[b4b71892] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
[ff769b8c] | 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
|
---|
[b4b71892] | 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
[17fb537e] | 6 |
|
---|
[364bc5ba] | 7 | <!ENTITY shadow-download-http "http://ftp.pld.org.pl/software/shadow/old/shadow-&shadow-version;.tar.bz2">
|
---|
| 8 | <!ENTITY shadow-download-ftp "ftp://ftp.pld.org.pl/software/shadow/old/shadow-&shadow-version;.tar.bz2">
|
---|
[8f68b03] | 9 | <!ENTITY shadow-md5sum "a0452fa989f8ba45023cc5a08136568e">
|
---|
| 10 | <!ENTITY shadow-size "1.2 MB">
|
---|
| 11 | <!ENTITY shadow-buildsize "15.5 MB">
|
---|
[349b53dd] | 12 | <!ENTITY shadow-time "0.3 SBU">
|
---|
[b4b71892] | 13 | ]>
|
---|
| 14 |
|
---|
[17fb537e] | 15 | <sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
|
---|
[322f172] | 16 | <?dbhtml filename="shadow.html"?>
|
---|
| 17 |
|
---|
| 18 | <sect1info>
|
---|
| 19 | <othername>$LastChangedBy$</othername>
|
---|
| 20 | <date>$Date$</date>
|
---|
| 21 | </sect1info>
|
---|
| 22 |
|
---|
| 23 | <title>Shadow-&shadow-version;</title>
|
---|
| 24 |
|
---|
| 25 | <indexterm zone="shadow">
|
---|
| 26 | <primary sortas="a-Shadow">Shadow</primary>
|
---|
| 27 | </indexterm>
|
---|
| 28 |
|
---|
| 29 | <sect2 role="package">
|
---|
| 30 | <title>Introduction to Shadow</title>
|
---|
| 31 |
|
---|
| 32 | <para><application>Shadow</application> was indeed installed in LFS and
|
---|
| 33 | there is no reason to reinstall it unless you installed
|
---|
[c6bdcb0] | 34 | <application>CrackLib</application> or
|
---|
| 35 | <application>Linux-PAM</application> after your LFS system was completed.
|
---|
| 36 | If you have installed <application>CrackLib</application> after LFS, then
|
---|
| 37 | reinstalling <application>Shadow</application> will enable strong password
|
---|
| 38 | support. If you have installed <application>Linux-PAM</application>,
|
---|
| 39 | reinstalling <application>Shadow</application> will allow programs such as
|
---|
[d8684cbc] | 40 | <command>login</command> and <command>su</command> to utilize PAM.</para>
|
---|
[322f172] | 41 |
|
---|
| 42 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
| 43 | <itemizedlist spacing="compact">
|
---|
| 44 | <listitem>
|
---|
| 45 | <para>Download (HTTP): <ulink url="&shadow-download-http;"/></para>
|
---|
| 46 | </listitem>
|
---|
| 47 | <listitem>
|
---|
| 48 | <para>Download (FTP): <ulink url="&shadow-download-ftp;"/></para>
|
---|
| 49 | </listitem>
|
---|
| 50 | <listitem>
|
---|
| 51 | <para>Download MD5 sum: &shadow-md5sum;</para>
|
---|
| 52 | </listitem>
|
---|
| 53 | <listitem>
|
---|
| 54 | <para>Download size: &shadow-size;</para>
|
---|
| 55 | </listitem>
|
---|
| 56 | <listitem>
|
---|
| 57 | <para>Estimated disk space required: &shadow-buildsize;</para>
|
---|
| 58 | </listitem>
|
---|
| 59 | <listitem>
|
---|
| 60 | <para>Estimated build time: &shadow-time;</para>
|
---|
| 61 | </listitem>
|
---|
| 62 | </itemizedlist>
|
---|
| 63 |
|
---|
[8f68b03] | 64 | <!--
|
---|
[322f172] | 65 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
| 66 | <itemizedlist spacing='compact'>
|
---|
| 67 | <listitem>
|
---|
[d8684cbc] | 68 | <para>Required patch: <ulink
|
---|
| 69 | url="&patch-root;/shadow-&shadow-version;-configure_fix-1.patch"/></para>
|
---|
[322f172] | 70 | </listitem>
|
---|
| 71 | </itemizedlist>
|
---|
[8f68b03] | 72 | -->
|
---|
[322f172] | 73 |
|
---|
| 74 | <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
|
---|
| 75 |
|
---|
| 76 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
[c6bdcb0] | 77 | <para role="required"><xref linkend="linux-pam"/> and/or
|
---|
| 78 | <xref linkend="cracklib"/></para>
|
---|
[322f172] | 79 |
|
---|
[3597eb6] | 80 | <para condition="html" role="usernotes">User Notes:
|
---|
| 81 | <ulink url="&blfs-wiki;/shadow"/></para>
|
---|
| 82 |
|
---|
[322f172] | 83 | </sect2>
|
---|
| 84 |
|
---|
| 85 | <sect2 role="installation">
|
---|
| 86 | <title>Installation of Shadow</title>
|
---|
| 87 |
|
---|
[c6bdcb0] | 88 | <important>
|
---|
| 89 | <para>The installation shown below is for a situation where
|
---|
| 90 | <application>Linux-PAM</application> has been installed (with or
|
---|
| 91 | without a <application>CrackLib</application> installation) and
|
---|
| 92 | <application>Shadow</application> is being reinstalled to support the
|
---|
| 93 | <application>Linux-PAM</application> installation. If you are
|
---|
| 94 | reinstalling <application>Shadow</application> to provide strong
|
---|
| 95 | password support via the <application>CrackLib</application> library
|
---|
| 96 | and you have not installed <application>Linux-PAM</application>, ensure
|
---|
[8f68b03] | 97 | you add the <parameter>--with-libcrack</parameter> parameter to the
|
---|
| 98 | <command>configure</command> script below.</para>
|
---|
[c6bdcb0] | 99 | </important>
|
---|
| 100 |
|
---|
[322f172] | 101 | <para>Reinstall <application>Shadow</application> by running the following
|
---|
| 102 | commands:</para>
|
---|
| 103 |
|
---|
[8f68b03] | 104 | <screen><userinput>./configure --libdir=/lib \
|
---|
| 105 | --enable-shared \
|
---|
| 106 | --without-selinux &&
|
---|
[4fcf20a5] | 107 | sed -i 's/groups$(EXEEXT) //' src/Makefile &&
|
---|
[4d3f1239] | 108 | find man -name Makefile -exec sed -i '/groups/d' {} \; &&
|
---|
[8f68b03] | 109 | sed -i -e 's/ ko//' \
|
---|
| 110 | -e 's/ zh_CN zh_TW//' \
|
---|
| 111 | man/Makefile &&
|
---|
| 112 |
|
---|
| 113 | for i in de es fi fr id it pt_BR; do
|
---|
| 114 | convert-mans UTF-8 ISO-8859-1 man/${i}/*.?
|
---|
| 115 | done &&
|
---|
| 116 |
|
---|
| 117 | for i in cs hu pl; do
|
---|
| 118 | convert-mans UTF-8 ISO-8859-2 man/${i}/*.?
|
---|
| 119 | done &&
|
---|
| 120 |
|
---|
| 121 | convert-mans UTF-8 EUC-JP man/ja/*.? &&
|
---|
| 122 | convert-mans UTF-8 KOI8-R man/ru/*.? &&
|
---|
| 123 | convert-mans UTF-8 ISO-8859-9 man/tr/*.? &&
|
---|
| 124 |
|
---|
[322f172] | 125 | make</userinput></screen>
|
---|
[17fb537e] | 126 |
|
---|
[31f3a57] | 127 | <para>This package does not come with a test suite.</para>
|
---|
| 128 |
|
---|
[322f172] | 129 | <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
|
---|
[17fb537e] | 130 |
|
---|
[322f172] | 131 | <screen role="root"><userinput>make install &&
|
---|
[4fcf20a5] | 132 | mv -v /usr/bin/passwd /bin &&
|
---|
| 133 | mv -v /lib/libshadow.*a /usr/lib &&
|
---|
| 134 | rm -v /lib/libshadow.so &&
|
---|
[322f172] | 135 | ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen>
|
---|
[b4b71892] | 136 |
|
---|
[322f172] | 137 | </sect2>
|
---|
[b4b71892] | 138 |
|
---|
[322f172] | 139 | <sect2 role="commands">
|
---|
| 140 | <title>Command Explanations</title>
|
---|
[b4b71892] | 141 |
|
---|
[8f68b03] | 142 | <!-- Removed the -with-libpam and -without-libcrack options from the
|
---|
| 143 | default as these are the defaults. Pam will automatically be picked
|
---|
| 144 | up if it is installed, and CrackLib won't be used unless specifically
|
---|
| 145 | requested via -with-libcrack
|
---|
| 146 | <para><parameter>-without-libcrack</parameter>: This switch tells
|
---|
[322f172] | 147 | <application>Shadow</application> not to use
|
---|
| 148 | <filename class='libraryfile'>libcrack</filename>. This is desired as
|
---|
[d8684cbc] | 149 | <application>Linux-PAM</application> will provide
|
---|
| 150 | <filename class='libraryfile'>libcrack</filename> functionality.</para>
|
---|
[8f68b03] | 151 | -->
|
---|
| 152 |
|
---|
| 153 | <para><parameter>--without-selinux</parameter>: Support for selinux is
|
---|
| 154 | enabled by default, but selinux is not built in a base LFS system. The
|
---|
| 155 | <command>configure</command> script will fail if this option is not
|
---|
| 156 | used.</para>
|
---|
| 157 |
|
---|
| 158 | <para><command>sed -i 's/groups$(EXEEXT) //' src/Makefile</command>: This
|
---|
| 159 | command is used to suppress the installation of the
|
---|
| 160 | <command>groups</command> program as the version from the
|
---|
| 161 | <application>Coreutils</application> package installed during LFS is
|
---|
| 162 | preferred.</para>
|
---|
| 163 |
|
---|
| 164 | <para><command>find man -name Makefile -exec ... {} \;</command>: This
|
---|
| 165 | command is used to suppress the installation of the
|
---|
| 166 | <command>groups</command> man pages so the existing ones installed from
|
---|
| 167 | the <application>Coreutils</application> package are not replaced.</para>
|
---|
| 168 |
|
---|
| 169 | <para><command>sed -i -e '...' -e '...' man/Makefile</command>: This
|
---|
| 170 | command disables the installation of Chinese and Korean manual pages, since
|
---|
| 171 | <application>Man-DB</application> cannot format them properly.</para>
|
---|
| 172 |
|
---|
| 173 | <para><command>convert-mans ...</command>: These commands are used to
|
---|
| 174 | convert some of the man pages so that <application>Man-DB</application>
|
---|
[98fa7cc0] | 175 | will display them in the expected encodings.</para>
|
---|
[8f68b03] | 176 |
|
---|
| 177 | <para><command>mv -v /usr/bin/passwd /bin</command>: The
|
---|
| 178 | <command>passwd</command> program may be needed during times when the
|
---|
| 179 | <filename class='directory'>/usr</filename> filesystem is not mounted so
|
---|
| 180 | it is moved into the root partition.</para>
|
---|
| 181 |
|
---|
| 182 | <para><command>mv -v ...; rm -v ...; ln -v ...</command>: These commands
|
---|
| 183 | are used to move the <filename class='libraryfile'>libshadow</filename>
|
---|
| 184 | library to the root partition to support the moving of the
|
---|
| 185 | <command>passwd</command> program earlier.</para>
|
---|
[39975e9] | 186 |
|
---|
[322f172] | 187 | </sect2>
|
---|
[b4b71892] | 188 |
|
---|
[322f172] | 189 | <sect2 role="configuration">
|
---|
| 190 | <title>Configuring Linux-PAM to Work with Shadow</title>
|
---|
[b4b71892] | 191 |
|
---|
[8f68b03] | 192 | <note>
|
---|
[eb2eccc] | 193 | <para>The rest of this page is devoted to configuring
|
---|
[8f68b03] | 194 | <application>Shadow</application> to work properly with
|
---|
| 195 | <application>Linux-PAM</application>. If you do not have
|
---|
| 196 | <application>Linux-PAM</application> installed, and you reinstalled
|
---|
| 197 | <application>Shadow</application> to support strong passwords via
|
---|
| 198 | the <application>CrackLib</application> library, no further configuration
|
---|
| 199 | is required.</para>
|
---|
| 200 | </note>
|
---|
| 201 |
|
---|
[322f172] | 202 | <sect3 id="pam.d">
|
---|
| 203 | <title>Config Files</title>
|
---|
[b4b71892] | 204 |
|
---|
[1ba671c] | 205 | <para><filename>/etc/pam.d/*</filename> or alternatively
|
---|
| 206 | <filename>/etc/pam.conf, /etc/login.defs and
|
---|
| 207 | /etc/security/*</filename></para>
|
---|
[b4b71892] | 208 |
|
---|
[322f172] | 209 | <indexterm zone="shadow pam.d">
|
---|
| 210 | <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
|
---|
| 211 | </indexterm>
|
---|
[2197589] | 212 |
|
---|
[322f172] | 213 | <indexterm zone="shadow pam.d">
|
---|
| 214 | <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
|
---|
| 215 | </indexterm>
|
---|
[4fcf20a5] | 216 |
|
---|
[1ba671c] | 217 | <indexterm zone="shadow pam.d">
|
---|
| 218 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
| 219 | </indexterm>
|
---|
| 220 |
|
---|
| 221 | <indexterm zone="shadow pam.d">
|
---|
| 222 | <primary sortas="e-etc-security">/etc/security/*</primary>
|
---|
| 223 | </indexterm>
|
---|
| 224 |
|
---|
[322f172] | 225 | </sect3>
|
---|
| 226 |
|
---|
| 227 | <sect3>
|
---|
| 228 | <title>Configuration Information</title>
|
---|
| 229 |
|
---|
[8f68b03] | 230 | <para>Configuring your system to use <application>Linux-PAM</application>
|
---|
| 231 | can be a complex task. The information below will provide a basic setup
|
---|
| 232 | so that <application>Shadow</application>'s login and password
|
---|
| 233 | functionality will work effectively with
|
---|
| 234 | <application>Linux-PAM</application>. Review the information and links on
|
---|
| 235 | the <xref linkend="linux-pam"/> page for further configuration
|
---|
| 236 | information. For information specific to integrating
|
---|
| 237 | <application>Shadow</application>, <application>Linux-PAM</application>
|
---|
| 238 | and <application>CrackLib</application>, you can visit the following
|
---|
| 239 | links:</para>
|
---|
| 240 |
|
---|
| 241 | <itemizedlist spacing="compact">
|
---|
| 242 | <listitem>
|
---|
| 243 | <para><ulink
|
---|
| 244 | url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.3"/></para>
|
---|
| 245 | </listitem>
|
---|
| 246 | <listitem>
|
---|
| 247 | <para><ulink
|
---|
| 248 | url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/></para>
|
---|
| 249 | </listitem>
|
---|
| 250 | </itemizedlist>
|
---|
| 251 |
|
---|
[1ba671c] | 252 | <sect4 id="pam-login-defs">
|
---|
| 253 | <title>Configuring /etc/login.defs</title>
|
---|
| 254 |
|
---|
| 255 | <para>The <command>login</command> program currently performs many
|
---|
| 256 | functions which <application>Linux-PAM</application> modules should
|
---|
| 257 | now handle. The following <command>sed</command> command will comment
|
---|
| 258 | out the appropriate lines in <filename>/etc/login.defs</filename>, and
|
---|
| 259 | stop <command>login</command> from performing these functions (a backup
|
---|
| 260 | file named <filename>/etc/login.defs.orig</filename> is also created
|
---|
[d8684cbc] | 261 | to preserve the original file's contents). Issue the following commands
|
---|
| 262 | as the <systemitem class="username">root</systemitem> user:</para>
|
---|
[1ba671c] | 263 |
|
---|
| 264 | <indexterm zone="shadow pam-login-defs">
|
---|
| 265 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
| 266 | </indexterm>
|
---|
| 267 |
|
---|
| 268 | <screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &&
|
---|
| 269 | for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
|
---|
| 270 | PORTTIME_CHECKS_ENAB CONSOLE \
|
---|
| 271 | MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
|
---|
| 272 | SU_WHEEL_ONLY MD5_CRYPT_ENAB \
|
---|
| 273 | CONSOLE_GROUPS ENVIRON_FILE \
|
---|
| 274 | ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
|
---|
| 275 | ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
|
---|
[8f68b03] | 276 | CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE \
|
---|
| 277 | OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
|
---|
| 278 | PASS_CHANGE_TRIES PASS_ALWAYS_WARN
|
---|
[1ba671c] | 279 | do
|
---|
[d8684cbc] | 280 | sed -i "s/^$FUNCTION/# &/" /etc/login.defs
|
---|
[1ba671c] | 281 | done</userinput></screen>
|
---|
| 282 |
|
---|
[8f68b03] | 283 | <!-- Moved the commenting of these four parameters into the section
|
---|
| 284 | above. If PAM is installed, it complains if these are not commented
|
---|
| 285 | regardless if CrackLib is installed.
|
---|
| 286 |
|
---|
[1ba671c] | 287 | <para>If you have <application>CrackLib</application> installed,
|
---|
[d8684cbc] | 288 | also comment out four more lines using the following command as the
|
---|
| 289 | <systemitem class="username">root</systemitem> user:</para>
|
---|
[1ba671c] | 290 |
|
---|
| 291 | <screen role="root"><userinput>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
|
---|
| 292 | PASS_CHANGE_TRIES PASS_ALWAYS_WARN
|
---|
| 293 | do
|
---|
[d8684cbc] | 294 | sed -i "s/^$FUNCTION/# &/" /etc/login.defs
|
---|
[1ba671c] | 295 | done</userinput></screen>
|
---|
| 296 |
|
---|
[8f68b03] | 297 | -->
|
---|
| 298 |
|
---|
[1ba671c] | 299 | </sect4>
|
---|
| 300 |
|
---|
| 301 | <sect4>
|
---|
| 302 | <title>Configuring the /etc/pam.d/ Files</title>
|
---|
| 303 |
|
---|
[29f80ebc] | 304 | <para>As mentioned previously in the
|
---|
| 305 | <application>Linux-PAM</application> instructions,
|
---|
| 306 | <application>Linux-PAM</application> has two supported methods for
|
---|
| 307 | configuration. The commands below assume that you've chosen to use
|
---|
| 308 | a directory based configuration, where each program has its own
|
---|
[eb2eccc] | 309 | configuration file. You can optionally use a single
|
---|
[29f80ebc] | 310 | <filename>/etc/pam.conf</filename> configuration file by using the
|
---|
| 311 | text from the files below, and supplying the program name as an
|
---|
[eb2eccc] | 312 | additional first field for each line.</para>
|
---|
| 313 |
|
---|
| 314 | <para>As the <systemitem class="username">root</systemitem> user,
|
---|
| 315 | create the <filename class="directory">/etc/pam.d</filename>
|
---|
| 316 | directory with the following command:</para>
|
---|
| 317 |
|
---|
[4c31e6de] | 318 | <screen role="root"><userinput>install -v -d -m755 /etc/pam.d</userinput></screen>
|
---|
[eb2eccc] | 319 |
|
---|
[29f80ebc] | 320 | <para>While still the <systemitem class="username">root</systemitem>
|
---|
| 321 | user, add the following <application>Linux-PAM</application>
|
---|
[eb2eccc] | 322 | configuration files to the
|
---|
[29f80ebc] | 323 | <filename class="directory">/etc/pam.d/</filename> directory (or
|
---|
| 324 | add the contents to the <filename>/etc/pam.conf</filename> file) with
|
---|
[eb2eccc] | 325 | the following commands:</para>
|
---|
[1ba671c] | 326 |
|
---|
| 327 | </sect4>
|
---|
[322f172] | 328 |
|
---|
| 329 | <sect4>
|
---|
[974951c] | 330 | <title>'login' (with CrackLib)</title>
|
---|
[322f172] | 331 |
|
---|
| 332 | <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
---|
| 333 | <literal># Begin /etc/pam.d/login
|
---|
[4fcf20a5] | 334 |
|
---|
| 335 | auth requisite pam_securetty.so
|
---|
| 336 | auth requisite pam_nologin.so
|
---|
| 337 | auth required pam_unix.so
|
---|
| 338 | account required pam_access.so
|
---|
| 339 | account required pam_unix.so
|
---|
[7fb0e285] | 340 | session required pam_env.so
|
---|
[4fcf20a5] | 341 | session required pam_motd.so
|
---|
| 342 | session required pam_limits.so
|
---|
| 343 | session optional pam_mail.so dir=/var/mail standard
|
---|
| 344 | session optional pam_lastlog.so
|
---|
| 345 | session required pam_unix.so
|
---|
| 346 | password required pam_cracklib.so retry=3 difok=8 minlen=5 \
|
---|
| 347 | dcredit=3 ocredit=3 \
|
---|
| 348 | ucredit=2 lcredit=2
|
---|
| 349 | password required pam_unix.so md5 shadow use_authtok
|
---|
| 350 |
|
---|
[322f172] | 351 | # End /etc/pam.d/login</literal>
|
---|
| 352 | EOF</userinput></screen>
|
---|
| 353 |
|
---|
| 354 | </sect4>
|
---|
[4fcf20a5] | 355 |
|
---|
[322f172] | 356 | <sect4>
|
---|
[974951c] | 357 | <title>'login' (without CrackLib)</title>
|
---|
[4fcf20a5] | 358 |
|
---|
[322f172] | 359 | <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
---|
| 360 | <literal># Begin /etc/pam.d/login
|
---|
[b4b71892] | 361 |
|
---|
| 362 | auth requisite pam_securetty.so
|
---|
| 363 | auth requisite pam_nologin.so
|
---|
| 364 | auth required pam_env.so
|
---|
| 365 | auth required pam_unix.so
|
---|
| 366 | account required pam_access.so
|
---|
| 367 | account required pam_unix.so
|
---|
| 368 | session required pam_motd.so
|
---|
| 369 | session required pam_limits.so
|
---|
[4fcf20a5] | 370 | session optional pam_mail.so dir=/var/mail standard
|
---|
[b4b71892] | 371 | session optional pam_lastlog.so
|
---|
| 372 | session required pam_unix.so
|
---|
[4fcf20a5] | 373 | password required pam_unix.so md5 shadow
|
---|
[b4b71892] | 374 |
|
---|
[322f172] | 375 | # End /etc/pam.d/login</literal>
|
---|
| 376 | EOF</userinput></screen>
|
---|
[4fcf20a5] | 377 |
|
---|
[322f172] | 378 | </sect4>
|
---|
[4fcf20a5] | 379 |
|
---|
[322f172] | 380 | <sect4>
|
---|
[974951c] | 381 | <title>'passwd' (with CrackLib)</title>
|
---|
[322f172] | 382 |
|
---|
| 383 | <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
---|
| 384 | <literal># Begin /etc/pam.d/passwd
|
---|
[b4b71892] | 385 |
|
---|
[4fcf20a5] | 386 | password required pam_cracklib.so retry=3 difok=8 minlen=5 \
|
---|
| 387 | dcredit=3 ocredit=3 \
|
---|
| 388 | ucredit=2 lcredit=2
|
---|
| 389 | password required pam_unix.so md5 shadow use_authtok
|
---|
[b4b71892] | 390 |
|
---|
[322f172] | 391 | # End /etc/pam.d/passwd</literal>
|
---|
| 392 | EOF</userinput></screen>
|
---|
| 393 |
|
---|
| 394 | </sect4>
|
---|
[b4b71892] | 395 |
|
---|
[322f172] | 396 | <sect4>
|
---|
[974951c] | 397 | <title>'passwd' (without CrackLib)</title>
|
---|
[4fcf20a5] | 398 |
|
---|
[322f172] | 399 | <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
---|
| 400 | <literal># Begin /etc/pam.d/passwd
|
---|
[4fcf20a5] | 401 |
|
---|
| 402 | password required pam_unix.so md5 shadow
|
---|
[b4b71892] | 403 |
|
---|
[322f172] | 404 | # End /etc/pam.d/passwd</literal>
|
---|
| 405 | EOF</userinput></screen>
|
---|
| 406 |
|
---|
| 407 | </sect4>
|
---|
[4fcf20a5] | 408 |
|
---|
[322f172] | 409 | <sect4>
|
---|
| 410 | <title>'su'</title>
|
---|
[4fcf20a5] | 411 |
|
---|
[322f172] | 412 | <screen role="root"><userinput>cat > /etc/pam.d/su << "EOF"
|
---|
| 413 | <literal># Begin /etc/pam.d/su
|
---|
[b4b71892] | 414 |
|
---|
| 415 | auth sufficient pam_rootok.so
|
---|
| 416 | auth required pam_unix.so
|
---|
| 417 | account required pam_unix.so
|
---|
[4fcf20a5] | 418 | session optional pam_mail.so dir=/var/mail standard
|
---|
[7fb0e285] | 419 | session required pam_env.so
|
---|
[b4b71892] | 420 | session required pam_unix.so
|
---|
| 421 |
|
---|
[322f172] | 422 | # End /etc/pam.d/su</literal>
|
---|
| 423 | EOF</userinput></screen>
|
---|
[b4b71892] | 424 |
|
---|
[322f172] | 425 | </sect4>
|
---|
[b4b71892] | 426 |
|
---|
[322f172] | 427 | <sect4>
|
---|
| 428 | <title>'chage'</title>
|
---|
| 429 |
|
---|
| 430 | <screen role="root"><userinput>cat > /etc/pam.d/chage << "EOF"
|
---|
| 431 | <literal># Begin /etc/pam.d/chage
|
---|
[b4b71892] | 432 |
|
---|
| 433 | auth sufficient pam_rootok.so
|
---|
| 434 | auth required pam_unix.so
|
---|
| 435 | account required pam_unix.so
|
---|
| 436 | session required pam_unix.so
|
---|
| 437 | password required pam_permit.so
|
---|
| 438 |
|
---|
[322f172] | 439 | # End /etc/pam.d/chage</literal>
|
---|
| 440 | EOF</userinput></screen>
|
---|
| 441 |
|
---|
| 442 | </sect4>
|
---|
[b4b71892] | 443 |
|
---|
[322f172] | 444 | <sect4>
|
---|
| 445 | <title>'chpasswd', 'newusers', 'groupadd', 'groupdel',
|
---|
| 446 | 'groupmod', 'useradd', 'userdel', and 'usermod'</title>
|
---|
[39975e9] | 447 |
|
---|
[322f172] | 448 | <screen role="root"><userinput>for PROGRAM in chpasswd newusers groupadd groupdel \
|
---|
[4fcf20a5] | 449 | groupmod useradd userdel usermod
|
---|
| 450 | do
|
---|
[904f31e2] | 451 | install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
|
---|
[d8684cbc] | 452 | sed -i "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
|
---|
[322f172] | 453 | done</userinput></screen>
|
---|
| 454 |
|
---|
| 455 | <warning>
|
---|
| 456 | <para>At this point, you should do a simple test to see if
|
---|
| 457 | <application>Shadow</application> is working as expected. Open
|
---|
[1ba671c] | 458 | another terminal and log in as a user, then <command>su</command> to
|
---|
[974951c] | 459 | <systemitem class="username">root</systemitem>. If you do not see any
|
---|
| 460 | errors, then all is well and you should proceed with the rest of the
|
---|
[322f172] | 461 | configuration. If you did receive errors, stop now and double check
|
---|
[b65246b] | 462 | the above configuration files manually. You can also run the test
|
---|
| 463 | suite from the <application>Linux-PAM</application> package to assist
|
---|
| 464 | you in determining the problem. If you cannot find and
|
---|
[322f172] | 465 | fix the error, you should recompile <application>Shadow</application>
|
---|
| 466 | replacing <option>--with-libpam</option> with
|
---|
[1ba671c] | 467 | <option>--without-libpam</option> in the above instructions (also move
|
---|
| 468 | the <filename>/etc/login.defs.orig</filename> backup file to
|
---|
| 469 | <filename>/etc/login.defs</filename>). If you
|
---|
[322f172] | 470 | fail to do this and the errors remain, you will be unable to log into
|
---|
| 471 | your system.</para>
|
---|
| 472 | </warning>
|
---|
| 473 |
|
---|
[349b53dd] | 474 | </sect4>
|
---|
| 475 |
|
---|
| 476 | <sect4>
|
---|
| 477 | <title>Other</title>
|
---|
| 478 |
|
---|
[322f172] | 479 | <para>Currently, <filename>/etc/pam.d/other</filename> is configured
|
---|
| 480 | to allow anyone with an account on the machine to use PAM-aware
|
---|
| 481 | programs without a configuration file for that program. After testing
|
---|
| 482 | <application>Linux-PAM</application> for proper configuration, install
|
---|
| 483 | a more restrictive <filename>other</filename> file so that
|
---|
| 484 | program-specific configuration files are required:</para>
|
---|
| 485 |
|
---|
| 486 | <screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
|
---|
| 487 | <literal># Begin /etc/pam.d/other
|
---|
[b4b71892] | 488 |
|
---|
| 489 | auth required pam_deny.so
|
---|
| 490 | auth required pam_warn.so
|
---|
| 491 | account required pam_deny.so
|
---|
| 492 | session required pam_deny.so
|
---|
| 493 | password required pam_deny.so
|
---|
| 494 | password required pam_warn.so
|
---|
| 495 |
|
---|
[322f172] | 496 | # End /etc/pam.d/other</literal>
|
---|
| 497 | EOF</userinput></screen>
|
---|
[4fcf20a5] | 498 |
|
---|
[b65246b] | 499 | <para>If you preserved the source tree from the
|
---|
| 500 | <application>Linux-PAM</application> package (or you feel like unpacking
|
---|
| 501 | that tarball, then running <command>configure</command> and
|
---|
| 502 | <command>make</command>), now would be a good time to run the test
|
---|
| 503 | suite from this package. This test suite will use the configuration you
|
---|
| 504 | just finished during the tests. All the tests should pass.</para>
|
---|
| 505 |
|
---|
[322f172] | 506 | </sect4>
|
---|
[4fcf20a5] | 507 |
|
---|
[322f172] | 508 | <sect4 id="pam-access">
|
---|
| 509 | <title>Configuring Login Access</title>
|
---|
[4fcf20a5] | 510 |
|
---|
[322f172] | 511 | <para>Instead of using the <filename>/etc/login.access</filename>
|
---|
| 512 | file for controlling access to the system,
|
---|
| 513 | <application>Linux-PAM</application> uses the
|
---|
| 514 | <filename class='libraryfile'>pam_access.so</filename> module along
|
---|
| 515 | with the <filename>/etc/security/access.conf</filename> file. Rename
|
---|
| 516 | the <filename>/etc/login.access</filename> file using the following
|
---|
| 517 | command:</para>
|
---|
| 518 |
|
---|
| 519 | <indexterm zone="shadow pam-access">
|
---|
| 520 | <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
|
---|
| 521 | </indexterm>
|
---|
| 522 |
|
---|
| 523 | <screen role="root"><userinput>if [ -f /etc/login.access ]; then
|
---|
[4fcf20a5] | 524 | mv -v /etc/login.access /etc/login.access.NOUSE
|
---|
[322f172] | 525 | fi</userinput></screen>
|
---|
| 526 |
|
---|
| 527 | </sect4>
|
---|
| 528 |
|
---|
| 529 | <sect4 id="pam-limits">
|
---|
| 530 | <title>Configuring Resource Limits</title>
|
---|
| 531 |
|
---|
| 532 | <para>Instead of using the <filename>/etc/limits</filename> file
|
---|
| 533 | for limiting usage of system resources,
|
---|
| 534 | <application>Linux-PAM</application> uses the
|
---|
| 535 | <filename class='libraryfile'>pam_limits.so</filename> module along
|
---|
| 536 | with the <filename>/etc/security/limits.conf</filename> file. Rename
|
---|
| 537 | the <filename>/etc/limits</filename> file using the following
|
---|
| 538 | command:</para>
|
---|
| 539 |
|
---|
| 540 | <indexterm zone="shadow pam-limits">
|
---|
| 541 | <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
|
---|
| 542 | </indexterm>
|
---|
| 543 |
|
---|
| 544 | <screen role="root"><userinput>if [ -f /etc/limits ]; then
|
---|
[4fcf20a5] | 545 | mv -v /etc/limits /etc/limits.NOUSE
|
---|
[322f172] | 546 | fi</userinput></screen>
|
---|
| 547 |
|
---|
| 548 | </sect4>
|
---|
[4fcf20a5] | 549 |
|
---|
[7fb0e285] | 550 | <sect4 id="pam-env">
|
---|
| 551 | <title>Configuring Default Environment</title>
|
---|
| 552 |
|
---|
[bccbdaea] | 553 | <para>During previous configuration, several items were removed from
|
---|
[7fb0e285] | 554 | <filename>/etc/login.defs</filename>. Some of these items are now
|
---|
[bccbdaea] | 555 | controlled by the <filename class='libraryfile'>pam_env.so</filename>
|
---|
| 556 | module and the <filename>/etc/security/pam_env.conf</filename>
|
---|
| 557 | configuration file. In particular, the default path has been
|
---|
| 558 | changed. To recover your default path, execute the following
|
---|
[7fb0e285] | 559 | commands:</para>
|
---|
| 560 |
|
---|
[d8684cbc] | 561 | <screen role="root"><userinput>ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
|
---|
[7fb0e285] | 562 | awk '{ print $2 }' | sed 's/PATH=//'` &&
|
---|
[d8684cbc] | 563 | echo 'PATH DEFAULT='`echo "${ENV_PATH}"`\
|
---|
| 564 | ' OVERRIDE=${PATH}' \
|
---|
[7fb0e285] | 565 | >> /etc/security/pam_env.conf &&
|
---|
[d8684cbc] | 566 | unset ENV_PATH</userinput></screen>
|
---|
[7fb0e285] | 567 |
|
---|
[d8684cbc] | 568 | <note>
|
---|
[bccbdaea] | 569 | <para>ENV_SUPATH is no longer supported. You must create
|
---|
| 570 | a valid <filename>/root/.bashrc</filename> file to provide a
|
---|
[d8684cbc] | 571 | modified path for the super-user.</para>
|
---|
| 572 | </note>
|
---|
[7fb0e285] | 573 |
|
---|
| 574 | </sect4>
|
---|
| 575 |
|
---|
[322f172] | 576 | </sect3>
|
---|
[b4b71892] | 577 |
|
---|
[322f172] | 578 | </sect2>
|
---|
[f45b1953] | 579 |
|
---|
[322f172] | 580 | <sect2 role="content">
|
---|
| 581 | <title>Contents</title>
|
---|
[17fb537e] | 582 |
|
---|
[322f172] | 583 | <para>A list of the installed files, along with their short descriptions
|
---|
| 584 | can be found at
|
---|
| 585 | <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>
|
---|
[17fb537e] | 586 |
|
---|
[322f172] | 587 | </sect2>
|
---|
[17fb537e] | 588 |
|
---|
[f45b1953] | 589 | </sect1>
|
---|