source: postlfs/security/shadow.xml@ 4fcf20a5

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY shadow-download-http " ">
  <!ENTITY shadow-download-ftp  "ftp://ftp.pld.org.pl/software/shadow/shadow-&shadow-version;.tar.bz2">
  <!ENTITY shadow-md5sum        "89ebec0d1c0d861a5bd5c4c63e5cb0cc">
  <!ENTITY shadow-size          "1.0 MB">
  <!ENTITY shadow-buildsize     "13.2 MB">
  <!ENTITY shadow-time          "0.31 SBU">
]>

<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="shadow.html"?>
<title>Shadow-&shadow-version;</title>
<indexterm zone="shadow">
<primary sortas="a-Shadow">Shadow</primary></indexterm>

<sect2>
<title>Introduction to <application>Shadow</application></title>

<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
no reason to reinstall it unless you installed
<application>Linux-<acronym>PAM</acronym></application>.  If you did,
this will allow programs like <command>login</command> and
<command>su</command> to utilize
<acronym>PAM</acronym>.</para>

<sect3><title>Package information</title>
<itemizedlist spacing="compact">
<listitem><para>Download (HTTP): 
<ulink url="&shadow-download-http;"/></para></listitem>
<listitem><para>Download (FTP): 
<ulink url="&shadow-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: 
&shadow-md5sum;</para></listitem>
<listitem><para>Download size: 
&shadow-size;</para></listitem>
<listitem><para>Estimated disk space required: 
&shadow-buildsize;</para></listitem>
<listitem><para>Estimated build time: 
&shadow-time;</para></listitem></itemizedlist>
</sect3>

<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Patch to fix a bug in the <command>lastlog</command> program: 
<ulink url="&patch-root;/shadow-&shadow-version;-fix_lastlog-1.patch"/></para>
</listitem>
</itemizedlist>
</sect3>

<sect3><title><application>Shadow</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="Linux_PAM"/></para>
</sect4>
</sect3>

</sect2>

<sect2>
<title>Installation of <application>Shadow</application></title>

<para>Reinstall <application>Shadow</application> by running the following 
commands:</para>

<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-fix_lastlog-1.patch &amp;&amp;
./configure --libdir=/usr/lib --enable-shared \
    --with-libpam --without-libcrack &amp;&amp;
sed -i 's/groups$(EXEEXT) //' src/Makefile &amp;&amp;
sed -i '/groups/d' man/Makefile &amp;&amp;
make</command></userinput></screen>

<para>Now, as the root user:</para>

<screen><userinput role='root'><command>make install &amp;&amp;
mv -v /usr/bin/passwd /bin &amp;&amp;
mv -v /lib/libshadow.*a /usr/lib &amp;&amp;
rm -v /lib/libshadow.so &amp;&amp;
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</command></userinput></screen>

</sect2>

<sect2>
<title>Command explanations</title>

<para><parameter>--without-libcrack</parameter>: This switch tells 
<application>Shadow</application> not to use 
<filename class='libraryfile'>libcrack</filename>. This is desired as
<application>Linux-<acronym>PAM</acronym></application> already contains 
<filename class='libraryfile'>libcrack</filename>.</para>

<para><command>sed -i ...</command>: These commands are used to suppress the 
installation of the <command>groups</command> program as the version from the 
<application>Coreutils</application> package installed during 
<acronym>LFS</acronym> is preferred.</para>

</sect2>

<sect2>
<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to 
work with <application>Shadow</application></title>

<sect3 id="pam.d"><title>Config files</title>
<para><filename>/etc/pam.d/*</filename>, or alternatively, 
<filename>/etc/pam.conf</filename></para>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary></indexterm>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.conf">/etc/pam.conf</primary></indexterm>
</sect3>

<sect3><title>Configuration Information</title>

<para>Add the following <application>Linux-<acronym>PAM</acronym></application> 
configuration files to <filename class="directory">/etc/pam.d/</filename> (or 
add them to <filename>/etc/pam.conf</filename> with the additional field for 
the program).</para>

<sect4><title>login (with <application>cracklib</application>)</title>

<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
                                            dcredit=3 ocredit=3 \
                                            ucredit=2 lcredit=2
password    required       pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/login
<command>EOF</command></userinput></screen>
</sect4>

<sect4><title>login (without <application>cracklib</application>)</title>

<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_unix.so      md5 shadow

# End /etc/pam.d/login
<command>EOF</command></userinput></screen>
</sect4>

<sect4><title>passwd (with <application>cracklib</application>)</title>

<screen><userinput><command>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd

password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
                                            dcredit=3  ocredit=3 \
                                            ucredit=2  lcredit=2
password    required       pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/passwd
<command>EOF</command></userinput></screen>
</sect4>

<sect4><title>passwd (without <application>cracklib</application>)</title>

<screen><userinput><command>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd

password    required       pam_unix.so      md5 shadow

# End /etc/pam.d/passwd
<command>EOF</command></userinput></screen>
</sect4>

<sect4><title>su</title>

<screen><userinput><command>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/su

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     optional        pam_mail.so     dir=/var/mail standard
session     required        pam_unix.so

# End /etc/pam.d/su
<command>EOF</command></userinput></screen>
</sect4>

<sect4><title>chage</title>

<screen><userinput><command>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/chage

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/chage
<command>EOF</command></userinput></screen>
</sect4>

<sect4><title>chpasswd, newusers, groupadd, groupdel, groupmod, useradd, 
userdel and usermod</title>

<screen><userinput><command>for PROGRAM in chpasswd newusers groupadd groupdel \
               groupmod useradd userdel usermod
do
    cp /etc/pam.d/chage /etc/pam.d/$PROGRAM
    sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done</command></userinput></screen>
</sect4>

<sect4><title>other</title>

<warning><para>At this point, you should do a simple test to see if
<application>Shadow</application> is
working as expected.  Open another term and login as a user, then su to
to root.  If you do not see any errors, then all is well and you should
proceed with the rest of the configuration.  If you did
receive errors, stop now and double check the above configuration files
manually.  If you cannot find, and fix the error, you should recompile 
shadow replacing <parameter>--with-libpam</parameter> with
<parameter>--without-libpam</parameter> in the above
instructions.  If you fail to do this and the errors remain, you
will be unable to log into your system.</para></warning>

<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use 
<acronym>PAM</acronym>-aware programs without a configuration file for that 
program. After testing <application>Linux-<acronym>PAM</acronym></application> 
for proper configuration, install a more restrictive 
<filename>other</filename> file so that program-specific configuration files 
are required:</para>

<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/other

auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
session     required        pam_deny.so
password    required        pam_deny.so
password    required        pam_warn.so

# End /etc/pam.d/other
<command>EOF</command></userinput></screen>
</sect4>

<sect4 id="pam-access"><title>Configuring login access</title>

<para>Instead of using the <filename>/etc/login.access</filename> file for 
controlling access to the system, 
<application>Linux-<acronym>PAM</acronym></application> uses the 
<filename class='libraryfile'>pam_access.so</filename> module along with the
<filename>/etc/security/access.conf</filename> file. Rename the 
<filename>/etc/login.access</filename> file using the following 
command:</para>
<indexterm zone="shadow pam-access"><primary 
sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
</indexterm>

<screen><userinput><command>if [ -f /etc/login.access ]; then
    mv -v /etc/login.access /etc/login.access.NOUSE
fi</command></userinput></screen>
</sect4>

<sect4 id="pam-limits"><title>Configuring resource limits</title>

<para>Instead of using the <filename>/etc/limits</filename> file for 
limiting usage of system resources, 
<application>Linux-<acronym>PAM</acronym></application> uses the 
<filename class='libraryfile'>pam_limits.so</filename> module along with the
<filename>/etc/security/limits.conf</filename> file. Rename the 
<filename>/etc/limits</filename> file using the following 
command:</para>
<indexterm zone="shadow pam-limits"><primary 
sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
</indexterm>

<screen><userinput><command>if [ -f /etc/limits ]; then
    mv -v /etc/limits /etc/limits.NOUSE
fi</command></userinput></screen>
</sect4>

<sect4 id="pam-login-defs"><title>Configuring /etc/login.defs</title>

<para>The <command>login</command> program currently performs many functions 
which <application>Linux-<acronym>PAM</acronym></application> modules should 
now handle. The following command will comment out the appropriate lines in 
<filename>/etc/login.defs</filename>, and stop <command>login</command> from 
performing these functions:</para>
<indexterm zone="shadow pam-login-defs"><primary 
sortas="e-etc-login.defs">/etc/login.defs</primary>
</indexterm>

<screen><userinput><command>for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
                PORTTIME_CHECKS_ENAB CONSOLE \
                MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
                SU_WHEEL_ONLY MD5_CRYPT_ENAB \
                CONSOLE_GROUPS ENVIRON_FILE
do
    sed -i -e "s/^$FUNCTION/# &amp;/" /etc/login.defs
done</command></userinput></screen>

<para>If you have <application>cracklib</application> installed, also comment 
out four more lines using the following command:</para>

<screen><userinput><command>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
                PASS_CHANGE_TRIES PASS_ALWAYS_WARN
do
    sed -i -e "s/^$FUNCTION/# &amp;/" /etc/login.defs
done</command></userinput></screen>
</sect4>

</sect3>

</sect2>

<sect2>
<title>Contents</title>

<para>A list of the installed files, along with their short descriptions can 
be found at 
<ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>

</sect2>

</sect1>