Wednesday, June 27, 2007

System Files

/etc/passwd

The password file is arguably the most critical system file in Linux (and most other unices). It contains, for every account, the mapping of username to user ID (UID) and to the primary group ID (GID) that user belongs to. It may also contain the password hash itself, but it is far more common (and much more secure) to use shadow passwords and keep the hashes in /etc/shadow, leaving just an "x" in this field. This file MUST be world readable: anything that maps a UID to a name (even a command as simple as ls -l) reads it, so restricting it only breaks ordinary programs and protects nothing, since the hashes are not in it. The GECOS field holds free-form data such as the real name and phone number, the home directory is where the user is placed on an interactive login, and the login shell is the program started at login (an interactive shell such as bash, or a menu program). Programs that consult /etc/shells (chsh, most ftp daemons, and PAM's pam_shells module) refuse users whose shell is not listed there. The format is:

username:password:UID:GID:GECOS_field:home_directory:login_shell

/etc/shadow

The shadow file holds each username with its password hash, together with account ageing information: the date of the last password change, the minimum and maximum password age, the warning period before expiry, the inactivity period after expiry, and the account expiry date (dates are counted in days since 1 January 1970). An empty password field means no password is required at all, and a field beginning with ! or * locks the account. This file must be readable by root only (typically mode 0600, or 0640 with group shadow): anyone who can read it can run an offline password cracker against every hash on the system. The format is:

username:password_hash:last_change:min_days:max_days:warn_days:inactive_days:expire_date:reserved

/etc/group

The group file (/etc/group) contains all the group membership information and, optionally, a group password (on current systems kept in /etc/gshadow, with just an "x" here). Like /etc/passwd, this file must be world readable for the system to behave correctly, since anything that maps a GID to a name reads it. The format is:

groupname:password:GID:member,member,member

A group may contain no members (i.e. it is unused), a single member or multiple members, and the password is optional.

/etc/gshadow

Similar to the password shadow file, this file holds the hashed group passwords and, for each group, a list of group administrators (users allowed to add and remove members with gpasswd) in addition to the member list. It should be readable by root only. The format is:

groupname:password_hash:administrator,administrator:member,member,member

/etc/login.defs

This file allows you to define default values for programs such as useradd and for password ageing, for example PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE, and the UID and GID ranges used for new accounts. It varies slightly across distributions and even versions, but is typically well commented and contains sane default values. Note that the ageing settings are applied when an account is created; existing entries in /etc/shadow are not changed and must be updated with chage.

/etc/shells

The shells file contains a list of valid login shells, one absolute path per line. Programs that consult it (chsh, most ftp daemons, and PAM's pam_shells module) refuse users whose shell is not listed here, which makes it a simple way to keep accounts with a non-interactive shell (such as /usr/sbin/nologin or /bin/false) from logging in through those services. See the section on Telnetd for more information.
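As an added example (not part of the original page), the following Python script parses constructed /etc/passwd, /etc/shadow, /etc/group and /etc/shells contents in the formats described above and reports the problems a security audit of these files looks for: extra UID 0 accounts, accounts with no password (an empty password field in passwd, or an empty hash in shadow), hashes left in the world-readable passwd file, accounts with no shadow entry, login shells not listed in /etc/shells, passwords that never expire, and unknown or privileged group members. All sample entries and hashes are constructed placeholders, and the audit() function and its messages are this example's own, not those of any standard tool.

```python
"""Audit passwd/shadow/group/shells data for common misconfigurations.

Added example; all sample data below is constructed and the hashes are
placeholders, not real password hashes.
"""

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "reserved")
GROUP_FIELDS = ("name", "password", "gid", "members")

# Constructed sample files (not taken from any real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,555-0100:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/local/bin/menu
toor:x:0:0:second root:/root:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
"""

SHADOW = """\
root:$6$fakesalt$FAKEHASHFAKEHASH:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
alice:$6$fakesalt$FAKEHASHFAKEHASH:17000:0:90:7:::
bob::17000:0:99999:7:::
toor:$6$fakesalt$FAKEHASHFAKEHASH:17000:0:99999:7:::
guest:!:17000:0:99999:7:::
"""

GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob,mallory
users:x:100:
"""

SHELLS = """\
/bin/sh
/bin/bash
/usr/sbin/nologin
"""


def parse_colon_file(text, fields):
    """Split a colon-separated file into dicts keyed by `fields`.
    Lines with the wrong number of fields are returned separately as
    malformed, since login programs will misparse them too."""
    rows, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            bad.append((lineno, line))
            continue
        rows.append(dict(zip(fields, parts)))
    return rows, bad


def audit(passwd_text=PASSWD, shadow_text=SHADOW, group_text=GROUP,
          shells_text=SHELLS):
    """Return a sorted list of (account_or_group, finding) tuples."""
    users, bad_passwd = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow, bad_shadow = parse_colon_file(shadow_text, SHADOW_FIELDS)
    groups, bad_group = parse_colon_file(group_text, GROUP_FIELDS)
    shells = {s.strip() for s in shells_text.splitlines() if s.strip()}
    shadow_by_name = {s["name"]: s for s in shadow}
    known_users = {u["name"] for u in users}
    findings = [("<malformed>", line)
                for _, line in bad_passwd + bad_shadow + bad_group]

    for u in users:
        name = u["name"]
        if u["uid"] == "0" and name != "root":
            findings.append((name, "UID 0 but not root"))
        # An empty password field in passwd means "no password"; the shadow
        # entry is never consulted for such an account.
        if u["password"] == "":
            findings.append((name, "empty password field in passwd: no password required"))
        elif u["password"] != "x":
            findings.append((name, "password hash stored in world-readable passwd"))
        if u["shell"] not in shells:
            findings.append((name, f"login shell {u['shell']} not in /etc/shells"))
        s = shadow_by_name.get(name)
        if s is None:
            if u["password"] == "x":
                findings.append((name, "no /etc/shadow entry"))
            continue
        h = s["hash"]
        if h == "":
            findings.append((name, "empty hash in shadow: no password required"))
        elif h[0] in "!*":
            pass  # locked account, or a system account that never had a password
        elif s["max"] == "" or int(s["max"]) >= 99999:
            findings.append((name, "password never expires"))

    for g in groups:
        members = [m for m in g["members"].split(",") if m]
        for m in members:
            if m not in known_users:
                findings.append((g["name"], f"lists unknown member {m}"))
        if g["name"] in ("root", "wheel", "sudo") and members:
            findings.append((g["name"], "privileged group members: " + ",".join(members)))
    return sorted(findings)


if __name__ == "__main__":
    for who, what in audit():
        print(f"{who}: {what}")
```

To run it against a real host, replace the constructed strings with the contents of the real files (reading /etc/shadow requires root). On the constructed data above, audit() reports toor as a second UID 0 account, bob and guest as accounts that can log in without a password, carol as an account with no shadow entry (login cannot authenticate it at all), bob's menu program as a shell missing from /etc/shells, and mallory as a member of sudo who does not exist in passwd.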

/etc/securetty

This file contains a list of tty's that root can log in from, one name per line without the /dev/ prefix (e.g. tty1); it is enforced by login through the pam_securetty module. Console tty's are usually tty1 through tty6. Serial ports (if you want to log in as root over a modem, say) are ttyS0 and up typically. If you want to allow root to log in via the network (a very bad idea, use sudo) you would have to list the pseudo-terminals as well: ttyp1 and up on older systems (if 30 users are logged in and root tries to log in, root will be coming from ttyp31), or pts/0 and up on current kernels using Unix98 pseudo-terminals. Note that sshd does not consult this file at all; root logins over ssh are controlled by PermitRootLogin in sshd_config. Generally you should only allow root to log in from tty1, and it is advisable to disable the root account altogether.