Changes in postlfs/security/linux-pam.xml [3f2db3a6:bf1e213]
postlfs/security/linux-pam.xml
r3f2db3a6 rbf1e213 23 23 <?dbhtml filename="linux-pam.html"?> 24 24 25 <sect1info> 26 <date>$Date$</date> 27 </sect1info> 25 28 26 29 <title>Linux-PAM-&linux-pam-version;</title> … … 35 38 <para> 36 39 The <application>Linux PAM</application> package contains 37 Pluggable Authentication Modules used bythe local38 system administrator to c ontrol how application programs authenticate40 Pluggable Authentication Modules used to enable the local 41 system administrator to choose how applications authenticate 39 42 users. 40 43 </para> 41 44 42 &lfs11 2_checked;45 &lfs110a_checked; 43 46 44 47 <bridgehead renderas="sect3">Package Information</bridgehead> … … 104 107 <xref linkend="libtirpc"/>, 105 108 <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and 106 <ulink url="http s://www.prelude-siem.org">Prelude</ulink>109 <ulink url="http://www.prelude-siem.org">Prelude</ulink> 107 110 </para> 108 111 … … 121 124 <xref role="runtime" linkend="shadow"/> 122 125 <phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/> 123 must</phrase><phrase revision="sysv">must</phrase> be reinstalled 124 and reconfigured 126 need</phrase><phrase revision="sysv">needs</phrase> to be reinstalled 125 127 after installing and configuring <application>Linux PAM</application>. 126 128 </para> … … 128 130 <para role="recommended"> 129 131 With Linux-PAM-1.4.0 and higher, the pam_cracklib module is not 130 installed by default. Use <xref role="runtime" linkend="libpwquality"/>131 to enforce strong passwords.132 installed by default. To enforce strong passwords, it is recommended 133 to use <xref role="runtime" linkend="libpwquality"/>. 
132 134 </para> 133 135 </note> … … 142 144 143 145 <para revision="sysv"> 144 First ,prevent the installation of an unneeded systemd file:146 First prevent the installation of an unneeded systemd file: 145 147 </para> 146 148 … … 157 159 158 160 <para> 159 If you want to regenerate the documentation yourself, fix the160 <command>configure</command> script so it will detect lynx:161 If you instead want to regenerate the documentation, fix the 162 <command>configure</command> script so that it detects lynx if installed: 161 163 </para> 162 164 … … 166 168 167 169 <para> 168 Compile and link<application>Linux PAM</application> by170 Install <application>Linux PAM</application> by 169 171 running the following commands: 170 172 </para> … … 184 186 185 187 <caution> 186 <title>Reinstallation or Upgrade of Linux PAM</title>188 <title>Reinstallation or upgrade of Linux PAM</title> 187 189 <para> 188 190 If you have a system with Linux PAM installed and working, be careful … … 191 193 may become totally unusable. If you want to run the tests, you do not 192 194 need to create another <filename>/etc/pam.d/other</filename> file. The 193 existing file can be used for the tests.195 installed one can be used for that purpose. 194 196 </para> 195 197 … … 198 200 overwrites the configuration files in 199 201 <filename class="directory">/etc/security</filename> as well as 200 <filename>/etc/environment</filename>. I fyou202 <filename>/etc/environment</filename>. In case you 201 203 have modified those files, be sure to back them up. 202 204 </para> … … 204 206 205 207 <para> 206 For a first -time installation, create aconfiguration file by issuing the208 For a first installation, create the configuration file by issuing the 207 209 following commands as the <systemitem class="username">root</systemitem> 208 210 user: … … 220 222 <para> 221 223 Now run the tests by issuing <command>make check</command>. 
222 Be sure the tests produced no errors before continuing the223 installation. Note that the tests are very long.224 Redirect the output to a log file, so you caninspect it thoroughly.225 </para> 226 227 <para> 228 For a first-timeinstallation, remove the configuration file224 Ensure there are no errors produced by the tests before continuing the 225 installation. Note that the checks are quite long. It may be useful to 226 redirect the output to a log file in order to inspect it thoroughly. 227 </para> 228 229 <para> 230 Only in case of a first installation, remove the configuration file 229 231 created earlier by issuing the following command as the 230 232 <systemitem class="username">root</systemitem> user: … … 257 259 linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink 258 260 url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the 259 html and text documentation files, aregenerated and installed.261 html and text documentations are (re)generated and installed. 260 262 Furthermore, if <xref linkend="fop"/> is installed, the PDF 261 263 documentation is generated and installed. Use this switch if you do not … … 265 267 <para> 266 268 <command>chmod -v 4755 /usr/sbin/unix_chkpwd</command>: 267 The setuid bit for the <command>unix_chkpwd</command> helper program must be268 turned on,so that non-<systemitem class="username">root</systemitem>269 The <command>unix_chkpwd</command> helper program must be setuid 270 so that non-<systemitem class="username">root</systemitem> 269 271 processes can access the shadow file. 270 272 </para> … … 276 278 277 279 <sect3 id="pam-config"> 278 <title>Config urationFiles</title>280 <title>Config Files</title> 279 281 280 282 <para> … … 299 301 Configuration information is placed in 300 302 <filename class="directory">/etc/pam.d/</filename>. 301 Here is a sample file:303 Below is an example file: 302 304 </para> 303 305 … … 312 314 313 315 <para> 314 Now create some generic configurationfiles. 
As the316 Now set up some generic files. As the 315 317 <systemitem class="username">root</systemitem> user: 316 318 </para> … … 345 347 # use sha512 hash for encryption, use shadow, and try to use any previously 346 348 # defined authentication token (chosen password) set by any prior module 347 # Use the same number of rounds as shadow. 348 password required pam_unix.so sha512 shadow try_first_pass \ 349 rounds=500000 349 password required pam_unix.so sha512 shadow try_first_pass 350 350 351 351 # End /etc/pam.d/system-password</literal> … … 356 356 If you wish to enable strong password support, install 357 357 <xref linkend="libpwquality"/>, and follow the 358 instructions on that page to configure the pam_pwquality358 instructions in that page to configure the pam_pwquality 359 359 PAM module with strong password support. 360 360 </para> 361 361 362 362 <!-- With the removal of the pam_cracklib module, we're supposed to be using 363 libpwquality. That already includes instructions in it s configuration363 libpwquality. That already includes instructions in it's configuration 364 364 information page, so we'll use those instead. 365 365 … … 367 367 is built in, and the PAM module is built. 368 368 --> 369 <!-- WARNING: If for any reason the instructions below are reinstated be 370 careful with the number of rounds, which should match the one in shadow. 369 <!-- 371 370 <para> 372 371 The remaining generic file depends on whether <xref … … 418 417 --> 419 418 <para> 420 N ext,add a restrictive <filename>/etc/pam.d/other</filename>419 Now add a restrictive <filename>/etc/pam.d/other</filename> 421 420 configuration file. With this file, programs that are PAM aware will 422 421 not run unless a configuration file specifically for that application 423 exists.422 is created. 
424 423 </para> 425 424 … … 441 440 <para> 442 441 The <application>PAM</application> man page (<command>man 443 pam</command>) provides a good starting point to learn 444 about the several fields, and allowable entries. 445 <!-- not accessible 2022-09-08 --> 446 <!-- it's available at a different address 2022-10-23--> 447 The 448 <ulink url="https://www.docs4dev.com/docs/en/linux-pam/1.1.2/reference/Linux-PAM_SAG.html"> 442 pam</command>) provides a good starting point for descriptions 443 of fields and allowable entries. The 444 <ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html"> 449 445 Linux-PAM System Administrators' Guide 450 446 </ulink> is recommended for additional information. … … 454 450 <para> 455 451 You should now reinstall the <xref linkend="shadow"/> 456 <phrase revision="sysv">package </phrase>452 <phrase revision="sysv">package.</phrase> 457 453 <phrase revision="systemd"> and <xref linkend="systemd"/> 458 packages </phrase>.454 packages.</phrase> 459 455 </para> 460 456 </important>
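Review bot: In the /etc/pam.d/system-password hunk (old lines 347-349), the new side drops `rounds=500000` from the `password required pam_unix.so sha512 shadow try_first_pass` line along with the comment "Use the same number of rounds as shadow", and the comment hunk that follows (old lines 369-370) also deletes the WARNING that the number of rounds "should match the one in shadow". After this change nothing on the page ties the PAM hashing cost to the shadow setting, so passwords changed through PAM are no longer hashed with the count the old text required. Keep the `rounds=` option and its comment, or explain in the text why the two settings may now differ.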
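Review bot: In the hunk at old lines 443-448, the new side points the Linux-PAM System Administrators' Guide link at http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html and deletes the two comments "not accessible 2022-09-08" and "it's available at a different address 2022-10-23", which suggests an earlier address had stopped resolving and was deliberately replaced. Confirm the address on the new side is reachable before committing, and keep a dated comment if it is not. The Prelude link at old line 106 also goes from https to http; prefer the https form unless it fails.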
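Review bot: At old line 168 the lead-in changes from "Compile and link" to "Install Linux PAM by running the following commands", but a later hunk still tells the reader to run `make check` and to make sure there are no errors "before continuing the installation". The step introduced here therefore precedes the actual install, and the new wording can lead a reader to believe PAM is already in place when the tests run. Keep "Compile and link", or reword so the build, test and install steps stay distinct.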
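Review bot: In the XML comment at old line 363, the new side reads "instructions in it's configuration information page"; the possessive takes no apostrophe, so this should stay "its".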