Context Navigation

shadow.xml@ a0f03b0

Visit:

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since a0f03b0 was a0f03b0, checked in by Archaic <archaic@…>, 20 years ago

Inserting sect1info

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2591 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 8.0 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6	]>
7
8	<sect1 id="shadow">
9	<sect1info>
10	<othername>$LastChangedBy: $</othername>
11	<date>$Date: $</date>
12	</sect1info>
13	<?dbhtml filename="shadow.html"?>
14	<title>Shadow-&shadow-version;</title>
15
16	<!--
17	<sect2>
18	<title>Configuring shadow</title>
19
20	<para>Shadow's Configuration File</para>
21
22	<para><userinput>/etc/login.defs</userinput></para>
23
24	<para>Enabling <acronym>MD</acronym>5 Passwords</para>
25
26	<para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
27	<filename>login.defs</filename> file that reads:
28	<screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
29	to read:
30	<screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
31	Passwords created after this change will be encrypted using
32	<acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
33	<acronym>DES</acronym> encryption.
34	</para>
35	</sect2>
36	-->
37
38	<sect2>
39	<title>Introduction to <application>Shadow</application></title>
40
41	<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
42	no reason to reinstall it unless you installed
43	<application>Linux-<acronym>PAM</acronym></application>. If you did,
44	this will allow programs like <command>login</command> and
45	<command>su</command> to utilize
46	<acronym>PAM</acronym>.</para>
47
48	<sect3><title>Additional downloads</title>
49	<itemizedlist spacing='compact'>
50	<listitem><para>Patch to fix linking against PAM:
51	<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
52	</itemizedlist>
53	</sect3>
54
55	<sect3><title><application>Shadow</application> dependencies</title>
56	<sect4><title>Required</title>
57	<para><xref linkend="Linux_PAM"/></para></sect4>
58	</sect3>
59	</sect2>
60
61	<sect2>
62	<title>Installation of <application>Shadow</application></title>
63
64	<para>Reinstall <application>Shadow</application> by running the following
65	commands:</para>
66
67	<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &&
68	LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
69	--enable-shared --with-libpam --without-libcrack &&
70	echo '#define HAVE_SETLOCALE 1' >> config.h &&
71	sed -i '/extern char/d' libmisc/xmalloc.c &&
72	make &&
73	make install &&
74	mv /bin/sg /usr/bin &&
75	mv /bin/vigr /usr/sbin &&
76	mv /usr/bin/passwd /bin &&
77	rm /bin/groups &&
78	mv /usr/lib/lib{misc,shadow}.so.0* /lib &&
79	ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
80	ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
81
82	</sect2>
83
84	<sect2>
85	<title>Command explanations</title>
86
87	<para><parameter>--without-libcrack</parameter>: This switch tells
88	<application>Shadow</application> not to use
89	<filename class='libraryfile'>libcrack</filename>. This is desired as
90	<application>Linux-<acronym>PAM</acronym></application> already contains
91	<filename class='libraryfile'>libcrack</filename>.</para>
92
93	<para><command>sed -i '/extern char/d' libmisc/xmalloc.c</command>: This
94	fixes a compilation problem when using <application>GCC</application>-3.4.x.
95	</para>
96
97	<!-- Leftover from older instructions????
98	<para><command>cp debian/securetty /etc/securetty</command>: This
99	command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
100	-->
101
102	</sect2>
103
104	<sect2>
105	<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to work
106	with <application>Shadow</application></title>
107
108	<sect3><title>Config files</title>
109	<para><filename>/etc/pam.d/login</filename>,
110	<filename>/etc/pam.d/passwd</filename>,
111	<filename>/etc/pam.d/su</filename>,
112	<filename>/etc/pam.d/shadow</filename>,
113	<filename>/etc/pam.d/useradd</filename>, and
114	<filename>/etc/pam.d/chage</filename> –
115	alternatively, <filename>/etc/pam.conf</filename></para>
116	</sect3>
117
118	<sect3><title>Configuration Information</title>
119
120	<para>Add the following <application>Linux-<acronym>PAM</acronym></application>
121	configuration files to <filename class="directory">/etc/pam.d/</filename> (or
122	add them to <filename>/etc/pam.conf</filename> with the additional field for
123	the program).</para>
124
125	<screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command>
126	# Begin /etc/pam.d/login
127
128	auth requisite pam_securetty.so
129	auth requisite pam_nologin.so
130	auth required pam_env.so
131	auth required pam_unix.so
132	account required pam_access.so
133	account required pam_unix.so
134	session required pam_motd.so
135	session required pam_limits.so
136	session optional pam_mail.so dir=/var/mail standard
137	session optional pam_lastlog.so
138	session required pam_unix.so
139
140	# End /etc/pam.d/login
141	<command>EOF
142	cat > /etc/pam.d/passwd << "EOF"</command>
143	# Begin /etc/pam.d/passwd
144
145	password required pam_unix.so md5 shadow
146
147	# End /etc/pam.d/passwd
148	<command>EOF
149	cat > /etc/pam.d/shadow << "EOF"</command>
150	# Begin /etc/pam.d/shadow
151
152	auth sufficient pam_rootok.so
153	auth required pam_unix.so
154	account required pam_unix.so
155	session required pam_unix.so
156	password required pam_permit.so
157
158	# End /etc/pam.d/shadow
159	<command>EOF
160	cat > /etc/pam.d/su << "EOF"</command>
161	# Begin /etc/pam.d/su
162
163	auth sufficient pam_rootok.so
164	auth required pam_unix.so
165	account required pam_unix.so
166	session required pam_unix.so
167
168	# End /etc/pam.d/su
169	<command>EOF
170	cat > /etc/pam.d/useradd << "EOF"</command>
171	# Begin /etc/pam.d/useradd
172
173	auth sufficient pam_rootok.so
174	auth required pam_unix.so
175	account required pam_unix.so
176	session required pam_unix.so
177	password required pam_permit.so
178
179	# End /etc/pam.d/useradd
180	<command>EOF
181	cat > /etc/pam.d/chage << "EOF"</command>
182	# Begin /etc/pam.d/chage
183
184	auth sufficient pam_rootok.so
185	auth required pam_unix.so
186	account required pam_unix.so
187	session required pam_unix.so
188	password required pam_permit.so
189
190	# End /etc/pam.d/chage
191	<command>EOF</command></userinput></screen>
192
193	<note><para>If you've installed <application>cracklib</application>, replace
194	<filename>/etc/pam.d/passwd</filename> with the following:</para></note>
195	<screen><userinput><command>cat > /etc/pam.d/passwd << "EOF"</command>
196	# Begin /etc/pam.d/passwd
197
198	password required pam_cracklib.so \
199	retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
200	password required pam_unix.so md5 shadow use_authtok
201
202	# End /etc/pam.d/passwd
203	<command>EOF</command></userinput></screen>
204
205	<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
206	allow anyone with an account on the machine to use programs
207	that do not specifically have a configuration file of their own. After
208	testing <application>Linux-<acronym>PAM</acronym></application> for proper
209	configuration, it can be changed to the following:</para>
210
211	<screen><userinput><command>cat > /etc/pam.d/other << "EOF"</command>
212	# Begin /etc/pam.d/other
213
214	auth required pam_deny.so
215	auth required pam_warn.so
216	account required pam_deny.so
217	session required pam_deny.so
218	password required pam_deny.so
219	password required pam_warn.so
220
221	# End /etc/pam.d/other
222	<command>EOF</command></userinput></screen>
223
224	<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
225	to the beginning of the following lines:</para>
226	<screen>LASTLOG_ENAB
227	MAIL_CHECK_ENAB
228	PORTTIME_CHECKS_ENAB
229	CONSOLE
230	MOTD_FILE
231	NOLOGINS_FILE
232	PASS_MIN_LEN
233	SU_WHEEL_ONLY
234	MD5_CRYPT_ENAB
235	CONSOLE_GROUPS
236	ENVIRON_FILE</screen>
237
238	<para>This stops <command>login</command> from performing these functions, as
239	they will now be performed by <acronym>PAM</acronym> modules. Additionally,
240	add a '#' to the beginning of the following lines if you've installed
241	<application>cracklib</application>:</para>
242	<screen>OBSCURE_CHECKS_ENAB
243	CRACKLIB_DICTPATH
244	PASS_CHANGE_TRIES
245	PASS_ALWAYS_WARN</screen>
246
247	</sect3>
248
249	</sect2>
250
251	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/shadow.xml@ a0f03b0

Download in other formats: