Categories
One click apps (20 Articles)
Tutorials about the VPSie app templates
How To’s (168 Articles)
In this category goes all How To’s related to VPSie
PCS( 5 Articles)
Tutorials about different scenarios configuring VPSie private cloud
Mar 1, 2015
FreeBSD add new user and manage existing ones
FreeBSD user accounts – Introduction
Many bare metal machine or virtual private servers (VPS) deployments, especially development servers, require a high number of users to operate and where there are no remote authentication systems available like radius or Ldap, they need to be added manually. This guide discusses the steps to add new users in FreeBSD, delete, change and display their settings. It also discusses the way to enforce password quality control of users’ passwords by using the pam_passwdqc – password quality control PAM module in FreeBSD. FreeBSD uses in interactive method of adding new users adduser and one-command method using pw to create, delete, show and manipulate system users (NIS, LDAP and Radius users are not affected). Before we begin, we need to make sure we have root or sudo access to the system, otherwise FreeBSD does not allow new user creation.FreeBSD add new user – adduser interactive method
First method of adding users in FreeBSD is the adduser interactive command:$ adduser
Username: vpsie1
Full name: Vpsie test user 1
Uid (Leave empty for default): ^C
[[email protected] ~]$ adduser
Username: vpsie1
Full name: FreeBSD VPSie user 1
Uid (Leave empty for default):
Login group [vpsie1]:
Login group is vpsie1. Invite vpsie1 into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash git-shell nologin) [sh]: bash
Home directory [/home/vpsie1]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username : vpsie1
Password : *****
Full Name : FreeBSD VPSie user 1
Uid : 1004
Class :
Groups : vpsie1
Home : /home/vpsie1
Home Mode :
Shell : /usr/local/bin/bash
Locked : no
OK? (yes/no): y
adduser: INFO: Successfully added (vpsie1) to the user database.
Add another user? (yes/no): n
Goodbye!FreeBSD add new user – one command
The second method is the pw command. Here are all relevant options from man pw:
pw [-V etcdir] useradd [name|uid] [-C config] [-q] [-n name] [-u uid]
[-c comment] [-d dir] [-e date] [-p date] [-g group] [-G grouplist]
[-m] [-M mode] [-k dir] [-w method] [-s shell] [-o] [-L class]
[-h fd | -H fd] [-N] [-P] [-Y]
The following options apply to the useradd and usermod commands:
-n name Specify the user/account name.
-u uid Specify the user/account numeric id.
-c comment This field sets the contents of the passwd GECOS field,
which normally contains up to four comma-separated fields
containing the user's full name, office or location, and
work and home phone numbers.
-d dir This option sets the account's home directory. Normally,
you will only use this if the home directory is to be dif-
ferent from the default determined from /etc/pw.conf - nor-
mally /home with the account name as a subdirectory.
-e date Set the account's expiration date.
-g group Set the account's primary group to the given group. group
may be defined by either its name or group number.
-G grouplist Set additional group memberships for an account. grouplist
is a comma, space or tab-separated list of group names or
group numbers.
-L class This option sets the login class for the user being cre-
ated. See login.conf(5) and passwd(5) for more information
on user login classes.
-m This option instructs pw to attempt to create the user's
home directory.
-s shell Set or changes the user's login shell to shell.
-h fd This option provides a special interface by which interac-
tive scripts can set an account password using pw. Because
the command line and environment are fundamentally insecure
mechanisms by which programs can accept information, pw
will only allow setting of account and group passwords via
a file descriptor (usually a pipe between an interactive
script and the program). sh, bash, ksh and perl all pos-
sess mechanisms by which this can be done. Alternatively,
pw will prompt for the user's password if -h 0 is given,
nominating stdin as the file descriptor on which to read
the password. Note that this password will be read only
once and is intended for use by a script rather than for
interactive use. If you wish to have new password confir-
mation along the lines of passwd(1), this must be imple-
mented as part of an interactive script that calls pw.
$ sudo pw useradd -n newuser -e 01-09-2018 -m -s /usr/local/bin/bash -h 0 -L default -c "New user on FreeBSD"
password for user newuser:Enforce user password policy in FreeBSD
To enforce password strength policy in FreeBSD, we will need to enable and configure PAM pam_passwdqc.so (password quality control) module in file cat /etc/pam.d/passwd by uncommenting it. Before defining a password policy, the man pam_passwdqc should be consulted for more information on how we can build a password policy in FreeBSD. Example below:$ sudo cat /etc/pam.d/passwd
password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny ask_oldauthtok enforce=users
password required pam_unix.so no_warn try_first_pass nullokFreeBSD: Display user information
$ sudo pw usershow newuser
newuser:*:1005:1005:default:0:1535756400:New user on FreeBSD:/home/newuser:/usr/local/bin/bashLocking and unlocking users in FreeBSD
The fastest way to keep a user from logging into the system is changing his/her password, but the safest approach is to lock the user account without removing it and it’s directory:$ sudo pw lock newuser
$ sudo su - newuser
su: Sorry
newuser:*LOCKED*$6$hjlGF5E0hvR$ sudo pw unlock newuserHow to remove a system user in FreeBSD
There are at least 4 ways to delete system users in FreeBSD, but I will show here an example based on the pw command and the userdel option. If you know the name of the user intended for removal, use the below command:$ sudo pw userdel -n newuserYou can actually create this setup on our platform in few minutes utilizing our PCS (Private Cloud Solution) which allows you to have VPSie(s) on a private network – NAT – Port forward – traffic control for inbound and outbound – multiple gateway IPs which you could use for the load-balancing and failover.