Changes in postlfs/security/linux-pam.xml [bf1e213:3f2db3a6]

File:

• postlfs/security/linux-pam.xml (modified) (24 diffs)

postlfs/security/linux-pam.xml

@@ -23 +23 @@
   <?dbhtml filename="linux-pam.html"?>
 
-  <sect1info>
-    <date>$Date$</date>
-  </sect1info>
 
   <title>Linux-PAM-&linux-pam-version;</title>
@@ -38 +35 @@
     <para>
       The <application>Linux PAM</application> package contains
-      Pluggable Authentication Modules used to enable the local
-      system administrator to choose how applications authenticate
+      Pluggable Authentication Modules used by the local
+      system administrator to control how application programs authenticate
       users.
     </para>
 
-    &lfs110a_checked;
+    &lfs112_checked;
 
     <bridgehead renderas="sect3">Package Information</bridgehead>
@@ -107 +104 @@
       <xref linkend="libtirpc"/>,
       <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
-      <ulink url="http://www.prelude-siem.org">Prelude</ulink>
+      <ulink url="https://www.prelude-siem.org">Prelude</ulink>
     </para>
 
@@ -124 +121 @@
         <xref role="runtime" linkend="shadow"/>
         <phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
-        need</phrase><phrase revision="sysv">needs</phrase> to be reinstalled
+        must</phrase><phrase revision="sysv">must</phrase> be reinstalled
+        and reconfigured
         after installing and configuring <application>Linux PAM</application>.
       </para>
@@ -130 +128 @@
       <para role="recommended">
          With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not
-         installed by default. To enforce strong passwords, it is recommended
-         to use <xref role="runtime" linkend="libpwquality"/>.
+         installed by default. Use <xref role="runtime" linkend="libpwquality"/>
+         to enforce strong passwords.
       </para>
     </note>
@@ -144 +142 @@
 
     <para revision="sysv">
-      First prevent the installation of an unneeded systemd file:
+      First, prevent the installation of an unneeded systemd file:
     </para>
 
@@ -159 +157 @@
 
     <para>
-      If you instead want to regenerate the documentation, fix the
-      <command>configure</command> script so that it detects lynx if installed:
+      If you want to regenerate the documentation yourself, fix the
+      <command>configure</command> script so it will detect lynx:
     </para>
 
@@ -168 +166 @@
 
     <para>
-      Install <application>Linux PAM</application> by
+      Compile and link <application>Linux PAM</application> by
       running the following commands:
     </para>
@@ -186 +184 @@
 
     <caution>
-      <title>Reinstallation or upgrade of Linux PAM</title>
+      <title>Reinstallation or Upgrade of Linux PAM</title>
       <para>
         If you have a system with Linux PAM installed and working, be careful
@@ -193 +191 @@
         may become totally unusable. If you want to run the tests, you do not
         need to create another <filename>/etc/pam.d/other</filename> file. The
-        installed one can be used for that purpose.
+        existing file can be used for the tests.
       </para>
 
@@ -200 +198 @@
          overwrites the configuration files in
          <filename class="directory">/etc/security</filename> as well as
-         <filename>/etc/environment</filename>. In case you
+         <filename>/etc/environment</filename>. If you
          have modified those files, be sure to back them up.
       </para>
@@ -206 +204 @@
 
     <para>
-      For a first installation, create the configuration file by issuing the
+      For a first-time installation, create a configuration file by issuing the
       following commands as the <systemitem class="username">root</systemitem>
       user:
@@ -222 +220 @@
     <para>
       Now run the tests by issuing <command>make check</command>.
-      Ensure there are no errors produced by the tests before continuing the
-      installation. Note that the checks are quite long.  It may be useful to
-      redirect the output to a log file in order to inspect it thoroughly.
-    </para>
-
-    <para>
-      Only in case of a first installation, remove the configuration file
+      Be sure the tests produced no errors before continuing the
+      installation. Note that the tests are very long.
+      Redirect the output to a log file, so you can inspect it thoroughly.
+    </para>
+
+    <para>
+      For a first-time installation, remove the configuration file
       created earlier by issuing the following command as the
       <systemitem class="username">root</systemitem> user:
@@ -259 +257 @@
       linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
       url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
-      html and text documentations are (re)generated and installed.
+      html and text documentation files, are generated and installed.
       Furthermore, if <xref linkend="fop"/> is installed, the PDF
       documentation is generated and installed. Use this switch if you do not
@@ -267 +265 @@
     <para>
       <command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>:
-      The <command>unix_chkpwd</command> helper program must be setuid
-      so that non-<systemitem class="username">root</systemitem>
+      The setuid bit for the <command>unix_chkpwd</command> helper program must be 
+      turned on, so that non-<systemitem class="username">root</systemitem>
       processes can access the shadow file.
     </para>
@@ -278 +276 @@
 
     <sect3 id="pam-config">
-      <title>Config Files</title>
+      <title>Configuration Files</title>
 
       <para>
@@ -301 +299 @@
         Configuration information is placed in
         <filename class="directory">/etc/pam.d/</filename>.
-        Below is an example file:
+        Here is a sample file:
       </para>
 
@@ -314 +312 @@
 
       <para>
-        Now set up some generic files.  As the
+        Now create some generic configuration files.  As the
         <systemitem class="username">root</systemitem> user:
       </para>
@@ -347 +345 @@
 # use sha512 hash for encryption, use shadow, and try to use any previously
 # defined authentication token (chosen password) set by any prior module
-password  required    pam_unix.so       sha512 shadow try_first_pass
+# Use the same number of rounds as shadow.
+password  required    pam_unix.so       sha512 shadow try_first_pass \
+                                        rounds=500000
 
 # End /etc/pam.d/system-password</literal>
@@ -356 +356 @@
        If you wish to enable strong password support, install
        <xref linkend="libpwquality"/>, and follow the
-       instructions in that page to configure the pam_pwquality
+       instructions on that page to configure the pam_pwquality
        PAM module with strong password support.
      </para>
 
 <!-- With the removal of the pam_cracklib module, we're supposed to be using
-     libpwquality. That already includes instructions in it's configuration
+     libpwquality. That already includes instructions in its configuration
      information page, so we'll use those instead.
 
@@ -367 +367 @@
      is built in, and the PAM module is built.
 -->
-<!--
+<!-- WARNING: If for any reason the instructions below are reinstated be
+     careful with the number of rounds, which should match the one in shadow.
       <para>
         The remaining generic file depends on whether <xref
@@ -417 +418 @@
 -->
       <para>
-        Now add a restrictive <filename>/etc/pam.d/other</filename>
+        Next, add a restrictive <filename>/etc/pam.d/other</filename>
         configuration file.  With this file, programs that are PAM aware will
         not run unless a configuration file specifically for that application
-        is created.
+        exists.
       </para>
 
@@ -440 +441 @@
       <para>
         The <application>PAM</application> man page (<command>man
-        pam</command>) provides a good starting point for descriptions
-        of fields and allowable entries. The
-        <ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">
+        pam</command>) provides a good starting point to learn
+        about the several fields, and allowable entries.
+        <!-- not accessible 2022-09-08 -->
+        <!-- it's available at a different address 2022-10-23-->
+        The
+        <ulink url="https://www.docs4dev.com/docs/en/linux-pam/1.1.2/reference/Linux-PAM_SAG.html">
           Linux-PAM System Administrators' Guide
         </ulink> is recommended for additional information.
@@ -450 +454 @@
         <para>
           You should now reinstall the <xref linkend="shadow"/>
-          <phrase revision="sysv">package.</phrase>
+          <phrase revision="sysv">package</phrase>
           <phrase revision="systemd"> and <xref linkend="systemd"/>
-          packages.</phrase>
+          packages</phrase>.
         </para>
       </important>