Changeset 4fcf20a


Timestamp:
03/23/2005 07:05:25 AM (17 years ago)
Author:
Randy McMurchy <randy@…>
Branches:
10.0, 10.1, 11.0, 11.1, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, krejzi/svn, lazarus, nosym, perl-modules, qt5new, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/test-20220226
Children:
fbbf93e
Parents:
f691f2b
Message:

Updated to Shadow-4.0.7

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3567 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:
4 edited

  • general.ent

    rf691f2b r4fcf20a  
    1 <!ENTITY day          "22">
     1<!ENTITY day          "23">
    22<!ENTITY month        "03">
    33<!ENTITY year         "2005">
    44<!ENTITY version      "svn-&year;&month;&day;">
    5 <!ENTITY releasedate  "March &day;nd, &year;">
     5<!ENTITY releasedate  "March &day;rd, &year;">
    66<!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
    77<!ENTITY blfs-version "cvs">                  <!-- cvs|[release #] -->
     
    3333<!ENTITY cracklib-version             "2.7">   
    3434<!ENTITY Linux_PAM-version            "0.78"> 
    35 <!ENTITY shadow-version               "4.0.4.1"> 
     35<!ENTITY shadow-version               "4.0.7"> 
    3636<!ENTITY iptables-version             "1.3.1">
    3737<!ENTITY gnupg-version                "1.4.0"> 
     
    132132<!-- Chapter 12 -->                 
    133133<!ENTITY Python-version               "2.4">
    134 <!ENTITY LFS-Perl-version             "5.8.5">
     134<!ENTITY LFS-Perl-version             "5.8.6">
    135135<!ENTITY Module-Info-version          "0.26">
    136136<!ENTITY Gtk-Perl-version             "0.7009">
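Review bot: the LFS-Perl-version bump from 5.8.5 to 5.8.6 at line 134 is unrelated to the Shadow update and is mentioned neither in the commit message nor in the changelog entry added in this changeset; either split it into its own commit or add a changelog line so readers tracking version history can see it.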
  • introduction/welcome/changelog.xml

    rf691f2b r4fcf20a  
    2323<itemizedlist>
    2424
     25<listitem><para>March 23rd, 2005 [randy]: Updated to
     26Shadow-4.0.7</para></listitem>
     27
    2528<listitem><para>March 22nd, 2005 [randy]: Added the installation of
    2629documentation to the Linux-PAM instructions.</para></listitem>
  • introduction/welcome/credits.xml

    rf691f2b r4fcf20a  
    153153FOP, GNOME Doc Utils, GnuCash (many additions), Heimdal, HTML Tidy, JadeTeX,
    154154Java Access Bridge, libgail-gnome, libgnomecups, MPlayer (extensive overhaul),
    155 PDL, Perl Modules, pilot-link, Samba 3 (many additions), SANE (original
    156 instructions by Alex Kloss), SLIB, Stunnel and Sysstat:
     155PDL, Perl Modules, pilot-link, Samba 3 (many additions), Shadow (rewrite),
     156SANE (original instructions by Alex Kloss), SLIB, Stunnel and Sysstat:
    157157<emphasis>Randy McMurchy</emphasis></para></listitem>
    158158
  • postlfs/security/shadow.xml

    rf691f2b r4fcf20a  
    66
    77  <!ENTITY shadow-download-http " ">
    8   <!ENTITY shadow-download-ftp  "ftp://ftp.pld.org.pl/software/shadow/old/shadow-&shadow-version;.tar.bz2">
    9   <!ENTITY shadow-md5sum        "3a3d17d3d7c630b602baf66ae7434c61">
    10   <!ENTITY shadow-size          "814 KB">
    11   <!ENTITY shadow-buildsize     "14.1 MB">
    12   <!ENTITY shadow-time          "0.42 SBU">
     8  <!ENTITY shadow-download-ftp  "ftp://ftp.pld.org.pl/software/shadow/shadow-&shadow-version;.tar.bz2">
     9  <!ENTITY shadow-md5sum        "89ebec0d1c0d861a5bd5c4c63e5cb0cc">
     10  <!ENTITY shadow-size          "1.0 MB">
     11  <!ENTITY shadow-buildsize     "13.2 MB">
     12  <!ENTITY shadow-time          "0.31 SBU">
    1313]>
    1414
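Review bot: `shadow-download-http` (line 7) stays a single space while the only real location is the FTP URL on line 8; now that the tarball has moved out of the `old/` directory, check whether an HTTP mirror exists and fill the entity, and confirm that a whitespace-only value renders in the book as "no HTTP download" rather than as a broken link. The md5sum on line 9 is the only integrity reference for the new archive, so make sure it was computed from the file at the new FTP path.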
     
    2222<indexterm zone="shadow">
    2323<primary sortas="a-Shadow">Shadow</primary></indexterm>
    24 
    25 <!--
    26 <sect2>
    27 <title>Configuring shadow</title>
    28 
    29 <para>Shadow's Configuration File</para>
    30 
    31 <para><userinput>/etc/login.defs</userinput></para>
    32 
    33 <para>Enabling <acronym>MD</acronym>5 Passwords</para>
    34 
    35 <para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
    36 <filename>login.defs</filename> file that reads:
    37 <screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
    38 to read:
    39 <screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
    40 Passwords created after this change will be encrypted using
    41 <acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
    42 <acronym>DES</acronym> encryption.
    43 </para>
    44 </sect2>
    45 -->
    4624
    4725<sect2>
     
    7351<sect3><title>Additional downloads</title>
    7452<itemizedlist spacing='compact'>
    75 <listitem><para>Patch to fix linking against PAM:
    76 <ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para>
     53<listitem><para>Patch to fix a bug in the <command>lastlog</command> program:
     54<ulink url="&patch-root;/shadow-&shadow-version;-fix_lastlog-1.patch"/></para>
    7755</listitem>
    7856</itemizedlist>
     
    8159<sect3><title><application>Shadow</application> dependencies</title>
    8260<sect4><title>Required</title>
    83 <para><xref linkend="Linux_PAM"/></para></sect4>
    84 </sect3>
     61<para><xref linkend="Linux_PAM"/></para>
     62</sect4>
     63</sect3>
     64
    8565</sect2>
    8666
     
    9171commands:</para>
    9272
    93 <screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
    94 LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
    95     --enable-shared --with-libpam --without-libcrack &amp;&amp;
    96 echo '#define HAVE_SETLOCALE 1' >> config.h &amp;&amp;
    97 sed -i '/extern char/d' libmisc/xmalloc.c &amp;&amp;
     73<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-fix_lastlog-1.patch &amp;&amp;
     74./configure --libdir=/usr/lib --enable-shared \
     75    --with-libpam --without-libcrack &amp;&amp;
     76sed -i 's/groups$(EXEEXT) //' src/Makefile &amp;&amp;
     77sed -i '/groups/d' man/Makefile &amp;&amp;
    9878make</command></userinput></screen>
    9979
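Review bot: `sed -i '/groups/d' man/Makefile` (line 77) deletes every line of man/Makefile containing the substring `groups`, not only the entry for the groups(1) manual page; a comment, a variable assignment, or another target whose line mentions that word would be silently dropped. Anchor the expression to the page itself (the name with its section suffix), the way the src/Makefile edit on line 76 anchors on `groups$(EXEEXT)`. Note also that `s/groups$(EXEEXT) //` assumes the entry is followed by a space; if it is the last item on its line the substitution does nothing and the binary is still built, which the `rm /bin/groups` line removed from the install step no longer catches.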
     
    10181
    10282<screen><userinput role='root'><command>make install &amp;&amp;
    103 mv /bin/sg /usr/bin &amp;&amp;
    104 mv /bin/vigr /usr/sbin &amp;&amp;
    105 mv /usr/bin/passwd /bin &amp;&amp;
    106 rm /bin/groups &amp;&amp;
    107 mv /usr/lib/lib{misc,shadow}.so.0* /lib &amp;&amp;
    108 ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &amp;&amp;
    109 ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
     83mv -v /usr/bin/passwd /bin &amp;&amp;
     84mv -v /lib/libshadow.*a /usr/lib &amp;&amp;
     85rm -v /lib/libshadow.so &amp;&amp;
     86ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</command></userinput></screen>
    11087
    11188</sect2>
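Review bot: the library relocation on lines 84-86 (`mv -v /lib/libshadow.*a /usr/lib`, `rm -v /lib/libshadow.so`, `ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so`) has no explanation in the visible command-explanation hunk below, whereas the removed `sed ... xmalloc.c` line had one; add a sentence saying why the static archive and the `.so` development link are moved out of /lib while `libshadow.so.0` stays there, especially since configure is invoked with `--libdir=/usr/lib` on line 74 and readers may otherwise assume the option was ignored. The old block also relocated `libmisc.so.0*`; confirm that 4.0.7 no longer installs libmisc as a shared library, or the removed `mv`/`ln` lines for it need to come back.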
     
    12097<filename class='libraryfile'>libcrack</filename>.</para>
    12198
    122 <para><command>sed -i '/extern char/d' libmisc/xmalloc.c</command>: This
    123 fixes a compilation problem when using <application>GCC</application>-3.4.x.
    124 </para>
     99<para><command>sed -i ...</command>: These commands are used to suppress the
     100installation of the <command>groups</command> program as the version from the
     101<application>Coreutils</application> package installed during
     102<acronym>LFS</acronym> is preferred.</para>
    125103
    126104</sect2>
     
    131109
    132110<sect3 id="pam.d"><title>Config files</title>
    133 <para><filename>/etc/pam.d/login</filename>,
    134 <filename>/etc/pam.d/passwd</filename>,
    135 <filename>/etc/pam.d/su</filename>,
    136 <filename>/etc/pam.d/shadow</filename>,
    137 <filename>/etc/pam.d/useradd</filename>, and
    138 <filename>/etc/pam.d/chage</filename> &ndash;
    139 alternatively, <filename>/etc/pam.conf</filename></para>
     111<para><filename>/etc/pam.d/*</filename>, or alternatively,
     112<filename>/etc/pam.conf</filename></para>
    140113<indexterm zone="shadow pam.d">
    141114<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary></indexterm>
     
    150123add them to <filename>/etc/pam.conf</filename> with the additional field for
    151124the program).</para>
     125
     126<sect4><title>login (with <application>cracklib</application>)</title>
    152127
    153128<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
     
    162137session     required       pam_motd.so
    163138session     required       pam_limits.so
    164 session     optional       pam_mail.so     dir=/var/mail standard
     139session     optional       pam_mail.so      dir=/var/mail standard
    165140session     optional       pam_lastlog.so
    166141session     required       pam_unix.so
     142password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
     143                                            dcredit=3 ocredit=3 \
     144                                            ucredit=2 lcredit=2
     145password    required       pam_unix.so      md5 shadow use_authtok
    167146
    168147# End /etc/pam.d/login
    169 <command>EOF
    170 cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
     148<command>EOF</command></userinput></screen>
     149</sect4>
     150
     151<sect4><title>login (without <application>cracklib</application>)</title>
     152
     153<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
     154# Begin /etc/pam.d/login
     155
     156auth        requisite      pam_securetty.so
     157auth        requisite      pam_nologin.so
     158auth        required       pam_env.so
     159auth        required       pam_unix.so
     160account     required       pam_access.so
     161account     required       pam_unix.so
     162session     required       pam_motd.so
     163session     required       pam_limits.so
     164session     optional       pam_mail.so      dir=/var/mail standard
     165session     optional       pam_lastlog.so
     166session     required       pam_unix.so
     167password    required       pam_unix.so      md5 shadow
     168
     169# End /etc/pam.d/login
     170<command>EOF</command></userinput></screen>
     171</sect4>
     172
     173<sect4><title>passwd (with <application>cracklib</application>)</title>
     174
     175<screen><userinput><command>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
    171176# Begin /etc/pam.d/passwd
    172177
    173 password    required       pam_unix.so     md5 shadow
     178password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
     179                                            dcredit=3  ocredit=3 \
     180                                            ucredit=2  lcredit=2
     181password    required       pam_unix.so      md5 shadow use_authtok
    174182
    175183# End /etc/pam.d/passwd
    176 <command>EOF
    177 cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
    178 # Begin /etc/pam.d/shadow
     184<command>EOF</command></userinput></screen>
     185</sect4>
     186
     187<sect4><title>passwd (without <application>cracklib</application>)</title>
     188
     189<screen><userinput><command>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
     190# Begin /etc/pam.d/passwd
     191
     192password    required       pam_unix.so      md5 shadow
     193
     194# End /etc/pam.d/passwd
     195<command>EOF</command></userinput></screen>
     196</sect4>
     197
     198<sect4><title>su</title>
     199
     200<screen><userinput><command>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
     201# Begin /etc/pam.d/su
     202
     203auth        sufficient      pam_rootok.so
     204auth        required        pam_unix.so
     205account     required        pam_unix.so
     206session     optional        pam_mail.so     dir=/var/mail standard
     207session     required        pam_unix.so
     208
     209# End /etc/pam.d/su
     210<command>EOF</command></userinput></screen>
     211</sect4>
     212
     213<sect4><title>chage</title>
     214
     215<screen><userinput><command>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
     216# Begin /etc/pam.d/chage
    179217
    180218auth        sufficient      pam_rootok.so
     
    184222password    required        pam_permit.so
    185223
    186 # End /etc/pam.d/shadow
    187 <command>EOF
    188 cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
    189 # Begin /etc/pam.d/su
    190 
    191 auth        sufficient      pam_rootok.so
    192 auth        required        pam_unix.so
    193 account     required        pam_unix.so
    194 session     required        pam_unix.so
    195 
    196 # End /etc/pam.d/su
    197 <command>EOF
    198 cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
    199 # Begin /etc/pam.d/useradd
    200 
    201 auth        sufficient      pam_rootok.so
    202 auth        required        pam_unix.so
    203 account     required        pam_unix.so
    204 session     required        pam_unix.so
    205 password    required        pam_permit.so
    206 
    207 # End /etc/pam.d/useradd
    208 <command>EOF
    209 cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
    210 # Begin /etc/pam.d/chage
    211 
    212 auth        sufficient      pam_rootok.so
    213 auth        required        pam_unix.so
    214 account     required        pam_unix.so
    215 session     required        pam_unix.so
    216 password    required        pam_permit.so
    217 
    218224# End /etc/pam.d/chage
    219225<command>EOF</command></userinput></screen>
    220 
    221 <note><para>If you've installed <application>cracklib</application>, replace
    222 <filename>/etc/pam.d/passwd</filename> with the following:</para></note>
    223 <screen><userinput><command>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
    224 # Begin /etc/pam.d/passwd
    225 
    226 password    required    pam_cracklib.so     \
    227     retry=3  difok=8  minlen=5  dcredit=3  ocredit=3  ucredit=2  lcredit=2
    228 password    required    pam_unix.so     md5 shadow use_authtok
    229 
    230 # End /etc/pam.d/passwd
    231 <command>EOF</command></userinput></screen>
     226</sect4>
     227
     228<sect4><title>chpasswd, newusers, groupadd, groupdel, groupmod, useradd,
     229userdel and usermod</title>
     230
     231<screen><userinput><command>for PROGRAM in chpasswd newusers groupadd groupdel \
     232               groupmod useradd userdel usermod
     233do
     234    cp /etc/pam.d/chage /etc/pam.d/$PROGRAM
     235    sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
     236done</command></userinput></screen>
     237</sect4>
     238
     239<sect4><title>other</title>
    232240
    233241<warning><para>At this point, you should do a simple test to see if
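Review bot: the pam_cracklib lines (login, lines 142-144; passwd, lines 178-180) set `minlen=5` together with `dcredit=3 ocredit=3 ucredit=2 lcredit=2`; pam_cracklib counts those character-class credits toward the minimum length score, so with credits totalling 10 a password of only a few characters that mixes classes satisfies the check. Raise `minlen` (or lower the credits) so the effective minimum length is what the book intends. Also, the chage stanza (lines 215-225) that the loop on lines 231-236 copies to chpasswd and newusers puts `pam_permit.so` on the password stack, so passwords set in bulk through those tools bypass the cracklib policy enforced for passwd; either say so in the text or give those two programs a password stack that includes pam_cracklib.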
     
    238246receive errors, stop now and double check the above configuration files
    239247manually.  If you cannot find, and fix the error, you should recompile
    240 shadow replacing <envar>--with-libpam</envar> with
    241 <envar>--without-libpam</envar> in the above
     248shadow replacing <parameter>--with-libpam</parameter> with
     249<parameter>--without-libpam</parameter> in the above
    242250instructions.  If you fail to do this and the errors remain, you
    243251will be unable to log into your system.</para></warning>
    244252
    245253<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
    246 allow anyone with an account on the machine to use programs
    247 that do not specifically have a configuration file of their own. After
    248 testing <application>Linux-<acronym>PAM</acronym></application> for proper
    249 configuration, it can be changed to the following:</para>
     254allow anyone with an account on the machine to use
     255<acronym>PAM</acronym>-aware programs without a configuration file for that
     256program. After testing <application>Linux-<acronym>PAM</acronym></application>
     257for proper configuration, install a more restrictive
     258<filename>other</filename> file so that program-specific configuration files
     259are required:</para>
    250260
    251261<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
     
    261271# End /etc/pam.d/other
    262272<command>EOF</command></userinput></screen>
    263 
    264 <para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
    265 to the beginning of the following lines:</para>
    266 <screen>LASTLOG_ENAB
    267 MAIL_CHECK_ENAB
    268 PORTTIME_CHECKS_ENAB
    269 CONSOLE
    270 MOTD_FILE
    271 NOLOGINS_FILE
    272 PASS_MIN_LEN
    273 SU_WHEEL_ONLY
    274 MD5_CRYPT_ENAB
    275 CONSOLE_GROUPS
    276 ENVIRON_FILE</screen>
    277 
    278 <para>This stops <command>login</command> from performing these functions, as
    279 they will now be performed by <acronym>PAM</acronym> modules. Additionally,
    280 add a '#' to the beginning of the following lines if you've installed
    281 <application>cracklib</application>:</para>
    282 <screen>OBSCURE_CHECKS_ENAB
    283 CRACKLIB_DICTPATH
    284 PASS_CHANGE_TRIES
    285 PASS_ALWAYS_WARN</screen>
     273</sect4>
     274
     275<sect4 id="pam-access"><title>Configuring login access</title>
     276
     277<para>Instead of using the <filename>/etc/login.access</filename> file for
     278controlling access to the system,
     279<application>Linux-<acronym>PAM</acronym></application> uses the
     280<filename class='libraryfile'>pam_access.so</filename> module along with the
     281<filename>/etc/security/access.conf</filename> file. Rename the
     282<filename>/etc/login.access</filename> file using the following
     283command:</para>
     284<indexterm zone="shadow pam-access"><primary
     285sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
     286</indexterm>
     287
     288<screen><userinput><command>if [ -f /etc/login.access ]; then
     289    mv -v /etc/login.access /etc/login.access.NOUSE
     290fi</command></userinput></screen>
     291</sect4>
     292
     293<sect4 id="pam-limits"><title>Configuring resource limits</title>
     294
     295<para>Instead of using the <filename>/etc/limits</filename> file for
     296limiting usage of system resources,
     297<application>Linux-<acronym>PAM</acronym></application> uses the
     298<filename class='libraryfile'>pam_limits.so</filename> module along with the
     299<filename>/etc/security/limits.conf</filename> file. Rename the
     300<filename>/etc/limits</filename> file using the following
     301command:</para>
     302<indexterm zone="shadow pam-limits"><primary
     303sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
     304</indexterm>
     305
     306<screen><userinput><command>if [ -f /etc/limits ]; then
     307    mv -v /etc/limits /etc/limits.NOUSE
     308fi</command></userinput></screen>
     309</sect4>
     310
     311<sect4 id="pam-login-defs"><title>Configuring /etc/login.defs</title>
     312
     313<para>The <command>login</command> program currently performs many functions
     314which <application>Linux-<acronym>PAM</acronym></application> modules should
     315now handle. The following command will comment out the appropriate lines in
     316<filename>/etc/login.defs</filename>, and stop <command>login</command> from
     317performing these functions:</para>
     318<indexterm zone="shadow pam-login-defs"><primary
     319sortas="e-etc-login.defs">/etc/login.defs</primary>
     320</indexterm>
     321
     322<screen><userinput><command>for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
     323                PORTTIME_CHECKS_ENAB CONSOLE \
     324                MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
     325                SU_WHEEL_ONLY MD5_CRYPT_ENAB \
     326                CONSOLE_GROUPS ENVIRON_FILE
     327do
     328    sed -i -e "s/^$FUNCTION/# &amp;/" /etc/login.defs
     329done</command></userinput></screen>
     330
     331<para>If you have <application>cracklib</application> installed, also comment
     332out four more lines using the following command:</para>
     333
     334<screen><userinput><command>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
     335                PASS_CHANGE_TRIES PASS_ALWAYS_WARN
     336do
     337    sed -i -e "s/^$FUNCTION/# &amp;/" /etc/login.defs
     338done</command></userinput></screen>
     339</sect4>
     340
    286341</sect3>
    287342
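Review bot: the login.defs loop on lines 322-329 comments out `SU_WHEEL_ONLY` and `PASS_MIN_LEN` on the grounds that PAM modules now handle these functions, but the `/etc/pam.d/su` stanza added earlier in this changeset contains no `pam_wheel.so` line and the without-cracklib `passwd` stanza (`password required pam_unix.so md5 shadow`) carries no length option, so in the non-cracklib configuration both restrictions are dropped rather than moved to PAM. Either keep those two settings active in login.defs when cracklib is not installed, or add the corresponding PAM configuration and state that the restriction now lives there.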