Thursday, April 16, 2009

User name alias for unix login

Wonder if we can have user name aliases when one logs in to her unix account.

e.g.
My username on a unix box is user1.
I don't like it (forced by my sysadmin), and I would like to let this account be referred to by the login id user2 (retaining the login id user1).
Theoretically, this seems possible because the user accounts are uniquely identified by the uid (a unique number). So there should be a way to let this number refer to multiple usernames.
Any ideas, anyone? Post your comments/solution here.



Here is an interesting extract from

http://www.daniweb.com/forums/thread155228.html


I believe /etc/passwd is 'keyed' on the username, and I believe the system uses only the first instance it finds. So while you can have many users with the same name, only the first entry will be used.

However, you *can* have several user names with the same numerical user ID (UID). For example, you could have users master, alpha and beta all using the same UID, but having different home directories. This would allow you to assign different passwords to each user, but allow them to access the same files. The username associated with all files owned by these users would be the first one in /etc/passwd.

Of course, some will say that this is what groups are for. But groups do not achieve equality as to file ownership. User and group permissions must be the same on all files and directories for access and control to be equally shared; this is not always guaranteed to work and is not always easy to set up.

As to /etc/shadow being more secure, this applies only to the actual passwords; it shadows /etc/passwd and stores the encrypted passwords in a file readable only by root. The system still uses /etc/passwd to find the user name associated with a UID, just as it uses /etc/group to find the group name associated with a GID.

The only utility I could see in having multiple users with the same name is if you had a PAM login module that differentiated logins based on IP address. That is, if a user is authorized to access the system only from a certain set of IP addresses, then logins from anywhere else using that name could be directed to a chroot jail. And if the passwords are different, then the effect of the compromise is lessened. Of course, this is more akin to 'security through obscurity', which never works terribly well.
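
An audit check for the situation the extract describes, added here as an example and not part of the original post or the quoted thread: it parses passwd-format text, lists every UID shared by several names, flags repeated names, and reports the first-listed name for a UID, following the extract's description of lookups. The sample entries and function names are constructed for illustration.

```python
# Constructed sample in /etc/passwd format (not taken from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
master:x:1001:1001:Master:/home/master:/bin/bash
alpha:x:1001:1001:Alpha:/home/alpha:/bin/bash
beta:x:1001:1001:Beta:/home/beta:/bin/bash
user1:x:1002:1002::/home/user1:/bin/bash
user1:x:1003:1003::/home/other:/bin/bash
"""

def parse_passwd(text):
    """Return (name, uid, home) for each well-formed line, in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blank, comment and malformed lines
        entries.append((fields[0], int(fields[2]), fields[5]))
    return entries

def shared_uids(entries):
    """Map each UID used by more than one name to those names, in file order."""
    by_uid = {}
    for name, uid, _home in entries:
        names = by_uid.setdefault(uid, [])
        if name not in names:
            names.append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def shadowed_names(entries):
    """Names listed more than once; per the extract only the first is used."""
    seen, dupes = set(), []
    for name, _uid, _home in entries:
        if name in seen and name not in dupes:
            dupes.append(name)
        seen.add(name)
    return dupes

def owner_name(entries, uid):
    """Name shown for files owned by this UID: the first matching entry."""
    for name, entry_uid, _home in entries:
        if entry_uid == uid:
            return name
    return None

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print(shared_uids(entries), shadowed_names(entries), owner_name(entries, 1001))
```

Names that share a UID are the same identity for file permissions, so the report from `shared_uids` is the list of accounts that cannot be told apart by file ownership.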