linux-from-scratch/glfs
1
0
Fork 0
mirror of https://github.com/Zeckmathederg/glfs.git synced 2025-02-01 13:02:35 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
5c140f2d3d
glfs/postlfs/security/shadow/shadow-config.xml
Larry Lawrence d46cb5360d removed DIALUP-CHECK-ENAB, no longer in login.defs 
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@1848 af4574ff-66df-0310-9fd7-8a98e5e911e0
2004-02-24 21:50:29 +00:00

127 lines
3.8 KiB
XML
Raw Blame History

<sect2>
<title>Configuring <application><acronym>PAM</acronym></application> to work
with <application>shadow</application></title>
<sect3><title>Config files</title>
<para><filename>/etc/pam.d/login</filename>,
<filename>/etc/pam.d/passwd</filename>,
<filename>/etc/pam.d/su</filename>,
<filename>/etc/pam.d/shadow</filename>,
<filename>/etc/pam.d/useradd</filename></para>
</sect3>
<sect3><title>Configuration Information</title>
<para>Add the following <application><acronym>PAM</acronym></application>
configuration files to <filename class="directory">/etc/pam.d</filename> (or add them to
<filename>/etc/pam.conf</filename> with the additional field for the program).
</para>
<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
account required pam_access.so
account required pam_unix.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
session required pam_unix.so
# End /etc/pam.d/login
<command>EOF
cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd
password required pam_unix.so md5 shadow
# End /etc/pam.d/passwd
<command>EOF
cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/shadow
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so
# End /etc/pam.d/shadow
<command>EOF
cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
# End /etc/pam.d/su
<command>EOF
cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/useradd
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so
# End /etc/pam.d/useradd
<command>EOF
cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/chage
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so
# End /etc/pam.d/chage
<command>EOF</command></userinput></screen>
<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use programs
that do not specifically have a configuration file of their own. After
testing <application><acronym>PAM</acronym></application> for proper
configuration, it can be changed to the following:</para>
<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/other
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
password required pam_deny.so
password required pam_warn.so
# End /etc/pam.d/other
<command>EOF</command></userinput></screen>
<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
to the beginning of the following lines:</para>
<screen>LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE</screen>
<para>This stops <command>login</command> from performing these functions, as
they will now be performed by <acronym>PAM</acronym> modules.</para>
</sect3>
</sect2>
Reference in New Issue View Git Blame Copy Permalink