SUSE Linux Enterprise Desktop Documentation
Chapter 8. System Configuration with YaST / 8.9. Security and Users
Prev8.8. AppArmor8.10. VirtualizationNext

Security and Users

A basic aspect of Linux is its multiuser capability. Consequently, several users can work independently on the same Linux system. Each user has a user account identified by a login name and a personal password for logging in to the system. All users have their own home directories where personal files and configurations are stored.

User Management

Create and edit users with Security and Users+User Management. It provides an overview of users in the system, including NIS, LDAP, Samba, and Kerberos users if requested. If you are part of an extensive network, click Set Filter to list all users categorically. You can also customize the filter settings by clicking Customize Filter.

[Tip]Applying Configuration Changes without Closing the Module

Whenever you need to make multiple configuration changes and want to avoid restarting the user and group configuration module for every single one of these changes, use Write Changes Now to save your changes without exiting the configuration module.

Adding Users

To add a new user, proceed as follows:

  1. Click Add.

  2. Enter the necessary data for User Data. If you do not need to adjust any more detailed settings for this new user, proceed to Step 5.

  3. To change a user's ID, home directory name, default home, group, group memberships, directory permissions, or login shell, open the Details tab and change the default values.

  4. To adjust user's password expiration, length, and expiration warnings, use the Password Settings tab.

  5. Write the user account configuration by clicking Accept.

The new user can immediately log in with the created login name and password.

Deleting Users

To delete a user, proceed as follows:

  1. Select the user from the list.

  2. Click Delete.

  3. Determine whether to delete or keep the home directory of the user to delete.

  4. Click Yes to apply your settings.

Changing the Login Configuration

To change the login configuration, proceed as follows:

  1. Select the user from the list.

  2. Click Edit.

  3. Adjust the settings under User Data, Details, and Password Settings.

  4. Save the user account configuration by clicking Accept.

Managing Encrypted Home Directories

You can create an encrypted home directory as part of the user account creation. To create an encrypted home directory for a user, proceed as follows:

  1. Click Add.

  2. Enter the required data for User Data.

  3. In the Details tab, activate Use Encrypted Home Directory.

  4. Apply your settings with Accept.

To create an encrypted home for an existing user, proceed as follows:

  1. Select a user from the list and click Edit.

  2. In the Details tab, enable Use Encrypted Home Directory.

  3. Enter the password of the selected user.

  4. Apply your settings with Accept.

To disable the encryption of home directories, proceed as follows:

  1. Select a user from the list and click Edit.

  2. In the Details tab, disable Use Encrypted Home Directory.

  3. Enter the password of the selected user.

  4. Apply your settings with Accept.

For more information about encrypted homes, see Section 42.2, “Using Encrypted Home Directories”.

Auto Login

[Warning]Using Auto Login

Using the auto login feature on any system that can be physically accessed by more than one person is a potential security risk. Any user accessing this system can manipulate the data on it. If your system contains confidential data, do not use the auto login functionality.

If you are the only user of your system, you can configure auto login. It automatically logs a user into the system after start. Only one selected user can use the auto login function. Auto login works only with KDM or GDM.

To activate auto login, select the user from the list of users and click Expert Options+Login Settings. Then choose Auto Login and click OK.

To deactivate this functionality, select the user and click Expert Options+Login Settings. Then uncheck Auto Login and click OK.

Login without a Password

[Warning]Allowing Login without a Password

Using the passwordless login feature on any system that can be physically accessed by more than one person is a potential security risk. Any user accessing this system can manipulate the data on it. If your system contains confidential data, do not use this functionality.

Login without a password automatically logs a user into the system after the user enters the username in the login manager. It is available to multiple users on a system and works only with KDM or GDM.

To activate the function, select the user from the list of users and click Expert Options+Login Settings. Then choose Passwordless Login and click OK.

To deactivate this function, select the user for whom to disable this functionality from the list of users and click Expert Options+Login Settings. Then uncheck Passwordless Login and click OK.

Disabling User Login

To create a system user that should not be able to log in to the system but under whose identity several system-related tasks should be managed, disable the user login when creating the user account. Proceed as follows:

  1. Click Add.

  2. Enter the required data for User Data.

  3. Check Disable User Login.

  4. Apply your settings with Accept.

To disable login for an existing user, proceed as follows:

  1. Select the user from the list and click Edit.

  2. Check Disable User Login in User Data.

  3. Apply your settings with Accept.

Enforcing Password Policies

On any system with multiple users, it is a good idea to enforce at least basic password security policies. Users should change their passwords regularly and use strong passwords that cannot easily be exploited. For information about how to enforce stricter password rules, refer to Section 8.9.3, “Local Security”. To enforce password rotation, create a password expiration policy.

To configure the password expiration policy for a new user, proceed as follows:

  1. Click Add.

  2. Enter the required data in User Data.

  3. Adjust the values in Password Settings.

  4. Apply your settings with Accept.

To change the password expiration policy for an existing user, proceed as follows:

  1. Select the user from the list and click Edit.

  2. Adjust the values in Password Settings.

  3. Apply your settings with Accept.

You can limit the lifetime of any user account by specifying a date of expiration for this particular account. Specify the Expiration Date in the YYYY-MM-DD format and leave the user configuration. If no Expiration Date is given, the user account never expires.

Changing the Default Settings for New Users

When creating new local users, several defaults settings are used by YaST. You can change these default settings to meet your requirements:

  1. Select Expert Options+Defaults for New Users.

  2. Apply your changes to any or all of the following items:

    • Default Group

    • Secondary Groups

    • Default Login Shell

    • Path Prefix for Home Directory

    • Skeleton for Home Directory

    • Umask for Home Directory

    • Default Expiration Date

    • Days after Password Expiration Login is Usable

  3. Apply your changes with Accept.

Several other security-related default settings can be changed using the Local Security module. Refer to Section 8.9.3, “Local Security” for information.

Changing the Password Encryption

[Note]Note

Changes in password encryption apply only to local users.

SUSE Linux Enterprise can use DES, MD5, or Blowfish for password encryption. The default password encryption method is Blowfish. The encryption method is set during installation of the system, as described in Section 3.11.1, “Password for the System Administrator “root””. To change the password encryption method in the installed system, select Expert Options+Password Encryption.

Changing the Authentication and User Sources

The user administration method (such as NIS, LDAP, Kerberos, or Samba) is set during installation, as described in Section 3.11.6, “Users”. To change the user authentication method in the installed system, select Expert Options+Authentication and User Sources. The module provides a configuration overview and the option to configure the client. Advanced client configuration is also possible using this module.

Group Management

To create and edit groups, select Security and Users+Group Management or click Groups in the user administration module. Both dialogs have the same functionality, allowing you to create, edit, or delete groups.

The module gives an overview of all groups. As in the user management dialog, change filter settings by clicking Set Filter.

To add a group, click Add and enter the appropriate data. Select group members from the list by checking the corresponding box. Click Accept to create the group. To edit a group, select the group to edit from the list and click Edit. Make all necessary changes then save them with Accept. To delete a group, simply select it from the list and click Delete.

Click Expert Options for advanced group management. Find more about these options in Section 8.9.1, “User Management”.

Local Security

To apply a set of security settings to your entire system, use Security and Users+Local Security. These settings include security for booting, login, passwords, user creation, and file permissions. SUSE Linux Enterprise offers three preconfigured security sets: Home Workstation, Networked Workstation, and Network Server. Modify the defaults with Details. To create your own scheme, use Custom Settings.

The detailed or custom settings include:

Password Settings

To have new passwords checked by the system for security before they are accepted, click Check New Passwords and Test for Complicated Passwords. Set the minimum password length for newly created users. Define the period for which the password should be valid and how many days in advance an expiration alert should be issued when the user logs in to the text console.

Boot Settings

Set how the key combination Ctrl+Alt+Del should be interpreted by selecting the desired action. Normally, this combination, when entered in the text console, causes the system to reboot. Do not modify this setting unless your machine or server is publicly accessible and you are afraid someone could carry out this action without authorization. If you select Stop, this key combination causes the system to shut down. With Ignore, this key combination is ignored.

If you use the KDE login manager (KDM), set permissions for shutting down the system in Shutdown Behavior of KDM. Give permission to Only root (the system administrator), All Users, Nobody, or Local Users. If Nobody is selected, the system can only be shut down from the text console.

Login Settings

Typically, following a failed login attempt, there is a waiting period lasting a few seconds before another login is possible. This makes it more difficult for password sniffers to log in. Optionally activate Record Successful Login Attempts. If you suspect someone is trying to discover your password, check the entries in the system log files in /var/log. To grant other users access to your graphical login screen over the network, enable Allow Remote Graphical Login. Because this access possibility represents a potential security risk, it is inactive by default.

User Addition

Every user has a numerical and an alphabetical user ID. The correlation between these is established using the file /etc/passwd and should be as unique as possible. Using the data in this screen, define the range of numbers assigned to the numerical part of the user ID when a new user is added. A minimum of 500 is suitable for users. Automatically generated system users start with 1000. Proceed in the same way with the group ID settings.

Miscellaneous Settings

To use predefined file permission settings, select Easy, Secure, or Paranoid. Easy should be sufficient for most users. The setting Paranoid is extremely restrictive and can serve as the basic level of operation for custom settings. If you select Paranoid, remember that some programs might not work correctly or even at all, because users no longer have permission to access certain files.

Also set which user should launch the updatedb program, if installed. This program, which automatically runs on a daily basis or after booting, generates a database (locatedb) in which the location of each file on your computer is stored. If you select Nobody, any user can find only the paths in the database that can be seen by any other (unprivileged) user. If root is selected, all local files are indexed, because the user root, as superuser, may access all directories. Make sure that the options Current Directory in root's Path and Current Directory in Path of Regular Users are deactivated. Only advanced users should consider using these options because these settings may pose a significant security risk if used incorrectly. To have some control over the system even if it crashes, click Enable Magic SysRq Keys.

Click Finish to complete your security configuration.

Firewall

SuSEfirewall2 can protect your machine against attacks from the Internet. Configure it with Security and Users+Firewall. Find detailed information about SuSEfirewall2 in Chapter 39, Masquerading and Firewalls.

[Tip]Automatic Activation of the Firewall

YaST automatically starts a firewall with suitable settings on every configured network interface. Start this module only if you want to reconfigure the firewall with custom settings or deactivate it.

Prev8.8. AppArmorHome8.10. VirtualizationNext