glfs/postlfs/security/shadow/shadow-config.xml

<sect2>
<title>Configuring PAM to work with shadow</title>

<sect3><title>Config files</title>
<para><userinput>/etc/pam.d/login /etc/pam.d/passwd /etc/pam.d/su
/etc/pam.d/shadow /etc/pam.d/useradd</userinput></para>
</sect3>

<sect3><title>Configuration Information</title>

<para>Add the following PAM configuration files to
<filename>/etc/pam.d</filename> (or add them to
<filename>/etc/pam.conf</filename> with
the additional field for the program).
</para>
<screen><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so     dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so

# End /etc/pam.d/login
<userinput>EOF
cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/passwd

password    required       pam_unix.so     md5 shadow use_authtok

# End /etc/pam.d/passwd
<userinput>EOF
cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/shadow

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/shadow
<userinput>EOF
cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/su

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so

# End /etc/pam.d/su
<userinput>EOF
cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/useradd

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/useradd
<userinput>EOF</userinput></screen>

<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use programs
that do not specifically have a configuration file of their own. After
testing PAM for proper configuration, it can be changed to the
following:</para>

<screen><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/other

auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
session     required        pam_deny.so
password    required        pam_deny.so
password    required        pam_warn.so

# End /etc/pam.d/other
<userinput>EOF</userinput></screen>

<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
to the beginning of the following lines:</para>
<screen>DIALUPS_CHECK_ENAB
LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE</screen>

<para>This stops login from performing these functions, as they will now
be performed by PAM modules.</para>

</sect3>

</sect2>
added recompile of shadow to utilize PAM git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@443 af4574ff-66df-0310-9fd7-8a98e5e911e0 2002-12-07 23:24:45 +08:00			`<sect2>`
			`<title>Configuring PAM to work with shadow</title>`

			`<sect3><title>Config files</title>`
			`<para><userinput>/etc/pam.d/login /etc/pam.d/passwd /etc/pam.d/su`
			`/etc/pam.d/shadow /etc/pam.d/useradd</userinput></para>`
			`</sect3>`

			`<sect3><title>Configuration Information</title>`

			`<para>Add the following PAM configuration files to`
			`<filename>/etc/pam.d</filename> (or add them to`
			`<filename>/etc/pam.conf</filename> with`
			`the additional field for the program).`
			`</para>`
			`<screen><userinput>cat > /etc/pam.d/login << "EOF"</userinput>`
			`# Begin /etc/pam.d/login`

			`auth requisite pam_securetty.so`
			`auth requisite pam_nologin.so`
			`auth required pam_env.so`
			`auth required pam_unix.so`
			`account required pam_access.so`
			`account required pam_unix.so`
			`session required pam_motd.so`
			`session required pam_limits.so`
			`session optional pam_mail.so dir=/var/mail standard`
			`session optional pam_lastlog.so`
			`session required pam_unix.so`

			`# End /etc/pam.d/login`
			`<userinput>EOF`
			`cat > /etc/pam.d/other << "EOF"</userinput>`
			`# Begin /etc/pam.d/passwd`

			`password required pam_unix.so md5 shadow use_authtok`

			`# End /etc/pam.d/passwd`
			`<userinput>EOF`
			`cat > /etc/pam.d/passwd << "EOF"</userinput>`
			`# Begin /etc/pam.d/shadow`

			`auth sufficient pam_rootok.so`
			`auth required pam_unix.so`
			`account required pam_unix.so`
			`session required pam_unix.so`
			`password required pam_permit.so`

			`# End /etc/pam.d/shadow`
			`<userinput>EOF`
			`cat > /etc/pam.d/su << "EOF"</userinput>`
			`# Begin /etc/pam.d/su`

			`auth sufficient pam_rootok.so`
			`auth required pam_unix.so`
			`account required pam_unix.so`
			`session required pam_unix.so`

			`# End /etc/pam.d/su`
			`<userinput>EOF`
			`cat > /etc/pam.d/useradd << "EOF"</userinput>`
			`# Begin /etc/pam.d/useradd`

			`auth sufficient pam_rootok.so`
			`auth required pam_unix.so`
			`account required pam_unix.so`
			`session required pam_unix.so`
			`password required pam_permit.so`

			`# End /etc/pam.d/useradd`
			`<userinput>EOF</userinput></screen>`

			`<para>Currently, <filename>/etc/pam.d/other</filename> is configured to`
			`allow anyone with an account on the machine to use programs`
			`that do not specifically have a configuration file of their own. After`
			`testing PAM for proper configuration, it can be changed to the`
			`following:</para>`

			`<screen><userinput>cat > /etc/pam.d/other << "EOF"</userinput>`
			`# Begin /etc/pam.d/other`

			`auth required pam_deny.so`
			`auth required pam_warn.so`
			`account required pam_deny.so`
			`session required pam_deny.so`
			`password required pam_deny.so`
			`password required pam_warn.so`

			`# End /etc/pam.d/other`
			`<userinput>EOF</userinput></screen>`

			`<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'`
			`to the beginning of the following lines:</para>`
			`<screen>DIALUPS_CHECK_ENAB`
			`LASTLOG_ENAB`
			`MAIL_CHECK_ENAB`
			`PORTTIME_CHECKS_ENAB`
			`CONSOLE`
			`MOTD_FILE`
			`NOLOGINS_FILE`
			`PASS_MIN_LEN`
			`SU_WHEEL_ONLY`
			`MD5_CRYPT_ENAB`
			`CONSOLE_GROUPS`
			`ENVIRON_FILE</screen>`

			`<para>This stops login from performing these functions, as they will now`
			`be performed by PAM modules.</para>`

			`</sect3>`

			`</sect2>`