source: postlfs/security/shadow.xml@ 322f172

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
   "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY shadow-download-http " ">
  <!ENTITY shadow-download-ftp  "ftp://ftp.pld.org.pl/software/shadow/shadow-&shadow-version;.tar.bz2">
  <!ENTITY shadow-md5sum        "89ebec0d1c0d861a5bd5c4c63e5cb0cc">
  <!ENTITY shadow-size          "1.0 MB">
  <!ENTITY shadow-buildsize     "13.2 MB">
  <!ENTITY shadow-time          "0.31 SBU">
]>

<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
  <?dbhtml filename="shadow.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Shadow-&shadow-version;</title>

  <indexterm zone="shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Shadow</title>

    <para><application>Shadow</application> was indeed installed in LFS and
    there is no reason to reinstall it unless you installed
    <application>Linux-PAM</application>. If you did, this will allow programs
    like <command>login</command> and <command>su</command> to utilize PAM.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&shadow-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&shadow-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &shadow-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &shadow-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &shadow-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &shadow-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing='compact'>
      <listitem>
        <para>Patch to fix a bug in the <command>lastlog</command> program:
        <ulink url="&patch-root;/shadow-&shadow-version;-fix_lastlog-1.patch"/></para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para><xref linkend="Linux_PAM"/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Shadow</title>

    <para>Reinstall <application>Shadow</application> by running the following
    commands:</para>

<screen><userinput>patch -Np1 -i ../shadow-&shadow-version;-fix_lastlog-1.patch &amp;&amp;
./configure --libdir=/lib --enable-shared \
    --with-libpam --without-libcrack &amp;&amp;
sed -i 's/groups$(EXEEXT) //' src/Makefile &amp;&amp;
sed -i '/groups/d' man/Makefile &amp;&amp;
make</userinput></screen>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;
mv -v /usr/bin/passwd /bin &amp;&amp;
mv -v /lib/libshadow.*a /usr/lib &amp;&amp;
rm -v /lib/libshadow.so &amp;&amp;
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><parameter>--without-libcrack</parameter>: This switch tells
    <application>Shadow</application> not to use
    <filename class='libraryfile'>libcrack</filename>. This is desired as
    <application>Linux-PAM</application> already contains
    <filename class='libraryfile'>libcrack</filename>.</para>

    <para><command>sed -i ...</command>: These commands are used to suppress
    the installation of the <command>groups</command> program as the version
    from the <application>Coreutils</application> package installed during
    LFS is preferred.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Linux-PAM to Work with Shadow</title>

    <sect3 id="pam.d">
      <title>Config Files</title>

      <para><filename>/etc/pam.d/*</filename>, or alternatively,
      <filename>/etc/pam.conf</filename></para>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>Add the following <application>Linux-PAM</application> configuration
      files to <filename class="directory">/etc/pam.d/</filename> (or add them
      to <filename>/etc/pam.conf</filename> with the additional field for
      the program).</para>

      <sect4>
        <title>'login' (with Cracklib)</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
                                            dcredit=3 ocredit=3 \
                                            ucredit=2 lcredit=2
password    required       pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/login</literal>
EOF</userinput></screen>

      </sect4>

      <sect4>
        <title>'login' (without Cracklib)</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_unix.so      md5 shadow

# End /etc/pam.d/login</literal>
EOF</userinput></screen>

      </sect4>

      <sect4>
        <title>'passwd' (with Cracklib)</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd

password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
                                            dcredit=3  ocredit=3 \
                                            ucredit=2  lcredit=2
password    required       pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>

      </sect4>

      <sect4>
        <title>'passwd' (without Cracklib)</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd

password    required       pam_unix.so      md5 shadow

# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>

      </sect4>

      <sect4>
        <title>'su'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     optional        pam_mail.so     dir=/var/mail standard
session     required        pam_unix.so

# End /etc/pam.d/su</literal>
EOF</userinput></screen>

      </sect4>

      <sect4>
        <title>'chage'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/chage</literal>
EOF</userinput></screen>

      </sect4>

      <sect4>
        <title>'chpasswd', 'newusers', 'groupadd', 'groupdel',
        'groupmod', 'useradd', 'userdel', and 'usermod'</title>

<screen role="root"><userinput>for PROGRAM in chpasswd newusers groupadd groupdel \
               groupmod useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
    sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done</userinput></screen>

      </sect4>

      <sect4>
        <title>Other</title>

        <warning>
          <para>At this point, you should do a simple test to see if
          <application>Shadow</application> is working as expected. Open
          another term and login as a user, then su to <systemitem
          class="username">root</systemitem>. If you do not see any errors,
          then all is well and you should proceed with the rest of the
          configuration. If you did receive errors, stop now and double check
          the above configuration files manually.  If you cannot find, and
          fix the error, you should recompile <application>Shadow</application>
          replacing <option>--with-libpam</option> with
          <option>--without-libpam</option> in the above instructions. If you
          fail to do this and the errors remain, you will be unable to log into
          your system.</para>
        </warning>

        <para>Currently, <filename>/etc/pam.d/other</filename> is configured
        to allow anyone with an account on the machine to use PAM-aware
        programs without a configuration file for that program. After testing
        <application>Linux-PAM</application> for proper configuration, install
        a more restrictive <filename>other</filename> file so that
        program-specific configuration files are required:</para>

<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/other

auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
session     required        pam_deny.so
password    required        pam_deny.so
password    required        pam_warn.so

# End /etc/pam.d/other</literal>
EOF</userinput></screen>

      </sect4>

      <sect4 id="pam-access">
        <title>Configuring Login Access</title>

        <para>Instead of using the <filename>/etc/login.access</filename>
        file for controlling access to the system,
        <application>Linux-PAM</application> uses the
        <filename class='libraryfile'>pam_access.so</filename> module along
        with the <filename>/etc/security/access.conf</filename> file. Rename
        the <filename>/etc/login.access</filename> file using the following
        command:</para>

        <indexterm zone="shadow pam-access">
          <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
        </indexterm>

<screen role="root"><userinput>if [ -f /etc/login.access ]; then
    mv -v /etc/login.access /etc/login.access.NOUSE
fi</userinput></screen>

      </sect4>

      <sect4 id="pam-limits">
        <title>Configuring Resource Limits</title>

        <para>Instead of using the <filename>/etc/limits</filename> file
        for limiting usage of system resources,
        <application>Linux-PAM</application> uses the
        <filename class='libraryfile'>pam_limits.so</filename> module along
        with the <filename>/etc/security/limits.conf</filename> file. Rename
        the <filename>/etc/limits</filename> file using the following
        command:</para>

        <indexterm zone="shadow pam-limits">
          <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
        </indexterm>

<screen role="root"><userinput>if [ -f /etc/limits ]; then
    mv -v /etc/limits /etc/limits.NOUSE
fi</userinput></screen>

      </sect4>

      <sect4 id="pam-login-defs">
        <title>Configuring /etc/login.defs</title>

        <para>The <command>login</command> program currently performs many
        functions which <application>Linux-PAM</application> modules should
        now handle. The following command will comment out the appropriate
        lines in <filename>/etc/login.defs</filename>, and stop
        <command>login</command> from performing these functions:</para>

        <indexterm zone="shadow pam-login-defs">
          <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
        </indexterm>

<screen role="root"><userinput>for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
                PORTTIME_CHECKS_ENAB CONSOLE \
                MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
                SU_WHEEL_ONLY MD5_CRYPT_ENAB \
                CONSOLE_GROUPS ENVIRON_FILE
do
    sed -i -e "s/^$FUNCTION/# &amp;/" /etc/login.defs
done</userinput></screen>

        <para>If you have <application>cracklib</application> installed,
        also comment out four more lines using the following command:</para>

<screen role="root"><userinput>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
                PASS_CHANGE_TRIES PASS_ALWAYS_WARN
do
    sed -i -e "s/^$FUNCTION/# &amp;/" /etc/login.defs
done</userinput></screen>

      </sect4>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <para>A list of the installed files, along with their short descriptions
    can be found at
    <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>

  </sect2>

</sect1>