source: postlfs/security/shadow.xml@ 81d1117

10.0 10.1 11.0 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind ken/refactor-virt lazarus perl-modules qt5new trunk upgradedb xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since 81d1117 was 81d1117, checked in by Pierre Labastie <pieere@…>, 5 years ago

Fix shadow download

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@18260 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 20.3 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
8 <!ENTITY shadow-download-ftp " ">
9 <!ENTITY shadow-md5sum "c06f8c2571b44899e60662f9ad259dd6">
10 <!ENTITY shadow-size "1.6 MB">
11 <!ENTITY shadow-buildsize "31 MB">
12 <!ENTITY shadow-time "0.2 SBU">
13]>
14
15<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
16 <?dbhtml filename="shadow.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Shadow-&shadow-version;</title>
24
25 <indexterm zone="shadow">
26 <primary sortas="a-Shadow">Shadow</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Shadow</title>
31
32 <para>
33 <application>Shadow</application> was indeed installed in LFS and there is
34 no reason to reinstall it unless you installed
35 <application>CrackLib</application> or
36 <application>Linux-PAM</application> after your LFS system was completed.
37 If you have installed <application>CrackLib</application> after LFS, then
38 reinstalling <application>Shadow</application> will enable strong password
39 support. If you have installed <application>Linux-PAM</application>,
40 reinstalling <application>Shadow</application> will allow programs such as
41 <command>login</command> and <command>su</command> to utilize PAM.
42 </para>
43
44 &lfs7a_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&shadow-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&shadow-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &shadow-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &shadow-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &shadow-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &shadow-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
81
82 <bridgehead renderas="sect4">Required</bridgehead>
83 <para role="required">
84 <xref linkend="linux-pam"/> or
85 <xref linkend="cracklib"/>
86 </para>
87
88 <para condition="html" role="usernotes">
89 User Notes: <ulink url="&blfs-wiki;/shadow"/>
90 </para>
91 </sect2>
92
93 <sect2 role="installation">
94 <title>Installation of Shadow</title>
95
96 <important>
97 <para>
98 The installation commands shown below are for installations where
99 <application>Linux-PAM</application> has been installed (with or
100 without a <application>CrackLib</application> installation) and
101 <application>Shadow</application> is being reinstalled to support the
102 <application>Linux-PAM</application> installation.
103 </para>
104
105 <para>
106 If you are reinstalling <application>Shadow</application> to provide
107 strong password support using the <application>CrackLib</application>
108 library without using <application>Linux-PAM</application>, ensure you
109 add the <parameter>--with-libcrack</parameter> parameter to the
110 <command>configure</command> script below and also issue the following
111 command:
112 </para>
113
114<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
115 </important>
116
117 <para>
118 Reinstall <application>Shadow</application> by running the following
119 commands:
120 </para>
121
122<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
123
124find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
125find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
126find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &amp;&amp;
127
128sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
129 -e 's@/var/spool/mail@/var/mail@' etc/login.defs &amp;&amp;
130
131sed -i 's/1000/999/' etc/useradd &amp;&amp;
132sed -i -e '/snprintf/s@_msg,@_msg, 256,@' src/su.c &amp;&amp;
133sed -i -e '47 d' -e '60,65 d' libmisc/myname.c &amp;&amp;
134
135./configure --sysconfdir=/etc --with-group-name-max-length=32 &amp;&amp;
136make</userinput></screen>
137
138 <para>
139 This package does not come with a test suite.
140 </para>
141
142 <para>
143 Now, as the <systemitem class="username">root</systemitem> user:
144 </para>
145
146<screen role="root"><userinput>make install &amp;&amp;
147mv -v /usr/bin/passwd /bin</userinput></screen>
148 </sect2>
149
150 <sect2 role="commands">
151 <title>Command Explanations</title>
152
153 <para>
154 <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
155 is used to suppress the installation of the <command>groups</command>
156 program as the version from the <application>Coreutils</application>
157 package installed during LFS is preferred.
158 </para>
159
160 <para>
161 <command>find man -name Makefile.in -exec ... {} \;</command>: This
162 command is used to suppress the installation of the
163 <command>groups</command> man pages so the existing ones installed from
164 the <application>Coreutils</application> package are not replaced.
165 </para>
166
167 <para>
168 <command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
169 's@/var/spool/mail@/var/mail@' etc/login.defs</command>: Instead of using
170 the default 'DES' method, this command modifies the installation to use
171 the more secure 'SHA512' method of hashing passwords, which also allows
172 passwords longer than eight characters. It also changes the obsolete
173 <filename class="directory">/var/spool/mail</filename> location for user
174 mailboxes that <application>Shadow</application> uses by default to the
175 <filename class="directory">/var/mail</filename> location.
176 </para>
177
178 <para>
179 <command>sed -i 's/1000/999/' etc/useradd</command>: Make a minor change
180 to make the default useradd consistent with the LFS groups file.
181 </para>
182
183 <para>
184 <command>sed -i -e '/snprintf/s@_msg,@_msg, 256,@' src/su.c</command>: Fix
185 a build error that only occurs if <xref linkend="linux-pam"/> is detected
186 by <command>configure</command>.
187 </para>
188
189 <para>
190 <command>sed -i '47 d' -e '60,65 d' libmisc/myname.c</command>: Apply
191 a security fix from upstream.
192 </para>
193
194 <para>
195 <parameter>--with-group-name-max-length=32</parameter>: The maximum
196 user name is 32 characters. Make the maximum group name the same.
197 </para>
198
199 <para>
200 <command>mv -v /usr/bin/passwd /bin</command>: The
201 <command>passwd</command> program may be needed during times when the
202 <filename class='directory'>/usr</filename> filesystem is not mounted so
203 it is moved into the root partition.
204 </para>
205 </sect2>
206
207 <sect2 role="configuration">
208 <title>Configuring Shadow</title>
209
210 <para>
211 <application>Shadow</application>'s stock configuration for the
212 <command>useradd</command> utility may not be desirable for your
213 installation. One default parameter causes <command>useradd</command> to
214 create a mailbox file for any newly created user.
215 <command>useradd</command> will make the group ownership of this file to
216 the <systemitem class="groupname">mail</systemitem> group with 0660
217 permissions. If you would prefer that these mailbox files are not created
218 by <command>useradd</command>, issue the following command as the
219 <systemitem class="username">root</systemitem> user:
220 </para>
221
222<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
223 </sect2>
224
225 <sect2 role="configuration">
226 <title>Configuring Linux-PAM to Work with Shadow</title>
227
228 <note>
229 <para>
230 The rest of this page is devoted to configuring
231 <application>Shadow</application> to work properly with
232 <application>Linux-PAM</application>. If you do not have
233 <application>Linux-PAM</application> installed, and you reinstalled
234 <application>Shadow</application> to support strong passwords via the
235 <application>CrackLib</application> library, no further configuration is
236 required.
237 </para>
238 </note>
239
240 <sect3 id="pam.d">
241 <title>Config Files</title>
242
243 <para>
244 <filename>/etc/pam.d/*</filename> or alternatively
245 <filename>/etc/pam.conf</filename>,
246 <filename>/etc/login.defs</filename> and
247 <filename>/etc/security/*</filename>
248 </para>
249
250 <indexterm zone="shadow pam.d">
251 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
252 </indexterm>
253
254 <indexterm zone="shadow pam.d">
255 <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
256 </indexterm>
257
258 <indexterm zone="shadow pam.d">
259 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
260 </indexterm>
261
262 <indexterm zone="shadow pam.d">
263 <primary sortas="e-etc-security">/etc/security/*</primary>
264 </indexterm>
265 </sect3>
266
267 <sect3>
268 <title>Configuration Information</title>
269
270 <para>
271 Configuring your system to use <application>Linux-PAM</application> can
272 be a complex task. The information below will provide a basic setup so
273 that <application>Shadow</application>'s login and password
274 functionality will work effectively with
275 <application>Linux-PAM</application>. Review the information and links
276 on the <xref linkend="linux-pam"/> page for further configuration
277 information. For information specific to integrating
278 <application>Shadow</application>, <application>Linux-PAM</application>
279 and <application>CrackLib</application>, you can visit the following
280 link:
281 </para>
282
283 <itemizedlist spacing="compact">
284 <listitem>
285 <para>
286 <ulink url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/>
287 </para>
288 </listitem>
289 </itemizedlist>
290
291 <sect4 id="pam-login-defs">
292 <title>Configuring /etc/login.defs</title>
293
294 <para>
295 The <command>login</command> program currently performs many functions
296 which <application>Linux-PAM</application> modules should now handle.
297 The following <command>sed</command> command will comment out the
298 appropriate lines in <filename>/etc/login.defs</filename>, and stop
299 <command>login</command> from performing these functions (a backup
300 file named <filename>/etc/login.defs.orig</filename> is also created
301 to preserve the original file's contents). Issue the following
302 commands as the <systemitem class="username">root</systemitem> user:
303 </para>
304
305 <indexterm zone="shadow pam-login-defs">
306 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
307 </indexterm>
308
309<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
310for FUNCTION in FAIL_DELAY \
311 FAILLOG_ENAB \
312 LASTLOG_ENAB \
313 MAIL_CHECK_ENAB \
314 OBSCURE_CHECKS_ENAB \
315 PORTTIME_CHECKS_ENAB \
316 QUOTAS_ENAB \
317 CONSOLE MOTD_FILE \
318 FTMP_FILE NOLOGINS_FILE \
319 ENV_HZ PASS_MIN_LEN \
320 SU_WHEEL_ONLY \
321 CRACKLIB_DICTPATH \
322 PASS_CHANGE_TRIES \
323 PASS_ALWAYS_WARN \
324 CHFN_AUTH ENCRYPT_METHOD \
325 ENVIRON_FILE
326do
327 sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
328done</userinput></screen>
329 </sect4>
330
331 <sect4>
332 <title>Configuring the /etc/pam.d/ Files</title>
333
334 <para>
335 As mentioned previously in the <application>Linux-PAM</application>
336 instructions, <application>Linux-PAM</application> has two supported
337 methods for configuration. The commands below assume that you've
338 chosen to use a directory based configuration, where each program has
339 its own configuration file. You can optionally use a single
340 <filename>/etc/pam.conf</filename> configuration file by using the
341 text from the files below, and supplying the program name as an
342 additional first field for each line.
343 </para>
344
345 <para>
346 As the <systemitem class="username">root</systemitem> user, replace
347 the following <application>Linux-PAM</application> configuration files
348 in the <filename class="directory">/etc/pam.d/</filename> directory
349 (or add the contents to the <filename>/etc/pam.conf</filename> file)
350 using the following commands:
351 </para>
352 </sect4>
353
354 <sect4>
355 <title>'login'</title>
356
357<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
358<literal># Begin /etc/pam.d/login
359
360# Set failure delay before next prompt to 3 seconds
361auth optional pam_faildelay.so delay=3000000
362
363# Check to make sure that the user is allowed to login
364auth requisite pam_nologin.so
365
366# Check to make sure that root is allowed to login
367# Disabled by default. You will need to create /etc/securetty
368# file for this module to function. See man 5 securetty.
369#auth required pam_securetty.so
370
371# Additional group memberships - disabled by default
372#auth optional pam_group.so
373
374# include the default auth settings
375auth include system-auth
376
377# check access for the user
378account required pam_access.so
379
380# include the default account settings
381account include system-account
382
383# Set default environment variables for the user
384session required pam_env.so
385
386# Set resource limits for the user
387session required pam_limits.so
388
389# Display date of last login - Disabled by default
390#session optional pam_lastlog.so
391
392# Display the message of the day - Disabled by default
393#session optional pam_motd.so
394
395# Check user's mail - Disabled by default
396#session optional pam_mail.so standard quiet
397
398# include the default session and password settings
399session include system-session
400password include system-password
401
402# End /etc/pam.d/login</literal>
403EOF</userinput></screen>
404 </sect4>
405
406 <sect4>
407 <title>'passwd'</title>
408
409<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
410<literal># Begin /etc/pam.d/passwd
411
412password include system-password
413
414# End /etc/pam.d/passwd</literal>
415EOF</userinput></screen>
416 </sect4>
417
418 <sect4>
419 <title>'su'</title>
420
421<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
422<literal># Begin /etc/pam.d/su
423
424# always allow root
425auth sufficient pam_rootok.so
426auth include system-auth
427
428# include the default account settings
429account include system-account
430
431# Set default environment variables for the service user
432session required pam_env.so
433
434# include system session defaults
435session include system-session
436
437# End /etc/pam.d/su</literal>
438EOF</userinput></screen>
439 </sect4>
440
441 <sect4>
442 <title>'chage'</title>
443
444<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
445<literal># Begin /etc/pam.d/chage
446
447# always allow root
448auth sufficient pam_rootok.so
449
450# include system defaults for auth account and session
451auth include system-auth
452account include system-account
453session include system-session
454
455# Always permit for authentication updates
456password required pam_permit.so
457
458# End /etc/pam.d/chage</literal>
459EOF</userinput></screen>
460 </sect4>
461
462 <sect4>
463 <title>Other common programs</title>
464 <!--<title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 'groupdel',
465 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
466 'usermod'</title>-->
467
468<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
469 groupmems groupmod newusers useradd userdel usermod
470do
471 install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
472 sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
473done</userinput></screen>
474
475 <para revision="systemd">Because the installation of
476 <application>systemd</application> is not yet complete, you will need
477 to remove the <filename>/run/nologin</filename> file before testing the
478 installation. Execute the following command as the
479 <systemitem class="username">root</systemitem> user:</para>
480
481<screen role="root" revision="systemd"><userinput>rm -f /run/nologin</userinput></screen>
482
483 <warning>
484 <para>
485 At this point, you should do a simple test to see if
486 <application>Shadow</application> is working as expected. Open
487 another terminal and log in as a user, then <command>su</command> to
488 <systemitem class="username">root</systemitem>. If you do not see
489 any errors, then all is well and you should proceed with the rest of
490 the configuration. If you did receive errors, stop now and double
491 check the above configuration files manually. You can also run the
492 test suite from the <application>Linux-PAM</application> package to
493 assist you in determining the problem. If you cannot find and fix
494 the error, you should recompile <application>Shadow</application>
495 adding the <option>--without-libpam</option> switch to the
496 <command>configure</command> command in the above instructions (also
497 move the <filename>/etc/login.defs.orig</filename> backup file to
498 <filename>/etc/login.defs</filename>). If you fail to do this and
499 the errors remain, you will be unable to log into your system.
500 </para>
501 </warning>
502 </sect4>
503
504 <sect4 id="pam-access">
505 <title>Configuring Login Access</title>
506
507 <para>
508 Instead of using the <filename>/etc/login.access</filename> file for
509 controlling access to the system, <application>Linux-PAM</application>
510 uses the <filename class='libraryfile'>pam_access.so</filename> module
511 along with the <filename>/etc/security/access.conf</filename> file.
512 Rename the <filename>/etc/login.access</filename> file using the
513 following command:
514 </para>
515
516 <indexterm zone="shadow pam-access">
517 <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
518 </indexterm>
519
520<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
521 </sect4>
522
523 <sect4 id="pam-limits">
524 <title>Configuring Resource Limits</title>
525
526 <para>
527 Instead of using the <filename>/etc/limits</filename> file for
528 limiting usage of system resources,
529 <application>Linux-PAM</application> uses the
530 <filename class='libraryfile'>pam_limits.so</filename> module along
531 with the <filename>/etc/security/limits.conf</filename> file. Rename
532 the <filename>/etc/limits</filename> file using the following command:
533 </para>
534
535 <indexterm zone="shadow pam-limits">
536 <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
537 </indexterm>
538
539<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>
540
541 <caution><para>Be sure to test the login capabilities of the system
542 before logging out. Errors in the configuration can cause a permanent
543 lockout requiring a boot from an external source to correct the
544 problem.</para></caution>
545
546 </sect4>
547 </sect3>
548
549 </sect2>
550
551 <sect2 role="content">
552 <title>Contents</title>
553
554 <para>
555 A list of the installed files, along with their short descriptions can be
556 found at
557 <phrase revision="sysv">
558 <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/></phrase>
559 <phrase revision="systemd">
560 <ulink url="&lfs-rootd;/chapter06/shadow.html#contents-shadow"/></phrase>.
561 </para>
562
563 </sect2>
564
565</sect1>
Note: See TracBrowser for help on using the repository browser.