Removing User Accounts

Part of any security policy is the timely removal of user accounts. You can do this with rmuser(8). It will ask me to confirm both the account name and that I want to delete the user's home directory. Rmuser will also delete any cron jobs belonging to the user, as well as that user's mail spool. For example, if Chris no longer has access to the system, I can delete him like this:

 # rmuser chris Matching password entry: chris:*:1002:1002::0:0:Chris S.:/customers/chris:/usr/local/bin/tcsh Is this the entry you wish to remove? y Remove user's home directory (/customers/chris)? y Updating password file, updating databases, done. Updating group file:Removing group chris -- personal group is empty  done. Removing user's home directory (/customers/chris): done. # 

Editing Users

OpenBSD supports the classic vipw(8) tool that allows an administrator to directly edit /etc/master.passwd, but for most cases chpass(1) will do everything you need in a much more friendly way. The only real need for vipw(8) is if you have damaged the password file somehow.

Any shell user can use chpass(1) to edit their own account information. You might not want to allow users to do this, however, as one piece of information that chpass(1) allows them to alter is their hashed password. Many regular users are not equipped to recognize a hashed password; I've seen people whom I believed Should Have Known Better try to change their password by entering it in the hashed password field. This locks them out until a sysadmin resets their password to a known value. While you might expect that an ignorant user would be intimidated by that long string of garbage, and hence decide to not touch it, that doesn't seem to be the case. I have yet to see anyone who is not intimidated by it a second time, however! As chpass(1) also allows them to change things such as their phone number and office location, however, you frequently cannot get away with disallowing use by regular users.

As root, you can edit any user's account information by running "chpass username." This brings up a text editor that displays the account information from /etc/master.passwd. For example, if I run "chpass chris" as root, here's what I get:

 Changing user database information for chris. Login: chris Encrypted password:$2a$06$3M22I/s4FC8Mv80Q00sPRed9KhzIUUrBD17pOW66TK.BInzP Uid [#]: 1002 Gid [# or name]: 1002 Change [month day year]: Expire [month day year]: Class: Home directory: /home/chris Shell: /usr/local/bin/tcsh Full Name: Chris B. Office Location: Office Phone: Home Phone: 

You can make any changes you need here, and they will be reflected appropriately in /etc/master.passwd and /etc/passwd. Chpass(1) doesn't change anything except those files. This means that if you move an account's home directory in chpass(1), you'll need to manually move the actual home directory. Otherwise, the user will get an unpleasant surprise when they try to log in!

User Editing Caveats

On OpenBSD systems, /etc/passwd is automatically generated from /etc/ master.passwd via pwd_mkdb(8). Tools such as chpass(1) and vipw(8) do this automatically. If you're familiar with UNIX versions that allow you to directly edit /etc/passwd, you need to retrain yourself when working on OpenBSD. Not only is your chance of making a mistake high, but your changes will be overwritten the next time someone uses a standard tool to change user information.