FreeBSD user accounts – Introduction.
Many bare metal machine or virtual private servers (VPS) deployments, especially development servers, require many users to operate. Where no remote authentication systems are available, like radius or Ldap, they need to be added manually.
This guide discusses adding new users in FreeBSD and deleting, changing, and displaying their settings. It also discusses how to enforce password quality control of users’ passwords using the pam_passwdqc – password quality control PAM module in FreeBSD.
FreeBSD uses an interactive method of adding new users adduser and a one-command method using pw to create, delete, show, and manipulate system users (NIS, LDAP, and Radius users are unaffected).
Before we begin, we must ensure root or sudo access to the system; otherwise, FreeBSD does not allow new user creation.
FreeBSD adds a new user – adduser interactive method.
The first method of adding users in FreeBSD is the adduser interactive command:
$ adduser Username: vpsie1 Full name: Vpsie test user 1 Uid (Leave empty for default): ^C [[email protected] ~]$ adduser Username: vpsie1 Full name: FreeBSD VPSie user 1 Uid (Leave empty for default): Login group [vpsie1]: Login group is vpsie1. Invite vpsie1 into other groups? : Login class [default]: Shell (sh csh tcsh bash rbash git-shell nologin) [sh]: bash Home directory [/home/vpsie1]: Home directory permissions (Leave empty for default): Use password-based authentication? [yes]: Use an empty password? (yes/no) [no]: Use a random password? (yes/no) [no]: Enter password: Enter password again: Lock out the account after creation? [no]: Username : vpsie1 Password : ***** Full Name : FreeBSD VPSie user 1 Uid : 1004 Class : Groups : vpsie1 Home : /home/vpsie1 Home Mode : Shell : /usr/local/bin/bash Locked : no OK? (yes/no): y adduser: INFO: Successfully added (vpsie1) to the user database. Add another user? (yes/no): n Goodbye!
Let’s look at the options we have when we add a new FreeBSD user with the adduser command:
Full name of the new user.
User ID. If left blank, it will be assigned its uid starting in the range 1000+.
User login group. At this step, the new user can be added to an existing login group or, if left blank, a new group having the same name as the user. We also can add new users to other groups.
Login class. FreeBSD login classes are restrictive security groups that limit users’ utilized resources, password format, and more. For more details, look at /etc/login—conf file or man login. Conf.
The following options are self-explanatory, but they still need to be read carefully.
FreeBSD adds a new user – one command.
The second method is the pw command. Here are all suitable options from man pw:
pw [-V etcdir] useradd [name|uid] [-C config] [-q] [-n name] [-u uid] [-c comment] [-d dir] [-e date] [-p date] [-g group] [-G grouplist] [-m] [-M mode] [-k dir] [-w method] [-s shell] [-o] [-L class] [-h fd | -H fd] [-N] [-P] [-Y] The following options apply to the useradd and usermod commands: -n name Specify the user/account name. -u uid Specify the user/account numeric id. -c comment This field sets the contents of the passwd GECOS field, which normally contains up to four comma-separated fields containing the user's full name, office or location, and work and home phone numbers. -d dir This option sets the account's home directory. Normally, you will only use this if the home directory is to be dif- ferent from the default determined from /etc/pw.conf - nor- mally /home with the account name as a subdirectory. -e date Set the account's expiration date. -g group Set the account's primary group to the given group. group may be defined by either its name or group number. -G grouplist Set additional group memberships for an account. grouplist is a comma, space or tab-separated list of group names or group numbers. -L class This option sets the login class for the user being cre- ated. See login.conf(5) and passwd(5) for more information on user login classes. -m This option instructs pw to attempt to create the user's home directory. -s shell Set or changes the user's login shell to shell. -h fd This option provides a special interface by which interac- tive scripts can set an account password using pw. Because the command line and environment are fundamentally insecure mechanisms by which programs can accept information, pw will only allow setting of account and group passwords via a file descriptor (usually a pipe between an interactive script and the program). sh, bash, ksh and perl all pos- sess mechanisms by which this can be done. Alternatively, pw will prompt for the user's password if -h 0 is given, nominating stdin as the file descriptor on which to read the password. Note that this password will be read only once and is intended for use by a script rather than for interactive use. If you wish to have new password confir- mation along the lines of passwd(1), this must be imple- mented as part of an interactive script that calls pw.
Let’s construct the one-line command for adding the new user:
$ sudo pw useradd -n newuser -e 01-09-2018 -m -s /usr/local/bin/bash -h 0 -L default -c "New user on FreeBSD" password for user newuser:
You will be prompted to provide the new user’s password.
Enforce user password policy in FreeBSD.
To enforce the password strength policy in FreeBSD, we must enable and configure PAM pam_passwdqc.so (password quality control) module in file cat /etc/pam.d/passwd by uncommenting it. Before defining a password policy, the man pam_passwdqc should be consulted for more information on building a password policy in FreeBSD. Example below:
$ sudo cat /etc/pam.d/passwd password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny ask_oldauthtok enforce=users password required pam_unix.so no_warn try_first_pass nullok
The above enforces the following:
– forces old passwords to be entered AND
– 12 characters if they are from 3 character classes OR
– 10 characters if they are from 4 character classes AND
– denies new password if it is similar to old one AND
– enforce the above restrictions for non-root users.
FreeBSD: Display user information
$ sudo pw usershow newuser newuser:*:1005:1005:default:0:1535756400:New user on FreeBSD:/home/newuser:/usr/local/bin/bash
Locking and unlocking users in FreeBSD
The fastest way to keep a user from logging into the system is changing their password, but the safest approach is to lock the user account without removing it, and it’s a directory:
$ sudo pw lock newuser $ sudo su - newuser su: Sorry
FreeBSD passwords are kept in /etc/master. passwd file. By sealing a user, the system will add a *LOCKED* string in front of the password hash:
Similarly, to unlock the user:
$ sudo pw unlock newuser
How to remove a system user in FreeBSD
There are at least four ways to delete system users in FreeBSD, but I will show here an example based on the pw command and the user del option. If you know the name of the user intended for removal, use the below command:
$ sudo pw userdel -n newuser
This should provide a basic understanding of user management under FreeBSD. Please post your comments if you disagree or wish to request a tutorial.
You can create this setup on our platform in a few minutes utilizing our PCS (Private Cloud Solution), which allows you to have VPSie(s) on a private network – NAT – Port forward – traffic control for inbound and outbound – multiple gateway IPs which you could use for the load-balancing and failover.
Linux wget and HTTP authentication
To add a new user in FreeBSD, you can use the add-user command. For example, to add a user named “jdoe,” you would enter adduser jdoe. The command will prompt you to enter information like the user’s full name, password, and group membership.
To change a user’s password in FreeBSD, you can use the passwd command followed by the username. For example, to change the password for the user “jdoe”, you would enter passwd jdoe. You will be prompted to enter and confirm the new password.
To delete a user in FreeBSD, you can use the pw command followed by the delete option and the username. For example, to delete the user “jdoe,” you would enter pw delete jdoe. Note that this will also delete the user’s home directory and any files owned by the user.
To change a user’s group membership in FreeBSD, you can use the pw command followed by the usermod option, the -G option, and a comma-separated list of groups. For example, to add the user “jdoe” to the “wheel” and “staff” groups, you would enter pw usermod jdoe -G wheel, staff.
To list all users in FreeBSD, you can use the pw command followed by the usershow option and the -a option. For example, to list all users, you would enter pw usershow -a. This will display user information, including usernames, UIDs, home directories, and group membership.
To change a user’s shell in FreeBSD, you can use the chsh command followed by the username. For example, to change the shell for the user “jdoe” to the “tcsh” shell, you would enter chsh -s /usr/local/bin/tcsh jdoe. Note that you may need to install the desired shell first if it still needs to be installed.