source: postlfs/security/shadow.xml@ dba76a7

Last change on this file since dba76a7 was dba76a7, checked in by Xi Ruoyao <xry111@…>, 3 years ago

shadow: adjust for merged /usr

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY shadow-download-http "https://github.com/shadow-maint/shadow/releases/download/&shadow-version;/shadow-&shadow-version;.tar.xz">
  <!ENTITY shadow-download-ftp " ">
  <!ENTITY shadow-md5sum "4b05eff8a427cf50e615bda324b5bc45">
  <!ENTITY shadow-size "1.5 MB">
  <!ENTITY shadow-buildsize "33 MB">
  <!ENTITY shadow-time "0.2 SBU">
]>

<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
  <?dbhtml filename="shadow.html"?>

  <sect1info>
    <date>$Date$</date>
  </sect1info>

  <title>Shadow-&shadow-version;</title>

  <indexterm zone="shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Shadow</title>

    <para>
      <application>Shadow</application> was indeed installed in LFS and there is
      no reason to reinstall it unless you installed
      <application>CrackLib</application> or
      <application>Linux-PAM</application> after your LFS system was completed.
      If you have installed <application>CrackLib</application> after LFS, then
      reinstalling <application>Shadow</application> will enable strong password
      support. If you have installed <application>Linux-PAM</application>,
      reinstalling <application>Shadow</application> will allow programs such as
      <command>login</command> and <command>su</command> to utilize PAM.
    </para>

    &lfs101_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&shadow-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&shadow-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &shadow-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &shadow-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &shadow-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &shadow-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="linux-pam"/> or
      <xref role="nodep" linkend="cracklib"/>
    </para>

    <para condition="html" role="usernotes">
      User Notes: <ulink url="&blfs-wiki;/shadow"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Shadow</title>

    <important>
      <para>
        The installation commands shown below are for installations where
        <application>Linux-PAM</application> has been installed and
        <application>Shadow</application> is being reinstalled to support the
        <application>Linux-PAM</application> installation.
      </para>

      <para>
        If you are reinstalling <application>Shadow</application> to provide
        strong password support using the <application>CrackLib</application>
        library without using <application>Linux-PAM</application>, ensure you
        add the <parameter>--with-libcrack</parameter> parameter to the
        <command>configure</command> script below and also issue the following
        command:
      </para>

<screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
    </important>

    <para>
      Reinstall <application>Shadow</application> by running the following
      commands:
    </para>

<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;

find man -name Makefile.in -exec sed -i 's/groups\.1 / /'   {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \; &amp;&amp;

sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
    -e 's@/var/spool/mail@/var/mail@'                 \
    -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'                \
    -i etc/login.defs &amp;&amp;

sed -i 's/1000/999/' etc/useradd &amp;&amp;

./configure --sysconfdir=/etc --with-group-name-max-length=32 &amp;&amp;
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make exec_prefix=/usr install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
      is used to suppress the installation of the <command>groups</command>
      program as the version from the <application>Coreutils</application>
      package installed during LFS is preferred.
    </para>

    <para>
      <command>find man -name Makefile.in -exec ... {} \;</command>: This
      command is used to suppress the installation of the
      <command>groups</command> man pages so the existing ones installed from
      the <application>Coreutils</application> package are not replaced.
    </para>

    <para>
      <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
      's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}'
      -i etc/login.defs</command>: Instead of using
      the default 'DES' method, this command modifies the installation to use
      the more secure 'SHA512' method of hashing passwords, which also allows
      passwords longer than eight characters. It also changes the obsolete
      <filename class="directory">/var/spool/mail</filename> location for user
      mailboxes that <application>Shadow</application> uses by default to the
      <filename class="directory">/var/mail</filename> location. It also
      changes the default path to be consistent with that set in LFS.
    </para>

    <para>
      <command>sed -i 's/1000/999/' etc/useradd</command>: Make a minor change
      to make the default useradd consistent with the LFS groups file.
    </para>

    <para>
      <parameter>--with-group-name-max-length=32</parameter>: The maximum
      user name is 32 characters. Make the maximum group name the same.
    </para>

    <!-- No longer needed as of 4.8
    <para>
      <command>mv -v /usr/bin/passwd /bin</command>: The
      <command>passwd</command> program may be needed during times when the
      <filename class='directory'>/usr</filename> filesystem is not mounted so
      it is moved into the root partition.
    </para>
    -->

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Shadow</title>

    <para>
      <application>Shadow</application>'s stock configuration for the
      <command>useradd</command> utility may not be desirable for your
      installation. One default parameter causes <command>useradd</command> to
      create a mailbox file for any newly created user.
      <command>useradd</command> sets the group ownership of this file to
      the <systemitem class="groupname">mail</systemitem> group with 0660
      permissions. If you would prefer that these mailbox files are not created
      by <command>useradd</command>, issue the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Linux-PAM to Work with Shadow</title>

    <note>
      <para>
        The rest of this page is devoted to configuring
        <application>Shadow</application> to work properly with
        <application>Linux-PAM</application>. If you do not have
        <application>Linux-PAM</application> installed, and you reinstalled
        <application>Shadow</application> to support strong passwords via the
        <application>CrackLib</application> library, no further configuration is
        required.
      </para>
    </note>

    <sect3 id="pam.d">
      <title>Config Files</title>

      <para>
        <filename>/etc/pam.d/*</filename> or alternatively
        <filename>/etc/pam.conf</filename>,
        <filename>/etc/login.defs</filename> and
        <filename>/etc/security/*</filename>
      </para>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-security">/etc/security/*</primary>
      </indexterm>
    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        Configuring your system to use <application>Linux-PAM</application> can
        be a complex task. The information below will provide a basic setup so
        that <application>Shadow</application>'s login and password
        functionality will work effectively with
        <application>Linux-PAM</application>. Review the information and links
        on the <xref linkend="linux-pam"/> page for further configuration
        information. For information specific to integrating
        <application>Shadow</application>, <application>Linux-PAM</application>
        and <application>libpwquality</application>, you can visit the
        following link:
      </para>

      <itemizedlist spacing="compact">
        <listitem>
          <!-- New URL for the below link, according to its author. -->
          <para>
            <ulink url="http://www.deer-run.com/~hal/linux_passwords_pam.html"/>
          </para>
        </listitem>
      </itemizedlist>

287 <para>
288 The <command>login</command> program currently performs many functions
289 which <application>Linux-PAM</application> modules should now handle.
290 The following <command>sed</command> command will comment out the
291 appropriate lines in <filename>/etc/login.defs</filename>, and stop
292 <command>login</command> from performing these functions (a backup
293 file named <filename>/etc/login.defs.orig</filename> is also created
294 to preserve the original file's contents). Issue the following
295 commands as the <systemitem class="username">root</systemitem> user:
296 </para>
297
298 <indexterm zone="shadow pam-login-defs">
299 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
300 </indexterm>
301
302<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
303for FUNCTION in FAIL_DELAY \
304 FAILLOG_ENAB \
305 LASTLOG_ENAB \
306 MAIL_CHECK_ENAB \
307 OBSCURE_CHECKS_ENAB \
308 PORTTIME_CHECKS_ENAB \
309 QUOTAS_ENAB \
310 CONSOLE MOTD_FILE \
311 FTMP_FILE NOLOGINS_FILE \
312 ENV_HZ PASS_MIN_LEN \
313 SU_WHEEL_ONLY \
314 CRACKLIB_DICTPATH \
315 PASS_CHANGE_TRIES \
316 PASS_ALWAYS_WARN \
317 CHFN_AUTH ENCRYPT_METHOD \
318 ENVIRON_FILE
319do
320 sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
321done</userinput></screen>
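        <para>
          Added example, not part of the BLFS page: a check that the keys the
          loop above targets (the same list) are really commented out, plus the
          same <command>sed</command> applied to a file of your choice so it
          can be tried on a copy before <filename>/etc/login.defs</filename> is
          touched. The function names are chosen for this example, and the
          sample file is constructed here to stand in for a few lines of
          <filename>/etc/login.defs</filename>.
        </para>

```shell
# Added example (not BLFS code): verify that the login.defs keys which
# Linux-PAM modules now handle are commented out. The key list is the
# one the page's loop uses.
PAM_HANDLED_KEYS="FAIL_DELAY FAILLOG_ENAB LASTLOG_ENAB MAIL_CHECK_ENAB
OBSCURE_CHECKS_ENAB PORTTIME_CHECKS_ENAB QUOTAS_ENAB CONSOLE MOTD_FILE
FTMP_FILE NOLOGINS_FILE ENV_HZ PASS_MIN_LEN SU_WHEEL_ONLY CRACKLIB_DICTPATH
PASS_CHANGE_TRIES PASS_ALWAYS_WARN CHFN_AUTH ENCRYPT_METHOD ENVIRON_FILE"

# Print each listed key that is still active in FILE, one per line.
# A key counts as active when a line starts with the key followed by
# whitespace, so CONSOLE does not match CONSOLE_GROUPS.
login_defs_active_keys() {
    file=$1
    for key in $PAM_HANDLED_KEYS; do
        grep -q "^${key}[[:space:]]" "$file" && printf '%s\n' "$key"
    done
    return 0
}

# Comment the listed keys out of FILE with the same sed the page uses.
# It is anchored on the key prefix only, so it also rewrites any active
# key that merely starts with a listed name (e.g. CONSOLE_GROUPS).
login_defs_disable_keys() {
    file=$1
    for key in $PAM_HANDLED_KEYS; do
        sed -i "s/^${key}/# &/" "$file"
    done
}

# Constructed sample standing in for a few lines of /etc/login.defs.
SAMPLE=$(mktemp)
cat > "$SAMPLE" << "EOF"
MAIL_DIR        /var/mail
FAIL_DELAY      3
FAILLOG_ENAB    yes
#CONSOLE        /etc/consoles
CONSOLE_GROUPS  floppy:audio:cdrom
ENCRYPT_METHOD  SHA512
UMASK           022
EOF

printf 'active before: %s\n' "$(login_defs_active_keys "$SAMPLE" | tr '\n' ' ')"
login_defs_disable_keys "$SAMPLE"
printf 'active after:  %s\n' "$(login_defs_active_keys "$SAMPLE" | tr '\n' ' ')"
grep '^# CONSOLE_GROUPS' "$SAMPLE"   # side effect of the prefix-only anchor
rm -f "$SAMPLE"
```

        <para>
          The sample shows one caveat of the loop above: because its
          <command>sed</command> anchors only on the start of the key name,
          an uncommented <literal>CONSOLE_GROUPS</literal> line is commented
          out together with <literal>CONSOLE</literal>. The checker requires
          whitespace after the key, so it reports exactly the listed keys.
        </para>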
      </sect4>

      <sect4>
        <title>Configuring the /etc/pam.d/ Files</title>

        <para>
          As mentioned previously in the <application>Linux-PAM</application>
          instructions, <application>Linux-PAM</application> has two supported
          methods for configuration. The commands below assume that you've
          chosen to use a directory based configuration, where each program has
          its own configuration file. You can optionally use a single
          <filename>/etc/pam.conf</filename> configuration file by using the
          text from the files below, and supplying the program name as an
          additional first field for each line.
        </para>

        <para>
          As the <systemitem class="username">root</systemitem> user, create
          the following <application>Linux-PAM</application> configuration files
          in the <filename class="directory">/etc/pam.d/</filename> directory
          (or add the contents to the <filename>/etc/pam.conf</filename> file)
          using the following commands:
        </para>
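        <para>
          Added example, not part of the BLFS page: the conversion described
          above done mechanically, turning a directory of per-program files
          into <filename>/etc/pam.conf</filename> lines by prefixing each rule
          with the program name. The function name is chosen for this example,
          and the two files it is run on are constructed, cut-down versions of
          the files created below.
        </para>

```shell
# Added example (not BLFS code): emit the single-file /etc/pam.conf form of
# a /etc/pam.d-style directory. Every rule gets the service (file) name as
# an extra first field; comments and blank lines are dropped.
pamd_to_pamconf() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        service=${f##*/}
        # keep only rule lines, then prefix each with the service name
        grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s/^[[:space:]]*/${service} /"
    done
    return 0
}

# Constructed sample directory with cut-down versions of two of the files
# created on this page.
PAMD=$(mktemp -d)
cat > "$PAMD/login" << "EOF"
# Begin /etc/pam.d/login
auth      optional    pam_faildelay.so  delay=3000000
auth      include     system-auth
session   required    pam_env.so

# End /etc/pam.d/login
EOF
cat > "$PAMD/passwd" << "EOF"
password  include     system-password
EOF

pamd_to_pamconf "$PAMD"
rm -rf "$PAMD"
```

        <para>
          The rewrite is purely textual: <literal>include</literal> lines are
          carried over with their argument as written, so the files they name
          (<filename>system-auth</filename> and the others from the
          <application>Linux-PAM</application> page) need the same treatment,
          and the combined result should be checked against
          <command>pam.conf</command>(5) before it is put in place.
        </para>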
      </sect4>

      <sect4>
        <title>'login'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth      required    pam_securetty.so

# Additional group memberships - disabled by default
#auth      optional    pam_group.so

# include system auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include system account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display date of last login - Disabled by default
#session   optional    pam_lastlog.so

# Display the message of the day - Disabled by default
#session   optional    pam_motd.so

# Check user's mail - Disabled by default
#session   optional    pam_mail.so      standard quiet

# include system session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'passwd'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'su'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so

# Allow users in the wheel group to execute su without a password
# disabled by default
#auth      sufficient  pam_wheel.so trust use_uid

# include system auth settings
auth      include     system-auth

# limit su to users in the wheel group
auth      required    pam_wheel.so use_uid

# include system account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session settings
session   include     system-session

# End /etc/pam.d/su</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'chage'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system auth, account, and session settings
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required    pam_permit.so

# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>Other common programs</title>
        <!--<title>'chfn', 'chgpasswd', 'chpasswd', 'chsh', 'groupadd', 'groupdel',
        'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
        'usermod'</title>-->

<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done</userinput></screen>

        <warning>
          <para>
            At this point, you should do a simple test to see if
            <application>Shadow</application> is working as expected. Open
            another terminal and log in as a user, then <command>su</command> to
            <systemitem class="username">root</systemitem>. If you do not see
            any errors, then all is well and you should proceed with the rest of
            the configuration. If you did receive errors, stop now and double
            check the above configuration files manually. One obvious reason
            for an error is if the user is not in group <systemitem
            class="groupname">wheel</systemitem>. You may want to run (as
            <systemitem class="username">root</systemitem>): <command>usermod
            -a -G wheel <replaceable>&lt;user&gt;</replaceable></command>.
            Any other error indicates a mistake in the above procedure.
            You can also run the
            test suite from the <application>Linux-PAM</application> package to
            assist you in determining the problem. If you cannot find and fix
            the error, you should recompile <application>Shadow</application>
            adding the <option>--without-libpam</option> switch to the
            <command>configure</command> command in the above instructions (also
            move the <filename>/etc/login.defs.orig</filename> backup file to
            <filename>/etc/login.defs</filename>). If you fail to do this and
            the errors remain, you will be unable to log into your system.
          </para>
        </warning>
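        <para>
          Added example, not part of the BLFS page: a syntax check to run over
          the files created above while the root shell from the test in the
          warning is still open. It parses each rule into type, control and
          module, reports malformed lines with file and line number, and
          confirms that the <command>su</command> policy above (members of
          <systemitem class="groupname">wheel</systemitem> only) is present.
          The function names are chosen for this example; the sample it runs
          on is constructed from the page's <filename>/etc/pam.d/su</filename>
          rules with one deliberately misspelled control added.
        </para>

```shell
# Added example (not BLFS code): check /etc/pam.d-style files before
# logging out. pamd_rules prints every rule as "type control module"
# (options after the module are dropped) and reports malformed lines on
# stderr; it returns non-zero if any line was bad.
pamd_rules() {
    file=$1
    status=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line#"${line%%[![:space:]]*}"}        # trim leading whitespace
        case $line in ''|\#*) continue ;; esac       # blank line or comment
        set -f; set -- $line; set +f                 # split on whitespace, no globbing
        if [ $# -lt 3 ]; then
            echo "$file:$n: expected 'type control module', got '$line'" >&2
            status=1; continue
        fi
        type=$1; control=$2; shift 2
        case $control in
            \[*)   # "[success=ok default=bad]" style control spans several words
                until [ $# -eq 0 ] || [ "${control%]}" != "$control" ]; do
                    control="$control $1"; shift
                done ;;
        esac
        module=$1
        case $type in
            auth|account|password|session|-auth|-account|-password|-session) ;;
            *) echo "$file:$n: unknown type '$type'" >&2; status=1; continue ;;
        esac
        case $control in
            required|requisite|sufficient|optional|include|substack|\[*\]) ;;
            *) echo "$file:$n: unknown control '$control'" >&2; status=1; continue ;;
        esac
        if [ -z "$module" ]; then
            echo "$file:$n: missing module after control '$control'" >&2
            status=1; continue
        fi
        case $control:$module in
            include:*|substack:*) ;;   # argument is a configuration file name
            *:*.so) ;;                 # a module object
            *) echo "$file:$n: '$module' does not look like a PAM module" >&2
               status=1; continue ;;
        esac
        printf '%s %s %s\n' "$type" "$control" "$module"
    done < "$file"
    return $status
}

# Does FILE contain an active rule of TYPE that uses MODULE?
pamd_has_rule() {
    pamd_rules "$1" 2>/dev/null | grep -q "^$2 .* $3\$"
}

# Constructed sample: the rules from the page's /etc/pam.d/su, plus one
# line with a misspelled control to show what a report looks like.
SAMPLE=$(mktemp)
cat > "$SAMPLE" << "EOF"
# always allow root
auth      sufficient  pam_rootok.so
auth      include     system-auth
# limit su to users in the wheel group
auth      required    pam_wheel.so use_uid
account   include     system-account
session   required    pam_env.so
session   include     system-session
session   requried    pam_limits.so
EOF

if pamd_rules "$SAMPLE"; then echo "$SAMPLE: OK"; else echo "$SAMPLE: has errors"; fi
pamd_has_rule "$SAMPLE" auth pam_wheel.so && echo "su is restricted to wheel members"
rm -f "$SAMPLE"
```

        <para>
          A misspelled control word is exactly the kind of error that only
          shows up at the next login, so running the check over every file in
          <filename class="directory">/etc/pam.d/</filename> (for example with
          <command>for f in /etc/pam.d/*; do pamd_rules "$f" >/dev/null; done</command>)
          is a cheap addition to the manual test above.
        </para>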
      </sect4>

      <sect4 id="pam-access">
        <title>Configuring Login Access</title>

        <para>
          Instead of using the <filename>/etc/login.access</filename> file for
          controlling access to the system, <application>Linux-PAM</application>
          uses the <filename class='libraryfile'>pam_access.so</filename> module
          along with the <filename>/etc/security/access.conf</filename> file.
          Rename the <filename>/etc/login.access</filename> file using the
          following command:
        </para>

        <indexterm zone="shadow pam-access">
          <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
      </sect4>

      <sect4 id="pam-limits">
        <title>Configuring Resource Limits</title>

        <para>
          Instead of using the <filename>/etc/limits</filename> file for
          limiting usage of system resources,
          <application>Linux-PAM</application> uses the
          <filename class='libraryfile'>pam_limits.so</filename> module along
          with the <filename>/etc/security/limits.conf</filename> file. Rename
          the <filename>/etc/limits</filename> file using the following command:
        </para>

        <indexterm zone="shadow pam-limits">
          <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>

        <caution>
          <para>
            Be sure to test the login capabilities of the system before logging
            out. Errors in the configuration can cause a permanent
            lockout requiring a boot from an external source to correct the
            problem.
          </para>
        </caution>

      </sect4>
    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <para>
      A list of the installed files, along with their short descriptions can be
      found at
      <phrase revision="sysv">
      <ulink url="&lfs-root;/chapter08/shadow.html#contents-shadow"/></phrase>
      <phrase revision="systemd">
      <ulink url="&lfs-rootd;/chapter08/shadow.html#contents-shadow"/></phrase>.
    </para>

  </sect2>

</sect1>