[b4b71892] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
[6732c094] | 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
[b4b71892] | 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
[17fb537e] | 6 |
|
---|
[bca744f] | 7 | <!ENTITY shadow-download-http " ">
|
---|
| 8 | <!ENTITY shadow-download-ftp "ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-&shadow-version;.tar.bz2">
|
---|
[f4797d2] | 9 | <!ENTITY shadow-md5sum "d593a9cab93c48ee0a6ba056db8c1997">
|
---|
| 10 | <!ENTITY shadow-size "1.8 MB">
|
---|
| 11 | <!ENTITY shadow-buildsize "30 MB">
|
---|
| 12 | <!ENTITY shadow-time "0.3 SBU">
|
---|
[b4b71892] | 13 | ]>
|
---|
| 14 |
|
---|
[17fb537e] | 15 | <sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
|
---|
[322f172] | 16 | <?dbhtml filename="shadow.html"?>
|
---|
| 17 |
|
---|
| 18 | <sect1info>
|
---|
| 19 | <othername>$LastChangedBy$</othername>
|
---|
| 20 | <date>$Date$</date>
|
---|
| 21 | </sect1info>
|
---|
| 22 |
|
---|
| 23 | <title>Shadow-&shadow-version;</title>
|
---|
| 24 |
|
---|
| 25 | <indexterm zone="shadow">
|
---|
| 26 | <primary sortas="a-Shadow">Shadow</primary>
|
---|
| 27 | </indexterm>
|
---|
| 28 |
|
---|
| 29 | <sect2 role="package">
|
---|
| 30 | <title>Introduction to Shadow</title>
|
---|
| 31 |
|
---|
| 32 | <para><application>Shadow</application> was indeed installed in LFS and
|
---|
| 33 | there is no reason to reinstall it unless you installed
|
---|
[c6bdcb0] | 34 | <application>CrackLib</application> or
|
---|
| 35 | <application>Linux-PAM</application> after your LFS system was completed.
|
---|
| 36 | If you have installed <application>CrackLib</application> after LFS, then
|
---|
| 37 | reinstalling <application>Shadow</application> will enable strong password
|
---|
| 38 | support. If you have installed <application>Linux-PAM</application>,
|
---|
| 39 | reinstalling <application>Shadow</application> will allow programs such as
|
---|
[d8684cbc] | 40 | <command>login</command> and <command>su</command> to utilize PAM.</para>
|
---|
[322f172] | 41 |
|
---|
[a8d3d55a] | 42 | &lfs67_checked;
|
---|
[f4797d2] | 43 |
|
---|
[322f172] | 44 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
| 45 | <itemizedlist spacing="compact">
|
---|
| 46 | <listitem>
|
---|
| 47 | <para>Download (HTTP): <ulink url="&shadow-download-http;"/></para>
|
---|
| 48 | </listitem>
|
---|
| 49 | <listitem>
|
---|
| 50 | <para>Download (FTP): <ulink url="&shadow-download-ftp;"/></para>
|
---|
| 51 | </listitem>
|
---|
| 52 | <listitem>
|
---|
| 53 | <para>Download MD5 sum: &shadow-md5sum;</para>
|
---|
| 54 | </listitem>
|
---|
| 55 | <listitem>
|
---|
| 56 | <para>Download size: &shadow-size;</para>
|
---|
| 57 | </listitem>
|
---|
| 58 | <listitem>
|
---|
| 59 | <para>Estimated disk space required: &shadow-buildsize;</para>
|
---|
| 60 | </listitem>
|
---|
| 61 | <listitem>
|
---|
| 62 | <para>Estimated build time: &shadow-time;</para>
|
---|
| 63 | </listitem>
|
---|
| 64 | </itemizedlist>
|
---|
| 65 |
|
---|
[bca744f] | 66 | <!-- <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
[322f172] | 67 | <itemizedlist spacing='compact'>
|
---|
| 68 | <listitem>
|
---|
[d8684cbc] | 69 | <para>Required patch: <ulink
|
---|
[e807ae1d] | 70 | url="&patch-root;/shadow-&shadow-version;-useradd_fix-2.patch"/></para>
|
---|
[322f172] | 71 | </listitem>
|
---|
[bca744f] | 72 | </itemizedlist> -->
|
---|
[322f172] | 73 |
|
---|
| 74 | <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
|
---|
| 75 |
|
---|
| 76 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
[c6bdcb0] | 77 | <para role="required"><xref linkend="linux-pam"/> and/or
|
---|
| 78 | <xref linkend="cracklib"/></para>
|
---|
[322f172] | 79 |
|
---|
[3597eb6] | 80 | <para condition="html" role="usernotes">User Notes:
|
---|
| 81 | <ulink url="&blfs-wiki;/shadow"/></para>
|
---|
| 82 |
|
---|
[322f172] | 83 | </sect2>
|
---|
| 84 |
|
---|
| 85 | <sect2 role="installation">
|
---|
| 86 | <title>Installation of Shadow</title>
|
---|
| 87 |
|
---|
[c6bdcb0] | 88 | <important>
|
---|
[bca744f] | 89 | <para>The installation commands shown below are for installations where
|
---|
[c6bdcb0] | 90 | <application>Linux-PAM</application> has been installed (with or
|
---|
| 91 | without a <application>CrackLib</application> installation) and
|
---|
| 92 | <application>Shadow</application> is being reinstalled to support the
|
---|
[bca744f] | 93 | <application>Linux-PAM</application> installation.</para>
|
---|
| 94 |
|
---|
| 95 | <para> If you are reinstalling <application>Shadow</application> to
|
---|
| 96 | provide strong password support using the
|
---|
| 97 | <application>CrackLib</application> library without using
|
---|
| 98 | <application>Linux-PAM</application>, ensure you add the
|
---|
| 99 | <parameter>--with-libcrack</parameter> parameter to the
|
---|
| 100 | <command>configure</command> script below and also issue the following
|
---|
| 101 | command:</para>
|
---|
| 102 |
|
---|
| 103 | <screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
|
---|
[c6bdcb0] | 104 | </important>
|
---|
| 105 |
|
---|
[322f172] | 106 | <para>Reinstall <application>Shadow</application> by running the following
|
---|
| 107 | commands:</para>
|
---|
| 108 |
|
---|
[bca744f] | 109 | <screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
|
---|
| 110 | find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
|
---|
| 111 | sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile.in &&
|
---|
[8f68b03] | 112 |
|
---|
[bca744f] | 113 | sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD MD5@' \
|
---|
| 114 | -e 's@/var/spool/mail@/var/mail@' etc/login.defs &&
|
---|
[8f68b03] | 115 |
|
---|
[bca744f] | 116 | ./configure --sysconfdir=/etc &&
|
---|
[322f172] | 117 | make</userinput></screen>
|
---|
[17fb537e] | 118 |
|
---|
[31f3a57] | 119 | <para>This package does not come with a test suite.</para>
|
---|
| 120 |
|
---|
[322f172] | 121 | <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
|
---|
[17fb537e] | 122 |
|
---|
[322f172] | 123 | <screen role="root"><userinput>make install &&
|
---|
[bca744f] | 124 | mv -v /usr/bin/passwd /bin</userinput></screen>
|
---|
[b4b71892] | 125 |
|
---|
[322f172] | 126 | </sect2>
|
---|
[b4b71892] | 127 |
|
---|
[322f172] | 128 | <sect2 role="commands">
|
---|
| 129 | <title>Command Explanations</title>
|
---|
[b4b71892] | 130 |
|
---|
[bca744f] | 131 | <para><command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>:
|
---|
| 132 | This command is used to suppress the installation of the
|
---|
[8f68b03] | 133 | <command>groups</command> program as the version from the
|
---|
| 134 | <application>Coreutils</application> package installed during LFS is
|
---|
| 135 | preferred.</para>
|
---|
| 136 |
|
---|
[bca744f] | 137 | <para><command>find man -name Makefile.in -exec ... {} \;</command>: This
|
---|
[8f68b03] | 138 | command is used to suppress the installation of the
|
---|
| 139 | <command>groups</command> man pages so the existing ones installed from
|
---|
| 140 | the <application>Coreutils</application> package are not replaced.</para>
|
---|
| 141 |
|
---|
[bca744f] | 142 | <para><command>sed -i -e '...' -e '...' man/Makefile.in</command>: This
|
---|
[8f68b03] | 143 | command disables the installation of Chinese and Korean manual pages, since
|
---|
| 144 | <application>Man-DB</application> cannot format them properly.</para>
|
---|
| 145 |
|
---|
[bca744f] | 146 | <para><command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD MD5@'
|
---|
| 147 | -e 's@/var/spool/mail@/var/mail@' etc/login.defs</command>:
|
---|
| 148 | Instead of using the default 'crypt' method, this command modifies the
|
---|
| 149 | installation to use the more secure 'MD5' method of password encryption,
|
---|
| 150 | which also allows passwords longer than eight characters. It also changes
|
---|
| 151 | the obsolete <filename class="directory">/var/spool/mail</filename>
|
---|
| 152 | location for user mailboxes that <application>Shadow</application> uses by
|
---|
| 153 | default to the <filename class="directory">/var/mail</filename>
|
---|
| 154 | location.</para>
|
---|
| 155 |
|
---|
[8f68b03] | 156 | <para><command>mv -v /usr/bin/passwd /bin</command>: The
|
---|
| 157 | <command>passwd</command> program may be needed during times when the
|
---|
| 158 | <filename class='directory'>/usr</filename> filesystem is not mounted so
|
---|
| 159 | it is moved into the root partition.</para>
|
---|
| 160 |
|
---|
[322f172] | 161 | </sect2>
|
---|
[b4b71892] | 162 |
|
---|
[e807ae1d] | 163 | <sect2 role="configuration">
|
---|
| 164 | <title>Configuring Shadow</title>
|
---|
| 165 |
|
---|
| 166 | <para><application>Shadow</application>'s stock configuration for the
|
---|
[8c9e2f6e] | 167 | <command>useradd</command> utility may not be desirable for your
|
---|
[bca744f] | 168 | installation. One default parameter causes <command>useradd</command> to
|
---|
| 169 | create a mailbox file for any newly created user.
|
---|
| 170 | <command>useradd</command> will make the group ownership of this file to
|
---|
| 171 | the <systemitem class="groupname">mail</systemitem> group with 0660
|
---|
| 172 | permissions. If you would prefer that these mailbox files are not created
|
---|
| 173 | by <command>useradd</command>, issue the
|
---|
| 174 | following command as the <systemitem class="username">root</systemitem> user:</para>
|
---|
[e807ae1d] | 175 |
|
---|
[bca744f] | 176 | <screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
|
---|
[e807ae1d] | 177 |
|
---|
| 178 | </sect2>
|
---|
| 179 |
|
---|
[322f172] | 180 | <sect2 role="configuration">
|
---|
| 181 | <title>Configuring Linux-PAM to Work with Shadow</title>
|
---|
[b4b71892] | 182 |
|
---|
[8f68b03] | 183 | <note>
|
---|
[eb2eccc] | 184 | <para>The rest of this page is devoted to configuring
|
---|
[8f68b03] | 185 | <application>Shadow</application> to work properly with
|
---|
| 186 | <application>Linux-PAM</application>. If you do not have
|
---|
| 187 | <application>Linux-PAM</application> installed, and you reinstalled
|
---|
| 188 | <application>Shadow</application> to support strong passwords via
|
---|
| 189 | the <application>CrackLib</application> library, no further configuration
|
---|
| 190 | is required.</para>
|
---|
| 191 | </note>
|
---|
| 192 |
|
---|
[322f172] | 193 | <sect3 id="pam.d">
|
---|
| 194 | <title>Config Files</title>
|
---|
[b4b71892] | 195 |
|
---|
[1ba671c] | 196 | <para><filename>/etc/pam.d/*</filename> or alternatively
|
---|
[bca744f] | 197 | <filename>/etc/pam.conf, /etc/login.defs, and
|
---|
[1ba671c] | 198 | /etc/security/*</filename></para>
|
---|
[b4b71892] | 199 |
|
---|
[322f172] | 200 | <indexterm zone="shadow pam.d">
|
---|
| 201 | <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
|
---|
| 202 | </indexterm>
|
---|
[2197589] | 203 |
|
---|
[322f172] | 204 | <indexterm zone="shadow pam.d">
|
---|
| 205 | <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
|
---|
| 206 | </indexterm>
|
---|
[4fcf20a5] | 207 |
|
---|
[1ba671c] | 208 | <indexterm zone="shadow pam.d">
|
---|
| 209 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
| 210 | </indexterm>
|
---|
| 211 |
|
---|
| 212 | <indexterm zone="shadow pam.d">
|
---|
| 213 | <primary sortas="e-etc-security">/etc/security/*</primary>
|
---|
| 214 | </indexterm>
|
---|
| 215 |
|
---|
[322f172] | 216 | </sect3>
|
---|
| 217 |
|
---|
| 218 | <sect3>
|
---|
| 219 | <title>Configuration Information</title>
|
---|
| 220 |
|
---|
[8f68b03] | 221 | <para>Configuring your system to use <application>Linux-PAM</application>
|
---|
| 222 | can be a complex task. The information below will provide a basic setup
|
---|
| 223 | so that <application>Shadow</application>'s login and password
|
---|
| 224 | functionality will work effectively with
|
---|
| 225 | <application>Linux-PAM</application>. Review the information and links on
|
---|
| 226 | the <xref linkend="linux-pam"/> page for further configuration
|
---|
| 227 | information. For information specific to integrating
|
---|
| 228 | <application>Shadow</application>, <application>Linux-PAM</application>
|
---|
| 229 | and <application>CrackLib</application>, you can visit the following
|
---|
| 230 | links:</para>
|
---|
| 231 |
|
---|
| 232 | <itemizedlist spacing="compact">
|
---|
| 233 | <listitem>
|
---|
| 234 | <para><ulink
|
---|
[3e8fb4c] | 235 | url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html"/></para>
|
---|
[8f68b03] | 236 | </listitem>
|
---|
| 237 | <listitem>
|
---|
| 238 | <para><ulink
|
---|
| 239 | url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/></para>
|
---|
| 240 | </listitem>
|
---|
| 241 | </itemizedlist>
|
---|
| 242 |
|
---|
[1ba671c] | 243 | <sect4 id="pam-login-defs">
|
---|
| 244 | <title>Configuring /etc/login.defs</title>
|
---|
| 245 |
|
---|
| 246 | <para>The <command>login</command> program currently performs many
|
---|
| 247 | functions which <application>Linux-PAM</application> modules should
|
---|
| 248 | now handle. The following <command>sed</command> command will comment
|
---|
| 249 | out the appropriate lines in <filename>/etc/login.defs</filename>, and
|
---|
| 250 | stop <command>login</command> from performing these functions (a backup
|
---|
| 251 | file named <filename>/etc/login.defs.orig</filename> is also created
|
---|
[d8684cbc] | 252 | to preserve the original file's contents). Issue the following commands
|
---|
| 253 | as the <systemitem class="username">root</systemitem> user:</para>
|
---|
[1ba671c] | 254 |
|
---|
| 255 | <indexterm zone="shadow pam-login-defs">
|
---|
| 256 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
| 257 | </indexterm>
|
---|
| 258 |
|
---|
| 259 | <screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &&
|
---|
| 260 | for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
|
---|
| 261 | PORTTIME_CHECKS_ENAB CONSOLE \
|
---|
| 262 | MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
|
---|
| 263 | SU_WHEEL_ONLY MD5_CRYPT_ENAB \
|
---|
| 264 | CONSOLE_GROUPS ENVIRON_FILE \
|
---|
| 265 | ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
|
---|
| 266 | ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
|
---|
[8f68b03] | 267 | CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE \
|
---|
| 268 | OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
|
---|
[71e9f62] | 269 | PASS_CHANGE_TRIES PASS_ALWAYS_WARN ISSUE_FILE
|
---|
[1ba671c] | 270 | do
|
---|
[d8684cbc] | 271 | sed -i "s/^$FUNCTION/# &/" /etc/login.defs
|
---|
[1ba671c] | 272 | done</userinput></screen>
|
---|
| 273 |
|
---|
| 274 | </sect4>
|
---|
| 275 |
|
---|
| 276 | <sect4>
|
---|
| 277 | <title>Configuring the /etc/pam.d/ Files</title>
|
---|
| 278 |
|
---|
[29f80ebc] | 279 | <para>As mentioned previously in the
|
---|
| 280 | <application>Linux-PAM</application> instructions,
|
---|
| 281 | <application>Linux-PAM</application> has two supported methods for
|
---|
| 282 | configuration. The commands below assume that you've chosen to use
|
---|
| 283 | a directory based configuration, where each program has its own
|
---|
[eb2eccc] | 284 | configuration file. You can optionally use a single
|
---|
[29f80ebc] | 285 | <filename>/etc/pam.conf</filename> configuration file by using the
|
---|
| 286 | text from the files below, and supplying the program name as an
|
---|
[eb2eccc] | 287 | additional first field for each line.</para>
|
---|
| 288 |
|
---|
| 289 | <para>As the <systemitem class="username">root</systemitem> user,
|
---|
[bca744f] | 290 | replace the following <application>Linux-PAM</application>
|
---|
| 291 | configuration files in the
|
---|
[29f80ebc] | 292 | <filename class="directory">/etc/pam.d/</filename> directory (or
|
---|
[bca744f] | 293 | add the contents to the <filename>/etc/pam.conf</filename> file) using
|
---|
[eb2eccc] | 294 | the following commands:</para>
|
---|
[1ba671c] | 295 |
|
---|
| 296 | </sect4>
|
---|
[322f172] | 297 |
|
---|
| 298 | <sect4>
|
---|
[3e8fb4c] | 299 | <title>'system-account'</title>
|
---|
[322f172] | 300 |
|
---|
[3e8fb4c] | 301 | <screen role="root"><userinput>cat > /etc/pam.d/system-account << "EOF"
|
---|
| 302 | <literal># Begin /etc/pam.d/system-account
|
---|
[4fcf20a5] | 303 |
|
---|
[3e8fb4c] | 304 | account required pam_unix.so
|
---|
[4fcf20a5] | 305 |
|
---|
[3e8fb4c] | 306 | # End /etc/pam.d/system-account</literal>
|
---|
[322f172] | 307 | EOF</userinput></screen>
|
---|
| 308 |
|
---|
| 309 | </sect4>
|
---|
[4fcf20a5] | 310 |
|
---|
[322f172] | 311 | <sect4>
|
---|
[3e8fb4c] | 312 | <title>'system-auth'</title>
|
---|
[4fcf20a5] | 313 |
|
---|
[3e8fb4c] | 314 | <screen role="root"><userinput>cat > /etc/pam.d/system-auth << "EOF"
|
---|
| 315 | <literal># Begin /etc/pam.d/system-auth
|
---|
[b4b71892] | 316 |
|
---|
[3e8fb4c] | 317 | auth required pam_unix.so
|
---|
[b4b71892] | 318 |
|
---|
[3e8fb4c] | 319 | # End /etc/pam.d/system-auth</literal>
|
---|
[322f172] | 320 | EOF</userinput></screen>
|
---|
[4fcf20a5] | 321 |
|
---|
[322f172] | 322 | </sect4>
|
---|
[4fcf20a5] | 323 |
|
---|
[322f172] | 324 | <sect4>
|
---|
[3e8fb4c] | 325 | <title>'system-passwd' (with cracklib)</title>
|
---|
| 326 |
|
---|
| 327 | <screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF"
|
---|
| 328 | <literal># Begin /etc/pam.d/system-password
|
---|
| 329 |
|
---|
| 330 | # check new passwords for strength (man pam_cracklib)
|
---|
| 331 | password required pam_cracklib.so type=Linux retry=3 difok=5 \
|
---|
| 332 | difignore=23 minlen=9 dcredit=1 \
|
---|
| 333 | ucredit=1 lcredit=1 ocredit=1 \
|
---|
| 334 | dictpath=/lib/cracklib/pw_dict
|
---|
| 335 | # use sha512 hash for encryption, use shadow, and use the
|
---|
| 336 | # authentication token (chosen password) set by pam_cracklib
|
---|
| 337 | # above (or any previous modules)
|
---|
| 338 | password required pam_unix.so sha512 shadow use_authtok
|
---|
| 339 |
|
---|
| 340 | # End /etc/pam.d/system-password</literal>
|
---|
[322f172] | 341 | EOF</userinput></screen>
|
---|
| 342 |
|
---|
[c0c33269] | 343 | <note><para>In its default configuration, owing to credits,
|
---|
| 344 | pam_cracklib will allow multiple case passwords as short as 6
|
---|
| 345 | characters, even with the <parameter>minlen</parameter> value
|
---|
| 346 | set to 11. You should review the pam_cracklib(8) man page and
|
---|
| 347 | determine if these default values are acceptable for the security
|
---|
| 348 | of your system.</para></note>
|
---|
| 349 |
|
---|
[322f172] | 350 | </sect4>
|
---|
[3e8fb4c] | 351 |
|
---|
| 352 | <sect4>
|
---|
| 353 | <title>'system-passwd' (without cracklib)</title>
|
---|
| 354 |
|
---|
| 355 | <screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF"
|
---|
| 356 | <literal># Begin /etc/pam.d/system-password
|
---|
| 357 |
|
---|
| 358 | # use sha512 hash for encryption, use shadow, and try to use any perviously
|
---|
| 359 | # defined authentication token (chosen password) set by any prior module
|
---|
| 360 | password required pam_unix.so sha512 shadow try_first_pass
|
---|
| 361 |
|
---|
| 362 | # End /etc/pam.d/system-password</literal>
|
---|
| 363 | EOF</userinput></screen>
|
---|
| 364 |
|
---|
| 365 | </sect4>
|
---|
| 366 |
|
---|
| 367 | <sect4>
|
---|
| 368 | <title>'system-session'</title>
|
---|
| 369 |
|
---|
| 370 | <screen role="root"><userinput>cat > /etc/pam.d/system-session << "EOF"
|
---|
| 371 | <literal># Begin /etc/pam.d/system-session
|
---|
| 372 |
|
---|
| 373 | session required pam_unix.so
|
---|
| 374 |
|
---|
| 375 | # End /etc/pam.d/system-session</literal>
|
---|
| 376 | EOF</userinput></screen>
|
---|
| 377 |
|
---|
| 378 | </sect4>
|
---|
[b4b71892] | 379 |
|
---|
[322f172] | 380 | <sect4>
|
---|
[3e8fb4c] | 381 | <title>'login'</title>
|
---|
| 382 |
|
---|
| 383 | <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
---|
| 384 | <literal># Begin /etc/pam.d/login
|
---|
| 385 |
|
---|
| 386 | # Set failure delay before next prompt to 3 seconds
|
---|
| 387 | auth optional pam_faildelay.so delay=3000000
|
---|
| 388 |
|
---|
| 389 | # Check to make sure that the user is allowed to login
|
---|
| 390 | auth requisite pam_nologin.so
|
---|
| 391 |
|
---|
| 392 | # Check to make sure that root is allowed to login
|
---|
| 393 | auth required pam_securetty.so
|
---|
| 394 |
|
---|
| 395 | # Additional group memberships - disabled by default
|
---|
| 396 | #auth optional pam_group.so
|
---|
| 397 |
|
---|
| 398 | # include the default auth settings
|
---|
| 399 | auth include system-auth
|
---|
| 400 |
|
---|
| 401 | # check access for the user
|
---|
| 402 | account required pam_access.so
|
---|
| 403 |
|
---|
| 404 | # include the default account settings
|
---|
| 405 | account include system-account
|
---|
| 406 |
|
---|
| 407 | # Set default environment variables for the user
|
---|
| 408 | session required pam_env.so
|
---|
| 409 |
|
---|
| 410 | # Set resource limits for the user
|
---|
| 411 | session required pam_limits.so
|
---|
| 412 |
|
---|
| 413 | # Display date of last login - Disabled by default
|
---|
| 414 | #session optional pam_lastlog.so
|
---|
| 415 |
|
---|
| 416 | # Display the message of the day - Disabled by default
|
---|
| 417 | #session optional pam_motd.so
|
---|
| 418 |
|
---|
| 419 | # Check user's mail - Disabled by default
|
---|
| 420 | #session optional pam_mail.so standard quiet
|
---|
| 421 |
|
---|
| 422 | # Use xauth keys (if available)
|
---|
| 423 | session optional pam_xauth.so
|
---|
| 424 |
|
---|
| 425 | # include the default session and password settings
|
---|
| 426 | session include system-session
|
---|
| 427 | password include system-password
|
---|
| 428 |
|
---|
| 429 | # End /etc/pam.d/login</literal>
|
---|
| 430 | EOF</userinput></screen>
|
---|
| 431 |
|
---|
| 432 | </sect4>
|
---|
| 433 |
|
---|
| 434 | <sect4>
|
---|
| 435 | <title>'passwd'</title>
|
---|
[4fcf20a5] | 436 |
|
---|
[322f172] | 437 | <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
---|
| 438 | <literal># Begin /etc/pam.d/passwd
|
---|
[4fcf20a5] | 439 |
|
---|
[3e8fb4c] | 440 | password include system-password
|
---|
[b4b71892] | 441 |
|
---|
[322f172] | 442 | # End /etc/pam.d/passwd</literal>
|
---|
| 443 | EOF</userinput></screen>
|
---|
| 444 |
|
---|
| 445 | </sect4>
|
---|
[4fcf20a5] | 446 |
|
---|
[322f172] | 447 | <sect4>
|
---|
| 448 | <title>'su'</title>
|
---|
[4fcf20a5] | 449 |
|
---|
[322f172] | 450 | <screen role="root"><userinput>cat > /etc/pam.d/su << "EOF"
|
---|
| 451 | <literal># Begin /etc/pam.d/su
|
---|
[b4b71892] | 452 |
|
---|
[3e8fb4c] | 453 | # always allow root
|
---|
| 454 | auth sufficient pam_rootok.so
|
---|
[55e18620] | 455 | auth include system-auth
|
---|
[3e8fb4c] | 456 |
|
---|
| 457 | # include the default account settings
|
---|
| 458 | account include system-account
|
---|
| 459 |
|
---|
| 460 | # Use xauth keys (if available)
|
---|
| 461 | session optional pam_xauth.so
|
---|
| 462 |
|
---|
| 463 | # Set default environment variables for the service user
|
---|
| 464 | session required pam_env.so
|
---|
| 465 |
|
---|
| 466 | # include system session defaults
|
---|
| 467 | session include system-session
|
---|
[b4b71892] | 468 |
|
---|
[322f172] | 469 | # End /etc/pam.d/su</literal>
|
---|
| 470 | EOF</userinput></screen>
|
---|
[b4b71892] | 471 |
|
---|
[322f172] | 472 | </sect4>
|
---|
[b4b71892] | 473 |
|
---|
[322f172] | 474 | <sect4>
|
---|
| 475 | <title>'chage'</title>
|
---|
| 476 |
|
---|
| 477 | <screen role="root"><userinput>cat > /etc/pam.d/chage << "EOF"
|
---|
[3e8fb4c] | 478 | <literal>#Begin /etc/pam.d/chage
|
---|
| 479 |
|
---|
| 480 | # always allow root
|
---|
| 481 | auth sufficient pam_rootok.so
|
---|
| 482 |
|
---|
| 483 | # include system defaults for auth account and session
|
---|
| 484 | auth include system-auth
|
---|
| 485 | account include system-account
|
---|
| 486 | session include system-session
|
---|
[b4b71892] | 487 |
|
---|
[3e8fb4c] | 488 | # Always permit for authentication updates
|
---|
| 489 | password required pam_permit.so
|
---|
[b4b71892] | 490 |
|
---|
[322f172] | 491 | # End /etc/pam.d/chage</literal>
|
---|
| 492 | EOF</userinput></screen>
|
---|
| 493 |
|
---|
| 494 | </sect4>
|
---|
[b4b71892] | 495 |
|
---|
[322f172] | 496 | <sect4>
|
---|
[bca744f] | 497 | <title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd',
|
---|
| 498 | 'groupdel', 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel'
|
---|
| 499 | and 'usermod'</title>
|
---|
[39975e9] | 500 |
|
---|
[bca744f] | 501 | <screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
|
---|
| 502 | groupmems groupmod newusers useradd userdel usermod
|
---|
[4fcf20a5] | 503 | do
|
---|
[904f31e2] | 504 | install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
|
---|
[d8684cbc] | 505 | sed -i "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
|
---|
[322f172] | 506 | done</userinput></screen>
|
---|
| 507 |
|
---|
| 508 | <warning>
|
---|
| 509 | <para>At this point, you should do a simple test to see if
|
---|
| 510 | <application>Shadow</application> is working as expected. Open
|
---|
[1ba671c] | 511 | another terminal and log in as a user, then <command>su</command> to
|
---|
[974951c] | 512 | <systemitem class="username">root</systemitem>. If you do not see any
|
---|
| 513 | errors, then all is well and you should proceed with the rest of the
|
---|
[322f172] | 514 | configuration. If you did receive errors, stop now and double check
|
---|
[b65246b] | 515 | the above configuration files manually. You can also run the test
|
---|
| 516 | suite from the <application>Linux-PAM</application> package to assist
|
---|
| 517 | you in determining the problem. If you cannot find and
|
---|
[322f172] | 518 | fix the error, you should recompile <application>Shadow</application>
|
---|
[3e13cd9] | 519 | adding the <option>--without-libpam</option> switch to the
|
---|
| 520 | <command>configure</command> command in the above instructions
|
---|
| 521 | (also move the <filename>/etc/login.defs.orig</filename> backup
|
---|
| 522 | file to <filename>/etc/login.defs</filename>). If you
|
---|
[322f172] | 523 | fail to do this and the errors remain, you will be unable to log into
|
---|
| 524 | your system.</para>
|
---|
| 525 | </warning>
|
---|
| 526 |
|
---|
[349b53dd] | 527 | </sect4>
|
---|
| 528 |
|
---|
| 529 | <sect4>
|
---|
| 530 | <title>Other</title>
|
---|
| 531 |
|
---|
[322f172] | 532 | <para>Currently, <filename>/etc/pam.d/other</filename> is configured
|
---|
| 533 | to allow anyone with an account on the machine to use PAM-aware
|
---|
| 534 | programs without a configuration file for that program. After testing
|
---|
| 535 | <application>Linux-PAM</application> for proper configuration, install
|
---|
| 536 | a more restrictive <filename>other</filename> file so that
|
---|
| 537 | program-specific configuration files are required:</para>
|
---|
| 538 |
|
---|
| 539 | <screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
|
---|
| 540 | <literal># Begin /etc/pam.d/other
|
---|
[b4b71892] | 541 |
|
---|
| 542 | auth required pam_warn.so
|
---|
[3e8fb4c] | 543 | auth required pam_deny.so
|
---|
[bca744f] | 544 | account required pam_warn.so
|
---|
[3e8fb4c] | 545 | account required pam_deny.so
|
---|
[b4b71892] | 546 | password required pam_warn.so
|
---|
[3e8fb4c] | 547 | password required pam_deny.so
|
---|
[bca744f] | 548 | session required pam_warn.so
|
---|
[3e8fb4c] | 549 | session required pam_deny.so
|
---|
[b4b71892] | 550 |
|
---|
[322f172] | 551 | # End /etc/pam.d/other</literal>
|
---|
| 552 | EOF</userinput></screen>
|
---|
[4fcf20a5] | 553 |
|
---|
[322f172] | 554 | </sect4>
|
---|
[4fcf20a5] | 555 |
|
---|
[322f172] | 556 | <sect4 id="pam-access">
|
---|
| 557 | <title>Configuring Login Access</title>
|
---|
[4fcf20a5] | 558 |
|
---|
[322f172] | 559 | <para>Instead of using the <filename>/etc/login.access</filename>
|
---|
| 560 | file for controlling access to the system,
|
---|
| 561 | <application>Linux-PAM</application> uses the
|
---|
| 562 | <filename class='libraryfile'>pam_access.so</filename> module along
|
---|
| 563 | with the <filename>/etc/security/access.conf</filename> file. Rename
|
---|
| 564 | the <filename>/etc/login.access</filename> file using the following
|
---|
| 565 | command:</para>
|
---|
| 566 |
|
---|
| 567 | <indexterm zone="shadow pam-access">
|
---|
| 568 | <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
|
---|
| 569 | </indexterm>
|
---|
| 570 |
|
---|
| 571 | <screen role="root"><userinput>if [ -f /etc/login.access ]; then
|
---|
[4fcf20a5] | 572 | mv -v /etc/login.access /etc/login.access.NOUSE
|
---|
[322f172] | 573 | fi</userinput></screen>
|
---|
| 574 |
|
---|
| 575 | </sect4>
|
---|
| 576 |
|
---|
| 577 | <sect4 id="pam-limits">
|
---|
| 578 | <title>Configuring Resource Limits</title>
|
---|
| 579 |
|
---|
| 580 | <para>Instead of using the <filename>/etc/limits</filename> file
|
---|
| 581 | for limiting usage of system resources,
|
---|
| 582 | <application>Linux-PAM</application> uses the
|
---|
| 583 | <filename class='libraryfile'>pam_limits.so</filename> module along
|
---|
| 584 | with the <filename>/etc/security/limits.conf</filename> file. Rename
|
---|
| 585 | the <filename>/etc/limits</filename> file using the following
|
---|
| 586 | command:</para>
|
---|
| 587 |
|
---|
| 588 | <indexterm zone="shadow pam-limits">
|
---|
| 589 | <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
|
---|
| 590 | </indexterm>
|
---|
| 591 |
|
---|
| 592 | <screen role="root"><userinput>if [ -f /etc/limits ]; then
|
---|
[4fcf20a5] | 593 | mv -v /etc/limits /etc/limits.NOUSE
|
---|
[322f172] | 594 | fi</userinput></screen>
|
---|
| 595 |
|
---|
| 596 | </sect4>
|
---|
[4fcf20a5] | 597 |
|
---|
[7fb0e285] | 598 | <sect4 id="pam-env">
|
---|
| 599 | <title>Configuring Default Environment</title>
|
---|
| 600 |
|
---|
[bccbdaea] | 601 | <para>During previous configuration, several items were removed from
|
---|
[7fb0e285] | 602 | <filename>/etc/login.defs</filename>. Some of these items are now
|
---|
[bccbdaea] | 603 | controlled by the <filename class='libraryfile'>pam_env.so</filename>
|
---|
| 604 | module and the <filename>/etc/security/pam_env.conf</filename>
|
---|
| 605 | configuration file. In particular, the default path has been
|
---|
| 606 | changed. To recover your default path, execute the following
|
---|
[7fb0e285] | 607 | commands:</para>
|
---|
| 608 |
|
---|
[d8684cbc] | 609 | <screen role="root"><userinput>ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
|
---|
[7fb0e285] | 610 | awk '{ print $2 }' | sed 's/PATH=//'` &&
|
---|
[d8684cbc] | 611 | echo 'PATH DEFAULT='`echo "${ENV_PATH}"`\
|
---|
| 612 | ' OVERRIDE=${PATH}' \
|
---|
[7fb0e285] | 613 | >> /etc/security/pam_env.conf &&
|
---|
[d8684cbc] | 614 | unset ENV_PATH</userinput></screen>
|
---|
[7fb0e285] | 615 |
|
---|
[d8684cbc] | 616 | <note>
|
---|
[f56ef5d3] | 617 | <para>The ENV_SUPATH option used to modify root's default path
|
---|
| 618 | does not work with PAM. You have to set the path in root's login
|
---|
| 619 | scripts instead.
|
---|
| 620 | </para>
|
---|
[d8684cbc] | 621 | </note>
|
---|
[7fb0e285] | 622 |
|
---|
| 623 | </sect4>
|
---|
| 624 |
|
---|
[322f172] | 625 | </sect3>
|
---|
[b4b71892] | 626 |
|
---|
[322f172] | 627 | </sect2>
|
---|
[f45b1953] | 628 |
|
---|
[322f172] | 629 | <sect2 role="content">
|
---|
| 630 | <title>Contents</title>
|
---|
[17fb537e] | 631 |
|
---|
[322f172] | 632 | <para>A list of the installed files, along with their short descriptions
|
---|
| 633 | can be found at
|
---|
| 634 | <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>
|
---|
[17fb537e] | 635 |
|
---|
[322f172] | 636 | </sect2>
|
---|
[17fb537e] | 637 |
|
---|
[f45b1953] | 638 | </sect1>
|
---|