source: postlfs/security/linux-pam.xml@ 5c6a906

Last change on this file since 5c6a906 was 5c6a906, checked in by Pierre Labastie <pieere@…>, 8 years ago

Add information about updating or reinstalling PAM, to avoid removing
important configuration files

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@12621 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 12.9 KB
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY linux-pam-download-http "http://linux-pam.org/library/Linux-PAM-&linux-pam-version;.tar.bz2">
  <!ENTITY linux-pam-download-ftp  " ">
  <!ENTITY linux-pam-md5sum        "35b6091af95981b1b2cd60d813b5e4ee">
  <!ENTITY linux-pam-size          "1.1 MB">
  <!ENTITY linux-pam-buildsize     "22 MB">
  <!ENTITY linux-pam-time          "0.3 SBU">

  <!ENTITY linux-pam-docs-download "http://linux-pam.org/documentation/Linux-PAM-&linux-pam-version;-docs.tar.bz2">
  <!ENTITY linux-pam-docs-md5sum   "730895d1c6e1c706dc5ffe2419f9b3f5">
  <!ENTITY linux-pam-docs-size     "148 KB">
  <!ENTITY debian-pam-docs         "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
]>

<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
  <?dbhtml filename="linux-pam.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Linux-PAM-&linux-pam-version;</title>

  <indexterm zone="linux-pam">
    <primary sortas="a-Linux-PAM">Linux-PAM</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Linux PAM</title>

    <para>
      The <application>Linux PAM</application> package contains
      Pluggable Authentication Modules used to enable the local
      system administrator to choose how applications authenticate
      users.
    </para>

    &lfs74_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&linux-pam-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &linux-pam-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &linux-pam-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &linux-pam-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &linux-pam-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <title>Optional Documentation</title>
      <listitem>
        <para>
          Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &linux-pam-docs-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &linux-pam-docs-size;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="db"/>,
      <xref linkend="cracklib"/>,
      <xref linkend="libtirpc"/> and
      <ulink url="http://www.prelude-ids.org/">Prelude</ulink>
    </para>

    <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
    <para role="optional">
      <xref linkend="DocBook"/>,
      <xref linkend="docbook-xsl"/>,
      <xref linkend="fop"/>,
      <xref linkend="libxslt"/> and
      <xref linkend="w3m"/>
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/linux-pam"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Linux PAM</title>

    <para>
      If you downloaded the documentation, unpack the tarball by issuing
      the following command.
    </para>

<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-version;-docs.tar.bz2 --strip-components=1</userinput></screen>

    <para>
      Install <application>Linux PAM</application> by
      running the following commands:
    </para>

<screen><userinput>./configure --prefix=/usr \
            --sysconfdir=/etc \
            --libdir=/usr/lib \
            --enable-securedir=/lib/security \
            --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; \
            --disable-nis &amp;&amp;
make</userinput></screen>

    <para>
      To test the results, a suitable <filename>/etc/pam.d/other</filename>
      configuration file must exist.
    </para>

    <caution>
      <title>Reinstallation or upgrade of Linux PAM</title>
      <para>
        If you have a system with Linux PAM installed and working, be careful
        when modifying the files in
        <filename class="directory">/etc/pam.d</filename>, since your system
        may become totally unusable. If you want to run the tests, you do not
        need to create another <filename>/etc/pam.d/other</filename> file. The
        installed one can be used for that purpose.
      </para>

      <para>
        You should also be aware that <command>make install</command>
        overwrites the configuration files in
        <filename class="directory">/etc/security</filename> as well as
        <filename>/etc/environment</filename>. In case you
        have modified those files, be sure to back them up.
      </para>
    </caution>

    <para>
      For a first installation, create the configuration file by issuing the
      following commands as the <systemitem class="username">root</systemitem>
      user:
    </para>

<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;

cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so
EOF</userinput></screen>

    <para>
      Now run the tests by issuing <command>make check</command>.
      Ensure there are no errors produced by the tests before continuing the
      installation.
    </para>

    <para>
      Only in case of a first installation, remove the configuration file
      created earlier by issuing the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>rm -rfv /etc/pam.d</userinput></screen>

    <para>
      Now, as the <systemitem class="username">root</systemitem>
      user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
chmod -v 4755 /sbin/unix_chkpwd &amp;&amp;

for file in pam pam_misc pamc
do
  mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--enable-securedir=/lib/security</parameter>:
      This switch sets the install location for the
      <application>PAM</application> modules.
    </para>

    <para>
      <option>--disable-nis</option>: This switch disables building
      of the Network Information Service/Yellow Pages support in
      pam_unix and pam_access modules. Remove it if you have installed
      <xref linkend="libtirpc"/>.
    </para>

    <para>
      <command>chmod -v 4755 /sbin/unix_chkpwd</command>:
      The <command>unix_chkpwd</command> helper program must be setuid
      so that non-<systemitem class="username">root</systemitem>
      processes can access the shadow file.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Linux-PAM</title>

    <sect3 id="pam-config">
      <title>Config Files</title>

      <para>
        <filename>/etc/security/*</filename> and
        <filename>/etc/pam.d/*</filename>
      </para>

      <indexterm zone="linux-pam pam-config">
        <primary sortas="e-etc-security">/etc/security/*</primary>
      </indexterm>

      <indexterm zone="linux-pam pam-config">
        <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        Configuration information is placed in
        <filename class="directory">/etc/pam.d/</filename>.
        Below is an example file:
      </para>

<screen><literal># Begin /etc/pam.d/other

auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so nullok

# End /etc/pam.d/other</literal></screen>

      <para>
        The <application>PAM</application> man page (<command>man
        pam</command>) provides a good starting point for descriptions
        of fields and allowable entries. The <ulink
        url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">Linux-PAM
        System Administrators' Guide</ulink> is recommended for additional
        information.
      </para>

      <para>
        Refer to <ulink url="&debian-pam-docs;/modules.html"/> for a list
        of various third-party modules available.
      </para>

      <important>
        <para>
          You should now reinstall the <xref linkend="shadow"/>
          package.
        </para>
      </important>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Program</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          mkhomedir_helper, pam_tally, pam_tally2,
          pam_timestamp_check, unix_chkpwd and
          unix_update
        </seg>
        <seg>
          libpam.so, libpamc.so and libpam_misc.so
        </seg>
        <seg>
          /etc/security,
          /lib/security,
          /usr/include/security and
          /usr/share/doc/Linux-PAM-&linux-pam-version;
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="mkhomedir_helper">
        <term><command>mkhomedir_helper</command></term>
        <listitem>
          <para>
            is a helper binary that creates home directories.
          </para>
          <indexterm zone="linux-pam mkhomedir_helper">
            <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="pam_tally">
        <term><command>pam_tally</command></term>
        <listitem>
          <para>
            is used to interrogate and manipulate the login counter file.
          </para>
          <indexterm zone="linux-pam pam_tally">
            <primary sortas="b-pam_tally">pam_tally</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="pam_tally2">
        <term><command>pam_tally2</command></term>
        <listitem>
          <para>
            is used to interrogate and manipulate the login counter file, but
            does not have some limitations that <command>pam_tally</command>
            does.
          </para>
          <indexterm zone="linux-pam pam_tally2">
            <primary sortas="b-pam_tally2">pam_tally2</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="pam_timestamp_check">
        <term><command>pam_timestamp_check</command></term>
        <listitem>
          <para>
            is used to check if the default timestamp is valid.
          </para>
          <indexterm zone="linux-pam pam_timestamp_check">
            <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="unix_chkpwd">
        <term><command>unix_chkpwd</command></term>
        <listitem>
          <para>
            is a helper binary that verifies the password of the current user.
          </para>
          <indexterm zone="linux-pam unix_chkpwd">
            <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="unix_update">
        <term><command>unix_update</command></term>
        <listitem>
          <para>
            is a helper binary that updates the password of a given user.
          </para>
          <indexterm zone="linux-pam unix_update">
            <primary sortas="b-unix_update">unix_update</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libpam">
        <term><filename class="libraryfile">libpam.so</filename></term>
        <listitem>
          <para>
            provides the interfaces between applications and the
            PAM modules.
          </para>
          <indexterm zone="linux-pam libpam">
            <primary sortas="c-libpam">libpam.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
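
The caution in the file says that make install overwrites /etc/security and /etc/environment and that the files under /etc/pam.d need care on a working system. The following shell functions are an added example, not part of the BLFS file: they snapshot those paths before the install and list which files differ afterwards. The function names and the ROOT/DEST arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the BLFS book). Paths come from the caution in
# the page; function names and the ROOT/DEST arguments are assumptions.
#
# Typical use as root, around the page's install step:
#   pam_snapshot "" /root/pam-pre-install && make install
#   pam_changed  "" /root/pam-pre-install

# pam_snapshot ROOT DEST: copy ROOT/etc/security, ROOT/etc/environment and
# ROOT/etc/pam.d (whichever exist) into DEST, preserving modes and times.
pam_snapshot() {
    root=$1 dest=$2
    mkdir -p "$dest/etc" || return 1
    for p in security environment pam.d; do
        if [ -e "$root/etc/$p" ]; then
            cp -pR "$root/etc/$p" "$dest/etc/" || return 1
        fi
    done
}

# pam_changed ROOT DEST: print, one per line, every snapshotted file whose
# live copy under ROOT is now missing or has different contents.
pam_changed() {
    root=$1 dest=$2
    ( cd "$dest" && find etc -type f | sort ) | while IFS= read -r f; do
        if ! cmp -s "$dest/$f" "$root/$f"; then
            printf '%s\n' "/$f"
        fi
    done
}

# pam_restore ROOT DEST FILE: put one snapshotted file (given as an
# absolute path such as /etc/environment) back in place under ROOT.
pam_restore() {
    cp -p "$2$3" "$1$3"
}
```

An empty ROOT means the live system; a non-empty ROOT lets the same functions run against a staging directory.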
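
The file shows two different /etc/pam.d/other files: the one created for the tests, where every management group is handled by pam_deny.so, and the example under Configuration Information, which uses pam_unix.so with nullok. The following added example, which is not code from the BLFS book, parses a pam.d file and reports what keeps it from being a deny-everything fallback. The function names and report wording are assumptions, and pam_warn.so is accepted alongside pam_deny.so because it only logs.

```shell
#!/bin/sh
# Added example (not from the BLFS book); function names are assumptions.

# pam_rules FILE: print "lineno type control module [args...]" per rule,
# skipping comments and blank lines and joining a bracketed
# [value=action ...] control into a single comma-separated field.
pam_rules() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }
    {
        type = $1; sub(/^-/, "", type)   # "-type" only silences a missing-module log
        ctl = $2; i = 3
        if (ctl ~ /^\[/) while (ctl !~ /\]$/ && i <= NF) ctl = ctl "," $(i++)
        mod = $i; sub(/^.*\//, "", mod)  # accept absolute module paths
        args = ""
        for (i++; i <= NF; i++) args = args " " $i
        print NR, type, ctl, mod args
    }' "$1"
}

# pam_fallback_findings FILE: report what stops FILE (normally
# /etc/pam.d/other) from denying every request. No output means every
# rule is pam_deny.so/pam_warn.so and all four groups have a deny rule.
pam_fallback_findings() {
    pam_rules "$1" | awk '
    $4 == "pam_deny.so" && ($3 == "required" || $3 == "requisite") { deny[$2] = 1 }
    $4 != "pam_deny.so" && $4 != "pam_warn.so" {
        printf "line %d: %s rule uses %s\n", $1, $2, $4
    }
    $4 == "pam_unix.so" {
        for (i = 5; i <= NF; i++) if ($i == "nullok")
            printf "line %d: pam_unix.so nullok (blank passwords permitted)\n", $1
    }
    END {
        n = split("auth account password session", t, " ")
        for (i = 1; i <= n; i++)
            if (!deny[t[i]]) printf "%s: no required pam_deny.so\n", t[i]
    }'
}
```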