source: postlfs/security/shadow.xml@ 922e013

Last change on this file since 922e013 was 922e013, checked in by Bruce Dubbs <bdubbs@…>, 2 years ago

Package Updates.
Update to iso-codes-4.8.0.
Update to libgsf-1.14.48.
Update to shadow-4.10.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/v&shadow-version;/shadow-&shadow-version;.tar.xz">
  <!ENTITY shadow-download-ftp " ">
  <!ENTITY shadow-md5sum "3a7936a9d0834243816fe0977c3b956e">
  <!ENTITY shadow-size "1.6 MB">
  <!ENTITY shadow-buildsize "38 MB">
  <!ENTITY shadow-time "0.2 SBU">
]>

<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
  <?dbhtml filename="shadow.html"?>

  <sect1info>
    <date>$Date$</date>
  </sect1info>

  <title>Shadow-&shadow-version;</title>

  <indexterm zone="shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Shadow</title>

    <para>
      <application>Shadow</application> was indeed installed in LFS and there is
      no reason to reinstall it unless you installed
      <application>CrackLib</application> or
      <application>Linux-PAM</application> after your LFS system was completed.
      If you have installed <application>CrackLib</application> after LFS, then
      reinstalling <application>Shadow</application> will enable strong password
      support. If you have installed <application>Linux-PAM</application>,
      reinstalling <application>Shadow</application> will allow programs such as
      <command>login</command> and <command>su</command> to utilize PAM.
    </para>

    &lfs110a_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&shadow-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&shadow-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &shadow-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &shadow-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &shadow-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &shadow-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Required patch:
          <ulink url="&patch-root;/shadow-&shadow-version;-useradd_segfault-1.patch"/>
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="linux-pam"/> or
      <xref role="nodep" linkend="cracklib"/>
    </para>

    <para condition="html" role="usernotes">
      User Notes: <ulink url="&blfs-wiki;/shadow"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Shadow</title>

    <important>
      <para>
        The installation commands shown below are for installations where
        <application>Linux-PAM</application> has been installed and
        <application>Shadow</application> is being reinstalled to support the
        <application>Linux-PAM</application> installation.
      </para>

      <para>
        If you are reinstalling <application>Shadow</application> to provide
        strong password support using the <application>CrackLib</application>
        library without using <application>Linux-PAM</application>, ensure you
        add the <parameter>--with-libcrack</parameter> parameter to the
        <command>configure</command> script below and also issue the following
        command:
      </para>

<screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
    </important>

    <para>
      Reinstall <application>Shadow</application> by running the following
      commands:
    </para>

<screen><userinput>patch -Np1 -i ../shadow-&shadow-version;-useradd_segfault-1.patch &amp;&amp;

sed -i "224s/rounds/min_rounds/" libmisc/salt.c &amp;&amp;
sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;

find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; &amp;&amp;

sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
    -e 's@/var/spool/mail@/var/mail@' \
    -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
    -i etc/login.defs &amp;&amp;

./configure --sysconfdir=/etc \
            --with-group-name-max-length=32 &amp;&amp;
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make exec_prefix=/usr install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
      is used to suppress the installation of the <command>groups</command>
      program as the version from the <application>Coreutils</application>
      package installed during LFS is preferred.
    </para>

    <para>
      <command>find man -name Makefile.in -exec ... {} \;</command>: These
      commands are used to suppress the installation of the
      <filename>groups.1</filename>, <filename>getspnam.3</filename> and
      <filename>passwd.5</filename> man pages so the existing ones installed
      from the <application>Coreutils</application> and
      <application>Man-pages</application> packages are not replaced.
    </para>

    <para>
      <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
      's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
      -i etc/login.defs</command>: Instead of using
      the default 'DES' method, this command modifies the installation to use
      the more secure 'SHA512' method of hashing passwords, which also allows
      passwords longer than eight characters. It also changes the obsolete
      <filename class="directory">/var/spool/mail</filename> location for user
      mailboxes that <application>Shadow</application> uses by default to the
      <filename class="directory">/var/mail</filename> location. It also
      changes the default path to be consistent with that set in LFS.
    </para>
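
    <para>
      The following script is an added example; it is not part of this book
      or of the <application>Shadow</application> package, and the function
      names <command>hash_type</command>, <command>audit_shadow</command> and
      <command>sample_shadow</command> are its own. Changing
      <literal>ENCRYPT_METHOD</literal> only affects passwords set from now on,
      so the script classifies the password field of every entry in a
      shadow(5)-format file by its crypt(3) prefix and reports any account that
      still carries a DES hash (13 characters, no prefix, at most eight
      significant characters of password), an MD5 hash, or an empty field. It
      runs against a constructed sample whose user names and hash strings are
      made up; on a real system run it as the
      <systemitem class="username">root</systemitem> user against
      <filename>/etc/shadow</filename>.
    </para>

<![CDATA[
```sh
#!/bin/sh
# Added example, not part of the BLFS book or of Shadow: report which crypt(3)
# scheme each entry of a shadow(5)-format file uses. The sample data below is
# constructed (made-up user names and hash strings); on a real system run
# "audit_shadow /etc/shadow" as root.

# hash_type FIELD: print the scheme name for one shadow password field.
hash_type() {
  case "$1" in
    '')                       echo empty    ;;  # no password required at all
    '!'*|'*'*)                echo locked   ;;  # locked, or never set
    '$6$'*)                   echo sha512   ;;  # what ENCRYPT_METHOD SHA512 produces
    '$5$'*)                   echo sha256   ;;
    '$y$'*|'$7$'*)            echo yescrypt ;;
    '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt   ;;
    '$1$'*)                   echo md5      ;;
    *)
      # Traditional DES crypt: exactly 13 characters, no "$id$" prefix, and
      # only the first eight characters of the password are used.
      if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
  esac
}

# audit_shadow FILE: print "user scheme" for every entry. Returns 1 if any
# entry has an empty, DES or MD5 password field, 0 otherwise.
audit_shadow() {
  rc=0
  while IFS=: read -r user hash _rest; do
    [ -n "$user" ] || continue
    scheme=$(hash_type "$hash")
    echo "$user $scheme"
    case $scheme in
      empty|des|md5) rc=1 ;;
    esac
  done < "$1"
  return $rc
}

# sample_shadow: write a constructed shadow file to a temporary path and
# print that path. Only root has a SHA512 hash; the others are the cases
# the audit is meant to catch.
sample_shadow() {
  f=$(mktemp)
  cat > "$f" << 'EOF'
root:$6$Tg8Kz1QyWq3eXbLm$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmn:19000:0:99999:7:::
alice:$1$Tg8Kz1Qy$0123456789abcdefghijklm:19000:0:99999:7:::
bob:Tg8Kz1QyWq3eX:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
  echo "$f"
}

# Stand-alone run over the constructed sample: prints root sha512, alice md5,
# bob des, svc locked, guest empty, then reports that weak entries exist.
if audit_shadow "$(sample_shadow)"; then
  echo "no empty, DES or MD5 password fields"
else
  echo "empty, DES or MD5 password fields present"
fi
```
]]>

    <para>
      A locked entry (a field beginning with <literal>!</literal> or
      <literal>*</literal>) is listed but not counted as a finding. An empty
      field is counted, because unless the PAM configuration forbids it, no
      password is required to log in as that user. Accounts reported as
      <literal>des</literal> or <literal>md5</literal> keep their old hash
      until the password is changed with <command>passwd</command>.
    </para>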

    <para>
      <command>sed ... libmisc/salt.c</command>: Fixes an error, found after
      the package was released, in the code that selects the number of
      password hashing rounds.
    </para>

    <para>
      <parameter>--with-group-name-max-length=32</parameter>: The maximum
      user name is 32 characters. Make the maximum group name the same.
    </para>

    <para>
      <parameter>--without-su</parameter>: This parameter is not used in the
      <command>configure</command> command above; if you add it,
      <command>su</command> is not reinstalled. Upstream recommends using the
      <command>su</command> command from <xref linkend='util-linux'/>
      when <application>Linux-PAM</application> is available.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Shadow</title>

    <para>
      <application>Shadow</application>'s stock configuration for the
      <command>useradd</command> utility may not be desirable for your
      installation. One default parameter causes <command>useradd</command> to
      create a mailbox file for any newly created user.
      <command>useradd</command> will make the group ownership of this file to
      the <systemitem class="groupname">mail</systemitem> group with 0660
      permissions. If you would prefer that these mailbox files are not created
      by <command>useradd</command>, issue the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd</userinput></screen>
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Linux-PAM to Work with Shadow</title>

    <note>
      <para>
        The rest of this page is devoted to configuring
        <application>Shadow</application> to work properly with
        <application>Linux-PAM</application>. If you do not have
        <application>Linux-PAM</application> installed, and you reinstalled
        <application>Shadow</application> to support strong passwords via the
        <application>CrackLib</application> library, no further configuration is
        required.
      </para>
    </note>

    <sect3 id="pam.d">
      <title>Config Files</title>

      <para>
        <filename>/etc/pam.d/*</filename> or alternatively
        <filename>/etc/pam.conf</filename>,
        <filename>/etc/login.defs</filename> and
        <filename>/etc/security/*</filename>
      </para>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-security">/etc/security/*</primary>
      </indexterm>
    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        Configuring your system to use <application>Linux-PAM</application> can
        be a complex task. The information below will provide a basic setup so
        that <application>Shadow</application>'s login and password
        functionality will work effectively with
        <application>Linux-PAM</application>. Review the information and links
        on the <xref linkend="linux-pam"/> page for further configuration
        information. For information specific to integrating
        <application>Shadow</application>, <application>Linux-PAM</application>
        and <application>libpwquality</application>, you can visit the
        following link:
      </para>

      <itemizedlist spacing="compact">
        <listitem>
          <!-- New URL for the below link, according to its author. -->
          <para>
            <ulink url="http://www.deer-run.com/~hal/linux_passwords_pam.html"/>
          </para>
        </listitem>
      </itemizedlist>

      <sect4 id="pam-login-defs">
        <title>Configuring /etc/login.defs</title>

        <para>
          The <command>login</command> program currently performs many functions
          which <application>Linux-PAM</application> modules should now handle.
          The following <command>sed</command> command will comment out the
          appropriate lines in <filename>/etc/login.defs</filename>, and stop
          <command>login</command> from performing these functions (a backup
          file named <filename>/etc/login.defs.orig</filename> is also created
          to preserve the original file's contents). Issue the following
          commands as the <systemitem class="username">root</systemitem> user:
        </para>

        <indexterm zone="shadow pam-login-defs">
          <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
        </indexterm>

<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
for FUNCTION in FAIL_DELAY               \
                FAILLOG_ENAB             \
                LASTLOG_ENAB             \
                MAIL_CHECK_ENAB          \
                OBSCURE_CHECKS_ENAB      \
                PORTTIME_CHECKS_ENAB     \
                QUOTAS_ENAB              \
                CONSOLE MOTD_FILE        \
                FTMP_FILE NOLOGINS_FILE  \
                ENV_HZ PASS_MIN_LEN      \
                SU_WHEEL_ONLY            \
                CRACKLIB_DICTPATH        \
                PASS_CHANGE_TRIES        \
                PASS_ALWAYS_WARN         \
                CHFN_AUTH ENCRYPT_METHOD \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
done</userinput></screen>
      </sect4>

      <sect4>
        <title>Configuring the /etc/pam.d/ Files</title>

        <para>
          As mentioned previously in the <application>Linux-PAM</application>
          instructions, <application>Linux-PAM</application> has two supported
          methods for configuration. The commands below assume that you've
          chosen to use a directory based configuration, where each program has
          its own configuration file. You can optionally use a single
          <filename>/etc/pam.conf</filename> configuration file by using the
          text from the files below, and supplying the program name as an
          additional first field for each line.
        </para>

        <para>
          As the <systemitem class="username">root</systemitem> user, create
          the following <application>Linux-PAM</application> configuration files
          in the <filename class="directory">/etc/pam.d/</filename> directory
          (or add the contents to the <filename>/etc/pam.conf</filename> file)
          using the following commands:
        </para>
      </sect4>

      <sect4>
        <title>'login'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth     required    pam_securetty.so

# Additional group memberships - disabled by default
#auth     optional    pam_group.so

# include system auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include system account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display date of last login - Disabled by default
#session  optional    pam_lastlog.so

# Display the message of the day - Disabled by default
#session  optional    pam_motd.so

# Check user's mail - Disabled by default
#session  optional    pam_mail.so      standard quiet

# include system session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'passwd'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'su'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so

# Allow users in the wheel group to execute su without a password
# disabled by default
#auth     sufficient  pam_wheel.so trust use_uid

# include system auth settings
auth      include     system-auth

# limit su to users in the wheel group
auth      required    pam_wheel.so use_uid

# include system account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session settings
session   include     system-session

# End /etc/pam.d/su</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'chage'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system auth, account, and session settings
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required    pam_permit.so

# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>Other common programs</title>
        <!--<title>'chfn', 'chgpasswd', 'chpasswd', 'chsh', 'groupadd', 'groupdel',
        'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
        'usermod'</title>-->

<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done</userinput></screen>

        <warning>
          <para>
            At this point, you should do a simple test to see if
            <application>Shadow</application> is working as expected. Open
            another terminal and log in as
            <systemitem class="username">root</systemitem>, and then run
            <command>login</command> and log in as another user. If you do
            not see any errors, then all is well and you should proceed with
            the rest of the configuration. If you did receive errors, stop
            now and double check the above configuration files manually.
            Any error indicates a mistake in the above procedure.
            You can also run the
            test suite from the <application>Linux-PAM</application> package
            to assist you in determining the problem. If you cannot find and
            fix the error, you should recompile
            <application>Shadow</application> adding the
            <option>--without-libpam</option> switch to the
            <command>configure</command> command in the above instructions
            (also move the <filename>/etc/login.defs.orig</filename> backup
            file to <filename>/etc/login.defs</filename>). If you fail to do
            this and the errors remain, you will be unable to log into your
            system.
          </para>
        </warning>
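
        <para>
          The following script is an added example; it is not part of this
          book or of the <application>Linux-PAM</application> or
          <application>Shadow</application> packages, and the function names
          <command>check_pamd</command> and <command>sample_pamd</command> are
          its own. Before logging out, it catches two slips that leave a
          service without the configuration its header names: a heredoc
          written to the wrong file, and an <literal>include</literal> of a
          <filename>system-*</filename> stack that does not exist. It also
          checks that the <filename>su</filename> service still restricts
          <command>su</command> to the
          <systemitem class="groupname">wheel</systemitem> group. It runs
          against a constructed copy of the files so that it works offline;
          point it at <filename class="directory">/etc/pam.d</filename> to
          check a live system.
        </para>

<![CDATA[
```sh
#!/bin/sh
# Added example, not part of the BLFS book or of Linux-PAM: sanity-check a
# directory of PAM service files before logging out. It runs here against
# constructed copies of the files; use "check_pamd /etc/pam.d" on a real
# system.

# check_pamd DIR: print one line per problem found and return 1 if there
# were any, 0 otherwise. Checked:
#   - the "# Begin /etc/pam.d/NAME" header names the file it is in (a
#     heredoc written to the wrong path leaves the intended service with
#     no configuration at all);
#   - every "TYPE include STACK" line names a file that exists in DIR;
#   - the su service keeps "auth required pam_wheel.so", so that su
#     stays limited to the wheel group.
check_pamd() {
  dir=$1
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=${f##*/}
    hdr=$(sed -n 's|^# Begin /etc/pam\.d/||p' "$f" | head -n 1)
    if [ -n "$hdr" ] && [ "$hdr" != "$name" ]; then
      echo "$name: header says it is $hdr"
      rc=1
    fi
    # Comment lines are skipped so that "# include system auth settings"
    # is not mistaken for a directive.
    for inc in $(awk '/^[[:space:]]*#/ { next } $2 == "include" { print $3 }' "$f"); do
      if [ ! -f "$dir/$inc" ]; then
        echo "$name: includes $inc, which does not exist"
        rc=1
      fi
    done
  done
  if [ -f "$dir/su" ] && ! grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$dir/su"; then
    echo "su: no 'auth required pam_wheel.so' line, su is not limited to wheel"
    rc=1
  fi
  return $rc
}

# sample_pamd MODE: create a constructed pam.d tree in a temporary directory
# and print its path. "good" mirrors the files above; "bad" reproduces a
# copy-and-paste slip: the su stack saved under the name "chage", with one
# include misspelt.
sample_pamd() {
  d=$(mktemp -d)
  for stack in system-auth system-account system-session system-password; do
    printf '# placeholder %s stack\n' "$stack" > "$d/$stack"
  done
  cat > "$d/login" << 'EOF'
# Begin /etc/pam.d/login
auth      include     system-auth
account   include     system-account
session   include     system-session
password  include     system-password
# End /etc/pam.d/login
EOF
  if [ "$1" = good ]; then
    cat > "$d/su" << 'EOF'
# Begin /etc/pam.d/su
auth      sufficient  pam_rootok.so
auth      include     system-auth
auth      required    pam_wheel.so use_uid
account   include     system-account
session   include     system-session
# End /etc/pam.d/su
EOF
  else
    cat > "$d/chage" << 'EOF'
# Begin /etc/pam.d/su
auth      sufficient  pam_rootok.so
auth      include     system-auth
account   include     system-account
session   include     system-sesion
# End /etc/pam.d/su
EOF
  fi
  echo "$d"
}

# Stand-alone run: the "bad" tree yields two findings, the "good" tree none.
if ! check_pamd "$(sample_pamd bad)"; then echo "problems found in the bad tree"; fi
if check_pamd "$(sample_pamd good)"; then echo "good tree is consistent"; fi
```
]]>

        <para>
          The script only reads the files, so it is safe to run repeatedly
          while you edit. A header that names a different service is exactly
          what a <command>cat &gt; /etc/pam.d/...</command> command pasted
          under the wrong file name produces, and the service that was
          skipped then has no configuration of its own.
        </para>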
      </sect4>

      <sect4 id="pam-access">
        <title>Configuring Login Access</title>

        <para>
          Instead of using the <filename>/etc/login.access</filename> file for
          controlling access to the system, <application>Linux-PAM</application>
          uses the <filename class='libraryfile'>pam_access.so</filename> module
          along with the <filename>/etc/security/access.conf</filename> file.
          Rename the <filename>/etc/login.access</filename> file using the
          following command:
        </para>

        <indexterm zone="shadow pam-access">
          <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
      </sect4>

      <sect4 id="pam-limits">
        <title>Configuring Resource Limits</title>

        <para>
          Instead of using the <filename>/etc/limits</filename> file for
          limiting usage of system resources,
          <application>Linux-PAM</application> uses the
          <filename class='libraryfile'>pam_limits.so</filename> module along
          with the <filename>/etc/security/limits.conf</filename> file. Rename
          the <filename>/etc/limits</filename> file using the following command:
        </para>

        <indexterm zone="shadow pam-limits">
          <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>

        <caution>
          <para>
            Be sure to test the login capabilities of the system before logging
            out. Errors in the configuration can cause a permanent
            lockout requiring a boot from an external source to correct the
            problem.
          </para>
        </caution>

      </sect4>
    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <para>
      A list of the installed files, along with their short descriptions can be
      found at
      <ulink url="&lfs-root;/chapter08/shadow.html#contents-shadow"/>.
    </para>

  </sect2>

</sect1>