| 1 | <sect1 id="ch06-shadow" xreflabel="Shadow">
|
|---|
| 2 | <title>Installing Shadow-&shadow-version;</title>
|
|---|
| 3 | <?dbhtml filename="shadow.html" dir="chapter06"?>
|
|---|
| 4 |
|
|---|
| 5 | <para>The Shadow package contains programs for handling passwords in a secure
|
|---|
| 6 | way.</para>
|
|---|
| 7 |
|
|---|
| 8 | <screen>Estimated build time: &shadow-time;
|
|---|
| 9 | Estimated required disk space: &shadow-compsize;</screen>
|
|---|
| 10 |
|
|---|
| 11 | &aa-shadowpwd-down;
|
|---|
| 12 | &aa-shadowpwd-dep;
|
|---|
| 13 |
|
|---|
| 14 | <sect2><title> </title><para> </para></sect2>
|
|---|
| 15 |
|
|---|
| 16 | <sect2>
|
|---|
| 17 | <title>Installation of Shadow</title>
|
|---|
| 18 |
|
|---|
| 19 | <para>The <userinput>login</userinput>, <userinput>getty</userinput> and
|
|---|
| 20 | <userinput>init</userinput> programs (and some others) maintain a number
|
|---|
| 21 | of logfiles to record who are and who were logged in to the system. These
|
|---|
| 22 | programs, however, don't create these logfiles when they don't exist, so if
|
|---|
| 23 | you want this logging to occur you will have to create the files yourself.
|
|---|
| 24 | The Shadow package needs to detect these files in their proper place, so we
|
|---|
| 25 | create them now, with their proper permissions:</para>
|
|---|
| 26 |
|
|---|
| 27 | <screen><userinput>touch /var/run/utmp /var/log/{btmp,lastlog,wtmp}
|
|---|
| 28 | chmod 644 /var/run/utmp /var/log/{btmp,lastlog,wtmp}</userinput></screen>
|
|---|
| 29 |
|
|---|
| 30 | <para>The <filename>/var/run/utmp</filename> file lists the users that are
|
|---|
| 31 | currently logged in, the <filename>/var/log/wtmp</filename> file who
|
|---|
| 32 | <emphasis>were</emphasis> logged in and when.
|
|---|
| 33 | The <filename>/var/log/lastlog</filename> file shows for each user when he
|
|---|
| 34 | or she last logged in, and the <filename>/var/log/btmp</filename> lists the
|
|---|
| 35 | bad login attempts.</para>
|
|---|
| 36 |
|
|---|
| 37 | <para>Shadow hard-wires the path to the <userinput>passwd</userinput> binary
|
|---|
| 38 | within the binary itself, but does this the wrong way. If a
|
|---|
| 39 | <userinput>passwd</userinput> binary is not present before installing Shadow,
|
|---|
| 40 | the package incorrectly assumes it is going to be located at
|
|---|
| 41 | <filename>/bin/passwd</filename>, but then installs it in
|
|---|
| 42 | <filename>/usr/bin/passwd</filename>. This will lead to errors about not finding
|
|---|
| 43 | <filename>/bin/passwd</filename>. To work around this bug, create a dummy
|
|---|
| 44 | <filename>passwd</filename> file, so that it gets hard-wired properly:</para>
|
|---|
| 45 |
|
|---|
| 46 | <screen><userinput>touch /usr/bin/passwd</userinput></screen>
|
|---|
| 47 |
|
|---|
| 48 | <para>The current Shadow suite has a problem that causes the
|
|---|
| 49 | <userinput>newgrp</userinput> command to fail. The following patch (also
|
|---|
| 50 | appearing in Shadow's CVS code) fixes this problem:</para>
|
|---|
| 51 |
|
|---|
| 52 | <screen><userinput>patch -Np1 -i ../&shadow-patch;</userinput></screen>
|
|---|
| 53 |
|
|---|
| 54 | <para>Now prepare Shadow for compilation:</para>
|
|---|
| 55 |
|
|---|
| 56 | <screen><userinput>./configure --prefix=/usr --libdir=/usr/lib --enable-shared</userinput></screen>
|
|---|
| 57 |
|
|---|
| 58 | <para>Compile the package:</para>
|
|---|
| 59 |
|
|---|
| 60 | <screen><userinput>make</userinput></screen>
|
|---|
| 61 |
|
|---|
| 62 | <para>And install it:</para>
|
|---|
| 63 |
|
|---|
| 64 | <screen><userinput>make install</userinput></screen>
|
|---|
| 65 |
|
|---|
| 66 | <para>Shadow uses two files to configure authentication settings for the
|
|---|
| 67 | system. Install these two config files:</para>
|
|---|
| 68 |
|
|---|
| 69 | <screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen>
|
|---|
| 70 |
|
|---|
| 71 | <para>We want to change the password method to enable MD5 passwords which are
|
|---|
| 72 | theoretically more secure than the default "crypt" method and also allow
|
|---|
| 73 | password lengths greater than 8 characters. We also need to change the old
|
|---|
| 74 | <filename class="directory">/var/spool/mail</filename> location for user
|
|---|
| 75 | mailboxes to the current location at
|
|---|
| 76 | <filename class="directory">/var/mail</filename>. We do this by changing the
|
|---|
| 77 | relevant configuration file while copying it to its destination:</para>
|
|---|
| 78 |
|
|---|
| 79 | <screen><userinput>sed -e 's%/var/spool/mail%/var/mail%' \
|
|---|
| 80 | -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \
|
|---|
| 81 | etc/login.defs.linux > /etc/login.defs</userinput></screen>
|
|---|
| 82 |
|
|---|
| 83 | <note><para>Be extra careful when typing all of the above. It is probably safer
|
|---|
| 84 | to cut-and-paste it rather than try and type it all in.</para></note>
|
|---|
| 85 |
|
|---|
| 86 | <para>According to the man page of <userinput>vipw</userinput>, a
|
|---|
| 87 | <userinput>vigr</userinput> program should exist too. Since the installation
|
|---|
| 88 | procedure doesn't create this program, create a symlink manually:</para>
|
|---|
| 89 |
|
|---|
| 90 | <screen><userinput>ln -s vipw /usr/sbin/vigr</userinput></screen>
|
|---|
| 91 |
|
|---|
| 92 | <para>As the <filename>/bin/vipw</filename> symlink is redundant (and even
|
|---|
| 93 | pointing to a non-existent file), remove it:</para>
|
|---|
| 94 |
|
|---|
| 95 | <screen><userinput>rm /bin/vipw</userinput></screen>
|
|---|
| 96 |
|
|---|
| 97 | <para>Now move the <userinput>sg</userinput> program to its proper place:</para>
|
|---|
| 98 |
|
|---|
| 99 | <screen><userinput>mv /bin/sg /usr/bin</userinput></screen>
|
|---|
| 100 |
|
|---|
| 101 | <para>And move Shadow's dynamic libraries to a more appropriate location:</para>
|
|---|
| 102 |
|
|---|
| 103 | <screen><userinput>mv /usr/lib/lib{shadow,misc}.so.0* /lib</userinput></screen>
|
|---|
| 104 |
|
|---|
| 105 | <para>As some packages expect to find the just-moved libraries in
|
|---|
| 106 | <filename>/usr/lib</filename>, create the following symlinks:</para>
|
|---|
| 107 |
|
|---|
| 108 | <screen><userinput>ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
|
|---|
| 109 | ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</userinput></screen>
|
|---|
| 110 |
|
|---|
| 111 | <para>The -D option of the <filename>useradd</filename> program requires this
|
|---|
| 112 | directory for it to work properly:</para>
|
|---|
| 113 |
|
|---|
| 114 | <screen><userinput>mkdir /etc/default</userinput></screen>
|
|---|
| 115 |
|
|---|
| 116 | <para>Coreutils has already installed a <userinput>groups</userinput> program
|
|---|
| 117 | in <filename>/usr/bin</filename>. If you wish, you can remove the one
|
|---|
| 118 | installed by Shadow:</para>
|
|---|
| 119 |
|
|---|
| 120 | <screen><userinput>rm /bin/groups</userinput></screen>
|
|---|
| 121 |
|
|---|
| 122 | </sect2>
|
|---|
| 123 |
|
|---|
| 124 | &c6-cf-shadowpwd;
|
|---|
| 125 | &c6-cf-password;
|
|---|
| 126 |
|
|---|
| 127 | &aa-shadowpwd-shortdesc;
|
|---|
| 128 | &aa-shadowpwd-desc;
|
|---|
| 129 |
|
|---|
| 130 | </sect1>
|
|---|
| 131 |
|
|---|
