source: postlfs/security/shadow.xml@ 8db3c97

Last change on this file since 8db3c97 was 5cd0959d, checked in by Archaic <archaic@…>, 20 years ago

Resetting keywords

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2592 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 8.0 KB
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
 <!ENTITY % general-entities SYSTEM "../../general.ent">
 %general-entities;
]>

<sect1 id="shadow">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="shadow.html"?>
<title>Shadow-&shadow-version;</title>

<!--
<sect2>
<title>Configuring shadow</title>

<para>Shadow's Configuration File</para>

<para><userinput>/etc/login.defs</userinput></para>

<para>Enabling <acronym>MD</acronym>5 Passwords</para>

<para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
<filename>login.defs</filename> file that reads:
<screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
to read:
<screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
Passwords created after this change will be encrypted using
<acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
<acronym>DES</acronym> encryption.
</para>
</sect2>
-->

<sect2>
<title>Introduction to <application>Shadow</application></title>

<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
no reason to reinstall it unless you installed
<application>Linux-<acronym>PAM</acronym></application>. If you did,
this will allow programs like <command>login</command> and
<command>su</command> to utilize
<acronym>PAM</acronym>.</para>

<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Patch to fix linking against PAM:
<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
</itemizedlist>
</sect3>

<sect3><title><application>Shadow</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="Linux_PAM"/></para></sect4>
</sect3>
</sect2>

<sect2>
<title>Installation of <application>Shadow</application></title>

<para>Reinstall <application>Shadow</application> by running the following
commands:</para>

<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
 --enable-shared --with-libpam --without-libcrack &amp;&amp;
echo '#define HAVE_SETLOCALE 1' >> config.h &amp;&amp;
sed -i '/extern char/d' libmisc/xmalloc.c &amp;&amp;
make &amp;&amp;
make install &amp;&amp;
mv /bin/sg /usr/bin &amp;&amp;
mv /bin/vigr /usr/sbin &amp;&amp;
mv /usr/bin/passwd /bin &amp;&amp;
rm /bin/groups &amp;&amp;
mv /usr/lib/lib{misc,shadow}.so.0* /lib &amp;&amp;
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &amp;&amp;
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>

</sect2>

<sect2>
<title>Command explanations</title>

<para><parameter>--without-libcrack</parameter>: This switch tells
<application>Shadow</application> not to use
<filename class='libraryfile'>libcrack</filename>. This is desired as
<application>Linux-<acronym>PAM</acronym></application> already contains
<filename class='libraryfile'>libcrack</filename>.</para>

<para><command>sed -i '/extern char/d' libmisc/xmalloc.c</command>: This
fixes a compilation problem when using <application>GCC</application>-3.4.x.
</para>

<!-- Leftover from older instructions????
<para><command>cp debian/securetty /etc/securetty</command>: This
command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
-->

</sect2>

<sect2>
<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to work
with <application>Shadow</application></title>

<sect3><title>Config files</title>
<para><filename>/etc/pam.d/login</filename>,
<filename>/etc/pam.d/passwd</filename>,
<filename>/etc/pam.d/su</filename>,
<filename>/etc/pam.d/shadow</filename>,
<filename>/etc/pam.d/useradd</filename>, and
<filename>/etc/pam.d/chage</filename> &ndash;
alternatively, <filename>/etc/pam.conf</filename></para>
</sect3>

<sect3><title>Configuration Information</title>

<para>Add the following <application>Linux-<acronym>PAM</acronym></application>
configuration files to <filename class="directory">/etc/pam.d/</filename> (or
add them to <filename>/etc/pam.conf</filename> with the additional field for
the program).</para>

<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login

auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
account required pam_access.so
account required pam_unix.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
session required pam_unix.so

# End /etc/pam.d/login
<command>EOF
cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd

password required pam_unix.so md5 shadow

# End /etc/pam.d/passwd
<command>EOF
cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/shadow

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

# End /etc/pam.d/shadow
<command>EOF
cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/su

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so

# End /etc/pam.d/su
<command>EOF
cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/useradd

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

# End /etc/pam.d/useradd
<command>EOF
cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/chage

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

# End /etc/pam.d/chage
<command>EOF</command></userinput></screen>

<note><para>If you've installed <application>cracklib</application>, replace
<filename>/etc/pam.d/passwd</filename> with the following:</para></note>
<screen><userinput><command>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd

password required pam_cracklib.so \
 retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok

# End /etc/pam.d/passwd
<command>EOF</command></userinput></screen>

<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use programs
that do not specifically have a configuration file of their own. After
testing <application>Linux-<acronym>PAM</acronym></application> for proper
configuration, it can be changed to the following:</para>

<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/other

auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
password required pam_deny.so
password required pam_warn.so

# End /etc/pam.d/other
<command>EOF</command></userinput></screen>

<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
to the beginning of the following lines:</para>
<screen>LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE</screen>

<para>This stops <command>login</command> from performing these functions, as
they will now be performed by <acronym>PAM</acronym> modules. Additionally,
add a '#' to the beginning of the following lines if you've installed
<application>cracklib</application>:</para>
<screen>OBSCURE_CHECKS_ENAB
CRACKLIB_DICTPATH
PASS_CHANGE_TRIES
PASS_ALWAYS_WARN</screen>

</sect3>

</sect2>

</sect1>
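The per-service files above and the hardened /etc/pam.d/other fallback only make sense together: any management group (auth, account, session, password) that a service file leaves out is resolved from other, so a permissive other quietly widens every incomplete stack. The following audit script is an added example, not part of the BLFS book; it constructs a sample pam.d directory with the su and hardened other files from this page, reports which groups each service lacks, and checks that other denies in every group.

```shell
#!/bin/sh
# Added example (not from the BLFS book): audit a pam.d-style directory.
# A group missing from a service file falls through to "other", so we
# list those groups and confirm "other" itself is deny-by-default.

pam_missing_groups() {
    # $1 = service file; prints each management group with no entry.
    file=$1
    for group in auth account session password; do
        if ! sed 's/#.*//' "$file" |
             awk -v g="$group" '$1 == g { found = 1 } END { exit !found }'
        then
            printf '%s\n' "$group"
        fi
    done
}

pam_other_denies_all() {
    # $1 = the "other" file; returns 0 only if every group has pam_deny.so.
    file=$1
    for group in auth account session password; do
        sed 's/#.*//' "$file" |
          awk -v g="$group" '$1 == g && $3 == "pam_deny.so" { found = 1 }
                             END { exit !found }' || return 1
    done
    return 0
}

make_sample_pamd() {
    # Constructed sample directory mirroring the su and other files above.
    dir=$(mktemp -d)
    cat > "$dir/su" << "EOF"
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
EOF
    cat > "$dir/other" << "EOF"
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
password required pam_deny.so
password required pam_warn.so
EOF
    printf '%s\n' "$dir"
}
```

Run `pam_missing_groups /etc/pam.d/login` against a real directory to see which groups a service delegates to other; the sample su file reports `password`, which is exactly the group the hardened other file denies.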