source: chapter06/shadow.xml@ 470b5d4

Last change on this file since 470b5d4 was 470b5d4, checked in by Archaic <archaic@…>, 18 years ago

Added chgpasswd to the list of installed files for Shadow.

git-svn-id: http://svn.linuxfromscratch.org/LFS/trunk/BOOK@7511 4aa44e1e-78dd-0310-a6d2-fbcd4c07a689

  • Property mode set to 100644
File size: 19.3 KB
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
  "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../general.ent">
  %general-entities;
]>

<sect1 id="ch-system-shadow" role="wrap">
  <?dbhtml filename="shadow.html"?>

  <title>Shadow-&shadow-version;</title>

  <indexterm zone="ch-system-shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title/>

    <para>The Shadow package contains programs for handling passwords in a secure
    way.</para>

    <segmentedlist>
      <segtitle>&buildtime;</segtitle>
      <segtitle>&diskspace;</segtitle>

      <seglistitem>
        <seg>0.3 SBU</seg>
        <seg>18.6 MB</seg>
      </seglistitem>
    </segmentedlist>

    <segmentedlist>
      <segtitle>&dependencies;</segtitle>

      <seglistitem>
        <seg>Bash, Binutils, Bison, Coreutils, Diffutils, GCC, Gettext,
        Glibc, Grep, Make, and Sed</seg>
      </seglistitem>
    </segmentedlist>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Shadow</title>

    <note>
      <para>If you would like to enforce the use of strong passwords, refer to
      <ulink url="&blfs-root;view/svn/postlfs/cracklib.html"/> for installing
      Cracklib prior to building Shadow. Then add
      <parameter>--with-libcrack</parameter> to the <command>configure</command>
      command below.</para>
    </note>

    <para>Prepare Shadow for compilation:</para>

<screen><userinput>./configure --libdir=/lib --enable-shared --without-selinux</userinput></screen>

    <variablelist>
      <title>The meaning of the configure options:</title>

      <varlistentry>
        <term><parameter>--without-selinux</parameter></term>
        <listitem>
          <para>Support for SELinux is enabled by default, but SELinux is not
          built in a base LFS system. The <command>configure</command> script
          will fail if this option is not used.</para>
        </listitem>
      </varlistentry>

    </variablelist>

    <para>Disable the installation of the <command>groups</command> program
    and its man page, as Coreutils provides a better version:</para>

<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile
find man -name Makefile -exec sed -i '/groups/d' {} \;</userinput></screen>

    <para>Disable the installation of Chinese and Korean manual pages, since
    Man-DB cannot format them properly:</para>

<screen><userinput>sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile</userinput></screen>

    <para>Shadow supplies other manual pages in a UTF-8 encoding. Man-DB
    can display these in the recommended encodings by using the convert-mans
    script which we installed.</para>

<screen><userinput>for i in de es fi fr id it pt_BR; do
    convert-mans UTF-8 ISO-8859-1 man/${i}/*.?
done

for i in cs hu pl; do
    convert-mans UTF-8 ISO-8859-2 man/${i}/*.?
done

convert-mans UTF-8 EUC-JP man/ja/*.?
convert-mans UTF-8 KOI8-R man/ru/*.?
convert-mans UTF-8 ISO-8859-9 man/tr/*.?</userinput></screen>

    <para>Compile the package:</para>

<screen><userinput>make</userinput></screen>

    <para>This package does not come with a test suite.</para>

    <para>Install the package:</para>

<screen><userinput>make install</userinput></screen>

    <para id="shadow-limits-login_access">Shadow uses two files to configure
    authentication settings for the system. Install these two configuration
    files:</para>

    <indexterm zone="shadow-limits-login_access">
      <primary sortas="e-/etc/limits">/etc/limits</primary>
    </indexterm>

    <indexterm zone="shadow-limits-login_access">
      <primary sortas="e-/etc/login.access">/etc/login.access</primary>
    </indexterm>

<screen><userinput>cp -v etc/{limits,login.access} /etc</userinput></screen>

    <para id="shadow-login_defs">Instead of using the default
    <emphasis>crypt</emphasis> method, use the more secure
    <emphasis>MD5</emphasis> method of password encryption, which also allows
    passwords longer than 8 characters. It is also necessary to change the
    obsolete <filename class="directory">/var/spool/mail</filename> location
    for user mailboxes that Shadow uses by default to the <filename
    class="directory">/var/mail</filename> location used currently. Both of
    these can be accomplished by changing the relevant configuration file
    while copying it to its destination:</para>

    <indexterm zone="shadow-login_defs">
      <primary sortas="e-/etc/login.defs">/etc/login.defs</primary>
    </indexterm>

    <note>
      <para>If you built Shadow with Cracklib support, insert the following into
      the <command>sed</command> given below:</para>

<screen><literal>-e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@'</literal></screen>
    </note>

<screen><userinput>sed -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
    -e 's@/var/spool/mail@/var/mail@' \
    etc/login.defs &gt; /etc/login.defs</userinput></screen>

    <para>Move a misplaced program to its proper location:</para>

<screen><userinput>mv -v /usr/bin/passwd /bin</userinput></screen>

    <para>Move Shadow's libraries to more appropriate locations:</para>

<screen><userinput>mv -v /lib/libshadow.*a /usr/lib
rm -v /lib/libshadow.so
ln -sfv ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen>

    <para>The <parameter>-D</parameter> option of the
    <command>useradd</command> program requires the <filename
    class="directory">/etc/default</filename> directory for it to work
    properly:</para>

<screen><userinput>mkdir -v /etc/default</userinput></screen>

  </sect2>

  <sect2 id="conf-shadow" role="configuration">
    <title>Configuring Shadow</title>

    <indexterm zone="conf-shadow">
      <primary sortas="a-Shadow">Shadow</primary>
      <secondary>configuring</secondary>
    </indexterm>

    <para>This package contains utilities to add, modify, and delete users and
    groups; set and change their passwords; and perform other administrative
    tasks. For a full explanation of what <emphasis>password shadowing</emphasis>
    means, see the <filename>doc/HOWTO</filename> file within the unpacked
    source tree. If using Shadow support, keep in mind that programs which need
    to verify passwords (display managers, FTP programs, pop3 daemons, etc.)
    must be Shadow-compliant. That is, they need to be able to work with
    shadowed passwords.</para>

    <para>To enable shadowed passwords, run the following command:</para>

<screen><userinput>pwconv</userinput></screen>

    <para>To enable shadowed group passwords, run:</para>

<screen><userinput>grpconv</userinput></screen>

    <para>Under normal circumstances, passwords will not have been created
    yet. However, if returning to this section later to enable shadowing,
    reset any current user passwords with the <command>passwd</command>
    command or any group passwords with the <command>gpasswd</command>
    command.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Setting the root password</title>

    <para>Choose a password for user <emphasis>root</emphasis> and set it
    by running:</para>

<screen role="nodump"><userinput>passwd root</userinput></screen>

  </sect2>

  <sect2 id="contents-shadow" role="content">
    <title>Contents of Shadow</title>

    <segmentedlist>
      <segtitle>Installed programs</segtitle>
      <segtitle>Installed libraries</segtitle>

      <seglistitem>
        <seg>chage, chfn, chgpasswd, chpasswd, chsh, expiry, faillog, gpasswd,
        groupadd, groupdel, groupmod, grpck, grpconv, grpunconv, lastlog, login,
        logoutd, newgrp, newusers, passwd, pwck, pwconv, pwunconv, sg (link to
        newgrp), su, useradd, userdel, usermod, vigr (link to vipw), and
        vipw</seg>
        <seg>libshadow.[a,so]</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="chage">
        <term><command>chage</command></term>
        <listitem>
          <para>Used to change the maximum number of days between obligatory
          password changes</para>
          <indexterm zone="ch-system-shadow chage">
            <primary sortas="b-chage">chage</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="chfn">
        <term><command>chfn</command></term>
        <listitem>
          <para>Used to change a user's full name and other information</para>
          <indexterm zone="ch-system-shadow chfn">
            <primary sortas="b-chfn">chfn</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="chgpasswd">
        <term><command>chgpasswd</command></term>
        <listitem>
          <para>Used to update group passwords in batch mode</para>
          <indexterm zone="ch-system-shadow chgpasswd">
            <primary sortas="b-chgpasswd">chgpasswd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="chpasswd">
        <term><command>chpasswd</command></term>
        <listitem>
          <para>Used to update user passwords in batch mode</para>
          <indexterm zone="ch-system-shadow chpasswd">
            <primary sortas="b-chpasswd">chpasswd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="chsh">
        <term><command>chsh</command></term>
        <listitem>
          <para>Used to change a user's default login shell</para>
          <indexterm zone="ch-system-shadow chsh">
            <primary sortas="b-chsh">chsh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="expiry">
        <term><command>expiry</command></term>
        <listitem>
          <para>Checks and enforces the current password expiration policy</para>
          <indexterm zone="ch-system-shadow expiry">
            <primary sortas="b-expiry">expiry</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="faillog">
        <term><command>faillog</command></term>
        <listitem>
          <para>Is used to examine the log of login failures, to set a maximum
          number of failures before an account is blocked, or to reset the
          failure count</para>
          <indexterm zone="ch-system-shadow faillog">
            <primary sortas="b-faillog">faillog</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="gpasswd">
        <term><command>gpasswd</command></term>
        <listitem>
          <para>Is used to add and delete members and administrators to
          groups</para>
          <indexterm zone="ch-system-shadow gpasswd">
            <primary sortas="b-gpasswd">gpasswd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="groupadd">
        <term><command>groupadd</command></term>
        <listitem>
          <para>Creates a group with the given name</para>
          <indexterm zone="ch-system-shadow groupadd">
            <primary sortas="b-groupadd">groupadd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="groupdel">
        <term><command>groupdel</command></term>
        <listitem>
          <para>Deletes the group with the given name</para>
          <indexterm zone="ch-system-shadow groupdel">
            <primary sortas="b-groupdel">groupdel</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="groupmod">
        <term><command>groupmod</command></term>
        <listitem>
          <para>Is used to modify the given group's name or GID</para>
          <indexterm zone="ch-system-shadow groupmod">
            <primary sortas="b-groupmod">groupmod</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="grpck">
        <term><command>grpck</command></term>
        <listitem>
          <para>Verifies the integrity of the group files
          <filename>/etc/group</filename> and
          <filename>/etc/gshadow</filename></para>
          <indexterm zone="ch-system-shadow grpck">
            <primary sortas="b-grpck">grpck</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="grpconv">
        <term><command>grpconv</command></term>
        <listitem>
          <para>Creates or updates the shadow group file from the normal
          group file</para>
          <indexterm zone="ch-system-shadow grpconv">
            <primary sortas="b-grpconv">grpconv</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="grpunconv">
        <term><command>grpunconv</command></term>
        <listitem>
          <para>Updates <filename>/etc/group</filename> from
          <filename>/etc/gshadow</filename> and then deletes the latter</para>
          <indexterm zone="ch-system-shadow grpunconv">
            <primary sortas="b-grpunconv">grpunconv</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="lastlog">
        <term><command>lastlog</command></term>
        <listitem>
          <para>Reports the most recent login of all users or of a
          given user</para>
          <indexterm zone="ch-system-shadow lastlog">
            <primary sortas="b-lastlog">lastlog</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="login">
        <term><command>login</command></term>
        <listitem>
          <para>Is used by the system to let users sign on</para>
          <indexterm zone="ch-system-shadow login">
            <primary sortas="b-login">login</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="logoutd">
        <term><command>logoutd</command></term>
        <listitem>
          <para>Is a daemon used to enforce restrictions on log-on time
          and ports</para>
          <indexterm zone="ch-system-shadow logoutd">
            <primary sortas="b-logoutd">logoutd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="newgrp">
        <term><command>newgrp</command></term>
        <listitem>
          <para>Is used to change the current GID during a login session</para>
          <indexterm zone="ch-system-shadow newgrp">
            <primary sortas="b-newgrp">newgrp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="newusers">
        <term><command>newusers</command></term>
        <listitem>
          <para>Is used to create or update an entire series of user
          accounts</para>
          <indexterm zone="ch-system-shadow newusers">
            <primary sortas="b-newusers">newusers</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="passwd">
        <term><command>passwd</command></term>
        <listitem>
          <para>Is used to change the password for a user or group account</para>
          <indexterm zone="ch-system-shadow passwd">
            <primary sortas="b-passwd">passwd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="pwck">
        <term><command>pwck</command></term>
        <listitem>
          <para>Verifies the integrity of the password files
          <filename>/etc/passwd</filename> and
          <filename>/etc/shadow</filename></para>
          <indexterm zone="ch-system-shadow pwck">
            <primary sortas="b-pwck">pwck</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="pwconv">
        <term><command>pwconv</command></term>
        <listitem>
          <para>Creates or updates the shadow password file from the normal
          password file</para>
          <indexterm zone="ch-system-shadow pwconv">
            <primary sortas="b-pwconv">pwconv</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="pwunconv">
        <term><command>pwunconv</command></term>
        <listitem>
          <para>Updates <filename>/etc/passwd</filename> from
          <filename>/etc/shadow</filename> and then deletes the latter</para>
          <indexterm zone="ch-system-shadow pwunconv">
            <primary sortas="b-pwunconv">pwunconv</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sg">
        <term><command>sg</command></term>
        <listitem>
          <para>Executes a given command while the user's GID
          is set to that of the given group</para>
          <indexterm zone="ch-system-shadow sg">
            <primary sortas="b-sg">sg</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="su">
        <term><command>su</command></term>
        <listitem>
          <para>Runs a shell with substitute user and group IDs</para>
          <indexterm zone="ch-system-shadow su">
            <primary sortas="b-su">su</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="useradd">
        <term><command>useradd</command></term>
        <listitem>
          <para>Creates a new user with the given name, or updates the default
          new-user information</para>
          <indexterm zone="ch-system-shadow useradd">
            <primary sortas="b-useradd">useradd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="userdel">
        <term><command>userdel</command></term>
        <listitem>
          <para>Deletes the given user account</para>
          <indexterm zone="ch-system-shadow userdel">
            <primary sortas="b-userdel">userdel</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="usermod">
        <term><command>usermod</command></term>
        <listitem>
          <para>Is used to modify the given user's login name, User
          Identification (UID), shell, initial group, home directory, etc.</para>
          <indexterm zone="ch-system-shadow usermod">
            <primary sortas="b-usermod">usermod</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="vigr">
        <term><command>vigr</command></term>
        <listitem>
          <para>Edits the <filename>/etc/group</filename> or
          <filename>/etc/gshadow</filename> files</para>
          <indexterm zone="ch-system-shadow vigr">
            <primary sortas="b-vigr">vigr</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="vipw">
        <term><command>vipw</command></term>
        <listitem>
          <para>Edits the <filename>/etc/passwd</filename> or
          <filename>/etc/shadow</filename> files</para>
          <indexterm zone="ch-system-shadow vipw">
            <primary sortas="b-vipw">vipw</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libshadow">
        <term><filename class="libraryfile">libshadow</filename></term>
        <listitem>
          <para>Contains functions used by most programs in this package</para>
          <indexterm zone="ch-system-shadow libshadow">
            <primary sortas="c-libshadow">libshadow</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
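
The checks below are an added example, not part of the LFS book or the Shadow package: they confirm the two results this file sets up, the `login.defs` edit (MD5 enabled, old mail spool path gone) and the `pwconv` conversion. The function names and sample files are constructed for illustration, and the hash strings are placeholders rather than real hashes.

```shell
#!/bin/sh
# Added example (not from the LFS book): post-install checks for the
# login.defs edit and the pwconv step. Paths are arguments so the checks
# can run on copies as well as on the files under /etc.

# Succeeds if MD5_CRYPT_ENAB is active and the old mail spool path is gone.
check_login_defs() {
    grep -Eq '^MD5_CRYPT_ENAB[[:space:]]+yes' "$1" &&
        ! grep -q '/var/spool/mail' "$1"
}

# Prints accounts whose passwd entry does not hold the "x" placeholder,
# i.e. entries that pwconv has not moved into the shadow file.
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Prints "name scheme" for each shadow entry. "$1$" is the crypt(3) prefix
# for MD5; a bare 13-character field is the traditional crypt method.
hash_schemes() {
    awk -F: '{
        h = $2
        if (h == "") s = "empty"
        else if (h ~ /^[!*]/) s = "locked"
        else if (substr(h, 1, 3) == "$1$") s = "md5"
        else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") s = "des"
        else s = "other"
        print $1, s
    }' "$1"
}

# Constructed sample files; the hash fields are placeholders.
demo() {
    d=$(mktemp -d) || return 1
    printf 'MD5_CRYPT_ENAB yes\nMAIL_DIR\t/var/mail\n' > "$d/login.defs"
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
olduser:ab0123456789.:1000:1000::/home/olduser:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$1$CONSTRUC$0123456789abcdefghijkl:13000:0:99999:7:::
legacy:ab0123456789.:13000:0:99999:7:::
daemon:*:13000:0:99999:7:::
EOF
    check_login_defs "$d/login.defs" && echo "login.defs: ok"
    echo "not shadowed: $(unshadowed_accounts "$d/passwd")"
    hash_schemes "$d/shadow"
    rm -rf "$d"
}
demo
```

On an installed system, pass `/etc/login.defs`, `/etc/passwd` and `/etc/shadow` to the three functions; reading `/etc/shadow` requires root.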