Context Navigation

shadow.xml@ 39975e9

Visit:

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 39975e9 was 39975e9, checked in by Randy McMurchy <randy@…>, 20 years ago

Fixed Shadow instructions to build using GCC-3.4.x, added moving /usr/bin/passwd to /bin and added some cracklib notes

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2483 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 8.0 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6	]>
7
8	<sect1 id="shadow">
9	<?dbhtml filename="shadow.html"?>
10	<title>Shadow-&shadow-version;</title>
11
12	<!--
13	<sect2>
14	<title>Configuring shadow</title>
15
16	<para>Shadow's Configuration File</para>
17
18	<para><userinput>/etc/login.defs</userinput></para>
19
20	<para>Enabling <acronym>MD</acronym>5 Passwords</para>
21
22	<para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
23	<filename>login.defs</filename> file that reads:
24	<screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
25	to read:
26	<screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
27	Passwords created after this change will be encrypted using
28	<acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
29	<acronym>DES</acronym> encryption.
30	</para>
31	</sect2>
32	-->
33
34	<sect2>
35	<title>Introduction to <application>Shadow</application></title>
36
37	<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
38	no reason to reinstall it unless you installed
39	<application>Linux-<acronym>PAM</acronym></application>. If you did,
40	this will allow programs like <command>login</command> and
41	<command>su</command> to utilize
42	<acronym>PAM</acronym>.</para>
43
44	<sect3><title>Additional downloads</title>
45	<itemizedlist spacing='compact'>
46	<listitem><para>Patch to fix linking against PAM:
47	<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
48	</itemizedlist>
49	</sect3>
50
51	<sect3><title><application>Shadow</application> dependencies</title>
52	<sect4><title>Required</title>
53	<para><xref linkend="Linux_PAM"/></para></sect4>
54	</sect3>
55	</sect2>
56
57	<sect2>
58	<title>Installation of <application>Shadow</application></title>
59
60	<para>Reinstall <application>Shadow</application> by running the following
61	commands:</para>
62
63	<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &&
64	LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
65	--enable-shared --with-libpam --without-libcrack &&
66	echo '#define HAVE_SETLOCALE 1' >> config.h &&
67	sed -i '/extern char/d' libmisc/xmalloc.c &&
68	make &&
69	make install &&
70	mv /bin/sg /usr/bin &&
71	mv /bin/vigr /usr/sbin &&
72	mv /usr/bin/passwd /bin &&
73	rm /bin/groups &&
74	mv /usr/lib/lib{misc,shadow}.so.0* /lib &&
75	ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
76	ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
77
78	</sect2>
79
80	<sect2>
81	<title>Command explanations</title>
82
83	<para><parameter>--without-libcrack</parameter>: This switch tells
84	<application>Shadow</application> not to use
85	<filename class='libraryfile'>libcrack</filename>. This is desired as
86	<application>Linux-<acronym>PAM</acronym></application> already contains
87	<filename class='libraryfile'>libcrack</filename>.</para>
88
89	<para><command>sed -i '/extern char/d' libmisc/xmalloc.c</command>: This
90	fixes a compilation problem when using <application>GCC</application>-3.4.x.
91	</para>
92
93	<!-- Leftover from older instructions????
94	<para><command>cp debian/securetty /etc/securetty</command>: This
95	command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
96	-->
97
98	</sect2>
99
100	<sect2>
101	<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to work
102	with <application>Shadow</application></title>
103
104	<sect3><title>Config files</title>
105	<para><filename>/etc/pam.d/login</filename>,
106	<filename>/etc/pam.d/passwd</filename>,
107	<filename>/etc/pam.d/su</filename>,
108	<filename>/etc/pam.d/shadow</filename>,
109	<filename>/etc/pam.d/useradd</filename>, and
110	<filename>/etc/pam.d/chage</filename> –
111	alternatively, <filename>/etc/pam.conf</filename></para>
112	</sect3>
113
114	<sect3><title>Configuration Information</title>
115
116	<para>Add the following <application>Linux-<acronym>PAM</acronym></application>
117	configuration files to <filename class="directory">/etc/pam.d/</filename> (or
118	add them to <filename>/etc/pam.conf</filename> with the additional field for
119	the program).</para>
120
121	<screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command>
122	# Begin /etc/pam.d/login
123
124	auth requisite pam_securetty.so
125	auth requisite pam_nologin.so
126	auth required pam_env.so
127	auth required pam_unix.so
128	account required pam_access.so
129	account required pam_unix.so
130	session required pam_motd.so
131	session required pam_limits.so
132	session optional pam_mail.so dir=/var/mail standard
133	session optional pam_lastlog.so
134	session required pam_unix.so
135
136	# End /etc/pam.d/login
137	<command>EOF
138	cat > /etc/pam.d/passwd << "EOF"</command>
139	# Begin /etc/pam.d/passwd
140
141	password required pam_unix.so md5 shadow
142
143	# End /etc/pam.d/passwd
144	<command>EOF
145	cat > /etc/pam.d/shadow << "EOF"</command>
146	# Begin /etc/pam.d/shadow
147
148	auth sufficient pam_rootok.so
149	auth required pam_unix.so
150	account required pam_unix.so
151	session required pam_unix.so
152	password required pam_permit.so
153
154	# End /etc/pam.d/shadow
155	<command>EOF
156	cat > /etc/pam.d/su << "EOF"</command>
157	# Begin /etc/pam.d/su
158
159	auth sufficient pam_rootok.so
160	auth required pam_unix.so
161	account required pam_unix.so
162	session required pam_unix.so
163
164	# End /etc/pam.d/su
165	<command>EOF
166	cat > /etc/pam.d/useradd << "EOF"</command>
167	# Begin /etc/pam.d/useradd
168
169	auth sufficient pam_rootok.so
170	auth required pam_unix.so
171	account required pam_unix.so
172	session required pam_unix.so
173	password required pam_permit.so
174
175	# End /etc/pam.d/useradd
176	<command>EOF
177	cat > /etc/pam.d/chage << "EOF"</command>
178	# Begin /etc/pam.d/chage
179
180	auth sufficient pam_rootok.so
181	auth required pam_unix.so
182	account required pam_unix.so
183	session required pam_unix.so
184	password required pam_permit.so
185
186	# End /etc/pam.d/chage
187	<command>EOF</command></userinput></screen>
188
189	<note><para>If you've installed <application>cracklib</application>, replace
190	<filename>/etc/pam.d/passwd</filename> with the following:</para></note>
191	<screen><userinput><command>cat > /etc/pam.d/passwd << "EOF"</command>
192	# Begin /etc/pam.d/passwd
193
194	password required pam_cracklib.so \
195	retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
196	password required pam_unix.so md5 shadow use_authtok
197
198	# End /etc/pam.d/passwd
199	<command>EOF</command></userinput></screen>
200
201	<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
202	allow anyone with an account on the machine to use programs
203	that do not specifically have a configuration file of their own. After
204	testing <application>Linux-<acronym>PAM</acronym></application> for proper
205	configuration, it can be changed to the following:</para>
206
207	<screen><userinput><command>cat > /etc/pam.d/other << "EOF"</command>
208	# Begin /etc/pam.d/other
209
210	auth required pam_deny.so
211	auth required pam_warn.so
212	account required pam_deny.so
213	session required pam_deny.so
214	password required pam_deny.so
215	password required pam_warn.so
216
217	# End /etc/pam.d/other
218	<command>EOF</command></userinput></screen>
219
220	<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
221	to the beginning of the following lines:</para>
222	<screen>LASTLOG_ENAB
223	MAIL_CHECK_ENAB
224	PORTTIME_CHECKS_ENAB
225	CONSOLE
226	MOTD_FILE
227	NOLOGINS_FILE
228	PASS_MIN_LEN
229	SU_WHEEL_ONLY
230	MD5_CRYPT_ENAB
231	CONSOLE_GROUPS
232	ENVIRON_FILE</screen>
233
234	<para>This stops <command>login</command> from performing these functions, as
235	they will now be performed by <acronym>PAM</acronym> modules. Additionally,
236	add a '#' to the beginning of the following lines if you've installed
237	<application>cracklib</application>:</para>
238	<screen>OBSCURE_CHECKS_ENAB
239	CRACKLIB_DICTPATH
240	PASS_CHANGE_TRIES
241	PASS_ALWAYS_WARN</screen>
242
243	</sect3>
244
245	</sect2>
246
247	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/shadow.xml@ 39975e9

Download in other formats: