source: postlfs/security/shadow.xml@ e8ea43e

10.0 10.1 11.0 7.10 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 ken/refactor-virt krejzi/svn lazarus nosym perl-modules qt5new systemd-11177 systemd-13485 trunk upgradedb xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since e8ea43e was e8ea43e, checked in by Bruce Dubbs <bdubbs@…>, 8 years ago

Update shadow url and md5sum

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@12499 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 22.8 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY shadow-download-http "http://cdn.debian.net/debian/pool/main/s/shadow//shadow_&shadow-version;.orig.tar.gz">
8 <!ENTITY shadow-download-ftp " ">
9 <!ENTITY shadow-md5sum "ae66de9953f840fb3a97f6148bc39a30">
10 <!ENTITY shadow-size "3.4 MB">
11 <!ENTITY shadow-buildsize "38 MB">
12 <!ENTITY shadow-time "0.3 SBU">
13]>
14
15<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
16 <?dbhtml filename="shadow.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Shadow-&shadow-version;</title>
24
25 <indexterm zone="shadow">
26 <primary sortas="a-Shadow">Shadow</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Shadow</title>
31
32 <para>
33 <application>Shadow</application> was indeed installed in LFS and there is
34 no reason to reinstall it unless you installed
35 <application>CrackLib</application> or
36 <application>Linux-PAM</application> after your LFS system was completed.
37 If you have installed <application>CrackLib</application> after LFS, then
38 reinstalling <application>Shadow</application> will enable strong password
39 support. If you have installed <application>Linux-PAM</application>,
40 reinstalling <application>Shadow</application> will allow programs such as
41 <command>login</command> and <command>su</command> to utilize PAM.
42 </para>
43
44 &lfs74_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&shadow-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&shadow-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &shadow-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &shadow-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &shadow-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &shadow-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
81
82 <bridgehead renderas="sect4">Required</bridgehead>
83 <para role="required">
84 <xref linkend="linux-pam"/> or
85 <xref linkend="cracklib"/>
86 </para>
87
88 <para condition="html" role="usernotes">
89 User Notes: <ulink url="&blfs-wiki;/shadow"/>
90 </para>
91 </sect2>
92
93 <sect2 role="installation">
94 <title>Installation of Shadow</title>
95
96 <important>
97 <para>
98 The installation commands shown below are for installations where
99 <application>Linux-PAM</application> has been installed (with or
100 without a <application>CrackLib</application> installation) and
101 <application>Shadow</application> is being reinstalled to support the
102 <application>Linux-PAM</application> installation.
103 </para>
104
105 <para>
106 If you are reinstalling <application>Shadow</application> to provide
107 strong password support using the <application>CrackLib</application>
108 library without using <application>Linux-PAM</application>, ensure you
109 add the <parameter>--with-libcrack</parameter> parameter to the
110 <command>configure</command> script below and also issue the following
111 command:
112 </para>
113
114<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
115 </important>
116
117 <para>
118 Reinstall <application>Shadow</application> by running the following
119 commands:
120 </para>
121
122<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
123find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
124sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile.in &amp;&amp;
125
126sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
127 -e 's@/var/spool/mail@/var/mail@' etc/login.defs &amp;&amp;
128
129sed -i -e 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&amp;:/usr/local/sbin:/usr/local/bin@' \
130 -e 's@PATH=/bin:/usr/bin@&amp;:/usr/local/bin@' etc/login.defs &amp;&amp;
131
132./configure --prefix=/usr --sysconfdir=/etc &amp;&amp;
133make</userinput></screen>
134
135 <para>
136 This package does not come with a test suite.
137 </para>
138
139 <para>
140 Now, as the <systemitem class="username">root</systemitem> user:
141 </para>
142
143<screen role="root"><userinput>make install &amp;&amp;
144mv -v /usr/bin/passwd /bin</userinput></screen>
145 </sect2>
146
147 <sect2 role="commands">
148 <title>Command Explanations</title>
149
150 <para>
151 <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
152 is used to suppress the installation of the <command>groups</command>
153 program as the version from the <application>Coreutils</application>
154 package installed during LFS is preferred.
155 </para>
156
157 <para>
158 <command>find man -name Makefile.in -exec ... {} \;</command>: This
159 command is used to suppress the installation of the
160 <command>groups</command> man pages so the existing ones installed from
161 the <application>Coreutils</application> package are not replaced.
162 </para>
163
164 <para>
165 <command>sed -i -e '...' -e '...' man/Makefile.in</command>: This command
166 disables the installation of Chinese and Korean manual pages, since
167 <application>Man-DB</application> cannot format them properly.
168 </para>
169
170 <para>
171 <command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
172 's@/var/spool/mail@/var/mail@' etc/login.defs</command>: Instead of using
173 the default 'DES' method, this command modifies the installation to use
174 the more secure 'SHA512' method of hashing passwords, which also allows
175 passwords longer than eight characters. It also changes the obsolete
176 <filename class="directory">/var/spool/mail</filename> location for user
177 mailboxes that <application>Shadow</application> uses by default to the
178 <filename class="directory">/var/mail</filename> location.
179 </para>
180
181 <para>
182 <command>sed -i -e
183 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&amp;:/usr/local/sbin:/usr/local/bin@'
184 -e 's@PATH=/bin:/usr/bin@&amp;:/usr/local/bin@' etc/login.defs</command>:
185 This sed expands PATH to
186 <filename class="directory">/usr/local/bin</filename> for normal and
187 <systemitem class="username">root</systemitem> user and to
188 <filename class="directory">/usr/local/sbin</filename> for
189 <systemitem class="username">root</systemitem> user only.
190 </para>
191
192 <para>
193 <command>mv -v /usr/bin/passwd /bin</command>: The
194 <command>passwd</command> program may be needed during times when the
195 <filename class='directory'>/usr</filename> filesystem is not mounted so
196 it is moved into the root partition.
197 </para>
198 </sect2>
199
200 <sect2 role="configuration">
201 <title>Configuring Shadow</title>
202
203 <para>
204 <application>Shadow</application>'s stock configuration for the
205 <command>useradd</command> utility may not be desirable for your
206 installation. One default parameter causes <command>useradd</command> to
207 create a mailbox file for any newly created user.
208 <command>useradd</command> will make the group ownership of this file to
209 the <systemitem class="groupname">mail</systemitem> group with 0660
210 permissions. If you would prefer that these mailbox files are not created
211 by <command>useradd</command>, issue the following command as the
212 <systemitem class="username">root</systemitem> user:
213 </para>
214
215<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
216 </sect2>
217
218 <sect2 role="configuration">
219 <title>Configuring Linux-PAM to Work with Shadow</title>
220
221 <note>
222 <para>
223 The rest of this page is devoted to configuring
224 <application>Shadow</application> to work properly with
225 <application>Linux-PAM</application>. If you do not have
226 <application>Linux-PAM</application> installed, and you reinstalled
227 <application>Shadow</application> to support strong passwords via the
228 <application>CrackLib</application> library, no further configuration is
229 required.
230 </para>
231 </note>
232
233 <sect3 id="pam.d">
234 <title>Config Files</title>
235
236 <para>
237 <filename>/etc/pam.d/*</filename> or alternatively
238 <filename>/etc/pam.conf</filename>,
239 <filename>/etc/login.defs</filename> and
240 <filename>/etc/security/*</filename>
241 </para>
242
243 <indexterm zone="shadow pam.d">
244 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
245 </indexterm>
246
247 <indexterm zone="shadow pam.d">
248 <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
249 </indexterm>
250
251 <indexterm zone="shadow pam.d">
252 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
253 </indexterm>
254
255 <indexterm zone="shadow pam.d">
256 <primary sortas="e-etc-security">/etc/security/*</primary>
257 </indexterm>
258 </sect3>
259
260 <sect3>
261 <title>Configuration Information</title>
262
263 <para>
264 Configuring your system to use <application>Linux-PAM</application> can
265 be a complex task. The information below will provide a basic setup so
266 that <application>Shadow</application>'s login and password
267 functionality will work effectively with
268 <application>Linux-PAM</application>. Review the information and links
269 on the <xref linkend="linux-pam"/> page for further configuration
270 information. For information specific to integrating
271 <application>Shadow</application>, <application>Linux-PAM</application>
272 and <application>CrackLib</application>, you can visit the following
273 link:
274 </para>
275
276 <itemizedlist spacing="compact">
277 <listitem>
278 <para>
279 <ulink url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/>
280 </para>
281 </listitem>
282 </itemizedlist>
283
284 <sect4 id="pam-login-defs">
285 <title>Configuring /etc/login.defs</title>
286
287 <para>
288 The <command>login</command> program currently performs many functions
289 which <application>Linux-PAM</application> modules should now handle.
290 The following <command>sed</command> command will comment out the
291 appropriate lines in <filename>/etc/login.defs</filename>, and stop
292 <command>login</command> from performing these functions (a backup
293 file named <filename>/etc/login.defs.orig</filename> is also created
294 to preserve the original file's contents). Issue the following
295 commands as the <systemitem class="username">root</systemitem> user:
296 </para>
297
298 <indexterm zone="shadow pam-login-defs">
299 <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
300 </indexterm>
301
302<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
303for FUNCTION in FAIL_DELAY FAILLOG_ENAB \
304 LASTLOG_ENAB \
305 MAIL_CHECK_ENAB \
306 OBSCURE_CHECKS_ENAB \
307 PORTTIME_CHECKS_ENAB \
308 QUOTAS_ENAB \
309 CONSOLE MOTD_FILE \
310 FTMP_FILE NOLOGINS_FILE \
311 ENV_HZ PASS_MIN_LEN \
312 SU_WHEEL_ONLY \
313 CRACKLIB_DICTPATH \
314 PASS_CHANGE_TRIES \
315 PASS_ALWAYS_WARN \
316 CHFN_AUTH ENCRYPT_METHOD \
317 ENVIRON_FILE
318do
319 sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
320done</userinput></screen>
321 </sect4>
322
323 <sect4>
324 <title>Configuring the /etc/pam.d/ Files</title>
325
326 <para>
327 As mentioned previously in the <application>Linux-PAM</application>
328 instructions, <application>Linux-PAM</application> has two supported
329 methods for configuration. The commands below assume that you've
330 chosen to use a directory based configuration, where each program has
331 its own configuration file. You can optionally use a single
332 <filename>/etc/pam.conf</filename> configuration file by using the
333 text from the files below, and supplying the program name as an
334 additional first field for each line.
335 </para>
336
337 <para>
338 As the <systemitem class="username">root</systemitem> user, replace
339 the following <application>Linux-PAM</application> configuration files
340 in the <filename class="directory">/etc/pam.d/</filename> directory
341 (or add the contents to the <filename>/etc/pam.conf</filename> file)
342 using the following commands:
343 </para>
344 </sect4>
345
346 <sect4>
347 <title>'system-account'</title>
348
349<screen role="root"><userinput>cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF"
350<literal># Begin /etc/pam.d/system-account
351
352account required pam_unix.so
353
354# End /etc/pam.d/system-account</literal>
355EOF</userinput></screen>
356 </sect4>
357
358 <sect4>
359 <title>'system-auth'</title>
360
361<screen role="root"><userinput>cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF"
362<literal># Begin /etc/pam.d/system-auth
363
364auth required pam_unix.so
365
366# End /etc/pam.d/system-auth</literal>
367EOF</userinput></screen>
368 </sect4>
369
370 <sect4>
371 <title>'system-passwd' (with cracklib)</title>
372
373<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
374<literal># Begin /etc/pam.d/system-password
375
376# check new passwords for strength (man pam_cracklib)
377password required pam_cracklib.so type=Linux retry=3 difok=5 \
378 difignore=23 minlen=9 dcredit=1 \
379 ucredit=1 lcredit=1 ocredit=1 \
380 dictpath=/lib/cracklib/pw_dict
381# use sha512 hash for encryption, use shadow, and use the
382# authentication token (chosen password) set by pam_cracklib
383# above (or any previous modules)
384password required pam_unix.so sha512 shadow use_authtok
385
386# End /etc/pam.d/system-password</literal>
387EOF</userinput></screen>
388
389 <note>
390 <para>
391 In its default configuration, owing to credits, pam_cracklib will
392 allow multiple case passwords as short as 6 characters, even with
393 the <parameter>minlen</parameter> value set to 11. You should review
394 the pam_cracklib(8) man page and determine if these default values
395 are acceptable for the security of your system.
396 </para>
397 </note>
398 </sect4>
399
400 <sect4>
401 <title>'system-passwd' (without cracklib)</title>
402
403<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
404<literal># Begin /etc/pam.d/system-password
405
406# use sha512 hash for encryption, use shadow, and try to use any previously
407# defined authentication token (chosen password) set by any prior module
408password required pam_unix.so sha512 shadow try_first_pass
409
410# End /etc/pam.d/system-password</literal>
411EOF</userinput></screen>
412 </sect4>
413
414 <sect4>
415 <title>'system-session'</title>
416
417<screen role="root"><userinput>cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
418<literal># Begin /etc/pam.d/system-session
419
420session required pam_unix.so
421
422# End /etc/pam.d/system-session</literal>
423EOF</userinput></screen>
424 </sect4>
425
426 <sect4>
427 <title>'login'</title>
428
429<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
430<literal># Begin /etc/pam.d/login
431
432# Set failure delay before next prompt to 3 seconds
433auth optional pam_faildelay.so delay=3000000
434
435# Check to make sure that the user is allowed to login
436auth requisite pam_nologin.so
437
438# Check to make sure that root is allowed to login
439# Disabled by default. You will need to create /etc/securetty
440# file for this module to function. See man 5 securetty.
441#auth required pam_securetty.so
442
443# Additional group memberships - disabled by default
444#auth optional pam_group.so
445
446# include the default auth settings
447auth include system-auth
448
449# check access for the user
450account required pam_access.so
451
452# include the default account settings
453account include system-account
454
455# Set default environment variables for the user
456session required pam_env.so
457
458# Set resource limits for the user
459session required pam_limits.so
460
461# Display date of last login - Disabled by default
462#session optional pam_lastlog.so
463
464# Display the message of the day - Disabled by default
465#session optional pam_motd.so
466
467# Check user's mail - Disabled by default
468#session optional pam_mail.so standard quiet
469
470# include the default session and password settings
471session include system-session
472password include system-password
473
474# End /etc/pam.d/login</literal>
475EOF</userinput></screen>
476 </sect4>
477
478 <sect4>
479 <title>'passwd'</title>
480
481<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
482<literal># Begin /etc/pam.d/passwd
483
484password include system-password
485
486# End /etc/pam.d/passwd</literal>
487EOF</userinput></screen>
488 </sect4>
489
490 <sect4>
491 <title>'su'</title>
492
493<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
494<literal># Begin /etc/pam.d/su
495
496# always allow root
497auth sufficient pam_rootok.so
498auth include system-auth
499
500# include the default account settings
501account include system-account
502
503# Set default environment variables for the service user
504session required pam_env.so
505
506# include system session defaults
507session include system-session
508
509# End /etc/pam.d/su</literal>
510EOF</userinput></screen>
511 </sect4>
512
513 <sect4>
514 <title>'chage'</title>
515
516<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
517<literal>#Begin /etc/pam.d/chage
518
519# always allow root
520auth sufficient pam_rootok.so
521
522# include system defaults for auth account and session
523auth include system-auth
524account include system-account
525session include system-session
526
527# Always permit for authentication updates
528password required pam_permit.so
529
530# End /etc/pam.d/chage</literal>
531EOF</userinput></screen>
532 </sect4>
533
534 <sect4>
535 <title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 'groupdel',
536 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
537 'usermod'</title>
538
539<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
540 groupmems groupmod newusers useradd userdel usermod
541do
542 install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
543 sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
544done</userinput></screen>
545
546 <warning>
547 <para>
548 At this point, you should do a simple test to see if
549 <application>Shadow</application> is working as expected. Open
550 another terminal and log in as a user, then <command>su</command> to
551 <systemitem class="username">root</systemitem>. If you do not see
552 any errors, then all is well and you should proceed with the rest of
553 the configuration. If you did receive errors, stop now and double
554 check the above configuration files manually. You can also run the
555 test suite from the <application>Linux-PAM</application> package to
556 assist you in determining the problem. If you cannot find and fix
557 the error, you should recompile <application>Shadow</application>
558 adding the <option>--without-libpam</option> switch to the
559 <command>configure</command> command in the above instructions (also
560 move the <filename>/etc/login.defs.orig</filename> backup file to
561 <filename>/etc/login.defs</filename>). If you fail to do this and
562 the errors remain, you will be unable to log into your system.
563 </para>
564 </warning>
565 </sect4>
566
567 <sect4>
568 <title>Other</title>
569
570 <para>
571 Currently, <filename>/etc/pam.d/other</filename> is configured to
572 allow anyone with an account on the machine to use PAM-aware programs
573 without a configuration file for that program. After testing
574 <application>Linux-PAM</application> for proper configuration, install
575 a more restrictive <filename>other</filename> file so that
576 program-specific configuration files are required:
577 </para>
578
579<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
580<literal># Begin /etc/pam.d/other
581
582auth required pam_warn.so
583auth required pam_deny.so
584account required pam_warn.so
585account required pam_deny.so
586password required pam_warn.so
587password required pam_deny.so
588session required pam_warn.so
589session required pam_deny.so
590
591# End /etc/pam.d/other</literal>
592EOF</userinput></screen>
593 </sect4>
594
595 <sect4 id="pam-access">
596 <title>Configuring Login Access</title>
597
598 <para>
599 Instead of using the <filename>/etc/login.access</filename> file for
600 controlling access to the system, <application>Linux-PAM</application>
601 uses the <filename class='libraryfile'>pam_access.so</filename> module
602 along with the <filename>/etc/security/access.conf</filename> file.
603 Rename the <filename>/etc/login.access</filename> file using the
604 following command:
605 </para>
606
607 <indexterm zone="shadow pam-access">
608 <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
609 </indexterm>
610
611<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
612 </sect4>
613
614 <sect4 id="pam-limits">
615 <title>Configuring Resource Limits</title>
616
617 <para>
618 Instead of using the <filename>/etc/limits</filename> file for
619 limiting usage of system resources,
620 <application>Linux-PAM</application> uses the
621 <filename class='libraryfile'>pam_limits.so</filename> module along
622 with the <filename>/etc/security/limits.conf</filename> file. Rename
623 the <filename>/etc/limits</filename> file using the following command:
624 </para>
625
626 <indexterm zone="shadow pam-limits">
627 <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
628 </indexterm>
629
630<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>
631 </sect4>
632 </sect3>
633 </sect2>
634
635 <sect2 role="content">
636 <title>Contents</title>
637
638 <para>
639 A list of the installed files, along with their short descriptions can be
640 found at <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.
641 </para>
642
643 </sect2>
644
645</sect1>
Note: See TracBrowser for help on using the repository browser.