thelinuxvault blog

Log in and switch users in multiuser targets – RHCSA Objective Preparation

As a Linux system administrator, mastering user management and login procedures is foundational to maintaining security, efficiency, and compliance—especially in multiuser environments. For the Red Hat Certified System Administrator (RHCSA) exam, "Logging in and switching users in multiuser targets" is a critical objective. This blog will break down the concepts, tools, and best practices you need to know to ace this topic, whether you’re preparing for the exam or building real-world admin skills.

We’ll start by understanding multiuser targets (systemd runlevels), then dive into local/remote login methods, user switching with su and sudo, security best practices, and RHCSA-specific tips. Let’s get started!

2026-02

Table of Contents#

  1. Introduction to Multiuser Targets

    • 1.1 What Are Systemd Targets?
    • 1.2 Key Multiuser Targets
    • 1.3 Managing Targets

  2. Logging Into a Linux System

    • 2.1 Local Login (Console and Graphical)
    • 2.2 Remote Login (SSH)
    • 2.3 Authentication Fundamentals (PAM, /etc/passwd, /etc/shadow)

  3. Switching Users in Linux

    • 3.1 The su Command
    • 3.2 The sudo Command
    • 3.3 su vs. sudo: Key Differences

  4. Best Practices for User Switching and Login

    • 4.1 Security: Avoid Direct Root Login
    • 4.2 Audit and Logging
    • 4.3 Sudoers Configuration Tips

  5. RHCSA Exam Tips

    • 5.1 Common Scenarios
    • 5.2 Troubleshooting Login Issues

  6. Summary

  7. References

1. Introduction to Multiuser Targets#

Before diving into login procedures, it’s essential to understand multiuser targets—the operational modes of a Linux system that support multiple simultaneous users.

1.1 What Are Systemd Targets?#

Modern Linux distributions (including RHEL 8/9) use systemd as the init system, replacing the legacy SysVinit. Systemd "targets" are groups of services that define the system’s state, analogous to SysVinit "runlevels." Targets determine which services (e.g., networking, SSH, GUI) start at boot.

1.2 Key Multiuser Targets#

For RHCSA, focus on these critical targets:

TargetDescriptionLegacy Runlevel Equivalent
multi-user.targetNon-graphical multiuser mode: Supports multiple users via console/SSH, no GUI.Runlevel 3
graphical.targetGraphical multiuser mode: Includes multi-user.target plus a display manager (e.g., GDM) and GUI.Runlevel 5

1.3 Managing Targets#

To work with targets, use systemctl commands:

  • Check the current default target:

    systemctl get-default

    Output (example): multi-user.target

  • Set a default target (persists across reboots):

    sudo systemctl set-default graphical.target  # Switch to GUI by default

  • Temporarily switch targets (without changing default):

    sudo systemctl isolate multi-user.target  # Switch to non-graphical mode now

2. Logging Into a Linux System#

Logging in is the first step to interacting with a Linux system. Methods vary by environment (local vs. remote).

2.1 Local Login#

Local login occurs directly on the system’s physical console or attached display.

Console Login (Non-Graphical)#

Linux provides 6 virtual consoles (ttys) for local text-based login:

  • Access via Ctrl+Alt+F1 (tty1) to Ctrl+Alt+F6 (tty6).
  • Log in with username/password; exit with exit or Ctrl+D.

Graphical Login#

If graphical.target is active, a display manager (e.g., GDM for GNOME, LightDM) presents a login screen. Enter your username/password to access the desktop environment.

2.2 Remote Login#

Remote login is critical for managing headless servers or systems over a network. The primary tool is SSH (Secure Shell).

SSH Login Basics#

SSH encrypts traffic, making it secure for remote access:

ssh username@remote_host  # Login as "username" to "remote_host"

  • Key-Based Authentication (Recommended): Use SSH keys instead of passwords for better security. Generate keys with:

    ssh-keygen -t ed25519  # Generate an Ed25519 key pair  
ssh-copy-id username@remote_host  # Copy public key to remote host

    Now log in without a password: ssh username@remote_host.

  • Disable Password Login (For Security): Edit /etc/ssh/sshd_config on the remote host:

    PasswordAuthentication no

    Restart SSH: sudo systemctl restart sshd.

2.3 Authentication Fundamentals#

Linux uses these components to verify user identity during login:

  • /etc/passwd: Stores user account details (username, UID, home directory, default shell). Example entry:

    jane:x:1001:1001:Jane Doe:/home/jane:/bin/bash

    (The x indicates the password is stored in /etc/shadow.)

  • /etc/shadow: Securely stores hashed passwords and account metadata (expiry, lock status). Only root can read it.

  • PAM (Pluggable Authentication Modules): Controls login rules (e.g., password complexity, 2FA) via /etc/pam.d/ configuration files (e.g., /etc/pam.d/login for console logins).

3. Switching Users in Linux#

Once logged in, you may need to switch to another user (e.g., to run admin commands as root or test a user’s permissions). Use su or sudo.

3.1 The su Command#

su (substitute user) switches to another user’s account.

Basic Usage#

su username  # Switch to "username"; prompts for their password

Key Flags#

  • - or --login: Starts a login shell, loading the target user’s environment (.bash_profile, .bashrc, PATH): 
    su - jane  # Switch to jane with login shell (recommended)
  • -c: Run a single command as the target user: 
    su - jane -c "ls -la /home/jane"  # List jane's home as jane
  • Switch to root: 
    su -  # Equivalent to "su - root"; prompts for root password

3.2 The sudo Command#

sudo (superuser do) lets users run commands as another user (typically root) without knowing their password, using their own credentials.

Prerequisites: Configure sudoers#

sudo relies on /etc/sudoers, edited only with visudo (prevents syntax errors).

  • Allow a user to run all commands as root:

    sudo visudo  # Open sudoers in safe edit mode

    Add:

    jane ALL=(ALL) ALL  # Jane can run any command as any user

  • Allow a group (e.g., wheel):

    %wheel ALL=(ALL) ALL  # Members of "wheel" group can use sudo

    Add users to wheel with:

    sudo usermod -aG wheel jane

  • Passwordless sudo for specific commands:

    jane ALL=(root) NOPASSWD: /bin/systemctl restart httpd  # Jane restarts Apache without password

Common sudo Commands#

  • Run a command as root: 
    sudo systemctl restart sshd  # Restart SSH as root
  • Get an interactive root shell: 
    sudo -i  # Equivalent to "su -"; loads root's environment
  • List allowed commands: 
    sudo -l  # Show user's sudo privileges

3.3 su vs. sudo: Key Differences#

susudo
Requires target user’s passwordUses user’s own password
Switches to a new shell by defaultRuns a single command (unless sudo -i)
No built-in logging (use su -c logs)Logs all commands to /var/log/secure

4. Best Practices for User Switching and Login#

4.1 Security: Avoid Direct Root Login#

  • Disable root SSH login: Edit /etc/ssh/sshd_config: 
    PermitRootLogin no  # Prevent root from logging in via SSH
  • Use sudo instead of su - root for admin tasks (reduces risk of accidental damage).

4.2 Audit and Logging#

  • Track sudo usage: Logs are stored in /var/log/secure (RHEL) or /var/log/auth.log (Debian): 
    grep sudo /var/log/secure  # View sudo commands
  • Monitor logins: Use last (recent logins) or lastb (failed logins): 
    last jane  # Show jane's login history

4.3 Sudoers Configuration Tips#

  • Limit privileges: Restrict users to specific commands (e.g., systemctl restart httpd) instead of ALL=(ALL) ALL.
  • Use groups: Manage sudo access via groups (e.g., %wheel) for easier administration.

5. RHCSA Exam Tips#

5.1 Common Scenarios#

  • Switch users: Use su - username or sudo -i.
  • Configure sudo: Add a user to sudoers with visudo (e.g., user ALL=(ALL) /bin/systemctl restart nginx).
  • Set default target: systemctl set-default multi-user.target.

5.2 Troubleshooting Login Issues#

  • User can’t log in?
    • Check if the account is locked: passwd -S username (look for L in output).
    • Verify home directory permissions: Must be owned by the user (chown username:username /home/username) with mode 700.
    • Check shell validity: Ensure the shell in /etc/passwd exists in /etc/shells.

6. Summary#

Mastering login and user switching in multiuser targets is critical for RHCSA success and real-world admin work. Key takeaways:

  • Use systemctl to manage multiuser targets (multi-user.target, graphical.target).
  • Log in locally (console/GUI) or remotely (SSH with key-based auth).
  • Switch users with su - username (requires target password) or sudo (configure via visudo).
  • Prioritize security: Avoid root login, use sudo, and audit with logs.

7. References#

Let me know if you need further clarification on any topic—happy studying for your RHCSA! 🚀