Difference between revisions of "Shadow"
From CBLFS
Jump to navigationJump to search(43 intermediate revisions by 14 users not shown) | |||
Line 1: | Line 1: | ||
{| style="text-align: left; background-color: AliceBlue;" | {| style="text-align: left; background-color: AliceBlue;" | ||
− | |- | + | |-valign="top" |
!Download Source: | !Download Source: | ||
− | | | + | | http://pkg-shadow.alioth.debian.org/releases/shadow-{{Shadow-Version}}.tar.bz2 |
− | + | |} | |
− | |||
− | |||
− | |||
− | |||
− | -- | + | {{Package-Introduction|Shadow, a login and password handling tool suit|http://pkg-shadow.alioth.debian.org/}} |
== Dependencies == | == Dependencies == | ||
=== Optional === | === Optional === | ||
− | *[[Cracklib]] | + | * [[Cracklib]] |
− | *[[PAM Library]] | + | * [[PAM Library]] |
+ | * [[libaudit]] | ||
+ | * [[libskey]] | ||
+ | * [[SELinux]] | ||
+ | |||
+ | == Configuration Information == | ||
+ | |||
+ | If you have not installed [[PAM Library]], then use this flag instead of ''--with-libpam'' in the instructions below. | ||
+ | |||
+ | --without-libpam | ||
+ | |||
+ | If you have not installed [[Cracklib]], then remove this flag from the instructions below. | ||
+ | |||
+ | --with-libcrack | ||
== Non-Multilib == | == Non-Multilib == | ||
Line 21: | Line 30: | ||
Configure and compile the package: | Configure and compile the package: | ||
− | + | sed -i 's/groups$(EXEEXT) //' src/Makefile.in && | |
− | ./configure --libdir=/lib -sysconfdir=/etc --enable-shared \ | + | find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; && |
+ | find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && | ||
+ | ./configure --libdir=/lib --sysconfdir=/etc --enable-shared \ | ||
--without-audit --without-selinux --with-libcrack --with-libpam && | --without-audit --without-selinux --with-libcrack --with-libpam && | ||
− | |||
− | |||
make | make | ||
Line 31: | Line 40: | ||
make install && | make install && | ||
− | mv /usr/bin/passwd /bin | + | mv -v /usr/bin/passwd /bin |
− | + | ||
− | + | == Multilib == | |
− | + | ||
− | + | === 64Bit === | |
− | install - | + | |
+ | sed -i 's/groups$(EXEEXT) //' src/Makefile.in && | ||
+ | find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; && | ||
+ | find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && | ||
+ | CC="gcc ${BUILD64}" ./configure --libdir=/lib64 --sysconfdir=/etc --enable-shared \ | ||
+ | --without-audit --without-selinux --with-libcrack --with-libpam && | ||
+ | make | ||
+ | |||
+ | Install the package: | ||
+ | |||
+ | make install && | ||
+ | mv -v /usr/bin/passwd /bin | ||
+ | |||
+ | == Configuring == | ||
+ | |||
+ | === login.defs === | ||
Setup Configuration files: | Setup Configuration files: | ||
− | |||
− | |||
cp etc/login.defs /etc/login.defs | cp etc/login.defs /etc/login.defs | ||
− | sed -i -e 's@# | + | sed -i -e 's@#\(ENCRYPT_METHOD \).*@\1SHA512@' \ |
-e 's@/var/spool/mail@/var/mail@' \ | -e 's@/var/spool/mail@/var/mail@' \ | ||
-e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs | -e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs | ||
+ | |||
FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE | FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE | ||
NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS | NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS | ||
Line 55: | Line 78: | ||
done | done | ||
− | === | + | === [[Linux-PAM]] Services === |
− | + | ==== /etc/pam.d/login ==== | |
− | /etc/ | + | |
+ | This is the file that controls the login program | ||
− | cat > /etc/ | + | cat > /etc/pam.d/login << "EOF" |
− | + | #%PAM-1.0 | |
− | + | # | |
− | + | # The common PAM configuration file for login | |
− | + | # | |
+ | auth required pam_shells.so | ||
+ | auth include system-auth | ||
+ | auth optional pam_securetty.so | ||
+ | |||
+ | account required pam_nologin.so | ||
+ | account include system-auth | ||
+ | |||
+ | password include system-auth | ||
+ | |||
+ | session include system-auth | ||
+ | session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 | ||
+ | session optional pam_lastlog.so nowtmp | ||
+ | session optional pam_mail.so dir=/var/mail standard | ||
EOF | EOF | ||
− | + | Also make sure '''/etc/shells''' exists because the '''pam_shells.so''' module will only permit a login if your users login shell appears in '''/etc/shells'''. | |
− | === | + | ==== /etc/pam.d/{chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems groupmod newusers passwd useradd userdel usermod} ==== |
− | + | These are the files that control changing of a password | |
− | + | for file in chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems \ | |
− | + | groupmod newusers passwd useradd userdel usermod; do | |
− | - | + | cat > /etc/pam.d/$file << "EOF" |
− | + | #%PAM-1.0 | |
− | + | # | |
− | + | # The common PAM configuration file authentication only, root ok | |
+ | # | ||
+ | auth sufficient pam_rootok.so | ||
+ | |||
+ | account required pam_permit.so | ||
+ | account include system-auth | ||
+ | |||
+ | password include system-auth | ||
+ | EOF | ||
+ | done | ||
− | + | ==== /etc/pam.d/su ==== | |
− | + | This is the file that controls su access | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | cat > /etc/pam.d/su << "EOF" | |
+ | #%PAM-1.0 | ||
+ | # | ||
+ | # The common PAM configuration file for su | ||
+ | # | ||
+ | auth sufficient pam_rootok.so | ||
+ | auth include system-auth | ||
+ | |||
+ | account include system-auth | ||
+ | |||
+ | password include system-auth | ||
+ | |||
+ | session include system-auth | ||
+ | session optional pam_xauth.so | ||
+ | EOF | ||
− | |||
− | + | === Where to go? === | |
− | |||
− | + | See [[Configuring for Adding Users]] | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | == | + | ==Contents== |
− | + | {| style="text-align: left;" | |
− | + | |-valign="top" | |
+ | ! Installed Programs: | ||
+ | |login, su, nologin, faillog, lastlog, chage, chfn, chsh, expiry, gpasswd, newgrp, passwd, chgpasswd, chpasswd, groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, logoutd, newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vipw | ||
+ | |-valign="top" | ||
+ | ! Installed Libraries: | ||
+ | | | ||
+ | |-valign="top" | ||
+ | ! Installed Directories: | ||
+ | | /etc/pam.d | ||
+ | |} | ||
− | + | === Short Descriptions === | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | {| style="text-align: left;" | |
− | + | |-valign="top" | |
− | + | ! expiry | |
− | + | | Checks and enforces the current password expiration policy | |
− | + | |-valign="top" | |
− | + | ! faillog | |
− | + | | Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count | |
− | + | |-valign="top" | |
− | + | ! gpasswd | |
− | + | | Is used to add and delete members and administrators to groups | |
− | + | |-valign="top" | |
− | + | ! groupadd | |
− | + | | Creates a group with the given name | |
− | + | |-valign="top" | |
− | + | ! groupdel | |
− | + | | Deletes the group with the given name | |
− | + | |-valign="top" | |
− | + | ! groupmod | |
− | + | | Is used to modify the given group's name or GID | |
− | + | |-valign="top" | |
− | + | ! grpck | |
− | + | | Verifies the integrity of the group files /etc/group and /etc/gshadow | |
− | + | |-valign="top" | |
− | + | ! grpconv | |
− | + | | Creates or updates the shadow group file from the normal group file | |
− | = | + | |-valign="top" |
− | + | ! grpunconv | |
− | + | | Updates /etc/group from /etc/gshadow and then deletes the latter | |
− | + | |-valign="top" | |
− | + | ! lastlog | |
− | + | | Reports the most recent login of all users or of a given user | |
− | + | |-valign="top" | |
− | + | ! login | |
− | + | | Is used by the system to let users sign on | |
− | + | |-valign="top" | |
− | + | ! logoutd | |
+ | | Is a daemon used to enforce restrictions on log-on time and ports | ||
+ | |-valign="top" | ||
+ | ! newgrp | ||
+ | | Is used to change the current GID during a login session | ||
+ | |-valign="top" | ||
+ | ! newusers | ||
+ | | Is used to create or update an entire series of user accounts | ||
+ | |-valign="top" | ||
+ | ! nologin | ||
+ | | Displays a message that an account is not available. Designed to be used as the default shell for accounts that have been disabled | ||
+ | |-valign="top" | ||
+ | ! passwd | ||
+ | | Is used to change the password for a user or group account | ||
+ | |-valign="top" | ||
+ | ! pwck | ||
+ | | Verifies the integrity of the password files /etc/passwd and /etc/shadow | ||
+ | |-valign="top" | ||
+ | ! pwconv | ||
+ | | Creates or updates the shadow password file from the normal password file | ||
+ | |-valign="top" | ||
+ | ! pwunconv | ||
+ | | Updates /etc/passwd from /etc/shadow and then deletes the latter | ||
+ | |-valign="top" | ||
+ | ! sg | ||
+ | | Executes a given command while the user's GID is set to that of the given group | ||
+ | |-valign="top" | ||
+ | ! su | ||
+ | | Runs a shell with substitute user and group IDs | ||
+ | |-valign="top" | ||
+ | ! useradd | ||
+ | | Creates a new user with the given name, or updates the default new-user information | ||
+ | |-valign="top" | ||
+ | ! userdel | ||
+ | | Deletes the given user account | ||
+ | |-valign="top" | ||
+ | ! usermod | ||
+ | | Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc. | ||
+ | |-valign="top" | ||
+ | ! vigr | ||
+ | | Edits the /etc/group or /etc/gshadow files | ||
+ | |-valign="top" | ||
+ | ! vipw | ||
+ | | Edits the /etc/passwd or /etc/shadow files | ||
+ | |} |
Latest revision as of 19:46, 21 September 2012
Download Source: | http://pkg-shadow.alioth.debian.org/releases/shadow-4.1.5.1.tar.bz2 |
---|
Contents
Introduction to Shadow
Shadow, a login and password handling tool suit
Project Homepage: http://pkg-shadow.alioth.debian.org/
Dependencies
Optional
Configuration Information
If you have not installed PAM Library, then use this flag instead of --with-libpam in the instructions below.
--without-libpam
If you have not installed Cracklib, then remove this flag from the instructions below.
--with-libcrack
Non-Multilib
Configure and compile the package:
sed -i 's/groups$(EXEEXT) //' src/Makefile.in && find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; && find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && ./configure --libdir=/lib --sysconfdir=/etc --enable-shared \ --without-audit --without-selinux --with-libcrack --with-libpam && make
Install the package:
make install && mv -v /usr/bin/passwd /bin
Multilib
64Bit
sed -i 's/groups$(EXEEXT) //' src/Makefile.in && find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; && find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && CC="gcc ${BUILD64}" ./configure --libdir=/lib64 --sysconfdir=/etc --enable-shared \ --without-audit --without-selinux --with-libcrack --with-libpam && make
Install the package:
make install && mv -v /usr/bin/passwd /bin
Configuring
login.defs
Setup Configuration files:
cp etc/login.defs /etc/login.defs sed -i -e 's@#\(ENCRYPT_METHOD \).*@\1SHA512@' \ -e 's@/var/spool/mail@/var/mail@' \ -e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs
FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS ENVIRON_FILE ULIMIT ENV_TZ ENV_HZ ENV_SUPATH ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH PASS_CHANGE_TRIES PASS_ALWAYS" for function in $FUNCTIONS; do sed -i "s/^$function/# &/" /etc/login.defs done
Linux-PAM Services
/etc/pam.d/login
This is the file that controls the login program
cat > /etc/pam.d/login << "EOF" #%PAM-1.0 # # The common PAM configuration file for login # auth required pam_shells.so auth include system-auth auth optional pam_securetty.so account required pam_nologin.so account include system-auth password include system-auth session include system-auth session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 session optional pam_lastlog.so nowtmp session optional pam_mail.so dir=/var/mail standard EOF
Also make sure /etc/shells exists because the pam_shells.so module will only permit a login if your users login shell appears in /etc/shells.
/etc/pam.d/{chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems groupmod newusers passwd useradd userdel usermod}
These are the files that control changing of a password
for file in chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems \ groupmod newusers passwd useradd userdel usermod; do cat > /etc/pam.d/$file << "EOF" #%PAM-1.0 # # The common PAM configuration file authentication only, root ok # auth sufficient pam_rootok.so account required pam_permit.so account include system-auth password include system-auth EOF done
/etc/pam.d/su
This is the file that controls su access
cat > /etc/pam.d/su << "EOF" #%PAM-1.0 # # The common PAM configuration file for su # auth sufficient pam_rootok.so auth include system-auth account include system-auth password include system-auth session include system-auth session optional pam_xauth.so EOF
Where to go?
See Configuring for Adding Users
Contents
Installed Programs: | login, su, nologin, faillog, lastlog, chage, chfn, chsh, expiry, gpasswd, newgrp, passwd, chgpasswd, chpasswd, groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, logoutd, newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vipw |
---|---|
Installed Libraries: | |
Installed Directories: | /etc/pam.d |
Short Descriptions
expiry | Checks and enforces the current password expiration policy |
---|---|
faillog | Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count |
gpasswd | Is used to add and delete members and administrators to groups |
groupadd | Creates a group with the given name |
groupdel | Deletes the group with the given name |
groupmod | Is used to modify the given group's name or GID |
grpck | Verifies the integrity of the group files /etc/group and /etc/gshadow |
grpconv | Creates or updates the shadow group file from the normal group file |
grpunconv | Updates /etc/group from /etc/gshadow and then deletes the latter |
lastlog | Reports the most recent login of all users or of a given user |
login | Is used by the system to let users sign on |
logoutd | Is a daemon used to enforce restrictions on log-on time and ports |
newgrp | Is used to change the current GID during a login session |
newusers | Is used to create or update an entire series of user accounts |
nologin | Displays a message that an account is not available. Designed to be used as the default shell for accounts that have been disabled |
passwd | Is used to change the password for a user or group account |
pwck | Verifies the integrity of the password files /etc/passwd and /etc/shadow |
pwconv | Creates or updates the shadow password file from the normal password file |
pwunconv | Updates /etc/passwd from /etc/shadow and then deletes the latter |
sg | Executes a given command while the user's GID is set to that of the given group |
su | Runs a shell with substitute user and group IDs |
useradd | Creates a new user with the given name, or updates the default new-user information |
userdel | Deletes the given user account |
usermod | Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc. |
vigr | Edits the /etc/group or /etc/gshadow files |
vipw | Edits the /etc/passwd or /etc/shadow files |