glfs/postlfs/security/shadow.xml
Randy McMurchy 55e186207f Fixed a typo in the Shadow instructions
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8656 af4574ff-66df-0310-9fd7-8a98e5e911e0
2010-11-01 23:13:37 +00:00


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY shadow-download-http " ">
<!ENTITY shadow-download-ftp "ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-&shadow-version;.tar.bz2">
<!ENTITY shadow-md5sum "d593a9cab93c48ee0a6ba056db8c1997">
<!ENTITY shadow-size "1.8 MB">
<!ENTITY shadow-buildsize "30 MB">
<!ENTITY shadow-time "0.3 SBU">
]>
<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
<?dbhtml filename="shadow.html"?>
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<title>Shadow-&shadow-version;</title>
<indexterm zone="shadow">
<primary sortas="a-Shadow">Shadow</primary>
</indexterm>
<sect2 role="package">
<title>Introduction to Shadow</title>
<para><application>Shadow</application> was indeed installed in LFS and
there is no reason to reinstall it unless you installed
<application>CrackLib</application> or
<application>Linux-PAM</application> after your LFS system was completed.
If you have installed <application>CrackLib</application> after LFS, then
reinstalling <application>Shadow</application> will enable strong password
support. If you have installed <application>Linux-PAM</application>,
reinstalling <application>Shadow</application> will allow programs such as
<command>login</command> and <command>su</command> to utilize PAM.</para>
&lfs67_checked;
<bridgehead renderas="sect3">Package Information</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Download (HTTP): <ulink url="&shadow-download-http;"/></para>
</listitem>
<listitem>
<para>Download (FTP): <ulink url="&shadow-download-ftp;"/></para>
</listitem>
<listitem>
<para>Download MD5 sum: &shadow-md5sum;</para>
</listitem>
<listitem>
<para>Download size: &shadow-size;</para>
</listitem>
<listitem>
<para>Estimated disk space required: &shadow-buildsize;</para>
</listitem>
<listitem>
<para>Estimated build time: &shadow-time;</para>
</listitem>
</itemizedlist>
<!-- <bridgehead renderas="sect3">Additional Downloads</bridgehead>
<itemizedlist spacing='compact'>
<listitem>
<para>Required patch: <ulink
url="&patch-root;/shadow-&shadow-version;-useradd_fix-2.patch"/></para>
</listitem>
</itemizedlist> -->
<bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
<bridgehead renderas="sect4">Required</bridgehead>
<para role="required"><xref linkend="linux-pam"/> and/or
<xref linkend="cracklib"/></para>
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/shadow"/></para>
</sect2>
<sect2 role="installation">
<title>Installation of Shadow</title>
<important>
<para>The installation commands shown below are for installations where
<application>Linux-PAM</application> has been installed (with or
without a <application>CrackLib</application> installation) and
<application>Shadow</application> is being reinstalled to support the
<application>Linux-PAM</application> installation.</para>
<para> If you are reinstalling <application>Shadow</application> to
provide strong password support using the
<application>CrackLib</application> library without using
<application>Linux-PAM</application>, ensure you add the
<parameter>--with-libcrack</parameter> parameter to the
<command>configure</command> script below and also issue the following
command:</para>
<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
</important>
<para>Reinstall <application>Shadow</application> by running the following
commands:</para>
<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile.in &amp;&amp;
sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD MD5@' \
-e 's@/var/spool/mail@/var/mail@' etc/login.defs &amp;&amp;
./configure --sysconfdir=/etc &amp;&amp;
make</userinput></screen>
<para>This package does not come with a test suite.</para>
<para>Now, as the <systemitem class="username">root</systemitem> user:</para>
<screen role="root"><userinput>make install &amp;&amp;
mv -v /usr/bin/passwd /bin</userinput></screen>
</sect2>
<sect2 role="commands">
<title>Command Explanations</title>
<para><command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>:
This command is used to suppress the installation of the
<command>groups</command> program as the version from the
<application>Coreutils</application> package installed during LFS is
preferred.</para>
<para><command>find man -name Makefile.in -exec ... {} \;</command>: This
command is used to suppress the installation of the
<command>groups</command> man pages so the existing ones installed from
the <application>Coreutils</application> package are not replaced.</para>
<para><command>sed -i -e '...' -e '...' man/Makefile.in</command>: This
command disables the installation of Chinese and Korean manual pages, since
<application>Man-DB</application> cannot format them properly.</para>
<para><command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD MD5@'
-e 's@/var/spool/mail@/var/mail@' etc/login.defs</command>:
Instead of the default DES-based 'crypt' method, this command selects
the 'MD5' method for hashing passwords, which is stronger and does not
truncate passwords at eight characters
(<application>Shadow</application> also accepts SHA256 and SHA512 for
this setting). Note that the setting only applies to passwords set after
the change: existing DES hashes in <filename>/etc/shadow</filename>
remain until each password is changed. When
<application>Linux-PAM</application> is in use, <command>passwd</command>
hands the work to <filename class='libraryfile'>pam_unix.so</filename>,
so the hash is chosen by the options on its line in
<filename>/etc/pam.d/system-password</filename> instead. The second
expression changes the obsolete
<filename class="directory">/var/spool/mail</filename> location for user
mailboxes that <application>Shadow</application> uses by default to the
<filename class="directory">/var/mail</filename> location.</para>
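<para>The following is an added example, not part of the BLFS instructions or of the <application>Shadow</application> package: a small shell script that classifies the hash field of <filename>/etc/shadow</filename> entries by algorithm, so that accounts still carrying a DES hash (or no hash at all) after the <literal>ENCRYPT_METHOD</literal> change can be found. The prefix-to-algorithm mapping follows the crypt(3) conventions used by <application>Shadow</application> and pam_unix; the entries it runs on are constructed sample data, and the function names are the example's own.</para>

```shell
#!/bin/sh
# Added example, not part of the BLFS instructions: classify the hash field of
# shadow(5) entries so that accounts still carrying DES hashes (or no hash at
# all) after the ENCRYPT_METHOD change can be found. The prefix-to-algorithm
# mapping follows the crypt(3) conventions used by Shadow and pam_unix.

# hash_type FIELD: prints nopass, locked, des, md5, sha256, sha512, bcrypt or unknown
hash_type() {
    field=$1
    case "$field" in
        '')                      echo nopass ;;   # empty: no password required at all
        '!'*|'*'*)               echo locked ;;   # "!", "!!", "*": nothing can match
        '$1$'*)                  echo md5 ;;
        '$5$'*)                  echo sha256 ;;
        '$6$'*)                  echo sha512 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        *)
            # traditional DES crypt: exactly 13 characters from [./0-9A-Za-z]
            n=$(printf '%s' "$field" | LC_ALL=C tr -cd './0-9A-Za-z' | wc -c | tr -d ' ')
            if [ "${#field}" -eq 13 ] && [ "$n" -eq 13 ]; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# audit_shadow FILE: prints "user type" per entry and returns the number of
# entries whose hash is missing, DES or unrecognised (0 means nothing to fix).
audit_shadow() {
    weak=0
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        t=$(hash_type "$hash")
        case "$t" in nopass|des|unknown) weak=$((weak + 1)) ;; esac
        printf '%-8s %s\n' "$user" "$t"
    done < "$1"
    return "$weak"
}

# Constructed sample entries; the hash strings are illustrative, not real.
sample_shadow() {
    cat <<'EOF'
root:$6$saltsalt$Ab1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uVwXyZ:15000:0:99999:7:::
alice:$1$abcdefgh$ijklmnopqrstuvwxyz0123:15000:0:99999:7:::
bob:ab01cDef23GhI:15000:0:99999:7:::
carol::15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
dave:!$6$saltsalt$Ab1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uVwXyZ:15000:0:99999:7:::
EOF
}

# Demonstration on the sample; on a real system run "audit_shadow /etc/shadow" as root.
tmp=$(mktemp) && sample_shadow > "$tmp"
rc=0; audit_shadow "$tmp" || rc=$?
echo "weak or missing hashes: $rc"
rm -f "$tmp"
```

<para>On the sample, <literal>bob</literal> (DES) and <literal>carol</literal> (empty field) are reported as weak, while <literal>dave</literal>'s hash is prefixed with <literal>!</literal> and is therefore merely locked. Accounts reported as <literal>des</literal> keep that hash until their password is changed, which is why the audit is worth repeating after the <literal>ENCRYPT_METHOD</literal> change.</para>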
<para><command>mv -v /usr/bin/passwd /bin</command>: The
<command>passwd</command> program may be needed during times when the
<filename class='directory'>/usr</filename> filesystem is not mounted so
it is moved into the root partition.</para>
</sect2>
<sect2 role="configuration">
<title>Configuring Shadow</title>
<para><application>Shadow</application>'s stock configuration for the
<command>useradd</command> utility may not be desirable for your
installation. The <literal>CREATE_MAIL_SPOOL=yes</literal> default in
<filename>/etc/default/useradd</filename> causes <command>useradd</command>
to create a mailbox file for any newly created user.
<command>useradd</command> will make the group ownership of this file the
<systemitem class="groupname">mail</systemitem> group with 0660
permissions. If you would prefer that these mailbox files are not created
by <command>useradd</command>, issue the following command as the
<systemitem class="username">root</systemitem> user (the current defaults
can be reviewed with <command>useradd -D</command>):</para>
<screen role="root"><userinput>sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd</userinput></screen>
</sect2>
<sect2 role="configuration">
<title>Configuring Linux-PAM to Work with Shadow</title>
<note>
<para>The rest of this page is devoted to configuring
<application>Shadow</application> to work properly with
<application>Linux-PAM</application>. If you do not have
<application>Linux-PAM</application> installed, and you reinstalled
<application>Shadow</application> to support strong passwords via
the <application>CrackLib</application> library, no further configuration
is required.</para>
</note>
<sect3 id="pam.d">
<title>Config Files</title>
<para><filename>/etc/pam.d/*</filename> or alternatively
<filename>/etc/pam.conf, /etc/login.defs, and
/etc/security/*</filename></para>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
</indexterm>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
</indexterm>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-login.defs">/etc/login.defs</primary>
</indexterm>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-security">/etc/security/*</primary>
</indexterm>
</sect3>
<sect3>
<title>Configuration Information</title>
<para>Configuring your system to use <application>Linux-PAM</application>
can be a complex task. The information below will provide a basic setup
so that <application>Shadow</application>'s login and password
functionality will work effectively with
<application>Linux-PAM</application>. Review the information and links on
the <xref linkend="linux-pam"/> page for further configuration
information. For information specific to integrating
<application>Shadow</application>, <application>Linux-PAM</application>
and <application>CrackLib</application>, you can visit the following
links:</para>
<itemizedlist spacing="compact">
<listitem>
<para><ulink
url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html"/></para>
</listitem>
<listitem>
<para><ulink
url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/></para>
</listitem>
</itemizedlist>
<sect4 id="pam-login-defs">
<title>Configuring /etc/login.defs</title>
<para>The <command>login</command> program currently performs many
functions which <application>Linux-PAM</application> modules should
now handle. The following <command>sed</command> command will comment
out the appropriate lines in <filename>/etc/login.defs</filename>, and
stop <command>login</command> from performing these functions (a backup
file named <filename>/etc/login.defs.orig</filename> is also created
to preserve the original file's contents). Issue the following commands
as the <systemitem class="username">root</systemitem> user:</para>
<indexterm zone="shadow pam-login-defs">
<primary sortas="e-etc-login.defs">/etc/login.defs</primary>
</indexterm>
<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
PORTTIME_CHECKS_ENAB CONSOLE \
MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
SU_WHEEL_ONLY MD5_CRYPT_ENAB \
CONSOLE_GROUPS ENVIRON_FILE \
ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE \
OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
PASS_CHANGE_TRIES PASS_ALWAYS_WARN ISSUE_FILE
do
sed -i "s/^$FUNCTION/# &amp;/" /etc/login.defs
done</userinput></screen>
</sect4>
<sect4>
<title>Configuring the /etc/pam.d/ Files</title>
<para>As mentioned previously in the
<application>Linux-PAM</application> instructions,
<application>Linux-PAM</application> has two supported methods for
configuration. The commands below assume that you've chosen to use
a directory based configuration, where each program has its own
configuration file. You can optionally use a single
<filename>/etc/pam.conf</filename> configuration file by using the
text from the files below, and supplying the program name as an
additional first field for each line.</para>
<para>As the <systemitem class="username">root</systemitem> user,
replace the following <application>Linux-PAM</application>
configuration files in the
<filename class="directory">/etc/pam.d/</filename> directory (or
add the contents to the <filename>/etc/pam.conf</filename> file) using
the following commands:</para>
</sect4>
<sect4>
<title>'system-account'</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-account
account required pam_unix.so
# End /etc/pam.d/system-account</literal>
EOF</userinput></screen>
</sect4>
<sect4>
<title>'system-auth'</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-auth
auth required pam_unix.so
# End /etc/pam.d/system-auth</literal>
EOF</userinput></screen>
</sect4>
<sect4>
<title>'system-password' (with cracklib)</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-password
# check new passwords for strength (man pam_cracklib)
password required pam_cracklib.so type=Linux retry=3 difok=5 \
difignore=23 minlen=9 dcredit=1 \
ucredit=1 lcredit=1 ocredit=1 \
dictpath=/lib/cracklib/pw_dict
# hash with sha512, store the hash in the shadow file, and use the
# authentication token (chosen password) set by pam_cracklib
# above (or any previous modules)
password required pam_unix.so sha512 shadow use_authtok
# End /etc/pam.d/system-password</literal>
EOF</userinput></screen>
<note><para>Owing to credits, pam_cracklib accepts mixed-class passwords
shorter than <parameter>minlen</parameter>: each of the four
<parameter>credit</parameter> values of 1 above lets a character class
count as one extra character, so with <parameter>minlen=9</parameter> a
password containing a digit, an upper-case letter, a lower-case letter
and a symbol satisfies the length test at five characters (cracklib
itself enforces a separate fixed minimum, six characters in the 2.8
series). A negative credit value instead requires at least that many
characters of the class and awards no credit. Review the pam_cracklib(8)
man page and determine whether these values are acceptable for the
security of your system.</para></note>
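<para>The arithmetic behind that note, as an added example that is not pam_cracklib's own code: a shell re-implementation of its length-and-credit rule, assuming the semantics described in pam_cracklib(8) (a credit value of zero or more lets that class add up to that many characters to the counted length; a negative value demands at least that many characters of the class and adds nothing; the rule passes when the counted length reaches <parameter>minlen</parameter>). cracklib's dictionary check and its fixed minimum length are not modelled. With the <parameter>minlen=9</parameter> and four credits of 1 from the file above it shows a five-character four-class password passing the length rule; the function and variable names are the example's own.</para>

```shell
#!/bin/sh
# Added example, not pam_cracklib's own code: re-implements the length/credit
# arithmetic of pam_cracklib's "simple" check so the effect of minlen and the
# four *credit options in /etc/pam.d/system-password can be tried on sample
# passwords. Assumed rules (from pam_cracklib(8)): a credit value N >= 0 lets
# that character class add up to N to the counted length; N < 0 requires at
# least -N characters of the class and adds nothing; the check passes when
# length + credits >= minlen. cracklib's dictionary test and its own fixed
# minimum length are not modelled here.

# count_chars PASSWORD TR_SET: number of characters of PASSWORD in TR_SET
count_chars() {
    printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

# cracklib_length_ok MINLEN DCREDIT UCREDIT LCREDIT OCREDIT PASSWORD
# returns 0 when PASSWORD satisfies the length rule, 1 otherwise
cracklib_length_ok() {
    minlen=$1 pw=$6
    digits=$(count_chars "$pw" '0-9')
    uppers=$(count_chars "$pw" 'A-Z')
    lowers=$(count_chars "$pw" 'a-z')
    others=$(( ${#pw} - digits - uppers - lowers ))
    need=$minlen
    for spec in "$digits:$2" "$uppers:$3" "$lowers:$4" "$others:$5"; do
        count=${spec%%:*} credit=${spec##*:}
        if [ "$credit" -ge 0 ]; then
            # the bonus for this class is capped at the credit value
            if [ "$count" -lt "$credit" ]; then credit=$count; fi
            need=$((need - credit))
        elif [ "$count" -lt $((0 - credit)) ]; then
            return 1          # a mandated class is under-represented
        fi
    done
    [ "${#pw}" -ge "$need" ]
}

# report MINLEN DCREDIT UCREDIT LCREDIT OCREDIT PASSWORD: one verdict line
report() {
    if cracklib_length_ok "$@"; then v=PASS; else v=FAIL; fi
    printf '%-4s minlen=%s credits=%s,%s,%s,%s  %s (%s chars)\n' \
        "$v" "$1" "$2" "$3" "$4" "$5" "$6" "${#6}"
}

# Values from the system-password file above: minlen=9, all credits 1.
report 9 1 1 1 1 'aB3!x'        # five mixed characters satisfy the length test
report 9 1 1 1 1 'abcdefgh'     # a single class needs eight
report 9 1 1 1 1 'abcdefg'
# Negative credits demand the class instead of rewarding it.
report 12 -1 -1 -1 -1 'Abcdefghij1!'
report 12 -1 -1 -1 -1 'Abcdefghijkl'
```

<para>The last two lines show the usual hardening: with <parameter>dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1</parameter> every class is mandatory and <parameter>minlen</parameter> becomes a real character count, which is what most policies actually intend.</para>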
</sect4>
<sect4>
<title>'system-password' (without cracklib)</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-password
# hash with sha512, store the hash in the shadow file, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password required pam_unix.so sha512 shadow try_first_pass
# End /etc/pam.d/system-password</literal>
EOF</userinput></screen>
</sect4>
<sect4>
<title>'system-session'</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/system-session
session required pam_unix.so
# End /etc/pam.d/system-session</literal>
EOF</userinput></screen>
</sect4>
<sect4>
<title>'login'</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login
# Set failure delay before next prompt to 3 seconds
auth optional pam_faildelay.so delay=3000000
# Check to make sure that the user is allowed to login
auth requisite pam_nologin.so
# Check to make sure that root is allowed to login
auth required pam_securetty.so
# Additional group memberships - disabled by default
#auth optional pam_group.so
# include the default auth settings
auth include system-auth
# check access for the user
account required pam_access.so
# include the default account settings
account include system-account
# Set default environment variables for the user
session required pam_env.so
# Set resource limits for the user
session required pam_limits.so
# Display date of last login - Disabled by default
#session optional pam_lastlog.so
# Display the message of the day - Disabled by default
#session optional pam_motd.so
# Check user's mail - Disabled by default
#session optional pam_mail.so standard quiet
# Use xauth keys (if available)
session optional pam_xauth.so
# include the default session and password settings
session include system-session
password include system-password
# End /etc/pam.d/login</literal>
EOF</userinput></screen>
</sect4>
<sect4>
<title>'passwd'</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd
password include system-password
# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
</sect4>
<sect4>
<title>'su'</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su
# always allow root
auth sufficient pam_rootok.so
auth include system-auth
# include the default account settings
account include system-account
# Use xauth keys (if available)
session optional pam_xauth.so
# Set default environment variables for the service user
session required pam_env.so
# include system session defaults
session include system-session
# End /etc/pam.d/su</literal>
EOF</userinput></screen>
</sect4>
<sect4>
<title>'chage'</title>
<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage
# always allow root
auth sufficient pam_rootok.so
# include system defaults for auth account and session
auth include system-auth
account include system-account
session include system-session
# Always permit for authentication updates
password required pam_permit.so
# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
</sect4>
<sect4>
<title>'chfn', 'chgpasswd', 'chpasswd', 'chsh', 'groupadd',
'groupdel', 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel'
and 'usermod'</title>
<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
groupmems groupmod newusers useradd userdel usermod
do
install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
sed -i "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done</userinput></screen>
<warning>
<para>At this point, you should do a simple test to see if
<application>Shadow</application> is working as expected. Keep the shell
you are working in open as <systemitem class="username">root</systemitem>
until the test succeeds, so that a mistake in the files above cannot lock
you out. Open another terminal and log in as a user, then
<command>su</command> to <systemitem class="username">root</systemitem>.
If you do not see any errors, then all is well and you should proceed
with the rest of the configuration. If you did receive errors, stop now
and double check the above configuration files manually. You can also
run the test suite from the <application>Linux-PAM</application> package
to assist you in determining the problem. If you cannot find and
fix the error, you should recompile <application>Shadow</application>
adding the <option>--without-libpam</option> switch to the
<command>configure</command> command in the above instructions
(also move the <filename>/etc/login.defs.orig</filename> backup
file to <filename>/etc/login.defs</filename>). If you
fail to do this and the errors remain, you will be unable to log into
your system.</para>
</warning>
</sect4>
<sect4>
<title>Other</title>
<para>Currently, <filename>/etc/pam.d/other</filename> is configured
to allow anyone with an account on the machine to use PAM-aware
programs without a configuration file for that program. After testing
<application>Linux-PAM</application> for proper configuration, install
a more restrictive <filename>other</filename> file so that
program-specific configuration files are required:</para>
<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/other
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so
# End /etc/pam.d/other</literal>
EOF</userinput></screen>
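<para>Before relying on the live <command>su</command> test in the warning above, a static check catches two of the likeliest mistakes: an <literal>include</literal> (or <literal>substack</literal>) line naming a file that was never created, and an <filename>other</filename> file that still permits rather than denies. The script below is an added example, not part of BLFS or <application>Linux-PAM</application>; it builds a throwaway copy of the files from this page plus those two deliberate faults in a temporary directory, lints it, installs the restrictive <filename>other</filename> shown above and lints again. <function>pam_lint</function> and the other names are the example's own; pass it <filename class="directory">/etc/pam.d</filename> to check the real configuration.</para>

```shell
#!/bin/sh
# Added example, not part of BLFS or Linux-PAM: a static check of a pam.d
# directory for two mistakes that otherwise only show up when the su test
# fails: an "include"/"substack" whose target file does not exist, and an
# "other" fallback that does not deny every management group. It is
# exercised here on a constructed copy of the files above; run
# "pam_lint /etc/pam.d" to check a real configuration.

# pam_lint DIR: prints one problem per line (nothing when the directory is clean)
pam_lint() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # drop comments and blank lines; remaining fields: TYPE CONTROL MODULE [ARGS]
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f" |
        while read -r type control module args; do
            case "$type" in
                auth|account|password|session|-auth|-account|-password|-session) ;;
                *) echo "$name: unknown type '$type'" ;;
            esac
            case "$control" in
                required|requisite|sufficient|optional|'['*) ;;
                include|substack)
                    [ -f "$dir/$module" ] ||
                        echo "$name: $type $control '$module' has no file $dir/$module" ;;
                *) echo "$name: unknown control '$control'" ;;
            esac
        done
    done
    # every management group must be denied in the fallback file
    if [ -f "$dir/other" ]; then
        for type in auth account password session; do
            grep -Eq "^[[:space:]]*$type[[:space:]]+required[[:space:]]+pam_deny\.so" "$dir/other" ||
                echo "other: $type is not denied by pam_deny.so"
        done
    else
        echo "other: missing"
    fi
}

# make_sample_pamd: builds a throwaway pam.d from the files above plus two
# deliberate problems, and prints its path
make_sample_pamd() {
    d=$(mktemp -d)
    printf 'auth required pam_unix.so\n'    > "$d/system-auth"
    printf 'account required pam_unix.so\n' > "$d/system-account"
    printf 'session required pam_unix.so\n' > "$d/system-session"
    printf 'password required pam_unix.so sha512 shadow try_first_pass\n' > "$d/system-password"
    printf '%s\n' '# Begin /etc/pam.d/login' \
        'auth requisite pam_nologin.so' 'auth required pam_securetty.so' \
        'auth include system-auth' 'account required pam_access.so' \
        'account include system-account' 'session required pam_env.so' \
        'session include system-session' 'password include system-password' > "$d/login"
    # problem 1: an include whose target was never written
    printf 'auth include system-missing\n' > "$d/sshd"
    # problem 2: the permissive fallback that is in place before this step
    for t in auth account password session; do
        printf '%s required pam_unix.so\n' "$t"
    done > "$d/other"
    echo "$d"
}

# write_deny_other DIR: install the restrictive fallback shown above
write_deny_other() {
    for t in auth account password session; do
        printf '%s required pam_warn.so\n%s required pam_deny.so\n' "$t" "$t"
    done > "$1/other"
}

d=$(make_sample_pamd)
echo "== with the permissive other =="; pam_lint "$d"
write_deny_other "$d"
echo "== after installing the restrictive other =="; pam_lint "$d"
rm -rf "$d"
```

<para>The first run reports the dangling include and the four management groups that <filename>other</filename> does not deny; the second reports only the dangling include, which is the kind of error the live test would otherwise surface as a refused login. The check is deliberately static: it does not confirm that the named modules exist under <filename class="directory">/lib/security</filename>, so the <command>su</command> test in another terminal is still required.</para>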
</sect4>
<sect4 id="pam-access">
<title>Configuring Login Access</title>
<para>Instead of using the <filename>/etc/login.access</filename>
file for controlling access to the system,
<application>Linux-PAM</application> uses the
<filename class='libraryfile'>pam_access.so</filename> module along
with the <filename>/etc/security/access.conf</filename> file. Rename
the <filename>/etc/login.access</filename> file using the following
command:</para>
<indexterm zone="shadow pam-access">
<primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
</indexterm>
<screen role="root"><userinput>if [ -f /etc/login.access ]; then
mv -v /etc/login.access /etc/login.access.NOUSE
fi</userinput></screen>
</sect4>
<sect4 id="pam-limits">
<title>Configuring Resource Limits</title>
<para>Instead of using the <filename>/etc/limits</filename> file
for limiting usage of system resources,
<application>Linux-PAM</application> uses the
<filename class='libraryfile'>pam_limits.so</filename> module along
with the <filename>/etc/security/limits.conf</filename> file. Rename
the <filename>/etc/limits</filename> file using the following
command:</para>
<indexterm zone="shadow pam-limits">
<primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
</indexterm>
<screen role="root"><userinput>if [ -f /etc/limits ]; then
mv -v /etc/limits /etc/limits.NOUSE
fi</userinput></screen>
</sect4>
<sect4 id="pam-env">
<title>Configuring Default Environment</title>
<para>During previous configuration, several items were removed from
<filename>/etc/login.defs</filename>. Some of these items are now
controlled by the <filename class='libraryfile'>pam_env.so</filename>
module and the <filename>/etc/security/pam_env.conf</filename>
configuration file. In particular, the default path has been
changed. To recover your default path, execute the following
commands:</para>
<screen role="root"><userinput>ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
awk '{ print $2 }' | sed 's/PATH=//'` &amp;&amp;
echo 'PATH DEFAULT='`echo "${ENV_PATH}"`\
' OVERRIDE=${PATH}' \
>> /etc/security/pam_env.conf &amp;&amp;
unset ENV_PATH</userinput></screen>
<note>
<para>The ENV_SUPATH option used to modify root's default path
does not work with PAM. You have to set the path in root's login
scripts instead.
</para>
</note>
</sect4>
</sect3>
</sect2>
<sect2 role="content">
<title>Contents</title>
<para>A list of the installed files, along with their short descriptions
can be found at
<ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>
</sect2>
</sect1>