1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 |
|
---|
7 | <!-- <!ENTITY shadow-download-http "http://ftp.pld.org.pl/software/shadow/old/shadow-&shadow-version;.tar.bz2"> -->
|
---|
8 | <!-- <!ENTITY shadow-download-ftp "ftp://ftp.pld.org.pl/software/shadow/shadow-&shadow-version;.tar.bz2"> -->
|
---|
9 | <!-- <!ENTITY shadow-download-http "http://cross-lfs.org/files/packages/svn/shadow-&shadow-version;.tar.bz2"> -->
|
---|
10 | <!ENTITY shadow-download-http "http://anduin.linuxfromscratch.org/sources/LFS/lfs-packages/development/shadow-&shadow-version;.tar.bz2">
|
---|
11 | <!ENTITY shadow-download-ftp " ">
|
---|
12 | <!ENTITY shadow-md5sum "e7751d46ecf219c07ae0b028ab3335c6">
|
---|
13 | <!ENTITY shadow-size "1.5 MB">
|
---|
14 | <!ENTITY shadow-buildsize "18 MB">
|
---|
15 | <!ENTITY shadow-time "0.3 SBU">
|
---|
16 | ]>
|
---|
17 |
|
---|
18 | <sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
|
---|
19 | <?dbhtml filename="shadow.html"?>
|
---|
20 |
|
---|
21 | <sect1info>
|
---|
22 | <othername>$LastChangedBy$</othername>
|
---|
23 | <date>$Date$</date>
|
---|
24 | </sect1info>
|
---|
25 |
|
---|
26 | <title>Shadow-&shadow-version;</title>
|
---|
27 |
|
---|
28 | <indexterm zone="shadow">
|
---|
29 | <primary sortas="a-Shadow">Shadow</primary>
|
---|
30 | </indexterm>
|
---|
31 |
|
---|
32 | <sect2 role="package">
|
---|
33 | <title>Introduction to Shadow</title>
|
---|
34 |
|
---|
35 | <para><application>Shadow</application> was indeed installed in LFS and
|
---|
36 | there is no reason to reinstall it unless you installed
|
---|
37 | <application>CrackLib</application> or
|
---|
38 | <application>Linux-PAM</application> after your LFS system was completed.
|
---|
39 | If you have installed <application>CrackLib</application> after LFS, then
|
---|
40 | reinstalling <application>Shadow</application> will enable strong password
|
---|
41 | support. If you have installed <application>Linux-PAM</application>,
|
---|
42 | reinstalling <application>Shadow</application> will allow programs such as
|
---|
43 | <command>login</command> and <command>su</command> to utilize PAM.</para>
|
---|
44 |
|
---|
45 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
46 | <itemizedlist spacing="compact">
|
---|
47 | <listitem>
|
---|
48 | <para>Download (HTTP): <ulink url="&shadow-download-http;"/></para>
|
---|
49 | </listitem>
|
---|
50 | <listitem>
|
---|
51 | <para>Download (FTP): <ulink url="&shadow-download-ftp;"/></para>
|
---|
52 | </listitem>
|
---|
53 | <listitem>
|
---|
54 | <para>Download MD5 sum: &shadow-md5sum;</para>
|
---|
55 | </listitem>
|
---|
56 | <listitem>
|
---|
57 | <para>Download size: &shadow-size;</para>
|
---|
58 | </listitem>
|
---|
59 | <listitem>
|
---|
60 | <para>Estimated disk space required: &shadow-buildsize;</para>
|
---|
61 | </listitem>
|
---|
62 | <listitem>
|
---|
63 | <para>Estimated build time: &shadow-time;</para>
|
---|
64 | </listitem>
|
---|
65 | </itemizedlist>
|
---|
66 |
|
---|
67 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
68 | <itemizedlist spacing='compact'>
|
---|
69 | <listitem>
|
---|
70 | <para>Required patch: <ulink
|
---|
71 | url="&patch-root;/shadow-&shadow-version;-useradd_fix-2.patch"/></para>
|
---|
72 | </listitem>
|
---|
73 | </itemizedlist>
|
---|
74 |
|
---|
75 | <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
|
---|
76 |
|
---|
77 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
78 | <para role="required"><xref linkend="linux-pam"/> and/or
|
---|
79 | <xref linkend="cracklib"/></para>
|
---|
80 |
|
---|
81 | <para condition="html" role="usernotes">User Notes:
|
---|
82 | <ulink url="&blfs-wiki;/shadow"/></para>
|
---|
83 |
|
---|
84 | </sect2>
|
---|
85 |
|
---|
86 | <sect2 role="installation">
|
---|
87 | <title>Installation of Shadow</title>
|
---|
88 |
|
---|
89 | <important>
|
---|
90 | <para>The installation shown below is for a situation where
|
---|
91 | <application>Linux-PAM</application> has been installed (with or
|
---|
92 | without a <application>CrackLib</application> installation) and
|
---|
93 | <application>Shadow</application> is being reinstalled to support the
|
---|
94 | <application>Linux-PAM</application> installation. If you are
|
---|
95 | reinstalling <application>Shadow</application> to provide strong
|
---|
96 | password support via the <application>CrackLib</application> library
|
---|
97 | and you have not installed <application>Linux-PAM</application>, ensure
|
---|
98 | you add the <parameter>--with-libcrack</parameter> parameter to the
|
---|
99 | <command>configure</command> script below.</para>
|
---|
100 | </important>
|
---|
101 |
|
---|
102 | <para>Reinstall <application>Shadow</application> by running the following
|
---|
103 | commands:</para>
|
---|
104 |
|
---|
105 | <screen><userinput>patch -Np1 -i ../shadow-&shadow-version;-useradd_fix-2.patch &&
|
---|
106 |
|
---|
107 | ./configure --libdir=/lib \
|
---|
108 | --sysconfdir=/etc \
|
---|
109 | --enable-shared \
|
---|
110 | --without-selinux &&
|
---|
111 |
|
---|
112 | sed -i 's/groups$(EXEEXT) //' src/Makefile &&
|
---|
113 | find man -name Makefile -exec sed -i 's/groups\.1 / /' {} \; &&
|
---|
114 | sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile &&
|
---|
115 |
|
---|
116 | for i in de es fi fr id it pt_BR; do
|
---|
117 | convert-mans UTF-8 ISO-8859-1 man/${i}/*.?
|
---|
118 | done &&
|
---|
119 |
|
---|
120 | for i in cs hu pl; do
|
---|
121 | convert-mans UTF-8 ISO-8859-2 man/${i}/*.?
|
---|
122 | done &&
|
---|
123 |
|
---|
124 | convert-mans UTF-8 EUC-JP man/ja/*.? &&
|
---|
125 | convert-mans UTF-8 KOI8-R man/ru/*.? &&
|
---|
126 | convert-mans UTF-8 ISO-8859-9 man/tr/*.? &&
|
---|
127 |
|
---|
128 | make</userinput></screen>
|
---|
129 |
|
---|
130 | <para>This package does not come with a test suite.</para>
|
---|
131 |
|
---|
132 | <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
|
---|
133 |
|
---|
134 | <screen role="root"><userinput>make install &&
|
---|
135 | mv -v /usr/bin/passwd /bin &&
|
---|
136 | mv -v /lib/libshadow.*a /usr/lib &&
|
---|
137 | rm -v /lib/libshadow.so &&
|
---|
138 | ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen>
|
---|
139 |
|
---|
140 | </sect2>
|
---|
141 |
|
---|
142 | <sect2 role="commands">
|
---|
143 | <title>Command Explanations</title>
|
---|
144 |
|
---|
145 | <!-- Removed the -with-libpam and -without-libcrack options from the
|
---|
146 | default as these are the defaults. Pam will automatically be picked
|
---|
147 | up if it is installed, and CrackLib won't be used unless specifically
|
---|
148 | requested via -with-libcrack
|
---|
149 | <para><parameter>-without-libcrack</parameter>: This switch tells
|
---|
150 | <application>Shadow</application> not to use
|
---|
151 | <filename class='libraryfile'>libcrack</filename>. This is desired as
|
---|
152 | <application>Linux-PAM</application> will provide
|
---|
153 | <filename class='libraryfile'>libcrack</filename> functionality.</para>
|
---|
154 | -->
|
---|
155 |
|
---|
156 | <para><parameter>--without-selinux</parameter>: Support for selinux is
|
---|
157 | enabled by default, but selinux is not built in a base LFS system. The
|
---|
158 | <command>configure</command> script will fail if this option is not
|
---|
159 | used.</para>
|
---|
160 |
|
---|
161 | <para><command>sed -i 's/groups$(EXEEXT) //' src/Makefile</command>: This
|
---|
162 | command is used to suppress the installation of the
|
---|
163 | <command>groups</command> program as the version from the
|
---|
164 | <application>Coreutils</application> package installed during LFS is
|
---|
165 | preferred.</para>
|
---|
166 |
|
---|
167 | <para><command>find man -name Makefile -exec ... {} \;</command>: This
|
---|
168 | command is used to suppress the installation of the
|
---|
169 | <command>groups</command> man pages so the existing ones installed from
|
---|
170 | the <application>Coreutils</application> package are not replaced.</para>
|
---|
171 |
|
---|
172 | <para><command>sed -i -e '...' -e '...' man/Makefile</command>: This
|
---|
173 | command disables the installation of Chinese and Korean manual pages, since
|
---|
174 | <application>Man-DB</application> cannot format them properly.</para>
|
---|
175 |
|
---|
176 | <para><command>convert-mans ...</command>: These commands are used to
|
---|
177 | convert some of the man pages so that <application>Man-DB</application>
|
---|
178 | will display them in the expected encodings.</para>
|
---|
179 |
|
---|
180 | <para><command>mv -v /usr/bin/passwd /bin</command>: The
|
---|
181 | <command>passwd</command> program may be needed during times when the
|
---|
182 | <filename class='directory'>/usr</filename> filesystem is not mounted so
|
---|
183 | it is moved into the root partition.</para>
|
---|
184 |
|
---|
185 | <para><command>mv -v ...; rm -v ...; ln -v ...</command>: These commands
|
---|
186 | are used to move the <filename class='libraryfile'>libshadow</filename>
|
---|
187 | library to the root partition to support the moving of the
|
---|
188 | <command>passwd</command> program earlier.</para>
|
---|
189 |
|
---|
190 | </sect2>
|
---|
191 |
|
---|
192 | <sect2 role="configuration">
|
---|
193 | <title>Configuring Shadow</title>
|
---|
194 |
|
---|
195 | <para><application>Shadow</application>'s stock configuration for the
|
---|
196 | <command>useradd</command> utility is not suitable for LFS systems. Use the
|
---|
197 | following commands as the <systemitem class="username">root</systemitem>
|
---|
198 | user to change the default home directory for new users and prevent the
|
---|
199 | creation of mail spool files:</para>
|
---|
200 |
|
---|
201 | <screen role="root"><userinput>useradd -D -b /home &&
|
---|
202 | sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
|
---|
203 |
|
---|
204 | </sect2>
|
---|
205 |
|
---|
206 | <sect2 role="configuration">
|
---|
207 | <title>Configuring Linux-PAM to Work with Shadow</title>
|
---|
208 |
|
---|
209 | <note>
|
---|
210 | <para>The rest of this page is devoted to configuring
|
---|
211 | <application>Shadow</application> to work properly with
|
---|
212 | <application>Linux-PAM</application>. If you do not have
|
---|
213 | <application>Linux-PAM</application> installed, and you reinstalled
|
---|
214 | <application>Shadow</application> to support strong passwords via
|
---|
215 | the <application>CrackLib</application> library, no further configuration
|
---|
216 | is required.</para>
|
---|
217 | </note>
|
---|
218 |
|
---|
219 | <sect3 id="pam.d">
|
---|
220 | <title>Config Files</title>
|
---|
221 |
|
---|
222 | <para><filename>/etc/pam.d/*</filename> or alternatively
|
---|
223 | <filename>/etc/pam.conf, /etc/login.defs and
|
---|
224 | /etc/security/*</filename></para>
|
---|
225 |
|
---|
226 | <indexterm zone="shadow pam.d">
|
---|
227 | <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
|
---|
228 | </indexterm>
|
---|
229 |
|
---|
230 | <indexterm zone="shadow pam.d">
|
---|
231 | <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
|
---|
232 | </indexterm>
|
---|
233 |
|
---|
234 | <indexterm zone="shadow pam.d">
|
---|
235 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
236 | </indexterm>
|
---|
237 |
|
---|
238 | <indexterm zone="shadow pam.d">
|
---|
239 | <primary sortas="e-etc-security">/etc/security/*</primary>
|
---|
240 | </indexterm>
|
---|
241 |
|
---|
242 | </sect3>
|
---|
243 |
|
---|
244 | <sect3>
|
---|
245 | <title>Configuration Information</title>
|
---|
246 |
|
---|
247 | <para>Configuring your system to use <application>Linux-PAM</application>
|
---|
248 | can be a complex task. The information below will provide a basic setup
|
---|
249 | so that <application>Shadow</application>'s login and password
|
---|
250 | functionality will work effectively with
|
---|
251 | <application>Linux-PAM</application>. Review the information and links on
|
---|
252 | the <xref linkend="linux-pam"/> page for further configuration
|
---|
253 | information. For information specific to integrating
|
---|
254 | <application>Shadow</application>, <application>Linux-PAM</application>
|
---|
255 | and <application>CrackLib</application>, you can visit the following
|
---|
256 | links:</para>
|
---|
257 |
|
---|
258 | <itemizedlist spacing="compact">
|
---|
259 | <listitem>
|
---|
260 | <para><ulink
|
---|
261 | url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.3"/></para>
|
---|
262 | </listitem>
|
---|
263 | <listitem>
|
---|
264 | <para><ulink
|
---|
265 | url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/></para>
|
---|
266 | </listitem>
|
---|
267 | </itemizedlist>
|
---|
268 |
|
---|
269 | <sect4 id="pam-login-defs">
|
---|
270 | <title>Configuring /etc/login.defs</title>
|
---|
271 |
|
---|
272 | <para>The <command>login</command> program currently performs many
|
---|
273 | functions which <application>Linux-PAM</application> modules should
|
---|
274 | now handle. The following <command>sed</command> command will comment
|
---|
275 | out the appropriate lines in <filename>/etc/login.defs</filename>, and
|
---|
276 | stop <command>login</command> from performing these functions (a backup
|
---|
277 | file named <filename>/etc/login.defs.orig</filename> is also created
|
---|
278 | to preserve the original file's contents). Issue the following commands
|
---|
279 | as the <systemitem class="username">root</systemitem> user:</para>
|
---|
280 |
|
---|
281 | <indexterm zone="shadow pam-login-defs">
|
---|
282 | <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
|
---|
283 | </indexterm>
|
---|
284 |
|
---|
285 | <screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &&
|
---|
286 | for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
|
---|
287 | PORTTIME_CHECKS_ENAB CONSOLE \
|
---|
288 | MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
|
---|
289 | SU_WHEEL_ONLY MD5_CRYPT_ENAB \
|
---|
290 | CONSOLE_GROUPS ENVIRON_FILE \
|
---|
291 | ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
|
---|
292 | ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
|
---|
293 | CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE \
|
---|
294 | OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
|
---|
295 | PASS_CHANGE_TRIES PASS_ALWAYS_WARN ISSUE_FILE
|
---|
296 | do
|
---|
297 | sed -i "s/^$FUNCTION/# &/" /etc/login.defs
|
---|
298 | done</userinput></screen>
|
---|
299 |
|
---|
300 | <!-- Moved the commenting of these four parameters into the section
|
---|
301 | above. If PAM is installed, it complains if these are not commented
|
---|
302 | regardless if CrackLib is installed.
|
---|
303 |
|
---|
304 | <para>If you have <application>CrackLib</application> installed,
|
---|
305 | also comment out four more lines using the following command as the
|
---|
306 | <systemitem class="username">root</systemitem> user:</para>
|
---|
307 |
|
---|
308 | <screen role="root"><userinput>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
|
---|
309 | PASS_CHANGE_TRIES PASS_ALWAYS_WARN
|
---|
310 | do
|
---|
311 | sed -i "s/^$FUNCTION/# &/" /etc/login.defs
|
---|
312 | done</userinput></screen>
|
---|
313 |
|
---|
314 | -->
|
---|
315 |
|
---|
316 | </sect4>
|
---|
317 |
|
---|
318 | <sect4>
|
---|
319 | <title>Configuring the /etc/pam.d/ Files</title>
|
---|
320 |
|
---|
321 | <para>As mentioned previously in the
|
---|
322 | <application>Linux-PAM</application> instructions,
|
---|
323 | <application>Linux-PAM</application> has two supported methods for
|
---|
324 | configuration. The commands below assume that you've chosen to use
|
---|
325 | a directory based configuration, where each program has its own
|
---|
326 | configuration file. You can optionally use a single
|
---|
327 | <filename>/etc/pam.conf</filename> configuration file by using the
|
---|
328 | text from the files below, and supplying the program name as an
|
---|
329 | additional first field for each line.</para>
|
---|
330 |
|
---|
331 | <para>As the <systemitem class="username">root</systemitem> user,
|
---|
332 | create the <filename class="directory">/etc/pam.d</filename>
|
---|
333 | directory with the following command:</para>
|
---|
334 |
|
---|
335 | <screen role="root"><userinput>install -v -d -m755 /etc/pam.d</userinput></screen>
|
---|
336 |
|
---|
337 | <para>While still the <systemitem class="username">root</systemitem>
|
---|
338 | user, add the following <application>Linux-PAM</application>
|
---|
339 | configuration files to the
|
---|
340 | <filename class="directory">/etc/pam.d/</filename> directory (or
|
---|
341 | add the contents to the <filename>/etc/pam.conf</filename> file) with
|
---|
342 | the following commands:</para>
|
---|
343 |
|
---|
344 | </sect4>
|
---|
345 |
|
---|
346 | <sect4>
|
---|
347 | <title>'login' (with CrackLib)</title>
|
---|
348 |
|
---|
349 | <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
---|
350 | <literal># Begin /etc/pam.d/login
|
---|
351 |
|
---|
352 | auth requisite pam_nologin.so
|
---|
353 | auth required pam_securetty.so
|
---|
354 | auth required pam_unix.so
|
---|
355 | account required pam_access.so
|
---|
356 | account required pam_unix.so
|
---|
357 | session required pam_env.so
|
---|
358 | session required pam_motd.so
|
---|
359 | session required pam_limits.so
|
---|
360 | session optional pam_mail.so dir=/var/mail standard
|
---|
361 | session optional pam_lastlog.so
|
---|
362 | session required pam_unix.so
|
---|
363 | password required pam_cracklib.so retry=3
|
---|
364 | password required pam_unix.so md5 shadow use_authtok
|
---|
365 |
|
---|
366 | # End /etc/pam.d/login</literal>
|
---|
367 | EOF</userinput></screen>
|
---|
368 |
|
---|
369 | </sect4>
|
---|
370 |
|
---|
371 | <sect4>
|
---|
372 | <title>'login' (without CrackLib)</title>
|
---|
373 |
|
---|
374 | <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
|
---|
375 | <literal># Begin /etc/pam.d/login
|
---|
376 |
|
---|
377 | auth requisite pam_nologin.so
|
---|
378 | auth required pam_securetty.so
|
---|
379 | auth required pam_env.so
|
---|
380 | auth required pam_unix.so
|
---|
381 | account required pam_access.so
|
---|
382 | account required pam_unix.so
|
---|
383 | session required pam_motd.so
|
---|
384 | session required pam_limits.so
|
---|
385 | session optional pam_mail.so dir=/var/mail standard
|
---|
386 | session optional pam_lastlog.so
|
---|
387 | session required pam_unix.so
|
---|
388 | password required pam_unix.so md5 shadow
|
---|
389 |
|
---|
390 | # End /etc/pam.d/login</literal>
|
---|
391 | EOF</userinput></screen>
|
---|
392 |
|
---|
393 | </sect4>
|
---|
394 |
|
---|
395 | <sect4>
|
---|
396 | <title>'passwd' (with CrackLib)</title>
|
---|
397 |
|
---|
398 | <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
---|
399 | <literal># Begin /etc/pam.d/passwd
|
---|
400 |
|
---|
401 | password required pam_cracklib.so type=Linux retry=1 \
|
---|
402 | difok=5 diffignore=23 minlen=9 \
|
---|
403 | dcredit=1 ucredit=1 lcredit=1 \
|
---|
404 | ocredit=1 \
|
---|
405 | dictpath=/lib/cracklib/pw_dict
|
---|
406 | password required pam_unix.so md5 shadow use_authtok
|
---|
407 |
|
---|
408 | # End /etc/pam.d/passwd</literal>
|
---|
409 | EOF</userinput></screen>
|
---|
410 |
|
---|
411 | <note><para>In its default configuration, owing to credits,
|
---|
412 | pam_cracklib will allow multiple case passwords as short as 6
|
---|
413 | characters, even with the <parameter>minlen</parameter> value
|
---|
414 | set to 11. You should review the pam_cracklib(8) man page and
|
---|
415 | determine if these default values are acceptable for the security
|
---|
416 | of your system.</para></note>
|
---|
417 |
|
---|
418 | </sect4>
|
---|
419 |
|
---|
420 | <sect4>
|
---|
421 | <title>'passwd' (without CrackLib)</title>
|
---|
422 |
|
---|
423 | <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
|
---|
424 | <literal># Begin /etc/pam.d/passwd
|
---|
425 |
|
---|
426 | password required pam_unix.so md5 shadow
|
---|
427 |
|
---|
428 | # End /etc/pam.d/passwd</literal>
|
---|
429 | EOF</userinput></screen>
|
---|
430 |
|
---|
431 | </sect4>
|
---|
432 |
|
---|
433 | <sect4>
|
---|
434 | <title>'su'</title>
|
---|
435 |
|
---|
436 | <screen role="root"><userinput>cat > /etc/pam.d/su << "EOF"
|
---|
437 | <literal># Begin /etc/pam.d/su
|
---|
438 |
|
---|
439 | auth sufficient pam_rootok.so
|
---|
440 | auth required pam_unix.so
|
---|
441 | account required pam_unix.so
|
---|
442 | session optional pam_mail.so dir=/var/mail standard
|
---|
443 | session optional pam_xauth.so
|
---|
444 | session required pam_env.so
|
---|
445 | session required pam_unix.so
|
---|
446 |
|
---|
447 | # End /etc/pam.d/su</literal>
|
---|
448 | EOF</userinput></screen>
|
---|
449 |
|
---|
450 | </sect4>
|
---|
451 |
|
---|
452 | <sect4>
|
---|
453 | <title>'chage'</title>
|
---|
454 |
|
---|
455 | <screen role="root"><userinput>cat > /etc/pam.d/chage << "EOF"
|
---|
456 | <literal># Begin /etc/pam.d/chage
|
---|
457 |
|
---|
458 | auth sufficient pam_rootok.so
|
---|
459 | auth required pam_unix.so
|
---|
460 | account required pam_unix.so
|
---|
461 | session required pam_unix.so
|
---|
462 | password required pam_permit.so
|
---|
463 |
|
---|
464 | # End /etc/pam.d/chage</literal>
|
---|
465 | EOF</userinput></screen>
|
---|
466 |
|
---|
467 | </sect4>
|
---|
468 |
|
---|
469 | <sect4>
|
---|
470 | <title>'chpasswd', 'chgpasswd', 'groupadd', 'groupdel', 'groupmems',
|
---|
471 | 'groupmod', 'newusers', 'useradd', 'userdel', and 'usermod'</title>
|
---|
472 |
|
---|
473 | <screen role="root"><userinput>for PROGRAM in chpasswd chgpasswd groupadd groupdel groupmems \
|
---|
474 | groupmod newusers useradd userdel usermod
|
---|
475 | do
|
---|
476 | install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
|
---|
477 | sed -i "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
|
---|
478 | done</userinput></screen>
|
---|
479 |
|
---|
480 | <warning>
|
---|
481 | <para>At this point, you should do a simple test to see if
|
---|
482 | <application>Shadow</application> is working as expected. Open
|
---|
483 | another terminal and log in as a user, then <command>su</command> to
|
---|
484 | <systemitem class="username">root</systemitem>. If you do not see any
|
---|
485 | errors, then all is well and you should proceed with the rest of the
|
---|
486 | configuration. If you did receive errors, stop now and double check
|
---|
487 | the above configuration files manually. You can also run the test
|
---|
488 | suite from the <application>Linux-PAM</application> package to assist
|
---|
489 | you in determining the problem. If you cannot find and
|
---|
490 | fix the error, you should recompile <application>Shadow</application>
|
---|
491 | adding the <option>--without-libpam</option> switch to the
|
---|
492 | <command>configure</command> command in the above instructions
|
---|
493 | (also move the <filename>/etc/login.defs.orig</filename> backup
|
---|
494 | file to <filename>/etc/login.defs</filename>). If you
|
---|
495 | fail to do this and the errors remain, you will be unable to log into
|
---|
496 | your system.</para>
|
---|
497 | </warning>
|
---|
498 |
|
---|
499 | </sect4>
|
---|
500 |
|
---|
501 | <sect4>
|
---|
502 | <title>Other</title>
|
---|
503 |
|
---|
504 | <para>Currently, <filename>/etc/pam.d/other</filename> is configured
|
---|
505 | to allow anyone with an account on the machine to use PAM-aware
|
---|
506 | programs without a configuration file for that program. After testing
|
---|
507 | <application>Linux-PAM</application> for proper configuration, install
|
---|
508 | a more restrictive <filename>other</filename> file so that
|
---|
509 | program-specific configuration files are required:</para>
|
---|
510 |
|
---|
511 | <screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
|
---|
512 | <literal># Begin /etc/pam.d/other
|
---|
513 |
|
---|
514 | auth required pam_deny.so
|
---|
515 | auth required pam_warn.so
|
---|
516 | account required pam_deny.so
|
---|
517 | session required pam_deny.so
|
---|
518 | password required pam_deny.so
|
---|
519 | password required pam_warn.so
|
---|
520 |
|
---|
521 | # End /etc/pam.d/other</literal>
|
---|
522 | EOF</userinput></screen>
|
---|
523 |
|
---|
524 | <para>If you preserved the source tree from the
|
---|
525 | <application>Linux-PAM</application> package (or you feel like unpacking
|
---|
526 | that tarball, then running <command>configure</command> and
|
---|
527 | <command>make</command>), now would be a good time to run the test
|
---|
528 | suite from this package. This test suite will use the configuration you
|
---|
529 | just finished during the tests. All the tests should pass.</para>
|
---|
530 |
|
---|
531 | </sect4>
|
---|
532 |
|
---|
533 | <sect4 id="pam-access">
|
---|
534 | <title>Configuring Login Access</title>
|
---|
535 |
|
---|
536 | <para>Instead of using the <filename>/etc/login.access</filename>
|
---|
537 | file for controlling access to the system,
|
---|
538 | <application>Linux-PAM</application> uses the
|
---|
539 | <filename class='libraryfile'>pam_access.so</filename> module along
|
---|
540 | with the <filename>/etc/security/access.conf</filename> file. Rename
|
---|
541 | the <filename>/etc/login.access</filename> file using the following
|
---|
542 | command:</para>
|
---|
543 |
|
---|
544 | <indexterm zone="shadow pam-access">
|
---|
545 | <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
|
---|
546 | </indexterm>
|
---|
547 |
|
---|
548 | <screen role="root"><userinput>if [ -f /etc/login.access ]; then
|
---|
549 | mv -v /etc/login.access /etc/login.access.NOUSE
|
---|
550 | fi</userinput></screen>
|
---|
551 |
|
---|
552 | </sect4>
|
---|
553 |
|
---|
554 | <sect4 id="pam-limits">
|
---|
555 | <title>Configuring Resource Limits</title>
|
---|
556 |
|
---|
557 | <para>Instead of using the <filename>/etc/limits</filename> file
|
---|
558 | for limiting usage of system resources,
|
---|
559 | <application>Linux-PAM</application> uses the
|
---|
560 | <filename class='libraryfile'>pam_limits.so</filename> module along
|
---|
561 | with the <filename>/etc/security/limits.conf</filename> file. Rename
|
---|
562 | the <filename>/etc/limits</filename> file using the following
|
---|
563 | command:</para>
|
---|
564 |
|
---|
565 | <indexterm zone="shadow pam-limits">
|
---|
566 | <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
|
---|
567 | </indexterm>
|
---|
568 |
|
---|
569 | <screen role="root"><userinput>if [ -f /etc/limits ]; then
|
---|
570 | mv -v /etc/limits /etc/limits.NOUSE
|
---|
571 | fi</userinput></screen>
|
---|
572 |
|
---|
573 | </sect4>
|
---|
574 |
|
---|
575 | <sect4 id="pam-env">
|
---|
576 | <title>Configuring Default Environment</title>
|
---|
577 |
|
---|
578 | <para>During previous configuration, several items were removed from
|
---|
579 | <filename>/etc/login.defs</filename>. Some of these items are now
|
---|
580 | controlled by the <filename class='libraryfile'>pam_env.so</filename>
|
---|
581 | module and the <filename>/etc/security/pam_env.conf</filename>
|
---|
582 | configuration file. In particular, the default path has been
|
---|
583 | changed. To recover your default path, execute the following
|
---|
584 | commands:</para>
|
---|
585 |
|
---|
586 | <screen role="root"><userinput>ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
|
---|
587 | awk '{ print $2 }' | sed 's/PATH=//'` &&
|
---|
588 | echo 'PATH DEFAULT='`echo "${ENV_PATH}"`\
|
---|
589 | ' OVERRIDE=${PATH}' \
|
---|
590 | >> /etc/security/pam_env.conf &&
|
---|
591 | unset ENV_PATH</userinput></screen>
|
---|
592 |
|
---|
593 | <note>
|
---|
594 | <para>ENV_SUPATH is no longer supported. You must create
|
---|
595 | a valid <filename>/root/.bashrc</filename> file to provide a
|
---|
596 | modified path for the super-user.</para>
|
---|
597 | </note>
|
---|
598 |
|
---|
599 | </sect4>
|
---|
600 |
|
---|
601 | </sect3>
|
---|
602 |
|
---|
603 | </sect2>
|
---|
604 |
|
---|
605 | <sect2 role="content">
|
---|
606 | <title>Contents</title>
|
---|
607 |
|
---|
608 | <para>A list of the installed files, along with their short descriptions
|
---|
609 | can be found at
|
---|
610 | <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>
|
---|
611 |
|
---|
612 | </sect2>
|
---|
613 |
|
---|
614 | </sect1>
|
---|