Difference between revisions of "Shadow"
From CBLFS
Jump to navigationJump to searchm (I fixed the vertical alignment on the tables.) |
|||
(34 intermediate revisions by 10 users not shown) | |||
Line 2: | Line 2: | ||
|-valign="top" | |-valign="top" | ||
!Download Source: | !Download Source: | ||
− | | | + | | http://pkg-shadow.alioth.debian.org/releases/shadow-{{Shadow-Version}}.tar.bz2 |
− | + | |} | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | Shadow | + | {{Package-Introduction|Shadow, a login and password handling tool suit|http://pkg-shadow.alioth.debian.org/}} |
== Dependencies == | == Dependencies == | ||
=== Optional === | === Optional === | ||
− | *[[Cracklib]] | + | * [[Cracklib]] |
− | *[[PAM Library]] | + | * [[PAM Library]] |
+ | * [[libaudit]] | ||
+ | * [[libskey]] | ||
+ | * [[SELinux]] | ||
− | == | + | == Configuration Information == |
− | + | If you have not installed [[PAM Library]], then use this flag instead of ''--with-libpam'' in the instructions below. | |
− | + | --without-libpam | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | If you have not installed [[Cracklib]], then remove this flag from the instructions below. | |
− | + | --with-libcrack | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | == Non-Multilib == | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Configure and compile the package: | Configure and compile the package: | ||
− | + | sed -i 's/groups$(EXEEXT) //' src/Makefile.in && | |
− | + | find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; && | |
+ | find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && | ||
+ | ./configure --libdir=/lib --sysconfdir=/etc --enable-shared \ | ||
--without-audit --without-selinux --with-libcrack --with-libpam && | --without-audit --without-selinux --with-libcrack --with-libpam && | ||
− | |||
− | |||
make | make | ||
Line 85: | Line 40: | ||
make install && | make install && | ||
− | mv /usr/bin/passwd /bin | + | mv -v /usr/bin/passwd /bin |
− | |||
− | |||
− | |||
− | |||
− | == | + | == Multilib == |
− | + | === 64Bit === | |
− | + | sed -i 's/groups$(EXEEXT) //' src/Makefile.in && | |
− | CC="gcc ${ | + | find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; && |
+ | find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && | ||
+ | CC="gcc ${BUILD64}" ./configure --libdir=/lib64 --sysconfdir=/etc --enable-shared \ | ||
--without-audit --without-selinux --with-libcrack --with-libpam && | --without-audit --without-selinux --with-libcrack --with-libpam && | ||
− | + | make | |
− | |||
− | |||
Install the package: | Install the package: | ||
make install && | make install && | ||
− | mv /usr/bin/passwd /bin | + | mv -v /usr/bin/passwd /bin |
− | |||
− | |||
− | |||
− | |||
− | == | + | == Configuring == |
− | + | === login.defs === | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Setup Configuration files: | Setup Configuration files: | ||
cp etc/login.defs /etc/login.defs | cp etc/login.defs /etc/login.defs | ||
− | sed -i -e 's@# | + | sed -i -e 's@#\(ENCRYPT_METHOD \).*@\1SHA512@' \ |
-e 's@/var/spool/mail@/var/mail@' \ | -e 's@/var/spool/mail@/var/mail@' \ | ||
-e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs | -e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs | ||
+ | |||
FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE | FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE | ||
NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS | NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS | ||
Line 145: | Line 78: | ||
done | done | ||
− | === | + | === [[Linux-PAM]] Services === |
− | + | ==== /etc/pam.d/login ==== | |
− | /etc/ | + | |
+ | This is the file that controls the login program | ||
− | cat > /etc/ | + | cat > /etc/pam.d/login << "EOF" |
− | + | #%PAM-1.0 | |
− | + | # | |
− | + | # The common PAM configuration file for login | |
− | + | # | |
+ | auth required pam_shells.so | ||
+ | auth include system-auth | ||
+ | auth optional pam_securetty.so | ||
+ | |||
+ | account required pam_nologin.so | ||
+ | account include system-auth | ||
+ | |||
+ | password include system-auth | ||
+ | |||
+ | session include system-auth | ||
+ | session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 | ||
+ | session optional pam_lastlog.so nowtmp | ||
+ | session optional pam_mail.so dir=/var/mail standard | ||
EOF | EOF | ||
+ | |||
+ | Also make sure '''/etc/shells''' exists because the '''pam_shells.so''' module will only permit a login if your users login shell appears in '''/etc/shells'''. | ||
+ | |||
+ | ==== /etc/pam.d/{chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems groupmod newusers passwd useradd userdel usermod} ==== | ||
+ | |||
+ | These are the files that control changing of a password | ||
+ | |||
+ | for file in chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems \ | ||
+ | groupmod newusers passwd useradd userdel usermod; do | ||
+ | cat > /etc/pam.d/$file << "EOF" | ||
+ | #%PAM-1.0 | ||
+ | # | ||
+ | # The common PAM configuration file authentication only, root ok | ||
+ | # | ||
+ | auth sufficient pam_rootok.so | ||
+ | |||
+ | account required pam_permit.so | ||
+ | account include system-auth | ||
+ | |||
+ | password include system-auth | ||
+ | EOF | ||
+ | done | ||
+ | |||
+ | ==== /etc/pam.d/su ==== | ||
+ | |||
+ | This is the file that controls su access | ||
+ | |||
+ | cat > /etc/pam.d/su << "EOF" | ||
+ | #%PAM-1.0 | ||
+ | # | ||
+ | # The common PAM configuration file for su | ||
+ | # | ||
+ | auth sufficient pam_rootok.so | ||
+ | auth include system-auth | ||
+ | |||
+ | account include system-auth | ||
+ | |||
+ | password include system-auth | ||
+ | |||
+ | session include system-auth | ||
+ | session optional pam_xauth.so | ||
+ | EOF | ||
+ | |||
+ | |||
+ | === Where to go? === | ||
+ | |||
+ | See [[Configuring for Adding Users]] | ||
==Contents== | ==Contents== | ||
Line 161: | Line 155: | ||
{| style="text-align: left;" | {| style="text-align: left;" | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! Installed Programs: |
|login, su, nologin, faillog, lastlog, chage, chfn, chsh, expiry, gpasswd, newgrp, passwd, chgpasswd, chpasswd, groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, logoutd, newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vipw | |login, su, nologin, faillog, lastlog, chage, chfn, chsh, expiry, gpasswd, newgrp, passwd, chgpasswd, chpasswd, groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, logoutd, newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vipw | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! Installed Libraries: |
− | | | + | | |
|-valign="top" | |-valign="top" | ||
− | ! | + | ! Installed Directories: |
| /etc/pam.d | | /etc/pam.d | ||
|} | |} | ||
Line 175: | Line 169: | ||
{| style="text-align: left;" | {| style="text-align: left;" | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! expiry |
| Checks and enforces the current password expiration policy | | Checks and enforces the current password expiration policy | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! faillog |
| Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count | | Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! gpasswd |
| Is used to add and delete members and administrators to groups | | Is used to add and delete members and administrators to groups | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! groupadd |
| Creates a group with the given name | | Creates a group with the given name | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! groupdel |
| Deletes the group with the given name | | Deletes the group with the given name | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! groupmod |
| Is used to modify the given group's name or GID | | Is used to modify the given group's name or GID | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! grpck |
| Verifies the integrity of the group files /etc/group and /etc/gshadow | | Verifies the integrity of the group files /etc/group and /etc/gshadow | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! grpconv |
| Creates or updates the shadow group file from the normal group file | | Creates or updates the shadow group file from the normal group file | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! grpunconv |
| Updates /etc/group from /etc/gshadow and then deletes the latter | | Updates /etc/group from /etc/gshadow and then deletes the latter | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! lastlog |
| Reports the most recent login of all users or of a given user | | Reports the most recent login of all users or of a given user | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! login |
| Is used by the system to let users sign on | | Is used by the system to let users sign on | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! logoutd |
| Is a daemon used to enforce restrictions on log-on time and ports | | Is a daemon used to enforce restrictions on log-on time and ports | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! newgrp |
| Is used to change the current GID during a login session | | Is used to change the current GID during a login session | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! newusers |
| Is used to create or update an entire series of user accounts | | Is used to create or update an entire series of user accounts | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! nologin |
| Displays a message that an account is not available. Designed to be used as the default shell for accounts that have been disabled | | Displays a message that an account is not available. Designed to be used as the default shell for accounts that have been disabled | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! passwd |
| Is used to change the password for a user or group account | | Is used to change the password for a user or group account | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! pwck |
| Verifies the integrity of the password files /etc/passwd and /etc/shadow | | Verifies the integrity of the password files /etc/passwd and /etc/shadow | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! pwconv |
| Creates or updates the shadow password file from the normal password file | | Creates or updates the shadow password file from the normal password file | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! pwunconv |
| Updates /etc/passwd from /etc/shadow and then deletes the latter | | Updates /etc/passwd from /etc/shadow and then deletes the latter | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! sg |
| Executes a given command while the user's GID is set to that of the given group | | Executes a given command while the user's GID is set to that of the given group | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! su |
| Runs a shell with substitute user and group IDs | | Runs a shell with substitute user and group IDs | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! useradd |
| Creates a new user with the given name, or updates the default new-user information | | Creates a new user with the given name, or updates the default new-user information | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! userdel |
| Deletes the given user account | | Deletes the given user account | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! usermod |
| Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc. | | Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc. | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! vigr |
| Edits the /etc/group or /etc/gshadow files | | Edits the /etc/group or /etc/gshadow files | ||
|-valign="top" | |-valign="top" | ||
− | ! | + | ! vipw |
| Edits the /etc/passwd or /etc/shadow files | | Edits the /etc/passwd or /etc/shadow files | ||
− | |||
− | |||
− | |||
|} | |} |
Latest revision as of 19:46, 21 September 2012
Download Source: | http://pkg-shadow.alioth.debian.org/releases/shadow-4.1.5.1.tar.bz2 |
---|
Contents
Introduction to Shadow
Shadow, a login and password handling tool suit
Project Homepage: http://pkg-shadow.alioth.debian.org/
Dependencies
Optional
Configuration Information
If you have not installed PAM Library, then use this flag instead of --with-libpam in the instructions below.
--without-libpam
If you have not installed Cracklib, then remove this flag from the instructions below.
--with-libcrack
Non-Multilib
Configure and compile the package:
sed -i 's/groups$(EXEEXT) //' src/Makefile.in && find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; && find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && ./configure --libdir=/lib --sysconfdir=/etc --enable-shared \ --without-audit --without-selinux --with-libcrack --with-libpam && make
Install the package:
make install && mv -v /usr/bin/passwd /bin
Multilib
64Bit
sed -i 's/groups$(EXEEXT) //' src/Makefile.in && find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; && find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && CC="gcc ${BUILD64}" ./configure --libdir=/lib64 --sysconfdir=/etc --enable-shared \ --without-audit --without-selinux --with-libcrack --with-libpam && make
Install the package:
make install && mv -v /usr/bin/passwd /bin
Configuring
login.defs
Setup Configuration files:
cp etc/login.defs /etc/login.defs sed -i -e 's@#\(ENCRYPT_METHOD \).*@\1SHA512@' \ -e 's@/var/spool/mail@/var/mail@' \ -e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs
FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS ENVIRON_FILE ULIMIT ENV_TZ ENV_HZ ENV_SUPATH ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH PASS_CHANGE_TRIES PASS_ALWAYS" for function in $FUNCTIONS; do sed -i "s/^$function/# &/" /etc/login.defs done
Linux-PAM Services
/etc/pam.d/login
This is the file that controls the login program
cat > /etc/pam.d/login << "EOF" #%PAM-1.0 # # The common PAM configuration file for login # auth required pam_shells.so auth include system-auth auth optional pam_securetty.so account required pam_nologin.so account include system-auth password include system-auth session include system-auth session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 session optional pam_lastlog.so nowtmp session optional pam_mail.so dir=/var/mail standard EOF
Also make sure /etc/shells exists because the pam_shells.so module will only permit a login if your users login shell appears in /etc/shells.
/etc/pam.d/{chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems groupmod newusers passwd useradd userdel usermod}
These are the files that control changing of a password
for file in chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems \ groupmod newusers passwd useradd userdel usermod; do cat > /etc/pam.d/$file << "EOF" #%PAM-1.0 # # The common PAM configuration file authentication only, root ok # auth sufficient pam_rootok.so account required pam_permit.so account include system-auth password include system-auth EOF done
/etc/pam.d/su
This is the file that controls su access
cat > /etc/pam.d/su << "EOF" #%PAM-1.0 # # The common PAM configuration file for su # auth sufficient pam_rootok.so auth include system-auth account include system-auth password include system-auth session include system-auth session optional pam_xauth.so EOF
Where to go?
See Configuring for Adding Users
Contents
Installed Programs: | login, su, nologin, faillog, lastlog, chage, chfn, chsh, expiry, gpasswd, newgrp, passwd, chgpasswd, chpasswd, groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, logoutd, newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vipw |
---|---|
Installed Libraries: | |
Installed Directories: | /etc/pam.d |
Short Descriptions
expiry | Checks and enforces the current password expiration policy |
---|---|
faillog | Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count |
gpasswd | Is used to add and delete members and administrators to groups |
groupadd | Creates a group with the given name |
groupdel | Deletes the group with the given name |
groupmod | Is used to modify the given group's name or GID |
grpck | Verifies the integrity of the group files /etc/group and /etc/gshadow |
grpconv | Creates or updates the shadow group file from the normal group file |
grpunconv | Updates /etc/group from /etc/gshadow and then deletes the latter |
lastlog | Reports the most recent login of all users or of a given user |
login | Is used by the system to let users sign on |
logoutd | Is a daemon used to enforce restrictions on log-on time and ports |
newgrp | Is used to change the current GID during a login session |
newusers | Is used to create or update an entire series of user accounts |
nologin | Displays a message that an account is not available. Designed to be used as the default shell for accounts that have been disabled |
passwd | Is used to change the password for a user or group account |
pwck | Verifies the integrity of the password files /etc/passwd and /etc/shadow |
pwconv | Creates or updates the shadow password file from the normal password file |
pwunconv | Updates /etc/passwd from /etc/shadow and then deletes the latter |
sg | Executes a given command while the user's GID is set to that of the given group |
su | Runs a shell with substitute user and group IDs |
useradd | Creates a new user with the given name, or updates the default new-user information |
userdel | Deletes the given user account |
usermod | Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc. |
vigr | Edits the /etc/group or /etc/gshadow files |
vipw | Edits the /etc/passwd or /etc/shadow files |