source: postlfs/security/shadow.xml@ 0bb2be7c

10.0 10.1 11.0 7.10 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 ken/refactor-virt krejzi/svn lazarus nosym perl-modules qt5new systemd-11177 systemd-13485 trunk upgradedb xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since 0bb2be7c was 0bb2be7c, checked in by Bruce Dubbs <bdubbs@…>, 8 years ago

Allow installation of all man pages in shadow

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@12500 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 22.5 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY shadow-download-http "http://cdn.debian.net/debian/pool/main/s/shadow//shadow_&shadow-version;.orig.tar.gz">
8 <!ENTITY shadow-download-ftp " ">
9 <!ENTITY shadow-md5sum "ae66de9953f840fb3a97f6148bc39a30">
10 <!ENTITY shadow-size "3.4 MB">
11 <!ENTITY shadow-buildsize "38 MB">
12 <!ENTITY shadow-time "0.3 SBU">
13]>
14
15<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
16 <?dbhtml filename="shadow.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Shadow-&shadow-version;</title>
24
25 <indexterm zone="shadow">
26 <primary sortas="a-Shadow">Shadow</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Shadow</title>
31
32 <para>
33 <application>Shadow</application> was indeed installed in LFS and there is
34 no reason to reinstall it unless you installed
35 <application>CrackLib</application> or
36 <application>Linux-PAM</application> after your LFS system was completed.
37 If you have installed <application>CrackLib</application> after LFS, then
38 reinstalling <application>Shadow</application> will enable strong password
39 support. If you have installed <application>Linux-PAM</application>,
40 reinstalling <application>Shadow</application> will allow programs such as
41 <command>login</command> and <command>su</command> to utilize PAM.
42 </para>
43
44 &lfs74_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&shadow-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&shadow-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &shadow-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &shadow-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &shadow-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &shadow-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
81
82 <bridgehead renderas="sect4">Required</bridgehead>
83 <para role="required">
84 <xref linkend="linux-pam"/> or
85 <xref linkend="cracklib"/>
86 </para>
87
88 <para condition="html" role="usernotes">
89 User Notes: <ulink url="&blfs-wiki;/shadow"/>
90 </para>
91 </sect2>
92
93 <sect2 role="installation">
94 <title>Installation of Shadow</title>
95
96 <important>
97 <para>
98 The installation commands shown below are for installations where
99 <application>Linux-PAM</application> has been installed (with or
100 without a <application>CrackLib</application> installation) and
101 <application>Shadow</application> is being reinstalled to support the
102 <application>Linux-PAM</application> installation.
103 </para>
104
105 <para>
106 If you are reinstalling <application>Shadow</application> to provide
107 strong password support using the <application>CrackLib</application>
108 library without using <application>Linux-PAM</application>, ensure you
109 add the <parameter>--with-libcrack</parameter> parameter to the
110 <command>configure</command> script below and also issue the following
111 command:
112 </para>
113
114<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
115 </important>
116
117 <para>
118 Reinstall <application>Shadow</application> by running the following
119 commands:
120 </para>
121
122<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
123find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
124
125sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
126 -e 's@/var/spool/mail@/var/mail@' etc/login.defs &amp;&amp;
127
128sed -i -e 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&amp;:/usr/local/sbin:/usr/local/bin@' \
129 -e 's@PATH=/bin:/usr/bin@&amp;:/usr/local/bin@' etc/login.defs &amp;&amp;
130
131./configure --prefix=/usr --sysconfdir=/etc &amp;&amp;
132make</userinput></screen>
133
134 <para>
135 This package does not come with a test suite.
136 </para>
137
138 <para>
139 Now, as the <systemitem class="username">root</systemitem> user:
140 </para>
141
142<screen role="root"><userinput>make install &amp;&amp;
143mv -v /usr/bin/passwd /bin</userinput></screen>
144 </sect2>
145
146 <sect2 role="commands">
147 <title>Command Explanations</title>
148
149 <para>
150 <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
151 is used to suppress the installation of the <command>groups</command>
152 program as the version from the <application>Coreutils</application>
153 package installed during LFS is preferred.
154 </para>
155
156 <para>
157 <command>find man -name Makefile.in -exec ... {} \;</command>: This
158 command is used to suppress the installation of the
159 <command>groups</command> man pages so the existing ones installed from
160 the <application>Coreutils</application> package are not replaced.
161 </para>
162
163 <para>
164 <command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
165 's@/var/spool/mail@/var/mail@' etc/login.defs</command>: Instead of using
166 the default 'DES' method, this command modifies the installation to use
167 the more secure 'SHA512' method of hashing passwords, which also allows
168 passwords longer than eight characters. It also changes the obsolete
169 <filename class="directory">/var/spool/mail</filename> location for user
170 mailboxes that <application>Shadow</application> uses by default to the
171 <filename class="directory">/var/mail</filename> location.
172 </para>
173
174 <para>
175 <command>sed -i -e
176 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&amp;:/usr/local/sbin:/usr/local/bin@'
177 -e 's@PATH=/bin:/usr/bin@&amp;:/usr/local/bin@' etc/login.defs</command>:
178 This sed expands PATH to
179 <filename class="directory">/usr/local/bin</filename> for normal and
180 <systemitem class="username">root</systemitem> user and to
181 <filename class="directory">/usr/local/sbin</filename> for
182 <systemitem class="username">root</systemitem> user only.
183 </para>
184
185 <para>
186 <command>mv -v /usr/bin/passwd /bin</command>: The
187 <command>passwd</command> program may be needed during times when the
188 <filename class='directory'>/usr</filename> filesystem is not mounted so
189 it is moved into the root partition.
190 </para>
191 </sect2>
192
193 <sect2 role="configuration">
194 <title>Configuring Shadow</title>
195
196 <para>
197 <application>Shadow</application>'s stock configuration for the
198 <command>useradd</command> utility may not be desirable for your
199 installation. One default parameter causes <command>useradd</command> to
200 create a mailbox file for any newly created user.
201 <command>useradd</command> will make the group ownership of this file to
202 the <systemitem class="groupname">mail</systemitem> group with 0660
203 permissions. If you would prefer that these mailbox files are not created
204 by <command>useradd</command>, issue the following command as the
205 <systemitem class="username">root</systemitem> user:
206 </para>
207
208<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
209 </sect2>
210
211 <sect2 role="configuration">
212 <title>Configuring Linux-PAM to Work with Shadow</title>
213
214 <note>
215 <para>
216 The rest of this page is devoted to configuring
217 <application>Shadow</application> to work properly with
218 <application>Linux-PAM</application>. If you do not have
219 <application>Linux-PAM</application> installed, and you reinstalled
220 <application>Shadow</application> to support strong passwords via the
221 <application>CrackLib</application> library, no further configuration is
222 required.
223 </para>
224 </note>
225
226 <sect3 id="pam.d">
227 <title>Config Files</title>
228
229 <para>
230 <filename>/etc/pam.d/*</filename> or alternatively
231 <filename>/etc/pam.conf</filename>,
232 <filename>/etc/login.defs</filename> and
233 <filename>/etc/security/*</filename>
234 </para>
235
236 <indexterm zone="shadow pam.d">
237 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
238 </indexterm>
239
240 <indexterm zone="shadow pam.d">
241 <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
242 </indexterm>
243
244 <indexterm zone="shadow pam.d">
245 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
246 </indexterm>
247
248 <indexterm zone="shadow pam.d">
249 <primary sortas="e-etc-security">/etc/security/*</primary>
250 </indexterm>
251 </sect3>
252
253 <sect3>
254 <title>Configuration Information</title>
255
256 <para>
257 Configuring your system to use <application>Linux-PAM</application> can
258 be a complex task. The information below will provide a basic setup so
259 that <application>Shadow</application>'s login and password
260 functionality will work effectively with
261 <application>Linux-PAM</application>. Review the information and links
262 on the <xref linkend="linux-pam"/> page for further configuration
263 information. For information specific to integrating
264 <application>Shadow</application>, <application>Linux-PAM</application>
265 and <application>CrackLib</application>, you can visit the following
266 link:
267 </para>
268
269 <itemizedlist spacing="compact">
270 <listitem>
271 <para>
272 <ulink url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/>
273 </para>
274 </listitem>
275 </itemizedlist>
276
277 <sect4 id="pam-login-defs">
278 <title>Configuring /etc/login.defs</title>
279
280 <para>
281 The <command>login</command> program currently performs many functions
282 which <application>Linux-PAM</application> modules should now handle.
283 The following <command>sed</command> command will comment out the
284 appropriate lines in <filename>/etc/login.defs</filename>, and stop
285 <command>login</command> from performing these functions (a backup
286 file named <filename>/etc/login.defs.orig</filename> is also created
287 to preserve the original file's contents). Issue the following
288 commands as the <systemitem class="username">root</systemitem> user:
289 </para>
290
291 <indexterm zone="shadow pam-login-defs">
292 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
293 </indexterm>
294
295<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
296for FUNCTION in FAIL_DELAY FAILLOG_ENAB \
297 LASTLOG_ENAB \
298 MAIL_CHECK_ENAB \
299 OBSCURE_CHECKS_ENAB \
300 PORTTIME_CHECKS_ENAB \
301 QUOTAS_ENAB \
302 CONSOLE MOTD_FILE \
303 FTMP_FILE NOLOGINS_FILE \
304 ENV_HZ PASS_MIN_LEN \
305 SU_WHEEL_ONLY \
306 CRACKLIB_DICTPATH \
307 PASS_CHANGE_TRIES \
308 PASS_ALWAYS_WARN \
309 CHFN_AUTH ENCRYPT_METHOD \
310 ENVIRON_FILE
311do
312 sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
313done</userinput></screen>
314 </sect4>
315
316 <sect4>
317 <title>Configuring the /etc/pam.d/ Files</title>
318
319 <para>
320 As mentioned previously in the <application>Linux-PAM</application>
321 instructions, <application>Linux-PAM</application> has two supported
322 methods for configuration. The commands below assume that you've
323 chosen to use a directory based configuration, where each program has
324 its own configuration file. You can optionally use a single
325 <filename>/etc/pam.conf</filename> configuration file by using the
326 text from the files below, and supplying the program name as an
327 additional first field for each line.
328 </para>
329
330 <para>
331 As the <systemitem class="username">root</systemitem> user, replace
332 the following <application>Linux-PAM</application> configuration files
333 in the <filename class="directory">/etc/pam.d/</filename> directory
334 (or add the contents to the <filename>/etc/pam.conf</filename> file)
335 using the following commands:
336 </para>
337 </sect4>
338
339 <sect4>
340 <title>'system-account'</title>
341
342<screen role="root"><userinput>cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF"
343<literal># Begin /etc/pam.d/system-account
344
345account required pam_unix.so
346
347# End /etc/pam.d/system-account</literal>
348EOF</userinput></screen>
349 </sect4>
350
351 <sect4>
352 <title>'system-auth'</title>
353
354<screen role="root"><userinput>cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF"
355<literal># Begin /etc/pam.d/system-auth
356
357auth required pam_unix.so
358
359# End /etc/pam.d/system-auth</literal>
360EOF</userinput></screen>
361 </sect4>
362
363 <sect4>
364 <title>'system-passwd' (with cracklib)</title>
365
366<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
367<literal># Begin /etc/pam.d/system-password
368
369# check new passwords for strength (man pam_cracklib)
370password required pam_cracklib.so type=Linux retry=3 difok=5 \
371 difignore=23 minlen=9 dcredit=1 \
372 ucredit=1 lcredit=1 ocredit=1 \
373 dictpath=/lib/cracklib/pw_dict
374# use sha512 hash for encryption, use shadow, and use the
375# authentication token (chosen password) set by pam_cracklib
376# above (or any previous modules)
377password required pam_unix.so sha512 shadow use_authtok
378
379# End /etc/pam.d/system-password</literal>
380EOF</userinput></screen>
381
382 <note>
383 <para>
384 In its default configuration, owing to credits, pam_cracklib will
385 allow multiple case passwords as short as 6 characters, even with
386 the <parameter>minlen</parameter> value set to 11. You should review
387 the pam_cracklib(8) man page and determine if these default values
388 are acceptable for the security of your system.
389 </para>
390 </note>
391 </sect4>
392
393 <sect4>
394 <title>'system-passwd' (without cracklib)</title>
395
396<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
397<literal># Begin /etc/pam.d/system-password
398
399# use sha512 hash for encryption, use shadow, and try to use any previously
400# defined authentication token (chosen password) set by any prior module
401password required pam_unix.so sha512 shadow try_first_pass
402
403# End /etc/pam.d/system-password</literal>
404EOF</userinput></screen>
405 </sect4>
406
407 <sect4>
408 <title>'system-session'</title>
409
410<screen role="root"><userinput>cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
411<literal># Begin /etc/pam.d/system-session
412
413session required pam_unix.so
414
415# End /etc/pam.d/system-session</literal>
416EOF</userinput></screen>
417 </sect4>
418
419 <sect4>
420 <title>'login'</title>
421
422<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
423<literal># Begin /etc/pam.d/login
424
425# Set failure delay before next prompt to 3 seconds
426auth optional pam_faildelay.so delay=3000000
427
428# Check to make sure that the user is allowed to login
429auth requisite pam_nologin.so
430
431# Check to make sure that root is allowed to login
432# Disabled by default. You will need to create /etc/securetty
433# file for this module to function. See man 5 securetty.
434#auth required pam_securetty.so
435
436# Additional group memberships - disabled by default
437#auth optional pam_group.so
438
439# include the default auth settings
440auth include system-auth
441
442# check access for the user
443account required pam_access.so
444
445# include the default account settings
446account include system-account
447
448# Set default environment variables for the user
449session required pam_env.so
450
451# Set resource limits for the user
452session required pam_limits.so
453
454# Display date of last login - Disabled by default
455#session optional pam_lastlog.so
456
457# Display the message of the day - Disabled by default
458#session optional pam_motd.so
459
460# Check user's mail - Disabled by default
461#session optional pam_mail.so standard quiet
462
463# include the default session and password settings
464session include system-session
465password include system-password
466
467# End /etc/pam.d/login</literal>
468EOF</userinput></screen>
469 </sect4>
470
471 <sect4>
472 <title>'passwd'</title>
473
474<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
475<literal># Begin /etc/pam.d/passwd
476
477password include system-password
478
479# End /etc/pam.d/passwd</literal>
480EOF</userinput></screen>
481 </sect4>
482
483 <sect4>
484 <title>'su'</title>
485
486<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
487<literal># Begin /etc/pam.d/su
488
489# always allow root
490auth sufficient pam_rootok.so
491auth include system-auth
492
493# include the default account settings
494account include system-account
495
496# Set default environment variables for the service user
497session required pam_env.so
498
499# include system session defaults
500session include system-session
501
502# End /etc/pam.d/su</literal>
503EOF</userinput></screen>
504 </sect4>
505
506 <sect4>
507 <title>'chage'</title>
508
509<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
510<literal>#Begin /etc/pam.d/chage
511
512# always allow root
513auth sufficient pam_rootok.so
514
515# include system defaults for auth account and session
516auth include system-auth
517account include system-account
518session include system-session
519
520# Always permit for authentication updates
521password required pam_permit.so
522
523# End /etc/pam.d/chage</literal>
524EOF</userinput></screen>
525 </sect4>
526
527 <sect4>
528 <title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 'groupdel',
529 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
530 'usermod'</title>
531
532<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
533 groupmems groupmod newusers useradd userdel usermod
534do
535 install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
536 sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
537done</userinput></screen>
538
539 <warning>
540 <para>
541 At this point, you should do a simple test to see if
542 <application>Shadow</application> is working as expected. Open
543 another terminal and log in as a user, then <command>su</command> to
544 <systemitem class="username">root</systemitem>. If you do not see
545 any errors, then all is well and you should proceed with the rest of
546 the configuration. If you did receive errors, stop now and double
547 check the above configuration files manually. You can also run the
548 test suite from the <application>Linux-PAM</application> package to
549 assist you in determining the problem. If you cannot find and fix
550 the error, you should recompile <application>Shadow</application>
551 adding the <option>--without-libpam</option> switch to the
552 <command>configure</command> command in the above instructions (also
553 move the <filename>/etc/login.defs.orig</filename> backup file to
554 <filename>/etc/login.defs</filename>). If you fail to do this and
555 the errors remain, you will be unable to log into your system.
556 </para>
557 </warning>
558 </sect4>
559
560 <sect4>
561 <title>Other</title>
562
563 <para>
564 Currently, <filename>/etc/pam.d/other</filename> is configured to
565 allow anyone with an account on the machine to use PAM-aware programs
566 without a configuration file for that program. After testing
567 <application>Linux-PAM</application> for proper configuration, install
568 a more restrictive <filename>other</filename> file so that
569 program-specific configuration files are required:
570 </para>
571
572<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
573<literal># Begin /etc/pam.d/other
574
575auth required pam_warn.so
576auth required pam_deny.so
577account required pam_warn.so
578account required pam_deny.so
579password required pam_warn.so
580password required pam_deny.so
581session required pam_warn.so
582session required pam_deny.so
583
584# End /etc/pam.d/other</literal>
585EOF</userinput></screen>
586 </sect4>
587
588 <sect4 id="pam-access">
589 <title>Configuring Login Access</title>
590
591 <para>
592 Instead of using the <filename>/etc/login.access</filename> file for
593 controlling access to the system, <application>Linux-PAM</application>
594 uses the <filename class='libraryfile'>pam_access.so</filename> module
595 along with the <filename>/etc/security/access.conf</filename> file.
596 Rename the <filename>/etc/login.access</filename> file using the
597 following command:
598 </para>
599
600 <indexterm zone="shadow pam-access">
601 <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
602 </indexterm>
603
604<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
605 </sect4>
606
607 <sect4 id="pam-limits">
608 <title>Configuring Resource Limits</title>
609
610 <para>
611 Instead of using the <filename>/etc/limits</filename> file for
612 limiting usage of system resources,
613 <application>Linux-PAM</application> uses the
614 <filename class='libraryfile'>pam_limits.so</filename> module along
615 with the <filename>/etc/security/limits.conf</filename> file. Rename
616 the <filename>/etc/limits</filename> file using the following command:
617 </para>
618
619 <indexterm zone="shadow pam-limits">
620 <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
621 </indexterm>
622
623<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>
624 </sect4>
625 </sect3>
626 </sect2>
627
628 <sect2 role="content">
629 <title>Contents</title>
630
631 <para>
632 A list of the installed files, along with their short descriptions can be
633 found at <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.
634 </para>
635
636 </sect2>
637
638</sect1>
Note: See TracBrowser for help on using the repository browser.