1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 |
|
---|
7 | <!ENTITY shadow-download-http " ">
|
---|
8 | <!ENTITY shadow-download-ftp "ftp://ftp.pld.org.pl/software/shadow/shadow-&shadow-version;.tar.bz2">
|
---|
9 | <!ENTITY shadow-size "814 KB">
|
---|
10 | <!ENTITY shadow-buildsize "14.1 MB">
|
---|
11 | <!ENTITY shadow-time "0.42 SBU">
|
---|
12 | ]>
|
---|
13 |
|
---|
14 | <sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
|
---|
15 | <sect1info>
|
---|
16 | <othername>$LastChangedBy$</othername>
|
---|
17 | <date>$Date$</date>
|
---|
18 | </sect1info>
|
---|
19 | <?dbhtml filename="shadow.html"?>
|
---|
20 | <title>Shadow-&shadow-version;</title>
|
---|
21 | <indexterm zone="shadow">
|
---|
22 | <primary sortas="a-Shadow">Shadow</primary></indexterm>
|
---|
23 |
|
---|
24 | <!--
|
---|
25 | <sect2>
|
---|
26 | <title>Configuring shadow</title>
|
---|
27 |
|
---|
28 | <para>Shadow's Configuration File</para>
|
---|
29 |
|
---|
30 | <para><userinput>/etc/login.defs</userinput></para>
|
---|
31 |
|
---|
32 | <para>Enabling <acronym>MD</acronym>5 Passwords</para>
|
---|
33 |
|
---|
34 | <para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
|
---|
35 | <filename>login.defs</filename> file that reads:
|
---|
36 | <screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
|
---|
37 | to read:
|
---|
38 | <screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
|
---|
39 | Passwords created after this change will be encrypted using
|
---|
40 | <acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
|
---|
41 | <acronym>DES</acronym> encryption.
|
---|
42 | </para>
|
---|
43 | </sect2>
|
---|
44 | -->
|
---|
45 |
|
---|
46 | <sect2>
|
---|
47 | <title>Introduction to <application>Shadow</application></title>
|
---|
48 |
|
---|
49 | <para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
|
---|
50 | no reason to reinstall it unless you installed
|
---|
51 | <application>Linux-<acronym>PAM</acronym></application>. If you did,
|
---|
52 | this will allow programs like <command>login</command> and
|
---|
53 | <command>su</command> to utilize
|
---|
54 | <acronym>PAM</acronym>.</para>
|
---|
55 |
|
---|
56 | <sect3><title>Package information</title>
|
---|
57 | <itemizedlist spacing="compact">
|
---|
58 | <listitem><para>Download (HTTP):
|
---|
59 | <ulink url="&shadow-download-http;"/></para></listitem>
|
---|
60 | <listitem><para>Download (FTP):
|
---|
61 | <ulink url="&shadow-download-ftp;"/></para></listitem>
|
---|
62 | <listitem><para>Download size:
|
---|
63 | &shadow-size;</para></listitem>
|
---|
64 | <listitem><para>Estimated disk space required:
|
---|
65 | &shadow-buildsize;</para></listitem>
|
---|
66 | <listitem><para>Estimated build time:
|
---|
67 | &shadow-time;</para></listitem></itemizedlist>
|
---|
68 | </sect3>
|
---|
69 |
|
---|
70 | <sect3><title>Additional downloads</title>
|
---|
71 | <itemizedlist spacing='compact'>
|
---|
72 | <listitem><para>Patch to fix linking against PAM:
|
---|
73 | <ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para>
|
---|
74 | </listitem>
|
---|
75 | </itemizedlist>
|
---|
76 | </sect3>
|
---|
77 |
|
---|
78 | <sect3><title><application>Shadow</application> dependencies</title>
|
---|
79 | <sect4><title>Required</title>
|
---|
80 | <para><xref linkend="Linux_PAM"/></para></sect4>
|
---|
81 | </sect3>
|
---|
82 | </sect2>
|
---|
83 |
|
---|
84 | <sect2>
|
---|
85 | <title>Installation of <application>Shadow</application></title>
|
---|
86 |
|
---|
87 | <para>Reinstall <application>Shadow</application> by running the following
|
---|
88 | commands:</para>
|
---|
89 |
|
---|
90 | <screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &&
|
---|
91 | LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
|
---|
92 | --enable-shared --with-libpam --without-libcrack &&
|
---|
93 | echo '#define HAVE_SETLOCALE 1' >> config.h &&
|
---|
94 | sed -i '/extern char/d' libmisc/xmalloc.c &&
|
---|
95 | make</command></userinput></screen>
|
---|
96 |
|
---|
97 | <para>Now, as the root user:</para>
|
---|
98 |
|
---|
99 | <screen><userinput role='root'><command>make install &&
|
---|
100 | mv /bin/sg /usr/bin &&
|
---|
101 | mv /bin/vigr /usr/sbin &&
|
---|
102 | mv /usr/bin/passwd /bin &&
|
---|
103 | rm /bin/groups &&
|
---|
104 | mv /usr/lib/lib{misc,shadow}.so.0* /lib &&
|
---|
105 | ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
|
---|
106 | ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
|
---|
107 |
|
---|
108 | </sect2>
|
---|
109 |
|
---|
110 | <sect2>
|
---|
111 | <title>Command explanations</title>
|
---|
112 |
|
---|
113 | <para><parameter>--without-libcrack</parameter>: This switch tells
|
---|
114 | <application>Shadow</application> not to use
|
---|
115 | <filename class='libraryfile'>libcrack</filename>. This is desired as
|
---|
116 | <application>Linux-<acronym>PAM</acronym></application> already contains
|
---|
117 | <filename class='libraryfile'>libcrack</filename>.</para>
|
---|
118 |
|
---|
119 | <para><command>sed -i '/extern char/d' libmisc/xmalloc.c</command>: This
|
---|
120 | fixes a compilation problem when using <application>GCC</application>-3.4.x.
|
---|
121 | </para>
|
---|
122 |
|
---|
123 | </sect2>
|
---|
124 |
|
---|
125 | <sect2>
|
---|
126 | <title>Configuring <application>Linux-<acronym>PAM</acronym></application> to
|
---|
127 | work with <application>Shadow</application></title>
|
---|
128 |
|
---|
129 | <sect3 id="pam.d"><title>Config files</title>
|
---|
130 | <para><filename>/etc/pam.d/login</filename>,
|
---|
131 | <filename>/etc/pam.d/passwd</filename>,
|
---|
132 | <filename>/etc/pam.d/su</filename>,
|
---|
133 | <filename>/etc/pam.d/shadow</filename>,
|
---|
134 | <filename>/etc/pam.d/useradd</filename>, and
|
---|
135 | <filename>/etc/pam.d/chage</filename> –
|
---|
136 | alternatively, <filename>/etc/pam.conf</filename></para>
|
---|
137 | <indexterm zone="shadow pam.d">
|
---|
138 | <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary></indexterm>
|
---|
139 | <indexterm zone="shadow pam.d">
|
---|
140 | <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary></indexterm>
|
---|
141 | </sect3>
|
---|
142 |
|
---|
143 | <sect3><title>Configuration Information</title>
|
---|
144 |
|
---|
145 | <para>Add the following <application>Linux-<acronym>PAM</acronym></application>
|
---|
146 | configuration files to <filename class="directory">/etc/pam.d/</filename> (or
|
---|
147 | add them to <filename>/etc/pam.conf</filename> with the additional field for
|
---|
148 | the program).</para>
|
---|
149 |
|
---|
150 | <screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command>
|
---|
151 | # Begin /etc/pam.d/login
|
---|
152 |
|
---|
153 | auth requisite pam_securetty.so
|
---|
154 | auth requisite pam_nologin.so
|
---|
155 | auth required pam_env.so
|
---|
156 | auth required pam_unix.so
|
---|
157 | account required pam_access.so
|
---|
158 | account required pam_unix.so
|
---|
159 | session required pam_motd.so
|
---|
160 | session required pam_limits.so
|
---|
161 | session optional pam_mail.so dir=/var/mail standard
|
---|
162 | session optional pam_lastlog.so
|
---|
163 | session required pam_unix.so
|
---|
164 |
|
---|
165 | # End /etc/pam.d/login
|
---|
166 | <command>EOF
|
---|
167 | cat > /etc/pam.d/passwd << "EOF"</command>
|
---|
168 | # Begin /etc/pam.d/passwd
|
---|
169 |
|
---|
170 | password required pam_unix.so md5 shadow
|
---|
171 |
|
---|
172 | # End /etc/pam.d/passwd
|
---|
173 | <command>EOF
|
---|
174 | cat > /etc/pam.d/shadow << "EOF"</command>
|
---|
175 | # Begin /etc/pam.d/shadow
|
---|
176 |
|
---|
177 | auth sufficient pam_rootok.so
|
---|
178 | auth required pam_unix.so
|
---|
179 | account required pam_unix.so
|
---|
180 | session required pam_unix.so
|
---|
181 | password required pam_permit.so
|
---|
182 |
|
---|
183 | # End /etc/pam.d/shadow
|
---|
184 | <command>EOF
|
---|
185 | cat > /etc/pam.d/su << "EOF"</command>
|
---|
186 | # Begin /etc/pam.d/su
|
---|
187 |
|
---|
188 | auth sufficient pam_rootok.so
|
---|
189 | auth required pam_unix.so
|
---|
190 | account required pam_unix.so
|
---|
191 | session required pam_unix.so
|
---|
192 |
|
---|
193 | # End /etc/pam.d/su
|
---|
194 | <command>EOF
|
---|
195 | cat > /etc/pam.d/useradd << "EOF"</command>
|
---|
196 | # Begin /etc/pam.d/useradd
|
---|
197 |
|
---|
198 | auth sufficient pam_rootok.so
|
---|
199 | auth required pam_unix.so
|
---|
200 | account required pam_unix.so
|
---|
201 | session required pam_unix.so
|
---|
202 | password required pam_permit.so
|
---|
203 |
|
---|
204 | # End /etc/pam.d/useradd
|
---|
205 | <command>EOF
|
---|
206 | cat > /etc/pam.d/chage << "EOF"</command>
|
---|
207 | # Begin /etc/pam.d/chage
|
---|
208 |
|
---|
209 | auth sufficient pam_rootok.so
|
---|
210 | auth required pam_unix.so
|
---|
211 | account required pam_unix.so
|
---|
212 | session required pam_unix.so
|
---|
213 | password required pam_permit.so
|
---|
214 |
|
---|
215 | # End /etc/pam.d/chage
|
---|
216 | <command>EOF</command></userinput></screen>
|
---|
217 |
|
---|
218 | <note><para>If you've installed <application>cracklib</application>, replace
|
---|
219 | <filename>/etc/pam.d/passwd</filename> with the following:</para></note>
|
---|
220 | <screen><userinput><command>cat > /etc/pam.d/passwd << "EOF"</command>
|
---|
221 | # Begin /etc/pam.d/passwd
|
---|
222 |
|
---|
223 | password required pam_cracklib.so \
|
---|
224 | retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
|
---|
225 | password required pam_unix.so md5 shadow use_authtok
|
---|
226 |
|
---|
227 | # End /etc/pam.d/passwd
|
---|
228 | <command>EOF</command></userinput></screen>
|
---|
229 |
|
---|
230 | <warning><para>At this point, you should do a simple test to see if
|
---|
231 | <application>Shadow</application> is
|
---|
232 | working as expected. Open another term and login as a user, then su to
|
---|
233 | to root. If you do not see any errors, then all is well and you should
|
---|
234 | proceed with the rest of the configuration. If you did
|
---|
235 | receive errors, stop now and double check the above configuration files
|
---|
236 | manually. If you cannot find, and fix the error, you should recompile
|
---|
237 | shadow replacing <envar>--with-libpam</envar> with
|
---|
238 | <envar>--without-libpam</envar> in the above
|
---|
239 | instructions. If you fail to do this and the errors remain, you
|
---|
240 | will be unable to log into your system.</para></warning>
|
---|
241 |
|
---|
242 | <para>Currently, <filename>/etc/pam.d/other</filename> is configured to
|
---|
243 | allow anyone with an account on the machine to use programs
|
---|
244 | that do not specifically have a configuration file of their own. After
|
---|
245 | testing <application>Linux-<acronym>PAM</acronym></application> for proper
|
---|
246 | configuration, it can be changed to the following:</para>
|
---|
247 |
|
---|
248 | <screen><userinput><command>cat > /etc/pam.d/other << "EOF"</command>
|
---|
249 | # Begin /etc/pam.d/other
|
---|
250 |
|
---|
251 | auth required pam_deny.so
|
---|
252 | auth required pam_warn.so
|
---|
253 | account required pam_deny.so
|
---|
254 | session required pam_deny.so
|
---|
255 | password required pam_deny.so
|
---|
256 | password required pam_warn.so
|
---|
257 |
|
---|
258 | # End /etc/pam.d/other
|
---|
259 | <command>EOF</command></userinput></screen>
|
---|
260 |
|
---|
261 | <para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
|
---|
262 | to the beginning of the following lines:</para>
|
---|
263 | <screen>LASTLOG_ENAB
|
---|
264 | MAIL_CHECK_ENAB
|
---|
265 | PORTTIME_CHECKS_ENAB
|
---|
266 | CONSOLE
|
---|
267 | MOTD_FILE
|
---|
268 | NOLOGINS_FILE
|
---|
269 | PASS_MIN_LEN
|
---|
270 | SU_WHEEL_ONLY
|
---|
271 | MD5_CRYPT_ENAB
|
---|
272 | CONSOLE_GROUPS
|
---|
273 | ENVIRON_FILE</screen>
|
---|
274 |
|
---|
275 | <para>This stops <command>login</command> from performing these functions, as
|
---|
276 | they will now be performed by <acronym>PAM</acronym> modules. Additionally,
|
---|
277 | add a '#' to the beginning of the following lines if you've installed
|
---|
278 | <application>cracklib</application>:</para>
|
---|
279 | <screen>OBSCURE_CHECKS_ENAB
|
---|
280 | CRACKLIB_DICTPATH
|
---|
281 | PASS_CHANGE_TRIES
|
---|
282 | PASS_ALWAYS_WARN</screen>
|
---|
283 | </sect3>
|
---|
284 |
|
---|
285 | </sect2>
|
---|
286 |
|
---|
287 | <sect2>
|
---|
288 | <title>Contents</title>
|
---|
289 |
|
---|
290 | <para>A list of the installed files, along with their short descriptions can
|
---|
291 | be found at <ulink
|
---|
292 | url="http://www.linuxfromscratch.org/lfs/view/6.0/chapter06/shadow.html"/>.
|
---|
293 | </para>
|
---|
294 |
|
---|
295 | </sect2>
|
---|
296 |
|
---|
297 | </sect1>
|
---|