glfs/postlfs/security/shadow.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;
]>

<sect1 id="shadow">
<?dbhtml filename="shadow.html"?>
<title>Shadow-&shadow-version;</title>

<!--
<sect2>
<title>Configuring shadow</title>

<para>Shadow's Configuration File</para>

<para><userinput>/etc/login.defs</userinput></para>

<para>Enabling <acronym>MD</acronym>5 Passwords</para>

<para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
<filename>login.defs</filename> file that reads:
<screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
to read:
<screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
Passwords created after this change will be encrypted using
<acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using 
<acronym>DES</acronym> encryption.
</para>
</sect2>
-->


<sect2>
<title>Introduction to <application>Shadow</application></title>

<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
no reason to reinstall it unless you installed
<application>Linux-<acronym>PAM</acronym></application>.  If you did,
this will allow programs like <command>login</command> and
<command>su</command> to utilize
<acronym>PAM</acronym>.</para>

<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Patch to fix linking against PAM:
<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
</itemizedlist>
</sect3>

<sect3><title><application>Shadow</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="Linux_PAM"/></para></sect4>
</sect3>
</sect2>


<sect2>
<title>Installation of <application>shadow</application></title>

<para>Reinstall shadow by running the following commands:</para>

<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
    --enable-shared --with-libpam --without-libcrack &amp;&amp;
echo '#define HAVE_SETLOCALE 1' >> config.h &amp;&amp;
make &amp;&amp;
make install &amp;&amp;
mv /bin/sg /usr/bin &amp;&amp;
mv /bin/vigr /usr/sbin &amp;&amp;
rm /bin/groups &amp;&amp;
mv /usr/lib/lib{misc,shadow}.so.0* /lib &amp;&amp;
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &amp;&amp;
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>

</sect2>


<sect2>
<title>Command explanations</title>

<para><parameter>--without-libcrack</parameter>: This switch tells shadow
not to use libcrack. This is desired as
<application>Linux-<acronym>PAM</acronym></application> already
contains libcrack.</para>

<!--  Leftover from older instructions????
<para><command>cp debian/securetty /etc/securetty</command>: This
command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
-->

</sect2>


<sect2>
<title>Configuring <application><acronym>PAM</acronym></application> to work 
with <application>shadow</application></title>

<sect3><title>Config files</title>
<para><filename>/etc/pam.d/login</filename>,
<filename>/etc/pam.d/passwd</filename>,
<filename>/etc/pam.d/su</filename>,
<filename>/etc/pam.d/shadow</filename>, and
<filename>/etc/pam.d/useradd</filename></para>
</sect3>

<sect3><title>Configuration Information</title>

<para>Add the following <application><acronym>PAM</acronym></application> 
configuration files to <filename class="directory">/etc/pam.d</filename> (or add them to
<filename>/etc/pam.conf</filename> with the additional field for the program).
</para>
<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so     dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so

# End /etc/pam.d/login
<command>EOF
cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd

password    required       pam_unix.so     md5 shadow 

# End /etc/pam.d/passwd
<command>EOF
cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/shadow

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/shadow
<command>EOF
cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/su

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so

# End /etc/pam.d/su
<command>EOF
cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/useradd

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/useradd
<command>EOF
cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/chage

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/chage
<command>EOF</command></userinput></screen>

<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use programs
that do not specifically have a configuration file of their own. After
testing <application><acronym>PAM</acronym></application> for proper 
configuration, it can be changed to the following:</para>

<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/other

auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
session     required        pam_deny.so
password    required        pam_deny.so
password    required        pam_warn.so

# End /etc/pam.d/other
<command>EOF</command></userinput></screen>

<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
to the beginning of the following lines:</para>
<screen>LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE</screen>

<para>This stops <command>login</command> from performing these functions, as 
they will now be performed by <acronym>PAM</acronym> modules.</para>

</sect3>

</sect2>

</sect1>