[b4b71892] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
[6732c094] | 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
[b4b71892] | 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
[17fb537e] | 6 |
|
---|
[81d1117] | 7 | <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
|
---|
[fb89293] | 8 | <!ENTITY shadow-download-ftp " ">
|
---|
[a83fdb2] | 9 | <!ENTITY shadow-md5sum "4b05eff8a427cf50e615bda324b5bc45">
|
---|
[fbb96eb6] | 10 | <!ENTITY shadow-size "1.5 MB">
|
---|
[a83fdb2] | 11 | <!ENTITY shadow-buildsize "33 MB">
|
---|
[d64103f] | 12 | <!ENTITY shadow-time "0.2 SBU">
|
---|
[b4b71892] | 13 | ]>
|
---|
| 14 |
|
---|
[17fb537e] | 15 | <sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
|
---|
[322f172] | 16 | <?dbhtml filename="shadow.html"?>
|
---|
| 17 |
|
---|
| 18 | <sect1info>
|
---|
| 19 | <othername>$LastChangedBy$</othername>
|
---|
| 20 | <date>$Date$</date>
|
---|
| 21 | </sect1info>
|
---|
| 22 |
|
---|
| 23 | <title>Shadow-&shadow-version;</title>
|
---|
| 24 |
|
---|
| 25 | <indexterm zone="shadow">
|
---|
| 26 | <primary sortas="a-Shadow">Shadow</primary>
|
---|
| 27 | </indexterm>
|
---|
| 28 |
|
---|
| 29 | <sect2 role="package">
|
---|
| 30 | <title>Introduction to Shadow</title>
|
---|
| 31 |
|
---|
[9a3142c] | 32 | <para>
|
---|
| 33 | <application>Shadow</application> was indeed installed in LFS and there is
|
---|
| 34 | no reason to reinstall it unless you installed
|
---|
| 35 | <application>CrackLib</application> or
|
---|
| 36 | <application>Linux-PAM</application> after your LFS system was completed.
|
---|
| 37 | If you have installed <application>CrackLib</application> after LFS, then
|
---|
| 38 | reinstalling <application>Shadow</application> will enable strong password
|
---|
| 39 | support. If you have installed <application>Linux-PAM</application>,
|
---|
| 40 | reinstalling <application>Shadow</application> will allow programs such as
|
---|
| 41 | <command>login</command> and <command>su</command> to utilize PAM.
|
---|
| 42 | </para>
|
---|
[322f172] | 43 |
|
---|
[66c4901f] | 44 | &lfs91_checked;
|
---|
[f4797d2] | 45 |
|
---|
[322f172] | 46 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
| 47 | <itemizedlist spacing="compact">
|
---|
| 48 | <listitem>
|
---|
[9a3142c] | 49 | <para>
|
---|
| 50 | Download (HTTP): <ulink url="&shadow-download-http;"/>
|
---|
| 51 | </para>
|
---|
[322f172] | 52 | </listitem>
|
---|
[29d1c248] | 53 | <listitem>
|
---|
[9a3142c] | 54 | <para>
|
---|
| 55 | Download (FTP): <ulink url="&shadow-download-ftp;"/>
|
---|
| 56 | </para>
|
---|
[29d1c248] | 57 | </listitem>
|
---|
[322f172] | 58 | <listitem>
|
---|
[9a3142c] | 59 | <para>
|
---|
| 60 | Download MD5 sum: &shadow-md5sum;
|
---|
| 61 | </para>
|
---|
[322f172] | 62 | </listitem>
|
---|
| 63 | <listitem>
|
---|
[9a3142c] | 64 | <para>
|
---|
| 65 | Download size: &shadow-size;
|
---|
| 66 | </para>
|
---|
[322f172] | 67 | </listitem>
|
---|
| 68 | <listitem>
|
---|
[9a3142c] | 69 | <para>
|
---|
| 70 | Estimated disk space required: &shadow-buildsize;
|
---|
| 71 | </para>
|
---|
[322f172] | 72 | </listitem>
|
---|
| 73 | <listitem>
|
---|
[9a3142c] | 74 | <para>
|
---|
| 75 | Estimated build time: &shadow-time;
|
---|
| 76 | </para>
|
---|
[322f172] | 77 | </listitem>
|
---|
| 78 | </itemizedlist>
|
---|
| 79 |
|
---|
| 80 | <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
|
---|
| 81 |
|
---|
| 82 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
[9a3142c] | 83 | <para role="required">
|
---|
| 84 | <xref linkend="linux-pam"/> or
|
---|
| 85 | <xref linkend="cracklib"/>
|
---|
| 86 | </para>
|
---|
| 87 |
|
---|
| 88 | <para condition="html" role="usernotes">
|
---|
| 89 | User Notes: <ulink url="&blfs-wiki;/shadow"/>
|
---|
| 90 | </para>
|
---|
[322f172] | 91 | </sect2>
|
---|
| 92 |
|
---|
| 93 | <sect2 role="installation">
|
---|
| 94 | <title>Installation of Shadow</title>
|
---|
| 95 |
|
---|
[c6bdcb0] | 96 | <important>
|
---|
[9a3142c] | 97 | <para>
|
---|
| 98 | The installation commands shown below are for installations where
|
---|
| 99 | <application>Linux-PAM</application> has been installed (with or
|
---|
| 100 | without a <application>CrackLib</application> installation) and
|
---|
| 101 | <application>Shadow</application> is being reinstalled to support the
|
---|
| 102 | <application>Linux-PAM</application> installation.
|
---|
| 103 | </para>
|
---|
| 104 |
|
---|
| 105 | <para>
|
---|
| 106 | If you are reinstalling <application>Shadow</application> to provide
|
---|
| 107 | strong password support using the <application>CrackLib</application>
|
---|
| 108 | library without using <application>Linux-PAM</application>, ensure you
|
---|
| 109 | add the <parameter>--with-libcrack</parameter> parameter to the
|
---|
| 110 | <command>configure</command> script below and also issue the following
|
---|
| 111 | command:
|
---|
| 112 | </para>
|
---|
[bca744f] | 113 |
|
---|
[cac7f93] | 114 | <screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
|
---|
[c6bdcb0] | 115 | </important>
|
---|
| 116 |
|
---|
[9a3142c] | 117 | <para>
|
---|
| 118 | Reinstall <application>Shadow</application> by running the following
|
---|
| 119 | commands:
|
---|
| 120 | </para>
|
---|
[322f172] | 121 |
|
---|
[5443006d] | 122 | <screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
|
---|
[4af9931] | 123 |
|
---|
| 124 | find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
|
---|
[dcf64b5f] | 125 | find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &&
|
---|
| 126 | find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &&
|
---|
[e5b9fc73] | 127 |
|
---|
[a83fdb2] | 128 | sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
|
---|
| 129 | -e 's@/var/spool/mail@/var/mail@' \
|
---|
| 130 | -i etc/login.defs &&
|
---|
[5443006d] | 131 |
|
---|
[a83fdb2] | 132 | sed -i 's/1000/999/' etc/useradd &&
|
---|
[8f68b03] | 133 |
|
---|
[49ee2def] | 134 | ./configure --sysconfdir=/etc --with-group-name-max-length=32 &&
|
---|
[322f172] | 135 | make</userinput></screen>
|
---|
[17fb537e] | 136 |
|
---|
[9a3142c] | 137 | <para>
|
---|
| 138 | This package does not come with a test suite.
|
---|
| 139 | </para>
|
---|
[31f3a57] | 140 |
|
---|
[9a3142c] | 141 | <para>
|
---|
| 142 | Now, as the <systemitem class="username">root</systemitem> user:
|
---|
| 143 | </para>
|
---|
[17fb537e] | 144 |
|
---|
[fbb96eb6] | 145 | <screen role="root"><userinput>make install</userinput></screen>
|
---|
| 146 |
|
---|
[322f172] | 147 | </sect2>
|
---|
[b4b71892] | 148 |
|
---|
[322f172] | 149 | <sect2 role="commands">
|
---|
| 150 | <title>Command Explanations</title>
|
---|
[b4b71892] | 151 |
|
---|
[9a3142c] | 152 | <para>
|
---|
| 153 | <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
|
---|
| 154 | is used to suppress the installation of the <command>groups</command>
|
---|
| 155 | program as the version from the <application>Coreutils</application>
|
---|
| 156 | package installed during LFS is preferred.
|
---|
| 157 | </para>
|
---|
| 158 |
|
---|
| 159 | <para>
|
---|
| 160 | <command>find man -name Makefile.in -exec ... {} \;</command>: This
|
---|
| 161 | command is used to suppress the installation of the
|
---|
| 162 | <command>groups</command> man pages so the existing ones installed from
|
---|
| 163 | the <application>Coreutils</application> package are not replaced.
|
---|
| 164 | </para>
|
---|
| 165 |
|
---|
| 166 | <para>
|
---|
[a83fdb2] | 167 | <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
|
---|
| 168 | 's@/var/spool/mail@/var/mail@' -i etc/login.defs</command>: Instead of using
|
---|
[9a3142c] | 169 | the default 'DES' method, this command modifies the installation to use
|
---|
| 170 | the more secure 'SHA512' method of hashing passwords, which also allows
|
---|
| 171 | passwords longer than eight characters. It also changes the obsolete
|
---|
| 172 | <filename class="directory">/var/spool/mail</filename> location for user
|
---|
| 173 | mailboxes that <application>Shadow</application> uses by default to the
|
---|
| 174 | <filename class="directory">/var/mail</filename> location.
|
---|
| 175 | </para>
|
---|
| 176 |
|
---|
| 177 | <para>
|
---|
[f3429309] | 178 | <command>sed -i 's/1000/999/' etc/useradd</command>: Make a minor change
|
---|
[d64103f] | 179 | to make the default useradd consistent with the LFS groups file.
|
---|
[9a3142c] | 180 | </para>
|
---|
| 181 |
|
---|
[49ee2def] | 182 | <para>
|
---|
[f1d7196] | 183 | <parameter>--with-group-name-max-length=32</parameter>: The maximum
|
---|
| 184 | user name is 32 characters. Make the maximum group name the same.
|
---|
[49ee2def] | 185 | </para>
|
---|
| 186 |
|
---|
[fbb96eb6] | 187 | <!-- No longer needed as of 4.8
|
---|
[9a3142c] | 188 | <para>
|
---|
| 189 | <command>mv -v /usr/bin/passwd /bin</command>: The
|
---|
| 190 | <command>passwd</command> program may be needed during times when the
|
---|
| 191 | <filename class='directory'>/usr</filename> filesystem is not mounted so
|
---|
| 192 | it is moved into the root partition.
|
---|
| 193 | </para>
|
---|
[fbb96eb6] | 194 | -->
|
---|
| 195 |
|
---|
[322f172] | 196 | </sect2>
|
---|
[b4b71892] | 197 |
|
---|
[e807ae1d] | 198 | <sect2 role="configuration">
|
---|
| 199 | <title>Configuring Shadow</title>
|
---|
| 200 |
|
---|
[9a3142c] | 201 | <para>
|
---|
| 202 | <application>Shadow</application>'s stock configuration for the
|
---|
| 203 | <command>useradd</command> utility may not be desirable for your
|
---|
| 204 | installation. One default parameter causes <command>useradd</command> to
|
---|
| 205 | create a mailbox file for any newly created user.
|
---|
| 206 | <command>useradd</command> will make the group ownership of this file to
|
---|
| 207 | the <systemitem class="groupname">mail</systemitem> group with 0660
|
---|
| 208 | permissions. If you would prefer that these mailbox files are not created
|
---|
| 209 | by <command>useradd</command>, issue the following command as the
|
---|
| 210 | <systemitem class="username">root</systemitem> user:
|
---|
| 211 | </para>
|
---|
[e807ae1d] | 212 |
|
---|
[bca744f] | 213 | <screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
|
---|
[e807ae1d] | 214 | </sect2>
|
---|
| 215 |
|
---|
[322f172] | 216 | <sect2 role="configuration">
|
---|
| 217 | <title>Configuring Linux-PAM to Work with Shadow</title>
|
---|
[b4b71892] | 218 |
|
---|
[8f68b03] | 219 | <note>
|
---|
[9a3142c] | 220 | <para>
|
---|
| 221 | The rest of this page is devoted to configuring
|
---|
| 222 | <application>Shadow</application> to work properly with
|
---|
| 223 | <application>Linux-PAM</application>. If you do not have
|
---|
| 224 | <application>Linux-PAM</application> installed, and you reinstalled
|
---|
| 225 | <application>Shadow</application> to support strong passwords via the
|
---|
| 226 | <application>CrackLib</application> library, no further configuration is
|
---|
| 227 | required.
|
---|
| 228 | </para>
|
---|
[8f68b03] | 229 | </note>
|
---|
| 230 |
|
---|
[322f172] | 231 | <sect3 id="pam.d">
|
---|
| 232 | <title>Config Files</title>
|
---|
[b4b71892] | 233 |
|
---|
[9a3142c] | 234 | <para>
|
---|
| 235 | <filename>/etc/pam.d/*</filename> or alternatively
|
---|
| 236 | <filename>/etc/pam.conf</filename>,
|
---|
| 237 | <filename>/etc/login.defs</filename> and
|
---|
| 238 | <filename>/etc/security/*</filename>
|
---|
| 239 | </para>
|
---|
[b4b71892] | 240 |
|
---|
[322f172] | 241 | <indexterm zone="shadow pam.d">
|
---|
| 242 | <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
|
---|
| 243 | </indexterm>
|
---|
[2197589] | 244 |
|
---|
[322f172] | 245 | <indexterm zone="shadow pam.d">
|
---|
| 246 | <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
|
---|
| 247 | </indexterm>
|
---|
[4fcf20a5] | 248 |
|
---|
[1ba671c] | 249 | <indexterm zone="shadow pam.d">
|
---|
| 250 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
| 251 | </indexterm>
|
---|
| 252 |
|
---|
| 253 | <indexterm zone="shadow pam.d">
|
---|
| 254 | <primary sortas="e-etc-security">/etc/security/*</primary>
|
---|
| 255 | </indexterm>
|
---|
[322f172] | 256 | </sect3>
|
---|
| 257 |
|
---|
| 258 | <sect3>
|
---|
| 259 | <title>Configuration Information</title>
|
---|
| 260 |
|
---|
[9a3142c] | 261 | <para>
|
---|
| 262 | Configuring your system to use <application>Linux-PAM</application> can
|
---|
| 263 | be a complex task. The information below will provide a basic setup so
|
---|
| 264 | that <application>Shadow</application>'s login and password
|
---|
| 265 | functionality will work effectively with
|
---|
| 266 | <application>Linux-PAM</application>. Review the information and links
|
---|
| 267 | on the <xref linkend="linux-pam"/> page for further configuration
|
---|
| 268 | information. For information specific to integrating
|
---|
| 269 | <application>Shadow</application>, <application>Linux-PAM</application>
|
---|
| 270 | and <application>CrackLib</application>, you can visit the following
|
---|
| 271 | link:
|
---|
| 272 | </para>
|
---|
[8f68b03] | 273 |
|
---|
| 274 | <itemizedlist spacing="compact">
|
---|
[9a3142c] | 275 | <listitem>
|
---|
[18f18c2] | 276 | <!-- New URL for the below link, according to it's author. -->
|
---|
[9a3142c] | 277 | <para>
|
---|
[18f18c2] | 278 | <ulink url="http://www.deer-run.com/~hal/linux_passwords_pam.html"/>
|
---|
[9a3142c] | 279 | </para>
|
---|
| 280 | </listitem>
|
---|
[8f68b03] | 281 | </itemizedlist>
|
---|
| 282 |
|
---|
[1ba671c] | 283 | <sect4 id="pam-login-defs">
|
---|
| 284 | <title>Configuring /etc/login.defs</title>
|
---|
| 285 |
|
---|
[9a3142c] | 286 | <para>
|
---|
| 287 | The <command>login</command> program currently performs many functions
|
---|
| 288 | which <application>Linux-PAM</application> modules should now handle.
|
---|
| 289 | The following <command>sed</command> command will comment out the
|
---|
| 290 | appropriate lines in <filename>/etc/login.defs</filename>, and stop
|
---|
| 291 | <command>login</command> from performing these functions (a backup
|
---|
| 292 | file named <filename>/etc/login.defs.orig</filename> is also created
|
---|
| 293 | to preserve the original file's contents). Issue the following
|
---|
| 294 | commands as the <systemitem class="username">root</systemitem> user:
|
---|
| 295 | </para>
|
---|
[1ba671c] | 296 |
|
---|
| 297 | <indexterm zone="shadow pam-login-defs">
|
---|
| 298 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
| 299 | </indexterm>
|
---|
| 300 |
|
---|
| 301 | <screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &&
|
---|
[265c7da] | 302 | for FUNCTION in FAIL_DELAY \
|
---|
| 303 | FAILLOG_ENAB \
|
---|
| 304 | LASTLOG_ENAB \
|
---|
| 305 | MAIL_CHECK_ENAB \
|
---|
| 306 | OBSCURE_CHECKS_ENAB \
|
---|
| 307 | PORTTIME_CHECKS_ENAB \
|
---|
| 308 | QUOTAS_ENAB \
|
---|
| 309 | CONSOLE MOTD_FILE \
|
---|
| 310 | FTMP_FILE NOLOGINS_FILE \
|
---|
| 311 | ENV_HZ PASS_MIN_LEN \
|
---|
| 312 | SU_WHEEL_ONLY \
|
---|
| 313 | CRACKLIB_DICTPATH \
|
---|
| 314 | PASS_CHANGE_TRIES \
|
---|
| 315 | PASS_ALWAYS_WARN \
|
---|
[574d896d] | 316 | CHFN_AUTH ENCRYPT_METHOD \
|
---|
| 317 | ENVIRON_FILE
|
---|
[1ba671c] | 318 | do
|
---|
[9a3142c] | 319 | sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
|
---|
[1ba671c] | 320 | done</userinput></screen>
|
---|
| 321 | </sect4>
|
---|
| 322 |
|
---|
| 323 | <sect4>
|
---|
| 324 | <title>Configuring the /etc/pam.d/ Files</title>
|
---|
| 325 |
|
---|
[9a3142c] | 326 | <para>
|
---|
| 327 | As mentioned previously in the <application>Linux-PAM</application>
|
---|
| 328 | instructions, <application>Linux-PAM</application> has two supported
|
---|
| 329 | methods for configuration. The commands below assume that you've
|
---|
| 330 | chosen to use a directory based configuration, where each program has
|
---|
| 331 | its own configuration file. You can optionally use a single
|
---|
| 332 | <filename>/etc/pam.conf</filename> configuration file by using the
|
---|
| 333 | text from the files below, and supplying the program name as an
|
---|
| 334 | additional first field for each line.
|
---|
| 335 | </para>
|
---|
[1ba671c] | 336 |
|
---|
[9a3142c] | 337 | <para>
|
---|
| 338 | As the <systemitem class="username">root</systemitem> user, replace
|
---|
| 339 | the following <application>Linux-PAM</application> configuration files
|
---|
| 340 | in the <filename class="directory">/etc/pam.d/</filename> directory
|
---|
| 341 | (or add the contents to the <filename>/etc/pam.conf</filename> file)
|
---|
| 342 | using the following commands:
|
---|
| 343 | </para>
|
---|
[1ba671c] | 344 | </sect4>
|
---|
[322f172] | 345 |
|
---|
| 346 | <sect4>
|
---|
[3e8fb4c] | 347 | <title>'login'</title>
|
---|
| 348 |
|
---|
| 349 | <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
---|
| 350 | <literal># Begin /etc/pam.d/login
|
---|
| 351 |
|
---|
| 352 | # Set failure delay before next prompt to 3 seconds
|
---|
| 353 | auth optional pam_faildelay.so delay=3000000
|
---|
| 354 |
|
---|
| 355 | # Check to make sure that the user is allowed to login
|
---|
| 356 | auth requisite pam_nologin.so
|
---|
| 357 |
|
---|
[0d7900a] | 358 | # Check to make sure that root is allowed to login
|
---|
[d265d4c] | 359 | # Disabled by default. You will need to create /etc/securetty
|
---|
| 360 | # file for this module to function. See man 5 securetty.
|
---|
| 361 | #auth required pam_securetty.so
|
---|
[3e8fb4c] | 362 |
|
---|
| 363 | # Additional group memberships - disabled by default
|
---|
| 364 | #auth optional pam_group.so
|
---|
| 365 |
|
---|
[a5b9f1e] | 366 | # include system auth settings
|
---|
[3e8fb4c] | 367 | auth include system-auth
|
---|
| 368 |
|
---|
| 369 | # check access for the user
|
---|
| 370 | account required pam_access.so
|
---|
| 371 |
|
---|
[a5b9f1e] | 372 | # include system account settings
|
---|
[3e8fb4c] | 373 | account include system-account
|
---|
| 374 |
|
---|
| 375 | # Set default environment variables for the user
|
---|
| 376 | session required pam_env.so
|
---|
| 377 |
|
---|
| 378 | # Set resource limits for the user
|
---|
| 379 | session required pam_limits.so
|
---|
| 380 |
|
---|
| 381 | # Display date of last login - Disabled by default
|
---|
| 382 | #session optional pam_lastlog.so
|
---|
| 383 |
|
---|
| 384 | # Display the message of the day - Disabled by default
|
---|
| 385 | #session optional pam_motd.so
|
---|
| 386 |
|
---|
| 387 | # Check user's mail - Disabled by default
|
---|
| 388 | #session optional pam_mail.so standard quiet
|
---|
| 389 |
|
---|
[a5b9f1e] | 390 | # include system session and password settings
|
---|
[3e8fb4c] | 391 | session include system-session
|
---|
| 392 | password include system-password
|
---|
| 393 |
|
---|
| 394 | # End /etc/pam.d/login</literal>
|
---|
| 395 | EOF</userinput></screen>
|
---|
| 396 | </sect4>
|
---|
| 397 |
|
---|
| 398 | <sect4>
|
---|
| 399 | <title>'passwd'</title>
|
---|
[4fcf20a5] | 400 |
|
---|
[322f172] | 401 | <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
---|
| 402 | <literal># Begin /etc/pam.d/passwd
|
---|
[4fcf20a5] | 403 |
|
---|
[3e8fb4c] | 404 | password include system-password
|
---|
[b4b71892] | 405 |
|
---|
[322f172] | 406 | # End /etc/pam.d/passwd</literal>
|
---|
| 407 | EOF</userinput></screen>
|
---|
| 408 | </sect4>
|
---|
[4fcf20a5] | 409 |
|
---|
[322f172] | 410 | <sect4>
|
---|
| 411 | <title>'su'</title>
|
---|
[4fcf20a5] | 412 |
|
---|
[322f172] | 413 | <screen role="root"><userinput>cat > /etc/pam.d/su << "EOF"
|
---|
| 414 | <literal># Begin /etc/pam.d/su
|
---|
[b4b71892] | 415 |
|
---|
[3e8fb4c] | 416 | # always allow root
|
---|
| 417 | auth sufficient pam_rootok.so
|
---|
[a5b9f1e] | 418 |
|
---|
| 419 | # Allow users in the wheel group to execute su without a password
|
---|
| 420 | # disabled by default
|
---|
| 421 | #auth sufficient pam_wheel.so trust use_uid
|
---|
| 422 |
|
---|
| 423 | # include system auth settings
|
---|
[55e18620] | 424 | auth include system-auth
|
---|
[3e8fb4c] | 425 |
|
---|
[a5b9f1e] | 426 | # limit su to users in the wheel group
|
---|
| 427 | auth required pam_wheel.so use_uid
|
---|
| 428 |
|
---|
| 429 | # include system account settings
|
---|
[3e8fb4c] | 430 | account include system-account
|
---|
| 431 |
|
---|
| 432 | # Set default environment variables for the service user
|
---|
| 433 | session required pam_env.so
|
---|
| 434 |
|
---|
[a5b9f1e] | 435 | # include system session settings
|
---|
[3e8fb4c] | 436 | session include system-session
|
---|
[b4b71892] | 437 |
|
---|
[322f172] | 438 | # End /etc/pam.d/su</literal>
|
---|
| 439 | EOF</userinput></screen>
|
---|
| 440 | </sect4>
|
---|
[b4b71892] | 441 |
|
---|
[322f172] | 442 | <sect4>
|
---|
| 443 | <title>'chage'</title>
|
---|
| 444 |
|
---|
| 445 | <screen role="root"><userinput>cat > /etc/pam.d/chage << "EOF"
|
---|
[2f12da13] | 446 | <literal># Begin /etc/pam.d/chage
|
---|
[3e8fb4c] | 447 |
|
---|
| 448 | # always allow root
|
---|
| 449 | auth sufficient pam_rootok.so
|
---|
| 450 |
|
---|
[a5b9f1e] | 451 | # include system auth, account, and session settings
|
---|
[3e8fb4c] | 452 | auth include system-auth
|
---|
| 453 | account include system-account
|
---|
| 454 | session include system-session
|
---|
[b4b71892] | 455 |
|
---|
[3e8fb4c] | 456 | # Always permit for authentication updates
|
---|
| 457 | password required pam_permit.so
|
---|
[b4b71892] | 458 |
|
---|
[322f172] | 459 | # End /etc/pam.d/chage</literal>
|
---|
| 460 | EOF</userinput></screen>
|
---|
| 461 | </sect4>
|
---|
[b4b71892] | 462 |
|
---|
[322f172] | 463 | <sect4>
|
---|
[265c7da] | 464 | <title>Other common programs</title>
|
---|
| 465 | <!--<title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 'groupdel',
|
---|
[9a3142c] | 466 | 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
|
---|
[265c7da] | 467 | 'usermod'</title>-->
|
---|
[39975e9] | 468 |
|
---|
[bca744f] | 469 | <screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
|
---|
| 470 | groupmems groupmod newusers useradd userdel usermod
|
---|
[4fcf20a5] | 471 | do
|
---|
[9a3142c] | 472 | install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
|
---|
| 473 | sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
|
---|
[322f172] | 474 | done</userinput></screen>
|
---|
| 475 |
|
---|
[f586237] | 476 | <para revision="systemd">Because the installation of
|
---|
| 477 | <application>systemd</application> is not yet complete, you will need
|
---|
| 478 | to remove the <filename>/run/nologin</filename> file before testing the
|
---|
| 479 | installation. Execute the following command as the
|
---|
| 480 | <systemitem class="username">root</systemitem> user:</para>
|
---|
| 481 |
|
---|
| 482 | <screen role="root" revision="systemd"><userinput>rm -f /run/nologin</userinput></screen>
|
---|
| 483 |
|
---|
[7ab715e] | 484 | <note revision="systemd">
|
---|
[8cb62480] | 485 | <para>
|
---|
| 486 | If you are building <application>Shadow</application> with Linux-PAM,
|
---|
[7ab715e] | 487 | you should install <xref linkend="systemd"/> now.
|
---|
| 488 | Or due to the lack of <filename>systemd-user-sessions.service</filename>,
|
---|
| 489 | the <filename>/run/nologin</filename> file will prohibit the unprivileged
|
---|
| 490 | users to login into the system. If that happens you can still login
|
---|
| 491 | as <systemitem class="username">root</systemitem>.
|
---|
[8cb62480] | 492 | </para>
|
---|
[7ab715e] | 493 | </note>
|
---|
[8cb62480] | 494 |
|
---|
[322f172] | 495 | <warning>
|
---|
[9a3142c] | 496 | <para>
|
---|
| 497 | At this point, you should do a simple test to see if
|
---|
| 498 | <application>Shadow</application> is working as expected. Open
|
---|
| 499 | another terminal and log in as a user, then <command>su</command> to
|
---|
| 500 | <systemitem class="username">root</systemitem>. If you do not see
|
---|
| 501 | any errors, then all is well and you should proceed with the rest of
|
---|
| 502 | the configuration. If you did receive errors, stop now and double
|
---|
[e6ae99a] | 503 | check the above configuration files manually. One obvious reason
|
---|
| 504 | for an error is if the user is not in group <systemitem
|
---|
| 505 | class="groupname">wheel</systemitem>. You may want to run (as
|
---|
| 506 | <systemitem class="username">root</systemitem>): <command>usermod
|
---|
| 507 | -a -G wheel <replaceable><user></replaceable></command>.
|
---|
| 508 | Any other error is the sign of an error in the above procedure.
|
---|
| 509 | You can also run the
|
---|
[9a3142c] | 510 | test suite from the <application>Linux-PAM</application> package to
|
---|
| 511 | assist you in determining the problem. If you cannot find and fix
|
---|
| 512 | the error, you should recompile <application>Shadow</application>
|
---|
| 513 | adding the <option>--without-libpam</option> switch to the
|
---|
| 514 | <command>configure</command> command in the above instructions (also
|
---|
| 515 | move the <filename>/etc/login.defs.orig</filename> backup file to
|
---|
| 516 | <filename>/etc/login.defs</filename>). If you fail to do this and
|
---|
| 517 | the errors remain, you will be unable to log into your system.
|
---|
| 518 | </para>
|
---|
[322f172] | 519 | </warning>
|
---|
[349b53dd] | 520 | </sect4>
|
---|
| 521 |
|
---|
[322f172] | 522 | <sect4 id="pam-access">
|
---|
| 523 | <title>Configuring Login Access</title>
|
---|
[4fcf20a5] | 524 |
|
---|
[9a3142c] | 525 | <para>
|
---|
| 526 | Instead of using the <filename>/etc/login.access</filename> file for
|
---|
| 527 | controlling access to the system, <application>Linux-PAM</application>
|
---|
| 528 | uses the <filename class='libraryfile'>pam_access.so</filename> module
|
---|
| 529 | along with the <filename>/etc/security/access.conf</filename> file.
|
---|
| 530 | Rename the <filename>/etc/login.access</filename> file using the
|
---|
| 531 | following command:
|
---|
| 532 | </para>
|
---|
[322f172] | 533 |
|
---|
| 534 | <indexterm zone="shadow pam-access">
|
---|
| 535 | <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
|
---|
| 536 | </indexterm>
|
---|
| 537 |
|
---|
[9a3142c] | 538 | <screen role="root"><userinput>[ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}</userinput></screen>
|
---|
[322f172] | 539 | </sect4>
|
---|
| 540 |
|
---|
| 541 | <sect4 id="pam-limits">
|
---|
| 542 | <title>Configuring Resource Limits</title>
|
---|
| 543 |
|
---|
[9a3142c] | 544 | <para>
|
---|
| 545 | Instead of using the <filename>/etc/limits</filename> file for
|
---|
| 546 | limiting usage of system resources,
|
---|
| 547 | <application>Linux-PAM</application> uses the
|
---|
| 548 | <filename class='libraryfile'>pam_limits.so</filename> module along
|
---|
| 549 | with the <filename>/etc/security/limits.conf</filename> file. Rename
|
---|
| 550 | the <filename>/etc/limits</filename> file using the following command:
|
---|
| 551 | </para>
|
---|
[322f172] | 552 |
|
---|
| 553 | <indexterm zone="shadow pam-limits">
|
---|
| 554 | <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
|
---|
| 555 | </indexterm>
|
---|
| 556 |
|
---|
[9a3142c] | 557 | <screen role="root"><userinput>[ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}</userinput></screen>
|
---|
[74f20a1] | 558 |
|
---|
| 559 | <caution><para>Be sure to test the login capabilities of the system
|
---|
[d4f9cee] | 560 | before logging out. Errors in the configuration can cause a permanent
|
---|
[74f20a1] | 561 | lockout requiring a boot from an external source to correct the
|
---|
| 562 | problem.</para></caution>
|
---|
| 563 |
|
---|
[322f172] | 564 | </sect4>
|
---|
| 565 | </sect3>
|
---|
[74f20a1] | 566 |
|
---|
[322f172] | 567 | </sect2>
|
---|
[f45b1953] | 568 |
|
---|
[322f172] | 569 | <sect2 role="content">
|
---|
| 570 | <title>Contents</title>
|
---|
[17fb537e] | 571 |
|
---|
[9a3142c] | 572 | <para>
|
---|
| 573 | A list of the installed files, along with their short descriptions can be
|
---|
[f586237] | 574 | found at
|
---|
| 575 | <phrase revision="sysv">
|
---|
| 576 | <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/></phrase>
|
---|
| 577 | <phrase revision="systemd">
|
---|
| 578 | <ulink url="&lfs-rootd;/chapter06/shadow.html#contents-shadow"/></phrase>.
|
---|
[9a3142c] | 579 | </para>
|
---|
[c627795] | 580 |
|
---|
[322f172] | 581 | </sect2>
|
---|
[c627795] | 582 |
|
---|
[f45b1953] | 583 | </sect1>
|
---|