source: postlfs/security/shadow.xml@ 7a2eb035

10.0 10.1 11.0 11.1 11.2 lazarus plabs/python-mods qt5new trunk upgradedb xry111/intltool xry111/soup3 xry111/test-20220226
Last change on this file since 7a2eb035 was 7a2eb035, checked in by Xi Ruoyao <xry111@…>, 2 years ago

shadow: remove /run/nologin notes not necessary with recent systemd version

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@23467 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 20.2 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
8 <!ENTITY shadow-download-ftp " ">
9 <!ENTITY shadow-md5sum "4b05eff8a427cf50e615bda324b5bc45">
10 <!ENTITY shadow-size "1.5 MB">
11 <!ENTITY shadow-buildsize "33 MB">
12 <!ENTITY shadow-time "0.2 SBU">
13]>
14
15<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
16 <?dbhtml filename="shadow.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Shadow-&shadow-version;</title>
24
25 <indexterm zone="shadow">
26 <primary sortas="a-Shadow">Shadow</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Shadow</title>
31
32 <para>
33 <application>Shadow</application> was indeed installed in LFS and there is
34 no reason to reinstall it unless you installed
35 <application>CrackLib</application> or
36 <application>Linux-PAM</application> after your LFS system was completed.
37 If you have installed <application>CrackLib</application> after LFS, then
38 reinstalling <application>Shadow</application> will enable strong password
39 support. If you have installed <application>Linux-PAM</application>,
40 reinstalling <application>Shadow</application> will allow programs such as
41 <command>login</command> and <command>su</command> to utilize PAM.
42 </para>
43
44 &lfs91_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&shadow-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&shadow-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &shadow-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &shadow-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &shadow-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &shadow-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
81
82 <bridgehead renderas="sect4">Required</bridgehead>
83 <para role="required">
84 <xref linkend="linux-pam"/> or
85 <xref role="nodep" linkend="cracklib"/>
86 </para>
87
88 <para condition="html" role="usernotes">
89 User Notes: <ulink url="&blfs-wiki;/shadow"/>
90 </para>
91 </sect2>
92
93 <sect2 role="installation">
94 <title>Installation of Shadow</title>
95
96 <important>
97 <para>
98 The installation commands shown below are for installations where
99 <application>Linux-PAM</application> has been installed and
100 <application>Shadow</application> is being reinstalled to support the
101 <application>Linux-PAM</application> installation.
102 </para>
103
104 <para>
105 If you are reinstalling <application>Shadow</application> to provide
106 strong password support using the <application>CrackLib</application>
107 library without using <application>Linux-PAM</application>, ensure you
108 add the <parameter>--with-libcrack</parameter> parameter to the
109 <command>configure</command> script below and also issue the following
110 command:
111 </para>
112
113<screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
114 </important>
115
116 <para>
117 Reinstall <application>Shadow</application> by running the following
118 commands:
119 </para>
120
121<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
122
123find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
124find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
125find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &amp;&amp;
126
127sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
128 -e 's@/var/spool/mail@/var/mail@' \
129 -i etc/login.defs &amp;&amp;
130
131sed -i 's/1000/999/' etc/useradd &amp;&amp;
132
133./configure --sysconfdir=/etc --with-group-name-max-length=32 &amp;&amp;
134make</userinput></screen>
135
136 <para>
137 This package does not come with a test suite.
138 </para>
139
140 <para>
141 Now, as the <systemitem class="username">root</systemitem> user:
142 </para>
143
144<screen role="root"><userinput>make install</userinput></screen>
145
146 </sect2>
147
148 <sect2 role="commands">
149 <title>Command Explanations</title>
150
151 <para>
152 <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
153 is used to suppress the installation of the <command>groups</command>
154 program as the version from the <application>Coreutils</application>
155 package installed during LFS is preferred.
156 </para>
157
158 <para>
159 <command>find man -name Makefile.in -exec ... {} \;</command>: This
160 command is used to suppress the installation of the
161 <command>groups</command> man pages so the existing ones installed from
162 the <application>Coreutils</application> package are not replaced.
163 </para>
164
165 <para>
166 <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
167 's@/var/spool/mail@/var/mail@' -i etc/login.defs</command>: Instead of using
168 the default 'DES' method, this command modifies the installation to use
169 the more secure 'SHA512' method of hashing passwords, which also allows
170 passwords longer than eight characters. It also changes the obsolete
171 <filename class="directory">/var/spool/mail</filename> location for user
172 mailboxes that <application>Shadow</application> uses by default to the
173 <filename class="directory">/var/mail</filename> location.
174 </para>
175
176 <para>
177 <command>sed -i 's/1000/999/' etc/useradd</command>: Make a minor change
178 to make the default useradd consistent with the LFS groups file.
179 </para>
180
181 <para>
182 <parameter>--with-group-name-max-length=32</parameter>: The maximum
183 user name is 32 characters. Make the maximum group name the same.
184 </para>
185
186 <!-- No longer needed as of 4.8
187 <para>
188 <command>mv -v /usr/bin/passwd /bin</command>: The
189 <command>passwd</command> program may be needed during times when the
190 <filename class='directory'>/usr</filename> filesystem is not mounted so
191 it is moved into the root partition.
192 </para>
193 -->
194
195 </sect2>
196
197 <sect2 role="configuration">
198 <title>Configuring Shadow</title>
199
200 <para>
201 <application>Shadow</application>'s stock configuration for the
202 <command>useradd</command> utility may not be desirable for your
203 installation. One default parameter causes <command>useradd</command> to
204 create a mailbox file for any newly created user.
205 <command>useradd</command> will make the group ownership of this file to
206 the <systemitem class="groupname">mail</systemitem> group with 0660
207 permissions. If you would prefer that these mailbox files are not created
208 by <command>useradd</command>, issue the following command as the
209 <systemitem class="username">root</systemitem> user:
210 </para>
211
212<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
213 </sect2>
214
215 <sect2 role="configuration">
216 <title>Configuring Linux-PAM to Work with Shadow</title>
217
218 <note>
219 <para>
220 The rest of this page is devoted to configuring
221 <application>Shadow</application> to work properly with
222 <application>Linux-PAM</application>. If you do not have
223 <application>Linux-PAM</application> installed, and you reinstalled
224 <application>Shadow</application> to support strong passwords via the
225 <application>CrackLib</application> library, no further configuration is
226 required.
227 </para>
228 </note>
229
230 <sect3 id="pam.d">
231 <title>Config Files</title>
232
233 <para>
234 <filename>/etc/pam.d/*</filename> or alternatively
235 <filename>/etc/pam.conf</filename>,
236 <filename>/etc/login.defs</filename> and
237 <filename>/etc/security/*</filename>
238 </para>
239
240 <indexterm zone="shadow pam.d">
241 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
242 </indexterm>
243
244 <indexterm zone="shadow pam.d">
245 <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
246 </indexterm>
247
248 <indexterm zone="shadow pam.d">
249 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
250 </indexterm>
251
252 <indexterm zone="shadow pam.d">
253 <primary sortas="e-etc-security">/etc/security/*</primary>
254 </indexterm>
255 </sect3>
256
257 <sect3>
258 <title>Configuration Information</title>
259
260 <para>
261 Configuring your system to use <application>Linux-PAM</application> can
262 be a complex task. The information below will provide a basic setup so
263 that <application>Shadow</application>'s login and password
264 functionality will work effectively with
265 <application>Linux-PAM</application>. Review the information and links
266 on the <xref linkend="linux-pam"/> page for further configuration
267 information. For information specific to integrating
268 <application>Shadow</application>, <application>Linux-PAM</application>
269 and <application>libpwquality</application>, you can visit the
270 following link:
271 </para>
272
273 <itemizedlist spacing="compact">
274 <listitem>
275 <!-- New URL for the below link, according to it's author. -->
276 <para>
277 <ulink url="http://www.deer-run.com/~hal/linux_passwords_pam.html"/>
278 </para>
279 </listitem>
280 </itemizedlist>
281
282 <sect4 id="pam-login-defs">
283 <title>Configuring /etc/login.defs</title>
284
285 <para>
286 The <command>login</command> program currently performs many functions
287 which <application>Linux-PAM</application> modules should now handle.
288 The following <command>sed</command> command will comment out the
289 appropriate lines in <filename>/etc/login.defs</filename>, and stop
290 <command>login</command> from performing these functions (a backup
291 file named <filename>/etc/login.defs.orig</filename> is also created
292 to preserve the original file's contents). Issue the following
293 commands as the <systemitem class="username">root</systemitem> user:
294 </para>
295
296 <indexterm zone="shadow pam-login-defs">
297 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
298 </indexterm>
299
300<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
301for FUNCTION in FAIL_DELAY \
302 FAILLOG_ENAB \
303 LASTLOG_ENAB \
304 MAIL_CHECK_ENAB \
305 OBSCURE_CHECKS_ENAB \
306 PORTTIME_CHECKS_ENAB \
307 QUOTAS_ENAB \
308 CONSOLE MOTD_FILE \
309 FTMP_FILE NOLOGINS_FILE \
310 ENV_HZ PASS_MIN_LEN \
311 SU_WHEEL_ONLY \
312 CRACKLIB_DICTPATH \
313 PASS_CHANGE_TRIES \
314 PASS_ALWAYS_WARN \
315 CHFN_AUTH ENCRYPT_METHOD \
316 ENVIRON_FILE
317do
318 sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
319done</userinput></screen>
320 </sect4>
321
322 <sect4>
323 <title>Configuring the /etc/pam.d/ Files</title>
324
325 <para>
326 As mentioned previously in the <application>Linux-PAM</application>
327 instructions, <application>Linux-PAM</application> has two supported
328 methods for configuration. The commands below assume that you've
329 chosen to use a directory based configuration, where each program has
330 its own configuration file. You can optionally use a single
331 <filename>/etc/pam.conf</filename> configuration file by using the
332 text from the files below, and supplying the program name as an
333 additional first field for each line.
334 </para>
335
336 <para>
337 As the <systemitem class="username">root</systemitem> user, create
338 the following <application>Linux-PAM</application> configuration files
339 in the <filename class="directory">/etc/pam.d/</filename> directory
340 (or add the contents to the <filename>/etc/pam.conf</filename> file)
341 using the following commands:
342 </para>
343 </sect4>
344
345 <sect4>
346 <title>'login'</title>
347
348<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
349<literal># Begin /etc/pam.d/login
350
351# Set failure delay before next prompt to 3 seconds
352auth optional pam_faildelay.so delay=3000000
353
354# Check to make sure that the user is allowed to login
355auth requisite pam_nologin.so
356
357# Check to make sure that root is allowed to login
358# Disabled by default. You will need to create /etc/securetty
359# file for this module to function. See man 5 securetty.
360#auth required pam_securetty.so
361
362# Additional group memberships - disabled by default
363#auth optional pam_group.so
364
365# include system auth settings
366auth include system-auth
367
368# check access for the user
369account required pam_access.so
370
371# include system account settings
372account include system-account
373
374# Set default environment variables for the user
375session required pam_env.so
376
377# Set resource limits for the user
378session required pam_limits.so
379
380# Display date of last login - Disabled by default
381#session optional pam_lastlog.so
382
383# Display the message of the day - Disabled by default
384#session optional pam_motd.so
385
386# Check user's mail - Disabled by default
387#session optional pam_mail.so standard quiet
388
389# include system session and password settings
390session include system-session
391password include system-password
392
393# End /etc/pam.d/login</literal>
394EOF</userinput></screen>
395 </sect4>
396
397 <sect4>
398 <title>'passwd'</title>
399
400<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
401<literal># Begin /etc/pam.d/passwd
402
403password include system-password
404
405# End /etc/pam.d/passwd</literal>
406EOF</userinput></screen>
407 </sect4>
408
409 <sect4>
410 <title>'su'</title>
411
412<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
413<literal># Begin /etc/pam.d/su
414
415# always allow root
416auth sufficient pam_rootok.so
417
418# Allow users in the wheel group to execute su without a password
419# disabled by default
420#auth sufficient pam_wheel.so trust use_uid
421
422# include system auth settings
423auth include system-auth
424
425# limit su to users in the wheel group
426auth required pam_wheel.so use_uid
427
428# include system account settings
429account include system-account
430
431# Set default environment variables for the service user
432session required pam_env.so
433
434# include system session settings
435session include system-session
436
437# End /etc/pam.d/su</literal>
438EOF</userinput></screen>
439 </sect4>
440
441 <sect4>
442 <title>'chage'</title>
443
444<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
445<literal># Begin /etc/pam.d/chage
446
447# always allow root
448auth sufficient pam_rootok.so
449
450# include system auth, account, and session settings
451auth include system-auth
452account include system-account
453session include system-session
454
455# Always permit for authentication updates
456password required pam_permit.so
457
458# End /etc/pam.d/chage</literal>
459EOF</userinput></screen>
460 </sect4>
461
462 <sect4>
463 <title>Other common programs</title>
464 <!--<title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 'groupdel',
465 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
466 'usermod'</title>-->
467
468<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
469 groupmems groupmod newusers useradd userdel usermod
470do
471 install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
472 sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
473done</userinput></screen>
474
475 <warning>
476 <para>
477 At this point, you should do a simple test to see if
478 <application>Shadow</application> is working as expected. Open
479 another terminal and log in as a user, then <command>su</command> to
480 <systemitem class="username">root</systemitem>. If you do not see
481 any errors, then all is well and you should proceed with the rest of
482 the configuration. If you did receive errors, stop now and double
483 check the above configuration files manually. One obvious reason
484 for an error is if the user is not in group <systemitem
485 class="groupname">wheel</systemitem>. You may want to run (as
486 <systemitem class="username">root</systemitem>): <command>usermod
487 -a -G wheel <replaceable>&lt;user&gt;</replaceable></command>.
488 Any other error is the sign of an error in the above procedure.
489 You can also run the
490 test suite from the <application>Linux-PAM</application> package to
491 assist you in determining the problem. If you cannot find and fix
492 the error, you should recompile <application>Shadow</application>
493 adding the <option>--without-libpam</option> switch to the
494 <command>configure</command> command in the above instructions (also
495 move the <filename>/etc/login.defs.orig</filename> backup file to
496 <filename>/etc/login.defs</filename>). If you fail to do this and
497 the errors remain, you will be unable to log into your system.
498 </para>
499 </warning>
500 </sect4>
501
502 <sect4 id="pam-access">
503 <title>Configuring Login Access</title>
504
505 <para>
506 Instead of using the <filename>/etc/login.access</filename> file for
507 controlling access to the system, <application>Linux-PAM</application>
508 uses the <filename class='libraryfile'>pam_access.so</filename> module
509 along with the <filename>/etc/security/access.conf</filename> file.
510 Rename the <filename>/etc/login.access</filename> file using the
511 following command:
512 </para>
513
514 <indexterm zone="shadow pam-access">
515 <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
516 </indexterm>
517
518<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
519 </sect4>
520
521 <sect4 id="pam-limits">
522 <title>Configuring Resource Limits</title>
523
524 <para>
525 Instead of using the <filename>/etc/limits</filename> file for
526 limiting usage of system resources,
527 <application>Linux-PAM</application> uses the
528 <filename class='libraryfile'>pam_limits.so</filename> module along
529 with the <filename>/etc/security/limits.conf</filename> file. Rename
530 the <filename>/etc/limits</filename> file using the following command:
531 </para>
532
533 <indexterm zone="shadow pam-limits">
534 <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
535 </indexterm>
536
537<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>
538
539 <caution>
540 <para>
541 Be sure to test the login capabilities of the system before logging
542 out. Errors in the configuration can cause a permanent
543 lockout requiring a boot from an external source to correct the
544 problem.
545 </para>
546 </caution>
547
548 </sect4>
549 </sect3>
550
551 </sect2>
552
553 <sect2 role="content">
554 <title>Contents</title>
555
556 <para>
557 A list of the installed files, along with their short descriptions can be
558 found at
559 <phrase revision="sysv">
560 <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/></phrase>
561 <phrase revision="systemd">
562 <ulink url="&lfs-rootd;/chapter06/shadow.html#contents-shadow"/></phrase>.
563 </para>
564
565 </sect2>
566
567</sect1>
Note: See TracBrowser for help on using the repository browser.