source: postlfs/security/shadow.xml@ 11fdc11f

11.0 ken/refactor-virt lazarus qt5new trunk upgradedb
Last change on this file since 11fdc11f was 11fdc11f, checked in by Bruce Dubbs <bdubbs@…>, 4 months ago

Fix shadow URL and stats

  • Property mode set to 100644
File size: 20.5 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/v&shadow-version;/shadow-&shadow-version;.tar.xz">
8 <!ENTITY shadow-download-ftp " ">
9 <!ENTITY shadow-md5sum "126924090caf72f3de7e9261fd4e10ac">
10 <!ENTITY shadow-size "1.6 MB">
11 <!ENTITY shadow-buildsize "40 MB">
12 <!ENTITY shadow-time "0.3 SBU">
13]>
14
15<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
16 <?dbhtml filename="shadow.html"?>
17
18 <sect1info>
19 <date>$Date$</date>
20 </sect1info>
21
22 <title>Shadow-&shadow-version;</title>
23
24 <indexterm zone="shadow">
25 <primary sortas="a-Shadow">Shadow</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to Shadow</title>
30
31 <para>
32 <application>Shadow</application> was indeed installed in LFS and there is
33 no reason to reinstall it unless you installed
34 <application>CrackLib</application> or
35 <application>Linux-PAM</application> after your LFS system was completed.
36 If you have installed <application>CrackLib</application> after LFS, then
37 reinstalling <application>Shadow</application> will enable strong password
38 support. If you have installed <application>Linux-PAM</application>,
39 reinstalling <application>Shadow</application> will allow programs such as
40 <command>login</command> and <command>su</command> to utilize PAM.
41 </para>
42
43 &lfs101_checked;
44
45 <bridgehead renderas="sect3">Package Information</bridgehead>
46 <itemizedlist spacing="compact">
47 <listitem>
48 <para>
49 Download (HTTP): <ulink url="&shadow-download-http;"/>
50 </para>
51 </listitem>
52 <listitem>
53 <para>
54 Download (FTP): <ulink url="&shadow-download-ftp;"/>
55 </para>
56 </listitem>
57 <listitem>
58 <para>
59 Download MD5 sum: &shadow-md5sum;
60 </para>
61 </listitem>
62 <listitem>
63 <para>
64 Download size: &shadow-size;
65 </para>
66 </listitem>
67 <listitem>
68 <para>
69 Estimated disk space required: &shadow-buildsize;
70 </para>
71 </listitem>
72 <listitem>
73 <para>
74 Estimated build time: &shadow-time;
75 </para>
76 </listitem>
77 </itemizedlist>
78
79 <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
80
81 <bridgehead renderas="sect4">Required</bridgehead>
82 <para role="required">
83 <xref linkend="linux-pam"/> or
84 <xref role="nodep" linkend="cracklib"/>
85 </para>
86
87 <para condition="html" role="usernotes">
88 User Notes: <ulink url="&blfs-wiki;/shadow"/>
89 </para>
90 </sect2>
91
92 <sect2 role="installation">
93 <title>Installation of Shadow</title>
94
95 <important>
96 <para>
97 The installation commands shown below are for installations where
98 <application>Linux-PAM</application> has been installed and
99 <application>Shadow</application> is being reinstalled to support the
100 <application>Linux-PAM</application> installation.
101 </para>
102
103 <para>
104 If you are reinstalling <application>Shadow</application> to provide
105 strong password support using the <application>CrackLib</application>
106 library without using <application>Linux-PAM</application>, ensure you
107 add the <parameter>--with-libcrack</parameter> parameter to the
108 <command>configure</command> script below and also issue the following
109 command:
110 </para>
111
112<screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
113 </important>
114
115 <para>
116 Reinstall <application>Shadow</application> by running the following
117 commands:
118 </para>
119
120<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
121
122find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
123find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
124find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &amp;&amp;
125
126sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
127 -e 's@/var/spool/mail@/var/mail@' \
128 -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
129 -i etc/login.defs &amp;&amp;
130
131sed -i.orig '/$(LIBTCB)/i $(LIBPAM) \\' libsubid/Makefile.am &amp;&amp;
132sed -i "224s/rounds/min_rounds/" libmisc/salt.c &amp;&amp;
133
134autoreconf -fiv &amp;&amp;
135
136./configure --sysconfdir=/etc --with-group-name-max-length=32 &amp;&amp;
137make</userinput></screen>
138
139 <para>
140 This package does not come with a test suite.
141 </para>
142
143 <para>
144 Now, as the <systemitem class="username">root</systemitem> user:
145 </para>
146
147<screen role="root"><userinput>make exec_prefix=/usr install</userinput></screen>
148
149 </sect2>
150
151 <sect2 role="commands">
152 <title>Command Explanations</title>
153
154 <para>
155 <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
156 is used to suppress the installation of the <command>groups</command>
157 program as the version from the <application>Coreutils</application>
158 package installed during LFS is preferred.
159 </para>
160
161 <para>
162 <command>find man -name Makefile.in -exec ... {} \;</command>: This
163 command is used to suppress the installation of the
164 <command>groups</command> man pages so the existing ones installed from
165 the <application>Coreutils</application> package are not replaced.
166 </para>
167
168 <para>
169 <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
170 's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
171 -i etc/login.defs</command>: Instead of using
172 the default 'DES' method, this command modifies the installation to use
173 the more secure 'SHA512' method of hashing passwords, which also allows
174 passwords longer than eight characters. It also changes the obsolete
175 <filename class="directory">/var/spool/mail</filename> location for user
176 mailboxes that <application>Shadow</application> uses by default to the
177 <filename class="directory">/var/mail</filename> location. It also
178 changes the default path to be consistent with that set in LFS.
179 </para>
180
181 <para>
182 <command>sed ... libmisc/salt.c</command> and
183 <command>sed ... libsubid/Makefile.am</command>: Fix a couple of errors
184 that were found after the package was released.
185 </para>
186
187 <para>
188 <parameter>--with-group-name-max-length=32</parameter>: The maximum
189 user name is 32 characters. Make the maximum group name the same.
190 </para>
191
192 <!-- No longer needed as of 4.8
193 <para>
194 <command>mv -v /usr/bin/passwd /bin</command>: The
195 <command>passwd</command> program may be needed during times when the
196 <filename class='directory'>/usr</filename> filesystem is not mounted so
197 it is moved into the root partition.
198 </para>
199 -->
200
201 </sect2>
202
203 <sect2 role="configuration">
204 <title>Configuring Shadow</title>
205
206 <para>
207 <application>Shadow</application>'s stock configuration for the
208 <command>useradd</command> utility may not be desirable for your
209 installation. One default parameter causes <command>useradd</command> to
210 create a mailbox file for any newly created user.
211 <command>useradd</command> will make the group ownership of this file to
212 the <systemitem class="groupname">mail</systemitem> group with 0660
213 permissions. If you would prefer that these mailbox files are not created
214 by <command>useradd</command>, issue the following command as the
215 <systemitem class="username">root</systemitem> user:
216 </para>
217
218<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
219 </sect2>
220
221 <sect2 role="configuration">
222 <title>Configuring Linux-PAM to Work with Shadow</title>
223
224 <note>
225 <para>
226 The rest of this page is devoted to configuring
227 <application>Shadow</application> to work properly with
228 <application>Linux-PAM</application>. If you do not have
229 <application>Linux-PAM</application> installed, and you reinstalled
230 <application>Shadow</application> to support strong passwords via the
231 <application>CrackLib</application> library, no further configuration is
232 required.
233 </para>
234 </note>
235
236 <sect3 id="pam.d">
237 <title>Config Files</title>
238
239 <para>
240 <filename>/etc/pam.d/*</filename> or alternatively
241 <filename>/etc/pam.conf</filename>,
242 <filename>/etc/login.defs</filename> and
243 <filename>/etc/security/*</filename>
244 </para>
245
246 <indexterm zone="shadow pam.d">
247 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
248 </indexterm>
249
250 <indexterm zone="shadow pam.d">
251 <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
252 </indexterm>
253
254 <indexterm zone="shadow pam.d">
255 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
256 </indexterm>
257
258 <indexterm zone="shadow pam.d">
259 <primary sortas="e-etc-security">/etc/security/*</primary>
260 </indexterm>
261 </sect3>
262
263 <sect3>
264 <title>Configuration Information</title>
265
266 <para>
267 Configuring your system to use <application>Linux-PAM</application> can
268 be a complex task. The information below will provide a basic setup so
269 that <application>Shadow</application>'s login and password
270 functionality will work effectively with
271 <application>Linux-PAM</application>. Review the information and links
272 on the <xref linkend="linux-pam"/> page for further configuration
273 information. For information specific to integrating
274 <application>Shadow</application>, <application>Linux-PAM</application>
275 and <application>libpwquality</application>, you can visit the
276 following link:
277 </para>
278
279 <itemizedlist spacing="compact">
280 <listitem>
281 <!-- New URL for the below link, according to it's author. -->
282 <para>
283 <ulink url="http://www.deer-run.com/~hal/linux_passwords_pam.html"/>
284 </para>
285 </listitem>
286 </itemizedlist>
287
288 <sect4 id="pam-login-defs">
289 <title>Configuring /etc/login.defs</title>
290
291 <para>
292 The <command>login</command> program currently performs many functions
293 which <application>Linux-PAM</application> modules should now handle.
294 The following <command>sed</command> command will comment out the
295 appropriate lines in <filename>/etc/login.defs</filename>, and stop
296 <command>login</command> from performing these functions (a backup
297 file named <filename>/etc/login.defs.orig</filename> is also created
298 to preserve the original file's contents). Issue the following
299 commands as the <systemitem class="username">root</systemitem> user:
300 </para>
301
302 <indexterm zone="shadow pam-login-defs">
303 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
304 </indexterm>
305
306<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
307for FUNCTION in FAIL_DELAY \
308 FAILLOG_ENAB \
309 LASTLOG_ENAB \
310 MAIL_CHECK_ENAB \
311 OBSCURE_CHECKS_ENAB \
312 PORTTIME_CHECKS_ENAB \
313 QUOTAS_ENAB \
314 CONSOLE MOTD_FILE \
315 FTMP_FILE NOLOGINS_FILE \
316 ENV_HZ PASS_MIN_LEN \
317 SU_WHEEL_ONLY \
318 CRACKLIB_DICTPATH \
319 PASS_CHANGE_TRIES \
320 PASS_ALWAYS_WARN \
321 CHFN_AUTH ENCRYPT_METHOD \
322 ENVIRON_FILE
323do
324 sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
325done</userinput></screen>
326 </sect4>
327
328 <sect4>
329 <title>Configuring the /etc/pam.d/ Files</title>
330
331 <para>
332 As mentioned previously in the <application>Linux-PAM</application>
333 instructions, <application>Linux-PAM</application> has two supported
334 methods for configuration. The commands below assume that you've
335 chosen to use a directory based configuration, where each program has
336 its own configuration file. You can optionally use a single
337 <filename>/etc/pam.conf</filename> configuration file by using the
338 text from the files below, and supplying the program name as an
339 additional first field for each line.
340 </para>
341
342 <para>
343 As the <systemitem class="username">root</systemitem> user, create
344 the following <application>Linux-PAM</application> configuration files
345 in the <filename class="directory">/etc/pam.d/</filename> directory
346 (or add the contents to the <filename>/etc/pam.conf</filename> file)
347 using the following commands:
348 </para>
349 </sect4>
350
351 <sect4>
352 <title>'login'</title>
353
354<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
355<literal># Begin /etc/pam.d/login
356
357# Set failure delay before next prompt to 3 seconds
358auth optional pam_faildelay.so delay=3000000
359
360# Check to make sure that the user is allowed to login
361auth requisite pam_nologin.so
362
363# Check to make sure that root is allowed to login
364# Disabled by default. You will need to create /etc/securetty
365# file for this module to function. See man 5 securetty.
366#auth required pam_securetty.so
367
368# Additional group memberships - disabled by default
369#auth optional pam_group.so
370
371# include system auth settings
372auth include system-auth
373
374# check access for the user
375account required pam_access.so
376
377# include system account settings
378account include system-account
379
380# Set default environment variables for the user
381session required pam_env.so
382
383# Set resource limits for the user
384session required pam_limits.so
385
386# Display date of last login - Disabled by default
387#session optional pam_lastlog.so
388
389# Display the message of the day - Disabled by default
390#session optional pam_motd.so
391
392# Check user's mail - Disabled by default
393#session optional pam_mail.so standard quiet
394
395# include system session and password settings
396session include system-session
397password include system-password
398
399# End /etc/pam.d/login</literal>
400EOF</userinput></screen>
401 </sect4>
402
403 <sect4>
404 <title>'passwd'</title>
405
406<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
407<literal># Begin /etc/pam.d/passwd
408
409password include system-password
410
411# End /etc/pam.d/passwd</literal>
412EOF</userinput></screen>
413 </sect4>
414
415 <sect4>
416 <title>'su'</title>
417
418<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
419<literal># Begin /etc/pam.d/su
420
421# always allow root
422auth sufficient pam_rootok.so
423
424# Allow users in the wheel group to execute su without a password
425# disabled by default
426#auth sufficient pam_wheel.so trust use_uid
427
428# include system auth settings
429auth include system-auth
430
431# limit su to users in the wheel group
432auth required pam_wheel.so use_uid
433
434# include system account settings
435account include system-account
436
437# Set default environment variables for the service user
438session required pam_env.so
439
440# include system session settings
441session include system-session
442
443# End /etc/pam.d/su</literal>
444EOF</userinput></screen>
445 </sect4>
446
447 <sect4>
448 <title>'chage'</title>
449
450<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
451<literal># Begin /etc/pam.d/chage
452
453# always allow root
454auth sufficient pam_rootok.so
455
456# include system auth, account, and session settings
457auth include system-auth
458account include system-account
459session include system-session
460
461# Always permit for authentication updates
462password required pam_permit.so
463
464# End /etc/pam.d/chage</literal>
465EOF</userinput></screen>
466 </sect4>
467
468 <sect4>
469 <title>Other common programs</title>
470 <!--<title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 'groupdel',
471 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
472 'usermod'</title>-->
473
474<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
475 groupmems groupmod newusers useradd userdel usermod
476do
477 install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
478 sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
479done</userinput></screen>
480
481 <warning>
482 <para>
483 At this point, you should do a simple test to see if
484 <application>Shadow</application> is working as expected. Open
485 another terminal and log in as a user, then <command>su</command> to
486 <systemitem class="username">root</systemitem>. If you do not see
487 any errors, then all is well and you should proceed with the rest of
488 the configuration. If you did receive errors, stop now and double
489 check the above configuration files manually. One obvious reason
490 for an error is if the user is not in group <systemitem
491 class="groupname">wheel</systemitem>. You may want to run (as
492 <systemitem class="username">root</systemitem>): <command>usermod
493 -a -G wheel <replaceable>&lt;user&gt;</replaceable></command>.
494 Any other error is the sign of an error in the above procedure.
495 You can also run the
496 test suite from the <application>Linux-PAM</application> package to
497 assist you in determining the problem. If you cannot find and fix
498 the error, you should recompile <application>Shadow</application>
499 adding the <option>--without-libpam</option> switch to the
500 <command>configure</command> command in the above instructions (also
501 move the <filename>/etc/login.defs.orig</filename> backup file to
502 <filename>/etc/login.defs</filename>). If you fail to do this and
503 the errors remain, you will be unable to log into your system.
504 </para>
505 </warning>
506 </sect4>
507
508 <sect4 id="pam-access">
509 <title>Configuring Login Access</title>
510
511 <para>
512 Instead of using the <filename>/etc/login.access</filename> file for
513 controlling access to the system, <application>Linux-PAM</application>
514 uses the <filename class='libraryfile'>pam_access.so</filename> module
515 along with the <filename>/etc/security/access.conf</filename> file.
516 Rename the <filename>/etc/login.access</filename> file using the
517 following command:
518 </para>
519
520 <indexterm zone="shadow pam-access">
521 <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
522 </indexterm>
523
524<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
525 </sect4>
526
527 <sect4 id="pam-limits">
528 <title>Configuring Resource Limits</title>
529
530 <para>
531 Instead of using the <filename>/etc/limits</filename> file for
532 limiting usage of system resources,
533 <application>Linux-PAM</application> uses the
534 <filename class='libraryfile'>pam_limits.so</filename> module along
535 with the <filename>/etc/security/limits.conf</filename> file. Rename
536 the <filename>/etc/limits</filename> file using the following command:
537 </para>
538
539 <indexterm zone="shadow pam-limits">
540 <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
541 </indexterm>
542
543<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>
544
545 <caution>
546 <para>
547 Be sure to test the login capabilities of the system before logging
548 out. Errors in the configuration can cause a permanent
549 lockout requiring a boot from an external source to correct the
550 problem.
551 </para>
552 </caution>
553
554 </sect4>
555 </sect3>
556
557 </sect2>
558
559 <sect2 role="content">
560 <title>Contents</title>
561
562 <para>
563 A list of the installed files, along with their short descriptions can be
564 found at
565 <phrase revision="sysv">
566 <ulink url="&lfs-root;/chapter08/shadow.html#contents-shadow"/></phrase>
567 <phrase revision="systemd">
568 <ulink url="&lfs-rootd;/chapter08/shadow.html#contents-shadow"/></phrase>.
569 </para>
570
571 </sect2>
572
573</sect1>
Note: See TracBrowser for help on using the repository browser.