Difference between revisions of "Shadow"
From CBLFS
Jump to navigationJump to search (Update description) |
|||
Line 30: | Line 30: | ||
Configure and compile the package: | Configure and compile the package: | ||
+ | sed -i 's/groups$(EXEEXT) //' src/Makefile.in && | ||
+ | find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; && | ||
+ | find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && | ||
./configure --libdir=/lib --sysconfdir=/etc --enable-shared \ | ./configure --libdir=/lib --sysconfdir=/etc --enable-shared \ | ||
--without-audit --without-selinux --with-libcrack --with-libpam && | --without-audit --without-selinux --with-libcrack --with-libpam && | ||
− | |||
− | |||
− | |||
make | make | ||
Line 46: | Line 46: | ||
=== 64Bit === | === 64Bit === | ||
+ | sed -i 's/groups$(EXEEXT) //' src/Makefile.in && | ||
+ | find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; && | ||
+ | find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && | ||
CC="gcc ${BUILD64}" ./configure --libdir=/lib64 --sysconfdir=/etc --enable-shared \ | CC="gcc ${BUILD64}" ./configure --libdir=/lib64 --sysconfdir=/etc --enable-shared \ | ||
--without-audit --without-selinux --with-libcrack --with-libpam && | --without-audit --without-selinux --with-libcrack --with-libpam && | ||
− | + | make | |
− | |||
− | |||
− | |||
Install the package: | Install the package: | ||
Line 65: | Line 65: | ||
cp etc/login.defs /etc/login.defs | cp etc/login.defs /etc/login.defs | ||
− | sed -i -e 's@# | + | sed -i -e 's@#\(ENCRYPT_METHOD \).*@\1SHA512@' \ |
-e 's@/var/spool/mail@/var/mail@' \ | -e 's@/var/spool/mail@/var/mail@' \ | ||
-e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs | -e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs |
Latest revision as of 19:46, 21 September 2012
Download Source: | http://pkg-shadow.alioth.debian.org/releases/shadow-4.1.5.1.tar.bz2 |
---|
Contents
Introduction to Shadow
Shadow, a login and password handling tool suit
Project Homepage: http://pkg-shadow.alioth.debian.org/
Dependencies
Optional
Configuration Information
If you have not installed PAM Library, then use this flag instead of --with-libpam in the instructions below.
--without-libpam
If you have not installed Cracklib, then remove this flag from the instructions below.
--with-libcrack
Non-Multilib
Configure and compile the package:
sed -i 's/groups$(EXEEXT) //' src/Makefile.in && find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; && find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && ./configure --libdir=/lib --sysconfdir=/etc --enable-shared \ --without-audit --without-selinux --with-libcrack --with-libpam && make
Install the package:
make install && mv -v /usr/bin/passwd /bin
Multilib
64Bit
sed -i 's/groups$(EXEEXT) //' src/Makefile.in && find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; && find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && CC="gcc ${BUILD64}" ./configure --libdir=/lib64 --sysconfdir=/etc --enable-shared \ --without-audit --without-selinux --with-libcrack --with-libpam && make
Install the package:
make install && mv -v /usr/bin/passwd /bin
Configuring
login.defs
Setup Configuration files:
cp etc/login.defs /etc/login.defs sed -i -e 's@#\(ENCRYPT_METHOD \).*@\1SHA512@' \ -e 's@/var/spool/mail@/var/mail@' \ -e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs
FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS ENVIRON_FILE ULIMIT ENV_TZ ENV_HZ ENV_SUPATH ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH PASS_CHANGE_TRIES PASS_ALWAYS" for function in $FUNCTIONS; do sed -i "s/^$function/# &/" /etc/login.defs done
Linux-PAM Services
/etc/pam.d/login
This is the file that controls the login program
cat > /etc/pam.d/login << "EOF" #%PAM-1.0 # # The common PAM configuration file for login # auth required pam_shells.so auth include system-auth auth optional pam_securetty.so account required pam_nologin.so account include system-auth password include system-auth session include system-auth session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 session optional pam_lastlog.so nowtmp session optional pam_mail.so dir=/var/mail standard EOF
Also make sure /etc/shells exists because the pam_shells.so module will only permit a login if your users login shell appears in /etc/shells.
/etc/pam.d/{chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems groupmod newusers passwd useradd userdel usermod}
These are the files that control changing of a password
for file in chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems \ groupmod newusers passwd useradd userdel usermod; do cat > /etc/pam.d/$file << "EOF" #%PAM-1.0 # # The common PAM configuration file authentication only, root ok # auth sufficient pam_rootok.so account required pam_permit.so account include system-auth password include system-auth EOF done
/etc/pam.d/su
This is the file that controls su access
cat > /etc/pam.d/su << "EOF" #%PAM-1.0 # # The common PAM configuration file for su # auth sufficient pam_rootok.so auth include system-auth account include system-auth password include system-auth session include system-auth session optional pam_xauth.so EOF
Where to go?
See Configuring for Adding Users
Contents
Installed Programs: | login, su, nologin, faillog, lastlog, chage, chfn, chsh, expiry, gpasswd, newgrp, passwd, chgpasswd, chpasswd, groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, logoutd, newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vipw |
---|---|
Installed Libraries: | |
Installed Directories: | /etc/pam.d |
Short Descriptions
expiry | Checks and enforces the current password expiration policy |
---|---|
faillog | Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count |
gpasswd | Is used to add and delete members and administrators to groups |
groupadd | Creates a group with the given name |
groupdel | Deletes the group with the given name |
groupmod | Is used to modify the given group's name or GID |
grpck | Verifies the integrity of the group files /etc/group and /etc/gshadow |
grpconv | Creates or updates the shadow group file from the normal group file |
grpunconv | Updates /etc/group from /etc/gshadow and then deletes the latter |
lastlog | Reports the most recent login of all users or of a given user |
login | Is used by the system to let users sign on |
logoutd | Is a daemon used to enforce restrictions on log-on time and ports |
newgrp | Is used to change the current GID during a login session |
newusers | Is used to create or update an entire series of user accounts |
nologin | Displays a message that an account is not available. Designed to be used as the default shell for accounts that have been disabled |
passwd | Is used to change the password for a user or group account |
pwck | Verifies the integrity of the password files /etc/passwd and /etc/shadow |
pwconv | Creates or updates the shadow password file from the normal password file |
pwunconv | Updates /etc/passwd from /etc/shadow and then deletes the latter |
sg | Executes a given command while the user's GID is set to that of the given group |
su | Runs a shell with substitute user and group IDs |
useradd | Creates a new user with the given name, or updates the default new-user information |
userdel | Deletes the given user account |
usermod | Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc. |
vigr | Edits the /etc/group or /etc/gshadow files |
vipw | Edits the /etc/passwd or /etc/shadow files |