Context Navigation

shadow.xml@ 5f084a2

Visit:

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 5f084a2 was 5f084a2, checked in by Randy McMurchy <randy@…>, 19 years ago

Added md5sums to Shadow, Linux-PAM and cracklib instructions

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3394 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 10.0 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY shadow-download-http " ">
8	<!ENTITY shadow-download-ftp "ftp://ftp.pld.org.pl/software/shadow/shadow-&shadow-version;.tar.bz2">
9	<!ENTITY shadow-md5sum "3a3d17d3d7c630b602baf66ae7434c61">
10	<!ENTITY shadow-size "814 KB">
11	<!ENTITY shadow-buildsize "14.1 MB">
12	<!ENTITY shadow-time "0.42 SBU">
13	]>
14
15	<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
16	<sect1info>
17	<othername>$LastChangedBy$</othername>
18	<date>$Date$</date>
19	</sect1info>
20	<?dbhtml filename="shadow.html"?>
21	<title>Shadow-&shadow-version;</title>
22	<indexterm zone="shadow">
23	<primary sortas="a-Shadow">Shadow</primary></indexterm>
24
25	<!--
26	<sect2>
27	<title>Configuring shadow</title>
28
29	<para>Shadow's Configuration File</para>
30
31	<para><userinput>/etc/login.defs</userinput></para>
32
33	<para>Enabling <acronym>MD</acronym>5 Passwords</para>
34
35	<para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
36	<filename>login.defs</filename> file that reads:
37	<screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
38	to read:
39	<screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
40	Passwords created after this change will be encrypted using
41	<acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
42	<acronym>DES</acronym> encryption.
43	</para>
44	</sect2>
45	-->
46
47	<sect2>
48	<title>Introduction to <application>Shadow</application></title>
49
50	<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
51	no reason to reinstall it unless you installed
52	<application>Linux-<acronym>PAM</acronym></application>. If you did,
53	this will allow programs like <command>login</command> and
54	<command>su</command> to utilize
55	<acronym>PAM</acronym>.</para>
56
57	<sect3><title>Package information</title>
58	<itemizedlist spacing="compact">
59	<listitem><para>Download (HTTP):
60	<ulink url="&shadow-download-http;"/></para></listitem>
61	<listitem><para>Download (FTP):
62	<ulink url="&shadow-download-ftp;"/></para></listitem>
63	<listitem><para>Download MD5 sum:
64	&shadow-md5sum;</para></listitem>
65	<listitem><para>Download size:
66	&shadow-size;</para></listitem>
67	<listitem><para>Estimated disk space required:
68	&shadow-buildsize;</para></listitem>
69	<listitem><para>Estimated build time:
70	&shadow-time;</para></listitem></itemizedlist>
71	</sect3>
72
73	<sect3><title>Additional downloads</title>
74	<itemizedlist spacing='compact'>
75	<listitem><para>Patch to fix linking against PAM:
76	<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para>
77	</listitem>
78	</itemizedlist>
79	</sect3>
80
81	<sect3><title><application>Shadow</application> dependencies</title>
82	<sect4><title>Required</title>
83	<para><xref linkend="Linux_PAM"/></para></sect4>
84	</sect3>
85	</sect2>
86
87	<sect2>
88	<title>Installation of <application>Shadow</application></title>
89
90	<para>Reinstall <application>Shadow</application> by running the following
91	commands:</para>
92
93	<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &&
94	LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
95	--enable-shared --with-libpam --without-libcrack &&
96	echo '#define HAVE_SETLOCALE 1' >> config.h &&
97	sed -i '/extern char/d' libmisc/xmalloc.c &&
98	make</command></userinput></screen>
99
100	<para>Now, as the root user:</para>
101
102	<screen><userinput role='root'><command>make install &&
103	mv /bin/sg /usr/bin &&
104	mv /bin/vigr /usr/sbin &&
105	mv /usr/bin/passwd /bin &&
106	rm /bin/groups &&
107	mv /usr/lib/lib{misc,shadow}.so.0* /lib &&
108	ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
109	ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
110
111	</sect2>
112
113	<sect2>
114	<title>Command explanations</title>
115
116	<para><parameter>--without-libcrack</parameter>: This switch tells
117	<application>Shadow</application> not to use
118	<filename class='libraryfile'>libcrack</filename>. This is desired as
119	<application>Linux-<acronym>PAM</acronym></application> already contains
120	<filename class='libraryfile'>libcrack</filename>.</para>
121
122	<para><command>sed -i '/extern char/d' libmisc/xmalloc.c</command>: This
123	fixes a compilation problem when using <application>GCC</application>-3.4.x.
124	</para>
125
126	</sect2>
127
128	<sect2>
129	<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to
130	work with <application>Shadow</application></title>
131
132	<sect3 id="pam.d"><title>Config files</title>
133	<para><filename>/etc/pam.d/login</filename>,
134	<filename>/etc/pam.d/passwd</filename>,
135	<filename>/etc/pam.d/su</filename>,
136	<filename>/etc/pam.d/shadow</filename>,
137	<filename>/etc/pam.d/useradd</filename>, and
138	<filename>/etc/pam.d/chage</filename> –
139	alternatively, <filename>/etc/pam.conf</filename></para>
140	<indexterm zone="shadow pam.d">
141	<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary></indexterm>
142	<indexterm zone="shadow pam.d">
143	<primary sortas="e-etc-pam.conf">/etc/pam.conf</primary></indexterm>
144	</sect3>
145
146	<sect3><title>Configuration Information</title>
147
148	<para>Add the following <application>Linux-<acronym>PAM</acronym></application>
149	configuration files to <filename class="directory">/etc/pam.d/</filename> (or
150	add them to <filename>/etc/pam.conf</filename> with the additional field for
151	the program).</para>
152
153	<screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command>
154	# Begin /etc/pam.d/login
155
156	auth requisite pam_securetty.so
157	auth requisite pam_nologin.so
158	auth required pam_env.so
159	auth required pam_unix.so
160	account required pam_access.so
161	account required pam_unix.so
162	session required pam_motd.so
163	session required pam_limits.so
164	session optional pam_mail.so dir=/var/mail standard
165	session optional pam_lastlog.so
166	session required pam_unix.so
167
168	# End /etc/pam.d/login
169	<command>EOF
170	cat > /etc/pam.d/passwd << "EOF"</command>
171	# Begin /etc/pam.d/passwd
172
173	password required pam_unix.so md5 shadow
174
175	# End /etc/pam.d/passwd
176	<command>EOF
177	cat > /etc/pam.d/shadow << "EOF"</command>
178	# Begin /etc/pam.d/shadow
179
180	auth sufficient pam_rootok.so
181	auth required pam_unix.so
182	account required pam_unix.so
183	session required pam_unix.so
184	password required pam_permit.so
185
186	# End /etc/pam.d/shadow
187	<command>EOF
188	cat > /etc/pam.d/su << "EOF"</command>
189	# Begin /etc/pam.d/su
190
191	auth sufficient pam_rootok.so
192	auth required pam_unix.so
193	account required pam_unix.so
194	session required pam_unix.so
195
196	# End /etc/pam.d/su
197	<command>EOF
198	cat > /etc/pam.d/useradd << "EOF"</command>
199	# Begin /etc/pam.d/useradd
200
201	auth sufficient pam_rootok.so
202	auth required pam_unix.so
203	account required pam_unix.so
204	session required pam_unix.so
205	password required pam_permit.so
206
207	# End /etc/pam.d/useradd
208	<command>EOF
209	cat > /etc/pam.d/chage << "EOF"</command>
210	# Begin /etc/pam.d/chage
211
212	auth sufficient pam_rootok.so
213	auth required pam_unix.so
214	account required pam_unix.so
215	session required pam_unix.so
216	password required pam_permit.so
217
218	# End /etc/pam.d/chage
219	<command>EOF</command></userinput></screen>
220
221	<note><para>If you've installed <application>cracklib</application>, replace
222	<filename>/etc/pam.d/passwd</filename> with the following:</para></note>
223	<screen><userinput><command>cat > /etc/pam.d/passwd << "EOF"</command>
224	# Begin /etc/pam.d/passwd
225
226	password required pam_cracklib.so \
227	retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
228	password required pam_unix.so md5 shadow use_authtok
229
230	# End /etc/pam.d/passwd
231	<command>EOF</command></userinput></screen>
232
233	<warning><para>At this point, you should do a simple test to see if
234	<application>Shadow</application> is
235	working as expected. Open another term and login as a user, then su to
236	to root. If you do not see any errors, then all is well and you should
237	proceed with the rest of the configuration. If you did
238	receive errors, stop now and double check the above configuration files
239	manually. If you cannot find, and fix the error, you should recompile
240	shadow replacing <envar>--with-libpam</envar> with
241	<envar>--without-libpam</envar> in the above
242	instructions. If you fail to do this and the errors remain, you
243	will be unable to log into your system.</para></warning>
244
245	<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
246	allow anyone with an account on the machine to use programs
247	that do not specifically have a configuration file of their own. After
248	testing <application>Linux-<acronym>PAM</acronym></application> for proper
249	configuration, it can be changed to the following:</para>
250
251	<screen><userinput><command>cat > /etc/pam.d/other << "EOF"</command>
252	# Begin /etc/pam.d/other
253
254	auth required pam_deny.so
255	auth required pam_warn.so
256	account required pam_deny.so
257	session required pam_deny.so
258	password required pam_deny.so
259	password required pam_warn.so
260
261	# End /etc/pam.d/other
262	<command>EOF</command></userinput></screen>
263
264	<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
265	to the beginning of the following lines:</para>
266	<screen>LASTLOG_ENAB
267	MAIL_CHECK_ENAB
268	PORTTIME_CHECKS_ENAB
269	CONSOLE
270	MOTD_FILE
271	NOLOGINS_FILE
272	PASS_MIN_LEN
273	SU_WHEEL_ONLY
274	MD5_CRYPT_ENAB
275	CONSOLE_GROUPS
276	ENVIRON_FILE</screen>
277
278	<para>This stops <command>login</command> from performing these functions, as
279	they will now be performed by <acronym>PAM</acronym> modules. Additionally,
280	add a '#' to the beginning of the following lines if you've installed
281	<application>cracklib</application>:</para>
282	<screen>OBSCURE_CHECKS_ENAB
283	CRACKLIB_DICTPATH
284	PASS_CHANGE_TRIES
285	PASS_ALWAYS_WARN</screen>
286	</sect3>
287
288	</sect2>
289
290	<sect2>
291	<title>Contents</title>
292
293	<para>A list of the installed files, along with their short descriptions can
294	be found at <ulink
295	url="http://www.linuxfromscratch.org/lfs/view/6.0/chapter06/shadow.html"/>.
296	</para>
297
298	</sect2>
299
300	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/shadow.xml@ 5f084a2

Download in other formats: