Taking Control of User Account Files

We need to take control of the user accounts at our site. Every site eventually needs a centralized mechanism the SA staff can use to create and delete accounts, lock them out after a designated number of failed logins, and log user access. This will be usually a system such as NIS/NIS+, LDAP, or perhaps LDAP combined with Kerberos.

At this point, we're not talking about setting up a network-based authentication system—we're not ready for that yet. First, we need to take control of our local account files: /etc/passwd, /etc/shadow, and /etc/group. Even if we already had LDAP deployed at our site and all our users had accounts only in the LDAP directory, we would need to be able to change the local root account password across all our systems on a regular basis. In addition, we normally change the default shell on many system accounts that come with the system, for added security. Allowing local account files to go unmanaged is a security risk.