Changes in postlfs/security/linux-pam.xml [bf1e213:3f2db3a6]
postlfs/security/linux-pam.xml
rbf1e213 r3f2db3a6 23 23 <?dbhtml filename="linux-pam.html"?> 24 24 25 <sect1info>26 <date>$Date$</date>27 </sect1info>28 25 29 26 <title>Linux-PAM-&linux-pam-version;</title> … … 38 35 <para> 39 36 The <application>Linux PAM</application> package contains 40 Pluggable Authentication Modules used to enablethe local41 system administrator to c hoose how applications authenticate37 Pluggable Authentication Modules used by the local 38 system administrator to control how application programs authenticate 42 39 users. 43 40 </para> 44 41 45 &lfs11 0a_checked;42 &lfs112_checked; 46 43 47 44 <bridgehead renderas="sect3">Package Information</bridgehead> … … 107 104 <xref linkend="libtirpc"/>, 108 105 <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and 109 <ulink url="http ://www.prelude-siem.org">Prelude</ulink>106 <ulink url="https://www.prelude-siem.org">Prelude</ulink> 110 107 </para> 111 108 … … 124 121 <xref role="runtime" linkend="shadow"/> 125 122 <phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/> 126 need</phrase><phrase revision="sysv">needs</phrase> to be reinstalled 123 must</phrase><phrase revision="sysv">must</phrase> be reinstalled 124 and reconfigured 127 125 after installing and configuring <application>Linux PAM</application>. 128 126 </para> … … 130 128 <para role="recommended"> 131 129 With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not 132 installed by default. To enforce strong passwords, it is recommended133 to use <xref role="runtime" linkend="libpwquality"/>.130 installed by default. Use <xref role="runtime" linkend="libpwquality"/> 131 to enforce strong passwords. 
134 132 </para> 135 133 </note> … … 144 142 145 143 <para revision="sysv"> 146 First prevent the installation of an unneeded systemd file:144 First, prevent the installation of an unneeded systemd file: 147 145 </para> 148 146 … … 159 157 160 158 <para> 161 If you instead want to regenerate the documentation, fix the162 <command>configure</command> script so that it detects lynx if installed:159 If you want to regenerate the documentation yourself, fix the 160 <command>configure</command> script so it will detect lynx: 163 161 </para> 164 162 … … 168 166 169 167 <para> 170 Install<application>Linux PAM</application> by168 Compile and link <application>Linux PAM</application> by 171 169 running the following commands: 172 170 </para> … … 186 184 187 185 <caution> 188 <title>Reinstallation or upgrade of Linux PAM</title>186 <title>Reinstallation or Upgrade of Linux PAM</title> 189 187 <para> 190 188 If you have a system with Linux PAM installed and working, be careful … … 193 191 may become totally unusable. If you want to run the tests, you do not 194 192 need to create another <filename>/etc/pam.d/other</filename> file. The 195 installed one can be used for that purpose.193 existing file can be used for the tests. 196 194 </para> 197 195 … … 200 198 overwrites the configuration files in 201 199 <filename class="directory">/etc/security</filename> as well as 202 <filename>/etc/environment</filename>. I n caseyou200 <filename>/etc/environment</filename>. If you 203 201 have modified those files, be sure to back them up. 204 202 </para> … … 206 204 207 205 <para> 208 For a first installation, create theconfiguration file by issuing the206 For a first-time installation, create a configuration file by issuing the 209 207 following commands as the <systemitem class="username">root</systemitem> 210 208 user: … … 222 220 <para> 223 221 Now run the tests by issuing <command>make check</command>. 
224 Ensure there are no errors produced by the tests before continuing the225 installation. Note that the checks are quite long. It may be useful to226 redirect the output to a log file in order toinspect it thoroughly.227 </para> 228 229 <para> 230 Only in case of a firstinstallation, remove the configuration file222 Be sure the tests produced no errors before continuing the 223 installation. Note that the tests are very long. 224 Redirect the output to a log file, so you can inspect it thoroughly. 225 </para> 226 227 <para> 228 For a first-time installation, remove the configuration file 231 229 created earlier by issuing the following command as the 232 230 <systemitem class="username">root</systemitem> user: … … 259 257 linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink 260 258 url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the 261 html and text documentation s are (re)generated and installed.259 html and text documentation files, are generated and installed. 262 260 Furthermore, if <xref linkend="fop"/> is installed, the PDF 263 261 documentation is generated and installed. Use this switch if you do not … … 267 265 <para> 268 266 <command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>: 269 The <command>unix_chkpwd</command> helper program must be setuid270 so that non-<systemitem class="username">root</systemitem>267 The setuid bit for the <command>unix_chkpwd</command> helper program must be 268 turned on, so that non-<systemitem class="username">root</systemitem> 271 269 processes can access the shadow file. 272 270 </para> … … 278 276 279 277 <sect3 id="pam-config"> 280 <title>Config Files</title>278 <title>Configuration Files</title> 281 279 282 280 <para> … … 301 299 Configuration information is placed in 302 300 <filename class="directory">/etc/pam.d/</filename>. 303 Below is an example file:301 Here is a sample file: 304 302 </para> 305 303 … … 314 312 315 313 <para> 316 Now set up some genericfiles. 
As the314 Now create some generic configuration files. As the 317 315 <systemitem class="username">root</systemitem> user: 318 316 </para> … … 347 345 # use sha512 hash for encryption, use shadow, and try to use any previously 348 346 # defined authentication token (chosen password) set by any prior module 349 password required pam_unix.so sha512 shadow try_first_pass 347 # Use the same number of rounds as shadow. 348 password required pam_unix.so sha512 shadow try_first_pass \ 349 rounds=500000 350 350 351 351 # End /etc/pam.d/system-password</literal> … … 356 356 If you wish to enable strong password support, install 357 357 <xref linkend="libpwquality"/>, and follow the 358 instructions in that page to configure the pam_pwquality358 instructions on that page to configure the pam_pwquality 359 359 PAM module with strong password support. 360 360 </para> 361 361 362 362 <!-- With the removal of the pam_cracklib module, we're supposed to be using 363 libpwquality. That already includes instructions in it 's configuration363 libpwquality. That already includes instructions in its configuration 364 364 information page, so we'll use those instead. 365 365 … … 367 367 is built in, and the PAM module is built. 368 368 --> 369 <!-- 369 <!-- WARNING: If for any reason the instructions below are reinstated be 370 careful with the number of rounds, which should match the one in shadow. 370 371 <para> 371 372 The remaining generic file depends on whether <xref … … 417 418 --> 418 419 <para> 419 N owadd a restrictive <filename>/etc/pam.d/other</filename>420 Next, add a restrictive <filename>/etc/pam.d/other</filename> 420 421 configuration file. With this file, programs that are PAM aware will 421 422 not run unless a configuration file specifically for that application 422 is created.423 exists. 
423 424 </para> 424 425 … … 440 441 <para> 441 442 The <application>PAM</application> man page (<command>man 442 pam</command>) provides a good starting point for descriptions 443 of fields and allowable entries. The 444 <ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html"> 443 pam</command>) provides a good starting point to learn 444 about the several fields, and allowable entries. 445 <!-- not accessible 2022-09-08 --> 446 <!-- it's available at a different address 2022-10-23--> 447 The 448 <ulink url="https://www.docs4dev.com/docs/en/linux-pam/1.1.2/reference/Linux-PAM_SAG.html"> 445 449 Linux-PAM System Administrators' Guide 446 450 </ulink> is recommended for additional information. … … 450 454 <para> 451 455 You should now reinstall the <xref linkend="shadow"/> 452 <phrase revision="sysv">package .</phrase>456 <phrase revision="sysv">package</phrase> 453 457 <phrase revision="systemd"> and <xref linkend="systemd"/> 454 packages .</phrase>458 packages</phrase>. 455 459 </para> 456 460 </important>
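Review bot: In the Shadow/systemd runtime note (new lines 123-124), both profiled phrases now end in the same word, "must</phrase><phrase revision="sysv">must</phrase>", so the sysv phrase exists only to repeat it. Suggest closing the systemd phrase right after its xref and writing one unprofiled "must be reinstalled and reconfigured" after it, which also removes the risk of the two copies diverging in a later edit.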
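Review bot: The "rounds=500000" added to the pam_unix.so line in /etc/pam.d/system-password (new lines 347-349) duplicates a value that the new comment says must equal the one used by shadow, but nothing in the hunk says where shadow's value is set, so the two can drift apart silently when either page is edited. Suggest having the comment name the shadow setting it has to match, or adding an <xref linkend="shadow"/> in the surrounding text, and doing the same in the WARNING added to the commented-out block at new line 369. The added comment line is also capitalised and ends with a period, unlike the lowercase comment lines above it, and the context comment still says "sha512 hash for encryption" where hashing is meant.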
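Review bot: The replacement link for the System Administrators' Guide (new line 448) points at a third-party mirror and at the 1.1.2 edition, while this page states that pam_cracklib is no longer installed by default from Linux-PAM-1.4.0, so the guide readers are sent to can describe modules and defaults that do not match the package being built. Suggest pointing at the guide generated from the current sources (the html documentation this page installs), or saying in the text that the linked guide covers an older release. The two XML comments above the link ("not accessible 2022-09-08" and "it's available at a different address 2022-10-23") could be merged into one that records the old URL, and the comma added in "the several fields, and allowable entries" is not needed.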
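Review bot: Moving the period out of the profiled phrases in the final "reinstall Shadow" paragraph (new lines 456-458) leaves the line break after "<phrase revision="sysv">package</phrase>" as the only thing between "package" and the closing ".", so once the systemd phrase is filtered out the sysv rendering can read "package ." with a stray space. Suggest keeping the period inside each phrase as before, or placing the sysv phrase so that no whitespace separates it from the shared period.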