source: postlfs/security/shadow.xml@ 0f870c5

Last change on this file since 0f870c5 was 45ab6c7, checked in by Xi Ruoyao <xry111@…>, 3 years ago

more SVN prop clean up

Remove "$LastChanged$" everywhere, and also some unused $Date$

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
  <!ENTITY shadow-download-ftp  " ">
  <!ENTITY shadow-md5sum        "4b05eff8a427cf50e615bda324b5bc45">
  <!ENTITY shadow-size          "1.5 MB">
  <!ENTITY shadow-buildsize     "33 MB">
  <!ENTITY shadow-time          "0.2 SBU">
]>

<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
  <?dbhtml filename="shadow.html"?>

  <sect1info>
    <date>$Date$</date>
  </sect1info>

  <title>Shadow-&shadow-version;</title>

  <indexterm zone="shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Shadow</title>

    <para>
      <application>Shadow</application> was indeed installed in LFS and there is
      no reason to reinstall it unless you installed
      <application>CrackLib</application> or
      <application>Linux-PAM</application> after your LFS system was completed.
      If you have installed <application>CrackLib</application> after LFS, then
      reinstalling <application>Shadow</application> will enable strong password
      support. If you have installed <application>Linux-PAM</application>,
      reinstalling <application>Shadow</application> will allow programs such as
      <command>login</command> and <command>su</command> to utilize PAM.
    </para>

    &lfs101_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&shadow-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&shadow-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &shadow-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &shadow-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &shadow-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &shadow-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="linux-pam"/> or
      <xref role="nodep" linkend="cracklib"/>
    </para>

    <para condition="html" role="usernotes">
      User Notes: <ulink url="&blfs-wiki;/shadow"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Shadow</title>

    <important>
      <para>
        The installation commands shown below are for installations where
        <application>Linux-PAM</application> has been installed and
        <application>Shadow</application> is being reinstalled to support the
        <application>Linux-PAM</application> installation.
      </para>

      <para>
        If you are reinstalling <application>Shadow</application> to provide
        strong password support using the <application>CrackLib</application>
        library without using <application>Linux-PAM</application>, ensure you
        add the <parameter>--with-libcrack</parameter> parameter to the
        <command>configure</command> script below and also issue the following
        command:
      </para>

<screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
    </important>

    <para>
      Reinstall <application>Shadow</application> by running the following
      commands:
    </para>

<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;

find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &amp;&amp;

sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
    -e 's@/var/spool/mail@/var/mail@' \
    -i etc/login.defs &amp;&amp;

sed -i 's/1000/999/' etc/useradd &amp;&amp;

./configure --sysconfdir=/etc --with-group-name-max-length=32 &amp;&amp;
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
      is used to suppress the installation of the <command>groups</command>
      program as the version from the <application>Coreutils</application>
      package installed during LFS is preferred.
    </para>

    <para>
      <command>find man -name Makefile.in -exec ... {} \;</command>: This
      command is used to suppress the installation of the
      <command>groups</command> man pages so the existing ones installed from
      the <application>Coreutils</application> package are not replaced.
    </para>

    <para>
      <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
      's@/var/spool/mail@/var/mail@' -i etc/login.defs</command>: Instead of using
      the default 'DES' method, this command modifies the installation to use
      the more secure 'SHA512' method of hashing passwords, which also allows
      passwords longer than eight characters. It also changes the obsolete
      <filename class="directory">/var/spool/mail</filename> location for user
      mailboxes that <application>Shadow</application> uses by default to the
      <filename class="directory">/var/mail</filename> location.
    </para>
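
    <para>
      Added example (not part of the BLFS book): a shell audit that reads
      ENCRYPT_METHOD from a login.defs file and lists the accounts in a
      shadow-format file whose usable password is hashed with a different
      algorithm, since changing ENCRYPT_METHOD only affects passwords set
      afterwards and existing hashes keep their old algorithm until the next
      password change. The function names and both sample files are constructed
      for the example.
    </para>

```shell
#!/bin/sh
# Added example, not part of the BLFS book. Audits which password hashing
# algorithm login.defs asks for and which ones a shadow-format file actually
# contains. Sample data below is constructed, not taken from a real system.

# login_defs_value FILE KEY: print the value of KEY; commented lines start
# with '#', so their first field never equals KEY. Last definition wins.
login_defs_value() {
  awk -v key="$2" '$1 == key { v = $2; found = 1 }
                   END { if (found) print v; exit !found }' "$1"
}

# hash_algo HASHFIELD: classify the second field of a shadow entry by the
# crypt(3) prefix; a field without a '$' prefix is a traditional DES hash.
hash_algo() {
  case $1 in
    '')            echo empty ;;     # no password: login without one
    '!'*|'*')      echo locked ;;    # locked account or no valid hash
    '$6$'*)        echo sha512 ;;
    '$5$'*)        echo sha256 ;;
    '$1$'*)        echo md5 ;;
    '$2'[aby]'$'*) echo bcrypt ;;
    '$y$'*)        echo yescrypt ;;
    '$'*)          echo unknown ;;
    *)             echo des ;;
  esac
}

# weak_hash_accounts SHADOWFILE WANTED: print "user algorithm" for every
# account that can log in with a password not hashed with WANTED.
weak_hash_accounts() {
  while IFS=: read -r user hash rest; do
    algo=$(hash_algo "$hash")
    [ "$algo" = locked ] && continue
    [ "$algo" = "$2" ] || echo "$user $algo"
  done < "$1"
}

# audit_sample: run the audit over constructed login.defs and shadow files.
# Expected output: alice and bob still use old hashes, guest has no password.
audit_sample() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' '#ENCRYPT_METHOD DES' 'ENCRYPT_METHOD SHA512' 'UMASK 022' \
    > "$dir/login.defs"
  printf '%s\n' \
    'root:$6$constructed$notarealhash:19000:0:99999:7:::' \
    'alice:$1$constructed$notarealhash:19000:0:99999:7:::' \
    'bob:XXconstructedDES:19000:0:99999:7:::' \
    'svc:!:19000:0:99999:7:::' \
    'guest::19000:0:99999:7:::' \
    > "$dir/shadow"
  wanted=$(login_defs_value "$dir/login.defs" ENCRYPT_METHOD | tr 'A-Z' 'a-z')
  weak_hash_accounts "$dir/shadow" "$wanted"
  rm -rf "$dir"
}

audit_sample
```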

    <para>
      <command>sed -i 's/1000/999/' etc/useradd</command>: This minor change
      makes the <command>useradd</command> defaults consistent with the LFS
      groups file.
    </para>
180 <para>
181 <parameter>--with-group-name-max-length=32</parameter>: The maximum
182 user name is 32 characters. Make the maximum group name the same.
183 </para>
184
185 <!-- No longer needed as of 4.8
186 <para>
187 <command>mv -v /usr/bin/passwd /bin</command>: The
188 <command>passwd</command> program may be needed during times when the
189 <filename class='directory'>/usr</filename> filesystem is not mounted so
190 it is moved into the root partition.
191 </para>
192 -->
193
194 </sect2>
195
196 <sect2 role="configuration">
197 <title>Configuring Shadow</title>
198
199 <para>
200 <application>Shadow</application>'s stock configuration for the
201 <command>useradd</command> utility may not be desirable for your
202 installation. One default parameter causes <command>useradd</command> to
203 create a mailbox file for any newly created user.
      <command>useradd</command> sets the group ownership of this file to
      the <systemitem class="groupname">mail</systemitem> group, with 0660
      permissions. If you would prefer that these mailbox files are not created
      by <command>useradd</command>, issue the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Linux-PAM to Work with Shadow</title>

    <note>
      <para>
        The rest of this page is devoted to configuring
        <application>Shadow</application> to work properly with
        <application>Linux-PAM</application>. If you do not have
        <application>Linux-PAM</application> installed, and you reinstalled
        <application>Shadow</application> to support strong passwords via the
        <application>CrackLib</application> library, no further configuration is
        required.
      </para>
    </note>

    <sect3 id="pam.d">
      <title>Config Files</title>

      <para>
        <filename>/etc/pam.d/*</filename> or alternatively
        <filename>/etc/pam.conf</filename>,
        <filename>/etc/login.defs</filename> and
        <filename>/etc/security/*</filename>
      </para>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-security">/etc/security/*</primary>
      </indexterm>
    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        Configuring your system to use <application>Linux-PAM</application> can
        be a complex task. The information below will provide a basic setup so
        that <application>Shadow</application>'s login and password
        functionality will work effectively with
        <application>Linux-PAM</application>. Review the information and links
        on the <xref linkend="linux-pam"/> page for further configuration
        information. For information specific to integrating
        <application>Shadow</application>, <application>Linux-PAM</application>
        and <application>libpwquality</application>, you can visit the
        following link:
      </para>

      <itemizedlist spacing="compact">
        <listitem>
          <!-- New URL for the below link, according to its author. -->
          <para>
            <ulink url="http://www.deer-run.com/~hal/linux_passwords_pam.html"/>
          </para>
        </listitem>
      </itemizedlist>

      <sect4 id="pam-login-defs">
        <title>Configuring /etc/login.defs</title>

        <para>
          The <command>login</command> program currently performs many functions
          which <application>Linux-PAM</application> modules should now handle.
          The following <command>sed</command> command will comment out the
          appropriate lines in <filename>/etc/login.defs</filename>, and stop
          <command>login</command> from performing these functions (a backup
          file named <filename>/etc/login.defs.orig</filename> is also created
          to preserve the original file's contents). Issue the following
          commands as the <systemitem class="username">root</systemitem> user:
        </para>

        <indexterm zone="shadow pam-login-defs">
          <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
        </indexterm>

<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
for FUNCTION in FAIL_DELAY               \
                FAILLOG_ENAB             \
                LASTLOG_ENAB             \
                MAIL_CHECK_ENAB          \
                OBSCURE_CHECKS_ENAB      \
                PORTTIME_CHECKS_ENAB     \
                QUOTAS_ENAB              \
                CONSOLE MOTD_FILE        \
                FTMP_FILE NOLOGINS_FILE  \
                ENV_HZ PASS_MIN_LEN      \
                SU_WHEEL_ONLY            \
                CRACKLIB_DICTPATH        \
                PASS_CHANGE_TRIES        \
                PASS_ALWAYS_WARN         \
                CHFN_AUTH ENCRYPT_METHOD \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
done</userinput></screen>
      </sect4>

      <sect4>
        <title>Configuring the /etc/pam.d/ Files</title>

        <para>
          As mentioned previously in the <application>Linux-PAM</application>
          instructions, <application>Linux-PAM</application> has two supported
          methods for configuration. The commands below assume that you've
          chosen to use a directory based configuration, where each program has
          its own configuration file. You can optionally use a single
          <filename>/etc/pam.conf</filename> configuration file by using the
          text from the files below, and supplying the program name as an
          additional first field for each line.
        </para>

        <para>
          As the <systemitem class="username">root</systemitem> user, create
          the following <application>Linux-PAM</application> configuration files
          in the <filename class="directory">/etc/pam.d/</filename> directory
          (or add the contents to the <filename>/etc/pam.conf</filename> file)
          using the following commands:
        </para>
      </sect4>

      <sect4>
        <title>'login'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth     required    pam_securetty.so

# Additional group memberships - disabled by default
#auth     optional    pam_group.so

# include system auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include system account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display date of last login - Disabled by default
#session  optional    pam_lastlog.so

# Display the message of the day - Disabled by default
#session  optional    pam_motd.so

# Check user's mail - Disabled by default
#session  optional    pam_mail.so      standard quiet

# include system session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'passwd'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'su'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so

# Allow users in the wheel group to execute su without a password
# disabled by default
#auth     sufficient  pam_wheel.so trust use_uid

# include system auth settings
auth      include     system-auth

# limit su to users in the wheel group
auth      required    pam_wheel.so use_uid

# include system account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session settings
session   include     system-session

# End /etc/pam.d/su</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'chage'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system auth, account, and session settings
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required    pam_permit.so

# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>Other common programs</title>
        <!--<title>'chfn', 'chgpasswd', 'chpasswd', 'chsh', 'groupadd', 'groupdel',
        'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
        'usermod'</title>-->

<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done</userinput></screen>

        <warning>
          <para>
            At this point, you should do a simple test to see if
            <application>Shadow</application> is working as expected. Open
            another terminal and log in as a user, then <command>su</command> to
            <systemitem class="username">root</systemitem>. If you do not see
            any errors, then all is well and you should proceed with the rest of
            the configuration. If you did receive errors, stop now and double
            check the above configuration files manually. One obvious reason
            for an error is if the user is not in group <systemitem
            class="groupname">wheel</systemitem>. You may want to run (as
            <systemitem class="username">root</systemitem>): <command>usermod
            -a -G wheel <replaceable>&lt;user&gt;</replaceable></command>.
            Any other error is the sign of an error in the above procedure.
            You can also run the test suite from the
            <application>Linux-PAM</application> package to assist you in
            determining the problem. If you cannot find and fix the error, you
            should recompile <application>Shadow</application> adding the
            <option>--without-libpam</option> switch to the
            <command>configure</command> command in the above instructions (also
            move the <filename>/etc/login.defs.orig</filename> backup file to
            <filename>/etc/login.defs</filename>). If you fail to do this and
            the errors remain, you will be unable to log into your system.
          </para>
        </warning>
      </sect4>
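
      <para>
        Added example (not part of the BLFS book): a small shell model of how
        Linux-PAM walks the auth stack of the su file above, showing why a user
        who is not in the wheel group is refused even with the correct password,
        which is the failure the warning describes. It assumes the included
        system-auth file amounts to one required pam_unix.so line, since that
        file is not shown here; the function names are constructed.
      </para>

```shell
#!/bin/sh
# Added example, not part of the BLFS book. A small model of how Linux-PAM
# walks one management group (here the "auth" lines of /etc/pam.d/su) so the
# effect of the control flags is visible. ASSUMPTION: "auth include
# system-auth" is stood in for by one required pam_unix.so line; the real
# system-auth file is not shown on this page.

# The auth stack from /etc/pam.d/su above, as "control module" lines.
su_auth_stack() {
  printf '%s\n' 'sufficient pam_rootok.so' \
                'required   pam_unix.so' \
                'required   pam_wheel.so'
}

# pam_eval MODULE=ok|fail ...: read "control module" lines from stdin and
# print the overall result. Modules not named in the arguments fail.
pam_eval() {
  failed=no; passed=no
  while read -r control module args; do
    case $control in ''|'#'*) continue ;; esac
    result=fail
    for kv in "$@"; do
      if [ "${kv%%=*}" = "$module" ]; then result=${kv#*=}; fi
    done
    case $control in
      required)   # failure is recorded but the rest of the stack still runs
        if [ "$result" = ok ]; then passed=yes; else failed=yes; fi ;;
      requisite)  # failure stops the stack at once
        if [ "$result" = ok ]; then passed=yes; else echo fail; return 1; fi ;;
      sufficient) # success ends the stack, unless a required module failed earlier
        if [ "$result" = ok ] && [ "$failed" = no ]; then echo ok; return 0; fi ;;
      optional)   # counts only when it is the sole module; ignored here
        ;;
    esac
  done
  if [ "$failed" = no ] && [ "$passed" = yes ]; then echo ok; return 0; fi
  echo fail; return 1
}

# root: pam_rootok.so succeeds and is sufficient, so no password is asked.
su_as_root()       { su_auth_stack | pam_eval pam_rootok.so=ok; }
# wheel member with the correct password: both required modules pass.
su_as_wheel_user() { su_auth_stack | pam_eval pam_unix.so=ok pam_wheel.so=ok; }
# correct password but not in wheel: pam_wheel.so is required, so su is denied,
# the "user is not in group wheel" failure the warning above describes.
su_as_other_user() { su_auth_stack | pam_eval pam_unix.so=ok; }

for case_fn in su_as_root su_as_wheel_user su_as_other_user; do
  printf '%s: %s\n' "$case_fn" "$($case_fn)"
done
```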

      <sect4 id="pam-access">
        <title>Configuring Login Access</title>

        <para>
          Instead of using the <filename>/etc/login.access</filename> file for
          controlling access to the system, <application>Linux-PAM</application>
          uses the <filename class='libraryfile'>pam_access.so</filename> module
          along with the <filename>/etc/security/access.conf</filename> file.
          Rename the <filename>/etc/login.access</filename> file using the
          following command:
        </para>

        <indexterm zone="shadow pam-access">
          <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
      </sect4>

      <sect4 id="pam-limits">
        <title>Configuring Resource Limits</title>

        <para>
          Instead of using the <filename>/etc/limits</filename> file for
          limiting usage of system resources,
          <application>Linux-PAM</application> uses the
          <filename class='libraryfile'>pam_limits.so</filename> module along
          with the <filename>/etc/security/limits.conf</filename> file. Rename
          the <filename>/etc/limits</filename> file using the following command:
        </para>

        <indexterm zone="shadow pam-limits">
          <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>

        <caution>
          <para>
            Be sure to test the login capabilities of the system before logging
            out. Errors in the configuration can cause a permanent
            lockout requiring a boot from an external source to correct the
            problem.
          </para>
        </caution>

      </sect4>
    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <para>
      A list of the installed files, along with their short descriptions can be
      found at
      <phrase revision="sysv">
        <ulink url="&lfs-root;/chapter08/shadow.html#contents-shadow"/></phrase>
      <phrase revision="systemd">
        <ulink url="&lfs-rootd;/chapter08/shadow.html#contents-shadow"/></phrase>.
    </para>

  </sect2>

</sect1>