Chapter 2. System Configuration with YaST / 2.6. Security and Users | ||||
|---|---|---|---|---|
 | 2.5. Network Services | 2.7. System |  | |
Chapter 2. System Configuration with YaST / 2.6. Security and Users | ||||
|---|---|---|---|---|
| 2.5. Network Services | 2.7. System | | |
A basic aspect of Linux is its multiuser capability. Consequently, several users can work independently on the same Linux system. Each user has a user account identified by a login name and a personal password for logging in to the system. All users have their own home directories where personal files and configurations are stored.
After you select to edit users, YaST provides an overview of all local
users in the system. If you are part of an extensive network, click
to list all system users (for example,
root) or NIS users. You can also create custom
filter settings. Instead of switching between individual user groups,
combine them according to your needs. To add new users, fill in the
required blanks in the following screen. Subsequently, the new user can
log in to the host with the login name and password. The user profile
can be fine-tuned with . You can manually set
the user ID, the home directory, and the default login shell. Assign the
new user to specific groups. Configure the validity of the password in
. Click to
change these settings whenever necessary. To delete a user, select the
user from the list and click .
For advanced network administration, use to define the default settings for the creation of new users. Select the authentication method (NIS, LDAP, Kerberos, or Samba) and the algorithm for the password encryption. These settings are relevant for large networks.
Start the group administration module from the YaST Control Center or click in the user administration. Both dialogs have the same functionality, allowing you to create, edit, or delete groups.
YaST provides a list of all groups. To delete a group, select it from the list and click . Under and , enter the name, group ID (gid), and members of the group in the respective YaST screen. If desired, set a password for the change to this group. The filter settings are the same as in the dialog.
In , which can be accessed under , select one of the following four options: Level 1 is for stand-alone computers. Level 2 is for workstations with a network. Level 3 is for a server with a network. Use for your own configuration.
If you click one of the first three items, you will activate one of the levels of preconfigured system security options, as soon as you click . Under , access the individual settings that can be modified. If you choose , proceed to the different dialogs with . Here, find the default installation values.
For new passwords to be checked by the system before they are accepted, mark and . Set the minimum and maximum length of passwords for newly created users. Define the period for which the password should be valid and how many days in advance an expiration alert should be issued when the user logs in to the text console.
Specify how the key combination Ctrl-Alt-Del should be interpreted by selecting the desired action. Usually, this combination, entered in the text console, causes the system to reboot. Do not modify this setting unless your machine or server is publicly accessible and you are afraid someone could carry out this action without authorization. If you select , this key combination causes the system to shut down. With , this key combination is ignored.
Specify the by granting permission to shut down the system from the KDE display manager, the graphical login of KDE. Give permission to (the system administrator), , , or . If is selected, the system can only be shut down via the text console.
Typically, following a failed login attempt, there is a waiting
period lasting a few seconds before another login is possible. This
makes it more difficult for password sniffers to log in. Optionally
activate and
. If you suspect
someone is trying to discover your password, check the entries in the
system log files in /var/log. With
, other users are
granted access to your graphical login screen via the network.
Because this access possibility represents a potential security risk,
it is inactive by default.
Every user has a numerical and an alphabetical user ID. The
correlation between these is established via the file
/etc/passwd and should be as unique as possible.
Using the data in this screen, define the range of numbers assigned
to the numerical part of the user ID when a new user is added. A
minimum of 500 is suitable for users. Automatically generated
system users start with
1000. Proceed in the same way with the group ID settings.
For , there are three selection options: , , and . The first one should be sufficient for most users. The YaST help text provides information about the three security levels. The setting is extremely restrictive and can serve as the basic level of operation for system administrator settings. If you select , remember that some programs might not work or not work correctly, because users no longer have permission to access certain files.
In this dialog, also define which user should start the
updatedb program.
This program, which automatically runs on a daily basis or after
booting, generates a database (locatedb) in which the location of
each file on your computer is stored. If you select
, any user can find only the paths in the
database that can be seen by any other (unprivileged) user. If
root is selected, all local
files are indexed, because the user
root, as superuser, may
access all directories. Finally, make sure that the option
is deactivated
(default).
Press to complete your security configuration.
Use this module to configure SuSEfirewall2 to protect your machine against attacks from the Internet. Detailed information about SuSEfirewall2 can be found in Section 34.1, “Masquerading and Firewalls”.
![[Tip]](admon/tip.png) | Automatic Activation of the Firewall |
|---|---|
YaST automatically starts a firewall with suitable settings on every configured network interface. You only need to start this module if you want to reconfigure the firewall with custom settings or deactivate it. | |
