source: postlfs/security/shadow.xml@ 78b5501

Last change on this file since 78b5501 was 78b5501, checked in by Bruce Dubbs <bdubbs@…>, 9 years ago

Move generic PAM configuration from shadow to the PAM section

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@16058 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY shadow-download-http "http://pkg-shadow.alioth.debian.org/releases/shadow-&shadow-version;.tar.xz">
  <!ENTITY shadow-download-ftp  " ">
  <!ENTITY shadow-md5sum        "2bfafe7d4962682d31b5eba65dba4fc8">
  <!ENTITY shadow-size          "1.5 MB">
  <!ENTITY shadow-buildsize     "53 MB">
  <!ENTITY shadow-time          "0.2 SBU">
]>

<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
  <?dbhtml filename="shadow.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Shadow-&shadow-version;</title>

  <indexterm zone="shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Shadow</title>

    <para>
      <application>Shadow</application> was indeed installed in LFS and there is
      no reason to reinstall it unless you installed
      <application>CrackLib</application> or
      <application>Linux-PAM</application> after your LFS system was completed.
      If you have installed <application>CrackLib</application> after LFS, then
      reinstalling <application>Shadow</application> will enable strong password
      support. If you have installed <application>Linux-PAM</application>,
      reinstalling <application>Shadow</application> will allow programs such as
      <command>login</command> and <command>su</command> to utilize PAM.
    </para>

    &lfs77_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&shadow-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&shadow-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &shadow-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &shadow-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &shadow-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &shadow-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="linux-pam"/> or
      <xref linkend="cracklib"/>
    </para>

    <para condition="html" role="usernotes">
      User Notes: <ulink url="&blfs-wiki;/shadow"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Shadow</title>

    <important>
      <para>
        The installation commands shown below are for installations where
        <application>Linux-PAM</application> has been installed (with or
        without a <application>CrackLib</application> installation) and
        <application>Shadow</application> is being reinstalled to support the
        <application>Linux-PAM</application> installation.
      </para>

      <para>
        If you are reinstalling <application>Shadow</application> to provide
        strong password support using the <application>CrackLib</application>
        library without using <application>Linux-PAM</application>, ensure you
        add the <parameter>--with-libcrack</parameter> parameter to the
        <command>configure</command> script below and also issue the following
        command:
      </para>

<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
    </important>

    <para>
      Reinstall <application>Shadow</application> by running the following
      commands:
    </para>

<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;

sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
       -e 's@/var/spool/mail@/var/mail@' etc/login.defs &amp;&amp;

sed -i 's/1000/999/' etc/useradd &amp;&amp;

./configure --sysconfdir=/etc --with-group-name-max-length=32 &amp;&amp;
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
mv -v /usr/bin/passwd /bin</userinput></screen>
  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
      is used to suppress the installation of the <command>groups</command>
      program as the version from the <application>Coreutils</application>
      package installed during LFS is preferred.
    </para>

    <para>
      <command>find man -name Makefile.in -exec ... {} \;</command>: This
      command is used to suppress the installation of the
      <command>groups</command> man pages so the existing ones installed from
      the <application>Coreutils</application> package are not replaced.
    </para>

    <para>
      <command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
      's@/var/spool/mail@/var/mail@' etc/login.defs</command>: Instead of using
      the default 'DES' method, this command modifies the installation to use
      the more secure 'SHA512' method of hashing passwords, which also allows
      passwords longer than eight characters. It also changes the obsolete
      <filename class="directory">/var/spool/mail</filename> location for user
      mailboxes that <application>Shadow</application> uses by default to the
      <filename class="directory">/var/mail</filename> location.
    </para>

    <para>
      <command>sed -i 's/1000/999/' etc/useradd</command>: Make a minor change
      to make the default useradd consistent with the LFS groups file.
    </para>

    <para>
      <option>--with-group-name-max-length=32</option>: The maximum user name is
      32 characters. Make the maximum group name the same.
    </para>

    <para>
      <command>mv -v /usr/bin/passwd /bin</command>: The
      <command>passwd</command> program may be needed during times when the
      <filename class='directory'>/usr</filename> filesystem is not mounted so
      it is moved into the root partition.
    </para>
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Shadow</title>

    <para>
      <application>Shadow</application>'s stock configuration for the
      <command>useradd</command> utility may not be desirable for your
      installation. One default parameter causes <command>useradd</command> to
      create a mailbox file for any newly created user.
      <command>useradd</command> sets the group ownership of this file to
      the <systemitem class="groupname">mail</systemitem> group with 0660
      permissions. If you would prefer that these mailbox files are not created
      by <command>useradd</command>, issue the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Linux-PAM to Work with Shadow</title>

    <note>
      <para>
        The rest of this page is devoted to configuring
        <application>Shadow</application> to work properly with
        <application>Linux-PAM</application>. If you do not have
        <application>Linux-PAM</application> installed, and you reinstalled
        <application>Shadow</application> to support strong passwords via the
        <application>CrackLib</application> library, no further configuration is
        required.
      </para>
    </note>

    <sect3 id="pam.d">
      <title>Config Files</title>

      <para>
        <filename>/etc/pam.d/*</filename> or alternatively
        <filename>/etc/pam.conf</filename>,
        <filename>/etc/login.defs</filename> and
        <filename>/etc/security/*</filename>
      </para>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-security">/etc/security/*</primary>
      </indexterm>
    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        Configuring your system to use <application>Linux-PAM</application> can
        be a complex task. The information below will provide a basic setup so
        that <application>Shadow</application>'s login and password
        functionality will work effectively with
        <application>Linux-PAM</application>. Review the information and links
        on the <xref linkend="linux-pam"/> page for further configuration
        information. For information specific to integrating
        <application>Shadow</application>, <application>Linux-PAM</application>
        and <application>CrackLib</application>, you can visit the following
        link:
      </para>

      <itemizedlist spacing="compact">
        <listitem>
          <para>
            <ulink url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/>
          </para>
        </listitem>
      </itemizedlist>

      <sect4 id="pam-login-defs">
        <title>Configuring /etc/login.defs</title>

        <para>
          The <command>login</command> program currently performs many functions
          which <application>Linux-PAM</application> modules should now handle.
          The following <command>sed</command> command will comment out the
          appropriate lines in <filename>/etc/login.defs</filename>, and stop
          <command>login</command> from performing these functions (a backup
          file named <filename>/etc/login.defs.orig</filename> is also created
          to preserve the original file's contents). Issue the following
          commands as the <systemitem class="username">root</systemitem> user:
        </para>

        <indexterm zone="shadow pam-login-defs">
          <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
        </indexterm>

<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
for FUNCTION in FAIL_DELAY \
                FAILLOG_ENAB \
                LASTLOG_ENAB \
                MAIL_CHECK_ENAB \
                OBSCURE_CHECKS_ENAB \
                PORTTIME_CHECKS_ENAB \
                QUOTAS_ENAB \
                CONSOLE MOTD_FILE \
                FTMP_FILE NOLOGINS_FILE \
                ENV_HZ PASS_MIN_LEN \
                SU_WHEEL_ONLY \
                CRACKLIB_DICTPATH \
                PASS_CHANGE_TRIES \
                PASS_ALWAYS_WARN \
                CHFN_AUTH ENCRYPT_METHOD \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
done</userinput></screen>
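        <para>
          The script below is an added example and is not part of the BLFS
          book. It wraps the loop above in a function and adds the check an
          administrator wants afterwards: a report of any option from the list
          that is still active in the resulting file. It runs on a constructed
          sample, never on the real <filename>/etc/login.defs</filename>; the
          sample deliberately contains an active CONSOLE_GROUPS line to show
          that the book's prefix match on CONSOLE also comments it (harmless
          when that line is already commented out, as shipped).
        </para>

```shell
#!/bin/sh
# Added example, not from the BLFS book: re-implement the commenting loop
# above as a function and audit the result. It works on a constructed
# sample file, never on the real /etc/login.defs.

# The same option list the book's loop comments out.
PAM_HANDLED_OPTIONS="FAIL_DELAY FAILLOG_ENAB LASTLOG_ENAB MAIL_CHECK_ENAB
  OBSCURE_CHECKS_ENAB PORTTIME_CHECKS_ENAB QUOTAS_ENAB CONSOLE MOTD_FILE
  FTMP_FILE NOLOGINS_FILE ENV_HZ PASS_MIN_LEN SU_WHEEL_ONLY CRACKLIB_DICTPATH
  PASS_CHANGE_TRIES PASS_ALWAYS_WARN CHFN_AUTH ENCRYPT_METHOD ENVIRON_FILE"

# comment_pam_handled FILE: back FILE up to FILE.orig, then apply the book's
# sed (a plain prefix match on the option name) exactly as the loop does.
comment_pam_handled() {
    local file=$1 option
    install -m644 "$file" "$file.orig" || return 1
    for option in $PAM_HANDLED_OPTIONS; do
        sed -i "s/^${option}/# &/" "$file"
    done
}

# active_pam_handled FILE: print every listed option that is still active,
# i.e. starts a line and is followed by whitespace (so CONSOLE does not
# match CONSOLE_GROUPS). Returns 1 if anything was printed, 0 if clean.
active_pam_handled() {
    local file=$1 option found=0
    for option in $PAM_HANDLED_OPTIONS; do
        if grep -qE "^${option}[[:space:]]" "$file"; then
            echo "$option"
            found=1
        fi
    done
    return $found
}

# make_sample_login_defs FILE: write a constructed login.defs fragment.
# UMASK and PASS_MAX_DAYS are not PAM-handled and must survive untouched;
# CONSOLE_GROUPS is active here to show what the prefix match does to it.
make_sample_login_defs() {
    cat > "$1" << "EOF"
# constructed sample, not a real login.defs
FAIL_DELAY        3
ENCRYPT_METHOD    SHA512
UMASK             022
CONSOLE_GROUPS    floppy:audio
PASS_MAX_DAYS     99999
EOF
}

# Stand-alone demonstration on a temporary copy.
tmp=$(mktemp)
make_sample_login_defs "$tmp"
comment_pam_handled "$tmp"
active_pam_handled "$tmp" && echo "no PAM-handled option is still active"
rm -f "$tmp" "$tmp.orig"
```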
      </sect4>

      <sect4>
        <title>Configuring the /etc/pam.d/ Files</title>

        <para>
          As mentioned previously in the <application>Linux-PAM</application>
          instructions, <application>Linux-PAM</application> has two supported
          methods for configuration. The commands below assume that you've
          chosen to use a directory based configuration, where each program has
          its own configuration file. You can optionally use a single
          <filename>/etc/pam.conf</filename> configuration file by using the
          text from the files below, and supplying the program name as an
          additional first field for each line.
        </para>

        <para>
          As the <systemitem class="username">root</systemitem> user, replace
          the following <application>Linux-PAM</application> configuration files
          in the <filename class="directory">/etc/pam.d/</filename> directory
          (or add the contents to the <filename>/etc/pam.conf</filename> file)
          using the following commands:
        </para>
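        <para>
          The script below is an added example and is not part of the BLFS
          book. It performs the conversion just described mechanically: given a
          directory of per-service files it prints
          <filename>/etc/pam.conf</filename> lines with the service name as the
          extra first field, drops comments and blank lines, and flags any rule
          that lacks the mandatory type, control and module fields. It runs on
          constructed copies of the login and passwd files, not on
          <filename class="directory">/etc/pam.d/</filename>.
        </para>

```shell
#!/bin/sh
# Added example, not from the BLFS book: convert per-service /etc/pam.d files
# into the single-file /etc/pam.conf format described above, i.e. the file
# name (the service) becomes an extra first field on every rule line.

# valid_pam_rule TYPE CONTROL MODULE: succeed if the rule has its three
# mandatory fields and a known module type. A leading '-' on the type is
# allowed (Linux-PAM then keeps quiet if the module file is missing).
valid_pam_rule() {
    case ${1#-} in
        auth|account|password|session) ;;
        *) return 1 ;;
    esac
    [ -n "$2" ] && [ -n "$3" ]
}

# pamd_to_pamconf DIR: print pam.conf lines for every regular file in DIR.
# Comments and blank lines are dropped. Malformed rules are reported on
# stderr and make the exit status 1, but the remaining lines still convert.
pamd_to_pamconf() {
    local dir=$1 status=0 file service type control module args
    for file in "$dir"/*; do
        [ -f "$file" ] || continue
        service=${file##*/}
        while read -r type control module args || [ -n "$type" ]; do
            case $type in ''|'#'*) continue ;; esac
            if ! valid_pam_rule "$type" "$control" "$module"; then
                echo "$service: malformed rule: $type $control $module" >&2
                status=1
                continue
            fi
            printf '%s %s %s %s%s\n' "$service" "$type" "$control" \
                "$module" "${args:+ $args}"
        done < "$file"
    done
    return $status
}

# make_sample_pamd DIR: constructed login and passwd files, cut down from the
# book's versions, so the conversion can be tried without touching /etc.
make_sample_pamd() {
    cat > "$1/login" << "EOF"
# Begin /etc/pam.d/login
auth      optional    pam_faildelay.so  delay=3000000
auth      requisite   pam_nologin.so
#auth     required    pam_securetty.so
auth      include     system-auth
account   required    pam_access.so
session   required    pam_limits.so
EOF
    cat > "$1/passwd" << "EOF"
password  include     system-password
EOF
}

# Stand-alone demonstration in a temporary directory.
d=$(mktemp -d)
make_sample_pamd "$d" && pamd_to_pamconf "$d"
rm -rf "$d"
```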
      </sect4>

      <sect4>
        <title>'login'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth     required    pam_securetty.so

# Additional group memberships - disabled by default
#auth     optional    pam_group.so

# include the default auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include the default account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display date of last login - Disabled by default
#session  optional    pam_lastlog.so

# Display the message of the day - Disabled by default
#session  optional    pam_motd.so

# Check user's mail - Disabled by default
#session  optional    pam_mail.so       standard quiet

# include the default session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'passwd'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'su'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/su</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'chage'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system defaults for auth account and session
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required    pam_permit.so

# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>Other common programs</title>
        <!--<title>'chfn', 'chgpasswd', 'chpasswd', 'chsh', 'groupadd', 'groupdel',
        'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
        'usermod'</title>-->

<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done</userinput></screen>

        <warning>
          <para>
            At this point, you should do a simple test to see if
            <application>Shadow</application> is working as expected. Open
            another terminal and log in as a user, then <command>su</command> to
            <systemitem class="username">root</systemitem>. If you do not see
            any errors, then all is well and you should proceed with the rest of
            the configuration. If you did receive errors, stop now and double
            check the above configuration files manually. You can also run the
            test suite from the <application>Linux-PAM</application> package to
            assist you in determining the problem. If you cannot find and fix
            the error, you should recompile <application>Shadow</application>
            adding the <option>--without-libpam</option> switch to the
            <command>configure</command> command in the above instructions (also
            move the <filename>/etc/login.defs.orig</filename> backup file to
            <filename>/etc/login.defs</filename>). If you fail to do this and
            the errors remain, you will be unable to log into your system.
          </para>
        </warning>
      </sect4>

      <sect4>
        <title>Other</title>

        <para>
          Currently, <filename>/etc/pam.d/other</filename> is configured to
          allow anyone with an account on the machine to use PAM-aware programs
          without a configuration file for that program. After testing
          <application>Linux-PAM</application> for proper configuration, install
          a more restrictive <filename>other</filename> file so that
          program-specific configuration files are required:
        </para>

<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/other

auth      required    pam_warn.so
auth      required    pam_deny.so
account   required    pam_warn.so
account   required    pam_deny.so
password  required    pam_warn.so
password  required    pam_deny.so
session   required    pam_warn.so
session   required    pam_deny.so

# End /etc/pam.d/other</literal>
EOF</userinput></screen>
      </sect4>

      <sect4 id="pam-access">
        <title>Configuring Login Access</title>

        <para>
          Instead of using the <filename>/etc/login.access</filename> file for
          controlling access to the system, <application>Linux-PAM</application>
          uses the <filename class='libraryfile'>pam_access.so</filename> module
          along with the <filename>/etc/security/access.conf</filename> file.
          Rename the <filename>/etc/login.access</filename> file using the
          following command:
        </para>

        <indexterm zone="shadow pam-access">
          <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
      </sect4>

      <sect4 id="pam-limits">
        <title>Configuring Resource Limits</title>

        <para>
          Instead of using the <filename>/etc/limits</filename> file for
          limiting usage of system resources,
          <application>Linux-PAM</application> uses the
          <filename class='libraryfile'>pam_limits.so</filename> module along
          with the <filename>/etc/security/limits.conf</filename> file. Rename
          the <filename>/etc/limits</filename> file using the following command:
        </para>

        <indexterm zone="shadow pam-limits">
          <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>
      </sect4>
    </sect3>
  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <para>
      A list of the installed files, along with their short descriptions can be
      found at <ulink url="http://www.linuxfromscratch.org/lfs/view/&lfs-version;/chapter06/shadow.html#contents-shadow"/>.
    </para>

  </sect2>

</sect1>