source: postlfs/security/shadow.xml@ d5d6554

Last change on this file since d5d6554 was d5d6554, checked in by Larry Lawrence <larry@…>, 17 years ago

Index errors

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3257 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
  "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;
]>

<sect1 id="shadow">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="shadow.html"?>
<title>Shadow-&shadow-version;</title>
<indexterm zone="shadow">
<primary sortas="a-Shadow">Shadow</primary></indexterm>

<!--
<sect2>
<title>Configuring shadow</title>

<para>Shadow's Configuration File</para>

<para><userinput>/etc/login.defs</userinput></para>

<para>Enabling <acronym>MD</acronym>5 Passwords</para>

<para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
<filename>login.defs</filename> file that reads:
<screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
to read:
<screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
Passwords created after this change will be encrypted using
<acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
<acronym>DES</acronym> encryption.
</para>
</sect2>
-->

<sect2>
<title>Introduction to <application>Shadow</application></title>

<para>Shadow was installed in <acronym>LFS</acronym> and there is
no reason to reinstall it unless you have installed
<application>Linux-<acronym>PAM</acronym></application>. If you have,
reinstalling <application>Shadow</application> allows programs such as
<command>login</command> and <command>su</command> to use
<acronym>PAM</acronym>.</para>

<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Patch to fix linking against PAM:
<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
</itemizedlist>
</sect3>

<sect3><title><application>Shadow</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="Linux_PAM"/></para></sect4>
</sect3>
</sect2>

<sect2>
<title>Installation of <application>Shadow</application></title>

<para>Reinstall <application>Shadow</application> by running the following
commands:</para>

<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
    --enable-shared --with-libpam --without-libcrack &amp;&amp;
echo '#define HAVE_SETLOCALE 1' >> config.h &amp;&amp;
sed -i '/extern char/d' libmisc/xmalloc.c &amp;&amp;
make &amp;&amp;
make install &amp;&amp;
mv /bin/sg /usr/bin &amp;&amp;
mv /bin/vigr /usr/sbin &amp;&amp;
mv /usr/bin/passwd /bin &amp;&amp;
rm /bin/groups &amp;&amp;
mv /usr/lib/lib{misc,shadow}.so.0* /lib &amp;&amp;
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &amp;&amp;
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>

</sect2>

<sect2>
<title>Command explanations</title>

<para><parameter>--without-libcrack</parameter>: This switch tells
<application>Shadow</application> not to use
<filename class='libraryfile'>libcrack</filename>. This is desired as
<application>Linux-<acronym>PAM</acronym></application> already contains
<filename class='libraryfile'>libcrack</filename>.</para>

<para><command>sed -i '/extern char/d' libmisc/xmalloc.c</command>: This
fixes a compilation problem when using <application>GCC</application>-3.4.x.
</para>

<!-- Leftover from older instructions????
<para><command>cp debian/securetty /etc/securetty</command>: This
command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
-->

</sect2>

<sect2>
<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to work
with <application>Shadow</application></title>

<sect3 id="pam.d"><title>Config files</title>
<para><filename>/etc/pam.d/login</filename>,
<filename>/etc/pam.d/passwd</filename>,
<filename>/etc/pam.d/su</filename>,
<filename>/etc/pam.d/shadow</filename>,
<filename>/etc/pam.d/useradd</filename>, and
<filename>/etc/pam.d/chage</filename> &ndash;
alternatively, <filename>/etc/pam.conf</filename></para>
<indexterm zone="shadow pam.d">
<primary sortas="e-pam-pam.d">/etc/pam.d/</primary></indexterm>
<indexterm zone="shadow pam.d">
<primary sortas="e-pam-pam.conf">/etc/pam.conf</primary></indexterm>
</sect3>

<sect3><title>Configuration Information</title>

<para>Add the following <application>Linux-<acronym>PAM</acronym></application>
configuration files to <filename class="directory">/etc/pam.d/</filename> (or
add them to <filename>/etc/pam.conf</filename> with the additional field for
the program).</para>

<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login

auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
account required pam_access.so
account required pam_unix.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
session required pam_unix.so

# End /etc/pam.d/login
<command>EOF
cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd

password required pam_unix.so md5 shadow

# End /etc/pam.d/passwd
<command>EOF
cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/shadow

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

# End /etc/pam.d/shadow
<command>EOF
cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/su

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so

# End /etc/pam.d/su
<command>EOF
cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/useradd

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

# End /etc/pam.d/useradd
<command>EOF
cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/chage

auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

# End /etc/pam.d/chage
<command>EOF</command></userinput></screen>

<note><para>If you've installed <application>cracklib</application>, replace
<filename>/etc/pam.d/passwd</filename> with the following:</para></note>
<screen><userinput><command>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd

password required pam_cracklib.so \
         retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok

# End /etc/pam.d/passwd
<command>EOF</command></userinput></screen>

<warning><para>At this point, you should do a simple test to see if
<application>Shadow</application> is
working as expected. Open another terminal and log in as a user, then su
to root. If you do not see any errors, then all is well and you should
proceed with the rest of the configuration. If you did
receive errors, stop now and double check the above configuration files
manually. If you cannot find and fix the error, you should recompile
<application>Shadow</application> replacing
<parameter>--with-libpam</parameter> with
<parameter>--without-libpam</parameter> in the above
instructions. If you fail to do this and the errors remain, you
will be unable to log into your system.</para></warning>

<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use programs
that do not specifically have a configuration file of their own. After
testing <application>Linux-<acronym>PAM</acronym></application> for proper
configuration, it can be changed to the following:</para>

<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/other

auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
password required pam_deny.so
password required pam_warn.so

# End /etc/pam.d/other
<command>EOF</command></userinput></screen>
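<para>The control flags in the stacks above (requisite, required, sufficient
and optional) decide which later modules still run and what the final verdict
is. The following Python script is added here as an illustration and is not
part of BLFS or Linux-PAM: it parses the auth stacks of
<filename>/etc/pam.d/su</filename> and <filename>/etc/pam.d/other</filename>
from this page and walks them with toy module results (the
<function>verdict_for</function> helper is an assumption), showing that
<filename>pam_rootok.so</filename> lets root through <command>su</command>
before <filename>pam_unix.so</filename> is consulted, and that in
<filename>other</filename> a failing required <filename>pam_deny.so</filename>
does not abort the stack, so <filename>pam_warn.so</filename> still runs
and logs the attempt.</para>

```python
"""Walk a pam.d stack the way Linux-PAM does (added example, not BLFS or Linux-PAM code)."""
import re

# The auth stacks from the page's /etc/pam.d/su and /etc/pam.d/other.
PAM_SU = "auth sufficient pam_rootok.so\nauth required pam_unix.so\n"
PAM_OTHER = "auth required pam_deny.so\nauth required pam_warn.so\n"
LINE = re.compile(r"(auth|account|password|session)\s+(requisite|required|sufficient|optional)\s+(\S+)(.*)")

def parse_stack(text):
    """Return [(type, control, module, args)] for the body of a pam.d file."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():   # join '\'-continued lines
        line = line.split("#", 1)[0].strip()               # drop comments and blanks
        if line:
            m = LINE.fullmatch(line)
            if not m:
                raise ValueError(f"unrecognised pam.d entry: {line!r}")
            kind, control, module, args = m.groups()
            entries.append((kind, control, module, args.split()))
    return entries

def evaluate(entries, kind, verdict):
    """Run the `kind` sub-stack; verdict(module, args) -> bool is each module's result.
    Returns (allowed, modules actually consulted) under Linux-PAM control-flag rules."""
    consulted, failed, passed, optional = [], False, False, None
    for k, control, module, args in entries:
        if k != kind:
            continue
        ok = verdict(module, args)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted          # requisite failure aborts immediately
        if control == "sufficient" and ok and not failed:
            return True, consulted           # success short-circuits the rest
        if control == "required" and not ok:
            failed = True                    # remembered, but the stack keeps running
        elif control in ("required", "requisite"):
            passed = True
        elif control == "optional":
            optional = ok                    # counts only if nothing else decided
    return (not failed and (passed or bool(optional))), consulted

def verdict_for(uid, password_ok):
    """Toy module behaviour (assumption): pam_rootok passes for uid 0, pam_unix checks
    the password, pam_deny always fails, pam_warn only logs and so always passes."""
    table = {"pam_rootok.so": uid == 0, "pam_unix.so": password_ok,
             "pam_deny.so": False, "pam_warn.so": True}
    return lambda module, args: table[module]
```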

<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
to the beginning of the following lines:</para>
<screen>LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE</screen>

<para>This stops <command>login</command> from performing these functions, as
they will now be performed by <acronym>PAM</acronym> modules. Additionally,
add a '#' to the beginning of the following lines if you've installed
<application>cracklib</application>:</para>
<screen>OBSCURE_CHECKS_ENAB
CRACKLIB_DICTPATH
PASS_CHANGE_TRIES
PASS_ALWAYS_WARN</screen>
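<para>As an added check, not part of the BLFS instructions, the following
Python snippet reports which of the <filename>login.defs</filename> keys
listed above are still active and comments them out, treating the cracklib
keys as expected to be disabled only when <filename>pam_cracklib.so</filename>
appears in <filename>/etc/pam.d/passwd</filename>. The
<filename>login.defs</filename> excerpt it works on is constructed.</para>

```python
"""Audit /etc/login.defs against the PAM setup on this page (added example, not BLFS code)."""
import re

# Keys the page says to comment out once login uses PAM, and the extra ones for pam_cracklib.
PAM_HANDLED = ["LASTLOG_ENAB", "MAIL_CHECK_ENAB", "PORTTIME_CHECKS_ENAB", "CONSOLE",
               "MOTD_FILE", "NOLOGINS_FILE", "PASS_MIN_LEN", "SU_WHEEL_ONLY",
               "MD5_CRYPT_ENAB", "CONSOLE_GROUPS", "ENVIRON_FILE"]
CRACKLIB_HANDLED = ["OBSCURE_CHECKS_ENAB", "CRACKLIB_DICTPATH", "PASS_CHANGE_TRIES",
                    "PASS_ALWAYS_WARN"]

# Constructed excerpt of a login.defs; MD5_CRYPT_ENAB is already commented out.
SAMPLE_LOGIN_DEFS = """# constructed login.defs excerpt
MAIL_DIR        /var/mail
LASTLOG_ENAB    yes
#MD5_CRYPT_ENAB no
PASS_MIN_LEN    5
OBSCURE_CHECKS_ENAB yes
"""

def active_keys(login_defs):
    """Keys that are still live (not commented out) in a login.defs text."""
    keys = set()
    for line in login_defs.splitlines():
        m = re.match(r"\s*([A-Z_][A-Z0-9_]*)\b", line)   # a '#' first means no match
        if m:
            keys.add(m.group(1))
    return keys

def disable_keys(login_defs, keys):
    """Return login_defs with every live line for `keys` commented out (idempotent)."""
    pattern = re.compile(r"^(\s*)(" + "|".join(keys) + r")\b")
    return "\n".join(pattern.sub(r"\1#\2", line) for line in login_defs.splitlines()) + "\n"

def audit(login_defs, pam_passwd):
    """Sorted list of keys that should be commented out but are still active.
    The cracklib keys are only expected to be disabled when /etc/pam.d/passwd
    mentions pam_cracklib.so (naive substring check on that file's text)."""
    expected = set(PAM_HANDLED)
    if "pam_cracklib.so" in pam_passwd:
        expected |= set(CRACKLIB_HANDLED)
    return sorted(expected & active_keys(login_defs))
```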

</sect3>

</sect2>

</sect1>