Last change on this file since 024fb949 was 024fb949, checked in by Pierre Labastie <pierre.labastie@…>, 23 months ago

Returns to a more reasonable value of rounds in shadow

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
8 <!ENTITY shadow-download-ftp " ">
9 <!ENTITY shadow-md5sum "b1ab01b5462ddcf43588374d57bec123">
10 <!ENTITY shadow-size "1.7 MB">
11 <!ENTITY shadow-buildsize "45 MB">
12 <!ENTITY shadow-time "0.2 SBU">
13]>
14
15<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
16 <?dbhtml filename="shadow.html"?>
17
18 <sect1info>
19 <date>$Date$</date>
20 </sect1info>
21
22 <title>Shadow-&shadow-version;</title>
23
24 <indexterm zone="shadow">
25 <primary sortas="a-Shadow">Shadow</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to Shadow</title>
30
31 <para>
32 <application>Shadow</application> was indeed installed in LFS and there is
33 no reason to reinstall it unless you installed
34 <application>CrackLib</application> or
35 <application>Linux-PAM</application> after your LFS system was completed.
36 If you have installed <application>CrackLib</application> after LFS, then
37 reinstalling <application>Shadow</application> will enable strong password
38 support. If you have installed <application>Linux-PAM</application>,
39 reinstalling <application>Shadow</application> will allow programs such as
40 <command>login</command> and <command>su</command> to utilize PAM.
41 </para>
42
43 &lfs112_checked;
44
45 <bridgehead renderas="sect3">Package Information</bridgehead>
46 <itemizedlist spacing="compact">
47 <listitem>
48 <para>
49 Download (HTTP): <ulink url="&shadow-download-http;"/>
50 </para>
51 </listitem>
52 <listitem>
53 <para>
54 Download (FTP): <ulink url="&shadow-download-ftp;"/>
55 </para>
56 </listitem>
57 <listitem>
58 <para>
59 Download MD5 sum: &shadow-md5sum;
60 </para>
61 </listitem>
62 <listitem>
63 <para>
64 Download size: &shadow-size;
65 </para>
66 </listitem>
67 <listitem>
68 <para>
69 Estimated disk space required: &shadow-buildsize;
70 </para>
71 </listitem>
72 <listitem>
73 <para>
74 Estimated build time: &shadow-time;
75 </para>
76 </listitem>
77 </itemizedlist>
78<!--
79 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
80 <itemizedlist spacing="compact">
81 <listitem>
82 <para>
83 Required patch:
84 <ulink url="&patch-root;/shadow-&shadow-version;-useradd_segfault-1.patch"/>
85 </para>
86 </listitem>
87 </itemizedlist>
88-->
89 <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
90
91 <bridgehead renderas="sect4">Required</bridgehead>
92 <para role="required">
93 <xref linkend="linux-pam"/> or
94 <xref role="nodep" linkend="cracklib"/>
95 </para>
96
97 <para condition="html" role="usernotes">
98 User Notes: <ulink url="&blfs-wiki;/shadow"/>
99 </para>
100 </sect2>
101
102 <sect2 role="installation">
103 <title>Installation of Shadow</title>
104
105 <important>
106 <para>
107 The installation commands shown below are for installations where
108 <application>Linux-PAM</application> has been installed and
109 <application>Shadow</application> is being reinstalled to support the
110 <application>Linux-PAM</application> installation.
111 </para>
112
113 <para>
114 If you are reinstalling <application>Shadow</application> to provide
115 strong password support using the <application>CrackLib</application>
116 library without using <application>Linux-PAM</application>, ensure you
117 add the <parameter>--with-libcrack</parameter> parameter to the
118 <command>configure</command> script below and also issue the following
119 command:
120 </para>
121
122<screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
123 </important>
124
125 <para>
126 Reinstall <application>Shadow</application> by running the following
127 commands:
128 </para>
129<!--
130<screen><userinput>patch -Np1 -i ../shadow-4.10-useradd_segfault-1.patch &amp;&amp;
131
132sed -i "224s/rounds/min_rounds/" libmisc/salt.c &amp;&amp;
133-->
134<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
135
136find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
137find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
138find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &amp;&amp;
139
140sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
141 -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' \
142 -e 's@/var/spool/mail@/var/mail@' \
143 -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
144 -i etc/login.defs &amp;&amp;
145
146./configure --sysconfdir=/etc \
147 --disable-static \
148 --with-group-name-max-length=32 &amp;&amp;
149make</userinput></screen>
150
151 <para>
152 This package does not come with a test suite.
153 </para>
154
155 <para>
156 Now, as the <systemitem class="username">root</systemitem> user:
157 </para>
158
159<screen role="root"><userinput>make exec_prefix=/usr install</userinput></screen>
160
161 <para>
162 The man pages were installed in LFS, but if reinstallation is
163 desired, run (as the <systemitem class="username">root</systemitem> user):
164 </para>
165
166<screen role="root"><userinput>make -C man install-man</userinput></screen>
167
168 </sect2>
169
170 <sect2 role="commands">
171 <title>Command Explanations</title>
172
173 <para>
174 <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
175 is used to suppress the installation of the <command>groups</command>
176 program as the version from the <application>Coreutils</application>
177 package installed during LFS is preferred.
178 </para>
179
180 <para>
181 <command>find man -name Makefile.in -exec ... {} \;</command>: The
182 first command is used to suppress the installation of the
183 <command>groups</command> man pages so the existing ones installed from
184 the <application>Coreutils</application> package are not replaced.
185 The two other commands prevent installation of manual pages that
186 are already installed by <application>Man-pages</application> in LFS.
187 </para>
188
189 <para>
190 <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
191 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' -e
192 's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
193 -i etc/login.defs</command>: Instead of using the default 'DES'
194 method, this command modifies the installation to use the more secure
195 'SHA512' method of hashing passwords, which also allows passwords
196 longer than eight characters. The number of rounds is also increased
197 from 5000 to 500000, which slows down brute force attacks against the
198 password hashes. The command also changes the obsolete
199 <filename class="directory">/var/spool/mail</filename> location for
200 user mailboxes that <application>Shadow</application> uses by default
201 to the <filename class="directory">/var/mail</filename> location. It
202 also changes the default path to be consistent with that set in LFS.
203 </para>
204<!--
205 <para>
206 <command>sed ... libmisc/salt.c</command> and
207 <command>sed ... libsubid/Makefile.am</command>: Fix a couple of errors
208 that were found after the package was released.
209 </para>
210-->
211 <para>
212 <parameter>--with-group-name-max-length=32</parameter>: The maximum
213 length of a user name is 32 characters. This makes the maximum group name length the same.
214 </para>
215<!--
216 <para>
217 <parameter>-\-without-su</parameter>: Don't reinstall
218 <command>su</command> because upstream recommends using the
219 <command>su</command> command from <xref linkend='util-linux'/>
220 when <application>Linux-PAM</application> is available.
221 </para>
222-->
223 </sect2>
224
225<!-- Now, /etc/default/useradd is not reinstalled anymore, and this
226 configuration has been done in lfs
227 <sect2 role="configuration">
228 <title>Configuring Shadow</title>
229
230 <para>
231 <application>Shadow</application>'s stock configuration for the
232 <command>useradd</command> utility may not be desirable for your
233 installation. One default parameter causes <command>useradd</command> to
234 create a mailbox file for any newly created user.
235 <command>useradd</command> will make the group ownership of this file to
236 the <systemitem class="groupname">mail</systemitem> group with 0660
237 permissions. If you would prefer that these mailbox files are not created
238 by <command>useradd</command>, issue the following command as the
239 <systemitem class="username">root</systemitem> user:
240 </para>
241
242<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
243 </sect2>
244-->
245 <sect2 role="configuration">
246 <title>Configuring Linux-PAM to Work with Shadow</title>
247
248 <note>
249 <para>
250 The rest of this page is devoted to configuring
251 <application>Shadow</application> to work properly with
252 <application>Linux-PAM</application>. If you do not have
253 <application>Linux-PAM</application> installed, and you reinstalled
254 <application>Shadow</application> to support strong passwords via the
255 <application>CrackLib</application> library, no further configuration is
256 required.
257 </para>
258 </note>
259
260 <sect3 id="pam.d">
261 <title>Config Files</title>
262
263 <para>
264 <filename>/etc/pam.d/*</filename> or alternatively
265 <filename>/etc/pam.conf</filename>,
266 <filename>/etc/login.defs</filename> and
267 <filename>/etc/security/*</filename>
268 </para>
269
270 <indexterm zone="shadow pam.d">
271 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
272 </indexterm>
273
274 <indexterm zone="shadow pam.d">
275 <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
276 </indexterm>
277
278 <indexterm zone="shadow pam.d">
279 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
280 </indexterm>
281
282 <indexterm zone="shadow pam.d">
283 <primary sortas="e-etc-security">/etc/security/*</primary>
284 </indexterm>
285 </sect3>
286
287 <sect3>
288 <title>Configuration Information</title>
289
290 <para>
291 Configuring your system to use <application>Linux-PAM</application> can
292 be a complex task. The information below will provide a basic setup so
293 that <application>Shadow</application>'s login and password
294 functionality will work effectively with
295 <application>Linux-PAM</application>. Review the information and links
296 on the <xref linkend="linux-pam"/> page for further configuration
297 information. For information specific to integrating
298 <application>Shadow</application>, <application>Linux-PAM</application>
299 and <application>libpwquality</application>, you can visit the
300 following link:
301 </para>
302
303 <itemizedlist spacing="compact">
304 <listitem>
305 <!-- Old URL redirects to here. -->
306 <para>
307 <ulink url="https://deer-run.com/users/hal/linux_passwords_pam.html"/>
308 </para>
309 </listitem>
310 </itemizedlist>
311
312 <sect4 id="pam-login-defs">
313 <title>Configuring /etc/login.defs</title>
314
315 <para>
316 The <command>login</command> program currently performs many functions
317 which <application>Linux-PAM</application> modules should now handle.
318 The following <command>sed</command> command will comment out the
319 appropriate lines in <filename>/etc/login.defs</filename>, and stop
320 <command>login</command> from performing these functions (a backup
321 file named <filename>/etc/login.defs.orig</filename> is also created
322 to preserve the original file's contents). Issue the following
323 commands as the <systemitem class="username">root</systemitem> user:
324 </para>
325
326 <indexterm zone="shadow pam-login-defs">
327 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
328 </indexterm>
329
330<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
331for FUNCTION in FAIL_DELAY \
332 FAILLOG_ENAB \
333 LASTLOG_ENAB \
334 MAIL_CHECK_ENAB \
335 OBSCURE_CHECKS_ENAB \
336 PORTTIME_CHECKS_ENAB \
337 QUOTAS_ENAB \
338 CONSOLE MOTD_FILE \
339 FTMP_FILE NOLOGINS_FILE \
340 ENV_HZ PASS_MIN_LEN \
341 SU_WHEEL_ONLY \
342 CRACKLIB_DICTPATH \
343 PASS_CHANGE_TRIES \
344 PASS_ALWAYS_WARN \
345 CHFN_AUTH ENCRYPT_METHOD \
346 ENVIRON_FILE
347do
348 sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
349done</userinput></screen>
350 </sect4>
351
352 <sect4>
353 <title>Configuring the /etc/pam.d/ Files</title>
354
355 <para>
356 As mentioned previously in the <application>Linux-PAM</application>
357 instructions, <application>Linux-PAM</application> has two supported
358 methods for configuration. The commands below assume that you've
359 chosen to use a directory based configuration, where each program has
360 its own configuration file. You can optionally use a single
361 <filename>/etc/pam.conf</filename> configuration file by using the
362 text from the files below, and supplying the program name as an
363 additional first field for each line.
364 </para>
365
366 <para>
367 As the <systemitem class="username">root</systemitem> user, create
368 the following <application>Linux-PAM</application> configuration files
369 in the <filename class="directory">/etc/pam.d/</filename> directory
370 (or add the contents to the <filename>/etc/pam.conf</filename> file)
371 using the following commands:
372 </para>
373 </sect4>
374
375 <sect4>
376 <title>'login'</title>
377
378<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
379<literal># Begin /etc/pam.d/login
380
381# Set failure delay before next prompt to 3 seconds
382auth optional pam_faildelay.so delay=3000000
383
384# Check to make sure that the user is allowed to login
385auth requisite pam_nologin.so
386
387# Check to make sure that root is allowed to login
388# Disabled by default. You will need to create /etc/securetty
389# file for this module to function. See man 5 securetty.
390#auth required pam_securetty.so
391
392# Additional group memberships - disabled by default
393#auth optional pam_group.so
394
395# include system auth settings
396auth include system-auth
397
398# check access for the user
399account required pam_access.so
400
401# include system account settings
402account include system-account
403
404# Set default environment variables for the user
405session required pam_env.so
406
407# Set resource limits for the user
408session required pam_limits.so
409
410# Display date of last login - Disabled by default
411#session optional pam_lastlog.so
412
413# Display the message of the day - Disabled by default
414#session optional pam_motd.so
415
416# Check user's mail - Disabled by default
417#session optional pam_mail.so standard quiet
418
419# include system session and password settings
420session include system-session
421password include system-password
422
423# End /etc/pam.d/login</literal>
424EOF</userinput></screen>
425 </sect4>
426
427 <sect4>
428 <title>'passwd'</title>
429
430<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
431<literal># Begin /etc/pam.d/passwd
432
433password include system-password
434
435# End /etc/pam.d/passwd</literal>
436EOF</userinput></screen>
437 </sect4>
438
439 <sect4>
440 <title>'su'</title>
441
442<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
443<literal># Begin /etc/pam.d/su
444
445# always allow root
446auth sufficient pam_rootok.so
447
448# Allow users in the wheel group to execute su without a password
449# disabled by default
450#auth sufficient pam_wheel.so trust use_uid
451
452# include system auth settings
453auth include system-auth
454
455# limit su to users in the wheel group
456# disabled by default
457#auth required pam_wheel.so use_uid
458
459# include system account settings
460account include system-account
461
462# Set default environment variables for the service user
463session required pam_env.so
464
465# include system session settings
466session include system-session
467
468# End /etc/pam.d/su</literal>
469EOF</userinput></screen>
470 </sect4>
471
472 <sect4>
473 <title>'chpasswd' and 'newusers'</title>
474
475<screen role="root"><userinput>cat &gt; /etc/pam.d/chpasswd &lt;&lt; "EOF"
476<literal># Begin /etc/pam.d/chpasswd
477
478# always allow root
479auth sufficient pam_rootok.so
480
481# include system auth and account settings
482auth include system-auth
483account include system-account
484password include system-password
485
486# End /etc/pam.d/chpasswd</literal>
487EOF
488
489sed -e s/chpasswd/newusers/ /etc/pam.d/chpasswd >/etc/pam.d/newusers</userinput></screen>
490 </sect4>
491
492 <sect4>
493 <title>'chage'</title>
494
495<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
496<literal># Begin /etc/pam.d/chage
497
498# always allow root
499auth sufficient pam_rootok.so
500
501# include system auth and account settings
502auth include system-auth
503account include system-account
504
505# End /etc/pam.d/chage</literal>
506EOF</userinput></screen>
507 </sect4>
508
509 <sect4>
510 <title>Other shadow utilities</title>
511
512<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chsh groupadd groupdel \
513 groupmems groupmod useradd userdel usermod
514do
515 install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
516 sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
517done</userinput></screen>
518
519 <warning>
520 <para>
521 At this point, you should do a simple test to see if
522 <application>Shadow</application> is working as expected. Open
523 another terminal and log in as
524 <systemitem class="username">root</systemitem>, and then run
525 <command>login</command> and login as another user. If you do
526 not see any errors, then all is well and you should proceed with
527 the rest of the configuration. If you did receive errors, stop
528 now and double check the above configuration files manually.
529 Any error indicates a mistake in the above procedure.
530 You can also run the
531 test suite from the <application>Linux-PAM</application> package
532 to assist you in determining the problem. If you cannot find and
533 fix the error, you should recompile
534 <application>Shadow</application> adding the
535 <option>--without-libpam</option> switch to the
536 <command>configure</command> command in the above instructions
537 (also move the <filename>/etc/login.defs.orig</filename> backup
538 file to <filename>/etc/login.defs</filename>). If you fail to do
539 this and the errors remain, you will be unable to log into your
540 system.
541 </para>
542 </warning>
543 </sect4>
544
545 <sect4 id="pam-access">
546 <title>Configuring Login Access</title>
547
548 <para>
549 Instead of using the <filename>/etc/login.access</filename> file for
550 controlling access to the system, <application>Linux-PAM</application>
551 uses the <filename class='libraryfile'>pam_access.so</filename> module
552 along with the <filename>/etc/security/access.conf</filename> file.
553 Rename the <filename>/etc/login.access</filename> file using the
554 following command:
555 </para>
556
557 <indexterm zone="shadow pam-access">
558 <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
559 </indexterm>
560<!-- to editors: it is a common belief that:
561 if <condition>; then <command>; fi
562 is equivalent to:
563 <condition> && <command>
564 This is not true in bash; try:
565 ([ 0 = 1 ] && echo not reachable); echo $? # echoes 1
566 vs
567 (if [ 0 = 1 ]; then echo not reachable; fi); echo $? # echoes 0
568 So in scripts that may call subshells (for example through sudo) and
569 that need error reporting, the outcome _is_ different. In all
570 cases, for bash, the "if" form should be preferred.-->
571<screen role="root"><userinput>if [ -f /etc/login.access ]; then mv -v /etc/login.access{,.NOUSE}; fi</userinput></screen>
572 </sect4>
573
574 <sect4 id="pam-limits">
575 <title>Configuring Resource Limits</title>
576
577 <para>
578 Instead of using the <filename>/etc/limits</filename> file for
579 limiting usage of system resources,
580 <application>Linux-PAM</application> uses the
581 <filename class='libraryfile'>pam_limits.so</filename> module along
582 with the <filename>/etc/security/limits.conf</filename> file. Rename
583 the <filename>/etc/limits</filename> file using the following command:
584 </para>
585
586 <indexterm zone="shadow pam-limits">
587 <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
588 </indexterm>
589
590<screen role="root"><userinput>if [ -f /etc/limits ]; then mv -v /etc/limits{,.NOUSE}; fi</userinput></screen>
591
592 <caution>
593 <para>
594 Be sure to test the login capabilities of the system before logging
595 out. Errors in the configuration can cause a permanent
596 lockout requiring a boot from an external source to correct the
597 problem.
598 </para>
599 </caution>
600
601 </sect4>
602 </sect3>
603
604 </sect2>
605
606 <sect2 role="content">
607 <title>Contents</title>
608
609 <para>
610 A list of the installed files, along with their short descriptions can be
611 found at
612 <ulink url="&lfs-root;/chapter08/shadow.html#contents-shadow"/>.
613 </para>
614
615 </sect2>
616
617</sect1>