Context Navigation

shadow.xml@ 0ef1837

Visit:

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 0ef1837 was 8f9c9862, checked in by DJ Lucas <dj@…>, 19 years ago

Updated to Linux-PAM-0.78 and added testing note to shadow instructions

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3045 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 8.7 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6	]>
7
8	<sect1 id="shadow">
9	<sect1info>
10	<othername>$LastChangedBy$</othername>
11	<date>$Date$</date>
12	</sect1info>
13	<?dbhtml filename="shadow.html"?>
14	<title>Shadow-&shadow-version;</title>
15
16	<!--
17	<sect2>
18	<title>Configuring shadow</title>
19
20	<para>Shadow's Configuration File</para>
21
22	<para><userinput>/etc/login.defs</userinput></para>
23
24	<para>Enabling <acronym>MD</acronym>5 Passwords</para>
25
26	<para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
27	<filename>login.defs</filename> file that reads:
28	<screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
29	to read:
30	<screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
31	Passwords created after this change will be encrypted using
32	<acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
33	<acronym>DES</acronym> encryption.
34	</para>
35	</sect2>
36	-->
37
38	<sect2>
39	<title>Introduction to <application>Shadow</application></title>
40
41	<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
42	no reason to reinstall it unless you installed
43	<application>Linux-<acronym>PAM</acronym></application>. If you did,
44	this will allow programs like <command>login</command> and
45	<command>su</command> to utilize
46	<acronym>PAM</acronym>.</para>
47
48	<sect3><title>Additional downloads</title>
49	<itemizedlist spacing='compact'>
50	<listitem><para>Patch to fix linking against PAM:
51	<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
52	</itemizedlist>
53	</sect3>
54
55	<sect3><title><application>Shadow</application> dependencies</title>
56	<sect4><title>Required</title>
57	<para><xref linkend="Linux_PAM"/></para></sect4>
58	</sect3>
59	</sect2>
60
61	<sect2>
62	<title>Installation of <application>Shadow</application></title>
63
64	<para>Reinstall <application>Shadow</application> by running the following
65	commands:</para>
66
67	<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &&
68	LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
69	--enable-shared --with-libpam --without-libcrack &&
70	echo '#define HAVE_SETLOCALE 1' >> config.h &&
71	sed -i '/extern char/d' libmisc/xmalloc.c &&
72	make &&
73	make install &&
74	mv /bin/sg /usr/bin &&
75	mv /bin/vigr /usr/sbin &&
76	mv /usr/bin/passwd /bin &&
77	rm /bin/groups &&
78	mv /usr/lib/lib{misc,shadow}.so.0* /lib &&
79	ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
80	ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
81
82	</sect2>
83
84	<sect2>
85	<title>Command explanations</title>
86
87	<para><parameter>--without-libcrack</parameter>: This switch tells
88	<application>Shadow</application> not to use
89	<filename class='libraryfile'>libcrack</filename>. This is desired as
90	<application>Linux-<acronym>PAM</acronym></application> already contains
91	<filename class='libraryfile'>libcrack</filename>.</para>
92
93	<para><command>sed -i '/extern char/d' libmisc/xmalloc.c</command>: This
94	fixes a compilation problem when using <application>GCC</application>-3.4.x.
95	</para>
96
97	<!-- Leftover from older instructions????
98	<para><command>cp debian/securetty /etc/securetty</command>: This
99	command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
100	-->
101
102	</sect2>
103
104	<sect2>
105	<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to work
106	with <application>Shadow</application></title>
107
108	<sect3><title>Config files</title>
109	<para><filename>/etc/pam.d/login</filename>,
110	<filename>/etc/pam.d/passwd</filename>,
111	<filename>/etc/pam.d/su</filename>,
112	<filename>/etc/pam.d/shadow</filename>,
113	<filename>/etc/pam.d/useradd</filename>, and
114	<filename>/etc/pam.d/chage</filename> –
115	alternatively, <filename>/etc/pam.conf</filename></para>
116	</sect3>
117
118	<sect3><title>Configuration Information</title>
119
120	<para>Add the following <application>Linux-<acronym>PAM</acronym></application>
121	configuration files to <filename class="directory">/etc/pam.d/</filename> (or
122	add them to <filename>/etc/pam.conf</filename> with the additional field for
123	the program).</para>
124
125	<screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command>
126	# Begin /etc/pam.d/login
127
128	auth requisite pam_securetty.so
129	auth requisite pam_nologin.so
130	auth required pam_env.so
131	auth required pam_unix.so
132	account required pam_access.so
133	account required pam_unix.so
134	session required pam_motd.so
135	session required pam_limits.so
136	session optional pam_mail.so dir=/var/mail standard
137	session optional pam_lastlog.so
138	session required pam_unix.so
139
140	# End /etc/pam.d/login
141	<command>EOF
142	cat > /etc/pam.d/passwd << "EOF"</command>
143	# Begin /etc/pam.d/passwd
144
145	password required pam_unix.so md5 shadow
146
147	# End /etc/pam.d/passwd
148	<command>EOF
149	cat > /etc/pam.d/shadow << "EOF"</command>
150	# Begin /etc/pam.d/shadow
151
152	auth sufficient pam_rootok.so
153	auth required pam_unix.so
154	account required pam_unix.so
155	session required pam_unix.so
156	password required pam_permit.so
157
158	# End /etc/pam.d/shadow
159	<command>EOF
160	cat > /etc/pam.d/su << "EOF"</command>
161	# Begin /etc/pam.d/su
162
163	auth sufficient pam_rootok.so
164	auth required pam_unix.so
165	account required pam_unix.so
166	session required pam_unix.so
167
168	# End /etc/pam.d/su
169	<command>EOF
170	cat > /etc/pam.d/useradd << "EOF"</command>
171	# Begin /etc/pam.d/useradd
172
173	auth sufficient pam_rootok.so
174	auth required pam_unix.so
175	account required pam_unix.so
176	session required pam_unix.so
177	password required pam_permit.so
178
179	# End /etc/pam.d/useradd
180	<command>EOF
181	cat > /etc/pam.d/chage << "EOF"</command>
182	# Begin /etc/pam.d/chage
183
184	auth sufficient pam_rootok.so
185	auth required pam_unix.so
186	account required pam_unix.so
187	session required pam_unix.so
188	password required pam_permit.so
189
190	# End /etc/pam.d/chage
191	<command>EOF</command></userinput></screen>
192
193	<note><para>If you've installed <application>cracklib</application>, replace
194	<filename>/etc/pam.d/passwd</filename> with the following:</para></note>
195	<screen><userinput><command>cat > /etc/pam.d/passwd << "EOF"</command>
196	# Begin /etc/pam.d/passwd
197
198	password required pam_cracklib.so \
199	retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
200	password required pam_unix.so md5 shadow use_authtok
201
202	# End /etc/pam.d/passwd
203	<command>EOF</command></userinput></screen>
204
205	<note><para>At this point, you should do a simple test to see if
206	<application>Shadow</application> is
207	working as expected. Open another term and login as a user, then su to
208	to root. If you do not see any errors, then all is well and you should
209	proceed with the rest of the configuration. If you did
210	receive errors, stop now and double check the above configuration files
211	manually. If you cannot find, and fix the error, you should recopile
212	shadow replacing <envar>--with-libpam</envar> with
213	<envar>--without-libpam</envar> in the above
214	instructions. If you fail to do this and the errors remain, you
215	will be unable to log into your system.</para></note>
216
217	<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
218	allow anyone with an account on the machine to use programs
219	that do not specifically have a configuration file of their own. After
220	testing <application>Linux-<acronym>PAM</acronym></application> for proper
221	configuration, it can be changed to the following:</para>
222
223	<screen><userinput><command>cat > /etc/pam.d/other << "EOF"</command>
224	# Begin /etc/pam.d/other
225
226	auth required pam_deny.so
227	auth required pam_warn.so
228	account required pam_deny.so
229	session required pam_deny.so
230	password required pam_deny.so
231	password required pam_warn.so
232
233	# End /etc/pam.d/other
234	<command>EOF</command></userinput></screen>
235
236	<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
237	to the beginning of the following lines:</para>
238	<screen>LASTLOG_ENAB
239	MAIL_CHECK_ENAB
240	PORTTIME_CHECKS_ENAB
241	CONSOLE
242	MOTD_FILE
243	NOLOGINS_FILE
244	PASS_MIN_LEN
245	SU_WHEEL_ONLY
246	MD5_CRYPT_ENAB
247	CONSOLE_GROUPS
248	ENVIRON_FILE</screen>
249
250	<para>This stops <command>login</command> from performing these functions, as
251	they will now be performed by <acronym>PAM</acronym> modules. Additionally,
252	add a '#' to the beginning of the following lines if you've installed
253	<application>cracklib</application>:</para>
254	<screen>OBSCURE_CHECKS_ENAB
255	CRACKLIB_DICTPATH
256	PASS_CHANGE_TRIES
257	PASS_ALWAYS_WARN</screen>
258
259	</sect3>
260
261	</sect2>
262
263	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/shadow.xml@ 0ef1837

Download in other formats: