Cleaning out users - Redhat


Thread: Cleaning out users

  1. Cleaning out users

    Hi,

    I'm using Fedora Core 6. As root user, logged in remotely, how do I
    identify and delete/disable all users with remote access to the
    machine except user "root" and user "dave"?

    Thanks, - Dave

  2. Re: Cleaning out users

    laredotornado wrote:
    > Hi,
    >
    > I'm using Fedora Core 6. As root user, logged in remotely, how do I
    > identify and delete/disable all users with remote access to the
    > machine except user "root" and user "dave"?
    >
    > Thanks, - Dave


    vipw. Don't delete the system/daemon users along with root and dave.

    JR.

    --

    Bill will have to take Linux from my cold, dead flippers.

    -Tux.

  3. Re: Cleaning out users

    Johnny Rebel wrote:
    > laredotornado wrote:
    >> Hi,
    >>
    >> I'm using Fedora Core 6. As root user, logged in remotely, how do I
    >> identify and delete/disable all users with remote access to the
    >> machine except user "root" and user "dave"?
    >>
    >> Thanks, - Dave

    >
    > vipw. Don't delete the system/daemon users along with root and dave.
    >
    > JR.
    >


    Or edit /etc/ssh/sshd_config to restrict access to specific users.

    And *NO*, don't use vipw for this! It's too easy to make mistakes. If you have
    a well-defined set of users to delete, use "userdel".

  4. Re: Cleaning out users

    Nico Kadel-Garcia wrote:
    > Johnny Rebel wrote:
    >> laredotornado wrote:
    >>> Hi,
    >>>
    >>> I'm using Fedora Core 6. As root user, logged in remotely, how do I
    >>> identify and delete/disable all users with remote access to the
    >>> machine except user "root" and user "dave"?
    >>>
    >>> Thanks, - Dave

    >>
    >> vipw. Don't delete the system/daemon users along with root and dave.
    >>
    >> JR.
    >>

    >
    > Or edit /etc/ssh/sshd_config to restrict access to specific users.
    >
    > And *NO*, don't use vipw for this! It's too easy to make mistakes. If
    > you have a well-defined set of users to delete, use "userdel".


    While I understand what you are saying, it does not meet the stated
    requirement of "all users with remote access" - which covers ftp,
    telnet, smb, ssh, etc... vipwd pretty much covers this with the
    exception of 'anonymous' type logons. The only way to deal with this is
    to disable the services/config options, and/or put a firewall up.

    JR.


    --

    Bill will have to take Linux from my cold, dead flippers.

    -Tux.

  5. Re: Cleaning out users

    Johnny Rebel wrote:
    > Nico Kadel-Garcia wrote:
    >> Johnny Rebel wrote:
    >>> laredotornado wrote:
    >>>> Hi,
    >>>>
    >>>> I'm using Fedora Core 6. As root user, logged in remotely, how do I
    >>>> identify and delete/disable all users with remote access to the
    >>>> machine except user "root" and user "dave"?
    >>>>
    >>>> Thanks, - Dave
    >>>
    >>> vipw. Don't delete the system/daemon users along with root and dave.
    >>>
    >>> JR.
    >>>

    >>
    >> Or edit /etc/ssh/sshd_config to restrict access to specific users.
    >>
    >> And *NO*, don't use vipw for this! It's too easy to make mistakes. If
    >> you have a well-defined set of users to delete, use "userdel".

    >
    > While I understand what you are saying, it does not meet the stated
    > requirement of "all users with remote access" - which covers ftp,
    > telnet, smb, ssh, etc... vipwd pretty much covers this with the
    > exception of 'anonymous' type logons. The only way to deal with this is
    > to disable the services/config options, and/or put a firewall up.
    >
    > JR.


    I'm saying "don't use vipw for this". If you need to delete accounts, use
    "userdel". If you need to lock their shells, use "usermod". Hand-editing
    critical configuration files with vipw is begging for pain in the long term.
    In particular, typos are dangerous, and mere deletion of accounts doesn't yank
    the group names. You'd need to use vigr for that as well: userdel does a more
    thorough and sanity-checked job.

    If Dave is running telnet or rsh for his root account's remote access, he's
    got more serious issues. Those services should *not* allow remote access: they
    should be disabled entirely, and remote root access should only be over ssh.
    In fact, it's generally safer and more trackable to have the user's account
    only set for remote access, and force the use of "sudo" to become root on the
    machine.
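
The approach described in the posts above (identify accounts with login access, leave system/daemon users alone, lock with "usermod", and restrict ssh in /etc/ssh/sshd_config), as an added example that is not part of the original thread. It assumes UID_MIN=500 (the Fedora Core 6 default) and a hypothetical set of sample accounts; it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: dry-run planner; it prints commands and changes nothing.
# Assumptions: UID_MIN=500 (Fedora Core 6 login.defs default) and the
# keep list from the question (root, dave).
UID_MIN=${UID_MIN:-500}
KEEP=${KEEP:-"root dave"}

# plan_lockdown [PASSWD_FILE]: read passwd(5) lines (file or stdin) and
# print one action per account that still has a login shell.
plan_lockdown() {
    awk -F: -v min="$UID_MIN" -v keep="$KEEP" '
        BEGIN {
            n = split(keep, k, " ")
            for (i = 1; i <= n; i++) keepset[k[i]] = 1
            # Shells that do not give an interactive login.
            nosh["/sbin/nologin"] = 1; nosh["/bin/false"] = 1
            nosh["/bin/sync"] = 1; nosh["/sbin/halt"] = 1
            nosh["/sbin/shutdown"] = 1
        }
        /^#/ || NF < 7  { next }   # comments, malformed lines
        ($1 in keepset) { next }   # accounts that must keep access
        ($7 in nosh)    { next }   # already has no login shell
        # An empty shell field falls through: login treats it as /bin/sh.
        $3 == 0  { print "REVIEW " $1 " # extra UID 0 account"; next }
        $3 < min { print "REVIEW " $1 " # system account with shell " $7; next }
        { print "usermod -L -s /sbin/nologin " $1 }
    ' "$@"
}

# sshd_allow_line: the sshd_config directive limiting SSH to the keep list.
sshd_allow_line() { echo "AllowUsers $KEEP"; }

# Constructed sample data, not taken from any real host.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
dave:x:500:500::/home/dave:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
bob:x:502:502::/home/bob:/sbin/nologin
carol:x:503:503::/home/carol:
EOF
}

sample_passwd | plan_lockdown
sshd_allow_line
```

REVIEW lines are left for a human decision rather than turned into commands. A locked password alone does not stop ssh public-key logins, which is why the shell is changed as well and AllowUsers is set.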



  6. Re: Cleaning out users

    Nico Kadel-Garcia wrote:
    > Johnny Rebel wrote:
    >> Nico Kadel-Garcia wrote:
    >>> Johnny Rebel wrote:
    >>>> laredotornado wrote:
    >>>>> Hi,
    >>>>>
    >>>>> I'm using Fedora Core 6. As root user, logged in remotely, how do I
    >>>>> identify and delete/disable all users with remote access to the
    >>>>> machine except user "root" and user "dave"?
    >>>>>
    >>>>> Thanks, - Dave
    >>>>
    >>>> vipw. Don't delete the system/daemon users along with root and dave.
    >>>>
    >>>> JR.
    >>>>
    >>>
    >>> Or edit /etc/ssh/sshd_config to restrict access to specific users.
    >>>
    >>> And *NO*, don't use vipw for this! It's too easy to make mistakes. If
    >>> you have a well-defined set of users to delete, use "userdel".

    >>
    >> While I understand what you are saying, it does not meet the stated
    >> requirement of "all users with remote access" - which covers ftp,
    >> telnet, smb, ssh, etc... vipwd pretty much covers this with the
    >> exception of 'anonymous' type logons. The only way to deal with this
    >> is to disable the services/config options, and/or put a firewall up.
    >>
    >> JR.

    >
    > I'm saying "don't use vipw for this". If you need to delete accounts,
    > use "userdel". If you need to lock their shells, use "usermod".
    > Hand-editing critical configuration files with vipw is begging for pain
    > in the long term. In particular, typos are dangerous, and mere deletion
    > of accounts doesn't yank the group names. You'd need to use vigr for
    > that as well: userdel does a more thorough and sanity-checked job.


    I have actually never had any issue doing this by hand. I personally
    find it a lot easier than using numerous other commands to do the same
    thing in one fell swoop of the password and group files. Plus, it is
    more portable across Unix platforms (which I aim for). If you have to
    script things, userdel is useless in a mixed environment. I also don't
    subscribe to 'user groups'. I find them to be a pain in the ass more
    than anything, especially if you are sharing files.


    >
    > If Dave is running telnet or rsh for his root account's remote access,
    > he's got more serious issues. Those services should *not* allow remote
    > access: they should be disabled entirely, and remote root access should
    > only be over ssh. In fact, it's generally safer and more trackable to
    > have the user's account only set for remote access, and force the use of
    > "sudo" to become root on the machine.


    For the most part I agree with you concerning telnet/rsh, but there are
    certainly times you must run them (HACMP for example requires rsh).
    Most people however do not require them. Remote root access should
    never happen without an 'su' for tracking. sudo of course has its
    place, but in large scale systems it is a royal pain to sudo everything
    you do (one normally ends up doing a sudo of bash, so why bother with
    sudo for root anyways.). The use of 'su' to become root is what I use,
    not sudo...

    JR.




    --

    Bill will have to take Linux from my cold, dead flippers.

    -Tux.

  7. Re: Cleaning out users

    Johnny Rebel wrote:
    > Nico Kadel-Garcia wrote:
    >> Johnny Rebel wrote:
    >>> Nico Kadel-Garcia wrote:
    >>>> Johnny Rebel wrote:
    >>>>> laredotornado wrote:
    >>>>>> Hi,
    >>>>>>
    >>>>>> I'm using Fedora Core 6. As root user, logged in remotely, how do I
    >>>>>> identify and delete/disable all users with remote access to the
    >>>>>> machine except user "root" and user "dave"?
    >>>>>>
    >>>>>> Thanks, - Dave
    >>>>>
    >>>>> vipw. Don't delete the system/daemon users along with root and dave.
    >>>>>
    >>>>> JR.
    >>>>>
    >>>>
    >>>> Or edit /etc/ssh/sshd_config to restrict access to specific users.
    >>>>
    >>>> And *NO*, don't use vipw for this! It's too easy to make mistakes.
    >>>> If you have a well-defined set of users to delete, use "userdel".
    >>>
    >>> While I understand what you are saying, it does not meet the stated
    >>> requirement of "all users with remote access" - which covers ftp,
    >>> telnet, smb, ssh, etc... vipwd pretty much covers this with the
    >>> exception of 'anonymous' type logons. The only way to deal with this
    >>> is to disable the services/config options, and/or put a firewall up.
    >>>
    >>> JR.

    >>
    >> I'm saying "don't use vipw for this". If you need to delete accounts,
    >> use "userdel". If you need to lock their shells, use "usermod".
    >> Hand-editing critical configuration files with vipw is begging for
    >> pain in the long term. In particular, typos are dangerous, and mere
    >> deletion of accounts doesn't yank the group names. You'd need to use
    >> vigr for that as well: userdel does a more thorough and sanity-checked
    >> job.

    >
    > I have actually never had any issue doing this by hand. I personally
    > find it a lot easier than using numerous other commands to do the same
    > thing in one fell swoop of the password and group files. Plus, it is
    > more portable across Unix platforms (which I aim for). If you have to
    > script things, userdel is useless in a mixed environment. I also don't
    > subscribe to 'user groups'. I find them to be a pain in the ass more
    > than anything, especially if you are sharing files.
    >
    >
    >>
    >> If Dave is running telnet or rsh for his root account's remote access,
    >> he's got more serious issues. Those services should *not* allow remote
    >> access: they should be disabled entirely, and remote root access
    >> should only be over ssh. In fact, it's generally safer and more
    >> trackable to have the user's account only set for remote access, and
    >> force the use of "sudo" to become root on the machine.

    >
    > For the most part I agree with you concerning telnet/rsh, but there are
    > certainly times you must run them (HACMP for example requires rsh). Most
    > people however do not require them. Remote root access should never
    > happen without an 'su' for tracking. sudo of course has its place, but
    > in large scale systems it is a royal pain to sudo everything you do (one
    > normally ends up doing a sudo of bash, so why bother with sudo for root
    > anyways.). The use of 'su' to become root is what I use, not sudo...
    >
    > JR.


    Ahh. I use sudo for that, so that authorized admins can use their own Kerberos
    provided passwords rather than having to have the system root password.

  8. Re: Cleaning out users

    Nico Kadel-Garcia wrote:
    > Johnny Rebel wrote:
    >> Nico Kadel-Garcia wrote:
    >>> Johnny Rebel wrote:
    >>>> Nico Kadel-Garcia wrote:
    >>>>> Johnny Rebel wrote:
    >>>>>> laredotornado wrote:
    >>>>>>> Hi,
    >>>>>>>
    >>>>>>> I'm using Fedora Core 6. As root user, logged in remotely, how do I
    >>>>>>> identify and delete/disable all users with remote access to the
    >>>>>>> machine except user "root" and user "dave"?
    >>>>>>>
    >>>>>>> Thanks, - Dave
    >>>>>>
    >>>>>> vipw. Don't delete the system/daemon users along with root and dave.
    >>>>>>
    >>>>>> JR.
    >>>>>>
    >>>>>
    >>>>> Or edit /etc/ssh/sshd_config to restrict access to specific users.
    >>>>>
    >>>>> And *NO*, don't use vipw for this! It's too easy to make mistakes.
    >>>>> If you have a well-defined set of users to delete, use "userdel".
    >>>>
    >>>> While I understand what you are saying, it does not meet the stated
    >>>> requirement of "all users with remote access" - which covers ftp,
    >>>> telnet, smb, ssh, etc... vipwd pretty much covers this with the
    >>>> exception of 'anonymous' type logons. The only way to deal with
    >>>> this is to disable the services/config options, and/or put a firewall up.
    >>>>
    >>>> JR.
    >>>
    >>> I'm saying "don't use vipw for this". If you need to delete accounts,
    >>> use "userdel". If you need to lock their shells, use "usermod".
    >>> Hand-editing critical configuration files with vipw is begging for
    >>> pain in the long term. In particular, typos are dangerous, and mere
    >>> deletion of accounts doesn't yank the group names. You'd need to use
    >>> vigr for that as well: userdel does a more thorough and
    >>> sanity-checked job.

    >>
    >> I have actually never had any issue doing this by hand. I personally
    >> find it a lot easier than using numerous other commands to do the same
    >> thing in one fell swoop of the password and group files. Plus, it is
    >> more portable across Unix platforms (which I aim for). If you have to
    >> script things, userdel is useless in a mixed environment. I also
    >> don't subscribe to 'user groups'. I find them to be a pain in the ass
    >> more than anything, especially if you are sharing files.
    >>
    >>
    >>>
    >>> If Dave is running telnet or rsh for his root account's remote
    >>> access, he's got more serious issues. Those services should *not*
    >>> allow remote access: they should be disabled entirely, and remote
    >>> root access should only be over ssh. In fact, it's generally safer
    >>> and more trackable to have the user's account only set for remote
    >>> access, and force the use of "sudo" to become root on the machine.

    >>
    >> For the most part I agree with you concerning telnet/rsh, but there
    >> are certainly times you must run them (HACMP for example requires
    >> rsh). Most people however do not require them. Remote root access
    >> should never happen without an 'su' for tracking. sudo of course has
    >> its place, but in large scale systems it is a royal pain to sudo
    >> everything you do (one normally ends up doing a sudo of bash, so why
    >> bother with sudo for root anyways.). The use of 'su' to become root
    >> is what I use, not sudo...
    >>
    >> JR.

    >
    > Ahh. I use sudo for that, so that authorized admins can use their own
    > Kerberos provided passwords rather than having to have the system root
    > password.



    Which would explain why I don't - I am the authorized admin.

    JR.

    --

    Bill will have to take Linux from my cold, dead flippers.

    -Tux.
