Shadow: Difference between revisions

From CBLFS
Jump to navigationJump to search
← Older edit
Kalessin (talk | contribs)
skipcaptcha
536 edits
I completed the "Contents" section.
Kb0iic (talk | contribs)
Bureaucrats, skipcaptcha, Administrators
308 edits
No edit summary
 
(35 intermediate revisions by 10 users not shown)
Line 1: Line 1:
{| style="text-align: left; background-color: AliceBlue;"
{| style="text-align: left; background-color: AliceBlue;"
|-
|-valign="top"
!Download Source:
!Download Source:
| ftp://ftp.pld.org.pl/software/shadow/shadow-4.0.18.1.tar.bz2
| http://pkg-shadow.alioth.debian.org/releases/shadow-{{Shadow-Version}}.tar.bz2
|-
|}
!Download Patch:
| http://svn.cross-lfs.org/svn/repos/cross-lfs/trunk/patches/shadow-4.0.18.1-useradd_fix-1.patch
|-
|-|}
 
== Introduction to Shadow ==


Shadow was indeed installed in CLFS and there is no reason to reinstall it unless you installed CrackLib or Linux-PAM after your CLFS system was completed. If you have installed CrackLib  after CLFS, then reinstalling Shadow will enable strong password support. If you have installed Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM.
{{Package-Introduction|Shadow, a login and password handling tool suit|http://pkg-shadow.alioth.debian.org/}}


== Dependencies ==
== Dependencies ==


=== Optional ===
=== Optional ===
*[[Cracklib]]
* [[Cracklib]]
*[[PAM Library]]
* [[PAM Library]]
 
* [[libaudit]]
== Non-Multilib ==
* [[libskey]]
* [[SELinux]]


Configure and compile the package:
== Configuration Information ==
 
patch -Np1 -i ../shadow-4.0.18.1-useradd_fix-1.patch &&
./configure --libdir=/lib -sysconfdir=/etc --enable-shared \
  --without-audit --without-selinux --with-libcrack --with-libpam &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
sed -i '/groups/d' man/Makefile &&
make


Install the package:
If you have not installed [[PAM Library]], then use this flag instead of ''--with-libpam'' in the instructions below.


  make install &&
  --without-libpam
mv /usr/bin/passwd /bin &&
mv /lib/libshadow.{a,la} /usr/lib &&
rm /lib/libshadow.so &&
LIBNAME=`cat lib/libshadow.la | grep library_names | cut -f2 -d"'" | cut -f2 -d" "` &&
ln -sf ../../lib/$LIBNAME /usr/lib/libshadow.so &&
install -d /etc/default


Setup Configuration files:
If you have not installed [[Cracklib]], then remove this flag from the instructions below.


This section makes sure login.defs is compatible with PAM
--with-libcrack


cp etc/login.defs /etc/login.defs
== Non-Multilib ==
sed -i -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
        -e 's@/var/spool/mail@/var/mail@' \
        -e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs
FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE
            NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS
            ENVIRON_FILE ULIMIT ENV_TZ ENV_HZ ENV_SUPATH ENV_PATH QMAIL_DIR MAIL_DIR
            MAIL_FILE CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE OBSCURE_CHECKS_ENAB
            CRACKLIB_DICTPATH PASS_CHANGE_TRIES PASS_ALWAYS"
for function in $FUNCTIONS; do
      sed -i "s/^$function/# &/" /etc/login.defs
done
 
=== /etc/default/useradd ===
 
With the PAM configuration that is in CBLFS, this is the only information needed in
/etc/default/useradd.
 
cat > /etc/default/useradd << "EOF"
HOME=/home
INACTIVE=-1
SHELL=/bin/bash
CREATE_MAIL_SPOOL=no
EOF
 
== Multilib ==
 
=== 32Bit ===


Configure and compile the package:
Configure and compile the package:


  patch -Np1 -i ../shadow-4.0.18.1-useradd_fix-1.patch &&
  sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
  CC="gcc ${BUILD32}" ./configure --libdir=/lib -sysconfdir=/etc --enable-shared \
find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; &&
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
  ./configure --libdir=/lib --sysconfdir=/etc --enable-shared \
   --without-audit --without-selinux --with-libcrack --with-libpam &&
   --without-audit --without-selinux --with-libcrack --with-libpam &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
sed -i '/groups/d' man/Makefile &&
  make
  make


Line 85: Line 40:


  make install &&
  make install &&
  mv /usr/bin/passwd /bin &&
  mv -v /usr/bin/passwd /bin
mv /lib/libshadow.{a,la} /usr/lib &&
rm /lib/libshadow.so &&
LIBNAME=`cat lib/libshadow.la | grep library_names | cut -f2 -d"'" | cut -f2 -d" "` &&
ln -sf ../../lib/$LIBNAME /usr/lib/libshadow.so


=== N32 ===
== Multilib ==


Configure and compile the package:
=== 64Bit ===


  patch -Np1 -i ../shadow-4.0.18.1-useradd_fix-1.patch &&
  sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
  CC="gcc ${BUILDN32}" ./configure --libdir=/lib32 -sysconfdir=/etc --enable-shared \
find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; &&
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
  CC="gcc ${BUILD64}" ./configure --libdir=/lib64 --sysconfdir=/etc --enable-shared \
   --without-audit --without-selinux --with-libcrack --with-libpam &&
   --without-audit --without-selinux --with-libcrack --with-libpam &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
  make
sed -i '/groups/d' man/Makefile &&
make


Install the package:
Install the package:


  make install &&
  make install &&
  mv /usr/bin/passwd /bin &&
  mv -v /usr/bin/passwd /bin
mv /lib32/libshadow.{a,la} /usr/lib32 &&
rm /lib32/libshadow.so &&
LIBNAME=`cat lib/libshadow.la | grep library_names | cut -f2 -d"'" | cut -f2 -d" "` &&
ln -sf ../../lib32/$LIBNAME /usr/lib32/libshadow.so
 
=== 64Bit ===


patch -Np1 -i ../shadow-4.0.18.1-useradd_fix-1.patch &&
== Configuring ==
CC="gcc ${BUILD64}" ./configure --libdir=/lib64 -sysconfdir=/etc --enable-shared \
  --without-audit --without-selinux --with-libcrack --with-libpam &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
sed -i '/groups/d' man/Makefile &&
make


Install the package:
=== login.defs ===
 
make install &&
mv /usr/bin/passwd /bin &&
mv /lib64/libshadow.{a,la} /usr/lib64 &&
rm /lib64/libshadow.so &&
LIBNAME=`cat lib/libshadow.la | grep library_names | cut -f2 -d"'" | cut -f2 -d" "` &&
ln -sf ../../lib64/$LIBNAME /usr/lib64/libshadow.so
install -d /etc/default


Setup Configuration files:
Setup Configuration files:


  cp etc/login.defs /etc/login.defs  
  cp etc/login.defs /etc/login.defs  
  sed -i -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
  sed -i -e 's@#\(ENCRYPT_METHOD \).*@\1SHA512@' \
         -e 's@/var/spool/mail@/var/mail@' \
         -e 's@/var/spool/mail@/var/mail@' \
         -e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs
         -e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs
  FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE
  FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE
             NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS
             NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS
Line 145: Line 78:
  done
  done


=== /etc/default/useradd ===
=== [[Linux-PAM]] Services ===


With the PAM configuration that is in CBLFS, this is the only information needed in
==== /etc/pam.d/login ====
/etc/default/useradd.
This is the file that controls the login program


  cat > /etc/default/useradd << "EOF"
  cat > /etc/pam.d/login << "EOF"
  HOME=/home
  #%PAM-1.0
  INACTIVE=-1
#
  SHELL=/bin/bash
# The common PAM configuration file for login
  CREATE_MAIL_SPOOL=no
#
auth      required    pam_shells.so
auth      include      system-auth
auth      optional    pam_securetty.so
account    required    pam_nologin.so
account    include      system-auth
password  include      system-auth
  session    include      system-auth
  session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
  session    optional    pam_lastlog.so nowtmp
session    optional    pam_mail.so dir=/var/mail standard
  EOF
  EOF
Also make sure '''/etc/shells''' exists because the '''pam_shells.so''' module will only permit a login if your users login shell appears in '''/etc/shells'''.
==== /etc/pam.d/{chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems groupmod newusers passwd useradd userdel usermod} ====
These are the files that control changing of a password
for file in chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems \
  groupmod newusers passwd useradd userdel usermod; do
        cat > /etc/pam.d/$file << "EOF"
#%PAM-1.0
#
# The common PAM configuration file authentication only, root ok
#
auth      sufficient  pam_rootok.so
account    required    pam_permit.so
account    include      system-auth
password  include      system-auth
EOF
done
==== /etc/pam.d/su ====
This is the file that controls su access
cat > /etc/pam.d/su << "EOF"
#%PAM-1.0
#
# The common PAM configuration file for su
#
auth            sufficient      pam_rootok.so
auth            include        system-auth
account        include        system-auth
password        include        system-auth
session        include        system-auth
session        optional        pam_xauth.so
EOF
=== Where to go? ===
See [[Configuring for Adding Users]]


==Contents==
==Contents==


{| style="text-align: left;"
{| style="text-align: left;"
|-
|-valign="top"
! '''Installed Programs:'''
! Installed Programs:
|login, su, nologin, faillog, lastlog, chage, chfn, chsh, expiry, gpasswd, newgrp, passwd, chgpasswd, chpasswd, groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, logoutd, newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vipw
|login, su, nologin, faillog, lastlog, chage, chfn, chsh, expiry, gpasswd, newgrp, passwd, chgpasswd, chpasswd, groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, logoutd, newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vipw
|-
|-valign="top"
! '''Installed Libraries:'''
! Installed Libraries:
| libshadow.{so,la,a}
|  
|-
|-valign="top"
! '''Installed Directories:'''
! Installed Directories:
| /etc/pam.d
| /etc/pam.d
|}
|}
Line 174: Line 168:


{| style="text-align: left;"
{| style="text-align: left;"
|-
|-valign="top"
! '''expiry'''
! expiry
| Checks and enforces the current password expiration policy  
| Checks and enforces the current password expiration policy  
|-
|-valign="top"
! '''faillog'''
! faillog
| Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count  
| Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count  
|-
|-valign="top"
! '''gpasswd'''
! gpasswd
| Is used to add and delete members and administrators to groups  
| Is used to add and delete members and administrators to groups  
|-
|-valign="top"
! '''groupadd'''
! groupadd
| Creates a group with the given name  
| Creates a group with the given name  
|-
|-valign="top"
! '''groupdel'''
! groupdel
| Deletes the group with the given name  
| Deletes the group with the given name  
|-
|-valign="top"
! '''groupmod'''
! groupmod
| Is used to modify the given group's name or GID  
| Is used to modify the given group's name or GID  
|-
|-valign="top"
! '''grpck'''
! grpck
| Verifies the integrity of the group files /etc/group and /etc/gshadow  
| Verifies the integrity of the group files /etc/group and /etc/gshadow  
|-
|-valign="top"
! '''grpconv'''
! grpconv
| Creates or updates the shadow group file from the normal group file  
| Creates or updates the shadow group file from the normal group file  
|-
|-valign="top"
! '''grpunconv'''
! grpunconv
| Updates /etc/group from /etc/gshadow and then deletes the latter  
| Updates /etc/group from /etc/gshadow and then deletes the latter  
|-
|-valign="top"
! '''lastlog'''
! lastlog
| Reports the most recent login of all users or of a given user  
| Reports the most recent login of all users or of a given user  
|-
|-valign="top"
! '''login'''
! login
| Is used by the system to let users sign on  
| Is used by the system to let users sign on  
|-
|-valign="top"
! '''logoutd'''
! logoutd
| Is a daemon used to enforce restrictions on log-on time and ports  
| Is a daemon used to enforce restrictions on log-on time and ports  
|-
|-valign="top"
! '''newgrp'''
! newgrp
| Is used to change the current GID during a login session  
| Is used to change the current GID during a login session  
|-
|-valign="top"
! '''newusers'''
! newusers
| Is used to create or update an entire series of user accounts  
| Is used to create or update an entire series of user accounts  
|-
|-valign="top"
! '''nologin'''
! nologin
| Displays a message that an account is not available. Designed to be used as the default shell for accounts that have been disabled  
| Displays a message that an account is not available. Designed to be used as the default shell for accounts that have been disabled  
|-
|-valign="top"
! '''passwd'''
! passwd
| Is used to change the password for a user or group account  
| Is used to change the password for a user or group account  
|-
|-valign="top"
! '''pwck'''
! pwck
| Verifies the integrity of the password files /etc/passwd and /etc/shadow  
| Verifies the integrity of the password files /etc/passwd and /etc/shadow  
|-
|-valign="top"
! '''pwconv'''
! pwconv
| Creates or updates the shadow password file from the normal password file  
| Creates or updates the shadow password file from the normal password file  
|-
|-valign="top"
! '''pwunconv'''
! pwunconv
| Updates /etc/passwd from /etc/shadow and then deletes the latter  
| Updates /etc/passwd from /etc/shadow and then deletes the latter  
|-
|-valign="top"
! '''sg'''
! sg
| Executes a given command while the user's GID is set to that of the given group  
| Executes a given command while the user's GID is set to that of the given group  
|-
|-valign="top"
! '''su'''
! su
| Runs a shell with substitute user and group IDs  
| Runs a shell with substitute user and group IDs  
|-
|-valign="top"
! '''useradd'''
! useradd
| Creates a new user with the given name, or updates the default new-user information  
| Creates a new user with the given name, or updates the default new-user information  
|-
|-valign="top"
! '''userdel'''
! userdel
| Deletes the given user account  
| Deletes the given user account  
|-
|-valign="top"
! '''usermod'''
! usermod
| Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc.  
| Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc.  
|-
|-valign="top"
! '''vigr'''
! vigr
| Edits the /etc/group or /etc/gshadow files  
| Edits the /etc/group or /etc/gshadow files  
|-
|-valign="top"
! '''vipw'''
! vipw
| Edits the /etc/passwd or /etc/shadow files  
| Edits the /etc/passwd or /etc/shadow files  
|-
! '''libshadow.{so,la,a}'''
| Contains functions used by most programs in this package
|}
|}

Latest revision as of 19:46, 21 September 2012

Download Source: http://pkg-shadow.alioth.debian.org/releases/shadow-4.1.5.1.tar.bz2

Introduction to Shadow

Shadow, a login and password handling tool suit

Project Homepage: http://pkg-shadow.alioth.debian.org/

Dependencies

Optional

Configuration Information

If you have not installed PAM Library, then use this flag instead of --with-libpam in the instructions below. 

--without-libpam

If you have not installed Cracklib, then remove this flag from the instructions below. 

--with-libcrack

Non-Multilib

Configure and compile the package: 

sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; &&
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
./configure --libdir=/lib --sysconfdir=/etc --enable-shared \
  --without-audit --without-selinux --with-libcrack --with-libpam &&
make

Install the package: 

make install &&
mv -v /usr/bin/passwd /bin

Multilib

64Bit

sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; &&
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
CC="gcc ${BUILD64}" ./configure --libdir=/lib64 --sysconfdir=/etc --enable-shared \
  --without-audit --without-selinux --with-libcrack --with-libpam &&
 make

Install the package: 

make install &&
mv -v /usr/bin/passwd /bin

Configuring

login.defs

Setup Configuration files: 

cp etc/login.defs /etc/login.defs 
sed -i -e 's@#\(ENCRYPT_METHOD \).*@\1SHA512@' \
       -e 's@/var/spool/mail@/var/mail@' \
       -e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs

FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE
           NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS
           ENVIRON_FILE ULIMIT ENV_TZ ENV_HZ ENV_SUPATH ENV_PATH QMAIL_DIR MAIL_DIR
           MAIL_FILE CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE OBSCURE_CHECKS_ENAB
           CRACKLIB_DICTPATH PASS_CHANGE_TRIES PASS_ALWAYS"
for function in $FUNCTIONS; do
     sed -i "s/^$function/# &/" /etc/login.defs
done

Linux-PAM Services

/etc/pam.d/login

This is the file that controls the login program 

cat > /etc/pam.d/login << "EOF"
#%PAM-1.0
#
# The common PAM configuration file for login
#
auth       required     pam_shells.so
auth       include      system-auth
auth       optional     pam_securetty.so

account    required     pam_nologin.so
account    include      system-auth

password   include      system-auth

session    include      system-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    optional     pam_lastlog.so nowtmp
session    optional     pam_mail.so dir=/var/mail standard
EOF

Also make sure /etc/shells exists because the pam_shells.so module will only permit a login if your users login shell appears in /etc/shells.

/etc/pam.d/{chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems groupmod newusers passwd useradd userdel usermod}

These are the files that control changing of a password 

for file in chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems \
  groupmod newusers passwd useradd userdel usermod; do
       cat > /etc/pam.d/$file << "EOF"
#%PAM-1.0
#
# The common PAM configuration file authentication only, root ok
#
auth       sufficient   pam_rootok.so

account    required     pam_permit.so
account    include      system-auth

password   include      system-auth
EOF
done

/etc/pam.d/su

This is the file that controls su access 

cat > /etc/pam.d/su << "EOF"
#%PAM-1.0
#
# The common PAM configuration file for su
#
auth            sufficient      pam_rootok.so
auth            include         system-auth

account         include         system-auth

password        include         system-auth

session         include         system-auth
session         optional        pam_xauth.so
EOF


Where to go?

See Configuring for Adding Users

Contents

Installed Programs: login, su, nologin, faillog, lastlog, chage, chfn, chsh, expiry, gpasswd, newgrp, passwd, chgpasswd, chpasswd, groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, logoutd, newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vipw
Installed Libraries:
Installed Directories: /etc/pam.d

Short Descriptions

expiry Checks and enforces the current password expiration policy
faillog Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count
gpasswd Is used to add and delete members and administrators to groups
groupadd Creates a group with the given name
groupdel Deletes the group with the given name
groupmod Is used to modify the given group's name or GID
grpck Verifies the integrity of the group files /etc/group and /etc/gshadow
grpconv Creates or updates the shadow group file from the normal group file
grpunconv Updates /etc/group from /etc/gshadow and then deletes the latter
lastlog Reports the most recent login of all users or of a given user
login Is used by the system to let users sign on
logoutd Is a daemon used to enforce restrictions on log-on time and ports
newgrp Is used to change the current GID during a login session
newusers Is used to create or update an entire series of user accounts
nologin Displays a message that an account is not available. Designed to be used as the default shell for accounts that have been disabled
passwd Is used to change the password for a user or group account
pwck Verifies the integrity of the password files /etc/passwd and /etc/shadow
pwconv Creates or updates the shadow password file from the normal password file
pwunconv Updates /etc/passwd from /etc/shadow and then deletes the latter
sg Executes a given command while the user's GID is set to that of the given group
su Runs a shell with substitute user and group IDs
useradd Creates a new user with the given name, or updates the default new-user information
userdel Deletes the given user account
usermod Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc.
vigr Edits the /etc/group or /etc/gshadow files
vipw Edits the /etc/passwd or /etc/shadow files
Retrieved from "?title=Shadow&oldid=21410"