Changeset 322f172
- Timestamp:
- 05/14/2005 04:03:04 PM (19 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- d3469f0
- Parents:
- 2dbd7a5f
- File:
- 1 edited
postlfs/security/shadow.xml
r2dbd7a5f r322f172 14 14 15 15 <sect1 id="shadow" xreflabel="Shadow-&shadow-version;"> 16 <sect1info> 17 <othername>$LastChangedBy$</othername> 18 <date>$Date$</date> 19 </sect1info> 20 <?dbhtml filename="shadow.html"?> 21 <title>Shadow-&shadow-version;</title> 22 <indexterm zone="shadow"> 23 <primary sortas="a-Shadow">Shadow</primary></indexterm> 24 25 <sect2> 26 <title>Introduction to <application>Shadow</application></title> 27 28 <para>Shadow was indeed installed in <acronym>LFS</acronym> and there is 29 no reason to reinstall it unless you installed 30 <application>Linux-<acronym>PAM</acronym></application>. If you did, 31 this will allow programs like <command>login</command> and 32 <command>su</command> to utilize 33 <acronym>PAM</acronym>.</para> 34 35 <sect3><title>Package information</title> 36 <itemizedlist spacing="compact"> 37 <listitem><para>Download (HTTP): 38 <ulink url="&shadow-download-http;"/></para></listitem> 39 <listitem><para>Download (FTP): 40 <ulink url="&shadow-download-ftp;"/></para></listitem> 41 <listitem><para>Download MD5 sum: 42 &shadow-md5sum;</para></listitem> 43 <listitem><para>Download size: 44 &shadow-size;</para></listitem> 45 <listitem><para>Estimated disk space required: 46 &shadow-buildsize;</para></listitem> 47 <listitem><para>Estimated build time: 48 &shadow-time;</para></listitem></itemizedlist> 49 </sect3> 50 51 <sect3><title>Additional downloads</title> 52 <itemizedlist spacing='compact'> 53 <listitem><para>Patch to fix a bug in the <command>lastlog</command> program: 54 <ulink url="&patch-root;/shadow-&shadow-version;-fix_lastlog-1.patch"/></para> 55 </listitem> 56 </itemizedlist> 57 </sect3> 58 59 <sect3><title><application>Shadow</application> dependencies</title> 60 <sect4><title>Required</title> 61 <para><xref linkend="Linux_PAM"/></para> 62 </sect4> 63 </sect3> 64 65 </sect2> 66 67 <sect2> 68 <title>Installation of <application>Shadow</application></title> 69 70 <para>Reinstall <application>Shadow</application> by 
running the following 71 commands:</para> 72 73 <screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-fix_lastlog-1.patch && 16 <?dbhtml filename="shadow.html"?> 17 18 <sect1info> 19 <othername>$LastChangedBy$</othername> 20 <date>$Date$</date> 21 </sect1info> 22 23 <title>Shadow-&shadow-version;</title> 24 25 <indexterm zone="shadow"> 26 <primary sortas="a-Shadow">Shadow</primary> 27 </indexterm> 28 29 <sect2 role="package"> 30 <title>Introduction to Shadow</title> 31 32 <para><application>Shadow</application> was indeed installed in LFS and 33 there is no reason to reinstall it unless you installed 34 <application>Linux-PAM</application>. If you did, this will allow programs 35 like <command>login</command> and <command>su</command> to utilize PAM.</para> 36 37 <bridgehead renderas="sect3">Package Information</bridgehead> 38 <itemizedlist spacing="compact"> 39 <listitem> 40 <para>Download (HTTP): <ulink url="&shadow-download-http;"/></para> 41 </listitem> 42 <listitem> 43 <para>Download (FTP): <ulink url="&shadow-download-ftp;"/></para> 44 </listitem> 45 <listitem> 46 <para>Download MD5 sum: &shadow-md5sum;</para> 47 </listitem> 48 <listitem> 49 <para>Download size: &shadow-size;</para> 50 </listitem> 51 <listitem> 52 <para>Estimated disk space required: &shadow-buildsize;</para> 53 </listitem> 54 <listitem> 55 <para>Estimated build time: &shadow-time;</para> 56 </listitem> 57 </itemizedlist> 58 59 <bridgehead renderas="sect3">Additional Downloads</bridgehead> 60 <itemizedlist spacing='compact'> 61 <listitem> 62 <para>Patch to fix a bug in the <command>lastlog</command> program: 63 <ulink url="&patch-root;/shadow-&shadow-version;-fix_lastlog-1.patch"/></para> 64 </listitem> 65 </itemizedlist> 66 67 <bridgehead renderas="sect3">Shadow Dependencies</bridgehead> 68 69 <bridgehead renderas="sect4">Required</bridgehead> 70 <para><xref linkend="Linux_PAM"/></para> 71 72 </sect2> 73 74 <sect2 role="installation"> 75 <title>Installation of Shadow</title> 
76 77 <para>Reinstall <application>Shadow</application> by running the following 78 commands:</para> 79 80 <screen><userinput>patch -Np1 -i ../shadow-&shadow-version;-fix_lastlog-1.patch && 74 81 ./configure --libdir=/lib --enable-shared \ 75 82 --with-libpam --without-libcrack && 76 83 sed -i 's/groups$(EXEEXT) //' src/Makefile && 77 84 sed -i '/groups/d' man/Makefile && 78 make</ command></userinput></screen>79 80 <para>Now, as the rootuser:</para>81 82 <screen ><userinput role='root'><command>make install &&85 make</userinput></screen> 86 87 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 88 89 <screen role="root"><userinput>make install && 83 90 mv -v /usr/bin/passwd /bin && 84 91 mv -v /lib/libshadow.*a /usr/lib && 85 92 rm -v /lib/libshadow.so && 86 ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</command></userinput></screen> 87 88 </sect2> 89 90 <sect2> 91 <title>Command explanations</title> 92 93 <para><parameter>--without-libcrack</parameter>: This switch tells 94 <application>Shadow</application> not to use 95 <filename class='libraryfile'>libcrack</filename>. 
This is desired as 96 <application>Linux-<acronym>PAM</acronym></application> already contains 97 <filename class='libraryfile'>libcrack</filename>.</para> 98 99 <para><command>sed -i ...</command>: These commands are used to suppress the 100 installation of the <command>groups</command> program as the version from the 101 <application>Coreutils</application> package installed during 102 <acronym>LFS</acronym> is preferred.</para> 103 104 </sect2> 105 106 <sect2> 107 <title>Configuring <application>Linux-<acronym>PAM</acronym></application> to 108 work with <application>Shadow</application></title> 109 110 <sect3 id="pam.d"><title>Config files</title> 111 <para><filename>/etc/pam.d/*</filename>, or alternatively, 112 <filename>/etc/pam.conf</filename></para> 113 <indexterm zone="shadow pam.d"> 114 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary></indexterm> 115 <indexterm zone="shadow pam.d"> 116 <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary></indexterm> 117 </sect3> 118 119 <sect3><title>Configuration Information</title> 120 121 <para>Add the following <application>Linux-<acronym>PAM</acronym></application> 122 configuration files to <filename class="directory">/etc/pam.d/</filename> (or 123 add them to <filename>/etc/pam.conf</filename> with the additional field for 124 the program).</para> 125 126 <sect4><title>login (with <application>cracklib</application>)</title> 127 128 <screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command> 129 # Begin /etc/pam.d/login 93 ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen> 94 95 </sect2> 96 97 <sect2 role="commands"> 98 <title>Command Explanations</title> 99 100 <para><parameter>--without-libcrack</parameter>: This switch tells 101 <application>Shadow</application> not to use 102 <filename class='libraryfile'>libcrack</filename>. 
This is desired as 103 <application>Linux-PAM</application> already contains 104 <filename class='libraryfile'>libcrack</filename>.</para> 105 106 <para><command>sed -i ...</command>: These commands are used to suppress 107 the installation of the <command>groups</command> program as the version 108 from the <application>Coreutils</application> package installed during 109 LFS is preferred.</para> 110 111 </sect2> 112 113 <sect2 role="configuration"> 114 <title>Configuring Linux-PAM to Work with Shadow</title> 115 116 <sect3 id="pam.d"> 117 <title>Config Files</title> 118 119 <para><filename>/etc/pam.d/*</filename>, or alternatively, 120 <filename>/etc/pam.conf</filename></para> 121 122 <indexterm zone="shadow pam.d"> 123 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary> 124 </indexterm> 125 126 <indexterm zone="shadow pam.d"> 127 <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary> 128 </indexterm> 129 130 </sect3> 131 132 <sect3> 133 <title>Configuration Information</title> 134 135 <para>Add the following <application>Linux-PAM</application> configuration 136 files to <filename class="directory">/etc/pam.d/</filename> (or add them 137 to <filename>/etc/pam.conf</filename> with the additional field for 138 the program).</para> 139 140 <sect4> 141 <title>'login' (with Cracklib)</title> 142 143 <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF" 144 <literal># Begin /etc/pam.d/login 130 145 131 146 auth requisite pam_securetty.so … … 145 160 password required pam_unix.so md5 shadow use_authtok 146 161 147 # End /etc/pam.d/login 148 <command>EOF</command></userinput></screen> 149 </sect4> 150 151 <sect4><title>login (without <application>cracklib</application>)</title> 152 153 <screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command> 154 # Begin /etc/pam.d/login 162 # End /etc/pam.d/login</literal> 163 EOF</userinput></screen> 164 165 </sect4> 166 167 <sect4> 168 <title>'login' (without Cracklib)</title> 169 170 <screen 
role="root"><userinput>cat > /etc/pam.d/login << "EOF" 171 <literal># Begin /etc/pam.d/login 155 172 156 173 auth requisite pam_securetty.so … … 167 184 password required pam_unix.so md5 shadow 168 185 169 # End /etc/pam.d/login 170 <command>EOF</command></userinput></screen> 171 </sect4> 172 173 <sect4><title>passwd (with <application>cracklib</application>)</title> 174 175 <screen><userinput><command>cat > /etc/pam.d/passwd << "EOF"</command> 176 # Begin /etc/pam.d/passwd 186 # End /etc/pam.d/login</literal> 187 EOF</userinput></screen> 188 189 </sect4> 190 191 <sect4> 192 <title>'passwd' (with Cracklib)</title> 193 194 <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF" 195 <literal># Begin /etc/pam.d/passwd 177 196 178 197 password required pam_cracklib.so retry=3 difok=8 minlen=5 \ … … 181 200 password required pam_unix.so md5 shadow use_authtok 182 201 183 # End /etc/pam.d/passwd 184 <command>EOF</command></userinput></screen> 185 </sect4> 186 187 <sect4><title>passwd (without <application>cracklib</application>)</title> 188 189 <screen><userinput><command>cat > /etc/pam.d/passwd << "EOF"</command> 190 # Begin /etc/pam.d/passwd 202 # End /etc/pam.d/passwd</literal> 203 EOF</userinput></screen> 204 205 </sect4> 206 207 <sect4> 208 <title>'passwd' (without Cracklib)</title> 209 210 <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF" 211 <literal># Begin /etc/pam.d/passwd 191 212 192 213 password required pam_unix.so md5 shadow 193 214 194 # End /etc/pam.d/passwd 195 <command>EOF</command></userinput></screen> 196 </sect4> 197 198 <sect4><title>su</title> 199 200 <screen><userinput><command>cat > /etc/pam.d/su << "EOF"</command> 201 # Begin /etc/pam.d/su 215 # End /etc/pam.d/passwd</literal> 216 EOF</userinput></screen> 217 218 </sect4> 219 220 <sect4> 221 <title>'su'</title> 222 223 <screen role="root"><userinput>cat > /etc/pam.d/su << "EOF" 224 <literal># Begin /etc/pam.d/su 202 225 203 226 auth sufficient pam_rootok.so … … 207 230 
session required pam_unix.so 208 231 209 # End /etc/pam.d/su 210 <command>EOF</command></userinput></screen> 211 </sect4> 212 213 <sect4><title>chage</title> 214 215 <screen><userinput><command>cat > /etc/pam.d/chage << "EOF"</command> 216 # Begin /etc/pam.d/chage 232 # End /etc/pam.d/su</literal> 233 EOF</userinput></screen> 234 235 </sect4> 236 237 <sect4> 238 <title>'chage'</title> 239 240 <screen role="root"><userinput>cat > /etc/pam.d/chage << "EOF" 241 <literal># Begin /etc/pam.d/chage 217 242 218 243 auth sufficient pam_rootok.so … … 222 247 password required pam_permit.so 223 248 224 # End /etc/pam.d/chage 225 <command>EOF</command></userinput></screen> 226 </sect4> 227 228 <sect4><title>chpasswd, newusers, groupadd, groupdel, groupmod, useradd, 229 userdel and usermod</title> 230 231 <screen><userinput><command>for PROGRAM in chpasswd newusers groupadd groupdel \ 249 # End /etc/pam.d/chage</literal> 250 EOF</userinput></screen> 251 252 </sect4> 253 254 <sect4> 255 <title>'chpasswd', 'newusers', 'groupadd', 'groupdel', 256 'groupmod', 'useradd', 'userdel', and 'usermod'</title> 257 258 <screen role="root"><userinput>for PROGRAM in chpasswd newusers groupadd groupdel \ 232 259 groupmod useradd userdel usermod 233 260 do 234 261 install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM 235 262 sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM 236 done</command></userinput></screen> 237 </sect4> 238 239 <sect4><title>other</title> 240 241 <warning><para>At this point, you should do a simple test to see if 242 <application>Shadow</application> is 243 working as expected. Open another term and login as a user, then su to 244 to root. If you do not see any errors, then all is well and you should 245 proceed with the rest of the configuration. If you did 246 receive errors, stop now and double check the above configuration files 247 manually. 
If you cannot find, and fix the error, you should recompile 248 shadow replacing <parameter>--with-libpam</parameter> with 249 <parameter>--without-libpam</parameter> in the above 250 instructions. If you fail to do this and the errors remain, you 251 will be unable to log into your system.</para></warning> 252 253 <para>Currently, <filename>/etc/pam.d/other</filename> is configured to 254 allow anyone with an account on the machine to use 255 <acronym>PAM</acronym>-aware programs without a configuration file for that 256 program. After testing <application>Linux-<acronym>PAM</acronym></application> 257 for proper configuration, install a more restrictive 258 <filename>other</filename> file so that program-specific configuration files 259 are required:</para> 260 261 <screen><userinput><command>cat > /etc/pam.d/other << "EOF"</command> 262 # Begin /etc/pam.d/other 263 done</userinput></screen> 264 265 </sect4> 266 267 <sect4> 268 <title>Other</title> 269 270 <warning> 271 <para>At this point, you should do a simple test to see if 272 <application>Shadow</application> is working as expected. Open 273 another term and login as a user, then su to <systemitem 274 class="username">root</systemitem>. If you do not see any errors, 275 then all is well and you should proceed with the rest of the 276 configuration. If you did receive errors, stop now and double check 277 the above configuration files manually. If you cannot find, and 278 fix the error, you should recompile <application>Shadow</application> 279 replacing <option>--with-libpam</option> with 280 <option>--without-libpam</option> in the above instructions. If you 281 fail to do this and the errors remain, you will be unable to log into 282 your system.</para> 283 </warning> 284 285 <para>Currently, <filename>/etc/pam.d/other</filename> is configured 286 to allow anyone with an account on the machine to use PAM-aware 287 programs without a configuration file for that program. 
After testing 288 <application>Linux-PAM</application> for proper configuration, install 289 a more restrictive <filename>other</filename> file so that 290 program-specific configuration files are required:</para> 291 292 <screen role="root"><userinput>cat > /etc/pam.d/other << "EOF" 293 <literal># Begin /etc/pam.d/other 263 294 264 295 auth required pam_deny.so … … 269 300 password required pam_warn.so 270 301 271 # End /etc/pam.d/other 272 <command>EOF</command></userinput></screen> 273 </sect4> 274 275 <sect4 id="pam-access"><title>Configuring login access</title> 276 277 <para>Instead of using the <filename>/etc/login.access</filename> file for 278 controlling access to the system, 279 <application>Linux-<acronym>PAM</acronym></application> uses the 280 <filename class='libraryfile'>pam_access.so</filename> module along with the 281 <filename>/etc/security/access.conf</filename> file. Rename the 282 <filename>/etc/login.access</filename> file using the following 283 command:</para> 284 <indexterm zone="shadow pam-access"><primary 285 sortas="e-etc-security-access.conf">/etc/security/access.conf</primary> 286 </indexterm> 287 288 <screen><userinput><command>if [ -f /etc/login.access ]; then 302 # End /etc/pam.d/other</literal> 303 EOF</userinput></screen> 304 305 </sect4> 306 307 <sect4 id="pam-access"> 308 <title>Configuring Login Access</title> 309 310 <para>Instead of using the <filename>/etc/login.access</filename> 311 file for controlling access to the system, 312 <application>Linux-PAM</application> uses the 313 <filename class='libraryfile'>pam_access.so</filename> module along 314 with the <filename>/etc/security/access.conf</filename> file. 
Rename 315 the <filename>/etc/login.access</filename> file using the following 316 command:</para> 317 318 <indexterm zone="shadow pam-access"> 319 <primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary> 320 </indexterm> 321 322 <screen role="root"><userinput>if [ -f /etc/login.access ]; then 289 323 mv -v /etc/login.access /etc/login.access.NOUSE 290 fi</command></userinput></screen> 291 </sect4> 292 293 <sect4 id="pam-limits"><title>Configuring resource limits</title> 294 295 <para>Instead of using the <filename>/etc/limits</filename> file for 296 limiting usage of system resources, 297 <application>Linux-<acronym>PAM</acronym></application> uses the 298 <filename class='libraryfile'>pam_limits.so</filename> module along with the 299 <filename>/etc/security/limits.conf</filename> file. Rename the 300 <filename>/etc/limits</filename> file using the following 301 command:</para> 302 <indexterm zone="shadow pam-limits"><primary 303 sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary> 304 </indexterm> 305 306 <screen><userinput><command>if [ -f /etc/limits ]; then 324 fi</userinput></screen> 325 326 </sect4> 327 328 <sect4 id="pam-limits"> 329 <title>Configuring Resource Limits</title> 330 331 <para>Instead of using the <filename>/etc/limits</filename> file 332 for limiting usage of system resources, 333 <application>Linux-PAM</application> uses the 334 <filename class='libraryfile'>pam_limits.so</filename> module along 335 with the <filename>/etc/security/limits.conf</filename> file. 
Rename 336 the <filename>/etc/limits</filename> file using the following 337 command:</para> 338 339 <indexterm zone="shadow pam-limits"> 340 <primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary> 341 </indexterm> 342 343 <screen role="root"><userinput>if [ -f /etc/limits ]; then 307 344 mv -v /etc/limits /etc/limits.NOUSE 308 fi</command></userinput></screen> 309 </sect4> 310 311 <sect4 id="pam-login-defs"><title>Configuring /etc/login.defs</title> 312 313 <para>The <command>login</command> program currently performs many functions 314 which <application>Linux-<acronym>PAM</acronym></application> modules should 315 now handle. The following command will comment out the appropriate lines in 316 <filename>/etc/login.defs</filename>, and stop <command>login</command> from 317 performing these functions:</para> 318 <indexterm zone="shadow pam-login-defs"><primary 319 sortas="e-etc-login.defs">/etc/login.defs</primary> 320 </indexterm> 321 322 <screen><userinput><command>for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \ 345 fi</userinput></screen> 346 347 </sect4> 348 349 <sect4 id="pam-login-defs"> 350 <title>Configuring /etc/login.defs</title> 351 352 <para>The <command>login</command> program currently performs many 353 functions which <application>Linux-PAM</application> modules should 354 now handle. 
The following command will comment out the appropriate 355 lines in <filename>/etc/login.defs</filename>, and stop 356 <command>login</command> from performing these functions:</para> 357 358 <indexterm zone="shadow pam-login-defs"> 359 <primary sortas="e-etc-login.defs">/etc/login.defs</primary> 360 </indexterm> 361 362 <screen role="root"><userinput>for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \ 323 363 PORTTIME_CHECKS_ENAB CONSOLE \ 324 364 MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \ … … 327 367 do 328 368 sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs 329 done</ command></userinput></screen>330 331 <para>If you have <application>cracklib</application> installed, also comment 332 out four more lines using the following command:</para>333 334 <screen ><userinput><command>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \369 done</userinput></screen> 370 371 <para>If you have <application>cracklib</application> installed, 372 also comment out four more lines using the following command:</para> 373 374 <screen role="root"><userinput>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \ 335 375 PASS_CHANGE_TRIES PASS_ALWAYS_WARN 336 376 do 337 377 sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs 338 done</command></userinput></screen> 339 </sect4> 340 341 </sect3> 342 343 </sect2> 344 345 <sect2> 346 <title>Contents</title> 347 348 <para>A list of the installed files, along with their short descriptions can 349 be found at 350 <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para> 351 352 </sect2> 378 done</userinput></screen> 379 380 </sect4> 381 382 </sect3> 383 384 </sect2> 385 386 <sect2 role="content"> 387 <title>Contents</title> 388 389 <para>A list of the installed files, along with their short descriptions 390 can be found at 391 <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para> 392 393 </sect2> 353 394 354 395 </sect1>
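Review bot: the `rm -v /lib/libshadow.so && ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so` step (and the preceding `mv -v /lib/libshadow.*a /usr/lib`) is not covered in the Command Explanations section, which in both old and new text explains only `--without-libcrack` and the `sed -i ...` lines. Suggest adding a short explanation that the runtime library stays in /lib while the static archive, libtool file and development symlink are moved to /usr/lib, so readers understand why the symlink is recreated with a relative `../../lib/` target rather than simply left in place.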
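Review bot: the warning ahead of the `/etc/pam.d/other` block asks the reader to verify the new setup only by logging in as a user and running `su` to root, yet the same hunk installs program-specific files for `passwd`, `chage` and the `chpasswd` ... `usermod` set that this test never exercises; a mistake in the `passwd` stack (for example the `use_authtok` line that only the Cracklib variant needs) would surface only when a user later changes a password. Suggest the warning also asks the reader to run `passwd` once as the test user, from the second terminal while the original root shell stays open, before installing the `pam_deny.so` version of `other`.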
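Review bot: in both `/etc/login.defs` loops, `sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs` anchors the key name at the start of the line but requires nothing after it, so a short name such as CONSOLE would also comment out any longer key beginning with the same letters (CONSOLE_GROUPS, if that file defines it). Requiring a separator after the name, e.g. `"s/^$FUNCTION[[:space:]]/# &/"`, limits the edit to the keys listed. The command is otherwise safe to re-run, since a line that already begins with `# ` no longer matches.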