[b4b71892] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
[6732c094] | 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
[b4b71892] | 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
[17fb537e] | 6 |
|
---|
[24c3176] | 7 | <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
|
---|
[fb89293] | 8 | <!ENTITY shadow-download-ftp " ">
|
---|
[e6527c7d] | 9 | <!ENTITY shadow-md5sum "bb0166bebc24db9003bb77bfd1359042">
|
---|
[24c3176] | 10 | <!ENTITY shadow-size "1.7 MB">
|
---|
[e6527c7d] | 11 | <!ENTITY shadow-buildsize "49 MB">
|
---|
[f7fe3e6] | 12 | <!ENTITY shadow-time "less than 0.1 SBU (with parallelism=4)">
|
---|
[b4b71892] | 13 | ]>
|
---|
| 14 |
|
---|
[17fb537e] | 15 | <sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
|
---|
[322f172] | 16 | <?dbhtml filename="shadow.html"?>
|
---|
| 17 |
|
---|
| 18 |
|
---|
| 19 | <title>Shadow-&shadow-version;</title>
|
---|
| 20 |
|
---|
| 21 | <indexterm zone="shadow">
|
---|
| 22 | <primary sortas="a-Shadow">Shadow</primary>
|
---|
| 23 | </indexterm>
|
---|
| 24 |
|
---|
| 25 | <sect2 role="package">
|
---|
| 26 | <title>Introduction to Shadow</title>
|
---|
| 27 |
|
---|
[9a3142c] | 28 | <para>
|
---|
| 29 | <application>Shadow</application> was indeed installed in LFS and there is
|
---|
| 30 | no reason to reinstall it unless you installed
|
---|
| 31 | <application>CrackLib</application> or
|
---|
| 32 | <application>Linux-PAM</application> after your LFS system was completed.
|
---|
| 33 | If you have installed <application>CrackLib</application> after LFS, then
|
---|
| 34 | reinstalling <application>Shadow</application> will enable strong password
|
---|
| 35 | support. If you have installed <application>Linux-PAM</application>,
|
---|
| 36 | reinstalling <application>Shadow</application> will allow programs such as
|
---|
| 37 | <command>login</command> and <command>su</command> to utilize PAM.
|
---|
| 38 | </para>
|
---|
[322f172] | 39 |
|
---|
[2314cd7] | 40 | &lfs120_checked;
|
---|
[f4797d2] | 41 |
|
---|
[322f172] | 42 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
| 43 | <itemizedlist spacing="compact">
|
---|
| 44 | <listitem>
|
---|
[9a3142c] | 45 | <para>
|
---|
| 46 | Download (HTTP): <ulink url="&shadow-download-http;"/>
|
---|
| 47 | </para>
|
---|
[322f172] | 48 | </listitem>
|
---|
[29d1c248] | 49 | <listitem>
|
---|
[9a3142c] | 50 | <para>
|
---|
| 51 | Download (FTP): <ulink url="&shadow-download-ftp;"/>
|
---|
| 52 | </para>
|
---|
[29d1c248] | 53 | </listitem>
|
---|
[322f172] | 54 | <listitem>
|
---|
[9a3142c] | 55 | <para>
|
---|
| 56 | Download MD5 sum: &shadow-md5sum;
|
---|
| 57 | </para>
|
---|
[322f172] | 58 | </listitem>
|
---|
| 59 | <listitem>
|
---|
[9a3142c] | 60 | <para>
|
---|
| 61 | Download size: &shadow-size;
|
---|
| 62 | </para>
|
---|
[322f172] | 63 | </listitem>
|
---|
| 64 | <listitem>
|
---|
[9a3142c] | 65 | <para>
|
---|
| 66 | Estimated disk space required: &shadow-buildsize;
|
---|
| 67 | </para>
|
---|
[322f172] | 68 | </listitem>
|
---|
| 69 | <listitem>
|
---|
[9a3142c] | 70 | <para>
|
---|
| 71 | Estimated build time: &shadow-time;
|
---|
| 72 | </para>
|
---|
[322f172] | 73 | </listitem>
|
---|
| 74 | </itemizedlist>
|
---|
[07be534] | 75 | <!--
|
---|
[922e013] | 76 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
| 77 | <itemizedlist spacing="compact">
|
---|
| 78 | <listitem>
|
---|
| 79 | <para>
|
---|
| 80 | Required patch:
|
---|
| 81 | <ulink url="&patch-root;/shadow-&shadow-version;-useradd_segfault-1.patch"/>
|
---|
| 82 | </para>
|
---|
| 83 | </listitem>
|
---|
| 84 | </itemizedlist>
|
---|
[07be534] | 85 | -->
|
---|
[322f172] | 86 | <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
|
---|
| 87 |
|
---|
| 88 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
[9a3142c] | 89 | <para role="required">
|
---|
| 90 | <xref linkend="linux-pam"/> or
|
---|
[19d6c39] | 91 | <xref role="nodep" linkend="cracklib"/>
|
---|
[9a3142c] | 92 | </para>
|
---|
| 93 |
|
---|
[e6527c7d] | 94 | <bridgehead renderas="sect4">Optional</bridgehead>
|
---|
| 95 | <para role="optional">
|
---|
| 96 | <ulink url="https://libbsd.freedesktop.org/wiki/">libbsd</ulink> and
|
---|
| 97 | <ulink url="https://www.openwall.com/tcb/">tcb</ulink>
|
---|
| 98 | </para>
|
---|
| 99 |
|
---|
[322f172] | 100 | </sect2>
|
---|
| 101 |
|
---|
| 102 | <sect2 role="installation">
|
---|
| 103 | <title>Installation of Shadow</title>
|
---|
| 104 |
|
---|
[c6bdcb0] | 105 | <important>
|
---|
[9a3142c] | 106 | <para>
|
---|
| 107 | The installation commands shown below are for installations where
|
---|
[19d6c39] | 108 | <application>Linux-PAM</application> has been installed and
|
---|
[9a3142c] | 109 | <application>Shadow</application> is being reinstalled to support the
|
---|
| 110 | <application>Linux-PAM</application> installation.
|
---|
| 111 | </para>
|
---|
| 112 |
|
---|
| 113 | <para>
|
---|
| 114 | If you are reinstalling <application>Shadow</application> to provide
|
---|
| 115 | strong password support using the <application>CrackLib</application>
|
---|
| 116 | library without using <application>Linux-PAM</application>, ensure you
|
---|
| 117 | add the <parameter>--with-libcrack</parameter> parameter to the
|
---|
| 118 | <command>configure</command> script below and also issue the following
|
---|
| 119 | command:
|
---|
| 120 | </para>
|
---|
[bca744f] | 121 |
|
---|
[cac7f93] | 122 | <screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
|
---|
[c6bdcb0] | 123 | </important>
|
---|
| 124 |
|
---|
[9a3142c] | 125 | <para>
|
---|
| 126 | Reinstall <application>Shadow</application> by running the following
|
---|
| 127 | commands:
|
---|
| 128 | </para>
|
---|
[07be534] | 129 | <!--
|
---|
[7af20d4] | 130 | <screen><userinput>patch -Np1 -i ../shadow-4.10-useradd_segfault-1.patch &&
|
---|
[07be534] | 131 | -->
|
---|
| 132 | <screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
|
---|
[4af9931] | 133 |
|
---|
| 134 | find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
|
---|
[dcf64b5f] | 135 | find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &&
|
---|
| 136 | find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &&
|
---|
[e5b9fc73] | 137 |
|
---|
[c0464a8] | 138 | sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD YESCRYPT@' \
|
---|
| 139 | -e 's@/var/spool/mail@/var/mail@' \
|
---|
| 140 | -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
|
---|
| 141 | -i etc/login.defs &&
|
---|
[5443006d] | 142 |
|
---|
[e6527c7d] | 143 | ./configure --sysconfdir=/etc \
|
---|
| 144 | --disable-static \
|
---|
| 145 | --without-libbsd \
|
---|
| 146 | --with-{b,yes}crypt &&<!--
|
---|
| 147 | This is the default: - -with-group-name-max-length=32 &&-->
|
---|
[322f172] | 148 | make</userinput></screen>
|
---|
[17fb537e] | 149 |
|
---|
[9a3142c] | 150 | <para>
|
---|
| 151 | This package does not come with a test suite.
|
---|
| 152 | </para>
|
---|
[31f3a57] | 153 |
|
---|
[9a3142c] | 154 | <para>
|
---|
| 155 | Now, as the <systemitem class="username">root</systemitem> user:
|
---|
| 156 | </para>
|
---|
[17fb537e] | 157 |
|
---|
[dba76a7] | 158 | <screen role="root"><userinput>make exec_prefix=/usr install</userinput></screen>
|
---|
[8558044] | 159 |
|
---|
[5b01088] | 160 | <para>
|
---|
[7a9a7b26] | 161 | The man pages were installed in LFS, but if reinstallation is
|
---|
[5b01088] | 162 | desired, run (as the <systemitem class="username">root</systemitem> user):
|
---|
| 163 | </para>
|
---|
| 164 |
|
---|
| 165 | <screen role="root"><userinput>make -C man install-man</userinput></screen>
|
---|
| 166 |
|
---|
[322f172] | 167 | </sect2>
|
---|
[b4b71892] | 168 |
|
---|
[322f172] | 169 | <sect2 role="commands">
|
---|
| 170 | <title>Command Explanations</title>
|
---|
[b4b71892] | 171 |
|
---|
[9a3142c] | 172 | <para>
|
---|
| 173 | <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
|
---|
| 174 | is used to suppress the installation of the <command>groups</command>
|
---|
| 175 | program as the version from the <application>Coreutils</application>
|
---|
| 176 | package installed during LFS is preferred.
|
---|
| 177 | </para>
|
---|
| 178 |
|
---|
| 179 | <para>
|
---|
[07be534] | 180 | <command>find man -name Makefile.in -exec ... {} \;</command>: The
|
---|
| 181 | first command is used to suppress the installation of the
|
---|
[9a3142c] | 182 | <command>groups</command> man pages so the existing ones installed from
|
---|
| 183 | the <application>Coreutils</application> package are not replaced.
|
---|
[07be534] | 184 | The two other commands prevent installation of manual pages that
|
---|
| 185 | are already installed by <application>Man-pages</application> in LFS.
|
---|
[9a3142c] | 186 | </para>
|
---|
| 187 |
|
---|
| 188 | <para>
|
---|
[c0464a8] | 189 | <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD YESCRYPT@' -e
|
---|
[4635a45d] | 190 | 's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
|
---|
| 191 | -i etc/login.defs</command>: Instead of using the default 'DES'
|
---|
[c0464a8] | 192 | method, this command modifies the installation to use the much more
|
---|
| 193 | secure 'YESCRYPT' method of hashing passwords, which also allows
|
---|
| 194 | passwords longer than eight characters. The command also changes the
|
---|
[4635a45d] | 195 | obsolete <filename class="directory">/var/spool/mail</filename> location
|
---|
| 196 | for user mailboxes that <application>Shadow</application> uses by
|
---|
| 197 | default to the <filename class="directory">/var/mail</filename>
|
---|
| 198 | location. It also changes the default path to be consistent with that
|
---|
| 199 | set in LFS.
|
---|
[9a3142c] | 200 | </para>
|
---|
[e6527c7d] | 201 |
|
---|
[9a3142c] | 202 | <para>
|
---|
[e6527c7d] | 203 | <parameter>--without-libbsd</parameter>: Prevents looking for the
|
---|
| 204 | <command>readpassphrase</command> function, which can be found only in
|
---|
| 205 | <filename class="libraryfile">libbsd</filename>, which we do not
|
---|
| 206 | have in BLFS. An internal implementation of
|
---|
| 207 | <command>readpassphrase</command> is used instead.
|
---|
[9a3142c] | 208 | </para>
|
---|
[e6527c7d] | 209 | <!-- This is the default
|
---|
[49ee2def] | 210 | <para>
|
---|
[e6527c7d] | 211 | <parameter>-\-with-group-name-max-length=32</parameter>: The maximum
|
---|
[f1d7196] | 212 | user name is 32 characters. Make the maximum group name the same.
|
---|
[49ee2def] | 213 | </para>
|
---|
[e6527c7d] | 214 | -->
|
---|
[7af20d4] | 215 | <!--
|
---|
[cacd76ad] | 216 | <para>
|
---|
[7af20d4] | 217 | <parameter>-\-without-su</parameter>: Don't reinstall
|
---|
[8ddd8400] | 218 | <command>su</command> because upstream recommends using the
|
---|
[cacd76ad] | 219 | <command>su</command> command from <xref linkend='util-linux'/>
|
---|
| 220 | when <application>Linux-PAM</application> is available.
|
---|
| 221 | </para>
|
---|
[7af20d4] | 222 | -->
|
---|
[322f172] | 223 | </sect2>
|
---|
[b4b71892] | 224 |
|
---|
[1189cb89] | 225 | <!-- Now, /etc/default/useradd is not reinstalled anymore, and this
|
---|
| 226 | configuration has been done in lfs
|
---|
[e807ae1d] | 227 | <sect2 role="configuration">
|
---|
| 228 | <title>Configuring Shadow</title>
|
---|
| 229 |
|
---|
[9a3142c] | 230 | <para>
|
---|
| 231 | <application>Shadow</application>'s stock configuration for the
|
---|
| 232 | <command>useradd</command> utility may not be desirable for your
|
---|
| 233 | installation. One default parameter causes <command>useradd</command> to
|
---|
| 234 | create a mailbox file for any newly created user.
|
---|
| 235 | <command>useradd</command> will make the group ownership of this file to
|
---|
| 236 | the <systemitem class="groupname">mail</systemitem> group with 0660
|
---|
| 237 | permissions. If you would prefer that these mailbox files are not created
|
---|
| 238 | by <command>useradd</command>, issue the following command as the
|
---|
| 239 | <systemitem class="username">root</systemitem> user:
|
---|
| 240 | </para>
|
---|
[e807ae1d] | 241 |
|
---|
[bca744f] | 242 | <screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
|
---|
[e807ae1d] | 243 | </sect2>
|
---|
[1189cb89] | 244 | -->
|
---|
[322f172] | 245 | <sect2 role="configuration">
|
---|
| 246 | <title>Configuring Linux-PAM to Work with Shadow</title>
|
---|
[b4b71892] | 247 |
|
---|
[8f68b03] | 248 | <note>
|
---|
[9a3142c] | 249 | <para>
|
---|
| 250 | The rest of this page is devoted to configuring
|
---|
| 251 | <application>Shadow</application> to work properly with
|
---|
| 252 | <application>Linux-PAM</application>. If you do not have
|
---|
| 253 | <application>Linux-PAM</application> installed, and you reinstalled
|
---|
| 254 | <application>Shadow</application> to support strong passwords via the
|
---|
| 255 | <application>CrackLib</application> library, no further configuration is
|
---|
| 256 | required.
|
---|
| 257 | </para>
|
---|
[8f68b03] | 258 | </note>
|
---|
| 259 |
|
---|
[322f172] | 260 | <sect3 id="pam.d">
|
---|
| 261 | <title>Config Files</title>
|
---|
[b4b71892] | 262 |
|
---|
[9a3142c] | 263 | <para>
|
---|
| 264 | <filename>/etc/pam.d/*</filename> or alternatively
|
---|
| 265 | <filename>/etc/pam.conf</filename>,
|
---|
| 266 | <filename>/etc/login.defs</filename> and
|
---|
| 267 | <filename>/etc/security/*</filename>
|
---|
| 268 | </para>
|
---|
[b4b71892] | 269 |
|
---|
[322f172] | 270 | <indexterm zone="shadow pam.d">
|
---|
| 271 | <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
|
---|
| 272 | </indexterm>
|
---|
[2197589] | 273 |
|
---|
[322f172] | 274 | <indexterm zone="shadow pam.d">
|
---|
| 275 | <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
|
---|
| 276 | </indexterm>
|
---|
[4fcf20a5] | 277 |
|
---|
[1ba671c] | 278 | <indexterm zone="shadow pam.d">
|
---|
| 279 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
| 280 | </indexterm>
|
---|
| 281 |
|
---|
| 282 | <indexterm zone="shadow pam.d">
|
---|
| 283 | <primary sortas="e-etc-security">/etc/security/*</primary>
|
---|
| 284 | </indexterm>
|
---|
[322f172] | 285 | </sect3>
|
---|
| 286 |
|
---|
| 287 | <sect3>
|
---|
| 288 | <title>Configuration Information</title>
|
---|
| 289 |
|
---|
[9a3142c] | 290 | <para>
|
---|
| 291 | Configuring your system to use <application>Linux-PAM</application> can
|
---|
| 292 | be a complex task. The information below will provide a basic setup so
|
---|
| 293 | that <application>Shadow</application>'s login and password
|
---|
| 294 | functionality will work effectively with
|
---|
| 295 | <application>Linux-PAM</application>. Review the information and links
|
---|
| 296 | on the <xref linkend="linux-pam"/> page for further configuration
|
---|
| 297 | information. For information specific to integrating
|
---|
| 298 | <application>Shadow</application>, <application>Linux-PAM</application>
|
---|
[19d6c39] | 299 | and <application>libpwquality</application>, you can visit the
|
---|
| 300 | following link:
|
---|
[9a3142c] | 301 | </para>
|
---|
[8f68b03] | 302 |
|
---|
| 303 | <itemizedlist spacing="compact">
|
---|
[9a3142c] | 304 | <listitem>
|
---|
[cd29bc9] | 305 | <!-- Old URL redirects to here. -->
|
---|
[9a3142c] | 306 | <para>
|
---|
[cd29bc9] | 307 | <ulink url="https://deer-run.com/users/hal/linux_passwords_pam.html"/>
|
---|
[9a3142c] | 308 | </para>
|
---|
| 309 | </listitem>
|
---|
[8f68b03] | 310 | </itemizedlist>
|
---|
| 311 |
|
---|
[1ba671c] | 312 | <sect4 id="pam-login-defs">
|
---|
| 313 | <title>Configuring /etc/login.defs</title>
|
---|
| 314 |
|
---|
[9a3142c] | 315 | <para>
|
---|
| 316 | The <command>login</command> program currently performs many functions
|
---|
| 317 | which <application>Linux-PAM</application> modules should now handle.
|
---|
| 318 | The following <command>sed</command> command will comment out the
|
---|
| 319 | appropriate lines in <filename>/etc/login.defs</filename>, and stop
|
---|
| 320 | <command>login</command> from performing these functions (a backup
|
---|
| 321 | file named <filename>/etc/login.defs.orig</filename> is also created
|
---|
| 322 | to preserve the original file's contents). Issue the following
|
---|
| 323 | commands as the <systemitem class="username">root</systemitem> user:
|
---|
| 324 | </para>
|
---|
[1ba671c] | 325 |
|
---|
| 326 | <indexterm zone="shadow pam-login-defs">
|
---|
| 327 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
| 328 | </indexterm>
|
---|
| 329 |
|
---|
| 330 | <screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &&
|
---|
[265c7da] | 331 | for FUNCTION in FAIL_DELAY \
|
---|
| 332 | FAILLOG_ENAB \
|
---|
| 333 | LASTLOG_ENAB \
|
---|
| 334 | MAIL_CHECK_ENAB \
|
---|
| 335 | OBSCURE_CHECKS_ENAB \
|
---|
| 336 | PORTTIME_CHECKS_ENAB \
|
---|
| 337 | QUOTAS_ENAB \
|
---|
| 338 | CONSOLE MOTD_FILE \
|
---|
| 339 | FTMP_FILE NOLOGINS_FILE \
|
---|
| 340 | ENV_HZ PASS_MIN_LEN \
|
---|
| 341 | SU_WHEEL_ONLY \
|
---|
| 342 | CRACKLIB_DICTPATH \
|
---|
| 343 | PASS_CHANGE_TRIES \
|
---|
| 344 | PASS_ALWAYS_WARN \
|
---|
[574d896d] | 345 | CHFN_AUTH ENCRYPT_METHOD \
|
---|
| 346 | ENVIRON_FILE
|
---|
[1ba671c] | 347 | do
|
---|
[9a3142c] | 348 | sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
|
---|
[1ba671c] | 349 | done</userinput></screen>
|
---|
| 350 | </sect4>
|
---|
| 351 |
|
---|
| 352 | <sect4>
|
---|
| 353 | <title>Configuring the /etc/pam.d/ Files</title>
|
---|
| 354 |
|
---|
[9a3142c] | 355 | <para>
|
---|
| 356 | As mentioned previously in the <application>Linux-PAM</application>
|
---|
| 357 | instructions, <application>Linux-PAM</application> has two supported
|
---|
| 358 | methods for configuration. The commands below assume that you've
|
---|
| 359 | chosen to use a directory based configuration, where each program has
|
---|
| 360 | its own configuration file. You can optionally use a single
|
---|
| 361 | <filename>/etc/pam.conf</filename> configuration file by using the
|
---|
| 362 | text from the files below, and supplying the program name as an
|
---|
| 363 | additional first field for each line.
|
---|
| 364 | </para>
|
---|
[1ba671c] | 365 |
|
---|
[9a3142c] | 366 | <para>
|
---|
[bd2412e] | 367 | As the <systemitem class="username">root</systemitem> user, create
|
---|
[9a3142c] | 368 | the following <application>Linux-PAM</application> configuration files
|
---|
| 369 | in the <filename class="directory">/etc/pam.d/</filename> directory
|
---|
| 370 | (or add the contents to the <filename>/etc/pam.conf</filename> file)
|
---|
| 371 | using the following commands:
|
---|
| 372 | </para>
|
---|
[1ba671c] | 373 | </sect4>
|
---|
[322f172] | 374 |
|
---|
| 375 | <sect4>
|
---|
[3e8fb4c] | 376 | <title>'login'</title>
|
---|
| 377 |
|
---|
| 378 | <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
---|
| 379 | <literal># Begin /etc/pam.d/login
|
---|
| 380 |
|
---|
| 381 | # Set failure delay before next prompt to 3 seconds
|
---|
| 382 | auth optional pam_faildelay.so delay=3000000
|
---|
| 383 |
|
---|
| 384 | # Check to make sure that the user is allowed to login
|
---|
| 385 | auth requisite pam_nologin.so
|
---|
| 386 |
|
---|
[0d7900a] | 387 | # Check to make sure that root is allowed to login
|
---|
[d265d4c] | 388 | # Disabled by default. You will need to create /etc/securetty
|
---|
| 389 | # file for this module to function. See man 5 securetty.
|
---|
| 390 | #auth required pam_securetty.so
|
---|
[3e8fb4c] | 391 |
|
---|
| 392 | # Additional group memberships - disabled by default
|
---|
| 393 | #auth optional pam_group.so
|
---|
| 394 |
|
---|
[a5b9f1e] | 395 | # include system auth settings
|
---|
[3e8fb4c] | 396 | auth include system-auth
|
---|
| 397 |
|
---|
| 398 | # check access for the user
|
---|
| 399 | account required pam_access.so
|
---|
| 400 |
|
---|
[a5b9f1e] | 401 | # include system account settings
|
---|
[3e8fb4c] | 402 | account include system-account
|
---|
| 403 |
|
---|
| 404 | # Set default environment variables for the user
|
---|
| 405 | session required pam_env.so
|
---|
| 406 |
|
---|
| 407 | # Set resource limits for the user
|
---|
| 408 | session required pam_limits.so
|
---|
| 409 |
|
---|
| 410 | # Display the message of the day - Disabled by default
|
---|
| 411 | #session optional pam_motd.so
|
---|
| 412 |
|
---|
| 413 | # Check user's mail - Disabled by default
|
---|
| 414 | #session optional pam_mail.so standard quiet
|
---|
| 415 |
|
---|
[a5b9f1e] | 416 | # include system session and password settings
|
---|
[3e8fb4c] | 417 | session include system-session
|
---|
| 418 | password include system-password
|
---|
| 419 |
|
---|
| 420 | # End /etc/pam.d/login</literal>
|
---|
| 421 | EOF</userinput></screen>
|
---|
| 422 | </sect4>
|
---|
| 423 |
|
---|
| 424 | <sect4>
|
---|
| 425 | <title>'passwd'</title>
|
---|
[4fcf20a5] | 426 |
|
---|
[322f172] | 427 | <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
---|
| 428 | <literal># Begin /etc/pam.d/passwd
|
---|
[4fcf20a5] | 429 |
|
---|
[3e8fb4c] | 430 | password include system-password
|
---|
[b4b71892] | 431 |
|
---|
[322f172] | 432 | # End /etc/pam.d/passwd</literal>
|
---|
| 433 | EOF</userinput></screen>
|
---|
| 434 | </sect4>
|
---|
[4fcf20a5] | 435 |
|
---|
[922e013] | 436 | <sect4>
|
---|
| 437 | <title>'su'</title>
|
---|
| 438 |
|
---|
[7af20d4] | 439 | <screen role="root"><userinput>cat > /etc/pam.d/su << "EOF"
|
---|
[922e013] | 440 | <literal># Begin /etc/pam.d/su
|
---|
| 441 |
|
---|
| 442 | # always allow root
|
---|
| 443 | auth sufficient pam_rootok.so
|
---|
| 444 |
|
---|
| 445 | # Allow users in the wheel group to execute su without a password
|
---|
| 446 | # disabled by default
|
---|
| 447 | #auth sufficient pam_wheel.so trust use_uid
|
---|
| 448 |
|
---|
| 449 | # include system auth settings
|
---|
| 450 | auth include system-auth
|
---|
| 451 |
|
---|
| 452 | # limit su to users in the wheel group
|
---|
[d32d872] | 453 | # disabled by default
|
---|
| 454 | #auth required pam_wheel.so use_uid
|
---|
[922e013] | 455 |
|
---|
| 456 | # include system account settings
|
---|
| 457 | account include system-account
|
---|
| 458 |
|
---|
| 459 | # Set default environment variables for the service user
|
---|
| 460 | session required pam_env.so
|
---|
| 461 |
|
---|
| 462 | # include system session settings
|
---|
| 463 | session include system-session
|
---|
| 464 |
|
---|
| 465 | # End /etc/pam.d/su</literal>
|
---|
| 466 | EOF</userinput></screen>
|
---|
| 467 | </sect4>
|
---|
| 468 |
|
---|
[bc7e5a7] | 469 | <sect4>
|
---|
| 470 | <title>'chpasswd' and 'newusers'</title>
|
---|
| 471 |
|
---|
| 472 | <screen role="root"><userinput>cat > /etc/pam.d/chpasswd << "EOF"
|
---|
| 473 | <literal># Begin /etc/pam.d/chpasswd
|
---|
| 474 |
|
---|
| 475 | # always allow root
|
---|
| 476 | auth sufficient pam_rootok.so
|
---|
| 477 |
|
---|
| 478 | # include system auth and account settings
|
---|
| 479 | auth include system-auth
|
---|
| 480 | account include system-account
|
---|
| 481 | password include system-password
|
---|
| 482 |
|
---|
| 483 | # End /etc/pam.d/chpasswd</literal>
|
---|
| 484 | EOF
|
---|
| 485 |
|
---|
[c26cfe08] | 486 | sed -e s/chpasswd/newusers/ /etc/pam.d/chpasswd >/etc/pam.d/newusers</userinput></screen>
|
---|
[bc7e5a7] | 487 | </sect4>
|
---|
| 488 |
|
---|
[322f172] | 489 | <sect4>
|
---|
| 490 | <title>'chage'</title>
|
---|
| 491 |
|
---|
| 492 | <screen role="root"><userinput>cat > /etc/pam.d/chage << "EOF"
|
---|
[2f12da13] | 493 | <literal># Begin /etc/pam.d/chage
|
---|
[3e8fb4c] | 494 |
|
---|
| 495 | # always allow root
|
---|
| 496 | auth sufficient pam_rootok.so
|
---|
| 497 |
|
---|
[bc7e5a7] | 498 | # include system auth and account settings
|
---|
[3e8fb4c] | 499 | auth include system-auth
|
---|
| 500 | account include system-account
|
---|
[b4b71892] | 501 |
|
---|
[322f172] | 502 | # End /etc/pam.d/chage</literal>
|
---|
| 503 | EOF</userinput></screen>
|
---|
| 504 | </sect4>
|
---|
[b4b71892] | 505 |
|
---|
[322f172] | 506 | <sect4>
|
---|
[bc7e5a7] | 507 | <title>Other shadow utilities</title>
|
---|
[39975e9] | 508 |
|
---|
[bc7e5a7] | 509 | <screen role="root"><userinput>for PROGRAM in chfn chgpasswd chsh groupadd groupdel \
|
---|
| 510 | groupmems groupmod useradd userdel usermod
|
---|
[4fcf20a5] | 511 | do
|
---|
[9a3142c] | 512 | install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
|
---|
| 513 | sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
|
---|
[322f172] | 514 | done</userinput></screen>
|
---|
| 515 |
|
---|
| 516 | <warning>
|
---|
[9a3142c] | 517 | <para>
|
---|
| 518 | At this point, you should do a simple test to see if
|
---|
| 519 | <application>Shadow</application> is working as expected. Open
|
---|
[cacd76ad] | 520 | another terminal and log in as
|
---|
| 521 | <systemitem class="username">root</systemitem>, and then run
|
---|
| 522 | <command>login</command> and login as another user. If you do
|
---|
| 523 | not see any errors, then all is well and you should proceed with
|
---|
| 524 | the rest of the configuration. If you did receive errors, stop
|
---|
| 525 | now and double check the above configuration files manually.
|
---|
| 526 | Any error is the sign of an error in the above procedure.
|
---|
[e6ae99a] | 527 | You can also run the
|
---|
[cacd76ad] | 528 | test suite from the <application>Linux-PAM</application> package
|
---|
| 529 | to assist you in determining the problem. If you cannot find and
|
---|
| 530 | fix the error, you should recompile
|
---|
| 531 | <application>Shadow</application> adding the
|
---|
| 532 | <option>--without-libpam</option> switch to the
|
---|
| 533 | <command>configure</command> command in the above instructions
|
---|
| 534 | (also move the <filename>/etc/login.defs.orig</filename> backup
|
---|
| 535 | file to <filename>/etc/login.defs</filename>). If you fail to do
|
---|
| 536 | this and the errors remain, you will be unable to log into your
|
---|
| 537 | system.
|
---|
[9a3142c] | 538 | </para>
|
---|
[322f172] | 539 | </warning>
|
---|
[349b53dd] | 540 | </sect4>
|
---|
| 541 |
|
---|
[322f172] | 542 | <sect4 id="pam-access">
|
---|
| 543 | <title>Configuring Login Access</title>
|
---|
[4fcf20a5] | 544 |
|
---|
[9a3142c] | 545 | <para>
|
---|
| 546 | Instead of using the <filename>/etc/login.access</filename> file for
|
---|
| 547 | controlling access to the system, <application>Linux-PAM</application>
|
---|
| 548 | uses the <filename class='libraryfile'>pam_access.so</filename> module
|
---|
| 549 | along with the <filename>/etc/security/access.conf</filename> file.
|
---|
| 550 | Rename the <filename>/etc/login.access</filename> file using the
|
---|
| 551 | following command:
|
---|
| 552 | </para>
|
---|
[322f172] | 553 |
|
---|
| 554 | <indexterm zone="shadow pam-access">
|
---|
| 555 | <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
|
---|
| 556 | </indexterm>
|
---|
[ae27cdc] | 557 | <!-- to editors: it is a common belief that:
|
---|
| 558 | if <condition>; then <command>; fi
|
---|
| 559 | is equivalent to:
|
---|
| 560 | <condition> && <command>
|
---|
| 561 | This is not true in bash; try:
|
---|
| 562 | ([ 0 = 1 ] && echo not reachable); echo $? # echoes 1
|
---|
| 563 | vs
|
---|
| 564 | (if [ 0 = 1 ]; then echo not reachable; fi); echo $? # echoes 0
|
---|
| 565 | So in scripts that may call subshells (for example through sudo) and
|
---|
| 566 | that need error reporting, the outcome _is_ different. In all
|
---|
| 567 | cases, for bash, the "if" form should be preferred.-->
|
---|
| 568 | <screen role="root"><userinput>if [ -f /etc/login.access ]; then mv -v /etc/login.access{,.NOUSE}; fi</userinput></screen>
|
---|
[322f172] | 569 | </sect4>
|
---|
| 570 |
|
---|
| 571 | <sect4 id="pam-limits">
|
---|
| 572 | <title>Configuring Resource Limits</title>
|
---|
| 573 |
|
---|
[9a3142c] | 574 | <para>
|
---|
| 575 | Instead of using the <filename>/etc/limits</filename> file for
|
---|
| 576 | limiting usage of system resources,
|
---|
| 577 | <application>Linux-PAM</application> uses the
|
---|
| 578 | <filename class='libraryfile'>pam_limits.so</filename> module along
|
---|
| 579 | with the <filename>/etc/security/limits.conf</filename> file. Rename
|
---|
| 580 | the <filename>/etc/limits</filename> file using the following command:
|
---|
| 581 | </para>
|
---|
[322f172] | 582 |
|
---|
| 583 | <indexterm zone="shadow pam-limits">
|
---|
| 584 | <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
|
---|
| 585 | </indexterm>
|
---|
| 586 |
|
---|
[ae27cdc] | 587 | <screen role="root"><userinput>if [ -f /etc/limits ]; then mv -v /etc/limits{,.NOUSE}; fi</userinput></screen>
|
---|
[74f20a1] | 588 |
|
---|
[bd2412e] | 589 | <caution>
|
---|
| 590 | <para>
|
---|
| 591 | Be sure to test the login capabilities of the system before logging
|
---|
| 592 | out. Errors in the configuration can cause a permanent
|
---|
| 593 | lockout requiring a boot from an external source to correct the
|
---|
| 594 | problem.
|
---|
| 595 | </para>
|
---|
| 596 | </caution>
|
---|
[74f20a1] | 597 |
|
---|
[322f172] | 598 | </sect4>
|
---|
| 599 | </sect3>
|
---|
[74f20a1] | 600 |
|
---|
[322f172] | 601 | </sect2>
|
---|
[f45b1953] | 602 |
|
---|
[322f172] | 603 | <sect2 role="content">
|
---|
| 604 | <title>Contents</title>
|
---|
[17fb537e] | 605 |
|
---|
[9a3142c] | 606 | <para>
|
---|
| 607 | A list of the installed files, along with their short descriptions can be
|
---|
[f586237] | 608 | found at
|
---|
[50836740] | 609 | <ulink url="&lfs-root;/chapter08/shadow.html#contents-shadow"/>.
|
---|
[9a3142c] | 610 | </para>
|
---|
[c627795] | 611 |
|
---|
[322f172] | 612 | </sect2>
|
---|
[c627795] | 613 |
|
---|
[f45b1953] | 614 | </sect1>
|
---|