source: postlfs/security/shadow.xml@ f1d7196

Last change on this file since f1d7196 was f1d7196, checked in by Pierre Labastie <pieere@…>, 5 years ago

Fix some option vs parameter tags in Command explanations ("Post LFS"
and "General" parts).

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@17872 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY shadow-download-http "http://pkg-shadow.alioth.debian.org/releases/shadow-&shadow-version;.tar.xz">
  <!ENTITY shadow-download-ftp  " ">
  <!ENTITY shadow-md5sum        "2bfafe7d4962682d31b5eba65dba4fc8">
  <!ENTITY shadow-size          "1.5 MB">
  <!ENTITY shadow-buildsize     "53 MB">
  <!ENTITY shadow-time          "0.2 SBU">
]>

<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
  <?dbhtml filename="shadow.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Shadow-&shadow-version;</title>

  <indexterm zone="shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Shadow</title>

    <para>
      <application>Shadow</application> was installed in LFS and there is
      no reason to reinstall it unless you installed
      <application>CrackLib</application> or
      <application>Linux-PAM</application> after your LFS system was
      completed. If you have installed <application>CrackLib</application>
      after LFS, reinstalling <application>Shadow</application> will enable
      strong password support. If you have installed
      <application>Linux-PAM</application>, reinstalling
      <application>Shadow</application> will allow programs such as
      <command>login</command> and <command>su</command> to use PAM.
    </para>

    &lfs7a_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&shadow-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&shadow-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &shadow-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &shadow-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &shadow-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &shadow-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Shadow Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="linux-pam"/> or
      <xref linkend="cracklib"/>
    </para>

    <para condition="html" role="usernotes">
      User Notes: <ulink url="&blfs-wiki;/shadow"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of Shadow</title>

    <important>
      <para>
        The installation commands shown below are for installations where
        <application>Linux-PAM</application> has been installed (with or
        without a <application>CrackLib</application> installation) and
        <application>Shadow</application> is being reinstalled to support the
        <application>Linux-PAM</application> installation.
      </para>

      <para>
        If you are reinstalling <application>Shadow</application> to provide
        strong password support using the <application>CrackLib</application>
        library without using <application>Linux-PAM</application>, ensure you
        add the <parameter>--with-libcrack</parameter> parameter to the
        <command>configure</command> script below and also issue the following
        command:
      </para>

<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
    </important>

    <para>
      Reinstall <application>Shadow</application> by running the following
      commands:
    </para>

<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
find man -name Makefile.in -exec sed -i 's/groups\.1 / /'   {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &amp;&amp;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \; &amp;&amp;

sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
       -e 's@/var/spool/mail@/var/mail@' etc/login.defs &amp;&amp;

sed -i 's/1000/999/' etc/useradd &amp;&amp;

./configure --sysconfdir=/etc --with-group-name-max-length=32 &amp;&amp;
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
mv -v /usr/bin/passwd /bin</userinput></screen>

    <para>
      Before relying on the new binaries, confirm that the reinstalled
      <command>login</command> and <command>su</command> are actually linked
      against <filename class="libraryfile">libpam.so</filename> (for example
      with <command>ldd</command>); if <command>configure</command> did not find
      <application>Linux-PAM</application>, the build silently falls back to
      the non-PAM code paths and the configuration below has no effect.
    </para>
  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed
      is used to suppress the installation of the <command>groups</command>
      program as the version from the <application>Coreutils</application>
      package installed during LFS is preferred.
    </para>

    <para>
      <command>find man -name Makefile.in -exec ... {} \;</command>: These
      commands suppress the installation of the <command>groups</command>
      man page, so that the one installed from the
      <application>Coreutils</application> package is not replaced, and of the
      <filename>getspnam.3</filename> and <filename>passwd.5</filename> man
      pages, which were already installed by the
      <application>Man-pages</application> package in LFS.
    </para>

    <para>
      <command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e
      's@/var/spool/mail@/var/mail@' etc/login.defs</command>: Instead of using
      the default 'DES' method, this command modifies the installation to use
      the more secure 'SHA512' method of hashing passwords. DES
      <function>crypt</function> only uses the first eight characters of a
      password, so SHA512 also makes longer passwords effective. Note that the
      setting only applies to passwords set from now on; hashes already in
      <filename>/etc/shadow</filename> are not rewritten until the user's
      password is changed. The command also changes the obsolete
      <filename class="directory">/var/spool/mail</filename> location for user
      mailboxes that <application>Shadow</application> uses by default to the
      <filename class="directory">/var/mail</filename> location.
    </para>

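    <para>
      The following script is an added example; it is not part of the BLFS
      book or of the <application>Shadow</application> package. It classifies
      each password field of a <filename>/etc/shadow</filename> file by its
      <function>crypt</function> identifier so that accounts still carrying a
      DES hash (no <literal>$id$</literal> prefix, exactly 13 characters),
      an MD5 hash, or no password at all can be found after
      <literal>ENCRYPT_METHOD</literal> has been switched to SHA512. The
      records in <literal>SAMPLE_SHADOW</literal> are constructed and their
      hash bodies are placeholders of the right length, not real hashes.
    </para>

```python
"""Audit shadow(5) records for the password hashing method in use."""
import re
from dataclasses import dataclass

# crypt(3) identifiers.  A classic DES hash has no "$id$" prefix: it is exactly
# 13 characters from [A-Za-z0-9./] (2-character salt followed by 11 characters).
_PREFIXES = {
    "$1$": "MD5",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "SHA256",
    "$6$": "SHA512",
    "$y$": "yescrypt",
}
_DES_RE = re.compile(r"^[A-Za-z0-9./]{13}$")


@dataclass
class Finding:
    user: str
    method: str   # DES, MD5, SHA512, ... or "locked", "empty", "unknown"
    weak: bool    # True when a password-policy review should act on it


def classify(field):
    """Name the hash method of one shadow password field."""
    if field == "":
        return "empty"                 # no password required: password-less login
    if field.startswith(("!", "*")):
        return "locked"                # '!' or '*' prefix: password login disabled
    for prefix, name in _PREFIXES.items():
        if field.startswith(prefix):
            return name
    if _DES_RE.match(field):
        return "DES"
    return "unknown"


def audit_shadow(text, strong=("SHA256", "SHA512", "yescrypt", "bcrypt")):
    """Parse shadow records and flag usable passwords not hashed with a
    method in `strong`.  Empty fields are always flagged.  Fields are
    user:hash:lastchg:min:max:warn:inactive:expire:reserved (shadow(5))."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 colon-separated fields")
        method = classify(fields[1])
        weak = method == "empty" or (method != "locked" and method not in strong)
        findings.append(Finding(fields[0], method, weak))
    return findings


# Constructed sample records; the hash bodies are placeholders of the right length.
SAMPLE_SHADOW = "\n".join([
    "root:$6$saltsalt$" + "A" * 86 + ":18000:0:99999:7:::",                 # SHA512
    "alice:$1$saltsalt$" + "B" * 22 + ":18000:0:99999:7:::",                # MD5
    "bob:ab" + "C" * 11 + ":18000:0:99999:7:::",                            # 13-char DES
    "svc:!:18000:0:99999:7:::",                                             # locked
    "guest::18000:0:99999:7:::",                                            # no password
    "carol:$y$j9T$saltsaltsaltsalt$" + "D" * 43 + ":18000:0:99999:7:::",    # yescrypt
])


def weak_accounts(text=SAMPLE_SHADOW):
    """User names whose password field needs attention."""
    return [f.user for f in audit_shadow(text) if f.weak]


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.user:8} {f.method:9} {'WEAK' if f.weak else 'ok'}")
```

    <para>
      To audit the real file, pass the contents of
      <filename>/etc/shadow</filename> (readable only by
      <systemitem class="username">root</systemitem>) to
      <function>audit_shadow</function>; an account that is reported as
      <literal>empty</literal> can be logged into without a password and
      should be locked or given a password immediately.
    </para>
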
    <para>
      <command>sed -i 's/1000/999/' etc/useradd</command>: Make a minor change
      to make the default useradd consistent with the LFS groups file.
    </para>

    <para>
      <parameter>--with-group-name-max-length=32</parameter>: The maximum
      user name is 32 characters. Make the maximum group name the same.
    </para>

    <para>
      <command>mv -v /usr/bin/passwd /bin</command>: The
      <command>passwd</command> program may be needed during times when the
      <filename class='directory'>/usr</filename> filesystem is not mounted so
      it is moved into the root partition.
    </para>
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Shadow</title>

    <para>
      <application>Shadow</application>'s stock configuration for the
      <command>useradd</command> utility may not be desirable for your
      installation. One default parameter causes <command>useradd</command> to
      create a mailbox file for any newly created user.
      <command>useradd</command> will make the group ownership of this file to
      the <systemitem class="groupname">mail</systemitem> group with 0660
      permissions. If you would prefer that these mailbox files are not created
      by <command>useradd</command>, issue the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>

    <para>
      This replaces the first occurrence of <literal>yes</literal> on every
      line of the file. In the stock file only the
      <literal>CREATE_MAIL_SPOOL=yes</literal> line contains that string; if
      you have edited <filename>/etc/default/useradd</filename> already, check
      the result before relying on it.
    </para>
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Linux-PAM to Work with Shadow</title>

    <note>
      <para>
        The rest of this page is devoted to configuring
        <application>Shadow</application> to work properly with
        <application>Linux-PAM</application>. If you do not have
        <application>Linux-PAM</application> installed, and you reinstalled
        <application>Shadow</application> to support strong passwords via the
        <application>CrackLib</application> library, no further configuration is
        required.
      </para>
    </note>

    <sect3 id="pam.d">
      <title>Config Files</title>

      <para>
        <filename>/etc/pam.d/*</filename> or alternatively
        <filename>/etc/pam.conf</filename>,
        <filename>/etc/login.defs</filename> and
        <filename>/etc/security/*</filename>
      </para>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
      </indexterm>

      <indexterm zone="shadow pam.d">
        <primary sortas="e-etc-security">/etc/security/*</primary>
      </indexterm>
    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        Configuring your system to use <application>Linux-PAM</application> can
        be a complex task. The information below will provide a basic setup so
        that <application>Shadow</application>'s login and password
        functionality will work effectively with
        <application>Linux-PAM</application>. Review the information and links
        on the <xref linkend="linux-pam"/> page for further configuration
        information. For information specific to integrating
        <application>Shadow</application>, <application>Linux-PAM</application>
        and <application>CrackLib</application>, you can visit the following
        link:
      </para>

      <itemizedlist spacing="compact">
        <listitem>
          <para>
            <ulink url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/>
          </para>
        </listitem>
      </itemizedlist>

      <sect4 id="pam-login-defs">
        <title>Configuring /etc/login.defs</title>

        <para>
          The <command>login</command> program currently performs many functions
          which <application>Linux-PAM</application> modules should now handle.
          The following <command>sed</command> command will comment out the
          appropriate lines in <filename>/etc/login.defs</filename>, and stop
          <command>login</command> from performing these functions (a backup
          file named <filename>/etc/login.defs.orig</filename> is also created
          to preserve the original file's contents). Issue the following
          commands as the <systemitem class="username">root</systemitem> user:
        </para>

        <indexterm zone="shadow pam-login-defs">
          <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
        </indexterm>

<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
for FUNCTION in FAIL_DELAY               \
                FAILLOG_ENAB             \
                LASTLOG_ENAB             \
                MAIL_CHECK_ENAB          \
                OBSCURE_CHECKS_ENAB      \
                PORTTIME_CHECKS_ENAB     \
                QUOTAS_ENAB              \
                CONSOLE MOTD_FILE        \
                FTMP_FILE NOLOGINS_FILE  \
                ENV_HZ PASS_MIN_LEN      \
                SU_WHEEL_ONLY            \
                CRACKLIB_DICTPATH        \
                PASS_CHANGE_TRIES        \
                PASS_ALWAYS_WARN         \
                CHFN_AUTH ENCRYPT_METHOD \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &amp;/" /etc/login.defs
done</userinput></screen>

        <para>
          The pattern is anchored to the start of the line only, so each name
          also matches any longer directive that begins with it (for example
          <literal>CONSOLE</literal> also comments out an active
          <literal>CONSOLE_GROUPS</literal> line). Lines that are already
          commented out are left unchanged, and nothing is reported for names
          that do not occur in the file. Because
          <literal>ENCRYPT_METHOD</literal> is among the names, the hashing
          method is from now on set by the
          <filename class="libraryfile">pam_unix.so</filename> options in the
          <filename>system-password</filename> stack configured on the
          <xref linkend="linux-pam"/> page, not by
          <filename>/etc/login.defs</filename>.
        </para>
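
        <para>
          The script below is an added example, not part of the BLFS book or of
          <application>Shadow</application>. It parses the
          <filename>login.defs</filename> format (one
          <literal>NAME VALUE</literal> directive per line,
          <literal>#</literal> comments) and reports which of the directives
          named in the loop above are still active, so the result of the loop
          can be checked before <command>login</command> is used again. It also
          compares the loop's start-of-line match with a whole-name match on a
          constructed fragment in which the prefix <literal>CONSOLE</literal>
          would also disable a <literal>CONSOLE_GROUPS</literal> line. The
          fragment is constructed; <literal>PAM_HANDLED</literal> is the list
          from the loop.
        </para>

```python
"""Report which PAM-handled login.defs directives are still active."""
import re

# Directive names from the loop above; login.defs lines are "NAME VALUE".
PAM_HANDLED = [
    "FAIL_DELAY", "FAILLOG_ENAB", "LASTLOG_ENAB", "MAIL_CHECK_ENAB",
    "OBSCURE_CHECKS_ENAB", "PORTTIME_CHECKS_ENAB", "QUOTAS_ENAB", "CONSOLE",
    "MOTD_FILE", "FTMP_FILE", "NOLOGINS_FILE", "ENV_HZ", "PASS_MIN_LEN",
    "SU_WHEEL_ONLY", "CRACKLIB_DICTPATH", "PASS_CHANGE_TRIES",
    "PASS_ALWAYS_WARN", "CHFN_AUTH", "ENCRYPT_METHOD", "ENVIRON_FILE",
]


def active_directives(text):
    """Return {NAME: VALUE} for every uncommented directive in login.defs text."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        found[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return found


def still_active(text, names=PAM_HANDLED):
    """Names from `names` that the login.defs text still defines (sorted)."""
    return sorted(n for n in active_directives(text) if n in names)


def _comment_out(text, pattern):
    """Prefix "# " to every line matching `pattern` (same effect as sed "s/.../# &/")."""
    return "\n".join("# " + line if pattern.match(line) else line
                     for line in text.splitlines())


def comment_out_prefix(text, names=PAM_HANDLED):
    """The book's loop: ^NAME, so NAME also hits NAME_SOMETHING."""
    alternatives = "|".join(map(re.escape, names))
    return _comment_out(text, re.compile("^(?:" + alternatives + ")"))


def comment_out_exact(text, names=PAM_HANDLED):
    """Stricter variant: the name must be followed by whitespace or end of line."""
    alternatives = "|".join(map(re.escape, names))
    return _comment_out(text, re.compile("^(?:" + alternatives + r")(?=\s|$)"))


# Constructed login.defs fragment, not the stock file shipped with Shadow.
SAMPLE = """\
# constructed login.defs fragment
MAIL_DIR        /var/mail
FAIL_DELAY      3
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
CONSOLE_GROUPS  floppy:audio:cdrom
ENCRYPT_METHOD  SHA512
UMASK           022
"""

if __name__ == "__main__":
    print("before:", still_active(SAMPLE))
    after = comment_out_prefix(SAMPLE)
    print("prefix match:", still_active(after),
          "CONSOLE_GROUPS active:", "CONSOLE_GROUPS" in active_directives(after))
    after = comment_out_exact(SAMPLE)
    print("exact match: ", still_active(after),
          "CONSOLE_GROUPS active:", "CONSOLE_GROUPS" in active_directives(after))
```

        <para>
          Running <function>still_active</function> on the real
          <filename>/etc/login.defs</filename> after the loop should return an
          empty list; any name it returns was not commented out, usually because
          the line was indented or had been edited.
        </para>
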
      </sect4>

      <sect4>
        <title>Configuring the /etc/pam.d/ Files</title>

        <para>
          As mentioned previously in the <application>Linux-PAM</application>
          instructions, <application>Linux-PAM</application> has two supported
          methods for configuration. The commands below assume that you've
          chosen to use a directory based configuration, where each program has
          its own configuration file. You can optionally use a single
          <filename>/etc/pam.conf</filename> configuration file by using the
          text from the files below, and supplying the program name as an
          additional first field for each line.
        </para>

        <para>
          As the <systemitem class="username">root</systemitem> user, replace
          the following <application>Linux-PAM</application> configuration files
          in the <filename class="directory">/etc/pam.d/</filename> directory
          (or add the contents to the <filename>/etc/pam.conf</filename> file)
          using the following commands:
        </para>
      </sect4>

      <sect4>
        <title>'login'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth     required    pam_securetty.so

# Additional group memberships - disabled by default
#auth     optional    pam_group.so

# include the default auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include the default account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display date of last login - Disabled by default
#session  optional    pam_lastlog.so

# Display the message of the day - Disabled by default
#session  optional    pam_motd.so

# Check user's mail - Disabled by default
#session  optional    pam_mail.so      standard quiet

# include the default session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'passwd'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'su'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/su</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>'chage'</title>

<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system defaults for auth account and session
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required    pam_permit.so

# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
      </sect4>

      <sect4>
        <title>Other common programs</title>
        <!--<title>'chfn', 'chgpasswd', 'chpasswd', 'chsh', 'groupadd', 'groupdel',
        'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and
        'usermod'</title>-->

<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done</userinput></screen>

        <para revision="systemd">
          Because the installation of <application>systemd</application> is
          not yet complete, you will need to remove the
          <filename>/run/nologin</filename> file before testing the
          installation. Execute the following command as the
          <systemitem class="username">root</systemitem> user:
        </para>

<screen role="root" revision="systemd"><userinput>rm -f /run/nologin</userinput></screen>

        <warning>
          <para>
            At this point, you should do a simple test to see if
            <application>Shadow</application> is working as expected. Keep
            your current <systemitem class="username">root</systemitem> shell
            open, then open another terminal, log in as a user, and
            <command>su</command> to
            <systemitem class="username">root</systemitem>. If you do not see
            any errors, then all is well and you should proceed with the rest
            of the configuration. If you did receive errors, stop now and
            double check the above configuration files manually. You can also
            run the test suite from the <application>Linux-PAM</application>
            package to assist you in determining the problem. If you cannot
            find and fix the error, you should recompile
            <application>Shadow</application> adding the
            <option>--without-libpam</option> switch to the
            <command>configure</command> command in the above instructions
            (also move the <filename>/etc/login.defs.orig</filename> backup
            file to <filename>/etc/login.defs</filename>). If you fail to do
            this and the errors remain, you will be unable to log into your
            system.
          </para>
        </warning>
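
        <para>
          The script below is an added example, not part of the BLFS book or of
          <application>Linux-PAM</application>. It parses the
          <filename class="directory">/etc/pam.d/</filename> line format (type,
          control, module and arguments, with <literal>#</literal> comments and
          the bracketed control syntax), follows <literal>include</literal> and
          <literal>substack</literal> lines, and reports the mistakes that deny
          every login before you find out the hard way: a line libpam would
          reject, an include of a file that does not exist, and an interactive
          service whose <literal>auth</literal> or <literal>account</literal>
          stack is empty, in which case libpam applies
          <filename>/etc/pam.d/other</filename> instead. The
          <filename>login</filename> and <filename>su</filename> contents are
          the files above with comments removed; the
          <filename>system-*</filename> entries are constructed stand-ins for
          the files configured on the <xref linkend="linux-pam"/> page.
        </para>

```python
"""Lint a set of /etc/pam.d/ service files for lockout-causing mistakes."""
import re
from dataclasses import dataclass, field

TYPES = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
# type  control  module [args]; the control may be bracketed: [success=1 default=ignore]
_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


@dataclass
class Rule:
    type: str
    control: str
    module: str
    args: list = field(default_factory=list)


def parse_service(text, name):
    """Parse one pam.d file; raise ValueError on a line libpam would reject."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"{name}:{lineno}: cannot parse {raw.strip()!r}")
        typ, control, module, rest = m.groups()
        typ = typ.lstrip("-")   # "-auth": silently skip if the module is missing
        if typ not in TYPES:
            raise ValueError(f"{name}:{lineno}: unknown type {typ!r}")
        if not (control.startswith("[") or control in CONTROLS):
            raise ValueError(f"{name}:{lineno}: unknown control {control!r}")
        rules.append(Rule(typ, control, module, rest.split()))
    return rules


def parse_all(services):
    """Parse every file in {name: text}; return ({name: rules}, [problems])."""
    parsed, problems = {}, []
    for name, text in services.items():
        try:
            parsed[name] = parse_service(text, name)
        except ValueError as err:
            problems.append(str(err))
    return parsed, problems


def resolve(parsed, name, typ, _depth=0):
    """Flatten the `typ` stack of `name`, following include/substack lines.
    A KeyError means an included file is not in the set."""
    if _depth == 8:
        raise ValueError(f"{name}: include nesting too deep (loop?)")
    out = []
    for r in parsed[name]:
        if r.type != typ:
            continue
        if r.control in ("include", "substack"):
            out.extend(resolve(parsed, r.module, typ, _depth + 1))
        else:
            out.append(r)
    return out


def lint(services, must_authenticate=("login", "su")):
    """Sorted problem strings; an empty list means nothing obviously locks you out."""
    parsed, problems = parse_all(services)
    for name, rules in parsed.items():
        for r in rules:
            if r.control in ("include", "substack") and r.module not in services:
                problems.append(f"{name}: {r.control} of missing file {r.module}")
    for name in must_authenticate:
        if name not in parsed:
            continue
        for typ in ("auth", "account"):
            try:
                if not resolve(parsed, name, typ):
                    problems.append(f"{name}: empty {typ} stack, /etc/pam.d/other would apply")
            except KeyError:
                pass                 # already reported as a missing file
            except ValueError as err:
                problems.append(str(err))
    return sorted(set(problems))


# The page's login and su files (comments dropped) plus constructed stand-ins
# for the system-* files from the Linux-PAM page.
LOGIN = """\
auth      optional    pam_faildelay.so  delay=3000000
auth      requisite   pam_nologin.so
auth      include     system-auth
account   required    pam_access.so
account   include     system-account
session   required    pam_env.so
session   required    pam_limits.so
session   include     system-session
password  include     system-password
"""
SU = """\
auth      sufficient  pam_rootok.so
auth      include     system-auth
account   include     system-account
session   required    pam_env.so
session   include     system-session
"""
SYSTEM_STUBS = {
    "system-auth":     "auth      required    pam_unix.so\n",
    "system-account":  "account   required    pam_unix.so\n",
    "system-session":  "session   required    pam_unix.so\n",
    "system-password": "password  required    pam_unix.so  sha512 shadow\n",
}


def page_services():
    """A fresh copy of the whole set, so callers can break it deliberately."""
    return {"login": LOGIN, "su": SU, **SYSTEM_STUBS}
```

        <para>
          To lint the installed configuration, build the dictionary from the
          files in <filename class="directory">/etc/pam.d/</filename> (file
          name as key, contents as value) and call <function>lint</function>
          on it while your root shell is still open. Add the other services you
          rely on (a display manager, <command>sshd</command>) to
          <parameter>must_authenticate</parameter> as appropriate.
        </para>
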
      </sect4>

      <sect4 id="pam-access">
        <title>Configuring Login Access</title>

        <para>
          Instead of using the <filename>/etc/login.access</filename> file for
          controlling access to the system, <application>Linux-PAM</application>
          uses the <filename class='libraryfile'>pam_access.so</filename> module
          along with the <filename>/etc/security/access.conf</filename> file.
          Rename the <filename>/etc/login.access</filename> file using the
          following command:
        </para>

        <indexterm zone="shadow pam-access">
          <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/login.access ] &amp;&amp; mv -v /etc/login.access{,.NOUSE}</userinput></screen>
      </sect4>

      <sect4 id="pam-limits">
        <title>Configuring Resource Limits</title>

        <para>
          Instead of using the <filename>/etc/limits</filename> file for
          limiting usage of system resources,
          <application>Linux-PAM</application> uses the
          <filename class='libraryfile'>pam_limits.so</filename> module along
          with the <filename>/etc/security/limits.conf</filename> file. Rename
          the <filename>/etc/limits</filename> file using the following command:
        </para>

        <indexterm zone="shadow pam-limits">
          <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
        </indexterm>

<screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>

        <caution>
          <para>
            Be sure to test the login capabilities of the system before
            logging out. Errors in the configuration can cause a permanent
            lockout requiring a boot from an external source to correct the
            problem.
          </para>
        </caution>

      </sect4>
    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <para>
      A list of the installed files, along with their short descriptions can be
      found at
      <phrase revision="sysv">
      <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/></phrase>
      <phrase revision="systemd">
      <ulink url="&lfs-rootd;/chapter06/shadow.html#contents-shadow"/></phrase>.
    </para>

  </sect2>

</sect1>