Changeset 9a3142c
- Timestamp:
- 03/15/2012 04:25:36 PM (12 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 5e32204
- Parents:
- 8eeb3dd8
- File:
- 1 edited
postlfs/security/shadow.xml
r8eeb3dd8 r9a3142c 5 5 %general-entities; 6 6 7 <!ENTITY shadow-download-http "http://pkg-shadow.alioth.debian.org/releases/shadow-&shadow-version;.tar.bz2 "> 7 <!ENTITY shadow-download-http 8 "http://pkg-shadow.alioth.debian.org/releases/shadow-&shadow-version;.tar.bz2 "> 8 9 <!ENTITY shadow-download-ftp " "> 9 10 <!ENTITY shadow-md5sum "d5f7a588fadb79faeb4b08b1eee82e9a"> … … 30 31 <title>Introduction to Shadow</title> 31 32 32 <para><application>Shadow</application> was indeed installed in LFS and 33 there is no reason to reinstall it unless you installed 34 <application>CrackLib</application> or 35 <application>Linux-PAM</application> after your LFS system was completed. 36 If you have installed <application>CrackLib</application> after LFS, then 37 reinstalling <application>Shadow</application> will enable strong password 38 support. If you have installed <application>Linux-PAM</application>, 39 reinstalling <application>Shadow</application> will allow programs such as 40 <command>login</command> and <command>su</command> to utilize PAM.</para> 41 42 &lfs70_checked; 33 <para> 34 <application>Shadow</application> was indeed installed in LFS and there is 35 no reason to reinstall it unless you installed 36 <application>CrackLib</application> or 37 <application>Linux-PAM</application> after your LFS system was completed. 38 If you have installed <application>CrackLib</application> after LFS, then 39 reinstalling <application>Shadow</application> will enable strong password 40 support. If you have installed <application>Linux-PAM</application>, 41 reinstalling <application>Shadow</application> will allow programs such as 42 <command>login</command> and <command>su</command> to utilize PAM. 
43 </para> 44 45 &lfs71_checked; 43 46 44 47 <bridgehead renderas="sect3">Package Information</bridgehead> 45 48 <itemizedlist spacing="compact"> 46 49 <listitem> 47 <para>Download (HTTP): <ulink url="&shadow-download-http;"/></para> 50 <para> 51 Download (HTTP): <ulink url="&shadow-download-http;"/> 52 </para> 48 53 </listitem> 49 54 <listitem> 50 <para>Download (FTP): <ulink url="&shadow-download-ftp;"/></para> 55 <para> 56 Download (FTP): <ulink url="&shadow-download-ftp;"/> 57 </para> 51 58 </listitem> 52 59 <listitem> 53 <para>Download MD5 sum: &shadow-md5sum;</para> 60 <para> 61 Download MD5 sum: &shadow-md5sum; 62 </para> 54 63 </listitem> 55 64 <listitem> 56 <para>Download size: &shadow-size;</para> 65 <para> 66 Download size: &shadow-size; 67 </para> 57 68 </listitem> 58 69 <listitem> 59 <para>Estimated disk space required: &shadow-buildsize;</para> 70 <para> 71 Estimated disk space required: &shadow-buildsize; 72 </para> 60 73 </listitem> 61 74 <listitem> 62 <para>Estimated build time: &shadow-time;</para> 75 <para> 76 Estimated build time: &shadow-time; 77 </para> 63 78 </listitem> 64 79 </itemizedlist> … … 67 82 <itemizedlist spacing='compact'> 68 83 <listitem> 69 <para>Required patch: <ulink 70 url="http://www.&lfs-domainname;/patches/lfs/development/shadow-&shadow-version;-nscd-1.patch"/> 84 <para> 85 Required patch: <ulink 86 url="http://www.&lfs-domainname;/patches/lfs/development/shadow-&shadow-version;-nscd-1.patch"/> 71 87 </para> 72 88 </listitem> … … 76 92 77 93 <bridgehead renderas="sect4">Required</bridgehead> 78 <para role="required"><xref linkend="linux-pam"/> or 79 <xref linkend="cracklib"/></para> 80 81 <para condition="html" role="usernotes">User Notes: 82 <ulink url="&blfs-wiki;/shadow"/></para> 83 94 <para role="required"> 95 <xref linkend="linux-pam"/> or 96 <xref linkend="cracklib"/> 97 </para> 98 99 <para condition="html" role="usernotes"> 100 User Notes: <ulink url="&blfs-wiki;/shadow"/> 101 </para> 84 102 </sect2> 85 103 … … 88 
106 89 107 <important> 90 <para>The installation commands shown below are for installations where 91 <application>Linux-PAM</application> has been installed (with or 92 without a <application>CrackLib</application> installation) and 93 <application>Shadow</application> is being reinstalled to support the 94 <application>Linux-PAM</application> installation.</para> 95 96 <para> If you are reinstalling <application>Shadow</application> to 97 provide strong password support using the 98 <application>CrackLib</application> library without using 99 <application>Linux-PAM</application>, ensure you add the 100 <parameter>--with-libcrack</parameter> parameter to the 101 <command>configure</command> script below and also issue the following 102 command:</para> 108 <para> 109 The installation commands shown below are for installations where 110 <application>Linux-PAM</application> has been installed (with or 111 without a <application>CrackLib</application> installation) and 112 <application>Shadow</application> is being reinstalled to support the 113 <application>Linux-PAM</application> installation. 
114 </para> 115 116 <para> 117 If you are reinstalling <application>Shadow</application> to provide 118 strong password support using the <application>CrackLib</application> 119 library without using <application>Linux-PAM</application>, ensure you 120 add the <parameter>--with-libcrack</parameter> parameter to the 121 <command>configure</command> script below and also issue the following 122 command: 123 </para> 103 124 104 125 <screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen> 105 126 </important> 106 127 107 <para>Reinstall <application>Shadow</application> by running the following 108 commands:</para> 128 <para> 129 Reinstall <application>Shadow</application> by running the following 130 commands: 131 </para> 109 132 110 133 <screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in && 111 134 find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && 112 135 sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile.in && 136 sed -i '/<stdio.h>/a#include <stdarg.h>' libmisc/copydir.c && 113 137 114 138 sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \ … … 120 144 patch -Np1 -i ../shadow-&shadow-version;-nscd-1.patch && 121 145 122 ./configure --prefix=/usr --sysconfdir=/etc \ 123 --without-acl --without-attr && 146 ./configure --prefix=/usr --sysconfdir=/etc && 124 147 make</userinput></screen> 125 148 126 <para>This package does not come with a test suite.</para> 127 128 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 149 <para> 150 This package does not come with a test suite. 
151 </para> 152 153 <para> 154 Now, as the <systemitem class="username">root</systemitem> user: 155 </para> 129 156 130 157 <screen role="root"><userinput>make install && 131 158 mv -v /usr/bin/passwd /bin</userinput></screen> 132 133 159 </sect2> 134 160 … … 136 162 <title>Command Explanations</title> 137 163 138 <para><command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: 139 This command is used to suppress the installation of the 140 <command>groups</command> program as the version from the 141 <application>Coreutils</application> package installed during LFS is 142 preferred.</para> 143 144 <para><command>find man -name Makefile.in -exec ... {} \;</command>: This 145 command is used to suppress the installation of the 146 <command>groups</command> man pages so the existing ones installed from 147 the <application>Coreutils</application> package are not replaced.</para> 148 149 <para><command>sed -i -e '...' -e '...' man/Makefile.in</command>: This 150 command disables the installation of Chinese and Korean manual pages, since 151 <application>Man-DB</application> cannot format them properly.</para> 152 153 <para><command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' 154 -e 's@/var/spool/mail@/var/mail@' etc/login.defs</command>: 155 Instead of using the default 'DES' method, this command modifies the 156 installation to use the more secure 'SHA512' method of hashing passwords, 157 which also allows passwords longer than eight characters. 
It also changes 158 the obsolete <filename class="directory">/var/spool/mail</filename> 159 location for user mailboxes that <application>Shadow</application> uses by 160 default to the <filename class="directory">/var/mail</filename> 161 location.</para> 162 163 <para><command>sed -i -e 164 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&:/usr/local/sbin:/usr/local/bin@' 165 -e 's@PATH=/bin:/usr/bin@&:/usr/local/bin@' etc/login.defs</command>: 166 This sed expands PATH to <filename class="directory">/usr/local/bin</filename> 167 for normal and <systemitem class="username">root</systemitem> user and to 168 <filename class="directory">/usr/local/sbin</filename> for 169 <systemitem class="username">root</systemitem> user only.</para> 170 171 <para><command>--without-acl</command>: Disables linking with <xref linkend="acl"/> 172 since <application>Shadow</application> fails to compile if it is present.</para> 173 174 <para><command>--without-attr</command>: Disables linking with <xref linkend="attr"/> 175 since <application>Shadow</application> fails to compile if it is present.</para> 176 177 <para><command>mv -v /usr/bin/passwd /bin</command>: The 178 <command>passwd</command> program may be needed during times when the 179 <filename class='directory'>/usr</filename> filesystem is not mounted so 180 it is moved into the root partition.</para> 181 164 <para> 165 <command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>: This sed 166 is used to suppress the installation of the <command>groups</command> 167 program as the version from the <application>Coreutils</application> 168 package installed during LFS is preferred. 169 </para> 170 171 <para> 172 <command>find man -name Makefile.in -exec ... {} \;</command>: This 173 command is used to suppress the installation of the 174 <command>groups</command> man pages so the existing ones installed from 175 the <application>Coreutils</application> package are not replaced. 
176 </para> 177 178 <para> 179 <command>sed -i -e '...' -e '...' man/Makefile.in</command>: This command 180 disables the installation of Chinese and Korean manual pages, since 181 <application>Man-DB</application> cannot format them properly. 182 </para> 183 184 <para> 185 <command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e 186 's@/var/spool/mail@/var/mail@' etc/login.defs</command>: Instead of using 187 the default 'DES' method, this command modifies the installation to use 188 the more secure 'SHA512' method of hashing passwords, which also allows 189 passwords longer than eight characters. It also changes the obsolete 190 <filename class="directory">/var/spool/mail</filename> location for user 191 mailboxes that <application>Shadow</application> uses by default to the 192 <filename class="directory">/var/mail</filename> location. 193 </para> 194 195 <para> 196 <command>sed -i -e 197 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&:/usr/local/sbin:/usr/local/bin@' 198 -e 's@PATH=/bin:/usr/bin@&:/usr/local/bin@' etc/login.defs</command>: 199 This sed expands PATH to 200 <filename class="directory">/usr/local/bin</filename> for normal and 201 <systemitem class="username">root</systemitem> user and to 202 <filename class="directory">/usr/local/sbin</filename> for 203 <systemitem class="username">root</systemitem> user only. 204 </para> 205 206 <para> 207 <command>sed -i '/<stdio.h>/a#include <stdarg.h>' 208 libmisc/copydir.c</command>: This sed fixes a bug which would make the 209 build fail if <xref linkend="acl"/> is installed. 210 </para> 211 212 <para> 213 <command>mv -v /usr/bin/passwd /bin</command>: The 214 <command>passwd</command> program may be needed during times when the 215 <filename class='directory'>/usr</filename> filesystem is not mounted so 216 it is moved into the root partition. 
217 </para> 182 218 </sect2> 183 219 … … 185 221 <title>Configuring Shadow</title> 186 222 187 <para><application>Shadow</application>'s stock configuration for the 188 <command>useradd</command> utility may not be desirable for your 189 installation. One default parameter causes <command>useradd</command> to 190 create a mailbox file for any newly created user. 191 <command>useradd</command> will make the group ownership of this file to 192 the <systemitem class="groupname">mail</systemitem> group with 0660 193 permissions. If you would prefer that these mailbox files are not created 194 by <command>useradd</command>, issue the 195 following command as the <systemitem class="username">root</systemitem> user:</para> 223 <para> 224 <application>Shadow</application>'s stock configuration for the 225 <command>useradd</command> utility may not be desirable for your 226 installation. One default parameter causes <command>useradd</command> to 227 create a mailbox file for any newly created user. 228 <command>useradd</command> will make the group ownership of this file to 229 the <systemitem class="groupname">mail</systemitem> group with 0660 230 permissions. If you would prefer that these mailbox files are not created 231 by <command>useradd</command>, issue the following command as the 232 <systemitem class="username">root</systemitem> user: 233 </para> 196 234 197 235 <screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen> 198 199 236 </sect2> 200 237 … … 203 240 204 241 <note> 205 <para>The rest of this page is devoted to configuring 206 <application>Shadow</application> to work properly with 207 <application>Linux-PAM</application>. 
If you do not have 208 <application>Linux-PAM</application> installed, and you reinstalled 209 <application>Shadow</application> to support strong passwords via 210 the <application>CrackLib</application> library, no further configuration 211 is required.</para> 242 <para> 243 The rest of this page is devoted to configuring 244 <application>Shadow</application> to work properly with 245 <application>Linux-PAM</application>. If you do not have 246 <application>Linux-PAM</application> installed, and you reinstalled 247 <application>Shadow</application> to support strong passwords via the 248 <application>CrackLib</application> library, no further configuration is 249 required. 250 </para> 212 251 </note> 213 252 … … 215 254 <title>Config Files</title> 216 255 217 <para><filename>/etc/pam.d/*</filename> or alternatively 218 <filename>/etc/pam.conf, /etc/login.defs, and 219 /etc/security/*</filename></para> 256 <para> 257 <filename>/etc/pam.d/*</filename> or alternatively 258 <filename>/etc/pam.conf</filename>, 259 <filename>/etc/login.defs</filename> and 260 <filename>/etc/security/*</filename> 261 </para> 220 262 221 263 <indexterm zone="shadow pam.d"> … … 234 276 <primary sortas="e-etc-security">/etc/security/*</primary> 235 277 </indexterm> 236 237 278 </sect3> 238 279 … … 240 281 <title>Configuration Information</title> 241 282 242 <para>Configuring your system to use <application>Linux-PAM</application> 243 can be a complex task. The information below will provide a basic setup 244 so that <application>Shadow</application>'s login and password 245 functionality will work effectively with 246 <application>Linux-PAM</application>. Review the information and links on 247 the <xref linkend="linux-pam"/> page for further configuration 248 information. 
For information specific to integrating 249 <application>Shadow</application>, <application>Linux-PAM</application> 250 and <application>CrackLib</application>, you can visit the following 251 link:</para> 283 <para> 284 Configuring your system to use <application>Linux-PAM</application> can 285 be a complex task. The information below will provide a basic setup so 286 that <application>Shadow</application>'s login and password 287 functionality will work effectively with 288 <application>Linux-PAM</application>. Review the information and links 289 on the <xref linkend="linux-pam"/> page for further configuration 290 information. For information specific to integrating 291 <application>Shadow</application>, <application>Linux-PAM</application> 292 and <application>CrackLib</application>, you can visit the following 293 link: 294 </para> 252 295 253 296 <itemizedlist spacing="compact"> 254 <listitem> 255 <para><ulink 256 url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/></para> 257 </listitem> 297 <listitem> 298 <para> 299 <ulink url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/> 300 </para> 301 </listitem> 258 302 </itemizedlist> 259 303 … … 261 305 <title>Configuring /etc/login.defs</title> 262 306 263 <para>The <command>login</command> program currently performs many 264 functions which <application>Linux-PAM</application> modules should 265 now handle. The following <command>sed</command> command will comment 266 out the appropriate lines in <filename>/etc/login.defs</filename>, and 267 stop <command>login</command> from performing these functions (a backup 268 file named <filename>/etc/login.defs.orig</filename> is also created 269 to preserve the original file's contents). Issue the following commands 270 as the <systemitem class="username">root</systemitem> user:</para> 307 <para> 308 The <command>login</command> program currently performs many functions 309 which <application>Linux-PAM</application> modules should now handle. 
310 The following <command>sed</command> command will comment out the 311 appropriate lines in <filename>/etc/login.defs</filename>, and stop 312 <command>login</command> from performing these functions (a backup 313 file named <filename>/etc/login.defs.orig</filename> is also created 314 to preserve the original file's contents). Issue the following 315 commands as the <systemitem class="username">root</systemitem> user: 316 </para> 271 317 272 318 <indexterm zone="shadow pam-login-defs"> … … 289 335 CHFN_AUTH ENVIRON_FILE 290 336 do 291 sed -i "s/^$ FUNCTION/# &/" /etc/login.defs337 sed -i "s/^${FUNCTION}/# &/" /etc/login.defs 292 338 done</userinput></screen> 293 294 339 </sect4> 295 340 … … 297 342 <title>Configuring the /etc/pam.d/ Files</title> 298 343 299 <para>As mentioned previously in the 300 <application>Linux-PAM</application> instructions, 301 <application>Linux-PAM</application> has two supported methods for 302 configuration. The commands below assume that you've chosen to use 303 a directory based configuration, where each program has its own 304 configuration file. You can optionally use a single 305 <filename>/etc/pam.conf</filename> configuration file by using the 306 text from the files below, and supplying the program name as an 307 additional first field for each line.</para> 308 309 <para>As the <systemitem class="username">root</systemitem> user, 310 replace the following <application>Linux-PAM</application> 311 configuration files in the 312 <filename class="directory">/etc/pam.d/</filename> directory (or 313 add the contents to the <filename>/etc/pam.conf</filename> file) using 314 the following commands:</para> 315 344 <para> 345 As mentioned previously in the <application>Linux-PAM</application> 346 instructions, <application>Linux-PAM</application> has two supported 347 methods for configuration. 
The commands below assume that you've 348 chosen to use a directory based configuration, where each program has 349 its own configuration file. You can optionally use a single 350 <filename>/etc/pam.conf</filename> configuration file by using the 351 text from the files below, and supplying the program name as an 352 additional first field for each line. 353 </para> 354 355 <para> 356 As the <systemitem class="username">root</systemitem> user, replace 357 the following <application>Linux-PAM</application> configuration files 358 in the <filename class="directory">/etc/pam.d/</filename> directory 359 (or add the contents to the <filename>/etc/pam.conf</filename> file) 360 using the following commands: 361 </para> 316 362 </sect4> 317 363 … … 326 372 # End /etc/pam.d/system-account</literal> 327 373 EOF</userinput></screen> 328 329 374 </sect4> 330 375 … … 339 384 # End /etc/pam.d/system-auth</literal> 340 385 EOF</userinput></screen> 341 342 386 </sect4> 343 387 … … 361 405 EOF</userinput></screen> 362 406 363 <note><para>In its default configuration, owing to credits, 364 pam_cracklib will allow multiple case passwords as short as 6 365 characters, even with the <parameter>minlen</parameter> value 366 set to 11. You should review the pam_cracklib(8) man page and 367 determine if these default values are acceptable for the security 368 of your system.</para></note> 369 407 <note> 408 <para> 409 In its default configuration, owing to credits, pam_cracklib will 410 allow multiple case passwords as short as 6 characters, even with 411 the <parameter>minlen</parameter> value set to 11. You should review 412 the pam_cracklib(8) man page and determine if these default values 413 are acceptable for the security of your system. 
414 </para> 415 </note> 370 416 </sect4> 371 417 … … 382 428 # End /etc/pam.d/system-password</literal> 383 429 EOF</userinput></screen> 384 385 430 </sect4> 386 431 … … 395 440 # End /etc/pam.d/system-session</literal> 396 441 EOF</userinput></screen> 397 398 442 </sect4> 399 443 … … 448 492 # End /etc/pam.d/login</literal> 449 493 EOF</userinput></screen> 450 451 494 </sect4> 452 495 … … 461 504 # End /etc/pam.d/passwd</literal> 462 505 EOF</userinput></screen> 463 464 506 </sect4> 465 507 … … 485 527 # End /etc/pam.d/su</literal> 486 528 EOF</userinput></screen> 487 488 529 </sect4> 489 530 … … 507 548 # End /etc/pam.d/chage</literal> 508 549 EOF</userinput></screen> 509 510 </sect4> 511 512 <sect4> 513 <title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 514 'groupdel', 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' 515 and 'usermod'</title> 550 </sect4> 551 552 <sect4> 553 <title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd', 'groupdel', 554 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and 555 'usermod'</title> 516 556 517 557 <screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \ 518 558 groupmems groupmod newusers useradd userdel usermod 519 559 do 520 install -v -m644 /etc/pam.d/chage /etc/pam.d/$ PROGRAM521 sed -i "s/chage/$PROGRAM/" /etc/pam.d/$ PROGRAM560 install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM} 561 sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM} 522 562 done</userinput></screen> 523 563 524 564 <warning> 525 <para>At this point, you should do a simple test to see if 526 <application>Shadow</application> is working as expected. Open 527 another terminal and log in as a user, then <command>su</command> to 528 <systemitem class="username">root</systemitem>. If you do not see any 529 errors, then all is well and you should proceed with the rest of the 530 configuration. 
If you did receive errors, stop now and double check 531 the above configuration files manually. You can also run the test 532 suite from the <application>Linux-PAM</application> package to assist 533 you in determining the problem. If you cannot find and 534 fix the error, you should recompile <application>Shadow</application> 535 adding the <option>--without-libpam</option> switch to the 536 <command>configure</command> command in the above instructions 537 (also move the <filename>/etc/login.defs.orig</filename> backup 538 file to <filename>/etc/login.defs</filename>). If you 539 fail to do this and the errors remain, you will be unable to log into 540 your system.</para> 565 <para> 566 At this point, you should do a simple test to see if 567 <application>Shadow</application> is working as expected. Open 568 another terminal and log in as a user, then <command>su</command> to 569 <systemitem class="username">root</systemitem>. If you do not see 570 any errors, then all is well and you should proceed with the rest of 571 the configuration. If you did receive errors, stop now and double 572 check the above configuration files manually. You can also run the 573 test suite from the <application>Linux-PAM</application> package to 574 assist you in determining the problem. If you cannot find and fix 575 the error, you should recompile <application>Shadow</application> 576 adding the <option>--without-libpam</option> switch to the 577 <command>configure</command> command in the above instructions (also 578 move the <filename>/etc/login.defs.orig</filename> backup file to 579 <filename>/etc/login.defs</filename>). If you fail to do this and 580 the errors remain, you will be unable to log into your system. 
581 </para> 541 582 </warning> 542 543 583 </sect4> 544 584 … … 546 586 <title>Other</title> 547 587 548 <para>Currently, <filename>/etc/pam.d/other</filename> is configured 549 to allow anyone with an account on the machine to use PAM-aware 550 programs without a configuration file for that program. After testing 551 <application>Linux-PAM</application> for proper configuration, install 552 a more restrictive <filename>other</filename> file so that 553 program-specific configuration files are required:</para> 588 <para> 589 Currently, <filename>/etc/pam.d/other</filename> is configured to 590 allow anyone with an account on the machine to use PAM-aware programs 591 without a configuration file for that program. After testing 592 <application>Linux-PAM</application> for proper configuration, install 593 a more restrictive <filename>other</filename> file so that 594 program-specific configuration files are required: 595 </para> 554 596 555 597 <screen role="root"><userinput>cat > /etc/pam.d/other << "EOF" … … 567 609 # End /etc/pam.d/other</literal> 568 610 EOF</userinput></screen> 569 570 611 </sect4> 571 612 … … 573 614 <title>Configuring Login Access</title> 574 615 575 <para>Instead of using the <filename>/etc/login.access</filename> 576 file for controlling access to the system, 577 <application>Linux-PAM</application> uses the 578 <filename class='libraryfile'>pam_access.so</filename> module along 579 with the <filename>/etc/security/access.conf</filename> file. Rename 580 the <filename>/etc/login.access</filename> file using the following 581 command:</para> 616 <para> 617 Instead of using the <filename>/etc/login.access</filename> file for 618 controlling access to the system, <application>Linux-PAM</application> 619 uses the <filename class='libraryfile'>pam_access.so</filename> module 620 along with the <filename>/etc/security/access.conf</filename> file. 
621 Rename the <filename>/etc/login.access</filename> file using the 622 following command: 623 </para> 582 624 583 625 <indexterm zone="shadow pam-access"> … … 585 627 </indexterm> 586 628 587 <screen role="root"><userinput>if [ -f /etc/login.access ]; then 588 mv -v /etc/login.access /etc/login.access.NOUSE 589 fi</userinput></screen> 590 629 <screen role="root"><userinput>[ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}</userinput></screen> 591 630 </sect4> 592 631 … … 594 633 <title>Configuring Resource Limits</title> 595 634 596 <para>Instead of using the <filename>/etc/limits</filename> file 597 for limiting usage of system resources, 598 <application>Linux-PAM</application> uses the 599 <filename class='libraryfile'>pam_limits.so</filename> module along 600 with the <filename>/etc/security/limits.conf</filename> file. Rename 601 the <filename>/etc/limits</filename> file using the following 602 command:</para> 635 <para> 636 Instead of using the <filename>/etc/limits</filename> file for 637 limiting usage of system resources, 638 <application>Linux-PAM</application> uses the 639 <filename class='libraryfile'>pam_limits.so</filename> module along 640 with the <filename>/etc/security/limits.conf</filename> file. 
Rename 641 the <filename>/etc/limits</filename> file using the following command: 642 </para> 603 643 604 644 <indexterm zone="shadow pam-limits"> … … 606 646 </indexterm> 607 647 608 <screen role="root"><userinput>if [ -f /etc/limits ]; then 609 mv -v /etc/limits /etc/limits.NOUSE 610 fi</userinput></screen> 611 612 </sect4> 613 648 <screen role="root"><userinput>[ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}</userinput></screen> 649 </sect4> 614 650 </sect3> 615 616 651 </sect2> 617 652 … … 619 654 <title>Contents</title> 620 655 621 <para> A list of the installed files, along with their short descriptions622 can be found at623 <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>624 656 <para> 657 A list of the installed files, along with their short descriptions can be 658 found at <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>. 659 </para> 625 660 </sect2> 626 627 661 </sect1>
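Review bot: In the Command Explanations hunk, the new paragraph for the libmisc/copydir.c sed says only that it fixes a build failure when acl is installed, but the two paragraphs it replaces said Shadow fails to compile when either acl or attr is present, and the configure hunk drops both --without-acl and --without-attr. Please state whether the added "#include <stdarg.h>" also covers the attr case, or keep --without-attr until that is confirmed. With the switches gone, configure is free to link against acl and attr when they are installed, so both should appear as optional dependencies if they are not listed already; the visible dependency hunk shows only linux-pam or cracklib as required. The new explanation is also placed after the login.defs PATH sed, while the command itself runs before the ENCRYPT_METHOD sed; moving it up keeps the explanations in command order.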
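Review bot: In the /etc/login.defs loop, the pattern in "s/^${FUNCTION}/# &/" is still anchored only at the start of the line, so each name in the list also comments out any other login.defs key that merely begins with the same characters. Requiring the separator after the name, for example "s/^${FUNCTION}[[:space:]]/# &/", limits each substitution to the intended setting; the added braces alone do not change what is matched.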
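Review bot: The re-wrapped title in the hunk that copies /etc/pam.d/chage still lists 'chgpasswd' twice and never names 'chpasswd', while the loop beneath it iterates over both chgpasswd and chpasswd; the second entry in the title should read 'chpasswd'. In the same loop, the sed expression "s/chage/$PROGRAM/" is left unbraced although both file arguments on these lines were changed to ${PROGRAM}; brace it as well so the style is consistent.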
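Review bot: In the Configuring Login Access hunk, and identically in Configuring Resource Limits, replacing the if/fi block with "[ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}" changes the exit status: when the file is absent the line now returns non-zero where the if form returned 0, which matters if it ends a script or is followed by && in a command chain. The {,.NOUSE} brace expansion is also a bash feature that a plain POSIX sh does not expand, so mv would receive a single literal argument there. Either keep the if/fi form, or say that the commands assume bash and append "|| true" to the one-line form.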