source: chapter06/shadow.xml@ 0c43171

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../general.ent">
  %general-entities;
]>
<sect1 id="ch-system-shadow" xreflabel="Shadow">
<title>Shadow-&shadow-version;</title>
<?dbhtml filename="shadow.html"?>

<indexterm zone="ch-system-shadow"><primary sortas="a-Shadow">Shadow</primary></indexterm>

<para>The Shadow package contains programs for handling passwords in a secure
way.</para>

<screen>&buildtime; 0.4 SBU
&diskspace; 11 MB</screen>

<para>Shadow installation depends on: Bash, Binutils, Bison, Coreutils,
Diffutils, GCC, Gettext, Glibc, Grep, Make, Sed.</para>



<sect2>
<title>Installation of Shadow</title>

<para>Shadow hard-wires the path to the <command>passwd</command> binary within
the binary itself, but does this the wrong way. If a <command>passwd</command>
binary is not present before installing Shadow, the package incorrectly assumes
it is going to be located at <filename>/bin/passwd</filename>, but then
installs it as <filename>/usr/bin/passwd</filename>. This will lead to errors
about not finding <filename>/bin/passwd</filename>. To work around this bug,
create a dummy <filename>passwd</filename> file, so that it gets hard-wired
properly:</para>

<screen><userinput>touch /usr/bin/passwd</userinput></screen>

<para>Now prepare Shadow for compilation:</para>

<screen><userinput>./configure --libdir=/usr/lib --enable-shared</userinput></screen>

<para>Work around a problem that prevents Shadow's internationalization from
working:</para>

<screen><userinput>echo '#define HAVE_SETLOCALE 1' &gt;&gt; config.h</userinput></screen>

<para>Compile the package:</para>

<screen><userinput>make</userinput></screen>

<para>Then install it:</para>

<screen><userinput>make install</userinput></screen>

<para>Shadow uses two files to configure authentication settings for the
system. Install these two config files:</para>

<screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen>

<para>Instead of using the default <emphasis>crypt</emphasis> method, we want
to use the more secure <emphasis>MD5</emphasis> method of password encryption,
which also allows passwords longer than 8 characters. We also need to
change the obsolete <filename class="directory">/var/spool/mail</filename>
location for user mailboxes that Shadow uses by default to the <filename 
class="directory">/var/mail</filename> location used currently. We accomplish
both these things by changing the relevant configuration file while copying it
to its destination (it's probably better to cut-and-paste this rather than try
and type it all in):</para>

<screen><userinput>sed -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \
    -e 's%/var/spool/mail%/var/mail%' \
    etc/login.defs.linux &gt; /etc/login.defs</userinput></screen>

<para>Move some misplaced symlinks to their proper locations:</para>

<screen><userinput>mv /bin/sg /usr/bin
mv /bin/vigr /usr/sbin</userinput></screen>

<para>And move Shadow's dynamic libraries to a more appropriate location:</para>

<screen><userinput>mv /usr/lib/lib{shadow,misc}.so.0* /lib</userinput></screen>

<para>As some packages expect to find the just-moved libraries in
<filename>/usr/lib</filename>, create the following symlinks:</para>

<screen><userinput>ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</userinput></screen>

<para>The -D option of the <filename>useradd</filename> program requires this
directory for it to work properly:</para>

<screen><userinput>mkdir /etc/default</userinput></screen>

<para>Coreutils has already installed a better <command>groups</command>
program in <filename class="directory">/usr/bin</filename>. Remove the one
installed by Shadow:</para>

<screen><userinput>rm /bin/groups</userinput></screen>

</sect2>


<sect2 id="conf-shadow"><title>Configuring Shadow</title>
<indexterm zone="conf-shadow">
<primary sortas="a-Shadow">Shadow</primary>
<secondary>configuring</secondary></indexterm>

<para>This package contains utilities to add, modify and delete users and
groups, set and change their passwords, and other such administrative tasks.
For a full explanation of what <emphasis>password shadowing</emphasis> means,
see the <filename>doc/HOWTO</filename> file within the unpacked source tree.
There's one thing to keep in mind if you decide to use Shadow support: programs
that need to verify passwords (display managers, ftp programs, pop3 daemons,
and the like) need to be <emphasis>shadow-compliant</emphasis>, that is they
need to be able to work with shadowed passwords.</para>

<para>To enable shadowed passwords, run the following command:</para>

<screen><userinput>pwconv</userinput></screen>

<para>To enable shadowed group passwords, run:</para>

<screen><userinput>grpconv</userinput></screen>

<para>Under normal circumstances, you won't have created any passwords yet.
However, if returning to this section later to enable shadowing, you should
reset any current user passwords with the <command>passwd</command> command or
any group passwords with the <command>gpasswd</command> command.</para>

</sect2>


<sect2>
<title>Setting the root password</title>

<para>Choose a password for user root and set it via:</para>

<screen><userinput>passwd root</userinput></screen>

</sect2>


<sect2 id="contents-shadow"><title>Contents of Shadow</title>

<para><emphasis>Installed programs</emphasis>: chage, chfn, chpasswd, chsh,
dpasswd, expiry, faillog, gpasswd, groupadd, groupdel, groupmod, groups, grpck,
grpconv, grpunconv, lastlog, login, logoutd, mkpasswd, newgrp, newusers,
passwd, pwck, pwconv, pwunconv, sg (link to newgrp), useradd, userdel, usermod,
vigr (link to vipw) and vipw</para>

</sect2>

<sect2><title>Short descriptions</title>

<indexterm zone="ch-system-shadow chage"><primary sortas="b-chage">chage</primary></indexterm>
<para id="chage"><command>chage</command> is used to change the maximum number of
days between obligatory password changes.</para>

<indexterm zone="ch-system-shadow chfn"><primary sortas="b-chfn">chfn</primary></indexterm>
<para id="chfn"><command>chfn</command> is used to change a user's full name and
some other info.</para>

<indexterm zone="ch-system-shadow chpasswd"><primary sortas="b-chpasswd">chpasswd</primary></indexterm>
<para id="chpasswd"><command>chpasswd</command> is used to update the passwords of a
whole series of user accounts in one go.</para>

<indexterm zone="ch-system-shadow chsh"><primary sortas="b-chsh">chsh</primary></indexterm>
<para id="chsh"><command>chsh</command> is used to change a user's default
 login shell.</para>

<indexterm zone="ch-system-shadow dpasswd"><primary sortas="b-dpasswd">dpasswd</primary></indexterm>
<para id="dpasswd"><command>dpasswd</command> is used to change dial-up passwords for
user login shells.</para>

<indexterm zone="ch-system-shadow expiry"><primary sortas="b-expiry">expiry</primary></indexterm>
<para id="expiry"><command>expiry</command> checks and enforces the current password
expiration policy.</para>

<indexterm zone="ch-system-shadow faillog"><primary sortas="b-faillog">faillog</primary></indexterm>
<para id="faillog"><command>faillog</command> is used to examine the log of login
failures, to set a maximum number of failures before an account is blocked,
or to reset the failure count.</para>

<indexterm zone="ch-system-shadow gpasswd"><primary sortas="b-gpasswd">gpasswd</primary></indexterm>
<para id="gpasswd"><command>gpasswd</command> is used to add and delete members and
administrators to groups.</para>

<indexterm zone="ch-system-shadow groupadd"><primary sortas="b-groupadd">groupadd</primary></indexterm>
<para id="groupadd"><command>groupadd</command> creates a group with the given
name.</para>

<indexterm zone="ch-system-shadow groupdel"><primary sortas="b-groupdel">groupdel</primary></indexterm>
<para id="groupdel"><command>groupdel</command> deletes the group with the given
name.</para>

<indexterm zone="ch-system-shadow groupmod"><primary sortas="b-groupmod">groupmod</primary></indexterm>
<para id="groupmod"><command>groupmod</command> is used to modify the given group's
name or GID.</para>

<indexterm zone="ch-system-shadow groups"><primary sortas="b-groups">groups</primary></indexterm>
<para id="groups"><command>groups</command> reports the groups of which the given
users are members.</para>

<indexterm zone="ch-system-shadow grpck"><primary sortas="b-grpck">grpck</primary></indexterm>
<para id="grpck"><command>grpck</command> verifies the integrity of the group files,
<filename>/etc/group</filename> and <filename>/etc/gshadow</filename>.</para>

<indexterm zone="ch-system-shadow grpconv"><primary sortas="b-grpconv">grpconv</primary></indexterm>
<para id="grpconv"><command>grpconv</command> creates or updates the shadow group file
from the normal group file.</para>

<indexterm zone="ch-system-shadow grpunconv"><primary sortas="b-grpunconv">grpunconv</primary></indexterm>
<para id="grpunconv"><command>grpunconv</command> updates <filename>/etc/group</filename>
from <filename>/etc/gshadow</filename> and then deletes the latter.</para>

<indexterm zone="ch-system-shadow lastlog"><primary sortas="b-lastlog">lastlog</primary></indexterm>
<para id="lastlog"><command>lastlog</command> reports the most recent login of all
users, or of a given user.</para>

<indexterm zone="ch-system-shadow login"><primary sortas="b-login">login</primary></indexterm>
<para id="login"><command>login</command> is used by the system to let users sign on.</para>

<indexterm zone="ch-system-shadow logoutd"><primary sortas="b-logoutd">logoutd</primary></indexterm>
<para id="logoutd"><command>logoutd</command> is a daemon used to enforce restrictions
on log-on time and ports.</para>

<indexterm zone="ch-system-shadow mkpasswd"><primary sortas="b-mkpasswd">mkpasswd</primary></indexterm>
<para id="mkpasswd"><command>mkpasswd</command> encrypts the given password using the
also given perturbation.</para>

<indexterm zone="ch-system-shadow newgrp"><primary sortas="b-newgrp">newgrp</primary></indexterm>
<para id="newgrp"><command>newgrp</command> is used to change the current GID during
a login session.</para>

<indexterm zone="ch-system-shadow newusers"><primary sortas="b-newusers">newusers</primary></indexterm>
<para id="newusers"><command>newusers</command> is used to create or update a whole
series of user accounts in one go.</para>

<indexterm zone="ch-system-shadow passwd"><primary sortas="b-passwd">passwd</primary></indexterm>
<para id="passwd"><command>passwd</command> is used to change the password for a user
or group account.</para>

<indexterm zone="ch-system-shadow pwck"><primary sortas="b-pwck">pwck</primary></indexterm>
<para id="pwck"><command>pwck</command> verifies the integrity of the password files,
<filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>.</para>

<indexterm zone="ch-system-shadow pwconv"><primary sortas="b-pwconv">pwconv</primary></indexterm>
<para id="pwconv"><command>pwconv</command> creates or updates the shadow password file
from the normal password file.</para>

<indexterm zone="ch-system-shadow pwunconv"><primary sortas="b-pwunconv">pwunconv</primary></indexterm>
<para id="pwunconv"><command>pwunconv</command> updates <filename>/etc/passwd</filename>
from <filename>/etc/shadow</filename> and then deletes the latter.</para>

<indexterm zone="ch-system-shadow sg"><primary sortas="b-sg">sg</primary></indexterm>
<para id="sg"><command>sg</command> executes a given command while the user's GID
is set to that of the given group.</para>

<indexterm zone="ch-system-shadow useradd"><primary sortas="b-useradd">useradd</primary></indexterm>
<para id="useradd"><command>useradd</command> creates a new user with the given name,
or updates the default new-user information.</para>

<indexterm zone="ch-system-shadow userdel"><primary sortas="b-userdel">userdel</primary></indexterm>
<para id="userdel"><command>userdel</command> deletes the given user account.</para>

<indexterm zone="ch-system-shadow usermod"><primary sortas="b-usermod">usermod</primary></indexterm>
<para id="usermod"><command>usermod</command> is used to modify the given user's
login name, UID (User Identification), shell, initial group, home directory, and the like.</para>

<indexterm zone="ch-system-shadow vigr"><primary sortas="b-vigr">vigr</primary></indexterm>
<para id="vigr"><command>vigr</command> can be used to edit the
<filename>/etc/group</filename> or <filename>/etc/gshadow</filename>
files.</para>

<indexterm zone="ch-system-shadow vipw"><primary sortas="b-vipw">vipw</primary></indexterm>
<para id="vipw"><command>vipw</command> can be used to edit the
<filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>
files.</para>

<indexterm zone="ch-system-shadow libmisc"><primary sortas="c-libmisc">libmisc</primary></indexterm>
<para id="libmisc"><command>libmisc</command>...</para>

<indexterm zone="ch-system-shadow libshadow"><primary sortas="c-libshadow">libshadow</primary></indexterm>
<para id="libshadow"><command>libshadow</command> contains functions used by most
programs in this package.</para>

</sect2>



</sect1>