source: postlfs/security/shadow.xml@ b4b71892

Last change on this file since b4b71892 was b4b71892, checked in by Bruce Dubbs <bdubbs@…>, 17 years ago

New XML Chapter 4

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2288 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
 <!ENTITY % general-entities SYSTEM "../../general.ent">
 %general-entities;
]>

<sect1 id="shadow">
<?dbhtml filename="shadow.html"?>
<title>Shadow-&shadow-version;</title>

<!--
<sect2>
<title>Configuring shadow</title>

<para>Shadow's Configuration File</para>

<para><userinput>/etc/login.defs</userinput></para>

<para>Enabling <acronym>MD</acronym>5 Passwords</para>

<para>To enable <acronym>MD</acronym>5 passwords, modify the line in the
<filename>login.defs</filename> file that reads:
<screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
to read:
<screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
Passwords created after this change will be hashed with the
<acronym>MD</acronym>5-based crypt (Message-Digest Algorithm) instead of
the traditional <acronym>DES</acronym>-based crypt, which truncates
passwords to eight characters. In both cases the value stored in
<filename>/etc/shadow</filename> is a one-way hash, not an encrypted
password.
</para>
</sect2>
-->


<sect2>
<title>Introduction to <application>Shadow</application></title>

<para>Shadow was installed in <acronym>LFS</acronym>, and there is no
reason to reinstall it unless you have since installed
<application>Linux-<acronym>PAM</acronym></application>. If you have,
rebuilding <application>Shadow</application> against it allows programs
such as <command>login</command> and <command>su</command> to authenticate
through <acronym>PAM</acronym> instead of checking
<filename>/etc/shadow</filename> directly.</para>

<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Patch to fix linking against PAM:
<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
</itemizedlist>
</sect3>

<sect3><title><application>Shadow</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="Linux_PAM"/></para></sect4>
</sect3>
</sect2>


<sect2>
<title>Installation of <application>shadow</application></title>

<para>Reinstall shadow by running the following commands:</para>

<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
 --enable-shared --with-libpam --without-libcrack &amp;&amp;
echo '#define HAVE_SETLOCALE 1' >> config.h &amp;&amp;
make &amp;&amp;
make install &amp;&amp;
mv /bin/sg /usr/bin &amp;&amp;
mv /bin/vigr /usr/sbin &amp;&amp;
rm /bin/groups &amp;&amp;
mv /usr/lib/lib{misc,shadow}.so.0* /lib &amp;&amp;
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &amp;&amp;
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>

</sect2>


<sect2>
<title>Command explanations</title>

<para><parameter>--without-libcrack</parameter>: This switch tells shadow
not to link against libcrack for password-quality checks. This is desired as
<application>Linux-<acronym>PAM</acronym></application> already provides
that check through its <filename>pam_cracklib.so</filename> module, so the
policy lives in the <acronym>PAM</acronym> stack rather than in shadow's own
tools.</para>

<!-- Leftover from older instructions????
<para><command>cp debian/securetty /etc/securetty</command>: This
command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
-->

</sect2>


<sect2>
<title>Configuring <application><acronym>PAM</acronym></application> to work
with <application>shadow</application></title>

<sect3><title>Config files</title>
<para><filename>/etc/pam.d/login</filename>,
<filename>/etc/pam.d/passwd</filename>,
<filename>/etc/pam.d/su</filename>,
<filename>/etc/pam.d/shadow</filename>,
<filename>/etc/pam.d/useradd</filename>,
<filename>/etc/pam.d/chage</filename>, and
<filename>/etc/pam.d/other</filename></para>
</sect3>

<sect3><title>Configuration Information</title>

<para>Add the following <application><acronym>PAM</acronym></application>
configuration files to <filename class="directory">/etc/pam.d</filename> (or add
their lines to <filename>/etc/pam.conf</filename>, with the service name,
e.g. <filename>login</filename>, as an additional first field on each line).
</para>
<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login

auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
account required pam_access.so
account required pam_unix.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
session required pam_unix.so

# End /etc/pam.d/login
<command>EOF
cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd

password required pam_unix.so md5 shadow

# End /etc/pam.d/passwd
<command>EOF
cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/shadow

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

# End /etc/pam.d/shadow
<command>EOF
cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/su

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so

# End /etc/pam.d/su
<command>EOF
cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/useradd

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

# End /etc/pam.d/useradd
<command>EOF
cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/chage

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

# End /etc/pam.d/chage
<command>EOF</command></userinput></screen>
<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use any
<acronym>PAM</acronym>-aware program that does not have a configuration
file of its own; any management group (auth, account, password or session)
that a service file omits is also answered by this file. After testing
<application><acronym>PAM</acronym></application> for proper
configuration, change it to the fail-closed version below, which denies
every request and has <filename>pam_warn.so</filename> log it to syslog, so
a program without its own file fails visibly instead of silently
authenticating:</para>

<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/other

auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
password required pam_deny.so
password required pam_warn.so

# End /etc/pam.d/other
<command>EOF</command></userinput></screen>

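<!-- Added example (editor's note, not part of the BLFS book): a POSIX shell
audit of the service files above and of the "other" fallback. Linux-PAM
answers any management group a service file does not mention (auth, account,
password or session) from /etc/pam.d/other, so each such gap is resolved by
whatever "other" contains: the permissive default lets the request through
for any valid account, the deny-all version above refuses it. The script
reports those gaps per service; run on the book's own files it shows that
login and su configure no password group and passwd configures nothing but
password. The $PAMD variable, the function names and the sample files the
demo writes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the BLFS book's code. Audits PAM service files for the
# management groups they leave unconfigured; those groups are handled by
# /etc/pam.d/other. $PAMD (default /etc/pam.d) and all names are assumptions.

PAMD="${PAMD:-/etc/pam.d}"

# pam_missing_groups FILE
# Print the management groups (auth account password session) that FILE does
# not configure, space separated; print an empty line if all four are present.
pam_missing_groups() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                         # comment or blank
        { type = $1; sub(/^-/, "", type); seen[type] = 1 }    # "-auth" counts as auth
        END {
            n = split("auth account password session", groups, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (!(groups[i] in seen))
                    out = out (out == "" ? "" : " ") groups[i]
            print out
        }' "$1"
}

# pam_audit_dir DIR
# One line per service file in DIR that falls through to "other" for some
# group. Exit status 1 if any such service exists, 0 otherwise.
pam_audit_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ "$name" = other ] && continue
        missing=$(pam_missing_groups "$f")
        if [ -n "$missing" ]; then
            printf '%s: %s -> handled by %s/other\n' "$name" "$missing" "$1"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed copies of the book's login and passwd stacks
# (written to a temporary directory, not to $PAMD).
pam_demo() {
    dir=$(mktemp -d)
    cat > "$dir/login" <<'EOF'
# constructed excerpt of the book's /etc/pam.d/login
auth requisite pam_securetty.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
EOF
    printf 'password required pam_unix.so md5 shadow\n' > "$dir/passwd"
    pam_audit_dir "$dir" || true
    rm -rf "$dir"
}

pam_demo
```

On a live system, pam_audit_dir "$PAMD" lists every service that would reach
"other" for some request; a non-zero exit status means at least one does, which
is the case to check before switching "other" to the deny-all file.
-->
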
<para>Finally, edit <filename>/etc/login.defs</filename> and comment out
the following settings by adding '#' to the beginning of each line:</para>
<screen>LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE</screen>

<para>This stops <command>login</command> from performing these functions
itself, as they are now performed by the <acronym>PAM</acronym> modules
configured above (<filename>pam_securetty.so</filename> for CONSOLE,
<filename>pam_lastlog.so</filename> for LASTLOG_ENAB,
<filename>pam_motd.so</filename> for MOTD_FILE,
<filename>pam_nologin.so</filename> for NOLOGINS_FILE,
<filename>pam_mail.so</filename> for MAIL_CHECK_ENAB,
<filename>pam_env.so</filename> for ENVIRON_FILE, and the
<parameter>md5</parameter> option of <filename>pam_unix.so</filename> for
MD5_CRYPT_ENAB). Note that <filename>/etc/pam.d/su</filename> above contains
no <filename>pam_wheel.so</filename> line, so once SU_WHEEL_ONLY is
commented out nothing restricts <command>su</command> to the wheel group;
add <userinput>auth required pam_wheel.so</userinput> to that file if that
policy is wanted.</para>
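
<!-- Added example (editor's note, not part of the BLFS book): a POSIX shell
helper that performs the login.defs edit above idempotently and reports any
listed key still active. A bare prefix substitution such as s/^CONSOLE/#CONSOLE/
would comment out every key starting with that string (CONSOLE also matches
CONSOLE_GROUPS), so the match here requires whitespace or end of line after the
key, and lines already commented out are skipped so a second run changes
nothing. The file is passed as an argument (the real one is /etc/login.defs);
the demo runs on a constructed excerpt. Function and variable names are
assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the BLFS book's code. Comments out the login.defs keys the
# book lists and verifies the result; FILE is an argument so it can be run on a
# copy. All names below are assumptions made for this example.

LOGIN_DEFS_PAM_KEYS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE
NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS ENVIRON_FILE"

# logindefs_active FILE KEY
# True if FILE still has an uncommented line for KEY. The key must be followed
# by whitespace or end of line, so CONSOLE does not match CONSOLE_GROUPS.
logindefs_active() {
    grep -Eq "^$2([[:space:]]|\$)" "$1"
}

# logindefs_disable FILE KEY...
# Prefix each active "KEY value" line with '#'. Lines already commented out and
# unrelated keys are left alone, so running it twice is a no-op.
logindefs_disable() {
    file=$1; shift
    for key in "$@"; do
        logindefs_active "$file" "$key" || continue
        sed -e "s/^\($key[[:space:]]\)/#\1/" -e "s/^$key\$/#$key/" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    done
}

# logindefs_still_active FILE KEY...
# Print the keys from the list that remain active (nothing if all are disabled).
logindefs_still_active() {
    file=$1; shift
    for key in "$@"; do
        logindefs_active "$file" "$key" && printf '%s\n' "$key"
    done
    return 0
}

# Demo on a constructed excerpt of /etc/login.defs written to a temporary file.
logindefs_demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed excerpt of /etc/login.defs
LASTLOG_ENAB        yes
CONSOLE             /etc/securetty
CONSOLE_GROUPS      floppy:audio:cdrom
#MD5_CRYPT_ENAB     no
PASS_MAX_DAYS       99999
UMASK               022
EOF
    logindefs_disable "$f" $LOGIN_DEFS_PAM_KEYS
    echo "still active from the list: $(logindefs_still_active "$f" $LOGIN_DEFS_PAM_KEYS | tr '\n' ' ')"
    cat "$f"
    rm -f "$f"
}

logindefs_demo
```

Run logindefs_disable /etc/login.defs $LOGIN_DEFS_PAM_KEYS as root after
backing the file up; logindefs_still_active with the same arguments should then
print nothing, confirming all eleven keys are commented out while unrelated
settings such as PASS_MAX_DAYS and UMASK are untouched.
-->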

</sect3>

</sect2>

</sect1>