mirror of
https://github.com/Zeckmathederg/glfs.git
synced 2025-01-31 20:42:34 +08:00
ff769b8c61
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3656 af4574ff-66df-0310-9fd7-8a98e5e911e0
355 lines
13 KiB
XML
355 lines
13 KiB
XML
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
|
|
<!ENTITY % general-entities SYSTEM "../../general.ent">
|
|
%general-entities;
|
|
|
|
<!ENTITY shadow-download-http " ">
|
|
<!ENTITY shadow-download-ftp "ftp://ftp.pld.org.pl/software/shadow/shadow-&shadow-version;.tar.bz2">
|
|
<!ENTITY shadow-md5sum "89ebec0d1c0d861a5bd5c4c63e5cb0cc">
|
|
<!ENTITY shadow-size "1.0 MB">
|
|
<!ENTITY shadow-buildsize "13.2 MB">
|
|
<!ENTITY shadow-time "0.31 SBU">
|
|
]>
|
|
|
|
<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
|
|
<sect1info>
|
|
<othername>$LastChangedBy$</othername>
|
|
<date>$Date$</date>
|
|
</sect1info>
|
|
<?dbhtml filename="shadow.html"?>
|
|
<title>Shadow-&shadow-version;</title>
|
|
<indexterm zone="shadow">
|
|
<primary sortas="a-Shadow">Shadow</primary></indexterm>
|
|
|
|
<sect2>
|
|
<title>Introduction to <application>Shadow</application></title>
|
|
|
|
<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
|
|
no reason to reinstall it unless you installed
|
|
<application>Linux-<acronym>PAM</acronym></application>. If you did,
|
|
this will allow programs like <command>login</command> and
|
|
<command>su</command> to utilize
|
|
<acronym>PAM</acronym>.</para>
|
|
|
|
<sect3><title>Package information</title>
|
|
<itemizedlist spacing="compact">
|
|
<listitem><para>Download (HTTP):
|
|
<ulink url="&shadow-download-http;"/></para></listitem>
|
|
<listitem><para>Download (FTP):
|
|
<ulink url="&shadow-download-ftp;"/></para></listitem>
|
|
<listitem><para>Download MD5 sum:
|
|
&shadow-md5sum;</para></listitem>
|
|
<listitem><para>Download size:
|
|
&shadow-size;</para></listitem>
|
|
<listitem><para>Estimated disk space required:
|
|
&shadow-buildsize;</para></listitem>
|
|
<listitem><para>Estimated build time:
|
|
&shadow-time;</para></listitem></itemizedlist>
|
|
</sect3>
|
|
|
|
<sect3><title>Additional downloads</title>
|
|
<itemizedlist spacing='compact'>
|
|
<listitem><para>Patch to fix a bug in the <command>lastlog</command> program:
|
|
<ulink url="&patch-root;/shadow-&shadow-version;-fix_lastlog-1.patch"/></para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</sect3>
|
|
|
|
<sect3><title><application>Shadow</application> dependencies</title>
|
|
<sect4><title>Required</title>
|
|
<para><xref linkend="Linux_PAM"/></para>
|
|
</sect4>
|
|
</sect3>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Installation of <application>Shadow</application></title>
|
|
|
|
<para>Reinstall <application>Shadow</application> by running the following
|
|
commands:</para>
|
|
|
|
<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-fix_lastlog-1.patch &&
|
|
./configure --libdir=/lib --enable-shared \
|
|
--with-libpam --without-libcrack &&
|
|
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
|
|
sed -i '/groups/d' man/Makefile &&
|
|
make</command></userinput></screen>
|
|
|
|
<para>Now, as the root user:</para>
|
|
|
|
<screen><userinput role='root'><command>make install &&
|
|
mv -v /usr/bin/passwd /bin &&
|
|
mv -v /lib/libshadow.*a /usr/lib &&
|
|
rm -v /lib/libshadow.so &&
|
|
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</command></userinput></screen>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Command explanations</title>
|
|
|
|
<para><parameter>--without-libcrack</parameter>: This switch tells
|
|
<application>Shadow</application> not to use
|
|
<filename class='libraryfile'>libcrack</filename>. This is desired as
|
|
<application>Linux-<acronym>PAM</acronym></application> already contains
|
|
<filename class='libraryfile'>libcrack</filename>.</para>
|
|
|
|
<para><command>sed -i ...</command>: These commands are used to suppress the
|
|
installation of the <command>groups</command> program as the version from the
|
|
<application>Coreutils</application> package installed during
|
|
<acronym>LFS</acronym> is preferred.</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to
|
|
work with <application>Shadow</application></title>
|
|
|
|
<sect3 id="pam.d"><title>Config files</title>
|
|
<para><filename>/etc/pam.d/*</filename>, or alternatively,
|
|
<filename>/etc/pam.conf</filename></para>
|
|
<indexterm zone="shadow pam.d">
|
|
<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary></indexterm>
|
|
<indexterm zone="shadow pam.d">
|
|
<primary sortas="e-etc-pam.conf">/etc/pam.conf</primary></indexterm>
|
|
</sect3>
|
|
|
|
<sect3><title>Configuration Information</title>
|
|
|
|
<para>Add the following <application>Linux-<acronym>PAM</acronym></application>
|
|
configuration files to <filename class="directory">/etc/pam.d/</filename> (or
|
|
add them to <filename>/etc/pam.conf</filename> with the additional field for
|
|
the program).</para>
|
|
|
|
<sect4><title>login (with <application>cracklib</application>)</title>
|
|
|
|
<screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command>
|
|
# Begin /etc/pam.d/login
|
|
|
|
auth requisite pam_securetty.so
|
|
auth requisite pam_nologin.so
|
|
auth required pam_env.so
|
|
auth required pam_unix.so
|
|
account required pam_access.so
|
|
account required pam_unix.so
|
|
session required pam_motd.so
|
|
session required pam_limits.so
|
|
session optional pam_mail.so dir=/var/mail standard
|
|
session optional pam_lastlog.so
|
|
session required pam_unix.so
|
|
password required pam_cracklib.so retry=3 difok=8 minlen=5 \
|
|
dcredit=3 ocredit=3 \
|
|
ucredit=2 lcredit=2
|
|
password required pam_unix.so md5 shadow use_authtok
|
|
|
|
# End /etc/pam.d/login
|
|
<command>EOF</command></userinput></screen>
|
|
</sect4>
|
|
|
|
<sect4><title>login (without <application>cracklib</application>)</title>
|
|
|
|
<screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command>
|
|
# Begin /etc/pam.d/login
|
|
|
|
auth requisite pam_securetty.so
|
|
auth requisite pam_nologin.so
|
|
auth required pam_env.so
|
|
auth required pam_unix.so
|
|
account required pam_access.so
|
|
account required pam_unix.so
|
|
session required pam_motd.so
|
|
session required pam_limits.so
|
|
session optional pam_mail.so dir=/var/mail standard
|
|
session optional pam_lastlog.so
|
|
session required pam_unix.so
|
|
password required pam_unix.so md5 shadow
|
|
|
|
# End /etc/pam.d/login
|
|
<command>EOF</command></userinput></screen>
|
|
</sect4>
|
|
|
|
<sect4><title>passwd (with <application>cracklib</application>)</title>
|
|
|
|
<screen><userinput><command>cat > /etc/pam.d/passwd << "EOF"</command>
|
|
# Begin /etc/pam.d/passwd
|
|
|
|
password required pam_cracklib.so retry=3 difok=8 minlen=5 \
|
|
dcredit=3 ocredit=3 \
|
|
ucredit=2 lcredit=2
|
|
password required pam_unix.so md5 shadow use_authtok
|
|
|
|
# End /etc/pam.d/passwd
|
|
<command>EOF</command></userinput></screen>
|
|
</sect4>
|
|
|
|
<sect4><title>passwd (without <application>cracklib</application>)</title>
|
|
|
|
<screen><userinput><command>cat > /etc/pam.d/passwd << "EOF"</command>
|
|
# Begin /etc/pam.d/passwd
|
|
|
|
password required pam_unix.so md5 shadow
|
|
|
|
# End /etc/pam.d/passwd
|
|
<command>EOF</command></userinput></screen>
|
|
</sect4>
|
|
|
|
<sect4><title>su</title>
|
|
|
|
<screen><userinput><command>cat > /etc/pam.d/su << "EOF"</command>
|
|
# Begin /etc/pam.d/su
|
|
|
|
auth sufficient pam_rootok.so
|
|
auth required pam_unix.so
|
|
account required pam_unix.so
|
|
session optional pam_mail.so dir=/var/mail standard
|
|
session required pam_unix.so
|
|
|
|
# End /etc/pam.d/su
|
|
<command>EOF</command></userinput></screen>
|
|
</sect4>
|
|
|
|
<sect4><title>chage</title>
|
|
|
|
<screen><userinput><command>cat > /etc/pam.d/chage << "EOF"</command>
|
|
# Begin /etc/pam.d/chage
|
|
|
|
auth sufficient pam_rootok.so
|
|
auth required pam_unix.so
|
|
account required pam_unix.so
|
|
session required pam_unix.so
|
|
password required pam_permit.so
|
|
|
|
# End /etc/pam.d/chage
|
|
<command>EOF</command></userinput></screen>
|
|
</sect4>
|
|
|
|
<sect4><title>chpasswd, newusers, groupadd, groupdel, groupmod, useradd,
|
|
userdel and usermod</title>
|
|
|
|
<screen><userinput><command>for PROGRAM in chpasswd newusers groupadd groupdel \
|
|
groupmod useradd userdel usermod
|
|
do
|
|
install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
|
|
sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
|
|
done</command></userinput></screen>
|
|
</sect4>
|
|
|
|
<sect4><title>other</title>
|
|
|
|
<warning><para>At this point, you should do a simple test to see if
|
|
<application>Shadow</application> is
|
|
working as expected. Open another term and login as a user, then su to
|
|
to root. If you do not see any errors, then all is well and you should
|
|
proceed with the rest of the configuration. If you did
|
|
receive errors, stop now and double check the above configuration files
|
|
manually. If you cannot find, and fix the error, you should recompile
|
|
shadow replacing <parameter>--with-libpam</parameter> with
|
|
<parameter>--without-libpam</parameter> in the above
|
|
instructions. If you fail to do this and the errors remain, you
|
|
will be unable to log into your system.</para></warning>
|
|
|
|
<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
|
|
allow anyone with an account on the machine to use
|
|
<acronym>PAM</acronym>-aware programs without a configuration file for that
|
|
program. After testing <application>Linux-<acronym>PAM</acronym></application>
|
|
for proper configuration, install a more restrictive
|
|
<filename>other</filename> file so that program-specific configuration files
|
|
are required:</para>
|
|
|
|
<screen><userinput><command>cat > /etc/pam.d/other << "EOF"</command>
|
|
# Begin /etc/pam.d/other
|
|
|
|
auth required pam_deny.so
|
|
auth required pam_warn.so
|
|
account required pam_deny.so
|
|
session required pam_deny.so
|
|
password required pam_deny.so
|
|
password required pam_warn.so
|
|
|
|
# End /etc/pam.d/other
|
|
<command>EOF</command></userinput></screen>
|
|
</sect4>
|
|
|
|
<sect4 id="pam-access"><title>Configuring login access</title>
|
|
|
|
<para>Instead of using the <filename>/etc/login.access</filename> file for
|
|
controlling access to the system,
|
|
<application>Linux-<acronym>PAM</acronym></application> uses the
|
|
<filename class='libraryfile'>pam_access.so</filename> module along with the
|
|
<filename>/etc/security/access.conf</filename> file. Rename the
|
|
<filename>/etc/login.access</filename> file using the following
|
|
command:</para>
|
|
<indexterm zone="shadow pam-access"><primary
|
|
sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
|
|
</indexterm>
|
|
|
|
<screen><userinput><command>if [ -f /etc/login.access ]; then
|
|
mv -v /etc/login.access /etc/login.access.NOUSE
|
|
fi</command></userinput></screen>
|
|
</sect4>
|
|
|
|
<sect4 id="pam-limits"><title>Configuring resource limits</title>
|
|
|
|
<para>Instead of using the <filename>/etc/limits</filename> file for
|
|
limiting usage of system resources,
|
|
<application>Linux-<acronym>PAM</acronym></application> uses the
|
|
<filename class='libraryfile'>pam_limits.so</filename> module along with the
|
|
<filename>/etc/security/limits.conf</filename> file. Rename the
|
|
<filename>/etc/limits</filename> file using the following
|
|
command:</para>
|
|
<indexterm zone="shadow pam-limits"><primary
|
|
sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
|
|
</indexterm>
|
|
|
|
<screen><userinput><command>if [ -f /etc/limits ]; then
|
|
mv -v /etc/limits /etc/limits.NOUSE
|
|
fi</command></userinput></screen>
|
|
</sect4>
|
|
|
|
<sect4 id="pam-login-defs"><title>Configuring /etc/login.defs</title>
|
|
|
|
<para>The <command>login</command> program currently performs many functions
|
|
which <application>Linux-<acronym>PAM</acronym></application> modules should
|
|
now handle. The following command will comment out the appropriate lines in
|
|
<filename>/etc/login.defs</filename>, and stop <command>login</command> from
|
|
performing these functions:</para>
|
|
<indexterm zone="shadow pam-login-defs"><primary
|
|
sortas="e-etc-login.defs">/etc/login.defs</primary>
|
|
</indexterm>
|
|
|
|
<screen><userinput><command>for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
|
|
PORTTIME_CHECKS_ENAB CONSOLE \
|
|
MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
|
|
SU_WHEEL_ONLY MD5_CRYPT_ENAB \
|
|
CONSOLE_GROUPS ENVIRON_FILE
|
|
do
|
|
sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
|
|
done</command></userinput></screen>
|
|
|
|
<para>If you have <application>cracklib</application> installed, also comment
|
|
out four more lines using the following command:</para>
|
|
|
|
<screen><userinput><command>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
|
|
PASS_CHANGE_TRIES PASS_ALWAYS_WARN
|
|
do
|
|
sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
|
|
done</command></userinput></screen>
|
|
</sect4>
|
|
|
|
</sect3>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Contents</title>
|
|
|
|
<para>A list of the installed files, along with their short descriptions can
|
|
be found at
|
|
<ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|