source: postlfs/security/shadow.xml@ 0cd6d67

Last change on this file since 0cd6d67 was 0cd6d67, checked in by Randy McMurchy <randy@…>, 17 years ago

Modified configuration file index sorting tags in various packages so that the index is sorted properly

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3265 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
  "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;
]>

<sect1 id="shadow">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="shadow.html"?>
<title>Shadow-&shadow-version;</title>
<indexterm zone="shadow">
<primary sortas="a-Shadow">Shadow</primary></indexterm>

<!--
<sect2>
<title>Configuring shadow</title>

<para>Shadow's Configuration File</para>

<para><userinput>/etc/login.defs</userinput></para>

<para>Enabling <acronym>MD</acronym>5 Passwords</para>

<para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
<filename>login.defs</filename> file that reads:
<screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
to read:
<screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
Passwords created after this change will be encrypted using
<acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
<acronym>DES</acronym> encryption.
</para>
</sect2>
-->

<sect2>
<title>Introduction to <application>Shadow</application></title>

<para>Shadow was installed in <acronym>LFS</acronym> and there is
no reason to reinstall it unless you have installed
<application>Linux-<acronym>PAM</acronym></application>. If you have,
reinstalling <application>Shadow</application> allows programs like
<command>login</command> and <command>su</command> to utilize
<acronym>PAM</acronym>.</para>

<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Patch to fix linking against PAM:
<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para>
</listitem>
</itemizedlist>
</sect3>

<sect3><title><application>Shadow</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="Linux_PAM"/></para></sect4>
</sect3>
</sect2>

<sect2>
<title>Installation of <application>Shadow</application></title>

<para>Reinstall <application>Shadow</application> by running the following
commands:</para>

<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
    --enable-shared --with-libpam --without-libcrack &amp;&amp;
echo '#define HAVE_SETLOCALE 1' >> config.h &amp;&amp;
sed -i '/extern char/d' libmisc/xmalloc.c &amp;&amp;
make &amp;&amp;
make install &amp;&amp;
mv /bin/sg /usr/bin &amp;&amp;
mv /bin/vigr /usr/sbin &amp;&amp;
mv /usr/bin/passwd /bin &amp;&amp;
rm /bin/groups &amp;&amp;
mv /usr/lib/lib{misc,shadow}.so.0* /lib &amp;&amp;
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &amp;&amp;
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>

</sect2>

<sect2>
<title>Command explanations</title>

<para><parameter>--without-libcrack</parameter>: This switch tells
<application>Shadow</application> not to use
<filename class='libraryfile'>libcrack</filename>. This is desirable because
<application>Linux-<acronym>PAM</acronym></application> already contains
<filename class='libraryfile'>libcrack</filename>.</para>

<para><command>sed -i '/extern char/d' libmisc/xmalloc.c</command>: This
fixes a compilation problem when using <application>GCC</application>-3.4.x.
</para>

<!-- Leftover from older instructions????
<para><command>cp debian/securetty /etc/securetty</command>: This
command sets the ttys that allow logins through <acronym>PAM</acronym>.</para>
-->

</sect2>

<sect2>
<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to
work with <application>Shadow</application></title>

<sect3 id="pam.d"><title>Config files</title>
<para><filename>/etc/pam.d/login</filename>,
<filename>/etc/pam.d/passwd</filename>,
<filename>/etc/pam.d/su</filename>,
<filename>/etc/pam.d/shadow</filename>,
<filename>/etc/pam.d/useradd</filename>, and
<filename>/etc/pam.d/chage</filename> &ndash;
alternatively, <filename>/etc/pam.conf</filename></para>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.d">/etc/pam.d/</primary></indexterm>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.conf">/etc/pam.conf</primary></indexterm>
</sect3>

<sect3><title>Configuration Information</title>

<para>Add the following <application>Linux-<acronym>PAM</acronym></application>
configuration files to <filename class="directory">/etc/pam.d/</filename> (or
add them to <filename>/etc/pam.conf</filename> with the additional field for
the program).</para>

<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login

auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
account required pam_access.so
account required pam_unix.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
session required pam_unix.so

# End /etc/pam.d/login
<command>EOF
cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd

password required pam_unix.so md5 shadow

# End /etc/pam.d/passwd
<command>EOF
cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/shadow

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

# End /etc/pam.d/shadow
<command>EOF
cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/su

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so

# End /etc/pam.d/su
<command>EOF
cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/useradd

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

# End /etc/pam.d/useradd
<command>EOF
cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/chage

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

# End /etc/pam.d/chage
<command>EOF</command></userinput></screen>

<note><para>If you've installed <application>cracklib</application>, replace
<filename>/etc/pam.d/passwd</filename> with the following:</para></note>
<screen><userinput><command>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd

password required pam_cracklib.so \
    retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok

# End /etc/pam.d/passwd
<command>EOF</command></userinput></screen>

<warning><para>At this point, you should do a simple test to see if
<application>Shadow</application> is
working as expected. Open another terminal and log in as a user, then su to
root. If you do not see any errors, then all is well and you should
proceed with the rest of the configuration. If you did
receive errors, stop now and double check the above configuration files
manually. If you cannot find and fix the error, you should recompile
<application>Shadow</application> replacing
<parameter>--with-libpam</parameter> with
<parameter>--without-libpam</parameter> in the above
instructions. If you fail to do this and the errors remain, you
will be unable to log into your system.</para></warning>

<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use programs
that do not specifically have a configuration file of their own. After
testing <application>Linux-<acronym>PAM</acronym></application> for proper
configuration, it can be changed to the following:</para>

<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/other

auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
password required pam_deny.so
password required pam_warn.so

# End /etc/pam.d/other
<command>EOF</command></userinput></screen>
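
<para>As an added check that is not part of the book's instructions, the
following Python parses a PAM service stack such as the
<filename>/etc/pam.d/passwd</filename> and <filename>/etc/pam.d/other</filename>
files above and confirms two properties the text relies on: that the final
<filename>other</filename> stack denies every management group, and that the
password stack still hands new hashes to <filename>pam_unix.so</filename> with
the <parameter>shadow</parameter> option. Both stacks are embedded as
constructed copies so the script runs offline, and the function names are the
example's own.</para>

```python
# Added example, not from the BLFS book: parse the PAM stacks written above
# and check the two properties the text relies on. Both stacks below are
# constructed copies; a real audit would read them from /etc/pam.d instead.
PASSWD_CRACKLIB = """# Begin /etc/pam.d/passwd
password required pam_cracklib.so \\
    retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok
"""

OTHER_DENY = """# Begin /etc/pam.d/other
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
password required pam_deny.so
password required pam_warn.so
"""

def parse_pam_stack(text):
    """Return [(type, control, module, [args...])] for a /etc/pam.d file.

    Comments and blank lines are skipped and a trailing backslash joins the
    next physical line (the pam_cracklib entry above relies on this). A line
    with fewer than three fields raises ValueError, as PAM would reject it.
    """
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "  # entry continues on the next line
            continue
        ptype, control, module, *args = (pending + line).split()
        pending = ""
        entries.append((ptype, control, module, args))
    return entries

def is_deny_all(text):
    """True when auth, account, session and password all require pam_deny.so,
    i.e. the locked-down /etc/pam.d/other shown above."""
    denied = {ptype for ptype, control, module, _ in parse_pam_stack(text)
              if module == "pam_deny.so" and control == "required"}
    return denied == {"auth", "account", "session", "password"}

def password_uses_shadow(text):
    """True when the password group calls pam_unix.so with the shadow option,
    so new hashes are written to /etc/shadow rather than /etc/passwd."""
    return any(ptype == "password" and module == "pam_unix.so" and "shadow" in args
               for ptype, _, module, args in parse_pam_stack(text))
```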

<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
to the beginning of the following lines:</para>
<screen>LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE</screen>

<para>This stops <command>login</command> from performing these functions, as
they will now be performed by <acronym>PAM</acronym> modules. Additionally,
add a '#' to the beginning of the following lines if you've installed
<application>cracklib</application>:</para>
<screen>OBSCURE_CHECKS_ENAB
CRACKLIB_DICTPATH
PASS_CHANGE_TRIES
PASS_ALWAYS_WARN</screen>

</sect3>

</sect2>

</sect1>