Changeset b4b71892 for postlfs/security/shadow.xml
- Timestamp:
- 06/10/2004 05:47:11 AM (20 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- cf43c83
- Parents:
- f8d632a
- File:
- 1 edited
postlfs/security/shadow.xml
rf8d632a rb4b71892 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 ]> 7 1 8 <sect1 id="shadow"> 2 9 <?dbhtml filename="shadow.html"?> … … 24 31 </sect2> 25 32 --> 26 &shadow-intro; 27 &shadow-inst; 28 &shadow-exp; 29 &shadow-config; 33 34 35 <sect2> 36 <title>Introduction to <application>Shadow</application></title> 37 38 <para>Shadow was indeed installed in <acronym>LFS</acronym> and there is 39 no reason to reinstall it unless you installed 40 <application>Linux-<acronym>PAM</acronym></application>. If you did, 41 this will allow programs like <command>login</command> and 42 <command>su</command> to utilize 43 <acronym>PAM</acronym>.</para> 44 45 <sect3><title>Additional downloads</title> 46 <itemizedlist spacing='compact'> 47 <listitem><para>Patch to fix linking against PAM: 48 <ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem> 49 </itemizedlist> 50 </sect3> 51 52 <sect3><title><application>Shadow</application> dependencies</title> 53 <sect4><title>Required</title> 54 <para><xref linkend="Linux_PAM"/></para></sect4> 55 </sect3> 56 </sect2> 57 58 59 <sect2> 60 <title>Installation of <application>shadow</application></title> 61 62 <para>Reinstall shadow by running the following commands:</para> 63 64 <screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch && 65 LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \ 66 --enable-shared --with-libpam --without-libcrack && 67 echo '#define HAVE_SETLOCALE 1' >> config.h && 68 make && 69 make install && 70 mv /bin/sg /usr/bin && 71 mv /bin/vigr /usr/sbin && 72 rm /bin/groups && 73 mv /usr/lib/lib{misc,shadow}.so.0* /lib && 74 ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so && 75 ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen> 
76 77 </sect2> 78 79 80 <sect2> 81 <title>Command explanations</title> 82 83 <para><parameter>--without-libcrack</parameter>: This switch tells shadow 84 not to use libcrack. This is desired as 85 <application>Linux-<acronym>PAM</acronym></application> already 86 contains libcrack.</para> 87 88 <!-- Leftover from older instructions???? 89 <para><command>cp debian/securetty /etc/securetty</command>: This 90 command sets the tty's that allow logins through <acronym>PAM</acronym>.</para> 91 --> 92 93 </sect2> 94 95 96 <sect2> 97 <title>Configuring <application><acronym>PAM</acronym></application> to work 98 with <application>shadow</application></title> 99 100 <sect3><title>Config files</title> 101 <para><filename>/etc/pam.d/login</filename>, 102 <filename>/etc/pam.d/passwd</filename>, 103 <filename>/etc/pam.d/su</filename>, 104 <filename>/etc/pam.d/shadow</filename>, and 105 <filename>/etc/pam.d/useradd</filename></para> 106 </sect3> 107 108 <sect3><title>Configuration Information</title> 109 110 <para>Add the following <application><acronym>PAM</acronym></application> 111 configuration files to <filename class="directory">/etc/pam.d</filename> (or add them to 112 <filename>/etc/pam.conf</filename> with the additional field for the program). 
113 </para> 114 <screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command> 115 # Begin /etc/pam.d/login 116 117 auth requisite pam_securetty.so 118 auth requisite pam_nologin.so 119 auth required pam_env.so 120 auth required pam_unix.so 121 account required pam_access.so 122 account required pam_unix.so 123 session required pam_motd.so 124 session required pam_limits.so 125 session optional pam_mail.so dir=/var/mail standard 126 session optional pam_lastlog.so 127 session required pam_unix.so 128 129 # End /etc/pam.d/login 130 <command>EOF 131 cat > /etc/pam.d/passwd << "EOF"</command> 132 # Begin /etc/pam.d/passwd 133 134 password required pam_unix.so md5 shadow 135 136 # End /etc/pam.d/passwd 137 <command>EOF 138 cat > /etc/pam.d/shadow << "EOF"</command> 139 # Begin /etc/pam.d/shadow 140 141 auth sufficient pam_rootok.so 142 auth required pam_unix.so 143 account required pam_unix.so 144 session required pam_unix.so 145 password required pam_permit.so 146 147 # End /etc/pam.d/shadow 148 <command>EOF 149 cat > /etc/pam.d/su << "EOF"</command> 150 # Begin /etc/pam.d/su 151 152 auth sufficient pam_rootok.so 153 auth required pam_unix.so 154 account required pam_unix.so 155 session required pam_unix.so 156 157 # End /etc/pam.d/su 158 <command>EOF 159 cat > /etc/pam.d/useradd << "EOF"</command> 160 # Begin /etc/pam.d/useradd 161 162 auth sufficient pam_rootok.so 163 auth required pam_unix.so 164 account required pam_unix.so 165 session required pam_unix.so 166 password required pam_permit.so 167 168 # End /etc/pam.d/useradd 169 <command>EOF 170 cat > /etc/pam.d/chage << "EOF"</command> 171 # Begin /etc/pam.d/chage 172 173 auth sufficient pam_rootok.so 174 auth required pam_unix.so 175 account required pam_unix.so 176 session required pam_unix.so 177 password required pam_permit.so 178 179 # End /etc/pam.d/chage 180 <command>EOF</command></userinput></screen> 181 182 <para>Currently, <filename>/etc/pam.d/other</filename> is configured to 183 allow anyone 
with an account on the machine to use programs 184 that do not specifically have a configuration file of their own. After 185 testing <application><acronym>PAM</acronym></application> for proper 186 configuration, it can be changed to the following:</para> 187 188 <screen><userinput><command>cat > /etc/pam.d/other << "EOF"</command> 189 # Begin /etc/pam.d/other 190 191 auth required pam_deny.so 192 auth required pam_warn.so 193 account required pam_deny.so 194 session required pam_deny.so 195 password required pam_deny.so 196 password required pam_warn.so 197 198 # End /etc/pam.d/other 199 <command>EOF</command></userinput></screen> 200 201 <para>Finally, edit <filename>/etc/login.defs</filename> by adding '#' 202 to the beginning of the following lines:</para> 203 <screen>LASTLOG_ENAB 204 MAIL_CHECK_ENAB 205 PORTTIME_CHECKS_ENAB 206 CONSOLE 207 MOTD_FILE 208 NOLOGINS_FILE 209 PASS_MIN_LEN 210 SU_WHEEL_ONLY 211 MD5_CRYPT_ENAB 212 CONSOLE_GROUPS 213 ENVIRON_FILE</screen> 214 215 <para>This stops <command>login</command> from performing these functions, as 216 they will now be performed by <acronym>PAM</acronym> modules.</para> 217 218 </sect3> 219 220 </sect2> 30 221 31 222 </sect1>
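Review bot: the "Command explanations" sect2 documents only `--without-libcrack`, so the other non-obvious steps in the installation screen go unexplained: `echo '#define HAVE_SETLOCALE 1' >> config.h` appends a define behind configure's back and should say what it works around; `rm /bin/groups` deletes a binary the package has just installed without saying why; and the `mv /usr/lib/lib{misc,shadow}.so.0* /lib` plus the two `ln -sf` lines relocate the shared libraries and need a sentence on the intent. Each of these deserves its own <para> in that sect2. The libcrack justification is also imprecise: Linux-PAM does not "contain libcrack", it ships the pam_cracklib module which links against the cracklib library, so the accurate reason for the switch is that password-quality checking is meant to move out of shadow and into the PAM password stack.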
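Review bot: in the /etc/pam.d/other stack, `auth required pam_deny.so` is listed before `auth required pam_warn.so`; both are `required`, so pam_warn still runs, but the conventional warn-then-deny order reads as intended and avoids the assumption that the deny short-circuits. The real gap is that the account and session stacks consist of pam_deny alone, so an account or session call from any service without its own file is refused without a log line, which is exactly the case the paragraph's "after testing PAM for proper configuration" advice is trying to catch. Add `account required pam_warn.so` and `session required pam_warn.so` alongside the deny lines so a missing per-service file shows up in syslog instead of as a silent failure.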
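Review bot: the closing sentence, "they will now be performed by PAM modules", holds for only part of the login.defs list being commented out. LASTLOG_ENAB, MAIL_CHECK_ENAB, MOTD_FILE, NOLOGINS_FILE, ENVIRON_FILE and CONSOLE do map to pam_lastlog, pam_mail, pam_motd, pam_nologin, pam_env and pam_securetty in /etc/pam.d/login, and MD5_CRYPT_ENAB to the `md5` argument in /etc/pam.d/passwd. Nothing in the added stacks replaces the rest: /etc/pam.d/su has no pam_wheel.so, so with SU_WHEEL_ONLY disabled any account may attempt su to root on root's password alone; shadow is built `--without-libcrack`, PASS_MIN_LEN is commented out, and /etc/pam.d/passwd is the single line `password required pam_unix.so md5 shadow`, so no minimum-length or dictionary check survives anywhere; PORTTIME_CHECKS_ENAB has no pam_time.so and CONSOLE_GROUPS no pam_group.so counterpart. Either add `auth required pam_wheel.so use_uid` to su and a `password required pam_cracklib.so` line ahead of pam_unix in passwd (with `use_authtok` on the pam_unix line), or state plainly which checks this configuration drops rather than implying PAM now covers all of them.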