From 322f17259d8e7fb5113081a75f887e2893ed9bc6 Mon Sep 17 00:00:00 2001
From: Manuel Canales Esparcia
Date: Sat, 14 May 2005 16:03:04 +0000
Subject: [PATCH] Tagged shadow.xml
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@4208 af4574ff-66df-0310-9fd7-8a98e5e911e0
---
 postlfs/security/shadow.xml | 439 ++++++++++++++++++++----------------
 1 file changed, 240 insertions(+), 199 deletions(-)
diff --git a/postlfs/security/shadow.xml b/postlfs/security/shadow.xml
index cad848e9d7..4508ffac8c 100644
--- a/postlfs/security/shadow.xml
+++ b/postlfs/security/shadow.xml
@@ -13,120 +13,135 @@ ]> - -$LastChangedBy$ -$Date$ - - -Shadow-&shadow-version; - -Shadow + - -Introduction to <application>Shadow</application> + + $LastChangedBy$ + $Date$ + -Shadow was indeed installed in LFS and there is -no reason to reinstall it unless you installed -Linux-PAM. If you did, -this will allow programs like login and -su to utilize -PAM. + Shadow-&shadow-version; -Package information - -Download (HTTP): - -Download (FTP): - -Download MD5 sum: -&shadow-md5sum; -Download size: -&shadow-size; -Estimated disk space required: -&shadow-buildsize; -Estimated build time: -&shadow-time; - + + Shadow + -Additional downloads - -Patch to fix a bug in the lastlog program: - - - - + + Introduction to Shadow -<application>Shadow</application> dependencies -Required - - - + Shadow was indeed installed in LFS and + there is no reason to reinstall it unless you installed + Linux-PAM. If you did, this will allow programs + like login and su to utilize PAM. - + Package Information + + + Download (HTTP): + + + Download (FTP): + + + Download MD5 sum: &shadow-md5sum; + + + Download size: &shadow-size; + + + Estimated disk space required: &shadow-buildsize; + + + Estimated build time: &shadow-time; + + - -Installation of <application>Shadow</application> + Additional Downloads + + + Patch to fix a bug in the lastlog program: + + + -Reinstall Shadow by running the following -commands: + Shadow Dependencies -patch -Np1 -i ../shadow-&shadow-version;-fix_lastlog-1.patch && + Required + + + + + + Installation of Shadow + + Reinstall Shadow by running the following + commands: + +patch -Np1 -i ../shadow-&shadow-version;-fix_lastlog-1.patch && ./configure --libdir=/lib --enable-shared \ --with-libpam --without-libcrack && sed -i 's/groups$(EXEEXT) //' src/Makefile && sed -i '/groups/d' man/Makefile && -make +make -Now, as the root user: + Now, as the root user: -make install && +make install && mv -v /usr/bin/passwd /bin && mv -v /lib/libshadow.*a /usr/lib && rm -v 
/lib/libshadow.so && -ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so +ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so - + - -Command explanations + + Command Explanations ---without-libcrack: This switch tells -Shadow not to use -libcrack. This is desired as -Linux-PAM already contains -libcrack. + --without-libcrack: This switch tells + Shadow not to use + libcrack. This is desired as + Linux-PAM already contains + libcrack. -sed -i ...: These commands are used to suppress the -installation of the groups program as the version from the -Coreutils package installed during -LFS is preferred. + sed -i ...: These commands are used to suppress + the installation of the groups program as the version + from the Coreutils package installed during + LFS is preferred. - + - -Configuring <application>Linux-<acronym>PAM</acronym></application> to -work with <application>Shadow</application> + + Configuring Linux-PAM to Work with Shadow -Config files -/etc/pam.d/*, or alternatively, -/etc/pam.conf - -/etc/pam.d/* - -/etc/pam.conf - + + Config Files -Configuration Information + /etc/pam.d/*, or alternatively, + /etc/pam.conf -Add the following Linux-PAM -configuration files to /etc/pam.d/ (or -add them to /etc/pam.conf with the additional field for -the program). + + /etc/pam.d/* + -login (with <application>cracklib</application>) + + /etc/pam.conf + -cat > /etc/pam.d/login << "EOF" -# Begin /etc/pam.d/login + + + + Configuration Information + + Add the following Linux-PAM configuration + files to /etc/pam.d/ (or add them + to /etc/pam.conf with the additional field for + the program). + + + 'login' (with Cracklib) + +cat > /etc/pam.d/login << "EOF" +# Begin /etc/pam.d/login auth requisite pam_securetty.so auth requisite pam_nologin.so 
@@ -144,14 +159,16 @@ password required pam_cracklib.so retry=3 difok=8 minlen=5 \ ucredit=2 lcredit=2 password required pam_unix.so md5 shadow use_authtok -# End /etc/pam.d/login -EOF - +# End /etc/pam.d/login +EOF -login (without <application>cracklib</application>) + -cat > /etc/pam.d/login << "EOF" -# Begin /etc/pam.d/login + + 'login' (without Cracklib) + +cat > /etc/pam.d/login << "EOF" +# Begin /etc/pam.d/login auth requisite pam_securetty.so auth requisite pam_nologin.so @@ -166,39 +183,45 @@ session optional pam_lastlog.so session required pam_unix.so password required pam_unix.so md5 shadow -# End /etc/pam.d/login -EOF - +# End /etc/pam.d/login +EOF -passwd (with <application>cracklib</application>) + -cat > /etc/pam.d/passwd << "EOF" -# Begin /etc/pam.d/passwd + + 'passwd' (with Cracklib) + +cat > /etc/pam.d/passwd << "EOF" +# Begin /etc/pam.d/passwd password required pam_cracklib.so retry=3 difok=8 minlen=5 \ dcredit=3 ocredit=3 \ ucredit=2 lcredit=2 password required pam_unix.so md5 shadow use_authtok -# End /etc/pam.d/passwd -EOF - +# End /etc/pam.d/passwd +EOF -passwd (without <application>cracklib</application>) + -cat > /etc/pam.d/passwd << "EOF" -# Begin /etc/pam.d/passwd + + 'passwd' (without Cracklib) + +cat > /etc/pam.d/passwd << "EOF" +# Begin /etc/pam.d/passwd password required pam_unix.so md5 shadow -# End /etc/pam.d/passwd -EOF - +# End /etc/pam.d/passwd +EOF -su + -cat > /etc/pam.d/su << "EOF" -# Begin /etc/pam.d/su + + 'su' + +cat > /etc/pam.d/su << "EOF" +# Begin /etc/pam.d/su auth sufficient pam_rootok.so auth required pam_unix.so @@ -206,14 +229,16 @@ account required pam_unix.so session optional pam_mail.so dir=/var/mail standard session required pam_unix.so -# End /etc/pam.d/su -EOF - +# End /etc/pam.d/su +EOF -chage + -cat > /etc/pam.d/chage << "EOF" -# Begin /etc/pam.d/chage + + 'chage' + +cat > /etc/pam.d/chage << "EOF" +# Begin /etc/pam.d/chage auth sufficient pam_rootok.so auth required pam_unix.so 
@@ -221,45 +246,51 @@ account required pam_unix.so session required pam_unix.so password required pam_permit.so -# End /etc/pam.d/chage -EOF - +# End /etc/pam.d/chage +EOF -chpasswd, newusers, groupadd, groupdel, groupmod, useradd, -userdel and usermod + -for PROGRAM in chpasswd newusers groupadd groupdel \ + + 'chpasswd', 'newusers', 'groupadd', 'groupdel', + 'groupmod', 'useradd', 'userdel', and 'usermod' + +for PROGRAM in chpasswd newusers groupadd groupdel \ groupmod useradd userdel usermod do install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM -done - +done -other + -At this point, you should do a simple test to see if -Shadow is -working as expected. Open another term and login as a user, then su to -to root. If you do not see any errors, then all is well and you should -proceed with the rest of the configuration. If you did -receive errors, stop now and double check the above configuration files -manually. If you cannot find, and fix the error, you should recompile -shadow replacing --with-libpam with ---without-libpam in the above -instructions. If you fail to do this and the errors remain, you -will be unable to log into your system. + + Other -Currently, /etc/pam.d/other is configured to -allow anyone with an account on the machine to use -PAM-aware programs without a configuration file for that -program. After testing Linux-PAM -for proper configuration, install a more restrictive -other file so that program-specific configuration files -are required: + + At this point, you should do a simple test to see if + Shadow is working as expected. Open + another term and login as a user, then su to root. If you do not see any errors, + then all is well and you should proceed with the rest of the + configuration. If you did receive errors, stop now and double check + the above configuration files manually. 
If you cannot find, and + fix the error, you should recompile Shadow + replacing with + in the above instructions. If you + fail to do this and the errors remain, you will be unable to log into + your system. + -cat > /etc/pam.d/other << "EOF" -# Begin /etc/pam.d/other + Currently, /etc/pam.d/other is configured + to allow anyone with an account on the machine to use PAM-aware + programs without a configuration file for that program. After testing + Linux-PAM for proper configuration, install + a more restrictive other file so that + program-specific configuration files are required: + +cat > /etc/pam.d/other << "EOF" +# Begin /etc/pam.d/other auth required pam_deny.so auth required pam_warn.so 
@@ -268,87 +299,97 @@ session required pam_deny.so password required pam_deny.so password required pam_warn.so -# End /etc/pam.d/other -EOF - +# End /etc/pam.d/other +EOF -Configuring login access + -Instead of using the /etc/login.access file for -controlling access to the system, -Linux-PAM uses the -pam_access.so module along with the -/etc/security/access.conf file. Rename the -/etc/login.access file using the following -command: -/etc/security/access.conf - + + Configuring Login Access -if [ -f /etc/login.access ]; then + Instead of using the /etc/login.access + file for controlling access to the system, + Linux-PAM uses the + pam_access.so module along + with the /etc/security/access.conf file. Rename + the /etc/login.access file using the following + command: + + + /etc/security/access.conf + + +if [ -f /etc/login.access ]; then mv -v /etc/login.access /etc/login.access.NOUSE -fi - +fi -Configuring resource limits + -Instead of using the /etc/limits file for -limiting usage of system resources, -Linux-PAM uses the -pam_limits.so module along with the -/etc/security/limits.conf file. Rename the -/etc/limits file using the following -command: -/etc/security/limits.conf - + + Configuring Resource Limits -if [ -f /etc/limits ]; then + Instead of using the /etc/limits file + for limiting usage of system resources, + Linux-PAM uses the + pam_limits.so module along + with the /etc/security/limits.conf file. Rename + the /etc/limits file using the following + command: + + + /etc/security/limits.conf + + +if [ -f /etc/limits ]; then mv -v /etc/limits /etc/limits.NOUSE -fi - +fi -Configuring /etc/login.defs + -The login program currently performs many functions -which Linux-PAM modules should -now handle. 
The following command will comment out the appropriate lines in -/etc/login.defs, and stop login from -performing these functions: -/etc/login.defs - + + Configuring /etc/login.defs -for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \ + The login program currently performs many + functions which Linux-PAM modules should + now handle. The following command will comment out the appropriate + lines in /etc/login.defs, and stop + login from performing these functions: + + + /etc/login.defs + + +for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \ PORTTIME_CHECKS_ENAB CONSOLE \ MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \ SU_WHEEL_ONLY MD5_CRYPT_ENAB \ CONSOLE_GROUPS ENVIRON_FILE do sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs -done +done -If you have cracklib installed, also comment -out four more lines using the following command: + If you have cracklib installed, + also comment out four more lines using the following command: -for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \ +for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \ PASS_CHANGE_TRIES PASS_ALWAYS_WARN do sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs -done - +done - + - + - -Contents + -A list of the installed files, along with their short descriptions can -be found at -. + + Contents - + A list of the installed files, along with their short descriptions + can be found at + . + +