source: postlfs/security/shadow.xml

trunk
Last change on this file was cd29bc9, checked in by Xi Ruoyao <xry111@…>, 3 weeks ago

postlfs: URL updates

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
  <!ENTITY shadow-download-ftp  " ">
  <!ENTITY shadow-md5sum        "710bcc89c39683609aacfef9f08bd854">
  <!ENTITY shadow-size          "1.7 MB">
  <!ENTITY shadow-buildsize     "36 MB">
  <!ENTITY shadow-time          "0.2 SBU">
]>

<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
  <?dbhtml filename="shadow.html"?>

  <sect1info>
    <date>$Date$</date>
  </sect1info>

  <title>Shadow-&shadow-version;</title>

  <indexterm zone="shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Shadow</title>

    <para>
      <application>Shadow</application> was indeed installed in LFS and there is
      no reason to reinstall it unless you installed
      <application>CrackLib</application> or
      <application>Linux-PAM</application> after your LFS system was completed.
      If you have installed <application>CrackLib</application> after LFS, then
      reinstalling <application>Shadow</application> will enable strong password
      support. If you have installed <application>Linux-PAM</application>,
      reinstalling <application>Shadow</application> will allow programs such as
      <command>login</command> and <command>su</command> to utilize PAM.
    </para>

    &lfs112_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&shadow-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&shadow-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &shadow-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &shadow-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &shadow-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &shadow-time;
        </para>
      </listitem>
    </itemizedlist>
<!--
    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Required patch:
          <ulink url="&patch-root;/shadow-&shadow-version;-useradd_segfault-1.patch"/>
        </para>
      </listitem>
    </itemizedlist>
-->
    <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="linux-pam"/> or
      <xref role="nodep" linkend="cracklib"/>
    </para>

    <para condition="html" role="usernotes">
      User Notes: <ulink url="&blfs-wiki;/shadow"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Shadow</title>

    <important>
      <para>
        The installation commands shown below are for installations where
        <application>Linux-PAM</application> has been installed and
        <application>Shadow</application> is being reinstalled to support the
        <application>Linux-PAM</application> installation.
      </para>

      <para>
        If you are reinstalling <application>Shadow</application> to provide
        strong password support using the <application>CrackLib</application>
        library without using <application>Linux-PAM</application>, ensure you
        add the <parameter>--with-libcrack</parameter> parameter to the
        <command>configure</command> script below and also issue the following
        command:
      </para>

<screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
    </important>

    <para>
      Reinstall <application>Shadow</application> by running the following
      commands:
    </para>
<!--
<screen><userinput>patch -Np1 -i ../shadow-4.10-useradd_segfault-1.patch &amp;&amp;

sed -i "224s/rounds/min_rounds/" libmisc/salt.c &amp;&amp;
-->
<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;

find man -name Makefile.in -exec sed -i 's/groups\.1 / /'   {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \; &amp;&amp;

sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
    -e 's@/var/spool/mail@/var/mail@'                 \
    -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'                \
    -i etc/login.defs &amp;&amp;

./configure --sysconfdir=/etc               \
            --disable-static                \
            --with-group-name-max-length=32 &amp;&amp;
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make exec_prefix=/usr install</userinput></screen>

    <para>
      The man pages were installed in LFS, but if reinstallation is
      desired, run (as the <systemitem class="username">root</systemitem> user):
    </para>

<screen role="root"><userinput>make -C man install-man</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
      is used to suppress the installation of the <command>groups</command>
      program as the version from the <application>Coreutils</application>
      package installed during LFS is preferred.
    </para>

    <para>
      <command>find man -name Makefile.in -exec ... {} \;</command>: The
      first command is used to suppress the installation of the
      <command>groups</command> man pages so the existing ones installed from
      the <application>Coreutils</application> package are not replaced.
      The two other commands prevent installation of manual pages that
      are already installed by <application>Man-pages</application> in LFS.
    </para>

    <para>
      <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
      's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
      -i etc/login.defs</command>: Instead of using
      the default 'DES' method, this command modifies the installation to use
      the more secure 'SHA512' method of hashing passwords, which also allows
      passwords longer than eight characters. It also changes the obsolete
      <filename class="directory">/var/spool/mail</filename> location for user
      mailboxes that <application>Shadow</application> uses by default to the
      <filename class="directory">/var/mail</filename> location. It also
      changes the default path to be consistent with that set in LFS.
    </para>
<!--
    <para>
      <command>sed ... libmisc/salt.c</command> and
      <command>sed ... libsubid/Makefile.am</command>: Fix a couple of errors
      that were found after the package was released.
    </para>
-->
    <para>
      <parameter>--with-group-name-max-length=32</parameter>: The maximum
      user name is 32 characters. Make the maximum group name the same.
    </para>
<!--
    <para>
      <parameter>-\-without-su</parameter>: Don't reinstall
      <command>su</command> because upstream recommends using the
      <command>su</command> command from <xref linkend='util-linux'/>
      when <application>Linux-PAM</application> is available.
    </para>
-->
  </sect2>

<!-- Now, /etc/default/useradd is not reinstalled anymore, and this
     configuration has been done in lfs
  <sect2 role="configuration">
    <title>Configuring Shadow</title>

    <para>
      <application>Shadow</application>'s stock configuration for the
      <command>useradd</command> utility may not be desirable for your
      installation. One default parameter causes <command>useradd</command> to
      create a mailbox file for any newly created user.
      <command>useradd</command> will make the group ownership of this file to
      the <systemitem class="groupname">mail</systemitem> group with 0660
      permissions. If you would prefer that these mailbox files are not created
      by <command>useradd</command>, issue the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
  </sect2>
-->
  <sect2 role="configuration">
    <title>Configuring Linux-PAM to Work with Shadow</title>

    <note>
      <para>
        The rest of this page is devoted to configuring
        <application>Shadow</application> to work properly with
        <application>Linux-PAM</application>. If you do not have
        <application>Linux-PAM</application> installed, and you reinstalled
        <application>Shadow</application> to support strong passwords via the
        <application>CrackLib</application> library, no further configuration is
        required.
      </para>
    </note>

    <sect3 id="pam.d">
      <title>Config Files</title>

      <para>
        <filename>/etc/pam.d/*</filename> or alternatively
        <filename>/etc/pam.conf</filename>,
        <filename>/etc/login.defs</filename> and
        <filename>/etc/security/*</filename>
      </para>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-security">/etc/security/*</primary>
      </indexterm>
    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        Configuring your system to use <application>Linux-PAM</application> can
        be a complex task. The information below will provide a basic setup so
        that <application>Shadow</application>'s login and password
        functionality will work effectively with
        <application>Linux-PAM</application>. Review the information and links
        on the <xref linkend="linux-pam"/> page for further configuration
        information. For information specific to integrating
        <application>Shadow</application>, <application>Linux-PAM</application>
        and <application>libpwquality</application>, you can visit the
        following link:
      </para>

      <itemizedlist spacing="compact">
        <listitem>
          <!-- Old URL redirects to here. -->
          <para>
            <ulink url="https://deer-run.com/users/hal/linux_passwords_pam.html"/>
          </para>
        </listitem>
      </itemizedlist>

      <sect4 id="pam-login-defs">
        <title>Configuring /etc/login.defs</title>

        <para>
          The <command>login</command> program currently performs many functions
          which <application>Linux-PAM</application> modules should now handle.
          The following <command>sed</command> command will comment out the
          appropriate lines in <filename>/etc/login.defs</filename>, and stop
          <command>login</command> from performing these functions (a backup
          file named <filename>/etc/login.defs.orig</filename> is also created
          to preserve the original file's contents). Issue the following
          commands as the <systemitem class="username">root</systemitem> user:
        </para>

        <indexterm zone="shadow pam-login-defs">
          <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
        </indexterm>

<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
for FUNCTION in FAIL_DELAY               \
                FAILLOG_ENAB             \
                LASTLOG_ENAB             \
                MAIL_CHECK_ENAB          \
                OBSCURE_CHECKS_ENAB      \
                PORTTIME_CHECKS_ENAB     \
                QUOTAS_ENAB              \
                CONSOLE MOTD_FILE        \
                FTMP_FILE NOLOGINS_FILE  \
                ENV_HZ PASS_MIN_LEN      \
                SU_WHEEL_ONLY            \
                CRACKLIB_DICTPATH        \
                PASS_CHANGE_TRIES        \
                PASS_ALWAYS_WARN         \
                CHFN_AUTH ENCRYPT_METHOD \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
done</userinput></screen>
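
        <para>
          The loop above matches each directive as a bare prefix
          (<literal>s/^${FUNCTION}/# &amp;/</literal>), so a directive that is
          a prefix of another one, for example <literal>CONSOLE</literal> and
          <literal>CONSOLE_GROUPS</literal>, would be commented out together
          if both were active. The following script is an added example and
          is not part of the BLFS book: it applies the same list of directives
          to a constructed copy of <filename>login.defs</filename> using a
          whole-key match, and provides a check that lists any of those
          directives still active, which is a quick way to confirm the step
          completed before moving on. It assumes a POSIX shell and GNU
          <command>sed</command>; the function names and the sample file are
          invented for the example and the real
          <filename>/etc/login.defs</filename> is never touched.
        </para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): comment out the login.defs
# directives that Linux-PAM now handles, matching the whole key, and
# verify the result. Assumes a POSIX shell and GNU sed (-E, -i).

# Same directive list as the loop on the page.
PAM_HANDLED="FAIL_DELAY FAILLOG_ENAB LASTLOG_ENAB MAIL_CHECK_ENAB
OBSCURE_CHECKS_ENAB PORTTIME_CHECKS_ENAB QUOTAS_ENAB CONSOLE MOTD_FILE
FTMP_FILE NOLOGINS_FILE ENV_HZ PASS_MIN_LEN SU_WHEEL_ONLY CRACKLIB_DICTPATH
PASS_CHANGE_TRIES PASS_ALWAYS_WARN CHFN_AUTH ENCRYPT_METHOD ENVIRON_FILE"

# comment_pam_keys FILE: prefix "# " to every active line whose key is in
# PAM_HANDLED. The key must be followed by whitespace or end of line, so
# CONSOLE does not also hit CONSOLE_GROUPS (a bare ^KEY match would).
comment_pam_keys() {
    local file key
    file=$1
    for key in $PAM_HANDLED; do
        sed -E -i "s/^${key}([[:space:]]|$)/# &/" "$file"
    done
}

# still_active FILE: print, one per line, the PAM_HANDLED keys that are
# still uncommented in FILE. Empty output means the step is complete.
still_active() {
    local file key
    file=$1
    for key in $PAM_HANDLED; do
        grep -Eq "^${key}([[:space:]]|$)" "$file" && echo "$key"
    done
    return 0
}

# make_sample FILE: write a constructed login.defs fragment for the demo.
# CONSOLE_GROUPS is deliberately active to show the whole-key match.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample in the shape of shadow's /etc/login.defs
FAIL_DELAY        3
FAILLOG_ENAB      yes
CONSOLE_GROUPS    floppy:audio:cdrom
CONSOLE           /etc/consoles
ENCRYPT_METHOD    SHA512
PASS_MAX_DAYS     99999
UMASK             022
EOF
}

# demo: run the whole step against a temporary copy and show the outcome.
demo() {
    local tmp
    tmp=$(mktemp)
    make_sample "$tmp"
    echo "active before: $(still_active "$tmp" | tr '\n' ' ')"
    comment_pam_keys "$tmp"
    echo "active after:  $(still_active "$tmp" | tr '\n' ' ')"
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

        <para>
          Against a real system, <literal>still_active /etc/login.defs</literal>
          printing nothing is the condition to look for before continuing; if
          it prints a key, that line was either not matched by the loop or was
          added back later.
        </para>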
      </sect4>

      <sect4>
        <title>Configuring the /etc/pam.d/ Files</title>

        <para>
          As mentioned previously in the <application>Linux-PAM</application>
          instructions, <application>Linux-PAM</application> has two supported
          methods for configuration. The commands below assume that you've
          chosen to use a directory based configuration, where each program has
          its own configuration file. You can optionally use a single
          <filename>/etc/pam.conf</filename> configuration file by using the
          text from the files below, and supplying the program name as an
          additional first field for each line.
        </para>

        <para>
          As the <systemitem class="username">root</systemitem> user, create
          the following <application>Linux-PAM</application> configuration files
          in the <filename class="directory">/etc/pam.d/</filename> directory
          (or add the contents to the <filename>/etc/pam.conf</filename> file)
          using the following commands:
        </para>
      </sect4>

      <sect4>
        <title>'login'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth      required    pam_securetty.so

# Additional group memberships - disabled by default
#auth      optional    pam_group.so

# include system auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include system account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display date of last login - Disabled by default
#session   optional    pam_lastlog.so

# Display the message of the day - Disabled by default
#session   optional    pam_motd.so

# Check user's mail - Disabled by default
#session   optional    pam_mail.so      standard quiet

# include system session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'passwd'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'su'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so

# Allow users in the wheel group to execute su without a password
# disabled by default
#auth      sufficient  pam_wheel.so trust use_uid

# include system auth settings
auth      include     system-auth

# limit su to users in the wheel group
# disabled by default
#auth      required    pam_wheel.so use_uid

# include system account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session settings
session   include     system-session

# End /etc/pam.d/su</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'chpasswd' and 'newusers'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chpasswd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chpasswd

# always allow root
auth      sufficient  pam_rootok.so

# include system auth and account settings
auth      include     system-auth
account   include     system-account
password  include     system-password

# End /etc/pam.d/chpasswd</literal>
EOF

sed -e s/chpasswd/newusers/ /etc/pam.d/chpasswd >/etc/pam.d/newusers</userinput></screen>
      </sect4>

      <sect4>
        <title>'chage'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system auth and account settings
auth      include     system-auth
account   include     system-account

# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>Other shadow utilities</title>

<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chsh groupadd groupdel \
               groupmems groupmod useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done</userinput></screen>

        <warning>
          <para>
            At this point, you should do a simple test to see if
            <application>Shadow</application> is working as expected. Open
            another terminal and log in as
            <systemitem class="username">root</systemitem>, and then run
            <command>login</command> and log in as another user. Keep that
            root session open until the test succeeds, because an existing
            session is not affected by a broken PAM configuration. If you do
            not see any errors, then all is well and you should proceed with
            the rest of the configuration. If you did receive errors, stop
            now and double check the above configuration files manually.
            Any error indicates a mistake in the above procedure.
            You can also run the
            test suite from the <application>Linux-PAM</application> package
            to assist you in determining the problem. If you cannot find and
            fix the error, you should recompile
            <application>Shadow</application> adding the
            <option>--without-libpam</option> switch to the
            <command>configure</command> command in the above instructions
            (also move the <filename>/etc/login.defs.orig</filename> backup
            file to <filename>/etc/login.defs</filename>). If you fail to do
            this and the errors remain, you will be unable to log into your
            system.
          </para>
        </warning>
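
        <para>
          Before running the login test above, it is worth catching the
          mistakes that cause a lockout without risking one: a mistyped
          module file name, an <literal>include</literal> of a service file
          that was never created (for example <filename>system-auth</filename>
          from the <application>Linux-PAM</application> page), or a bad type
          or control word. The following script is an added example and is
          not part of the BLFS book or of <application>Linux-PAM</application>:
          it reads each file in <filename class="directory">/etc/pam.d</filename>,
          checks the type and control fields against the values
          <application>Linux-PAM</application> accepts, and verifies that
          every module file and every <literal>include</literal> or
          <literal>substack</literal> target exists. It assumes the
          directory-based configuration used on this page and that the
          modules live in <filename class="directory">/lib/security</filename>
          (set <envar>PAM_LIBDIR</envar> if yours are elsewhere); the
          function names are invented for the example.
        </para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): a read-only syntax and reference
# check for the /etc/pam.d service files created above. Run it as root
# while a second root shell is still open, before the login test.
# Assumptions: directory-based configuration (/etc/pam.d) and PAM modules
# installed in /lib/security; override with PAM_LIBDIR=/path.

PAM_LIBDIR=${PAM_LIBDIR:-/lib/security}

# pam_check_file FILE [PAMDIR]: print one diagnostic per faulty line and
# return 1 if there was any. PAMDIR (default: FILE's own directory) is where
# "include"/"substack" targets such as system-auth are looked up.
pam_check_file() {
    local file pamdir status lineno line ptype control module
    file=$1
    pamdir=${2:-$(dirname "$1")}
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                 # drop trailing comment
        set -- $line                     # split into fields (unquoted on purpose)
        [ $# -eq 0 ] && continue         # blank or comment-only line
        ptype=$1; control=$2; module=$3
        case $ptype in
            auth|account|password|session|-auth|-account|-password|-session) ;;
            *) echo "$file:$lineno: unknown type '$ptype'"; status=1; continue ;;
        esac
        if [ "${control#\[}" != "$control" ]; then
            # "[success=1 default=ignore]" style control spans several fields
            shift 2
            while [ $# -gt 0 ] && [ "${control%\]}" = "$control" ]; do
                control="$control $1"; shift
            done
            module=$1
        else
            case $control in
                required|requisite|sufficient|optional|include|substack) ;;
                *) echo "$file:$lineno: unknown control '$control'"; status=1; continue ;;
            esac
        fi
        if [ -z "$module" ]; then
            echo "$file:$lineno: missing module or service name"; status=1; continue
        fi
        case $control in
            include|substack)
                [ -f "$pamdir/$module" ] ||
                    { echo "$file:$lineno: $control target '$module' not found in $pamdir"; status=1; } ;;
            *)
                # module may be given as a bare file name or as an absolute path
                [ -f "$PAM_LIBDIR/$module" ] || [ -f "$module" ] ||
                    { echo "$file:$lineno: module '$module' not found in $PAM_LIBDIR"; status=1; } ;;
        esac
    done < "$file"
    return $status
}

# pam_check_dir PAMDIR: check every service file in PAMDIR; return 1 on any fault.
pam_check_dir() {
    local dir f rc
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        pam_check_file "$f" "$dir" || rc=1
    done
    return $rc
}

# Typical use, as root, after creating the files on this page:
#   pam_check_dir /etc/pam.d && echo "pam.d references are consistent"
```

        <para>
          A clean run only proves that the files refer to modules and service
          files that exist; it does not prove the stack does what you intend,
          so the login test above is still required.
        </para>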
      </sect4>

      <sect4 id="pam-access">
        <title>Configuring Login Access</title>

        <para>
          Instead of using the <filename>/etc/login.access</filename> file for
          controlling access to the system, <application>Linux-PAM</application>
          uses the <filename class='libraryfile'>pam_access.so</filename> module
          along with the <filename>/etc/security/access.conf</filename> file.
          Rename the <filename>/etc/login.access</filename> file using the
          following command:
        </para>

        <indexterm zone="shadow pam-access">
          <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
      </sect4>

      <sect4 id="pam-limits">
        <title>Configuring Resource Limits</title>

        <para>
          Instead of using the <filename>/etc/limits</filename> file for
          limiting usage of system resources,
          <application>Linux-PAM</application> uses the
          <filename class='libraryfile'>pam_limits.so</filename> module along
          with the <filename>/etc/security/limits.conf</filename> file. Rename
          the <filename>/etc/limits</filename> file using the following command:
        </para>

        <indexterm zone="shadow pam-limits">
          <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>

        <caution>
          <para>
            Be sure to test the login capabilities of the system before logging
            out. Errors in the configuration can cause a permanent
            lockout requiring a boot from an external source to correct the
            problem.
          </para>
        </caution>

      </sect4>
    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <para>
      A list of the installed files, along with their short descriptions can be
      found at
      <ulink url="&lfs-root;/chapter08/shadow.html#contents-shadow"/>.
    </para>

  </sect2>

</sect1>