source: postlfs/security/shadow.xml@ 49ee2def

Last change on this file since 49ee2def was 49ee2def, checked in by Bruce Dubbs <bdubbs@…>, 8 years ago

Sync shadow with LFS

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@13254 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY shadow-download-http "http://pkg-shadow.alioth.debian.org/releases/shadow-&shadow-version;.tar.xz">
  <!ENTITY shadow-download-ftp " ">
  <!ENTITY shadow-md5sum "2bfafe7d4962682d31b5eba65dba4fc8">
  <!ENTITY shadow-size "1.5 MB">
  <!ENTITY shadow-buildsize "53 MB">
  <!ENTITY shadow-time "0.2 SBU">
]>

<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
  <?dbhtml filename="shadow.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Shadow-&shadow-version;</title>

  <indexterm zone="shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Shadow</title>

    <para>
      <application>Shadow</application> was indeed installed in LFS and there is
      no reason to reinstall it unless you installed
      <application>CrackLib</application> or
      <application>Linux-PAM</application> after your LFS system was completed.
      If you have installed <application>CrackLib</application> after LFS, then
      reinstalling <application>Shadow</application> will enable strong password
      support. If you have installed <application>Linux-PAM</application>,
      reinstalling <application>Shadow</application> will allow programs such as
      <command>login</command> and <command>su</command> to utilize PAM.
    </para>

    &lfs75_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&shadow-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&shadow-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &shadow-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &shadow-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &shadow-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &shadow-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="linux-pam"/> or
      <xref linkend="cracklib"/>
    </para>

    <para condition="html" role="usernotes">
      User Notes: <ulink url="&blfs-wiki;/shadow"/>
    </para>
  </sect2>
92
  <sect2 role="installation">
    <title>Installation of Shadow</title>

    <important>
      <para>
        The installation commands shown below are for installations where
        <application>Linux-PAM</application> has been installed (with or
        without a <application>CrackLib</application> installation) and
        <application>Shadow</application> is being reinstalled to support the
        <application>Linux-PAM</application> installation.
      </para>

      <para>
        If you are reinstalling <application>Shadow</application> to provide
        strong password support using the <application>CrackLib</application>
        library without using <application>Linux-PAM</application>, ensure you
        add the <parameter>--with-libcrack</parameter> parameter to the
        <command>configure</command> script below and also issue the following
        command:
      </para>

<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
    </important>

    <para>
      Reinstall <application>Shadow</application> by running the following
      commands:
    </para>

<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;

sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
       -e 's@/var/spool/mail@/var/mail@' etc/login.defs &amp;&amp;

sed -i 's/1000/999/' etc/useradd &amp;&amp;

./configure --sysconfdir=/etc --with-group-name-max-length=32 &amp;&amp;
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
mv -v /usr/bin/passwd /bin</userinput></screen>
  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
      is used to suppress the installation of the <command>groups</command>
      program as the version from the <application>Coreutils</application>
      package installed during LFS is preferred.
    </para>

    <para>
      <command>find man -name Makefile.in -exec ... {} \;</command>: This
      command is used to suppress the installation of the
      <command>groups</command> man pages so the existing ones installed from
      the <application>Coreutils</application> package are not replaced.
    </para>

    <para>
      <command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
      's@/var/spool/mail@/var/mail@' etc/login.defs</command>: Instead of using
      the default 'DES' method, this command modifies the installation to use
      the more secure 'SHA512' method of hashing passwords, which also allows
      passwords longer than eight characters. It also changes the obsolete
      <filename class="directory">/var/spool/mail</filename> location for user
      mailboxes that <application>Shadow</application> uses by default to the
      <filename class="directory">/var/mail</filename> location.
    </para>

    <para>
      <command>sed -i 's/1000/999/' etc/useradd</command>: A minor change so
      that the <command>useradd</command> defaults are consistent with the LFS
      groups file.
    </para>

    <para>
      <option>--with-group-name-max-length=32</option>: The maximum user name is
      32 characters. Make the maximum group name the same.
    </para>

    <para>
      <command>mv -v /usr/bin/passwd /bin</command>: The
      <command>passwd</command> program may be needed during times when the
      <filename class='directory'>/usr</filename> filesystem is not mounted, so
      it is moved into the root partition.
    </para>
  </sect2>
190
  <sect2 role="configuration">
    <title>Configuring Shadow</title>

    <para>
      <application>Shadow</application>'s stock configuration for the
      <command>useradd</command> utility may not be desirable for your
      installation. One default parameter causes <command>useradd</command> to
      create a mailbox file for any newly created user.
      <command>useradd</command> will set the group ownership of this file to
      the <systemitem class="groupname">mail</systemitem> group with 0660
      permissions. If you would prefer that these mailbox files are not created
      by <command>useradd</command>, issue the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
  </sect2>
208
  <sect2 role="configuration">
    <title>Configuring Linux-PAM to Work with Shadow</title>

    <note>
      <para>
        The rest of this page is devoted to configuring
        <application>Shadow</application> to work properly with
        <application>Linux-PAM</application>. If you do not have
        <application>Linux-PAM</application> installed, and you reinstalled
        <application>Shadow</application> to support strong passwords via the
        <application>CrackLib</application> library, no further configuration is
        required.
      </para>
    </note>

    <sect3 id="pam.d">
      <title>Config Files</title>

      <para>
        <filename>/etc/pam.d/*</filename> or alternatively
        <filename>/etc/pam.conf</filename>,
        <filename>/etc/login.defs</filename> and
        <filename>/etc/security/*</filename>
      </para>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-security">/etc/security/*</primary>
      </indexterm>
    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        Configuring your system to use <application>Linux-PAM</application> can
        be a complex task. The information below will provide a basic setup so
        that <application>Shadow</application>'s login and password
        functionality will work effectively with
        <application>Linux-PAM</application>. Review the information and links
        on the <xref linkend="linux-pam"/> page for further configuration
        information. For information specific to integrating
        <application>Shadow</application>, <application>Linux-PAM</application>
        and <application>CrackLib</application>, you can visit the following
        link:
      </para>

      <itemizedlist spacing="compact">
        <listitem>
          <para>
            <ulink url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/>
          </para>
        </listitem>
      </itemizedlist>

      <sect4 id="pam-login-defs">
        <title>Configuring /etc/login.defs</title>

        <para>
          The <command>login</command> program currently performs many functions
          which <application>Linux-PAM</application> modules should now handle.
          The following <command>sed</command> command will comment out the
          appropriate lines in <filename>/etc/login.defs</filename>, and stop
          <command>login</command> from performing these functions (a backup
          file named <filename>/etc/login.defs.orig</filename> is also created
          to preserve the original file's contents). Issue the following
          commands as the <systemitem class="username">root</systemitem> user:
        </para>

        <indexterm zone="shadow pam-login-defs">
          <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
        </indexterm>

<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
for FUNCTION in FAIL_DELAY \
                FAILLOG_ENAB \
                LASTLOG_ENAB \
                MAIL_CHECK_ENAB \
                OBSCURE_CHECKS_ENAB \
                PORTTIME_CHECKS_ENAB \
                QUOTAS_ENAB \
                CONSOLE MOTD_FILE \
                FTMP_FILE NOLOGINS_FILE \
                ENV_HZ PASS_MIN_LEN \
                SU_WHEEL_ONLY \
                CRACKLIB_DICTPATH \
                PASS_CHANGE_TRIES \
                PASS_ALWAYS_WARN \
                CHFN_AUTH ENCRYPT_METHOD \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
done</userinput></screen>
      </sect4>

      <sect4>
        <title>Configuring the /etc/pam.d/ Files</title>

        <para>
          As mentioned previously in the <application>Linux-PAM</application>
          instructions, <application>Linux-PAM</application> has two supported
          methods for configuration. The commands below assume that you've
          chosen to use a directory-based configuration, where each program has
          its own configuration file. You can optionally use a single
          <filename>/etc/pam.conf</filename> configuration file by using the
          text from the files below, and supplying the program name as an
          additional first field for each line.
        </para>

        <para>
          As the <systemitem class="username">root</systemitem> user, replace
          the following <application>Linux-PAM</application> configuration files
          in the <filename class="directory">/etc/pam.d/</filename> directory
          (or add the contents to the <filename>/etc/pam.conf</filename> file)
          using the following commands:
        </para>
      </sect4>
337
      <sect4>
        <title>'system-account'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-account

account   required    pam_unix.so

# End /etc/pam.d/system-account</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'system-auth'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-auth

auth      required    pam_unix.so

# End /etc/pam.d/system-auth</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'system-passwd' (with cracklib)</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-password

# check new passwords for strength (man pam_cracklib)
password  required    pam_cracklib.so   type=Linux retry=3 difok=5 \
                                        difignore=23 minlen=9 dcredit=1 \
                                        ucredit=1 lcredit=1 ocredit=1 \
                                        dictpath=/lib/cracklib/pw_dict
# use sha512 hash for encryption, use shadow, and use the
# authentication token (chosen password) set by pam_cracklib
# above (or any previous modules)
password  required    pam_unix.so       sha512 shadow use_authtok

# End /etc/pam.d/system-password</literal>
EOF</userinput></screen>

        <note>
          <para>
            In its default configuration, owing to credits, pam_cracklib will
            allow mixed-case passwords as short as 6 characters, even with
            the <parameter>minlen</parameter> value set to 11. You should review
            the pam_cracklib(8) man page and determine if these default values
            are acceptable for the security of your system.
          </para>
        </note>
      </sect4>
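      <para>
        The note above is easiest to judge with the arithmetic in front of you.
        The following Python program is an added example, not part of this page
        or of Linux-PAM: it re-implements, in simplified form, the
        credit-adjusted length test that pam_cracklib(8) describes (each
        character class present in the password earns up to its credit value
        in extra length; a negative credit instead demands that many characters
        of the class and earns nothing), using the minlen and credit values
        from the system-password file above. It models only that length test,
        not the dictionary, similarity or palindrome checks that the real
        module also applies, so the true accepted minimum can differ; the names
        PAGE_PARAMS, class_counts, length_ok and effective_minimum are this
        example's own.
      </para>

```python
"""Simplified model of pam_cracklib's credit-adjusted length test.

Added example; not part of the BLFS page or of the Linux-PAM sources.
"""
import string

# Parameters taken from the page's system-password file (cracklib variant).
PAGE_PARAMS = dict(minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1)


def class_counts(password):
    """Count characters in each of pam_cracklib's four classes."""
    digits = sum(c in string.digits for c in password)
    uppers = sum(c in string.ascii_uppercase for c in password)
    lowers = sum(c in string.ascii_lowercase for c in password)
    others = len(password) - digits - uppers - lowers
    return {"d": digits, "u": uppers, "l": lowers, "o": others}


def length_ok(password, minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Credit-adjusted length test (model of pam_cracklib's simple() check).

    A positive credit N lets up to N characters of that class count twice,
    so the required length drops by that many.  A negative credit -N is the
    "minimum count" form: the class must occur at least N times and earns
    no credit.  Dictionary and similarity checks are not modelled here.
    """
    counts = class_counts(password)
    credits = {"d": dcredit, "u": ucredit, "l": lcredit, "o": ocredit}
    required = minlen
    for cls, credit in credits.items():
        if credit >= 0:
            required -= min(counts[cls], credit)
        elif -credit > counts[cls]:
            return False          # class demanded N times, seen fewer
    return len(password) >= required


def effective_minimum(minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Shortest password length that can pass length_ok() with these credits.

    This is the figure to compare with your password policy: once credits
    apply it sits well below minlen, which is the point the page's note makes.
    """
    total = sum(c for c in (dcredit, ucredit, lcredit, ocredit) if c > 0)
    length = 0
    # A password of `length` characters earns at most min(length, total)
    # credits (one per credited character), so grow until the sum reaches minlen.
    while minlen > length + min(length, total):
        length += 1
    return length


if __name__ == "__main__":
    for pw in ("Ab1!x", "abcdefgh", "abcdefg"):
        print(f"{pw!r:14} passes with the page's settings: {length_ok(pw, **PAGE_PARAMS)}")
    print("effective minimum with the page's settings:", effective_minimum(**PAGE_PARAMS))
    strict = dict(minlen=12, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1)
    print("effective minimum with every class required:", effective_minimum(**strict))
```

      <para>
        With minlen=9 and one credit per class, a five-character password
        mixing all four classes passes the length test, as does an
        eight-character all-lowercase one. Setting each credit to 0 makes
        minlen the real floor again, and a negative credit additionally
        requires the class to be present, which is the usual way to turn the
        module from a length heuristic into an enforceable policy.
      </para>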
391
      <sect4>
        <title>'system-passwd' (without cracklib)</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-password

# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password  required    pam_unix.so       sha512 shadow try_first_pass

# End /etc/pam.d/system-password</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'system-session'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-session

session   required    pam_unix.so

# End /etc/pam.d/system-session</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'login'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth      required    pam_securetty.so

# Additional group memberships - disabled by default
#auth      optional    pam_group.so

# include the default auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include the default account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display date of last login - Disabled by default
#session   optional    pam_lastlog.so

# Display the message of the day - Disabled by default
#session   optional    pam_motd.so

# Check user's mail - Disabled by default
#session   optional    pam_mail.so       standard quiet

# include the default session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'passwd'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'su'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/su</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'chage'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system defaults for auth account and session
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required    pam_permit.so

# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>Other common programs</title>
        <!--<title>'chfn', 'chgpasswd', 'chpasswd', 'chsh', 'groupadd', 'groupdel',
        'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
        'usermod'</title>-->

<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done</userinput></screen>

        <warning>
          <para>
            At this point, you should do a simple test to see if
            <application>Shadow</application> is working as expected. Open
            another terminal and log in as a user, then <command>su</command> to
            <systemitem class="username">root</systemitem>. If you do not see
            any errors, then all is well and you should proceed with the rest of
            the configuration. If you did receive errors, stop now and double
            check the above configuration files manually. You can also run the
            test suite from the <application>Linux-PAM</application> package to
            assist you in determining the problem. If you cannot find and fix
            the error, you should recompile <application>Shadow</application>
            adding the <option>--without-libpam</option> switch to the
            <command>configure</command> command in the above instructions (also
            move the <filename>/etc/login.defs.orig</filename> backup file to
            <filename>/etc/login.defs</filename>). If you fail to do this and
            the errors remain, you will be unable to log into your system.
          </para>
        </warning>
      </sect4>
559
      <sect4>
        <title>Other</title>

        <para>
          Currently, <filename>/etc/pam.d/other</filename> is configured to
          allow anyone with an account on the machine to use PAM-aware programs
          without a configuration file for that program. After testing
          <application>Linux-PAM</application> for proper configuration, install
          a more restrictive <filename>other</filename> file so that
          program-specific configuration files are required:
        </para>

<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/other

auth      required    pam_warn.so
auth      required    pam_deny.so
account   required    pam_warn.so
account   required    pam_deny.so
password  required    pam_warn.so
password  required    pam_deny.so
session   required    pam_warn.so
session   required    pam_deny.so

# End /etc/pam.d/other</literal>
EOF</userinput></screen>
      </sect4>
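      <para>
        Two of the steps above lend themselves to a small tool. The earlier
        paragraph on the /etc/pam.d/ files says that a single /etc/pam.conf can
        be built from the same text by supplying the program name as an
        additional first field, and the restrictive other file only does its
        job if every management group really carries pam_deny.so. The Python
        program below is an added example, not part of this page or of
        Linux-PAM. It parses pam.d-style text (comments, blank lines, backslash
        continuations and bracketed control values), renders a set of service
        files as pam.conf lines, and reports whether an other file denies all
        four management groups. The sample files are constructed inline from
        trimmed copies of the page's own configurations, plus a constructed
        permissive other file standing in for the default the page tells you
        to replace; the names parse_pamd, pamd_to_pamconf and
        other_is_restrictive are this example's own.
      </para>

```python
"""pam.d helpers: render service files as pam.conf lines and audit 'other'.

Added example; not part of the BLFS page or of the Linux-PAM sources.
"""

STACKS = ("auth", "account", "password", "session")

# Constructed sample input: trimmed copies of files this page installs.
SAMPLE_PAMD = {
    "system-auth": "# Begin /etc/pam.d/system-auth\n\nauth required pam_unix.so\n",
    "system-password": (
        "# check new passwords for strength (man pam_cracklib)\n"
        "password required pam_cracklib.so type=Linux retry=3 difok=5 \\\n"
        "    difignore=23 minlen=9 dcredit=1 \\\n"
        "    ucredit=1 lcredit=1 ocredit=1 \\\n"
        "    dictpath=/lib/cracklib/pw_dict\n"
        "password required pam_unix.so sha512 shadow use_authtok\n"
    ),
    "su": (
        "# always allow root\n"
        "auth sufficient pam_rootok.so\n"
        "auth include system-auth\n"
        "account include system-account\n"
        "session required pam_env.so\n"
        "session include system-session\n"
    ),
}

# The restrictive 'other' file from the page, and a constructed permissive one
# that lets any account through, standing in for a default to be replaced.
RESTRICTIVE_OTHER = "".join(
    f"{s} required pam_warn.so\n{s} required pam_deny.so\n" for s in STACKS)
PERMISSIVE_OTHER = "".join(f"{s} required pam_unix.so\n" for s in STACKS)


def split_fields(logical):
    """Split a logical line into fields, keeping a bracketed control value
    such as [success=1 default=ignore] together as one field."""
    fields, bracket = [], None
    for tok in logical.split():
        if bracket is not None:
            bracket.append(tok)
            if tok.endswith("]"):
                fields.append(" ".join(bracket))
                bracket = None
        elif tok.startswith("[") and not tok.endswith("]"):
            bracket = [tok]
        else:
            fields.append(tok)
    return fields


def parse_pamd(text):
    """Parse one /etc/pam.d/SERVICE file into (type, control, module, args)
    tuples.  '#' starts a comment, blank lines are skipped and a trailing
    backslash joins the next line, as pam.conf(5) describes."""
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        fields = split_fields(logical + line)
        logical = ""
        if not fields:
            continue
        if len(fields) > 2:
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
        else:
            raise ValueError(f"malformed PAM line: {raw!r}")
    return entries


def pamd_to_pamconf(services):
    """Render {service: file text} as /etc/pam.conf lines: the service name
    becomes the additional first field of every entry."""
    lines = []
    for service in sorted(services):
        for mtype, control, module, args in parse_pamd(services[service]):
            lines.append(" ".join([service, mtype, control, module] + args))
    return "\n".join(lines) + "\n"


def other_is_restrictive(text):
    """True when every management group in an 'other' file carries a
    required or requisite pam_deny.so, so that a program without its own
    file is refused instead of silently admitted."""
    entries = parse_pamd(text)
    for stack in STACKS:
        denies = [control for mtype, control, module, _ in entries
                  if mtype.lstrip("-") == stack and module == "pam_deny.so"]
        if not any(c in ("required", "requisite") for c in denies):
            return False
    return True


if __name__ == "__main__":
    print(pamd_to_pamconf(SAMPLE_PAMD))
    print("page's other file is restrictive:", other_is_restrictive(RESTRICTIVE_OTHER))
    print("permissive other file is restrictive:", other_is_restrictive(PERMISSIVE_OTHER))
```

      <para>
        Point parse_pamd at the real files under /etc/pam.d/ to get the same
        checks on a live system; include directives are kept as they are,
        since pam.conf resolves them against the other service entries in the
        same file. A sensible follow-up check is that every PAM-aware program
        installed by the loop above has a file of its own, because once other
        denies everything a missing file means a refused login rather than a
        permissive fallback.
      </para>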
587
      <sect4 id="pam-access">
        <title>Configuring Login Access</title>

        <para>
          Instead of using the <filename>/etc/login.access</filename> file for
          controlling access to the system, <application>Linux-PAM</application>
          uses the <filename class='libraryfile'>pam_access.so</filename> module
          along with the <filename>/etc/security/access.conf</filename> file.
          Rename the <filename>/etc/login.access</filename> file using the
          following command:
        </para>

        <indexterm zone="shadow pam-access">
          <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
      </sect4>

      <sect4 id="pam-limits">
        <title>Configuring Resource Limits</title>

        <para>
          Instead of using the <filename>/etc/limits</filename> file for
          limiting usage of system resources,
          <application>Linux-PAM</application> uses the
          <filename class='libraryfile'>pam_limits.so</filename> module along
          with the <filename>/etc/security/limits.conf</filename> file. Rename
          the <filename>/etc/limits</filename> file using the following command:
        </para>

        <indexterm zone="shadow pam-limits">
          <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>
      </sect4>
    </sect3>
  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <para>
      A list of the installed files, along with their short descriptions can be
      found at <ulink url="http://www.linuxfromscratch.org/lfs/view/&lfs-version;/chapter06/shadow.html#contents-shadow"/>.
    </para>

  </sect2>

</sect1>