Context Navigation

shadow.xml@ cf43c83

Visit:

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since cf43c83 was b4b71892, checked in by Bruce Dubbs <bdubbs@…>, 20 years ago

New XML Chapter 4

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2288 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 6.8 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6	]>
7
8	<sect1 id="shadow">
9	<?dbhtml filename="shadow.html"?>
10	<title>Shadow-&shadow-version;</title>
11
12	<!--
13	<sect2>
14	<title>Configuring shadow</title>
15
16	<para>Shadow's Configuration File</para>
17
18	<para><userinput>/etc/login.defs</userinput></para>
19
20	<para>Enabling <acronym>MD</acronym>5 Passwords</para>
21
22	<para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
23	<filename>login.defs</filename> file that reads:
24	<screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
25	to read:
26	<screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
27	Passwords created after this change will be encrypted using
28	<acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
29	<acronym>DES</acronym> encryption.
30	</para>
31	</sect2>
32	-->
33
34
35	<sect2>
36	<title>Introduction to <application>Shadow</application></title>
37
38	<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
39	no reason to reinstall it unless you installed
40	<application>Linux-<acronym>PAM</acronym></application>. If you did,
41	this will allow programs like <command>login</command> and
42	<command>su</command> to utilize
43	<acronym>PAM</acronym>.</para>
44
45	<sect3><title>Additional downloads</title>
46	<itemizedlist spacing='compact'>
47	<listitem><para>Patch to fix linking against PAM:
48	<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
49	</itemizedlist>
50	</sect3>
51
52	<sect3><title><application>Shadow</application> dependencies</title>
53	<sect4><title>Required</title>
54	<para><xref linkend="Linux_PAM"/></para></sect4>
55	</sect3>
56	</sect2>
57
58
59	<sect2>
60	<title>Installation of <application>shadow</application></title>
61
62	<para>Reinstall shadow by running the following commands:</para>
63
64	<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &&
65	LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
66	--enable-shared --with-libpam --without-libcrack &&
67	echo '#define HAVE_SETLOCALE 1' >> config.h &&
68	make &&
69	make install &&
70	mv /bin/sg /usr/bin &&
71	mv /bin/vigr /usr/sbin &&
72	rm /bin/groups &&
73	mv /usr/lib/lib{misc,shadow}.so.0* /lib &&
74	ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
75	ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
76
77	</sect2>
78
79
80	<sect2>
81	<title>Command explanations</title>
82
83	<para><parameter>--without-libcrack</parameter>: This switch tells shadow
84	not to use libcrack. This is desired as
85	<application>Linux-<acronym>PAM</acronym></application> already
86	contains libcrack.</para>
87
88	<!-- Leftover from older instructions????
89	<para><command>cp debian/securetty /etc/securetty</command>: This
90	command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
91	-->
92
93	</sect2>
94
95
96	<sect2>
97	<title>Configuring <application><acronym>PAM</acronym></application> to work
98	with <application>shadow</application></title>
99
100	<sect3><title>Config files</title>
101	<para><filename>/etc/pam.d/login</filename>,
102	<filename>/etc/pam.d/passwd</filename>,
103	<filename>/etc/pam.d/su</filename>,
104	<filename>/etc/pam.d/shadow</filename>, and
105	<filename>/etc/pam.d/useradd</filename></para>
106	</sect3>
107
108	<sect3><title>Configuration Information</title>
109
110	<para>Add the following <application><acronym>PAM</acronym></application>
111	configuration files to <filename class="directory">/etc/pam.d</filename> (or add them to
112	<filename>/etc/pam.conf</filename> with the additional field for the program).
113	</para>
114	<screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command>
115	# Begin /etc/pam.d/login
116
117	auth requisite pam_securetty.so
118	auth requisite pam_nologin.so
119	auth required pam_env.so
120	auth required pam_unix.so
121	account required pam_access.so
122	account required pam_unix.so
123	session required pam_motd.so
124	session required pam_limits.so
125	session optional pam_mail.so dir=/var/mail standard
126	session optional pam_lastlog.so
127	session required pam_unix.so
128
129	# End /etc/pam.d/login
130	<command>EOF
131	cat > /etc/pam.d/passwd << "EOF"</command>
132	# Begin /etc/pam.d/passwd
133
134	password required pam_unix.so md5 shadow
135
136	# End /etc/pam.d/passwd
137	<command>EOF
138	cat > /etc/pam.d/shadow << "EOF"</command>
139	# Begin /etc/pam.d/shadow
140
141	auth sufficient pam_rootok.so
142	auth required pam_unix.so
143	account required pam_unix.so
144	session required pam_unix.so
145	password required pam_permit.so
146
147	# End /etc/pam.d/shadow
148	<command>EOF
149	cat > /etc/pam.d/su << "EOF"</command>
150	# Begin /etc/pam.d/su
151
152	auth sufficient pam_rootok.so
153	auth required pam_unix.so
154	account required pam_unix.so
155	session required pam_unix.so
156
157	# End /etc/pam.d/su
158	<command>EOF
159	cat > /etc/pam.d/useradd << "EOF"</command>
160	# Begin /etc/pam.d/useradd
161
162	auth sufficient pam_rootok.so
163	auth required pam_unix.so
164	account required pam_unix.so
165	session required pam_unix.so
166	password required pam_permit.so
167
168	# End /etc/pam.d/useradd
169	<command>EOF
170	cat > /etc/pam.d/chage << "EOF"</command>
171	# Begin /etc/pam.d/chage
172
173	auth sufficient pam_rootok.so
174	auth required pam_unix.so
175	account required pam_unix.so
176	session required pam_unix.so
177	password required pam_permit.so
178
179	# End /etc/pam.d/chage
180	<command>EOF</command></userinput></screen>
181
182	<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
183	allow anyone with an account on the machine to use programs
184	that do not specifically have a configuration file of their own. After
185	testing <application><acronym>PAM</acronym></application> for proper
186	configuration, it can be changed to the following:</para>
187
188	<screen><userinput><command>cat > /etc/pam.d/other << "EOF"</command>
189	# Begin /etc/pam.d/other
190
191	auth required pam_deny.so
192	auth required pam_warn.so
193	account required pam_deny.so
194	session required pam_deny.so
195	password required pam_deny.so
196	password required pam_warn.so
197
198	# End /etc/pam.d/other
199	<command>EOF</command></userinput></screen>
200
201	<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
202	to the beginning of the following lines:</para>
203	<screen>LASTLOG_ENAB
204	MAIL_CHECK_ENAB
205	PORTTIME_CHECKS_ENAB
206	CONSOLE
207	MOTD_FILE
208	NOLOGINS_FILE
209	PASS_MIN_LEN
210	SU_WHEEL_ONLY
211	MD5_CRYPT_ENAB
212	CONSOLE_GROUPS
213	ENVIRON_FILE</screen>
214
215	<para>This stops <command>login</command> from performing these functions, as
216	they will now be performed by <acronym>PAM</acronym> modules.</para>
217
218	</sect3>
219
220	</sect2>
221
222	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/shadow.xml@ cf43c83

Download in other formats: