Shadow
From CBLFS
Jump to navigationJump to search| Download Source: | http://pkg-shadow.alioth.debian.org/releases/shadow-4.1.5.1.tar.bz2 |
|---|
Contents
Introduction to Shadow
Shadow, a login and password handling tool suit
Project Homepage: http://pkg-shadow.alioth.debian.org/
Dependencies
Optional
Configuration Information
If you have not installed PAM Library, then use this flag instead of --with-libpam in the instructions below.
--without-libpam
If you have not installed Cracklib, then remove this flag from the instructions below.
--with-libcrack
Non-Multilib
Configure and compile the package:
sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; &&
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
./configure --libdir=/lib --sysconfdir=/etc --enable-shared \
--without-audit --without-selinux --with-libcrack --with-libpam &&
make
Install the package:
make install && mv -v /usr/bin/passwd /bin
Multilib
64Bit
sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
find man -name Makefile.in -exec sed -i '/groups\.1\.xml/d' '{}' \; &&
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
CC="gcc ${BUILD64}" ./configure --libdir=/lib64 --sysconfdir=/etc --enable-shared \
--without-audit --without-selinux --with-libcrack --with-libpam &&
make
Install the package:
make install && mv -v /usr/bin/passwd /bin
Configuring
login.defs
Setup Configuration files:
cp etc/login.defs /etc/login.defs
sed -i -e 's@#\(ENCRYPT_METHOD \).*@\1SHA512@' \
-e 's@/var/spool/mail@/var/mail@' \
-e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs
FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE
NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS
ENVIRON_FILE ULIMIT ENV_TZ ENV_HZ ENV_SUPATH ENV_PATH QMAIL_DIR MAIL_DIR
MAIL_FILE CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE OBSCURE_CHECKS_ENAB
CRACKLIB_DICTPATH PASS_CHANGE_TRIES PASS_ALWAYS"
for function in $FUNCTIONS; do
sed -i "s/^$function/# &/" /etc/login.defs
done
Linux-PAM Services
/etc/pam.d/login
This is the file that controls the login program
cat > /etc/pam.d/login << "EOF" #%PAM-1.0 # # The common PAM configuration file for login # auth required pam_shells.so auth include system-auth auth optional pam_securetty.so account required pam_nologin.so account include system-auth password include system-auth session include system-auth session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 session optional pam_lastlog.so nowtmp session optional pam_mail.so dir=/var/mail standard EOF
Also make sure /etc/shells exists because the pam_shells.so module will only permit a login if your users login shell appears in /etc/shells.
/etc/pam.d/{chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems groupmod newusers passwd useradd userdel usermod}
These are the files that control changing of a password
for file in chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems \
groupmod newusers passwd useradd userdel usermod; do
cat > /etc/pam.d/$file << "EOF"
#%PAM-1.0
#
# The common PAM configuration file authentication only, root ok
#
auth sufficient pam_rootok.so
account required pam_permit.so
account include system-auth
password include system-auth
EOF
done
/etc/pam.d/su
This is the file that controls su access
cat > /etc/pam.d/su << "EOF" #%PAM-1.0 # # The common PAM configuration file for su # auth sufficient pam_rootok.so auth include system-auth account include system-auth password include system-auth session include system-auth session optional pam_xauth.so EOF
Where to go?
See Configuring for Adding Users
Contents
| Installed Programs: | login, su, nologin, faillog, lastlog, chage, chfn, chsh, expiry, gpasswd, newgrp, passwd, chgpasswd, chpasswd, groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, logoutd, newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vipw |
|---|---|
| Installed Libraries: | |
| Installed Directories: | /etc/pam.d |
Short Descriptions
| expiry | Checks and enforces the current password expiration policy |
|---|---|
| faillog | Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count |
| gpasswd | Is used to add and delete members and administrators to groups |
| groupadd | Creates a group with the given name |
| groupdel | Deletes the group with the given name |
| groupmod | Is used to modify the given group's name or GID |
| grpck | Verifies the integrity of the group files /etc/group and /etc/gshadow |
| grpconv | Creates or updates the shadow group file from the normal group file |
| grpunconv | Updates /etc/group from /etc/gshadow and then deletes the latter |
| lastlog | Reports the most recent login of all users or of a given user |
| login | Is used by the system to let users sign on |
| logoutd | Is a daemon used to enforce restrictions on log-on time and ports |
| newgrp | Is used to change the current GID during a login session |
| newusers | Is used to create or update an entire series of user accounts |
| nologin | Displays a message that an account is not available. Designed to be used as the default shell for accounts that have been disabled |
| passwd | Is used to change the password for a user or group account |
| pwck | Verifies the integrity of the password files /etc/passwd and /etc/shadow |
| pwconv | Creates or updates the shadow password file from the normal password file |
| pwunconv | Updates /etc/passwd from /etc/shadow and then deletes the latter |
| sg | Executes a given command while the user's GID is set to that of the given group |
| su | Runs a shell with substitute user and group IDs |
| useradd | Creates a new user with the given name, or updates the default new-user information |
| userdel | Deletes the given user account |
| usermod | Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc. |
| vigr | Edits the /etc/group or /etc/gshadow files |
| vipw | Edits the /etc/passwd or /etc/shadow files |
