source: postlfs/security/shadow.xml@ 265c7da

Last change on this file since 265c7da was 265c7da, checked in by Bruce Dubbs <bdubbs@…>, 8 years ago

Fix gnumeric md5sum.
Do some minor reformatting in shadow.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@13176 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY shadow-download-http "http://pkg-shadow.alioth.debian.org/releases/shadow-&shadow-version;.tar.xz">
  <!ENTITY shadow-download-ftp  " ">
  <!ENTITY shadow-md5sum        "2bfafe7d4962682d31b5eba65dba4fc8">
  <!ENTITY shadow-size          "1.5 MB">
  <!ENTITY shadow-buildsize     "53 MB">
  <!ENTITY shadow-time          "0.2 SBU">
]>

<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
  <?dbhtml filename="shadow.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Shadow-&shadow-version;</title>

  <indexterm zone="shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Shadow</title>

    <para>
      <application>Shadow</application> was indeed installed in LFS and there is
      no reason to reinstall it unless you installed
      <application>CrackLib</application> or
      <application>Linux-PAM</application> after your LFS system was completed.
      If you have installed <application>CrackLib</application> after LFS, then
      reinstalling <application>Shadow</application> will enable strong password
      support. If you have installed <application>Linux-PAM</application>,
      reinstalling <application>Shadow</application> will allow programs such as
      <command>login</command> and <command>su</command> to utilize PAM.
    </para>

    &lfs75_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&shadow-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&shadow-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &shadow-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &shadow-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &shadow-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &shadow-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="linux-pam"/> or
      <xref linkend="cracklib"/>
    </para>

    <para condition="html" role="usernotes">
      User Notes: <ulink url="&blfs-wiki;/shadow"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Shadow</title>

    <important>
      <para>
        The installation commands shown below are for installations where
        <application>Linux-PAM</application> has been installed (with or
        without a <application>CrackLib</application> installation) and
        <application>Shadow</application> is being reinstalled to support the
        <application>Linux-PAM</application> installation.
      </para>

      <para>
        If you are reinstalling <application>Shadow</application> to provide
        strong password support using the <application>CrackLib</application>
        library without using <application>Linux-PAM</application>, ensure you
        add the <parameter>--with-libcrack</parameter> parameter to the
        <command>configure</command> script below and also issue the following
        command:
      </para>

<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
    </important>

    <para>
      Reinstall <application>Shadow</application> by running the following
      commands:
    </para>

<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;

sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
       -e 's@/var/spool/mail@/var/mail@' etc/login.defs &amp;&amp;

sed -i 's/1000/999/' etc/useradd &amp;&amp;

./configure --sysconfdir=/etc &amp;&amp;
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
mv -v /usr/bin/passwd /bin</userinput></screen>
  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
      is used to suppress the installation of the <command>groups</command>
      program as the version from the <application>Coreutils</application>
      package installed during LFS is preferred.
    </para>

    <para>
      <command>find man -name Makefile.in -exec ... {} \;</command>: This
      command is used to suppress the installation of the
      <command>groups</command> man pages so the existing ones installed from
      the <application>Coreutils</application> package are not replaced.
    </para>

    <para>
      <command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
      's@/var/spool/mail@/var/mail@' etc/login.defs</command>: Instead of using
      the default 'DES' method, this command modifies the installation to use
      the more secure 'SHA512' method of hashing passwords, which also allows
      passwords longer than eight characters. It also changes the obsolete
      <filename class="directory">/var/spool/mail</filename> location for user
      mailboxes that <application>Shadow</application> uses by default to the
      <filename class="directory">/var/mail</filename> location.
    </para>

    <para>
      <command>sed -i 's/1000/999/' etc/useradd</command>: Make a minor change
      to the default group ID (<literal>GROUP=</literal>) in the file that is
      installed as <filename>/etc/default/useradd</filename>, so that the
      default <command>useradd</command> settings are consistent with the
      <systemitem class="groupname">users</systemitem> group (GID 999) in the
      LFS <filename>/etc/group</filename> file.
    </para>

    <para>
      <command>mv -v /usr/bin/passwd /bin</command>: The
      <command>passwd</command> program may be needed during times when the
      <filename class='directory'>/usr</filename> filesystem is not mounted so
      it is moved into the root partition.
    </para>
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Shadow</title>

    <para>
      <application>Shadow</application>'s stock configuration for the
      <command>useradd</command> utility may not be desirable for your
      installation. One default parameter causes <command>useradd</command> to
      create a mailbox file for any newly created user.
      <command>useradd</command> gives this file group ownership by the
      <systemitem class="groupname">mail</systemitem> group and 0660
      permissions. If you would prefer that these mailbox files are not created
      by <command>useradd</command>, issue the following command as the
      <systemitem class="username">root</systemitem> user (it changes the
      <literal>CREATE_MAIL_SPOOL=yes</literal> line, the only line in that file
      containing <literal>yes</literal>):
    </para>

<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Linux-PAM to Work with Shadow</title>

    <note>
      <para>
        The rest of this page is devoted to configuring
        <application>Shadow</application> to work properly with
        <application>Linux-PAM</application>. If you do not have
        <application>Linux-PAM</application> installed, and you reinstalled
        <application>Shadow</application> to support strong passwords via the
        <application>CrackLib</application> library, no further configuration is
        required.
      </para>
    </note>

    <sect3 id="pam.d">
      <title>Config Files</title>

      <para>
        <filename>/etc/pam.d/*</filename> or alternatively
        <filename>/etc/pam.conf</filename>,
        <filename>/etc/login.defs</filename> and
        <filename>/etc/security/*</filename>
      </para>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-security">/etc/security/*</primary>
      </indexterm>
    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        Configuring your system to use <application>Linux-PAM</application> can
        be a complex task. The information below will provide a basic setup so
        that <application>Shadow</application>'s login and password
        functionality will work effectively with
        <application>Linux-PAM</application>. Review the information and links
        on the <xref linkend="linux-pam"/> page for further configuration
        information. For information specific to integrating
        <application>Shadow</application>, <application>Linux-PAM</application>
        and <application>CrackLib</application>, you can visit the following
        link:
      </para>

      <itemizedlist spacing="compact">
        <listitem>
          <para>
            <ulink url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/>
          </para>
        </listitem>
      </itemizedlist>

      <sect4 id="pam-login-defs">
        <title>Configuring /etc/login.defs</title>

        <para>
          The <command>login</command> program currently performs many functions
          which <application>Linux-PAM</application> modules should now handle.
          The following <command>sed</command> command will comment out the
          appropriate lines in <filename>/etc/login.defs</filename>, and stop
          <command>login</command> from performing these functions (a backup
          file named <filename>/etc/login.defs.orig</filename> is also created
          to preserve the original file's contents). Issue the following
          commands as the <systemitem class="username">root</systemitem> user:
        </para>

        <indexterm zone="shadow pam-login-defs">
          <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
        </indexterm>

<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
for FUNCTION in FAIL_DELAY               \
                FAILLOG_ENAB             \
                LASTLOG_ENAB             \
                MAIL_CHECK_ENAB          \
                OBSCURE_CHECKS_ENAB      \
                PORTTIME_CHECKS_ENAB     \
                QUOTAS_ENAB              \
                CONSOLE MOTD_FILE        \
                FTMP_FILE NOLOGINS_FILE  \
                ENV_HZ PASS_MIN_LEN      \
                SU_WHEEL_ONLY            \
                CRACKLIB_DICTPATH        \
                PASS_CHANGE_TRIES        \
                PASS_ALWAYS_WARN         \
                CHFN_AUTH ENCRYPT_METHOD \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
done</userinput></screen>
      </sect4>

      <sect4>
        <title>Configuring the /etc/pam.d/ Files</title>

        <para>
          As mentioned previously in the <application>Linux-PAM</application>
          instructions, <application>Linux-PAM</application> has two supported
          methods for configuration. The commands below assume that you've
          chosen to use a directory based configuration, where each program has
          its own configuration file. You can optionally use a single
          <filename>/etc/pam.conf</filename> configuration file by using the
          text from the files below, and supplying the program name as an
          additional first field for each line.
        </para>

        <para>
          As the <systemitem class="username">root</systemitem> user, replace
          the following <application>Linux-PAM</application> configuration files
          in the <filename class="directory">/etc/pam.d/</filename> directory
          (or add the contents to the <filename>/etc/pam.conf</filename> file)
          using the following commands:
        </para>
      </sect4>

      <sect4>
        <title>'system-account'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-account

account   required    pam_unix.so

# End /etc/pam.d/system-account</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'system-auth'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-auth

auth      required    pam_unix.so

# End /etc/pam.d/system-auth</literal>
EOF</userinput></screen>
      </sect4>
      <sect4>
        <title>'system-password' (with cracklib)</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-password

# check new passwords for strength (man pam_cracklib)
password  required    pam_cracklib.so   type=Linux retry=3 difok=5 \
                                        difignore=23 minlen=9 dcredit=1 \
                                        ucredit=1 lcredit=1 ocredit=1 \
                                        dictpath=/lib/cracklib/pw_dict
# use sha512 hash for encryption, use shadow, and use the
# authentication token (chosen password) set by pam_cracklib
# above (or any previous modules)
password  required    pam_unix.so       sha512 shadow use_authtok

# End /etc/pam.d/system-password</literal>
EOF</userinput></screen>

        <note>
          <para>
            In its default configuration, owing to credits, pam_cracklib will
            allow a password that mixes character classes to be as short as 6
            characters, even with the <parameter>minlen</parameter> value set
            to 9 as above: up to the credit value of digits, upper case, lower
            case and other characters each count as one extra character
            towards <parameter>minlen</parameter>. You should review the
            pam_cracklib(8) man page and determine if these default values
            are acceptable for the security of your system.
          </para>
        </note>
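        <para>
          The following Python model is an editorial example added to this
          page; it is not code from the BLFS book or from Linux-PAM. It
          reproduces the length test pam_cracklib applies (the credit
          arithmetic of its simple() routine, as the editor understands it) so
          that the effect of the <parameter>minlen</parameter> and credit
          options above can be tried on sample passwords. The 6-character floor
          is CrackLib's own minimum, taken from the note above as an assumption
          rather than from CrackLib's source; the sample passwords are
          constructed.
        </para>

```python
"""Model of pam_cracklib's minlen and credit arithmetic.

Added editorial example, not code from the BLFS book or from Linux-PAM.
The 6-character floor is an assumption taken from the page's note.
"""

CRACKLIB_FLOOR = 6   # assumption: CrackLib rejects anything shorter as "too short"


def classify(password):
    """Count digits, upper case, lower case and other characters, like pam_cracklib."""
    digits = sum(ch.isdigit() for ch in password)
    uppers = sum(ch.isupper() for ch in password)
    lowers = sum(ch.islower() for ch in password)
    others = len(password) - digits - uppers - lowers
    return digits, uppers, lowers, others


def length_ok(password, minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """True when the password satisfies minlen once credits are applied.

    For each class, a credit value N of zero or more lets up to N characters
    of that class each count as one extra character of length. A negative
    value -N instead demands at least N characters of that class and earns
    no credit. pam_cracklib clamps minlen to at least 6.
    """
    minlen = max(minlen, 6)
    required = minlen
    for count, credit in zip(classify(password), (dcredit, ucredit, lcredit, ocredit)):
        if credit >= 0:
            required -= min(count, credit)
        elif -credit > count:      # hard requirement for this class not met
            return False
    return len(password) >= required and len(password) >= CRACKLIB_FLOOR


def shortest_accepted(minlen=9, credits=(1, 1, 1, 1)):
    """Shortest length that can pass for a password built to harvest every credit.

    Only non-negative credits count, and each credit still needs a character
    of its class, so a password cannot earn more credits than it has characters.
    """
    minlen = max(minlen, 6)
    max_credit = sum(c for c in credits if c > 0)
    length = CRACKLIB_FLOOR
    while not (length + min(length, max_credit) >= minlen):
        length += 1
    return length


if __name__ == "__main__":
    # The page's settings: minlen=9 with one credit per class (constructed samples).
    for pw in ("Abc1$x", "abcdefgh", "abcdefg"):
        print(pw, length_ok(pw))
    print("shortest accepted with the page's settings:", shortest_accepted())
    print("shortest accepted with credits disabled:", shortest_accepted(9, (0, 0, 0, 0)))
```

        <para>
          With the page's settings a six-character password drawing on all four
          classes passes, and an eight-character single-class password passes
          as well; setting every credit option to 0 makes
          <parameter>minlen</parameter> a real minimum length, and a negative
          value such as <literal>dcredit=-1</literal> turns the class into a
          requirement instead of a bonus.
        </para>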
      </sect4>

      <sect4>
        <title>'system-password' (without cracklib)</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-password

# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password  required    pam_unix.so       sha512 shadow try_first_pass

# End /etc/pam.d/system-password</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'system-session'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-session

session   required    pam_unix.so

# End /etc/pam.d/system-session</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'login'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth     required    pam_securetty.so

# Additional group memberships - disabled by default
#auth     optional    pam_group.so

# include the default auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include the default account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display date of last login - Disabled by default
#session  optional    pam_lastlog.so

# Display the message of the day - Disabled by default
#session  optional    pam_motd.so

# Check user's mail - Disabled by default
#session  optional    pam_mail.so       standard quiet

# include the default session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'passwd'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'su'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/su</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'chage'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system defaults for auth account and session
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required    pam_permit.so

# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>Other common programs</title>
        <!--<title>'chfn', 'chgpasswd', 'chpasswd', 'chsh', 'groupadd', 'groupdel',
        'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
        'usermod'</title>-->

<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done</userinput></screen>

        <warning>
          <para>
            At this point, you should do a simple test to see if
            <application>Shadow</application> is working as expected. Open
            another terminal and log in as a user, then <command>su</command> to
            <systemitem class="username">root</systemitem>. If you do not see
            any errors, then all is well and you should proceed with the rest of
            the configuration. If you did receive errors, stop now and double
            check the above configuration files manually. You can also run the
            test suite from the <application>Linux-PAM</application> package to
            assist you in determining the problem. If you cannot find and fix
            the error, you should recompile <application>Shadow</application>
            adding the <option>--without-libpam</option> switch to the
            <command>configure</command> command in the above instructions (also
            move the <filename>/etc/login.defs.orig</filename> backup file to
            <filename>/etc/login.defs</filename>). If you fail to do this and
            the errors remain, you will be unable to log into your system.
          </para>
        </warning>
      </sect4>

      <sect4>
        <title>Other</title>

        <para>
          Currently, <filename>/etc/pam.d/other</filename> is configured to
          allow anyone with an account on the machine to use PAM-aware programs
          without a configuration file for that program. After testing
          <application>Linux-PAM</application> for proper configuration, install
          a more restrictive <filename>other</filename> file so that
          program-specific configuration files are required:
        </para>

<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/other

auth      required    pam_warn.so
auth      required    pam_deny.so
account   required    pam_warn.so
account   required    pam_deny.so
password  required    pam_warn.so
password  required    pam_deny.so
session   required    pam_warn.so
session   required    pam_deny.so

# End /etc/pam.d/other</literal>
EOF</userinput></screen>
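        <para>
          The following Python checker is an editorial example added to this
          page; it is not code from the BLFS book or from Linux-PAM. It
          flattens the <filename>/etc/pam.d</filename> files built above
          (expanding <literal>include</literal> lines the way libpam does and
          falling back to <filename>other</filename> for a service that has no
          file) and then verifies the three properties the text relies on: no
          <literal>include</literal> points at a missing file, every group in
          <filename>other</filename> ends in <filename>pam_deny.so</filename>,
          and <literal>use_authtok</literal> is never the first password
          module. The configuration texts inside it are constructed copies of
          the files on this page with comments and disabled lines removed;
          bracketed controls and <literal>substack</literal> are not used on
          the page and are not modelled.
        </para>

```python
"""Flatten and sanity-check the /etc/pam.d stack built on this page.

Added editorial example, not code from the BLFS book or from Linux-PAM.
PAMD holds constructed copies of the page's own files (comments and
disabled lines removed). Bracketed controls and 'substack' are not modelled.
"""

GROUPS = ("auth", "account", "password", "session")

PAMD = {
    "system-auth": "auth required pam_unix.so\n",
    "system-account": "account required pam_unix.so\n",
    "system-password": (
        "password required pam_cracklib.so type=Linux retry=3 difok=5"
        " difignore=23 minlen=9 dcredit=1 ucredit=1 lcredit=1 ocredit=1"
        " dictpath=/lib/cracklib/pw_dict\n"
        "password required pam_unix.so sha512 shadow use_authtok\n"
    ),
    "system-session": "session required pam_unix.so\n",
    "login": (
        "auth optional pam_faildelay.so delay=3000000\n"
        "auth requisite pam_nologin.so\n"
        "auth include system-auth\n"
        "account required pam_access.so\n"
        "account include system-account\n"
        "session required pam_env.so\n"
        "session required pam_limits.so\n"
        "session include system-session\n"
        "password include system-password\n"
    ),
    "su": (
        "auth sufficient pam_rootok.so\n"
        "auth include system-auth\n"
        "account include system-account\n"
        "session required pam_env.so\n"
        "session include system-session\n"
    ),
    # The restrictive fallback from the page: warn, then deny, for every group.
    "other": "".join(f"{g} required pam_{m}.so\n" for g in GROUPS for m in ("warn", "deny")),
}


def parse(text):
    """Split a pam.d file into (group, control, module, args) tuples, dropping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def flatten(service, group, files=PAMD):
    """Effective (control, module, args) stack for one management group.

    'include' lines are expanded in place, as libpam does. A service with no
    file of its own is handled by 'other', which is why that file must deny.
    An 'include' of a file that does not exist is treated here as a hard
    error: libpam cannot build the stack, and the page warns that the result
    is being unable to log in.
    """
    text = files.get(service)
    if text is None:
        text = files["other"]
    stack = []
    for grp, control, module, args in parse(text):
        if grp != group:
            continue
        if control == "include":
            if module not in files:
                raise LookupError(f"{service}: {group} includes missing file {module}")
            stack.extend(flatten(module, group, files))
        else:
            stack.append((control, module, args))
    return stack


def audit(files=PAMD):
    """Return findings as strings; an empty list means the page's invariants hold."""
    findings = []
    for name in files:
        for group in GROUPS:
            try:
                stack = flatten(name, group, files)
            except LookupError as exc:
                findings.append(str(exc))
                continue
            # The fallback file must end every group in pam_deny.so.
            if name == "other" and (not stack or stack[-1][1] != "pam_deny.so"):
                findings.append(f"other: {group} stack does not end in pam_deny.so")
            # use_authtok only works when an earlier password module set the token.
            if group == "password" and stack and "use_authtok" in stack[0][2]:
                findings.append(f"{name}: first password module {stack[0][1]} "
                                "has use_authtok with no module before it")
    return findings


if __name__ == "__main__":
    for line in audit() or ["no findings"]:
        print(line)
```

        <para>
          Running the checker against the page's files yields no findings.
          Deleting <filename>system-auth</filename> from the set reproduces the
          failure the warning above describes (every file that includes it is
          reported), and replacing <filename>system-password</filename> with
          only the <literal>use_authtok</literal> line shows why the variant
          without cracklib uses <literal>try_first_pass</literal> instead.
        </para>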
      </sect4>

      <sect4 id="pam-access">
        <title>Configuring Login Access</title>

        <para>
          Instead of using the <filename>/etc/login.access</filename> file for
          controlling access to the system, <application>Linux-PAM</application>
          uses the <filename class='libraryfile'>pam_access.so</filename> module
          along with the <filename>/etc/security/access.conf</filename> file.
          Rename the <filename>/etc/login.access</filename> file using the
          following command:
        </para>

        <indexterm zone="shadow pam-access">
          <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
      </sect4>

      <sect4 id="pam-limits">
        <title>Configuring Resource Limits</title>

        <para>
          Instead of using the <filename>/etc/limits</filename> file for
          limiting usage of system resources,
          <application>Linux-PAM</application> uses the
          <filename class='libraryfile'>pam_limits.so</filename> module along
          with the <filename>/etc/security/limits.conf</filename> file. Rename
          the <filename>/etc/limits</filename> file using the following command:
        </para>

        <indexterm zone="shadow pam-limits">
          <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>
      </sect4>
    </sect3>
  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <para>
      A list of the installed files, along with their short descriptions can be
      found at <ulink url="http://www.linuxfromscratch.org/lfs/view/&lfs-version;/chapter06/shadow.html#contents-shadow"/>.
    </para>

  </sect2>

</sect1>