source: postlfs/security/shadow.xml@ 82e1be5

Last change on this file since 82e1be5 was 82e1be5, checked in by Bruce Dubbs <bdubbs@…>, 6 years ago

Update to cryptsetup-2.0.4.
Update to xfsprogs-4.17.0.
Tags.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@20311 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 19.8 KB
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
8 <!ENTITY shadow-download-ftp " ">
9 <!ENTITY shadow-md5sum "b491fecbf1232632c32ff8f1437fd60e">
10 <!ENTITY shadow-size "1.6 MB">
11 <!ENTITY shadow-buildsize "33 MB">
12 <!ENTITY shadow-time "0.2 SBU">
13]>
14
15<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
16 <?dbhtml filename="shadow.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Shadow-&shadow-version;</title>
24
25 <indexterm zone="shadow">
26 <primary sortas="a-Shadow">Shadow</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Shadow</title>
31
32 <para>
33 <application>Shadow</application> was indeed installed in LFS and there is
34 no reason to reinstall it unless you installed
35 <application>CrackLib</application> or
36 <application>Linux-PAM</application> after your LFS system was completed.
37 If you have installed <application>CrackLib</application> after LFS, then
38 reinstalling <application>Shadow</application> will enable strong password
39 support. If you have installed <application>Linux-PAM</application>,
40 reinstalling <application>Shadow</application> will allow programs such as
41 <command>login</command> and <command>su</command> to utilize PAM.
42 </para>
43
44 &lfs83_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&shadow-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&shadow-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &shadow-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &shadow-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &shadow-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &shadow-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
81
82 <bridgehead renderas="sect4">Required</bridgehead>
83 <para role="required">
84 <xref linkend="linux-pam"/> or
85 <xref linkend="cracklib"/>
86 </para>
87
88 <para condition="html" role="usernotes">
89 User Notes: <ulink url="&blfs-wiki;/shadow"/>
90 </para>
91 </sect2>
92
93 <sect2 role="installation">
94 <title>Installation of Shadow</title>
95
96 <important>
97 <para>
98 The installation commands shown below are for installations where
99 <application>Linux-PAM</application> has been installed (with or
100 without a <application>CrackLib</application> installation) and
101 <application>Shadow</application> is being reinstalled to support the
102 <application>Linux-PAM</application> installation.
103 </para>
104
105 <para>
106 If you are reinstalling <application>Shadow</application> to provide
107 strong password support using the <application>CrackLib</application>
108 library without using <application>Linux-PAM</application>, ensure you
109 add the <parameter>--with-libcrack</parameter> parameter to the
110 <command>configure</command> script below and also issue the following
111 command:
112 </para>
113
114<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
115 </important>
116
117 <para>
118 Reinstall <application>Shadow</application> by running the following
119 commands:
120 </para>
121
122<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
123
124find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
125find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
126find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &amp;&amp;
127
128sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
129 -e 's@/var/spool/mail@/var/mail@' etc/login.defs &amp;&amp;
130
131sed -i 's/1000/999/' etc/useradd &amp;&amp;
132
133./configure --sysconfdir=/etc --with-group-name-max-length=32 &amp;&amp;
134make</userinput></screen>
135
136 <para>
137 This package does not come with a test suite.
138 </para>
139
140 <para>
141 Now, as the <systemitem class="username">root</systemitem> user:
142 </para>
143
144<screen role="root"><userinput>make install &amp;&amp;
145mv -v /usr/bin/passwd /bin</userinput></screen>
146 </sect2>
147
148 <sect2 role="commands">
149 <title>Command Explanations</title>
150
151 <para>
152 <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
153 is used to suppress the installation of the <command>groups</command>
154 program as the version from the <application>Coreutils</application>
155 package installed during LFS is preferred.
156 </para>
157
158 <para>
159 <command>find man -name Makefile.in -exec ... {} \;</command>: This
160 command is used to suppress the installation of the
161 <command>groups</command> man pages so the existing ones installed from
162 the <application>Coreutils</application> package are not replaced.
163 </para>
164
165 <para>
166 <command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
167 's@/var/spool/mail@/var/mail@' etc/login.defs</command>: Instead of using
168 the default 'DES' method, this command modifies the installation to use
169 the more secure 'SHA512' method of hashing passwords, which also allows
170 passwords longer than eight characters. It also changes the obsolete
171 <filename class="directory">/var/spool/mail</filename> location for user
172 mailboxes that <application>Shadow</application> uses by default to the
173 <filename class="directory">/var/mail</filename> location.
174 </para>
175
176 <para>
177 <command>sed -i 's/1000/999/' etc/useradd</command>: Make a minor change
178 to make the default useradd consistent with the LFS groups file.
179 </para>
180
181 <para>
182 <parameter>--with-group-name-max-length=32</parameter>: The maximum
183 user name length is 32 characters. Make the maximum group name length the same.
184 </para>
185
186 <para>
187 <command>mv -v /usr/bin/passwd /bin</command>: The
188 <command>passwd</command> program may be needed during times when the
189 <filename class='directory'>/usr</filename> filesystem is not mounted so
190 it is moved into the root partition.
191 </para>
192 </sect2>
193
194 <sect2 role="configuration">
195 <title>Configuring Shadow</title>
196
197 <para>
198 <application>Shadow</application>'s stock configuration for the
199 <command>useradd</command> utility may not be desirable for your
200 installation. One default parameter causes <command>useradd</command> to
201 create a mailbox file for any newly created user.
202 <command>useradd</command> will assign the group ownership of this file to
203 the <systemitem class="groupname">mail</systemitem> group with 0660
204 permissions. If you would prefer that these mailbox files are not created
205 by <command>useradd</command>, issue the following command as the
206 <systemitem class="username">root</systemitem> user:
207 </para>
208
209<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
210 </sect2>
211
212 <sect2 role="configuration">
213 <title>Configuring Linux-PAM to Work with Shadow</title>
214
215 <note>
216 <para>
217 The rest of this page is devoted to configuring
218 <application>Shadow</application> to work properly with
219 <application>Linux-PAM</application>. If you do not have
220 <application>Linux-PAM</application> installed, and you reinstalled
221 <application>Shadow</application> to support strong passwords via the
222 <application>CrackLib</application> library, no further configuration is
223 required.
224 </para>
225 </note>
226
227 <sect3 id="pam.d">
228 <title>Config Files</title>
229
230 <para>
231 <filename>/etc/pam.d/*</filename> or alternatively
232 <filename>/etc/pam.conf</filename>,
233 <filename>/etc/login.defs</filename> and
234 <filename>/etc/security/*</filename>
235 </para>
236
237 <indexterm zone="shadow pam.d">
238 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
239 </indexterm>
240
241 <indexterm zone="shadow pam.d">
242 <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
243 </indexterm>
244
245 <indexterm zone="shadow pam.d">
246 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
247 </indexterm>
248
249 <indexterm zone="shadow pam.d">
250 <primary sortas="e-etc-security">/etc/security/*</primary>
251 </indexterm>
252 </sect3>
253
254 <sect3>
255 <title>Configuration Information</title>
256
257 <para>
258 Configuring your system to use <application>Linux-PAM</application> can
259 be a complex task. The information below will provide a basic setup so
260 that <application>Shadow</application>'s login and password
261 functionality will work effectively with
262 <application>Linux-PAM</application>. Review the information and links
263 on the <xref linkend="linux-pam"/> page for further configuration
264 information. For information specific to integrating
265 <application>Shadow</application>, <application>Linux-PAM</application>
266 and <application>CrackLib</application>, you can visit the following
267 link:
268 </para>
269
270 <itemizedlist spacing="compact">
271 <listitem>
272 <para>
273 <ulink url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/>
274 </para>
275 </listitem>
276 </itemizedlist>
277
278 <sect4 id="pam-login-defs">
279 <title>Configuring /etc/login.defs</title>
280
281 <para>
282 The <command>login</command> program currently performs many functions
283 which <application>Linux-PAM</application> modules should now handle.
284 The following <command>sed</command> command will comment out the
285 appropriate lines in <filename>/etc/login.defs</filename>, and stop
286 <command>login</command> from performing these functions (a backup
287 file named <filename>/etc/login.defs.orig</filename> is also created
288 to preserve the original file's contents). Issue the following
289 commands as the <systemitem class="username">root</systemitem> user:
290 </para>
291
292 <indexterm zone="shadow pam-login-defs">
293 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
294 </indexterm>
295
296<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
297for FUNCTION in FAIL_DELAY \
298 FAILLOG_ENAB \
299 LASTLOG_ENAB \
300 MAIL_CHECK_ENAB \
301 OBSCURE_CHECKS_ENAB \
302 PORTTIME_CHECKS_ENAB \
303 QUOTAS_ENAB \
304 CONSOLE MOTD_FILE \
305 FTMP_FILE NOLOGINS_FILE \
306 ENV_HZ PASS_MIN_LEN \
307 SU_WHEEL_ONLY \
308 CRACKLIB_DICTPATH \
309 PASS_CHANGE_TRIES \
310 PASS_ALWAYS_WARN \
311 CHFN_AUTH ENCRYPT_METHOD \
312 ENVIRON_FILE
313do
314 sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
315done</userinput></screen>
316 </sect4>
317
318 <sect4>
319 <title>Configuring the /etc/pam.d/ Files</title>
320
321 <para>
322 As mentioned previously in the <application>Linux-PAM</application>
323 instructions, <application>Linux-PAM</application> has two supported
324 methods for configuration. The commands below assume that you've
325 chosen to use a directory-based configuration, where each program has
326 its own configuration file. You can optionally use a single
327 <filename>/etc/pam.conf</filename> configuration file by using the
328 text from the files below, and supplying the program name as an
329 additional first field for each line.
330 </para>
331
332 <para>
333 As the <systemitem class="username">root</systemitem> user, replace
334 the following <application>Linux-PAM</application> configuration files
335 in the <filename class="directory">/etc/pam.d/</filename> directory
336 (or add the contents to the <filename>/etc/pam.conf</filename> file)
337 using the following commands:
338 </para>
339 </sect4>
340
341 <sect4>
342 <title>'login'</title>
343
344<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
345<literal># Begin /etc/pam.d/login
346
347# Set failure delay before next prompt to 3 seconds
348auth optional pam_faildelay.so delay=3000000
349
350# Check to make sure that the user is allowed to login
351auth requisite pam_nologin.so
352
353# Check to make sure that root is allowed to login
354# Disabled by default. You will need to create /etc/securetty
355# file for this module to function. See man 5 securetty.
356#auth required pam_securetty.so
357
358# Additional group memberships - disabled by default
359#auth optional pam_group.so
360
361# include the default auth settings
362auth include system-auth
363
364# check access for the user
365account required pam_access.so
366
367# include the default account settings
368account include system-account
369
370# Set default environment variables for the user
371session required pam_env.so
372
373# Set resource limits for the user
374session required pam_limits.so
375
376# Display date of last login - Disabled by default
377#session optional pam_lastlog.so
378
379# Display the message of the day - Disabled by default
380#session optional pam_motd.so
381
382# Check user's mail - Disabled by default
383#session optional pam_mail.so standard quiet
384
385# include the default session and password settings
386session include system-session
387password include system-password
388
389# End /etc/pam.d/login</literal>
390EOF</userinput></screen>
391 </sect4>
392
393 <sect4>
394 <title>'passwd'</title>
395
396<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
397<literal># Begin /etc/pam.d/passwd
398
399password include system-password
400
401# End /etc/pam.d/passwd</literal>
402EOF</userinput></screen>
403 </sect4>
404
405 <sect4>
406 <title>'su'</title>
407
408<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
409<literal># Begin /etc/pam.d/su
410
411# always allow root
412auth sufficient pam_rootok.so
413auth include system-auth
414
415# include the default account settings
416account include system-account
417
418# Set default environment variables for the service user
419session required pam_env.so
420
421# include system session defaults
422session include system-session
423
424# End /etc/pam.d/su</literal>
425EOF</userinput></screen>
426 </sect4>
427
428 <sect4>
429 <title>'chage'</title>
430
431<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
432<literal># Begin /etc/pam.d/chage
433
434# always allow root
435auth sufficient pam_rootok.so
436
437# include system defaults for auth account and session
438auth include system-auth
439account include system-account
440session include system-session
441
442# Always permit for authentication updates
443password required pam_permit.so
444
445# End /etc/pam.d/chage</literal>
446EOF</userinput></screen>
447 </sect4>
448
449 <sect4>
450 <title>Other common programs</title>
451 <!--<title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 'groupdel',
452 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
453 'usermod'</title>-->
454
455<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
456 groupmems groupmod newusers useradd userdel usermod
457do
458 install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
459 sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
460done</userinput></screen>
461
462 <para revision="systemd">Because the installation of
463 <application>systemd</application> is not yet complete, you will need
464 to remove the <filename>/run/nologin</filename> file before testing the
465 installation. Execute the following command as the
466 <systemitem class="username">root</systemitem> user:</para>
467
468<screen role="root" revision="systemd"><userinput>rm -f /run/nologin</userinput></screen>
469
470 <warning>
471 <para>
472 At this point, you should do a simple test to see if
473 <application>Shadow</application> is working as expected. Open
474 another terminal and log in as a user, then <command>su</command> to
475 <systemitem class="username">root</systemitem>. If you do not see
476 any errors, then all is well and you should proceed with the rest of
477 the configuration. If you did receive errors, stop now and double
478 check the above configuration files manually. You can also run the
479 test suite from the <application>Linux-PAM</application> package to
480 assist you in determining the problem. If you cannot find and fix
481 the error, you should recompile <application>Shadow</application>
482 adding the <option>--without-libpam</option> switch to the
483 <command>configure</command> command in the above instructions (also
484 move the <filename>/etc/login.defs.orig</filename> backup file to
485 <filename>/etc/login.defs</filename>). If you fail to do this and
486 the errors remain, you will be unable to log into your system.
487 </para>
488 </warning>
489 </sect4>
490
491 <sect4 id="pam-access">
492 <title>Configuring Login Access</title>
493
494 <para>
495 Instead of using the <filename>/etc/login.access</filename> file for
496 controlling access to the system, <application>Linux-PAM</application>
497 uses the <filename class='libraryfile'>pam_access.so</filename> module
498 along with the <filename>/etc/security/access.conf</filename> file.
499 Rename the <filename>/etc/login.access</filename> file using the
500 following command:
501 </para>
502
503 <indexterm zone="shadow pam-access">
504 <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
505 </indexterm>
506
507<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
508 </sect4>
509
510 <sect4 id="pam-limits">
511 <title>Configuring Resource Limits</title>
512
513 <para>
514 Instead of using the <filename>/etc/limits</filename> file for
515 limiting usage of system resources,
516 <application>Linux-PAM</application> uses the
517 <filename class='libraryfile'>pam_limits.so</filename> module along
518 with the <filename>/etc/security/limits.conf</filename> file. Rename
519 the <filename>/etc/limits</filename> file using the following command:
520 </para>
521
522 <indexterm zone="shadow pam-limits">
523 <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
524 </indexterm>
525
526<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>
527
528 <caution><para>Be sure to test the login capabilities of the system
529 before logging out. Errors in the configuration can cause a permanent
530 lockout requiring a boot from an external source to correct the
531 problem.</para></caution>
532
533 </sect4>
534 </sect3>
535
536 </sect2>
537
538 <sect2 role="content">
539 <title>Contents</title>
540
541 <para>
542 A list of the installed files, along with their short descriptions can be
543 found at
544 <phrase revision="sysv">
545 <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/></phrase>
546 <phrase revision="systemd">
547 <ulink url="&lfs-rootd;/chapter06/shadow.html#contents-shadow"/></phrase>.
548 </para>
549
550 </sect2>
551
552</sect1>
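
The warning and caution in the file above ask that logins be tested before logging out, because a broken PAM stack locks you out. As an added example (not part of the BLFS book), this POSIX shell function checks that every `include` target and every module named in the /etc/pam.d files written above actually exists; the name `pam_lint` and the module directory argument are assumptions.

```shell
#!/bin/sh
# pam_lint PAMDIR MODDIR
# Print one line per broken reference in PAMDIR/* and exit non-zero if any
# were found. MODDIR is the directory holding the pam_*.so modules; its
# location is an assumption here and must be supplied by the caller.
# The body runs in a subshell so 'set -f' and the variables stay local.
pam_lint() (
    pamdir=$1 moddir=$2 status=0

    for file in "$pamdir"/*; do
        [ -f "$file" ] || continue
        svc=${file##*/}
        while read -r line; do
            # Skip blank lines and comments.
            case $line in ''|'#'*) continue ;; esac

            # Split into fields without expanding globs in module arguments.
            set -f; set -- $line; set +f
            type=$1; shift
            control=${1-}; [ $# -gt 0 ] && shift

            # A bracketed control, e.g. [success=1 default=ignore], spans
            # several fields; join them up to the closing bracket.
            while [ $# -gt 0 ]; do
                case $control in
                    '['*']') break ;;
                    '['*)    control="$control $1"; shift ;;
                    *)       break ;;
                esac
            done
            module=${1-}

            if [ -z "$module" ]; then
                echo "$svc: malformed line: $line"; status=1
                continue
            fi
            case $control in
                include|substack)
                    # The target is another file in the same directory.
                    [ -f "$pamdir/$module" ] || {
                        echo "$svc: $type $control target '$module' is missing"
                        status=1; } ;;
                *)
                    case $module in /*) path=$module ;; *) path=$moddir/$module ;; esac
                    # A '-' prefix on the type marks a module that may be absent.
                    case $type in -*) continue ;; esac
                    [ -e "$path" ] || {
                        echo "$svc: module '$module' not found at $path"
                        status=1; } ;;
            esac
        done < "$file"
    done
    exit "$status"
)

# When run as a script with two arguments, lint that directory.
if [ "$#" -eq 2 ]; then pam_lint "$1" "$2"; fi
```

Pass the pam.d directory and your module directory as the two arguments. A clean result only shows that the references resolve, so the login and `su` test from the warning is still needed.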