1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 |
|
---|
7 | <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
|
---|
8 | <!ENTITY shadow-download-ftp " ">
|
---|
9 | <!ENTITY shadow-md5sum "b1ab01b5462ddcf43588374d57bec123">
|
---|
10 | <!ENTITY shadow-size "1.7 MB">
|
---|
11 | <!ENTITY shadow-buildsize "45 MB">
|
---|
12 | <!ENTITY shadow-time "0.2 SBU">
|
---|
13 | ]>
|
---|
14 |
|
---|
15 | <sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
|
---|
16 | <?dbhtml filename="shadow.html"?>
|
---|
17 |
|
---|
18 | <sect1info>
|
---|
19 | <date>$Date$</date>
|
---|
20 | </sect1info>
|
---|
21 |
|
---|
22 | <title>Shadow-&shadow-version;</title>
|
---|
23 |
|
---|
24 | <indexterm zone="shadow">
|
---|
25 | <primary sortas="a-Shadow">Shadow</primary>
|
---|
26 | </indexterm>
|
---|
27 |
|
---|
28 | <sect2 role="package">
|
---|
29 | <title>Introduction to Shadow</title>
|
---|
30 |
|
---|
31 | <para>
|
---|
32 | <application>Shadow</application> was indeed installed in LFS and there is
|
---|
33 | no reason to reinstall it unless you installed
|
---|
34 | <application>CrackLib</application> or
|
---|
35 | <application>Linux-PAM</application> after your LFS system was completed.
|
---|
36 | If you have installed <application>CrackLib</application> after LFS, then
|
---|
37 | reinstalling <application>Shadow</application> will enable strong password
|
---|
38 | support. If you have installed <application>Linux-PAM</application>,
|
---|
39 | reinstalling <application>Shadow</application> will allow programs such as
|
---|
40 | <command>login</command> and <command>su</command> to utilize PAM.
|
---|
41 | </para>
|
---|
42 |
|
---|
43 | &lfs112_checked;
|
---|
44 |
|
---|
45 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
46 | <itemizedlist spacing="compact">
|
---|
47 | <listitem>
|
---|
48 | <para>
|
---|
49 | Download (HTTP): <ulink url="&shadow-download-http;"/>
|
---|
50 | </para>
|
---|
51 | </listitem>
|
---|
52 | <listitem>
|
---|
53 | <para>
|
---|
54 | Download (FTP): <ulink url="&shadow-download-ftp;"/>
|
---|
55 | </para>
|
---|
56 | </listitem>
|
---|
57 | <listitem>
|
---|
58 | <para>
|
---|
59 | Download MD5 sum: &shadow-md5sum;
|
---|
60 | </para>
|
---|
61 | </listitem>
|
---|
62 | <listitem>
|
---|
63 | <para>
|
---|
64 | Download size: &shadow-size;
|
---|
65 | </para>
|
---|
66 | </listitem>
|
---|
67 | <listitem>
|
---|
68 | <para>
|
---|
69 | Estimated disk space required: &shadow-buildsize;
|
---|
70 | </para>
|
---|
71 | </listitem>
|
---|
72 | <listitem>
|
---|
73 | <para>
|
---|
74 | Estimated build time: &shadow-time;
|
---|
75 | </para>
|
---|
76 | </listitem>
|
---|
77 | </itemizedlist>
|
---|
78 | <!--
|
---|
79 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
80 | <itemizedlist spacing="compact">
|
---|
81 | <listitem>
|
---|
82 | <para>
|
---|
83 | Required patch:
|
---|
84 | <ulink url="&patch-root;/shadow-&shadow-version;-useradd_segfault-1.patch"/>
|
---|
85 | </para>
|
---|
86 | </listitem>
|
---|
87 | </itemizedlist>
|
---|
88 | -->
|
---|
89 | <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
|
---|
90 |
|
---|
91 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
92 | <para role="required">
|
---|
93 | <xref linkend="linux-pam"/> or
|
---|
94 | <xref role="nodep" linkend="cracklib"/>
|
---|
95 | </para>
|
---|
96 |
|
---|
97 | <para condition="html" role="usernotes">
|
---|
98 | User Notes: <ulink url="&blfs-wiki;/shadow"/>
|
---|
99 | </para>
|
---|
100 | </sect2>
|
---|
101 |
|
---|
102 | <sect2 role="installation">
|
---|
103 | <title>Installation of Shadow</title>
|
---|
104 |
|
---|
105 | <important>
|
---|
106 | <para>
|
---|
107 | The installation commands shown below are for installations where
|
---|
108 | <application>Linux-PAM</application> has been installed and
|
---|
109 | <application>Shadow</application> is being reinstalled to support the
|
---|
110 | <application>Linux-PAM</application> installation.
|
---|
111 | </para>
|
---|
112 |
|
---|
113 | <para>
|
---|
114 | If you are reinstalling <application>Shadow</application> to provide
|
---|
115 | strong password support using the <application>CrackLib</application>
|
---|
116 | library without using <application>Linux-PAM</application>, ensure you
|
---|
117 | add the <parameter>--with-libcrack</parameter> parameter to the
|
---|
118 | <command>configure</command> script below and also issue the following
|
---|
119 | command:
|
---|
120 | </para>
|
---|
121 |
|
---|
122 | <screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
|
---|
123 | </important>
|
---|
124 |
|
---|
125 | <para>
|
---|
126 | Reinstall <application>Shadow</application> by running the following
|
---|
127 | commands:
|
---|
128 | </para>
|
---|
129 | <!--
|
---|
130 | <screen><userinput>patch -Np1 -i ../shadow-4.10-useradd_segfault-1.patch &&
|
---|
131 |
|
---|
132 | sed -i "224s/rounds/min_rounds/" libmisc/salt.c &&
|
---|
133 | -->
|
---|
134 | <screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
|
---|
135 |
|
---|
136 | find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
|
---|
137 | find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &&
|
---|
138 | find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &&
|
---|
139 |
|
---|
140 | sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
|
---|
141 | -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' \
|
---|
142 | -e 's@/var/spool/mail@/var/mail@' \
|
---|
143 | -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
|
---|
144 | -i etc/login.defs &&
|
---|
145 |
|
---|
146 | ./configure --sysconfdir=/etc \
|
---|
147 | --disable-static \
|
---|
148 | --with-group-name-max-length=32 &&
|
---|
149 | make</userinput></screen>
|
---|
150 |
|
---|
151 | <para>
|
---|
152 | This package does not come with a test suite.
|
---|
153 | </para>
|
---|
154 |
|
---|
155 | <para>
|
---|
156 | Now, as the <systemitem class="username">root</systemitem> user:
|
---|
157 | </para>
|
---|
158 |
|
---|
159 | <screen role="root"><userinput>make exec_prefix=/usr install</userinput></screen>
|
---|
160 |
|
---|
161 | <para>
|
---|
162 | The man pages were installed in LFS, but if reinstallation is
|
---|
163 | desired, run (as the <systemitem class="username">root</systemitem> user):
|
---|
164 | </para>
|
---|
165 |
|
---|
166 | <screen role="root"><userinput>make -C man install-man</userinput></screen>
|
---|
167 |
|
---|
168 | </sect2>
|
---|
169 |
|
---|
170 | <sect2 role="commands">
|
---|
171 | <title>Command Explanations</title>
|
---|
172 |
|
---|
173 | <para>
|
---|
174 | <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
|
---|
175 | is used to suppress the installation of the <command>groups</command>
|
---|
176 | program as the version from the <application>Coreutils</application>
|
---|
177 | package installed during LFS is preferred.
|
---|
178 | </para>
|
---|
179 |
|
---|
180 | <para>
|
---|
181 | <command>find man -name Makefile.in -exec ... {} \;</command>: The
|
---|
182 | first command is used to suppress the installation of the
|
---|
183 | <command>groups</command> man pages so the existing ones installed from
|
---|
184 | the <application>Coreutils</application> package are not replaced.
|
---|
185 | The two other commands prevent installation of manual pages that
|
---|
186 | are already installed by <application>Man-pages</application> in LFS.
|
---|
187 | </para>
|
---|
188 |
|
---|
189 | <para>
|
---|
190 | <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
|
---|
191 | 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' -e
|
---|
192 | 's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
|
---|
193 | -i etc/login.defs</command>: Instead of using the default 'DES'
|
---|
194 | method, this command modifies the installation to use the more secure
|
---|
195 | 'SHA512' method of hashing passwords, which also allows passwords
|
---|
196 | longer than eight characters. The number of rounds is also increased
|
---|
197 | to prevent brute force password attacks. The command also changes the
|
---|
198 | obsolete <filename class="directory">/var/spool/mail</filename> location
|
---|
199 | for user mailboxes that <application>Shadow</application> uses by
|
---|
200 | default to the <filename class="directory">/var/mail</filename>
|
---|
201 | location. It also changes the default path to be consistent with that
|
---|
202 | set in LFS.
|
---|
203 | </para>
|
---|
204 | <!--
|
---|
205 | <para>
|
---|
206 | <command>sed ... libmisc/salt.c</command> and
|
---|
207 | <command>sed ... libsubid/Makefile.am</command>: Fix a couple of errors
|
---|
208 | that were found after the package was released.
|
---|
209 | </para>
|
---|
210 | -->
|
---|
211 | <para>
|
---|
212 | <parameter>--with-group-name-max-length=32</parameter>: The maximum
|
---|
213 | user name is 32 characters. Make the maximum group name the same.
|
---|
214 | </para>
|
---|
215 | <!--
|
---|
216 | <para>
|
---|
217 | <parameter>-\-without-su</parameter>: Don't reinstall
|
---|
218 | <command>su</command> because upstream recommends using the
|
---|
219 | <command>su</command> command from <xref linkend='util-linux'/>
|
---|
220 | when <application>Linux-PAM</application> is available.
|
---|
221 | </para>
|
---|
222 | -->
|
---|
223 | </sect2>
|
---|
224 |
|
---|
225 | <!-- Now, /etc/default/useradd is not reinstalled anymore, and this
|
---|
226 | configuration has been done in lfs
|
---|
227 | <sect2 role="configuration">
|
---|
228 | <title>Configuring Shadow</title>
|
---|
229 |
|
---|
230 | <para>
|
---|
231 | <application>Shadow</application>'s stock configuration for the
|
---|
232 | <command>useradd</command> utility may not be desirable for your
|
---|
233 | installation. One default parameter causes <command>useradd</command> to
|
---|
234 | create a mailbox file for any newly created user.
|
---|
235 | <command>useradd</command> will make the group ownership of this file to
|
---|
236 | the <systemitem class="groupname">mail</systemitem> group with 0660
|
---|
237 | permissions. If you would prefer that these mailbox files are not created
|
---|
238 | by <command>useradd</command>, issue the following command as the
|
---|
239 | <systemitem class="username">root</systemitem> user:
|
---|
240 | </para>
|
---|
241 |
|
---|
242 | <screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
|
---|
243 | </sect2>
|
---|
244 | -->
|
---|
245 | <sect2 role="configuration">
|
---|
246 | <title>Configuring Linux-PAM to Work with Shadow</title>
|
---|
247 |
|
---|
248 | <note>
|
---|
249 | <para>
|
---|
250 | The rest of this page is devoted to configuring
|
---|
251 | <application>Shadow</application> to work properly with
|
---|
252 | <application>Linux-PAM</application>. If you do not have
|
---|
253 | <application>Linux-PAM</application> installed, and you reinstalled
|
---|
254 | <application>Shadow</application> to support strong passwords via the
|
---|
255 | <application>CrackLib</application> library, no further configuration is
|
---|
256 | required.
|
---|
257 | </para>
|
---|
258 | </note>
|
---|
259 |
|
---|
260 | <sect3 id="pam.d">
|
---|
261 | <title>Config Files</title>
|
---|
262 |
|
---|
263 | <para>
|
---|
264 | <filename>/etc/pam.d/*</filename> or alternatively
|
---|
265 | <filename>/etc/pam.conf</filename>,
|
---|
266 | <filename>/etc/login.defs</filename> and
|
---|
267 | <filename>/etc/security/*</filename>
|
---|
268 | </para>
|
---|
269 |
|
---|
270 | <indexterm zone="shadow pam.d">
|
---|
271 | <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
|
---|
272 | </indexterm>
|
---|
273 |
|
---|
274 | <indexterm zone="shadow pam.d">
|
---|
275 | <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
|
---|
276 | </indexterm>
|
---|
277 |
|
---|
278 | <indexterm zone="shadow pam.d">
|
---|
279 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
280 | </indexterm>
|
---|
281 |
|
---|
282 | <indexterm zone="shadow pam.d">
|
---|
283 | <primary sortas="e-etc-security">/etc/security/*</primary>
|
---|
284 | </indexterm>
|
---|
285 | </sect3>
|
---|
286 |
|
---|
287 | <sect3>
|
---|
288 | <title>Configuration Information</title>
|
---|
289 |
|
---|
290 | <para>
|
---|
291 | Configuring your system to use <application>Linux-PAM</application> can
|
---|
292 | be a complex task. The information below will provide a basic setup so
|
---|
293 | that <application>Shadow</application>'s login and password
|
---|
294 | functionality will work effectively with
|
---|
295 | <application>Linux-PAM</application>. Review the information and links
|
---|
296 | on the <xref linkend="linux-pam"/> page for further configuration
|
---|
297 | information. For information specific to integrating
|
---|
298 | <application>Shadow</application>, <application>Linux-PAM</application>
|
---|
299 | and <application>libpwquality</application>, you can visit the
|
---|
300 | following link:
|
---|
301 | </para>
|
---|
302 |
|
---|
303 | <itemizedlist spacing="compact">
|
---|
304 | <listitem>
|
---|
305 | <!-- Old URL redirects to here. -->
|
---|
306 | <para>
|
---|
307 | <ulink url="https://deer-run.com/users/hal/linux_passwords_pam.html"/>
|
---|
308 | </para>
|
---|
309 | </listitem>
|
---|
310 | </itemizedlist>
|
---|
311 |
|
---|
312 | <sect4 id="pam-login-defs">
|
---|
313 | <title>Configuring /etc/login.defs</title>
|
---|
314 |
|
---|
315 | <para>
|
---|
316 | The <command>login</command> program currently performs many functions
|
---|
317 | which <application>Linux-PAM</application> modules should now handle.
|
---|
318 | The following <command>sed</command> command will comment out the
|
---|
319 | appropriate lines in <filename>/etc/login.defs</filename>, and stop
|
---|
320 | <command>login</command> from performing these functions (a backup
|
---|
321 | file named <filename>/etc/login.defs.orig</filename> is also created
|
---|
322 | to preserve the original file's contents). Issue the following
|
---|
323 | commands as the <systemitem class="username">root</systemitem> user:
|
---|
324 | </para>
|
---|
325 |
|
---|
326 | <indexterm zone="shadow pam-login-defs">
|
---|
327 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
328 | </indexterm>
|
---|
329 |
|
---|
330 | <screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &&
|
---|
331 | for FUNCTION in FAIL_DELAY \
|
---|
332 | FAILLOG_ENAB \
|
---|
333 | LASTLOG_ENAB \
|
---|
334 | MAIL_CHECK_ENAB \
|
---|
335 | OBSCURE_CHECKS_ENAB \
|
---|
336 | PORTTIME_CHECKS_ENAB \
|
---|
337 | QUOTAS_ENAB \
|
---|
338 | CONSOLE MOTD_FILE \
|
---|
339 | FTMP_FILE NOLOGINS_FILE \
|
---|
340 | ENV_HZ PASS_MIN_LEN \
|
---|
341 | SU_WHEEL_ONLY \
|
---|
342 | CRACKLIB_DICTPATH \
|
---|
343 | PASS_CHANGE_TRIES \
|
---|
344 | PASS_ALWAYS_WARN \
|
---|
345 | CHFN_AUTH ENCRYPT_METHOD \
|
---|
346 | ENVIRON_FILE
|
---|
347 | do
|
---|
348 | sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
|
---|
349 | done</userinput></screen>
|
---|
350 | </sect4>
|
---|
351 |
|
---|
352 | <sect4>
|
---|
353 | <title>Configuring the /etc/pam.d/ Files</title>
|
---|
354 |
|
---|
355 | <para>
|
---|
356 | As mentioned previously in the <application>Linux-PAM</application>
|
---|
357 | instructions, <application>Linux-PAM</application> has two supported
|
---|
358 | methods for configuration. The commands below assume that you've
|
---|
359 | chosen to use a directory based configuration, where each program has
|
---|
360 | its own configuration file. You can optionally use a single
|
---|
361 | <filename>/etc/pam.conf</filename> configuration file by using the
|
---|
362 | text from the files below, and supplying the program name as an
|
---|
363 | additional first field for each line.
|
---|
364 | </para>
|
---|
365 |
|
---|
366 | <para>
|
---|
367 | As the <systemitem class="username">root</systemitem> user, create
|
---|
368 | the following <application>Linux-PAM</application> configuration files
|
---|
369 | in the <filename class="directory">/etc/pam.d/</filename> directory
|
---|
370 | (or add the contents to the <filename>/etc/pam.conf</filename> file)
|
---|
371 | using the following commands:
|
---|
372 | </para>
|
---|
373 | </sect4>
|
---|
374 |
|
---|
375 | <sect4>
|
---|
376 | <title>'login'</title>
|
---|
377 |
|
---|
378 | <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
---|
379 | <literal># Begin /etc/pam.d/login
|
---|
380 |
|
---|
381 | # Set failure delay before next prompt to 3 seconds
|
---|
382 | auth optional pam_faildelay.so delay=3000000
|
---|
383 |
|
---|
384 | # Check to make sure that the user is allowed to login
|
---|
385 | auth requisite pam_nologin.so
|
---|
386 |
|
---|
387 | # Check to make sure that root is allowed to login
|
---|
388 | # Disabled by default. You will need to create /etc/securetty
|
---|
389 | # file for this module to function. See man 5 securetty.
|
---|
390 | #auth required pam_securetty.so
|
---|
391 |
|
---|
392 | # Additional group memberships - disabled by default
|
---|
393 | #auth optional pam_group.so
|
---|
394 |
|
---|
395 | # include system auth settings
|
---|
396 | auth include system-auth
|
---|
397 |
|
---|
398 | # check access for the user
|
---|
399 | account required pam_access.so
|
---|
400 |
|
---|
401 | # include system account settings
|
---|
402 | account include system-account
|
---|
403 |
|
---|
404 | # Set default environment variables for the user
|
---|
405 | session required pam_env.so
|
---|
406 |
|
---|
407 | # Set resource limits for the user
|
---|
408 | session required pam_limits.so
|
---|
409 |
|
---|
410 | # Display date of last login - Disabled by default
|
---|
411 | #session optional pam_lastlog.so
|
---|
412 |
|
---|
413 | # Display the message of the day - Disabled by default
|
---|
414 | #session optional pam_motd.so
|
---|
415 |
|
---|
416 | # Check user's mail - Disabled by default
|
---|
417 | #session optional pam_mail.so standard quiet
|
---|
418 |
|
---|
419 | # include system session and password settings
|
---|
420 | session include system-session
|
---|
421 | password include system-password
|
---|
422 |
|
---|
423 | # End /etc/pam.d/login</literal>
|
---|
424 | EOF</userinput></screen>
|
---|
425 | </sect4>
|
---|
426 |
|
---|
427 | <sect4>
|
---|
428 | <title>'passwd'</title>
|
---|
429 |
|
---|
430 | <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
---|
431 | <literal># Begin /etc/pam.d/passwd
|
---|
432 |
|
---|
433 | password include system-password
|
---|
434 |
|
---|
435 | # End /etc/pam.d/passwd</literal>
|
---|
436 | EOF</userinput></screen>
|
---|
437 | </sect4>
|
---|
438 |
|
---|
439 | <sect4>
|
---|
440 | <title>'su'</title>
|
---|
441 |
|
---|
442 | <screen role="root"><userinput>cat > /etc/pam.d/su << "EOF"
|
---|
443 | <literal># Begin /etc/pam.d/su
|
---|
444 |
|
---|
445 | # always allow root
|
---|
446 | auth sufficient pam_rootok.so
|
---|
447 |
|
---|
448 | # Allow users in the wheel group to execute su without a password
|
---|
449 | # disabled by default
|
---|
450 | #auth sufficient pam_wheel.so trust use_uid
|
---|
451 |
|
---|
452 | # include system auth settings
|
---|
453 | auth include system-auth
|
---|
454 |
|
---|
455 | # limit su to users in the wheel group
|
---|
456 | # disabled by default
|
---|
457 | #auth required pam_wheel.so use_uid
|
---|
458 |
|
---|
459 | # include system account settings
|
---|
460 | account include system-account
|
---|
461 |
|
---|
462 | # Set default environment variables for the service user
|
---|
463 | session required pam_env.so
|
---|
464 |
|
---|
465 | # include system session settings
|
---|
466 | session include system-session
|
---|
467 |
|
---|
468 | # End /etc/pam.d/su</literal>
|
---|
469 | EOF</userinput></screen>
|
---|
470 | </sect4>
|
---|
471 |
|
---|
472 | <sect4>
|
---|
473 | <title>'chpasswd' and 'newusers'</title>
|
---|
474 |
|
---|
475 | <screen role="root"><userinput>cat > /etc/pam.d/chpasswd << "EOF"
|
---|
476 | <literal># Begin /etc/pam.d/chpasswd
|
---|
477 |
|
---|
478 | # always allow root
|
---|
479 | auth sufficient pam_rootok.so
|
---|
480 |
|
---|
481 | # include system auth and account settings
|
---|
482 | auth include system-auth
|
---|
483 | account include system-account
|
---|
484 | password include system-password
|
---|
485 |
|
---|
486 | # End /etc/pam.d/chpasswd</literal>
|
---|
487 | EOF
|
---|
488 |
|
---|
489 | sed -e s/chpasswd/newusers/ /etc/pam.d/chpasswd >/etc/pam.d/newusers</userinput></screen>
|
---|
490 | </sect4>
|
---|
491 |
|
---|
492 | <sect4>
|
---|
493 | <title>'chage'</title>
|
---|
494 |
|
---|
495 | <screen role="root"><userinput>cat > /etc/pam.d/chage << "EOF"
|
---|
496 | <literal># Begin /etc/pam.d/chage
|
---|
497 |
|
---|
498 | # always allow root
|
---|
499 | auth sufficient pam_rootok.so
|
---|
500 |
|
---|
501 | # include system auth and account settings
|
---|
502 | auth include system-auth
|
---|
503 | account include system-account
|
---|
504 |
|
---|
505 | # End /etc/pam.d/chage</literal>
|
---|
506 | EOF</userinput></screen>
|
---|
507 | </sect4>
|
---|
508 |
|
---|
509 | <sect4>
|
---|
510 | <title>Other shadow utilities</title>
|
---|
511 |
|
---|
512 | <screen role="root"><userinput>for PROGRAM in chfn chgpasswd chsh groupadd groupdel \
|
---|
513 | groupmems groupmod useradd userdel usermod
|
---|
514 | do
|
---|
515 | install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
|
---|
516 | sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
|
---|
517 | done</userinput></screen>
|
---|
518 |
|
---|
519 | <warning>
|
---|
520 | <para>
|
---|
521 | At this point, you should do a simple test to see if
|
---|
522 | <application>Shadow</application> is working as expected. Open
|
---|
523 | another terminal and log in as
|
---|
524 | <systemitem class="username">root</systemitem>, and then run
|
---|
525 | <command>login</command> and login as another user. If you do
|
---|
526 | not see any errors, then all is well and you should proceed with
|
---|
527 | the rest of the configuration. If you did receive errors, stop
|
---|
528 | now and double check the above configuration files manually.
|
---|
529 | Any error is the sign of an error in the above procedure.
|
---|
530 | You can also run the
|
---|
531 | test suite from the <application>Linux-PAM</application> package
|
---|
532 | to assist you in determining the problem. If you cannot find and
|
---|
533 | fix the error, you should recompile
|
---|
534 | <application>Shadow</application> adding the
|
---|
535 | <option>--without-libpam</option> switch to the
|
---|
536 | <command>configure</command> command in the above instructions
|
---|
537 | (also move the <filename>/etc/login.defs.orig</filename> backup
|
---|
538 | file to <filename>/etc/login.defs</filename>). If you fail to do
|
---|
539 | this and the errors remain, you will be unable to log into your
|
---|
540 | system.
|
---|
541 | </para>
|
---|
542 | </warning>
|
---|
543 | </sect4>
|
---|
544 |
|
---|
545 | <sect4 id="pam-access">
|
---|
546 | <title>Configuring Login Access</title>
|
---|
547 |
|
---|
548 | <para>
|
---|
549 | Instead of using the <filename>/etc/login.access</filename> file for
|
---|
550 | controlling access to the system, <application>Linux-PAM</application>
|
---|
551 | uses the <filename class='libraryfile'>pam_access.so</filename> module
|
---|
552 | along with the <filename>/etc/security/access.conf</filename> file.
|
---|
553 | Rename the <filename>/etc/login.access</filename> file using the
|
---|
554 | following command:
|
---|
555 | </para>
|
---|
556 |
|
---|
557 | <indexterm zone="shadow pam-access">
|
---|
558 | <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
|
---|
559 | </indexterm>
|
---|
560 | <!-- to editors: it is a common belief that:
|
---|
561 | if <condition>; then <command>; fi
|
---|
562 | is equivalent to:
|
---|
563 | <condition> && <command>
|
---|
564 | This is not true in bash; try:
|
---|
565 | ([ 0 = 1 ] && echo not reachable); echo $? # echoes 1
|
---|
566 | vs
|
---|
567 | (if [ 0 = 1 ]; then echo not reachable; fi); echo $? # echoes 0
|
---|
568 | So in scripts that may call subshells (for example through sudo) and
|
---|
569 | that need error reporting, the outcome _is_ different. In all
|
---|
570 | cases, for bash, the "if" form should be preferred.-->
|
---|
571 | <screen role="root"><userinput>if [ -f /etc/login.access ]; then mv -v /etc/login.access{,.NOUSE}; fi</userinput></screen>
|
---|
572 | </sect4>
|
---|
573 |
|
---|
574 | <sect4 id="pam-limits">
|
---|
575 | <title>Configuring Resource Limits</title>
|
---|
576 |
|
---|
577 | <para>
|
---|
578 | Instead of using the <filename>/etc/limits</filename> file for
|
---|
579 | limiting usage of system resources,
|
---|
580 | <application>Linux-PAM</application> uses the
|
---|
581 | <filename class='libraryfile'>pam_limits.so</filename> module along
|
---|
582 | with the <filename>/etc/security/limits.conf</filename> file. Rename
|
---|
583 | the <filename>/etc/limits</filename> file using the following command:
|
---|
584 | </para>
|
---|
585 |
|
---|
586 | <indexterm zone="shadow pam-limits">
|
---|
587 | <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
|
---|
588 | </indexterm>
|
---|
589 |
|
---|
590 | <screen role="root"><userinput>if [ -f /etc/limits ]; then mv -v /etc/limits{,.NOUSE}; fi</userinput></screen>
|
---|
591 |
|
---|
592 | <caution>
|
---|
593 | <para>
|
---|
594 | Be sure to test the login capabilities of the system before logging
|
---|
595 | out. Errors in the configuration can cause a permanent
|
---|
596 | lockout requiring a boot from an external source to correct the
|
---|
597 | problem.
|
---|
598 | </para>
|
---|
599 | </caution>
|
---|
600 |
|
---|
601 | </sect4>
|
---|
602 | </sect3>
|
---|
603 |
|
---|
604 | </sect2>
|
---|
605 |
|
---|
606 | <sect2 role="content">
|
---|
607 | <title>Contents</title>
|
---|
608 |
|
---|
609 | <para>
|
---|
610 | A list of the installed files, along with their short descriptions can be
|
---|
611 | found at
|
---|
612 | <ulink url="&lfs-root;/chapter08/shadow.html#contents-shadow"/>.
|
---|
613 | </para>
|
---|
614 |
|
---|
615 | </sect2>
|
---|
616 |
|
---|
617 | </sect1>
|
---|