[b4b71892] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
| 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
|
---|
| 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
| 6 | ]>
|
---|
| 7 |
|
---|
[96e3995] | 8 | <sect1 id="shadow">
|
---|
[bae6e15] | 9 | <?dbhtml filename="shadow.html"?>
|
---|
[677712e] | 10 | <title>Shadow-&shadow-version;</title>
|
---|
[419dd50] | 11 |
|
---|
[7915966] | 12 | <!--
|
---|
[419dd50] | 13 | <sect2>
|
---|
[f45b1953] | 14 | <title>Configuring shadow</title>
|
---|
| 15 |
|
---|
[22d378f] | 16 | <para>Shadow's Configuration File</para>
|
---|
| 17 |
|
---|
| 18 | <para><userinput>/etc/login.defs</userinput></para>
|
---|
| 19 |
|
---|
[18193a6] | 20 | <para>Enabling <acronym>MD</acronym>5 Passwords</para>
|
---|
[22d378f] | 21 |
|
---|
[971ca3d] | 22 | <para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
|
---|
[419dd50] | 23 | <filename>login.defs</filename> file that reads:
|
---|
[6ea971be] | 24 | <screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
|
---|
[22d378f] | 25 | to read:
|
---|
[c442d19] | 26 | <screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
|
---|
[18193a6] | 27 | Passwords created after this change will be encrypted using
|
---|
[666f6de] | 28 | <acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
|
---|
[18193a6] | 29 | <acronym>DES</acronym> encryption.
|
---|
[419dd50] | 30 | </para>
|
---|
| 31 | </sect2>
|
---|
[7915966] | 32 | -->
|
---|
[b4b71892] | 33 |
|
---|
| 34 |
|
---|
| 35 | <sect2>
|
---|
| 36 | <title>Introduction to <application>Shadow</application></title>
|
---|
| 37 |
|
---|
| 38 | <para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
|
---|
| 39 | no reason to reinstall it unless you installed
|
---|
| 40 | <application>Linux-<acronym>PAM</acronym></application>. If you did,
|
---|
| 41 | this will allow programs like <command>login</command> and
|
---|
| 42 | <command>su</command> to utilize
|
---|
| 43 | <acronym>PAM</acronym>.</para>
|
---|
| 44 |
|
---|
| 45 | <sect3><title>Additional downloads</title>
|
---|
| 46 | <itemizedlist spacing='compact'>
|
---|
| 47 | <listitem><para>Patch to fix linking against PAM:
|
---|
| 48 | <ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
|
---|
| 49 | </itemizedlist>
|
---|
| 50 | </sect3>
|
---|
| 51 |
|
---|
| 52 | <sect3><title><application>Shadow</application> dependencies</title>
|
---|
| 53 | <sect4><title>Required</title>
|
---|
| 54 | <para><xref linkend="Linux_PAM"/></para></sect4>
|
---|
| 55 | </sect3>
|
---|
| 56 | </sect2>
|
---|
| 57 |
|
---|
| 58 |
|
---|
| 59 | <sect2>
|
---|
| 60 | <title>Installation of <application>shadow</application></title>
|
---|
| 61 |
|
---|
| 62 | <para>Reinstall shadow by running the following commands:</para>
|
---|
| 63 |
|
---|
| 64 | <screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &&
|
---|
| 65 | LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
|
---|
| 66 | --enable-shared --with-libpam --without-libcrack &&
|
---|
| 67 | echo '#define HAVE_SETLOCALE 1' >> config.h &&
|
---|
| 68 | make &&
|
---|
| 69 | make install &&
|
---|
| 70 | mv /bin/sg /usr/bin &&
|
---|
| 71 | mv /bin/vigr /usr/sbin &&
|
---|
| 72 | rm /bin/groups &&
|
---|
| 73 | mv /usr/lib/lib{misc,shadow}.so.0* /lib &&
|
---|
| 74 | ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
|
---|
| 75 | ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
|
---|
| 76 |
|
---|
| 77 | </sect2>
|
---|
| 78 |
|
---|
| 79 |
|
---|
| 80 | <sect2>
|
---|
| 81 | <title>Command explanations</title>
|
---|
| 82 |
|
---|
| 83 | <para><parameter>--without-libcrack</parameter>: This switch tells shadow
|
---|
| 84 | not to use libcrack. This is desired as
|
---|
| 85 | <application>Linux-<acronym>PAM</acronym></application> already
|
---|
| 86 | contains libcrack.</para>
|
---|
| 87 |
|
---|
| 88 | <!-- Leftover from older instructions????
|
---|
| 89 | <para><command>cp debian/securetty /etc/securetty</command>: This
|
---|
| 90 | command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
|
---|
| 91 | -->
|
---|
| 92 |
|
---|
| 93 | </sect2>
|
---|
| 94 |
|
---|
| 95 |
|
---|
| 96 | <sect2>
|
---|
| 97 | <title>Configuring <application><acronym>PAM</acronym></application> to work
|
---|
| 98 | with <application>shadow</application></title>
|
---|
| 99 |
|
---|
| 100 | <sect3><title>Config files</title>
|
---|
| 101 | <para><filename>/etc/pam.d/login</filename>,
|
---|
| 102 | <filename>/etc/pam.d/passwd</filename>,
|
---|
| 103 | <filename>/etc/pam.d/su</filename>,
|
---|
| 104 | <filename>/etc/pam.d/shadow</filename>, and
|
---|
| 105 | <filename>/etc/pam.d/useradd</filename></para>
|
---|
| 106 | </sect3>
|
---|
| 107 |
|
---|
| 108 | <sect3><title>Configuration Information</title>
|
---|
| 109 |
|
---|
| 110 | <para>Add the following <application><acronym>PAM</acronym></application>
|
---|
| 111 | configuration files to <filename class="directory">/etc/pam.d</filename> (or add them to
|
---|
| 112 | <filename>/etc/pam.conf</filename> with the additional field for the program).
|
---|
| 113 | </para>
|
---|
| 114 | <screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command>
|
---|
| 115 | # Begin /etc/pam.d/login
|
---|
| 116 |
|
---|
| 117 | auth requisite pam_securetty.so
|
---|
| 118 | auth requisite pam_nologin.so
|
---|
| 119 | auth required pam_env.so
|
---|
| 120 | auth required pam_unix.so
|
---|
| 121 | account required pam_access.so
|
---|
| 122 | account required pam_unix.so
|
---|
| 123 | session required pam_motd.so
|
---|
| 124 | session required pam_limits.so
|
---|
| 125 | session optional pam_mail.so dir=/var/mail standard
|
---|
| 126 | session optional pam_lastlog.so
|
---|
| 127 | session required pam_unix.so
|
---|
| 128 |
|
---|
| 129 | # End /etc/pam.d/login
|
---|
| 130 | <command>EOF
|
---|
| 131 | cat > /etc/pam.d/passwd << "EOF"</command>
|
---|
| 132 | # Begin /etc/pam.d/passwd
|
---|
| 133 |
|
---|
| 134 | password required pam_unix.so md5 shadow
|
---|
| 135 |
|
---|
| 136 | # End /etc/pam.d/passwd
|
---|
| 137 | <command>EOF
|
---|
| 138 | cat > /etc/pam.d/shadow << "EOF"</command>
|
---|
| 139 | # Begin /etc/pam.d/shadow
|
---|
| 140 |
|
---|
| 141 | auth sufficient pam_rootok.so
|
---|
| 142 | auth required pam_unix.so
|
---|
| 143 | account required pam_unix.so
|
---|
| 144 | session required pam_unix.so
|
---|
| 145 | password required pam_permit.so
|
---|
| 146 |
|
---|
| 147 | # End /etc/pam.d/shadow
|
---|
| 148 | <command>EOF
|
---|
| 149 | cat > /etc/pam.d/su << "EOF"</command>
|
---|
| 150 | # Begin /etc/pam.d/su
|
---|
| 151 |
|
---|
| 152 | auth sufficient pam_rootok.so
|
---|
| 153 | auth required pam_unix.so
|
---|
| 154 | account required pam_unix.so
|
---|
| 155 | session required pam_unix.so
|
---|
| 156 |
|
---|
| 157 | # End /etc/pam.d/su
|
---|
| 158 | <command>EOF
|
---|
| 159 | cat > /etc/pam.d/useradd << "EOF"</command>
|
---|
| 160 | # Begin /etc/pam.d/useradd
|
---|
| 161 |
|
---|
| 162 | auth sufficient pam_rootok.so
|
---|
| 163 | auth required pam_unix.so
|
---|
| 164 | account required pam_unix.so
|
---|
| 165 | session required pam_unix.so
|
---|
| 166 | password required pam_permit.so
|
---|
| 167 |
|
---|
| 168 | # End /etc/pam.d/useradd
|
---|
| 169 | <command>EOF
|
---|
| 170 | cat > /etc/pam.d/chage << "EOF"</command>
|
---|
| 171 | # Begin /etc/pam.d/chage
|
---|
| 172 |
|
---|
| 173 | auth sufficient pam_rootok.so
|
---|
| 174 | auth required pam_unix.so
|
---|
| 175 | account required pam_unix.so
|
---|
| 176 | session required pam_unix.so
|
---|
| 177 | password required pam_permit.so
|
---|
| 178 |
|
---|
| 179 | # End /etc/pam.d/chage
|
---|
| 180 | <command>EOF</command></userinput></screen>
|
---|
| 181 |
|
---|
| 182 | <para>Currently, <filename>/etc/pam.d/other</filename> is configured to
|
---|
| 183 | allow anyone with an account on the machine to use programs
|
---|
| 184 | that do not specifically have a configuration file of their own. After
|
---|
| 185 | testing <application><acronym>PAM</acronym></application> for proper
|
---|
| 186 | configuration, it can be changed to the following:</para>
|
---|
| 187 |
|
---|
| 188 | <screen><userinput><command>cat > /etc/pam.d/other << "EOF"</command>
|
---|
| 189 | # Begin /etc/pam.d/other
|
---|
| 190 |
|
---|
| 191 | auth required pam_deny.so
|
---|
| 192 | auth required pam_warn.so
|
---|
| 193 | account required pam_deny.so
|
---|
| 194 | session required pam_deny.so
|
---|
| 195 | password required pam_deny.so
|
---|
| 196 | password required pam_warn.so
|
---|
| 197 |
|
---|
| 198 | # End /etc/pam.d/other
|
---|
| 199 | <command>EOF</command></userinput></screen>
|
---|
| 200 |
|
---|
| 201 | <para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
|
---|
| 202 | to the beginning of the following lines:</para>
|
---|
| 203 | <screen>LASTLOG_ENAB
|
---|
| 204 | MAIL_CHECK_ENAB
|
---|
| 205 | PORTTIME_CHECKS_ENAB
|
---|
| 206 | CONSOLE
|
---|
| 207 | MOTD_FILE
|
---|
| 208 | NOLOGINS_FILE
|
---|
| 209 | PASS_MIN_LEN
|
---|
| 210 | SU_WHEEL_ONLY
|
---|
| 211 | MD5_CRYPT_ENAB
|
---|
| 212 | CONSOLE_GROUPS
|
---|
| 213 | ENVIRON_FILE</screen>
|
---|
| 214 |
|
---|
| 215 | <para>This stops <command>login</command> from performing these functions, as
|
---|
| 216 | they will now be performed by <acronym>PAM</acronym> modules.</para>
|
---|
| 217 |
|
---|
| 218 | </sect3>
|
---|
| 219 |
|
---|
| 220 | </sect2>
|
---|
[f45b1953] | 221 |
|
---|
| 222 | </sect1>
|
---|