source: postlfs/security/shadow.xml

trunk
Last change on this file was 0509772, checked in by Thomas Trepl <thomas@…>, 4 weeks ago

Upgrade shadow-4.15.1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
  <!ENTITY shadow-download-ftp " ">
  <!ENTITY shadow-md5sum "006b0856abd49b5e7b45b7cb78ca272a">
  <!ENTITY shadow-size "1.7 MB">
  <!ENTITY shadow-buildsize "39 MB">
  <!ENTITY shadow-time "0.2 SBU">
]>

<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
  <?dbhtml filename="shadow.html"?>


  <title>Shadow-&shadow-version;</title>

  <indexterm zone="shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Shadow</title>

    <para>
      <application>Shadow</application> was indeed installed in LFS and there is
      no reason to reinstall it unless you installed
      <application>CrackLib</application> or
      <application>Linux-PAM</application> after your LFS system was completed.
      If you have installed <application>CrackLib</application> after LFS, then
      reinstalling <application>Shadow</application> will enable strong password
      support. If you have installed <application>Linux-PAM</application>,
      reinstalling <application>Shadow</application> will allow programs such as
      <command>login</command> and <command>su</command> to utilize PAM.
    </para>

    &lfs121_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&shadow-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&shadow-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &shadow-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &shadow-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &shadow-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &shadow-time;
        </para>
      </listitem>
    </itemizedlist>
<!--
    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Required patch:
          <ulink url="&patch-root;/shadow-&shadow-version;-useradd_segfault-1.patch"/>
        </para>
      </listitem>
    </itemizedlist>
-->
    <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="linux-pam"/> or
      <xref role="nodep" linkend="cracklib"/>
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <ulink url="https://libbsd.freedesktop.org/wiki/">libbsd</ulink> and
      <ulink url="https://www.openwall.com/tcb/">tcb</ulink>
    </para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Shadow</title>

    <important>
      <para>
        The installation commands shown below are for installations where
        <application>Linux-PAM</application> has been installed and
        <application>Shadow</application> is being reinstalled to support the
        <application>Linux-PAM</application> installation.
      </para>

      <para>
        If you are reinstalling <application>Shadow</application> to provide
        strong password support using the <application>CrackLib</application>
        library without using <application>Linux-PAM</application>, ensure you
        add the <parameter>--with-libcrack</parameter> parameter to the
        <command>configure</command> script below and also issue the following
        command:
      </para>

<screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
    </important>

    <warning>
      <para>
        If reinstalling shadow for a version update, be sure to
        redo the Linux-PAM configuration below. The installation
        of shadow overwrites many of the files in
        <filename class="directory">/etc/pam.d/</filename>.
      </para>
    </warning>

    <para>
      Reinstall <application>Shadow</application> by running the following
      commands:
    </para>
<!--
<screen><userinput>patch -Np1 -i ../shadow-4.10-useradd_segfault-1.patch &amp;&amp;
-->
<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;

find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &amp;&amp;

sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD YESCRYPT@' \
    -e 's@/var/spool/mail@/var/mail@' \
    -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
    -i etc/login.defs &amp;&amp;

./configure --sysconfdir=/etc \
            --disable-static \
            --without-libbsd \
            --with-{b,yes}crypt &amp;&amp;<!--
This is the default: - -with-group-name-max-length=32 &amp;&amp;-->
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make exec_prefix=/usr pamddir= install</userinput></screen>

    <para>
      The man pages were installed in LFS, but if reinstallation is
      desired, run (as the <systemitem class="username">root</systemitem> user):
    </para>

<screen role="root"><userinput>make -C man install-man</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
      is used to suppress the installation of the <command>groups</command>
      program as the version from the <application>Coreutils</application>
      package installed during LFS is preferred.
    </para>

    <para>
      <command>find man -name Makefile.in -exec ... {} \;</command>: The
      first command is used to suppress the installation of the
      <command>groups</command> man pages so the existing ones installed from
      the <application>Coreutils</application> package are not replaced.
      The two other commands prevent installation of manual pages that
      are already installed by <application>Man-pages</application> in LFS.
    </para>

    <para>
      <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD YESCRYPT@' -e
      's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
      -i etc/login.defs</command>: Instead of using the default 'DES'
      method, this command modifies the installation to use the much more
      secure 'YESCRYPT' method of hashing passwords, which also allows
      passwords longer than eight characters. The command also changes the
      obsolete <filename class="directory">/var/spool/mail</filename> location
      for user mailboxes that <application>Shadow</application> uses by
      default to the <filename class="directory">/var/mail</filename>
      location. It also changes the default path to be consistent with that
      set in LFS.
    </para>
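    <para>
      A check worth running after this change, added here as an example (it is
      not part of the BLFS book): ENCRYPT_METHOD only governs how newly set
      passwords are hashed, so accounts whose passwords were set before the
      switch keep their old DES, MD5 or SHA hash until the password is changed.
      The script below classifies the hash method of each entry in an
      /etc/shadow-style file, shown over a constructed sample; run it as root
      against the real file to audit a system.
    </para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): classify the hash method of each entry
# in an /etc/shadow-style file. ENCRYPT_METHOD in /etc/login.defs only applies
# when a password is set, so hashes created before the switch to YESCRYPT keep
# their old method until the password is changed.

# Print the hash method used by one shadow password field.
hash_method() {
  h=$1
  case $h in
    ''|'!'|'!!'|'*'|'!*')    echo locked ;;     # no usable password
    '$y$'*)                  echo yescrypt ;;
    '$7$'*)                  echo scrypt ;;
    '$6$'*)                  echo sha512 ;;
    '$5$'*)                  echo sha256 ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
    '$1$'*)                  echo md5 ;;
    '$'*)                    echo unknown ;;
    *)
      # Traditional DES crypt is exactly 13 characters with no '$' prefix.
      if [ "${#h}" -eq 13 ]; then echo des; else echo unknown; fi ;;
  esac
}

# Print "user method" for every entry that is neither locked nor on one of the
# methods this build enables (--with-{b,yes}crypt), then the number of such
# entries as the last line. The loop and the final echo share one subshell on
# the right of the pipe, so the counter survives to the end.
weak_hash_accounts() {
  cat "$1" | {
    n=0
    while IFS=: read -r user hash _rest; do
      [ -n "$user" ] || continue
      m=$(hash_method "$hash")
      case $m in
        yescrypt|bcrypt|locked) ;;
        *) echo "$user $m"; n=$((n + 1)) ;;
      esac
    done
    echo "$n"
  }
}

# Constructed sample; the hash bodies are placeholders with realistic prefixes,
# not real credentials.
SAMPLE=$(mktemp)
printf '%s\n' \
  'root:$y$j9T$placeholdersalt$placeholderhash:19700:0:99999:7:::' \
  'alice:$6$placeholdersalt$placeholderhash:19700:0:99999:7:::' \
  'bob:$1$abcdefgh$placeholderhash:19700:0:99999:7:::' \
  'legacy:ab1Cde2Fgh3Ij:19700:0:99999:7:::' \
  'daemon:*:19700:0:99999:7:::' >"$SAMPLE"
weak_hash_accounts "$SAMPLE"   # alice sha512 / bob md5 / legacy des / 3
rm -f "$SAMPLE"
```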

    <para>
      <parameter>--without-libbsd</parameter>: Prevents looking for the
      <command>readpassphrase</command> function, which can be found only in
      <filename class="libraryfile">libbsd</filename>, which we do not
      have in BLFS. An internal implementation of
      <command>readpassphrase</command> is used instead.
    </para>

    <para>
      <parameter>pamddir=</parameter>: Prevents installation of the shipped
      PAM configuration files into
      <filename class='directory'>/etc/pam.d</filename>. The shipped
      configuration does not work with the BLFS PAM configuration and we
      will create these configuration files explicitly.
    </para>

<!-- This is the default
    <para>
      <parameter>-\-with-group-name-max-length=32</parameter>: The maximum
      user name is 32 characters. Make the maximum group name the same.
    </para>
-->
<!--
    <para>
      <parameter>-\-without-su</parameter>: Don't reinstall
      <command>su</command> because upstream recommends using the
      <command>su</command> command from <xref linkend='util-linux'/>
      when <application>Linux-PAM</application> is available.
    </para>
-->
  </sect2>

<!-- Now, /etc/default/useradd is not reinstalled anymore, and this
     configuration has been done in lfs
  <sect2 role="configuration">
    <title>Configuring Shadow</title>

    <para>
      <application>Shadow</application>'s stock configuration for the
      <command>useradd</command> utility may not be desirable for your
      installation. One default parameter causes <command>useradd</command> to
      create a mailbox file for any newly created user.
      <command>useradd</command> will make the group ownership of this file to
      the <systemitem class="groupname">mail</systemitem> group with 0660
      permissions. If you would prefer that these mailbox files are not created
      by <command>useradd</command>, issue the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
  </sect2>
-->
  <sect2 role="configuration">
    <title>Configuring Linux-PAM to Work with Shadow</title>

    <note>
      <para>
        The rest of this page is devoted to configuring
        <application>Shadow</application> to work properly with
        <application>Linux-PAM</application>. If you do not have
        <application>Linux-PAM</application> installed, and you reinstalled
        <application>Shadow</application> to support strong passwords via the
        <application>CrackLib</application> library, no further configuration is
        required.
      </para>
    </note>

    <sect3 id="pam.d">
      <title>Config Files</title>

      <para>
        <filename>/etc/pam.d/*</filename> or alternatively
        <filename>/etc/pam.conf</filename>,
        <filename>/etc/login.defs</filename> and
        <filename>/etc/security/*</filename>
      </para>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-security">/etc/security/*</primary>
      </indexterm>
    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        Configuring your system to use <application>Linux-PAM</application> can
        be a complex task. The information below will provide a basic setup so
        that <application>Shadow</application>'s login and password
        functionality will work effectively with
        <application>Linux-PAM</application>. Review the information and links
        on the <xref linkend="linux-pam"/> page for further configuration
        information. For information specific to integrating
        <application>Shadow</application>, <application>Linux-PAM</application>
        and <application>libpwquality</application>, you can visit the
        following link:
      </para>

      <itemizedlist spacing="compact">
        <listitem>
          <!-- Old URL redirects to here. -->
          <para>
            <ulink url="https://deer-run.com/users/hal/linux_passwords_pam.html"/>
          </para>
        </listitem>
      </itemizedlist>

      <sect4 id="pam-login-defs">
        <title>Configuring /etc/login.defs</title>

        <para>
          The <command>login</command> program currently performs many functions
          which <application>Linux-PAM</application> modules should now handle.
          The following <command>sed</command> command will comment out the
          appropriate lines in <filename>/etc/login.defs</filename>, and stop
          <command>login</command> from performing these functions (a backup
          file named <filename>/etc/login.defs.orig</filename> is also created
          to preserve the original file's contents). Issue the following
          commands as the <systemitem class="username">root</systemitem> user:
        </para>

        <indexterm zone="shadow pam-login-defs">
          <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
        </indexterm>

<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
for FUNCTION in FAIL_DELAY               \
                FAILLOG_ENAB             \
                LASTLOG_ENAB             \
                MAIL_CHECK_ENAB          \
                OBSCURE_CHECKS_ENAB      \
                PORTTIME_CHECKS_ENAB     \
                QUOTAS_ENAB              \
                CONSOLE MOTD_FILE        \
                FTMP_FILE NOLOGINS_FILE  \
                ENV_HZ PASS_MIN_LEN      \
                SU_WHEEL_ONLY            \
                CRACKLIB_DICTPATH        \
                PASS_CHANGE_TRIES        \
                PASS_ALWAYS_WARN         \
                CHFN_AUTH ENCRYPT_METHOD \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
done</userinput></screen>
      </sect4>

      <sect4>
        <title>Configuring the /etc/pam.d/ Files</title>

        <para>
          As mentioned previously in the <application>Linux-PAM</application>
          instructions, <application>Linux-PAM</application> has two supported
          methods for configuration. The commands below assume that you've
          chosen to use a directory based configuration, where each program has
          its own configuration file. You can optionally use a single
          <filename>/etc/pam.conf</filename> configuration file by using the
          text from the files below, and supplying the program name as an
          additional first field for each line.
        </para>

        <para>
          As the <systemitem class="username">root</systemitem> user, create
          the following <application>Linux-PAM</application> configuration files
          in the <filename class="directory">/etc/pam.d/</filename> directory
          (or add the contents to the <filename>/etc/pam.conf</filename> file)
          using the following commands:
        </para>
      </sect4>

      <sect4>
        <title>'login'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth      required    pam_securetty.so

# Additional group memberships - disabled by default
#auth      optional    pam_group.so

# include system auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include system account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display the message of the day - Disabled by default
#session   optional    pam_motd.so

# Check user's mail - Disabled by default
#session   optional    pam_mail.so      standard quiet

# include system session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'passwd'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'su'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so

# Allow users in the wheel group to execute su without a password
# disabled by default
#auth      sufficient  pam_wheel.so trust use_uid

# include system auth settings
auth      include     system-auth

# limit su to users in the wheel group
# disabled by default
#auth      required    pam_wheel.so use_uid

# include system account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session settings
session   include     system-session

# End /etc/pam.d/su</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'chpasswd' and 'newusers'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chpasswd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chpasswd

# always allow root
auth      sufficient  pam_rootok.so

# include system auth and account settings
auth      include     system-auth
account   include     system-account
password  include     system-password

# End /etc/pam.d/chpasswd</literal>
EOF

sed -e s/chpasswd/newusers/ /etc/pam.d/chpasswd >/etc/pam.d/newusers</userinput></screen>
      </sect4>

      <sect4>
        <title>'chage'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system auth and account settings
auth      include     system-auth
account   include     system-account

# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>Other shadow utilities</title>

<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chsh groupadd groupdel \
               groupmems groupmod useradd userdel usermod
do
  install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
  sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done</userinput></screen>

        <warning>
          <para>
            At this point, you should do a simple test to see if
            <application>Shadow</application> is working as expected. Open
            another terminal and log in as
            <systemitem class="username">root</systemitem>, and then run
            <command>login</command> and log in as another user. If you do
            not see any errors, then all is well and you should proceed with
            the rest of the configuration. If you did receive errors, stop
            now and double check the above configuration files manually.
            Any error indicates a mistake in the above procedure.
            You can also run the
            test suite from the <application>Linux-PAM</application> package
            to assist you in determining the problem. If you cannot find and
            fix the error, you should recompile
            <application>Shadow</application> adding the
            <option>--without-libpam</option> switch to the
            <command>configure</command> command in the above instructions
            (also move the <filename>/etc/login.defs.orig</filename> backup
            file to <filename>/etc/login.defs</filename>). If you fail to do
            this and the errors remain, you will be unable to log into your
            system.
          </para>
        </warning>
      </sect4>
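      <para>
        Before the live login test above, a static check of the files just
        written catches the two mistakes that most often lock everyone out: an
        <literal>include</literal> that names a stack that does not exist in
        <filename class="directory">/etc/pam.d/</filename>, and a module name
        that is not present in the module directory. The script below is an
        added example, not part of the BLFS book or of Shadow itself; it does
        not load Linux-PAM, and the sample pam.d tree and module directory it
        builds are constructed for the demonstration. Against a real system
        call <command>check_pamd /etc/pam.d /lib/security</command> (or
        whatever module directory your Linux-PAM build uses).
      </para>

```shell
#!/bin/sh
# Added example, not part of the BLFS book: a static sanity check of a pam.d
# directory. It verifies that every "include" target exists in the same
# directory and that every module referenced exists in the module directory.
# The files created on this page use only the simple control words, so bracketed
# controls such as "[success=1 default=ignore]" are reported as unknown rather
# than parsed.

# Usage: check_pamd PAMD_DIR MODULE_DIR
# Prints one line per problem found (nothing when the directory is clean).
check_pamd() {
  pamd=$1
  moddir=$2
  for f in "$pamd"/*; do
    [ -f "$f" ] || continue
    svc=${f##*/}
    # Drop comment lines, then read "type control module [args...]" fields.
    grep -v '^[[:space:]]*#' "$f" | while read -r type ctl mod _args; do
      [ -n "$type" ] || continue                 # blank line
      case $type in
        auth|account|password|session) ;;
        -auth|-account|-password|-session) ;;    # leading '-': missing module not logged
        *) echo "$svc: unknown type '$type'"; continue ;;
      esac
      case $ctl in
        include|substack)
          [ -f "$pamd/$mod" ] || echo "$svc: includes missing stack '$mod'" ;;
        required|requisite|sufficient|optional)
          [ -f "$moddir/$mod" ] || echo "$svc: module '$mod' not found in $moddir" ;;
        *) echo "$svc: unknown control '$ctl' for module '$mod'" ;;
      esac
    done
  done
}

# Number of problems, for use in scripts: 0 means the directory looked sane.
count_pamd_problems() {
  check_pamd "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demonstration data: a fake pam.d tree and module directory.
DEMO=$(mktemp -d)
mkdir "$DEMO/pam.d" "$DEMO/security"
printf '%s\n' 'auth sufficient pam_rootok.so' 'auth include system-auth' \
  'account include system-account' >"$DEMO/pam.d/su"
printf '%s\n' 'auth sufficient pam_roottok.so' 'auth include system-auth' \
  >"$DEMO/pam.d/chage"
: >"$DEMO/pam.d/system-auth"           # present
touch "$DEMO/security/pam_rootok.so"   # present
# system-account is missing and pam_roottok.so is a typo: two problems expected.
check_pamd "$DEMO/pam.d" "$DEMO/security"
rm -rf "$DEMO"
```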

      <sect4 id="pam-access">
        <title>Configuring Login Access</title>

        <para>
          Instead of using the <filename>/etc/login.access</filename> file for
          controlling access to the system, <application>Linux-PAM</application>
          uses the <filename class='libraryfile'>pam_access.so</filename> module
          along with the <filename>/etc/security/access.conf</filename> file.
          Rename the <filename>/etc/login.access</filename> file using the
          following command:
        </para>

        <indexterm zone="shadow pam-access">
          <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
        </indexterm>
<!-- to editors: it is a common belief that:
       if <condition>; then <command>; fi
     is equivalent to:
       <condition> && <command>
     This is not true in bash; try:
       ([ 0 = 1 ] && echo not reachable); echo $? # echoes 1
     vs
       (if [ 0 = 1 ]; then echo not reachable; fi); echo $? # echoes 0
     So in scripts that may call subshells (for example through sudo) and
     that need error reporting, the outcome _is_ different. In all
     cases, for bash, the "if" form should be preferred.-->
<screen role="root"><userinput>if [ -f /etc/login.access ]; then mv -v /etc/login.access{,.NOUSE}; fi</userinput></screen>
      </sect4>

      <sect4 id="pam-limits">
        <title>Configuring Resource Limits</title>

        <para>
          Instead of using the <filename>/etc/limits</filename> file for
          limiting usage of system resources,
          <application>Linux-PAM</application> uses the
          <filename class='libraryfile'>pam_limits.so</filename> module along
          with the <filename>/etc/security/limits.conf</filename> file. Rename
          the <filename>/etc/limits</filename> file using the following command:
        </para>

        <indexterm zone="shadow pam-limits">
          <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
        </indexterm>

<screen role="root"><userinput>if [ -f /etc/limits ]; then mv -v /etc/limits{,.NOUSE}; fi</userinput></screen>

        <caution>
          <para>
            Be sure to test the login capabilities of the system before logging
            out. Errors in the configuration can cause a permanent
            lockout requiring a boot from an external source to correct the
            problem.
          </para>
        </caution>

      </sect4>
    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <para>
      A list of the installed files, along with their short descriptions can be
      found at
      <ulink url="&lfs-root;/chapter08/shadow.html#contents-shadow"/>.
    </para>

  </sect2>

</sect1>