[b4b71892] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
[6732c094] | 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
[b4b71892] | 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
[17fb537e] | 6 |
|
---|
[9a3142c] | 7 | <!ENTITY shadow-download-http
|
---|
| 8 | "http://pkg-shadow.alioth.debian.org/releases/shadow-&shadow-version;.tar.bz2 ">
|
---|
[fb89293] | 9 | <!ENTITY shadow-download-ftp " ">
|
---|
[5443006d] | 10 | <!ENTITY shadow-md5sum "d5f7a588fadb79faeb4b08b1eee82e9a">
|
---|
| 11 | <!ENTITY shadow-size "2.1 MB">
|
---|
| 12 | <!ENTITY shadow-buildsize "35 MB">
|
---|
[f4797d2] | 13 | <!ENTITY shadow-time "0.3 SBU">
|
---|
[b4b71892] | 14 | ]>
|
---|
| 15 |
|
---|
[17fb537e] | 16 | <sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
|
---|
[322f172] | 17 | <?dbhtml filename="shadow.html"?>
|
---|
| 18 |
|
---|
| 19 | <sect1info>
|
---|
| 20 | <othername>$LastChangedBy$</othername>
|
---|
| 21 | <date>$Date$</date>
|
---|
| 22 | </sect1info>
|
---|
| 23 |
|
---|
| 24 | <title>Shadow-&shadow-version;</title>
|
---|
| 25 |
|
---|
| 26 | <indexterm zone="shadow">
|
---|
| 27 | <primary sortas="a-Shadow">Shadow</primary>
|
---|
| 28 | </indexterm>
|
---|
| 29 |
|
---|
| 30 | <sect2 role="package">
|
---|
| 31 | <title>Introduction to Shadow</title>
|
---|
| 32 |
|
---|
[9a3142c] | 33 | <para>
|
---|
| 34 | <application>Shadow</application> was indeed installed in LFS and there is
|
---|
| 35 | no reason to reinstall it unless you installed
|
---|
| 36 | <application>CrackLib</application> or
|
---|
| 37 | <application>Linux-PAM</application> after your LFS system was completed.
|
---|
| 38 | If you have installed <application>CrackLib</application> after LFS, then
|
---|
| 39 | reinstalling <application>Shadow</application> will enable strong password
|
---|
| 40 | support. If you have installed <application>Linux-PAM</application>,
|
---|
| 41 | reinstalling <application>Shadow</application> will allow programs such as
|
---|
| 42 | <command>login</command> and <command>su</command> to utilize PAM.
|
---|
| 43 | </para>
|
---|
[322f172] | 44 |
|
---|
[9a3142c] | 45 | &lfs71_checked;
|
---|
[f4797d2] | 46 |
|
---|
[322f172] | 47 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
| 48 | <itemizedlist spacing="compact">
|
---|
| 49 | <listitem>
|
---|
[9a3142c] | 50 | <para>
|
---|
| 51 | Download (HTTP): <ulink url="&shadow-download-http;"/>
|
---|
| 52 | </para>
|
---|
[322f172] | 53 | </listitem>
|
---|
[29d1c248] | 54 | <listitem>
|
---|
[9a3142c] | 55 | <para>
|
---|
| 56 | Download (FTP): <ulink url="&shadow-download-ftp;"/>
|
---|
| 57 | </para>
|
---|
[29d1c248] | 58 | </listitem>
|
---|
[322f172] | 59 | <listitem>
|
---|
[9a3142c] | 60 | <para>
|
---|
| 61 | Download MD5 sum: &shadow-md5sum;
|
---|
| 62 | </para>
|
---|
[322f172] | 63 | </listitem>
|
---|
| 64 | <listitem>
|
---|
[9a3142c] | 65 | <para>
|
---|
| 66 | Download size: &shadow-size;
|
---|
| 67 | </para>
|
---|
[322f172] | 68 | </listitem>
|
---|
| 69 | <listitem>
|
---|
[9a3142c] | 70 | <para>
|
---|
| 71 | Estimated disk space required: &shadow-buildsize;
|
---|
| 72 | </para>
|
---|
[322f172] | 73 | </listitem>
|
---|
| 74 | <listitem>
|
---|
[9a3142c] | 75 | <para>
|
---|
| 76 | Estimated build time: &shadow-time;
|
---|
| 77 | </para>
|
---|
[322f172] | 78 | </listitem>
|
---|
| 79 | </itemizedlist>
|
---|
| 80 |
|
---|
[5443006d] | 81 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
[322f172] | 82 | <itemizedlist spacing='compact'>
|
---|
| 83 | <listitem>
|
---|
[9a3142c] | 84 | <para>
|
---|
| 85 | Required patch: <ulink
|
---|
| 86 | url="http://www.&lfs-domainname;/patches/lfs/development/shadow-&shadow-version;-nscd-1.patch"/>
|
---|
[5443006d] | 87 | </para>
|
---|
[322f172] | 88 | </listitem>
|
---|
[5443006d] | 89 | </itemizedlist>
|
---|
[322f172] | 90 |
|
---|
| 91 | <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
|
---|
| 92 |
|
---|
| 93 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
[9a3142c] | 94 | <para role="required">
|
---|
| 95 | <xref linkend="linux-pam"/> or
|
---|
| 96 | <xref linkend="cracklib"/>
|
---|
| 97 | </para>
|
---|
| 98 |
|
---|
| 99 | <para condition="html" role="usernotes">
|
---|
| 100 | User Notes: <ulink url="&blfs-wiki;/shadow"/>
|
---|
| 101 | </para>
|
---|
[322f172] | 102 | </sect2>
|
---|
| 103 |
|
---|
| 104 | <sect2 role="installation">
|
---|
| 105 | <title>Installation of Shadow</title>
|
---|
| 106 |
|
---|
[c6bdcb0] | 107 | <important>
|
---|
[9a3142c] | 108 | <para>
|
---|
| 109 | The installation commands shown below are for installations where
|
---|
| 110 | <application>Linux-PAM</application> has been installed (with or
|
---|
| 111 | without a <application>CrackLib</application> installation) and
|
---|
| 112 | <application>Shadow</application> is being reinstalled to support the
|
---|
| 113 | <application>Linux-PAM</application> installation.
|
---|
| 114 | </para>
|
---|
| 115 |
|
---|
| 116 | <para>
|
---|
| 117 | If you are reinstalling <application>Shadow</application> to provide
|
---|
| 118 | strong password support using the <application>CrackLib</application>
|
---|
| 119 | library without using <application>Linux-PAM</application>, ensure you
|
---|
| 120 | add the <parameter>--with-libcrack</parameter> parameter to the
|
---|
| 121 | <command>configure</command> script below and also issue the following
|
---|
| 122 | command:
|
---|
| 123 | </para>
|
---|
[bca744f] | 124 |
|
---|
| 125 | <screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
|
---|
[c6bdcb0] | 126 | </important>
|
---|
| 127 |
|
---|
[9a3142c] | 128 | <para>
|
---|
| 129 | Reinstall <application>Shadow</application> by running the following
|
---|
| 130 | commands:
|
---|
| 131 | </para>
|
---|
[322f172] | 132 |
|
---|
[5443006d] | 133 | <screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
|
---|
[bca744f] | 134 | find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
|
---|
[5443006d] | 135 | sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile.in &&
|
---|
[e5b9fc73] | 136 |
|
---|
[9a3142c] | 137 | sed -i '/<stdio.h>/a#include <stdarg.h>' libmisc/copydir.c &&
|
---|
[8f68b03] | 138 |
|
---|
[a9af283] | 139 | sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
|
---|
[5443006d] | 140 | -e 's@/var/spool/mail@/var/mail@' etc/login.defs &&
|
---|
| 141 |
|
---|
| 142 | sed -i -e 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&:/usr/local/sbin:/usr/local/bin@' \
|
---|
| 143 | -e 's@PATH=/bin:/usr/bin@&:/usr/local/bin@' etc/login.defs &&
|
---|
[8f68b03] | 144 |
|
---|
[5443006d] | 145 | patch -Np1 -i ../shadow-&shadow-version;-nscd-1.patch &&
|
---|
| 146 |
|
---|
[9a3142c] | 147 | ./configure --prefix=/usr --sysconfdir=/etc &&
|
---|
[322f172] | 148 | make</userinput></screen>
|
---|
[17fb537e] | 149 |
|
---|
[9a3142c] | 150 | <para>
|
---|
| 151 | This package does not come with a test suite.
|
---|
| 152 | </para>
|
---|
[31f3a57] | 153 |
|
---|
[9a3142c] | 154 | <para>
|
---|
| 155 | Now, as the <systemitem class="username">root</systemitem> user:
|
---|
| 156 | </para>
|
---|
[17fb537e] | 157 |
|
---|
[322f172] | 158 | <screen role="root"><userinput>make install &&
|
---|
[bca744f] | 159 | mv -v /usr/bin/passwd /bin</userinput></screen>
|
---|
[322f172] | 160 | </sect2>
|
---|
[b4b71892] | 161 |
|
---|
[322f172] | 162 | <sect2 role="commands">
|
---|
| 163 | <title>Command Explanations</title>
|
---|
[b4b71892] | 164 |
|
---|
[9a3142c] | 165 | <para>
|
---|
| 166 | <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
|
---|
| 167 | is used to suppress the installation of the <command>groups</command>
|
---|
| 168 | program as the version from the <application>Coreutils</application>
|
---|
| 169 | package installed during LFS is preferred.
|
---|
| 170 | </para>
|
---|
| 171 |
|
---|
| 172 | <para>
|
---|
| 173 | <command>find man -name Makefile.in -exec ... {} \;</command>: This
|
---|
| 174 | command is used to suppress the installation of the
|
---|
| 175 | <command>groups</command> man pages so the existing ones installed from
|
---|
| 176 | the <application>Coreutils</application> package are not replaced.
|
---|
| 177 | </para>
|
---|
| 178 |
|
---|
| 179 | <para>
|
---|
| 180 | <command>sed -i -e '...' -e '...' man/Makefile.in</command>: This command
|
---|
| 181 | disables the installation of Chinese and Korean manual pages, since
|
---|
| 182 | <application>Man-DB</application> cannot format them properly.
|
---|
| 183 | </para>
|
---|
| 184 |
|
---|
| 185 | <para>
|
---|
| 186 | <command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
|
---|
| 187 | 's@/var/spool/mail@/var/mail@' etc/login.defs</command>: Instead of using
|
---|
| 188 | the default 'DES' method, this command modifies the installation to use
|
---|
| 189 | the more secure 'SHA512' method of hashing passwords, which also allows
|
---|
| 190 | passwords longer than eight characters. It also changes the obsolete
|
---|
| 191 | <filename class="directory">/var/spool/mail</filename> location for user
|
---|
| 192 | mailboxes that <application>Shadow</application> uses by default to the
|
---|
| 193 | <filename class="directory">/var/mail</filename> location.
|
---|
| 194 | </para>
|
---|
| 195 |
|
---|
| 196 | <para>
|
---|
| 197 | <command>sed -i -e
|
---|
| 198 | 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&:/usr/local/sbin:/usr/local/bin@'
|
---|
| 199 | -e 's@PATH=/bin:/usr/bin@&:/usr/local/bin@' etc/login.defs</command>:
|
---|
| 200 | This sed expands PATH to
|
---|
| 201 | <filename class="directory">/usr/local/bin</filename> for normal and
|
---|
| 202 | <systemitem class="username">root</systemitem> user and to
|
---|
| 203 | <filename class="directory">/usr/local/sbin</filename> for
|
---|
| 204 | <systemitem class="username">root</systemitem> user only.
|
---|
| 205 | </para>
|
---|
| 206 |
|
---|
| 207 | <para>
|
---|
| 208 | <command>sed -i '/<stdio.h>/a#include <stdarg.h>'
|
---|
| 209 | libmisc/copydir.c</command>: This sed fixes a bug which would make the
|
---|
| 210 | build fail if <xref linkend="acl"/> is installed.
|
---|
| 211 | </para>
|
---|
| 212 |
|
---|
| 213 | <para>
|
---|
| 214 | <command>mv -v /usr/bin/passwd /bin</command>: The
|
---|
| 215 | <command>passwd</command> program may be needed during times when the
|
---|
| 216 | <filename class='directory'>/usr</filename> filesystem is not mounted so
|
---|
| 217 | it is moved into the root partition.
|
---|
| 218 | </para>
|
---|
[322f172] | 219 | </sect2>
|
---|
[b4b71892] | 220 |
|
---|
[e807ae1d] | 221 | <sect2 role="configuration">
|
---|
| 222 | <title>Configuring Shadow</title>
|
---|
| 223 |
|
---|
[9a3142c] | 224 | <para>
|
---|
| 225 | <application>Shadow</application>'s stock configuration for the
|
---|
| 226 | <command>useradd</command> utility may not be desirable for your
|
---|
| 227 | installation. One default parameter causes <command>useradd</command> to
|
---|
| 228 | create a mailbox file for any newly created user.
|
---|
| 229 | <command>useradd</command> will make the group ownership of this file to
|
---|
| 230 | the <systemitem class="groupname">mail</systemitem> group with 0660
|
---|
| 231 | permissions. If you would prefer that these mailbox files are not created
|
---|
| 232 | by <command>useradd</command>, issue the following command as the
|
---|
| 233 | <systemitem class="username">root</systemitem> user:
|
---|
| 234 | </para>
|
---|
[e807ae1d] | 235 |
|
---|
[bca744f] | 236 | <screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
|
---|
[e807ae1d] | 237 | </sect2>
|
---|
| 238 |
|
---|
[322f172] | 239 | <sect2 role="configuration">
|
---|
| 240 | <title>Configuring Linux-PAM to Work with Shadow</title>
|
---|
[b4b71892] | 241 |
|
---|
[8f68b03] | 242 | <note>
|
---|
[9a3142c] | 243 | <para>
|
---|
| 244 | The rest of this page is devoted to configuring
|
---|
| 245 | <application>Shadow</application> to work properly with
|
---|
| 246 | <application>Linux-PAM</application>. If you do not have
|
---|
| 247 | <application>Linux-PAM</application> installed, and you reinstalled
|
---|
| 248 | <application>Shadow</application> to support strong passwords via the
|
---|
| 249 | <application>CrackLib</application> library, no further configuration is
|
---|
| 250 | required.
|
---|
| 251 | </para>
|
---|
[8f68b03] | 252 | </note>
|
---|
| 253 |
|
---|
[322f172] | 254 | <sect3 id="pam.d">
|
---|
| 255 | <title>Config Files</title>
|
---|
[b4b71892] | 256 |
|
---|
[9a3142c] | 257 | <para>
|
---|
| 258 | <filename>/etc/pam.d/*</filename> or alternatively
|
---|
| 259 | <filename>/etc/pam.conf</filename>,
|
---|
| 260 | <filename>/etc/login.defs</filename> and
|
---|
| 261 | <filename>/etc/security/*</filename>
|
---|
| 262 | </para>
|
---|
[b4b71892] | 263 |
|
---|
[322f172] | 264 | <indexterm zone="shadow pam.d">
|
---|
| 265 | <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
|
---|
| 266 | </indexterm>
|
---|
[2197589] | 267 |
|
---|
[322f172] | 268 | <indexterm zone="shadow pam.d">
|
---|
| 269 | <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
|
---|
| 270 | </indexterm>
|
---|
[4fcf20a5] | 271 |
|
---|
[1ba671c] | 272 | <indexterm zone="shadow pam.d">
|
---|
| 273 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
| 274 | </indexterm>
|
---|
| 275 |
|
---|
| 276 | <indexterm zone="shadow pam.d">
|
---|
| 277 | <primary sortas="e-etc-security">/etc/security/*</primary>
|
---|
| 278 | </indexterm>
|
---|
[322f172] | 279 | </sect3>
|
---|
| 280 |
|
---|
| 281 | <sect3>
|
---|
| 282 | <title>Configuration Information</title>
|
---|
| 283 |
|
---|
[9a3142c] | 284 | <para>
|
---|
| 285 | Configuring your system to use <application>Linux-PAM</application> can
|
---|
| 286 | be a complex task. The information below will provide a basic setup so
|
---|
| 287 | that <application>Shadow</application>'s login and password
|
---|
| 288 | functionality will work effectively with
|
---|
| 289 | <application>Linux-PAM</application>. Review the information and links
|
---|
| 290 | on the <xref linkend="linux-pam"/> page for further configuration
|
---|
| 291 | information. For information specific to integrating
|
---|
| 292 | <application>Shadow</application>, <application>Linux-PAM</application>
|
---|
| 293 | and <application>CrackLib</application>, you can visit the following
|
---|
| 294 | link:
|
---|
| 295 | </para>
|
---|
[8f68b03] | 296 |
|
---|
| 297 | <itemizedlist spacing="compact">
|
---|
[9a3142c] | 298 | <listitem>
|
---|
| 299 | <para>
|
---|
| 300 | <ulink url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/>
|
---|
| 301 | </para>
|
---|
| 302 | </listitem>
|
---|
[8f68b03] | 303 | </itemizedlist>
|
---|
| 304 |
|
---|
[1ba671c] | 305 | <sect4 id="pam-login-defs">
|
---|
| 306 | <title>Configuring /etc/login.defs</title>
|
---|
| 307 |
|
---|
[9a3142c] | 308 | <para>
|
---|
| 309 | The <command>login</command> program currently performs many functions
|
---|
| 310 | which <application>Linux-PAM</application> modules should now handle.
|
---|
| 311 | The following <command>sed</command> command will comment out the
|
---|
| 312 | appropriate lines in <filename>/etc/login.defs</filename>, and stop
|
---|
| 313 | <command>login</command> from performing these functions (a backup
|
---|
| 314 | file named <filename>/etc/login.defs.orig</filename> is also created
|
---|
| 315 | to preserve the original file's contents). Issue the following
|
---|
| 316 | commands as the <systemitem class="username">root</systemitem> user:
|
---|
| 317 | </para>
|
---|
[1ba671c] | 318 |
|
---|
| 319 | <indexterm zone="shadow pam-login-defs">
|
---|
| 320 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
| 321 | </indexterm>
|
---|
| 322 |
|
---|
| 323 | <screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &&
|
---|
[5443006d] | 324 | for FUNCTION in FAIL_DELAY LASTLOG_ENAB \
|
---|
[7d1d69e1] | 325 | FAILLOG_ENAB QUOTAS_ENAB \
|
---|
| 326 | FTMP_FILE PASS_MIN_LEN \
|
---|
[5443006d] | 327 | MAIL_CHECK_ENAB \
|
---|
| 328 | OBSCURE_CHECKS_ENAB \
|
---|
| 329 | PORTTIME_CHECKS_ENAB \
|
---|
| 330 | CONSOLE MOTD_FILE \
|
---|
| 331 | NOLOGINS_FILE ENV_HZ \
|
---|
| 332 | SU_WHEEL_ONLY \
|
---|
| 333 | CRACKLIB_DICTPATH \
|
---|
| 334 | SYS_UID_MIN SYS_UID_MAX \
|
---|
| 335 | SYS_GID_MIN SYS_GID_MAX \
|
---|
| 336 | PASS_CHANGE_TRIES \
|
---|
| 337 | PASS_ALWAYS_WARN \
|
---|
| 338 | CHFN_AUTH ENVIRON_FILE
|
---|
[1ba671c] | 339 | do
|
---|
[9a3142c] | 340 | sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
|
---|
[1ba671c] | 341 | done</userinput></screen>
|
---|
| 342 | </sect4>
|
---|
| 343 |
|
---|
| 344 | <sect4>
|
---|
| 345 | <title>Configuring the /etc/pam.d/ Files</title>
|
---|
| 346 |
|
---|
[9a3142c] | 347 | <para>
|
---|
| 348 | As mentioned previously in the <application>Linux-PAM</application>
|
---|
| 349 | instructions, <application>Linux-PAM</application> has two supported
|
---|
| 350 | methods for configuration. The commands below assume that you've
|
---|
| 351 | chosen to use a directory based configuration, where each program has
|
---|
| 352 | its own configuration file. You can optionally use a single
|
---|
| 353 | <filename>/etc/pam.conf</filename> configuration file by using the
|
---|
| 354 | text from the files below, and supplying the program name as an
|
---|
| 355 | additional first field for each line.
|
---|
| 356 | </para>
|
---|
[1ba671c] | 357 |
|
---|
[9a3142c] | 358 | <para>
|
---|
| 359 | As the <systemitem class="username">root</systemitem> user, replace
|
---|
| 360 | the following <application>Linux-PAM</application> configuration files
|
---|
| 361 | in the <filename class="directory">/etc/pam.d/</filename> directory
|
---|
| 362 | (or add the contents to the <filename>/etc/pam.conf</filename> file)
|
---|
| 363 | using the following commands:
|
---|
| 364 | </para>
|
---|
[1ba671c] | 365 | </sect4>
|
---|
[322f172] | 366 |
|
---|
| 367 | <sect4>
|
---|
[3e8fb4c] | 368 | <title>'system-account'</title>
|
---|
[322f172] | 369 |
|
---|
[3e8fb4c] | 370 | <screen role="root"><userinput>cat > /etc/pam.d/system-account << "EOF"
|
---|
| 371 | <literal># Begin /etc/pam.d/system-account
|
---|
[4fcf20a5] | 372 |
|
---|
[3e8fb4c] | 373 | account required pam_unix.so
|
---|
[4fcf20a5] | 374 |
|
---|
[3e8fb4c] | 375 | # End /etc/pam.d/system-account</literal>
|
---|
[322f172] | 376 | EOF</userinput></screen>
|
---|
| 377 | </sect4>
|
---|
[4fcf20a5] | 378 |
|
---|
[322f172] | 379 | <sect4>
|
---|
[3e8fb4c] | 380 | <title>'system-auth'</title>
|
---|
[4fcf20a5] | 381 |
|
---|
[3e8fb4c] | 382 | <screen role="root"><userinput>cat > /etc/pam.d/system-auth << "EOF"
|
---|
| 383 | <literal># Begin /etc/pam.d/system-auth
|
---|
[b4b71892] | 384 |
|
---|
[3e8fb4c] | 385 | auth required pam_unix.so
|
---|
[b4b71892] | 386 |
|
---|
[3e8fb4c] | 387 | # End /etc/pam.d/system-auth</literal>
|
---|
[322f172] | 388 | EOF</userinput></screen>
|
---|
| 389 | </sect4>
|
---|
[4fcf20a5] | 390 |
|
---|
[322f172] | 391 | <sect4>
|
---|
[3e8fb4c] | 392 | <title>'system-passwd' (with cracklib)</title>
|
---|
| 393 |
|
---|
| 394 | <screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF"
|
---|
| 395 | <literal># Begin /etc/pam.d/system-password
|
---|
| 396 |
|
---|
| 397 | # check new passwords for strength (man pam_cracklib)
|
---|
| 398 | password required pam_cracklib.so type=Linux retry=3 difok=5 \
|
---|
| 399 | difignore=23 minlen=9 dcredit=1 \
|
---|
| 400 | ucredit=1 lcredit=1 ocredit=1 \
|
---|
| 401 | dictpath=/lib/cracklib/pw_dict
|
---|
| 402 | # use sha512 hash for encryption, use shadow, and use the
|
---|
| 403 | # authentication token (chosen password) set by pam_cracklib
|
---|
| 404 | # above (or any previous modules)
|
---|
| 405 | password required pam_unix.so sha512 shadow use_authtok
|
---|
| 406 |
|
---|
| 407 | # End /etc/pam.d/system-password</literal>
|
---|
[322f172] | 408 | EOF</userinput></screen>
|
---|
| 409 |
|
---|
[9a3142c] | 410 | <note>
|
---|
| 411 | <para>
|
---|
| 412 | In its default configuration, owing to credits, pam_cracklib will
|
---|
| 413 | allow multiple case passwords as short as 6 characters, even with
|
---|
| 414 | the <parameter>minlen</parameter> value set to 11. You should review
|
---|
| 415 | the pam_cracklib(8) man page and determine if these default values
|
---|
| 416 | are acceptable for the security of your system.
|
---|
| 417 | </para>
|
---|
| 418 | </note>
|
---|
[322f172] | 419 | </sect4>
|
---|
[3e8fb4c] | 420 |
|
---|
| 421 | <sect4>
|
---|
| 422 | <title>'system-passwd' (without cracklib)</title>
|
---|
| 423 |
|
---|
| 424 | <screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF"
|
---|
| 425 | <literal># Begin /etc/pam.d/system-password
|
---|
| 426 |
|
---|
[a6bd736] | 427 | # use sha512 hash for encryption, use shadow, and try to use any previously
|
---|
[3e8fb4c] | 428 | # defined authentication token (chosen password) set by any prior module
|
---|
| 429 | password required pam_unix.so sha512 shadow try_first_pass
|
---|
| 430 |
|
---|
| 431 | # End /etc/pam.d/system-password</literal>
|
---|
| 432 | EOF</userinput></screen>
|
---|
| 433 | </sect4>
|
---|
| 434 |
|
---|
| 435 | <sect4>
|
---|
| 436 | <title>'system-session'</title>
|
---|
| 437 |
|
---|
| 438 | <screen role="root"><userinput>cat > /etc/pam.d/system-session << "EOF"
|
---|
| 439 | <literal># Begin /etc/pam.d/system-session
|
---|
| 440 |
|
---|
| 441 | session required pam_unix.so
|
---|
| 442 |
|
---|
| 443 | # End /etc/pam.d/system-session</literal>
|
---|
| 444 | EOF</userinput></screen>
|
---|
| 445 | </sect4>
|
---|
[b4b71892] | 446 |
|
---|
[322f172] | 447 | <sect4>
|
---|
[3e8fb4c] | 448 | <title>'login'</title>
|
---|
| 449 |
|
---|
| 450 | <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
---|
| 451 | <literal># Begin /etc/pam.d/login
|
---|
| 452 |
|
---|
| 453 | # Set failure delay before next prompt to 3 seconds
|
---|
| 454 | auth optional pam_faildelay.so delay=3000000
|
---|
| 455 |
|
---|
| 456 | # Check to make sure that the user is allowed to login
|
---|
| 457 | auth requisite pam_nologin.so
|
---|
| 458 |
|
---|
[d265d4c] | 459 | # Check to make sure that root is allowed to login
|
---|
| 460 | # Disabled by default. You will need to create /etc/securetty
|
---|
| 461 | # file for this module to function. See man 5 securetty.
|
---|
| 462 | #auth required pam_securetty.so
|
---|
[3e8fb4c] | 463 |
|
---|
| 464 | # Additional group memberships - disabled by default
|
---|
| 465 | #auth optional pam_group.so
|
---|
| 466 |
|
---|
| 467 | # include the default auth settings
|
---|
| 468 | auth include system-auth
|
---|
| 469 |
|
---|
| 470 | # check access for the user
|
---|
| 471 | account required pam_access.so
|
---|
| 472 |
|
---|
| 473 | # include the default account settings
|
---|
| 474 | account include system-account
|
---|
| 475 |
|
---|
| 476 | # Set default environment variables for the user
|
---|
| 477 | session required pam_env.so
|
---|
| 478 |
|
---|
| 479 | # Set resource limits for the user
|
---|
| 480 | session required pam_limits.so
|
---|
| 481 |
|
---|
| 482 | # Display date of last login - Disabled by default
|
---|
| 483 | #session optional pam_lastlog.so
|
---|
| 484 |
|
---|
| 485 | # Display the message of the day - Disabled by default
|
---|
| 486 | #session optional pam_motd.so
|
---|
| 487 |
|
---|
| 488 | # Check user's mail - Disabled by default
|
---|
| 489 | #session optional pam_mail.so standard quiet
|
---|
| 490 |
|
---|
| 491 | # include the default session and password settings
|
---|
| 492 | session include system-session
|
---|
| 493 | password include system-password
|
---|
| 494 |
|
---|
| 495 | # End /etc/pam.d/login</literal>
|
---|
| 496 | EOF</userinput></screen>
|
---|
| 497 | </sect4>
|
---|
| 498 |
|
---|
| 499 | <sect4>
|
---|
| 500 | <title>'passwd'</title>
|
---|
[4fcf20a5] | 501 |
|
---|
[322f172] | 502 | <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
---|
| 503 | <literal># Begin /etc/pam.d/passwd
|
---|
[4fcf20a5] | 504 |
|
---|
[3e8fb4c] | 505 | password include system-password
|
---|
[b4b71892] | 506 |
|
---|
[322f172] | 507 | # End /etc/pam.d/passwd</literal>
|
---|
| 508 | EOF</userinput></screen>
|
---|
| 509 | </sect4>
|
---|
[4fcf20a5] | 510 |
|
---|
[322f172] | 511 | <sect4>
|
---|
| 512 | <title>'su'</title>
|
---|
[4fcf20a5] | 513 |
|
---|
[322f172] | 514 | <screen role="root"><userinput>cat > /etc/pam.d/su << "EOF"
|
---|
| 515 | <literal># Begin /etc/pam.d/su
|
---|
[b4b71892] | 516 |
|
---|
[3e8fb4c] | 517 | # always allow root
|
---|
| 518 | auth sufficient pam_rootok.so
|
---|
[55e18620] | 519 | auth include system-auth
|
---|
[3e8fb4c] | 520 |
|
---|
| 521 | # include the default account settings
|
---|
| 522 | account include system-account
|
---|
| 523 |
|
---|
| 524 | # Set default environment variables for the service user
|
---|
| 525 | session required pam_env.so
|
---|
| 526 |
|
---|
| 527 | # include system session defaults
|
---|
| 528 | session include system-session
|
---|
[b4b71892] | 529 |
|
---|
[322f172] | 530 | # End /etc/pam.d/su</literal>
|
---|
| 531 | EOF</userinput></screen>
|
---|
| 532 | </sect4>
|
---|
[b4b71892] | 533 |
|
---|
[322f172] | 534 | <sect4>
|
---|
| 535 | <title>'chage'</title>
|
---|
| 536 |
|
---|
| 537 | <screen role="root"><userinput>cat > /etc/pam.d/chage << "EOF"
|
---|
[3e8fb4c] | 538 | <literal>#Begin /etc/pam.d/chage
|
---|
| 539 |
|
---|
| 540 | # always allow root
|
---|
| 541 | auth sufficient pam_rootok.so
|
---|
| 542 |
|
---|
| 543 | # include system defaults for auth account and session
|
---|
| 544 | auth include system-auth
|
---|
| 545 | account include system-account
|
---|
| 546 | session include system-session
|
---|
[b4b71892] | 547 |
|
---|
[3e8fb4c] | 548 | # Always permit for authentication updates
|
---|
| 549 | password required pam_permit.so
|
---|
[b4b71892] | 550 |
|
---|
[322f172] | 551 | # End /etc/pam.d/chage</literal>
|
---|
| 552 | EOF</userinput></screen>
|
---|
| 553 | </sect4>
|
---|
[b4b71892] | 554 |
|
---|
[322f172] | 555 | <sect4>
|
---|
[9a3142c] | 556 | <title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 'groupdel',
|
---|
| 557 | 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
|
---|
| 558 | 'usermod'</title>
|
---|
[39975e9] | 559 |
|
---|
[bca744f] | 560 | <screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
|
---|
| 561 | groupmems groupmod newusers useradd userdel usermod
|
---|
[4fcf20a5] | 562 | do
|
---|
[9a3142c] | 563 | install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
|
---|
| 564 | sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
|
---|
[322f172] | 565 | done</userinput></screen>
|
---|
| 566 |
|
---|
| 567 | <warning>
|
---|
[9a3142c] | 568 | <para>
|
---|
| 569 | At this point, you should do a simple test to see if
|
---|
| 570 | <application>Shadow</application> is working as expected. Open
|
---|
| 571 | another terminal and log in as a user, then <command>su</command> to
|
---|
| 572 | <systemitem class="username">root</systemitem>. If you do not see
|
---|
| 573 | any errors, then all is well and you should proceed with the rest of
|
---|
| 574 | the configuration. If you did receive errors, stop now and double
|
---|
| 575 | check the above configuration files manually. You can also run the
|
---|
| 576 | test suite from the <application>Linux-PAM</application> package to
|
---|
| 577 | assist you in determining the problem. If you cannot find and fix
|
---|
| 578 | the error, you should recompile <application>Shadow</application>
|
---|
| 579 | adding the <option>--without-libpam</option> switch to the
|
---|
| 580 | <command>configure</command> command in the above instructions (also
|
---|
| 581 | move the <filename>/etc/login.defs.orig</filename> backup file to
|
---|
| 582 | <filename>/etc/login.defs</filename>). If you fail to do this and
|
---|
| 583 | the errors remain, you will be unable to log into your system.
|
---|
| 584 | </para>
|
---|
[322f172] | 585 | </warning>
|
---|
[349b53dd] | 586 | </sect4>
|
---|
| 587 |
|
---|
| 588 | <sect4>
|
---|
| 589 | <title>Other</title>
|
---|
| 590 |
|
---|
[9a3142c] | 591 | <para>
|
---|
| 592 | Currently, <filename>/etc/pam.d/other</filename> is configured to
|
---|
| 593 | allow anyone with an account on the machine to use PAM-aware programs
|
---|
| 594 | without a configuration file for that program. After testing
|
---|
| 595 | <application>Linux-PAM</application> for proper configuration, install
|
---|
| 596 | a more restrictive <filename>other</filename> file so that
|
---|
| 597 | program-specific configuration files are required:
|
---|
| 598 | </para>
|
---|
[322f172] | 599 |
|
---|
| 600 | <screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
|
---|
| 601 | <literal># Begin /etc/pam.d/other
|
---|
[b4b71892] | 602 |
|
---|
| 603 | auth required pam_warn.so
|
---|
[3e8fb4c] | 604 | auth required pam_deny.so
|
---|
[bca744f] | 605 | account required pam_warn.so
|
---|
[3e8fb4c] | 606 | account required pam_deny.so
|
---|
[b4b71892] | 607 | password required pam_warn.so
|
---|
[3e8fb4c] | 608 | password required pam_deny.so
|
---|
[bca744f] | 609 | session required pam_warn.so
|
---|
[3e8fb4c] | 610 | session required pam_deny.so
|
---|
[b4b71892] | 611 |
|
---|
[322f172] | 612 | # End /etc/pam.d/other</literal>
|
---|
| 613 | EOF</userinput></screen>
|
---|
| 614 | </sect4>
|
---|
[4fcf20a5] | 615 |
|
---|
[322f172] | 616 | <sect4 id="pam-access">
|
---|
| 617 | <title>Configuring Login Access</title>
|
---|
[4fcf20a5] | 618 |
|
---|
[9a3142c] | 619 | <para>
|
---|
| 620 | Instead of using the <filename>/etc/login.access</filename> file for
|
---|
| 621 | controlling access to the system, <application>Linux-PAM</application>
|
---|
| 622 | uses the <filename class='libraryfile'>pam_access.so</filename> module
|
---|
| 623 | along with the <filename>/etc/security/access.conf</filename> file.
|
---|
| 624 | Rename the <filename>/etc/login.access</filename> file using the
|
---|
| 625 | following command:
|
---|
| 626 | </para>
|
---|
[322f172] | 627 |
|
---|
| 628 | <indexterm zone="shadow pam-access">
|
---|
| 629 | <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
|
---|
| 630 | </indexterm>
|
---|
| 631 |
|
---|
[9a3142c] | 632 | <screen role="root"><userinput>[ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}</userinput></screen>
|
---|
[322f172] | 633 | </sect4>
|
---|
| 634 |
|
---|
| 635 | <sect4 id="pam-limits">
|
---|
| 636 | <title>Configuring Resource Limits</title>
|
---|
| 637 |
|
---|
[9a3142c] | 638 | <para>
|
---|
| 639 | Instead of using the <filename>/etc/limits</filename> file for
|
---|
| 640 | limiting usage of system resources,
|
---|
| 641 | <application>Linux-PAM</application> uses the
|
---|
| 642 | <filename class='libraryfile'>pam_limits.so</filename> module along
|
---|
| 643 | with the <filename>/etc/security/limits.conf</filename> file. Rename
|
---|
| 644 | the <filename>/etc/limits</filename> file using the following command:
|
---|
| 645 | </para>
|
---|
[322f172] | 646 |
|
---|
| 647 | <indexterm zone="shadow pam-limits">
|
---|
| 648 | <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
|
---|
| 649 | </indexterm>
|
---|
| 650 |
|
---|
[9a3142c] | 651 | <screen role="root"><userinput>[ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}</userinput></screen>
|
---|
[322f172] | 652 | </sect4>
|
---|
| 653 | </sect3>
|
---|
| 654 | </sect2>
|
---|
[f45b1953] | 655 |
|
---|
[322f172] | 656 | <sect2 role="content">
|
---|
| 657 | <title>Contents</title>
|
---|
[17fb537e] | 658 |
|
---|
[9a3142c] | 659 | <para>
|
---|
| 660 | A list of the installed files, along with their short descriptions can be
|
---|
| 661 | found at <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.
|
---|
| 662 | </para>
|
---|
[322f172] | 663 | </sect2>
|
---|
[f45b1953] | 664 | </sect1>
|
---|