Tagged shadow.xml

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@4208 af4574ff-66df-0310-9fd7-8a98e5e911e0
Manuel Canales Esparcia 2005-05-14 16:03:04 +00:00
parent 2dbd7a5f82
commit 322f17259d


@ -13,120 +13,135 @@
]>
<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="shadow.html"?>
<title>Shadow-&shadow-version;</title>
<indexterm zone="shadow">
<primary sortas="a-Shadow">Shadow</primary></indexterm>
<?dbhtml filename="shadow.html"?>
<sect2>
<title>Introduction to <application>Shadow</application></title>
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
no reason to reinstall it unless you installed
<application>Linux-<acronym>PAM</acronym></application>. If you did,
this will allow programs like <command>login</command> and
<command>su</command> to utilize
<acronym>PAM</acronym>.</para>
<title>Shadow-&shadow-version;</title>
<sect3><title>Package information</title>
<itemizedlist spacing="compact">
<listitem><para>Download (HTTP):
<ulink url="&shadow-download-http;"/></para></listitem>
<listitem><para>Download (FTP):
<ulink url="&shadow-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum:
&shadow-md5sum;</para></listitem>
<listitem><para>Download size:
&shadow-size;</para></listitem>
<listitem><para>Estimated disk space required:
&shadow-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&shadow-time;</para></listitem></itemizedlist>
</sect3>
<indexterm zone="shadow">
<primary sortas="a-Shadow">Shadow</primary>
</indexterm>
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Patch to fix a bug in the <command>lastlog</command> program:
<ulink url="&patch-root;/shadow-&shadow-version;-fix_lastlog-1.patch"/></para>
</listitem>
</itemizedlist>
</sect3>
<sect2 role="package">
<title>Introduction to Shadow</title>
<sect3><title><application>Shadow</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="Linux_PAM"/></para>
</sect4>
</sect3>
<para><application>Shadow</application> was indeed installed in LFS and
there is no reason to reinstall it unless you installed
<application>Linux-PAM</application>. If you did, this will allow programs
like <command>login</command> and <command>su</command> to utilize PAM.</para>
</sect2>
<bridgehead renderas="sect3">Package Information</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Download (HTTP): <ulink url="&shadow-download-http;"/></para>
</listitem>
<listitem>
<para>Download (FTP): <ulink url="&shadow-download-ftp;"/></para>
</listitem>
<listitem>
<para>Download MD5 sum: &shadow-md5sum;</para>
</listitem>
<listitem>
<para>Download size: &shadow-size;</para>
</listitem>
<listitem>
<para>Estimated disk space required: &shadow-buildsize;</para>
</listitem>
<listitem>
<para>Estimated build time: &shadow-time;</para>
</listitem>
</itemizedlist>
<sect2>
<title>Installation of <application>Shadow</application></title>
<bridgehead renderas="sect3">Additional Downloads</bridgehead>
<itemizedlist spacing='compact'>
<listitem>
<para>Patch to fix a bug in the <command>lastlog</command> program:
<ulink url="&patch-root;/shadow-&shadow-version;-fix_lastlog-1.patch"/></para>
</listitem>
</itemizedlist>
<para>Reinstall <application>Shadow</application> by running the following
commands:</para>
<bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-fix_lastlog-1.patch &amp;&amp;
<bridgehead renderas="sect4">Required</bridgehead>
<para><xref linkend="Linux_PAM"/></para>
</sect2>
<sect2 role="installation">
<title>Installation of Shadow</title>
<para>Reinstall <application>Shadow</application> by running the following
commands:</para>
<screen><userinput>patch -Np1 -i ../shadow-&shadow-version;-fix_lastlog-1.patch &amp;&amp;
./configure --libdir=/lib --enable-shared \
--with-libpam --without-libcrack &amp;&amp;
sed -i 's/groups$(EXEEXT) //' src/Makefile &amp;&amp;
sed -i '/groups/d' man/Makefile &amp;&amp;
make</command></userinput></screen>
make</userinput></screen>
<para>Now, as the root user:</para>
<para>Now, as the <systemitem class="username">root</systemitem> user:</para>
<screen><userinput role='root'><command>make install &amp;&amp;
<screen role="root"><userinput>make install &amp;&amp;
mv -v /usr/bin/passwd /bin &amp;&amp;
mv -v /lib/libshadow.*a /usr/lib &amp;&amp;
rm -v /lib/libshadow.so &amp;&amp;
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</command></userinput></screen>
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen>
</sect2>
</sect2>
<sect2>
<title>Command explanations</title>
<sect2 role="commands">
<title>Command Explanations</title>
<para><parameter>--without-libcrack</parameter>: This switch tells
<application>Shadow</application> not to use
<filename class='libraryfile'>libcrack</filename>. This is desired as
<application>Linux-<acronym>PAM</acronym></application> already contains
<filename class='libraryfile'>libcrack</filename>.</para>
<para><parameter>--without-libcrack</parameter>: This switch tells
<application>Shadow</application> not to use
<filename class='libraryfile'>libcrack</filename>. This is desired as
<application>Linux-PAM</application> already contains
<filename class='libraryfile'>libcrack</filename>.</para>
<para><command>sed -i ...</command>: These commands are used to suppress the
installation of the <command>groups</command> program as the version from the
<application>Coreutils</application> package installed during
<acronym>LFS</acronym> is preferred.</para>
<para><command>sed -i ...</command>: These commands are used to suppress
the installation of the <command>groups</command> program as the version
from the <application>Coreutils</application> package installed during
LFS is preferred.</para>
</sect2>
</sect2>
<sect2>
<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to
work with <application>Shadow</application></title>
<sect2 role="configuration">
<title>Configuring Linux-PAM to Work with Shadow</title>
<sect3 id="pam.d"><title>Config files</title>
<para><filename>/etc/pam.d/*</filename>, or alternatively,
<filename>/etc/pam.conf</filename></para>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary></indexterm>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.conf">/etc/pam.conf</primary></indexterm>
</sect3>
<sect3 id="pam.d">
<title>Config Files</title>
<sect3><title>Configuration Information</title>
<para><filename>/etc/pam.d/*</filename>, or alternatively,
<filename>/etc/pam.conf</filename></para>
<para>Add the following <application>Linux-<acronym>PAM</acronym></application>
configuration files to <filename class="directory">/etc/pam.d/</filename> (or
add them to <filename>/etc/pam.conf</filename> with the additional field for
the program).</para>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
</indexterm>
<sect4><title>login (with <application>cracklib</application>)</title>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
</indexterm>
<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login
</sect3>
<sect3>
<title>Configuration Information</title>
<para>Add the following <application>Linux-PAM</application> configuration
files to <filename class="directory">/etc/pam.d/</filename> (or add them
to <filename>/etc/pam.conf</filename> with the additional field for
the program).</para>
<sect4>
<title>'login' (with Cracklib)</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login
auth requisite pam_securetty.so
auth requisite pam_nologin.so
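Review bot: the configure line in this hunk adds `--with-libpam`, but the Command Explanations section only documents `--without-libcrack`; add a matching `<para>` for `--with-libpam`, since enabling PAM in login and su is the whole reason the introduction gives for reinstalling. Minor wording in that introduction: "Shadow was indeed installed in LFS" reads better as "Shadow was already installed in LFS".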
@ -144,14 +159,16 @@ password required pam_cracklib.so retry=3 difok=8 minlen=5 \
ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok
# End /etc/pam.d/login
<command>EOF</command></userinput></screen>
</sect4>
# End /etc/pam.d/login</literal>
EOF</userinput></screen>
<sect4><title>login (without <application>cracklib</application>)</title>
</sect4>
<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login
<sect4>
<title>'login' (without Cracklib)</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login
auth requisite pam_securetty.so
auth requisite pam_nologin.so
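Review bot: `minlen=5` on the pam_cracklib line at the top of this hunk is a low length floor for the policy that login will enforce on forced password changes; since readers copy these files verbatim, either raise it or add a sentence saying the `minlen` and credit values are examples to be tuned for the site.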
@ -166,39 +183,45 @@ session optional pam_lastlog.so
session required pam_unix.so
password required pam_unix.so md5 shadow
# End /etc/pam.d/login
<command>EOF</command></userinput></screen>
</sect4>
# End /etc/pam.d/login</literal>
EOF</userinput></screen>
<sect4><title>passwd (with <application>cracklib</application>)</title>
</sect4>
<screen><userinput><command>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd
<sect4>
<title>'passwd' (with Cracklib)</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd
password required pam_cracklib.so retry=3 difok=8 minlen=5 \
dcredit=3 ocredit=3 \
ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok
# End /etc/pam.d/passwd
<command>EOF</command></userinput></screen>
</sect4>
# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
<sect4><title>passwd (without <application>cracklib</application>)</title>
</sect4>
<screen><userinput><command>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd
<sect4>
<title>'passwd' (without Cracklib)</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd
password required pam_unix.so md5 shadow
# End /etc/pam.d/passwd
<command>EOF</command></userinput></screen>
</sect4>
# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
<sect4><title>su</title>
</sect4>
<screen><userinput><command>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/su
<sect4>
<title>'su'</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_unix.so
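Review bot: the pam_cracklib options differ between the two cracklib files: the `login` file in the previous hunk uses `retry=3 difok=8 minlen=5 \ ucredit=2 lcredit=2`, while the `passwd` file here adds `dcredit=3 ocredit=3`, so a password changed at login and one changed through passwd are checked against different rules. Use the same option set in both files, or explain in the text why they differ.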
@ -206,14 +229,16 @@ account required pam_unix.so
session optional pam_mail.so dir=/var/mail standard
session required pam_unix.so
# End /etc/pam.d/su
<command>EOF</command></userinput></screen>
</sect4>
# End /etc/pam.d/su</literal>
EOF</userinput></screen>
<sect4><title>chage</title>
</sect4>
<screen><userinput><command>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/chage
<sect4>
<title>'chage'</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage
auth sufficient pam_rootok.so
auth required pam_unix.so
@ -221,45 +246,51 @@ account required pam_unix.so
session required pam_unix.so
password required pam_permit.so
# End /etc/pam.d/chage
<command>EOF</command></userinput></screen>
</sect4>
# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
<sect4><title>chpasswd, newusers, groupadd, groupdel, groupmod, useradd,
userdel and usermod</title>
</sect4>
<screen><userinput><command>for PROGRAM in chpasswd newusers groupadd groupdel \
<sect4>
<title>'chpasswd', 'newusers', 'groupadd', 'groupdel',
'groupmod', 'useradd', 'userdel', and 'usermod'</title>
<screen role="root"><userinput>for PROGRAM in chpasswd newusers groupadd groupdel \
groupmod useradd userdel usermod
do
install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done</command></userinput></screen>
</sect4>
done</userinput></screen>
<sect4><title>other</title>
</sect4>
<warning><para>At this point, you should do a simple test to see if
<application>Shadow</application> is
working as expected. Open another term and login as a user, then su to
to root. If you do not see any errors, then all is well and you should
proceed with the rest of the configuration. If you did
receive errors, stop now and double check the above configuration files
manually. If you cannot find, and fix the error, you should recompile
shadow replacing <parameter>--with-libpam</parameter> with
<parameter>--without-libpam</parameter> in the above
instructions. If you fail to do this and the errors remain, you
will be unable to log into your system.</para></warning>
<sect4>
<title>Other</title>
<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use
<acronym>PAM</acronym>-aware programs without a configuration file for that
program. After testing <application>Linux-<acronym>PAM</acronym></application>
for proper configuration, install a more restrictive
<filename>other</filename> file so that program-specific configuration files
are required:</para>
<warning>
<para>At this point, you should do a simple test to see if
<application>Shadow</application> is working as expected. Open
another term and login as a user, then su to <systemitem
class="username">root</systemitem>. If you do not see any errors,
then all is well and you should proceed with the rest of the
configuration. If you did receive errors, stop now and double check
the above configuration files manually. If you cannot find, and
fix the error, you should recompile <application>Shadow</application>
replacing <option>--with-libpam</option> with
<option>--without-libpam</option> in the above instructions. If you
fail to do this and the errors remain, you will be unable to log into
your system.</para>
</warning>
<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/other
<para>Currently, <filename>/etc/pam.d/other</filename> is configured
to allow anyone with an account on the machine to use PAM-aware
programs without a configuration file for that program. After testing
<application>Linux-PAM</application> for proper configuration, install
a more restrictive <filename>other</filename> file so that
program-specific configuration files are required:</para>
<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/other
auth required pam_deny.so
auth required pam_warn.so
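Review bot: grammar in the warning paragraph: "login as a user" should be "log in as a user" (verb), and "If you cannot find, and fix the error" should drop the comma. More importantly, the warning should say explicitly that the test must be done before `/etc/pam.d/other` is replaced: the following paragraph notes that the current `other` lets any account use PAM-aware programs, and once it becomes `pam_deny.so`/`pam_warn.so` a mistyped stack can no longer fall through to it.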
@ -268,87 +299,97 @@ session required pam_deny.so
password required pam_deny.so
password required pam_warn.so
# End /etc/pam.d/other
<command>EOF</command></userinput></screen>
</sect4>
# End /etc/pam.d/other</literal>
EOF</userinput></screen>
<sect4 id="pam-access"><title>Configuring login access</title>
</sect4>
<para>Instead of using the <filename>/etc/login.access</filename> file for
controlling access to the system,
<application>Linux-<acronym>PAM</acronym></application> uses the
<filename class='libraryfile'>pam_access.so</filename> module along with the
<filename>/etc/security/access.conf</filename> file. Rename the
<filename>/etc/login.access</filename> file using the following
command:</para>
<indexterm zone="shadow pam-access"><primary
sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
</indexterm>
<sect4 id="pam-access">
<title>Configuring Login Access</title>
<screen><userinput><command>if [ -f /etc/login.access ]; then
<para>Instead of using the <filename>/etc/login.access</filename>
file for controlling access to the system,
<application>Linux-PAM</application> uses the
<filename class='libraryfile'>pam_access.so</filename> module along
with the <filename>/etc/security/access.conf</filename> file. Rename
the <filename>/etc/login.access</filename> file using the following
command:</para>
<indexterm zone="shadow pam-access">
<primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
</indexterm>
<screen role="root"><userinput>if [ -f /etc/login.access ]; then
mv -v /etc/login.access /etc/login.access.NOUSE
fi</command></userinput></screen>
</sect4>
fi</userinput></screen>
<sect4 id="pam-limits"><title>Configuring resource limits</title>
</sect4>
<para>Instead of using the <filename>/etc/limits</filename> file for
limiting usage of system resources,
<application>Linux-<acronym>PAM</acronym></application> uses the
<filename class='libraryfile'>pam_limits.so</filename> module along with the
<filename>/etc/security/limits.conf</filename> file. Rename the
<filename>/etc/limits</filename> file using the following
command:</para>
<indexterm zone="shadow pam-limits"><primary
sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
</indexterm>
<sect4 id="pam-limits">
<title>Configuring Resource Limits</title>
<screen><userinput><command>if [ -f /etc/limits ]; then
<para>Instead of using the <filename>/etc/limits</filename> file
for limiting usage of system resources,
<application>Linux-PAM</application> uses the
<filename class='libraryfile'>pam_limits.so</filename> module along
with the <filename>/etc/security/limits.conf</filename> file. Rename
the <filename>/etc/limits</filename> file using the following
command:</para>
<indexterm zone="shadow pam-limits">
<primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
</indexterm>
<screen role="root"><userinput>if [ -f /etc/limits ]; then
mv -v /etc/limits /etc/limits.NOUSE
fi</command></userinput></screen>
</sect4>
fi</userinput></screen>
<sect4 id="pam-login-defs"><title>Configuring /etc/login.defs</title>
</sect4>
<para>The <command>login</command> program currently performs many functions
which <application>Linux-<acronym>PAM</acronym></application> modules should
now handle. The following command will comment out the appropriate lines in
<filename>/etc/login.defs</filename>, and stop <command>login</command> from
performing these functions:</para>
<indexterm zone="shadow pam-login-defs"><primary
sortas="e-etc-login.defs">/etc/login.defs</primary>
</indexterm>
<sect4 id="pam-login-defs">
<title>Configuring /etc/login.defs</title>
<screen><userinput><command>for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
<para>The <command>login</command> program currently performs many
functions which <application>Linux-PAM</application> modules should
now handle. The following command will comment out the appropriate
lines in <filename>/etc/login.defs</filename>, and stop
<command>login</command> from performing these functions:</para>
<indexterm zone="shadow pam-login-defs">
<primary sortas="e-etc-login.defs">/etc/login.defs</primary>
</indexterm>
<screen role="root"><userinput>for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
PORTTIME_CHECKS_ENAB CONSOLE \
MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
SU_WHEEL_ONLY MD5_CRYPT_ENAB \
CONSOLE_GROUPS ENVIRON_FILE
do
sed -i -e "s/^$FUNCTION/# &amp;/" /etc/login.defs
done</command></userinput></screen>
done</userinput></screen>
<para>If you have <application>cracklib</application> installed, also comment
out four more lines using the following command:</para>
<para>If you have <application>cracklib</application> installed,
also comment out four more lines using the following command:</para>
<screen><userinput><command>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
<screen role="root"><userinput>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
PASS_CHANGE_TRIES PASS_ALWAYS_WARN
do
sed -i -e "s/^$FUNCTION/# &amp;/" /etc/login.defs
done</command></userinput></screen>
</sect4>
done</userinput></screen>
</sect3>
</sect4>
</sect2>
</sect3>
<sect2>
<title>Contents</title>
</sect2>
<para>A list of the installed files, along with their short descriptions can
be found at
<ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>
<sect2 role="content">
<title>Contents</title>
</sect2>
<para>A list of the installed files, along with their short descriptions
can be found at
<ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>
</sect2>
</sect1>
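Review bot: commenting out `SU_WHEEL_ONLY` in `/etc/login.defs` removes the wheel-group restriction on su, and the `su` stack installed earlier (`auth sufficient pam_rootok.so` followed by `auth required pam_unix.so`) adds no equivalent, so after this section any user who knows the root password can su; if that is intended, say so, otherwise mention `pam_wheel.so` as the PAM-side replacement. Likewise, renaming `/etc/login.access` and `/etc/limits` to `.NOUSE` disables those controls without migrating any rules they contained; tell the reader to carry existing rules over to `/etc/security/access.conf` and `/etc/security/limits.conf` before the rename.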