source: postlfs/security/shadow.xml@ 38489aa0

10.0 10.1 11.0 11.1 11.2 8.4 9.0 9.1 lazarus plabs/python-mods qt5new trunk upgradedb xry111/intltool xry111/soup3 xry111/test-20220226
Last change on this file since 38489aa0 was 38489aa0, checked in by Pierre Labastie <pieere@…>, 4 years ago

Tags

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@21156 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 20.1 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
8 <!ENTITY shadow-download-ftp " ">
9 <!ENTITY shadow-md5sum "b491fecbf1232632c32ff8f1437fd60e">
10 <!ENTITY shadow-size "1.6 MB">
11 <!ENTITY shadow-buildsize "33 MB">
12 <!ENTITY shadow-time "0.2 SBU">
13]>
14
15<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
16 <?dbhtml filename="shadow.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Shadow-&shadow-version;</title>
24
25 <indexterm zone="shadow">
26 <primary sortas="a-Shadow">Shadow</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Shadow</title>
31
32 <para>
33 <application>Shadow</application> was indeed installed in LFS and there is
34 no reason to reinstall it unless you installed
35 <application>CrackLib</application> or
36 <application>Linux-PAM</application> after your LFS system was completed.
37 If you have installed <application>CrackLib</application> after LFS, then
38 reinstalling <application>Shadow</application> will enable strong password
39 support. If you have installed <application>Linux-PAM</application>,
40 reinstalling <application>Shadow</application> will allow programs such as
41 <command>login</command> and <command>su</command> to utilize PAM.
42 </para>
43
44 &lfs84_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&shadow-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&shadow-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &shadow-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &shadow-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &shadow-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &shadow-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
81
82 <bridgehead renderas="sect4">Required</bridgehead>
83 <para role="required">
84 <xref linkend="linux-pam"/> or
85 <xref linkend="cracklib"/>
86 </para>
87
88 <para condition="html" role="usernotes">
89 User Notes: <ulink url="&blfs-wiki;/shadow"/>
90 </para>
91 </sect2>
92
93 <sect2 role="installation">
94 <title>Installation of Shadow</title>
95
96 <important>
97 <para>
98 The installation commands shown below are for installations where
99 <application>Linux-PAM</application> has been installed (with or
100 without a <application>CrackLib</application> installation) and
101 <application>Shadow</application> is being reinstalled to support the
102 <application>Linux-PAM</application> installation.
103 </para>
104
105 <para>
106 If you are reinstalling <application>Shadow</application> to provide
107 strong password support using the <application>CrackLib</application>
108 library without using <application>Linux-PAM</application>, ensure you
109 add the <parameter>--with-libcrack</parameter> parameter to the
110 <command>configure</command> script below and also issue the following
111 command:
112 </para>
113
114<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
115 </important>
116
117 <para>
118 Reinstall <application>Shadow</application> by running the following
119 commands:
120 </para>
121
122<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
123
124find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
125find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
126find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &amp;&amp;
127
128sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
129 -e 's@/var/spool/mail@/var/mail@' etc/login.defs &amp;&amp;
130
131sed -i 's/1000/999/' etc/useradd &amp;&amp;
132
133./configure --sysconfdir=/etc --with-group-name-max-length=32 &amp;&amp;
134make</userinput></screen>
135
136 <para>
137 This package does not come with a test suite.
138 </para>
139
140 <para>
141 Now, as the <systemitem class="username">root</systemitem> user:
142 </para>
143
144<screen role="root"><userinput>make install &amp;&amp;
145mv -v /usr/bin/passwd /bin</userinput></screen>
146 </sect2>
147
148 <sect2 role="commands">
149 <title>Command Explanations</title>
150
151 <para>
152 <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
153 is used to suppress the installation of the <command>groups</command>
154 program as the version from the <application>Coreutils</application>
155 package installed during LFS is preferred.
156 </para>
157
158 <para>
159 <command>find man -name Makefile.in -exec ... {} \;</command>: This
160 command is used to suppress the installation of the
161 <command>groups</command> man pages so the existing ones installed from
162 the <application>Coreutils</application> package are not replaced.
163 </para>
164
165 <para>
166 <command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
167 's@/var/spool/mail@/var/mail@' etc/login.defs</command>: Instead of using
168 the default 'DES' method, this command modifies the installation to use
169 the more secure 'SHA512' method of hashing passwords, which also allows
170 passwords longer than eight characters. It also changes the obsolete
171 <filename class="directory">/var/spool/mail</filename> location for user
172 mailboxes that <application>Shadow</application> uses by default to the
173 <filename class="directory">/var/mail</filename> location.
174 </para>
175
176 <para>
177 <command>sed -i 's/1000/999/' etc/useradd</command>: Make a minor change
178 to make the default useradd consistent with the LFS groups file.
179 </para>
180
181 <para>
182 <parameter>--with-group-name-max-length=32</parameter>: The maximum
183 user name is 32 characters. Make the maximum group name the same.
184 </para>
185
186 <para>
187 <command>mv -v /usr/bin/passwd /bin</command>: The
188 <command>passwd</command> program may be needed during times when the
189 <filename class='directory'>/usr</filename> filesystem is not mounted so
190 it is moved into the root partition.
191 </para>
192 </sect2>
193
194 <sect2 role="configuration">
195 <title>Configuring Shadow</title>
196
197 <para>
198 <application>Shadow</application>'s stock configuration for the
199 <command>useradd</command> utility may not be desirable for your
200 installation. One default parameter causes <command>useradd</command> to
201 create a mailbox file for any newly created user.
202 <command>useradd</command> will make the group ownership of this file to
203 the <systemitem class="groupname">mail</systemitem> group with 0660
204 permissions. If you would prefer that these mailbox files are not created
205 by <command>useradd</command>, issue the following command as the
206 <systemitem class="username">root</systemitem> user:
207 </para>
208
209<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
210 </sect2>
211
212 <sect2 role="configuration">
213 <title>Configuring Linux-PAM to Work with Shadow</title>
214
215 <note>
216 <para>
217 The rest of this page is devoted to configuring
218 <application>Shadow</application> to work properly with
219 <application>Linux-PAM</application>. If you do not have
220 <application>Linux-PAM</application> installed, and you reinstalled
221 <application>Shadow</application> to support strong passwords via the
222 <application>CrackLib</application> library, no further configuration is
223 required.
224 </para>
225 </note>
226
227 <sect3 id="pam.d">
228 <title>Config Files</title>
229
230 <para>
231 <filename>/etc/pam.d/*</filename> or alternatively
232 <filename>/etc/pam.conf</filename>,
233 <filename>/etc/login.defs</filename> and
234 <filename>/etc/security/*</filename>
235 </para>
236
237 <indexterm zone="shadow pam.d">
238 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
239 </indexterm>
240
241 <indexterm zone="shadow pam.d">
242 <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
243 </indexterm>
244
245 <indexterm zone="shadow pam.d">
246 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
247 </indexterm>
248
249 <indexterm zone="shadow pam.d">
250 <primary sortas="e-etc-security">/etc/security/*</primary>
251 </indexterm>
252 </sect3>
253
254 <sect3>
255 <title>Configuration Information</title>
256
257 <para>
258 Configuring your system to use <application>Linux-PAM</application> can
259 be a complex task. The information below will provide a basic setup so
260 that <application>Shadow</application>'s login and password
261 functionality will work effectively with
262 <application>Linux-PAM</application>. Review the information and links
263 on the <xref linkend="linux-pam"/> page for further configuration
264 information. For information specific to integrating
265 <application>Shadow</application>, <application>Linux-PAM</application>
266 and <application>CrackLib</application>, you can visit the following
267 link:
268 </para>
269
270 <itemizedlist spacing="compact">
271 <listitem>
272 <!-- New URL for the below link, according to it's author. -->
273 <para>
274 <ulink url="http://www.deer-run.com/~hal/linux_passwords_pam.html"/>
275 </para>
276 </listitem>
277 </itemizedlist>
278
279 <sect4 id="pam-login-defs">
280 <title>Configuring /etc/login.defs</title>
281
282 <para>
283 The <command>login</command> program currently performs many functions
284 which <application>Linux-PAM</application> modules should now handle.
285 The following <command>sed</command> command will comment out the
286 appropriate lines in <filename>/etc/login.defs</filename>, and stop
287 <command>login</command> from performing these functions (a backup
288 file named <filename>/etc/login.defs.orig</filename> is also created
289 to preserve the original file's contents). Issue the following
290 commands as the <systemitem class="username">root</systemitem> user:
291 </para>
292
293 <indexterm zone="shadow pam-login-defs">
294 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
295 </indexterm>
296
297<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
298for FUNCTION in FAIL_DELAY \
299 FAILLOG_ENAB \
300 LASTLOG_ENAB \
301 MAIL_CHECK_ENAB \
302 OBSCURE_CHECKS_ENAB \
303 PORTTIME_CHECKS_ENAB \
304 QUOTAS_ENAB \
305 CONSOLE MOTD_FILE \
306 FTMP_FILE NOLOGINS_FILE \
307 ENV_HZ PASS_MIN_LEN \
308 SU_WHEEL_ONLY \
309 CRACKLIB_DICTPATH \
310 PASS_CHANGE_TRIES \
311 PASS_ALWAYS_WARN \
312 CHFN_AUTH ENCRYPT_METHOD \
313 ENVIRON_FILE
314do
315 sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
316done</userinput></screen>
317 </sect4>
318
319 <sect4>
320 <title>Configuring the /etc/pam.d/ Files</title>
321
322 <para>
323 As mentioned previously in the <application>Linux-PAM</application>
324 instructions, <application>Linux-PAM</application> has two supported
325 methods for configuration. The commands below assume that you've
326 chosen to use a directory based configuration, where each program has
327 its own configuration file. You can optionally use a single
328 <filename>/etc/pam.conf</filename> configuration file by using the
329 text from the files below, and supplying the program name as an
330 additional first field for each line.
331 </para>
332
333 <para>
334 As the <systemitem class="username">root</systemitem> user, replace
335 the following <application>Linux-PAM</application> configuration files
336 in the <filename class="directory">/etc/pam.d/</filename> directory
337 (or add the contents to the <filename>/etc/pam.conf</filename> file)
338 using the following commands:
339 </para>
340 </sect4>
341
342 <sect4>
343 <title>'login'</title>
344
345<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
346<literal># Begin /etc/pam.d/login
347
348# Set failure delay before next prompt to 3 seconds
349auth optional pam_faildelay.so delay=3000000
350
351# Check to make sure that the user is allowed to login
352auth requisite pam_nologin.so
353
354# Check to make sure that root is allowed to login
355# Disabled by default. You will need to create /etc/securetty
356# file for this module to function. See man 5 securetty.
357#auth required pam_securetty.so
358
359# Additional group memberships - disabled by default
360#auth optional pam_group.so
361
362# include system auth settings
363auth include system-auth
364
365# check access for the user
366account required pam_access.so
367
368# include system account settings
369account include system-account
370
371# Set default environment variables for the user
372session required pam_env.so
373
374# Set resource limits for the user
375session required pam_limits.so
376
377# Display date of last login - Disabled by default
378#session optional pam_lastlog.so
379
380# Display the message of the day - Disabled by default
381#session optional pam_motd.so
382
383# Check user's mail - Disabled by default
384#session optional pam_mail.so standard quiet
385
386# include system session and password settings
387session include system-session
388password include system-password
389
390# End /etc/pam.d/login</literal>
391EOF</userinput></screen>
392 </sect4>
393
394 <sect4>
395 <title>'passwd'</title>
396
397<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
398<literal># Begin /etc/pam.d/passwd
399
400password include system-password
401
402# End /etc/pam.d/passwd</literal>
403EOF</userinput></screen>
404 </sect4>
405
406 <sect4>
407 <title>'su'</title>
408
409<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
410<literal># Begin /etc/pam.d/su
411
412# always allow root
413auth sufficient pam_rootok.so
414
415# Allow users in the wheel group to execute su without a password
416# disabled by default
417#auth sufficient pam_wheel.so trust use_uid
418
419# include system auth settings
420auth include system-auth
421
422# limit su to users in the wheel group
423auth required pam_wheel.so use_uid
424
425# include system account settings
426account include system-account
427
428# Set default environment variables for the service user
429session required pam_env.so
430
431# include system session settings
432session include system-session
433
434# End /etc/pam.d/su</literal>
435EOF</userinput></screen>
436 </sect4>
437
438 <sect4>
439 <title>'chage'</title>
440
441<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
442<literal># Begin /etc/pam.d/chage
443
444# always allow root
445auth sufficient pam_rootok.so
446
447# include system auth, account, and session settings
448auth include system-auth
449account include system-account
450session include system-session
451
452# Always permit for authentication updates
453password required pam_permit.so
454
455# End /etc/pam.d/chage</literal>
456EOF</userinput></screen>
457 </sect4>
458
459 <sect4>
460 <title>Other common programs</title>
461 <!--<title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 'groupdel',
462 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
463 'usermod'</title>-->
464
465<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
466 groupmems groupmod newusers useradd userdel usermod
467do
468 install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
469 sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
470done</userinput></screen>
471
472 <para revision="systemd">Because the installation of
473 <application>systemd</application> is not yet complete, you will need
474 to remove the <filename>/run/nologin</filename> file before testing the
475 installation. Execute the following command as the
476 <systemitem class="username">root</systemitem> user:</para>
477
478<screen role="root" revision="systemd"><userinput>rm -f /run/nologin</userinput></screen>
479
480 <warning>
481 <para>
482 At this point, you should do a simple test to see if
483 <application>Shadow</application> is working as expected. Open
484 another terminal and log in as a user, then <command>su</command> to
485 <systemitem class="username">root</systemitem>. If you do not see
486 any errors, then all is well and you should proceed with the rest of
487 the configuration. If you did receive errors, stop now and double
488 check the above configuration files manually. You can also run the
489 test suite from the <application>Linux-PAM</application> package to
490 assist you in determining the problem. If you cannot find and fix
491 the error, you should recompile <application>Shadow</application>
492 adding the <option>--without-libpam</option> switch to the
493 <command>configure</command> command in the above instructions (also
494 move the <filename>/etc/login.defs.orig</filename> backup file to
495 <filename>/etc/login.defs</filename>). If you fail to do this and
496 the errors remain, you will be unable to log into your system.
497 </para>
498 </warning>
499 </sect4>
500
501 <sect4 id="pam-access">
502 <title>Configuring Login Access</title>
503
504 <para>
505 Instead of using the <filename>/etc/login.access</filename> file for
506 controlling access to the system, <application>Linux-PAM</application>
507 uses the <filename class='libraryfile'>pam_access.so</filename> module
508 along with the <filename>/etc/security/access.conf</filename> file.
509 Rename the <filename>/etc/login.access</filename> file using the
510 following command:
511 </para>
512
513 <indexterm zone="shadow pam-access">
514 <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
515 </indexterm>
516
517<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
518 </sect4>
519
520 <sect4 id="pam-limits">
521 <title>Configuring Resource Limits</title>
522
523 <para>
524 Instead of using the <filename>/etc/limits</filename> file for
525 limiting usage of system resources,
526 <application>Linux-PAM</application> uses the
527 <filename class='libraryfile'>pam_limits.so</filename> module along
528 with the <filename>/etc/security/limits.conf</filename> file. Rename
529 the <filename>/etc/limits</filename> file using the following command:
530 </para>
531
532 <indexterm zone="shadow pam-limits">
533 <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
534 </indexterm>
535
536<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>
537
538 <caution><para>Be sure to test the login capabilities of the system
539 before logging out. Errors in the configuration can cause a permanent
540 lockout requiring a boot from an external source to correct the
541 problem.</para></caution>
542
543 </sect4>
544 </sect3>
545
546 </sect2>
547
548 <sect2 role="content">
549 <title>Contents</title>
550
551 <para>
552 A list of the installed files, along with their short descriptions can be
553 found at
554 <phrase revision="sysv">
555 <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/></phrase>
556 <phrase revision="systemd">
557 <ulink url="&lfs-rootd;/chapter06/shadow.html#contents-shadow"/></phrase>.
558 </para>
559
560 </sect2>
561
562</sect1>
Note: See TracBrowser for help on using the repository browser.