次登陆login|su时更改密码
NOCHECK 表示新密码不需要遵/etc/security/user的密码组合规则
pwdck 命令检查本地账户认证信息的正确性
/etc/security/user 文件主要控制用户账号的参数设置,如密码的个数,密码的使用周期,设定umask等 。
default:
admin = false
login = true
su = true #是否可以使用su命令
daemon = true
rlogin = true #是否可以使用telnet 登陆
sugroups = ALL
admgroups =
ttys = ALL
auth1 = SYSTEM
auth2 = NONE
tpath = nosak
umask = 022
expires = 0
/etc/security/group 文件对组进行安全性管理,设置组是否为管理员组。
-bash-3.2# head -n 10 /etc/security/group
system:
admin = true
staff:
admin = false
bin:
admin = true
/etc/security/login.cfg 文件控制用户登陆与身份验证的信息,控制用户登陆使用shell的方式,在多长时间输入密码等。
-bash-3.2# cat /etc/security/login.cfg|grep -v '*'
default:
sak_enabled = false
logintimes =
logindisable = 0
logininterval = 0
loginreenable = 0
logindelay = 0
usw:
shells = /usr/bin/bash,/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd
maxlogins = 32767
logintimeout = 60
maxroles = 8
auth_type = STD_AUTH
/etc/security/limits 为每个用户指定进程资源,如内存,cpu的使用时间等。
-bash-3.2# cat /etc/security/limits|grep -v '*'
default:
fsize = 2097151
core = 2097151
cpu = -1
data = 262144
rss = 65536
stack = 65536
nofiles = 2000
/etc/security/lastlog 主要记录用户账号上次登陆系统的信息。如上次成功登陆的时间,登陆的IP等。
-bash-3.2# cat /etc/security/lastlog |grep -v '*'
root:
time_last_login = 1352261160
tty_last_login = /dev/pts/1
host_last_login = 99.99.99.254
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1352234585
tty_last_unsuccessful_login = /dev/pts/0
host_last_unsuccessful_login = 99.99.99.254
kim:
time_last_login = 1352427960
tty_last_login = /dev/pts/0
host_last_login = 99.99.99.254
unsuccessful_login_count = 0
/etc/motd 显示登陆后的提示信息
本文转自 pk2008 51CTO博客,原文链接:http://blog.51cto.com/837244/1051354
免责申明:文章和图片全部来源于公开网络,如有侵权,请通知删除 server@dude6.com