Changeset b4b71892 for postlfs/security/shadow.xml

Timestamp:

06/10/2004 05:47:11 AM (20 years ago)

Author:

Bruce Dubbs <bdubbs@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

cf43c83

Parents:

f8d632a

Message:

New XML Chapter 4

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2288 af4574ff-66df-0310-9fd7-8a98e5e911e0

File:

• postlfs/security/shadow.xml (modified) (2 diffs)

postlfs/security/shadow.xml

@@ +1 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+]>
+
 <sect1 id="shadow">
 <?dbhtml filename="shadow.html"?>
@@ -24 +31 @@
 </sect2>
 -->
-&shadow-intro;
-&shadow-inst;
-&shadow-exp;
-&shadow-config;
+
+
+<sect2>
+<title>Introduction to <application>Shadow</application></title>
+
+<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
+no reason to reinstall it unless you installed
+<application>Linux-<acronym>PAM</acronym></application>.  If you did,
+this will allow programs like <command>login</command> and
+<command>su</command> to utilize
+<acronym>PAM</acronym>.</para>
+
+<sect3><title>Additional downloads</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Patch to fix linking against PAM:
+<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
+</itemizedlist>
+</sect3>
+
+<sect3><title><application>Shadow</application> dependencies</title>
+<sect4><title>Required</title>
+<para><xref linkend="Linux_PAM"/></para></sect4>
+</sect3>
+</sect2>
+
+
+<sect2>
+<title>Installation of <application>shadow</application></title>
+
+<para>Reinstall shadow by running the following commands:</para>
+
+<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
+LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
+    --enable-shared --with-libpam --without-libcrack &amp;&amp;
+echo '#define HAVE_SETLOCALE 1' >> config.h &amp;&amp;
+make &amp;&amp;
+make install &amp;&amp;
+mv /bin/sg /usr/bin &amp;&amp;
+mv /bin/vigr /usr/sbin &amp;&amp;
+rm /bin/groups &amp;&amp;
+mv /usr/lib/lib{misc,shadow}.so.0* /lib &amp;&amp;
+ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &amp;&amp;
+ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
+
+</sect2>
+
+
+<sect2>
+<title>Command explanations</title>
+
+<para><parameter>--without-libcrack</parameter>: This switch tells shadow
+not to use libcrack. This is desired as
+<application>Linux-<acronym>PAM</acronym></application> already
+contains libcrack.</para>
+
+<!--  Leftover from older instructions????
+<para><command>cp debian/securetty /etc/securetty</command>: This
+command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
+-->
+
+</sect2>
+
+
+<sect2>
+<title>Configuring <application><acronym>PAM</acronym></application> to work 
+with <application>shadow</application></title>
+
+<sect3><title>Config files</title>
+<para><filename>/etc/pam.d/login</filename>,
+<filename>/etc/pam.d/passwd</filename>,
+<filename>/etc/pam.d/su</filename>,
+<filename>/etc/pam.d/shadow</filename>, and
+<filename>/etc/pam.d/useradd</filename></para>
+</sect3>
+
+<sect3><title>Configuration Information</title>
+
+<para>Add the following <application><acronym>PAM</acronym></application> 
+configuration files to <filename class="directory">/etc/pam.d</filename> (or add them to
+<filename>/etc/pam.conf</filename> with the additional field for the program).
+</para>
+<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/login
+
+auth        requisite      pam_securetty.so
+auth        requisite      pam_nologin.so
+auth        required       pam_env.so
+auth        required       pam_unix.so
+account     required       pam_access.so
+account     required       pam_unix.so
+session     required       pam_motd.so
+session     required       pam_limits.so
+session     optional       pam_mail.so     dir=/var/mail standard
+session     optional       pam_lastlog.so
+session     required       pam_unix.so
+
+# End /etc/pam.d/login
+<command>EOF
+cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/passwd
+
+password    required       pam_unix.so     md5 shadow 
+
+# End /etc/pam.d/passwd
+<command>EOF
+cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/shadow
+
+auth        sufficient      pam_rootok.so
+auth        required        pam_unix.so
+account     required        pam_unix.so
+session     required        pam_unix.so
+password    required        pam_permit.so
+
+# End /etc/pam.d/shadow
+<command>EOF
+cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/su
+
+auth        sufficient      pam_rootok.so
+auth        required        pam_unix.so
+account     required        pam_unix.so
+session     required        pam_unix.so
+
+# End /etc/pam.d/su
+<command>EOF
+cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/useradd
+
+auth        sufficient      pam_rootok.so
+auth        required        pam_unix.so
+account     required        pam_unix.so
+session     required        pam_unix.so
+password    required        pam_permit.so
+
+# End /etc/pam.d/useradd
+<command>EOF
+cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/chage
+
+auth        sufficient      pam_rootok.so
+auth        required        pam_unix.so
+account     required        pam_unix.so
+session     required        pam_unix.so
+password    required        pam_permit.so
+
+# End /etc/pam.d/chage
+<command>EOF</command></userinput></screen>
+
+<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
+allow anyone with an account on the machine to use programs
+that do not specifically have a configuration file of their own. After
+testing <application><acronym>PAM</acronym></application> for proper 
+configuration, it can be changed to the following:</para>
+
+<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/other
+
+auth        required        pam_deny.so
+auth        required        pam_warn.so
+account     required        pam_deny.so
+session     required        pam_deny.so
+password    required        pam_deny.so
+password    required        pam_warn.so
+
+# End /etc/pam.d/other
+<command>EOF</command></userinput></screen>
+
+<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
+to the beginning of the following lines:</para>
+<screen>LASTLOG_ENAB
+MAIL_CHECK_ENAB
+PORTTIME_CHECKS_ENAB
+CONSOLE
+MOTD_FILE
+NOLOGINS_FILE
+PASS_MIN_LEN
+SU_WHEEL_ONLY
+MD5_CRYPT_ENAB
+CONSOLE_GROUPS
+ENVIRON_FILE</screen>
+
+<para>This stops <command>login</command> from performing these functions, as 
+they will now be performed by <acronym>PAM</acronym> modules.</para>
+
+</sect3>
+
+</sect2>
 
 </sect1>