author | Greg Schafer <greg@linuxfromscratch.org> | 2003-10-01 23:57:04 +0000 |
---|---|---|
committer | Greg Schafer <greg@linuxfromscratch.org> | 2003-10-01 23:57:04 +0000 |
commit | d5d57b1660a5a3b739fb52203d4c01f7da491226 (patch) | |
tree | e1deb024044f8d7f03bb4f1773f116d77b987c7a /chapter06 | |
parent | bd10d482480b7ce74c00c400019d93a4f48fedd2 (diff) |
Chapter 6 - Shadow: Enable MD5 passwords. Closes Bug 600.
git-svn-id: http://svn.linuxfromscratch.org/LFS/trunk/BOOK@2913 4aa44e1e-78dd-0310-a6d2-fbcd4c07a689
Diffstat (limited to 'chapter06')
-rw-r--r-- | chapter06/config-shadowpwd.xml | 4 |
-rw-r--r-- | chapter06/shadowpwd-inst.xml | 39 |
2 files changed, 24 insertions, 19 deletions
diff --git a/chapter06/config-shadowpwd.xml b/chapter06/config-shadowpwd.xml index dad4275f9..a5e667b2c 100644 --- a/chapter06/config-shadowpwd.xml +++ b/chapter06/config-shadowpwd.xml @@ -20,5 +20,9 @@ command:</para> <para><screen><userinput>/usr/sbin/grpconv</userinput></screen></para> +<para>Under normal circumstances, you won't have created any passwords yet. +However, if returning to this section to enable shadowing, you should reset any +current user passwords with the <userinput>passwd</userinput> command or any +group passwords with the <userinput>gpasswd</userinput> command.</para> </sect2> diff --git a/chapter06/shadowpwd-inst.xml b/chapter06/shadowpwd-inst.xml index 010f0b3de..d487600e3 100644 --- a/chapter06/shadowpwd-inst.xml +++ b/chapter06/shadowpwd-inst.xml @@ -3,12 +3,6 @@ <sect2> <title>Installation of Shadow Password Suite</title> -<para>Before you install this package, you may want to have a look at -the Shadow hint. It discusses how you can make your system more secure -regarding passwords, such as how to enable the more secure MD5 passwords -and how to get the most out of this Shadow package. The Shadow hint can -be found at <ulink url="&hints-root;shadowpasswd_plus.txt"/>.</para> - <para>The <userinput>login</userinput>, <userinput>getty</userinput> and <userinput>init</userinput> programs (and some others) maintain a number of logfiles to record who are and who were logged in to the system. These 
@@ -31,13 +25,14 @@ or she last logged in, and the <filename>/var/log/btmp</filename> lists the bad login attempts.</para> <para>Shadow hard-wires the path to the <userinput>passwd</userinput> binary -within the binary itself, but does this the wrong way. If before installing -Shadow no <userinput>passwd</userinput> binary is present , the package wrongly -assumes it is going to be located at <filename>/bin/passwd</filename>, -but then installs it in <filename>/usr/bin/passwd</filename>. This will lead -to weird errors about not finding <filename>/bin/passwd</filename>. To work -around this bug, create a dummy <filename>passwd</filename> file, -so that it gets hard-wired properly:</para> +within the binary itself, but does this the wrong way. If a +<userinput>passwd</userinput> binary is not present before installing Shadow, +the package wrongly assumes it is going to be located at +<filename>/bin/passwd</filename>, but then installs it in +<filename>/usr/bin/passwd</filename>. This will lead to weird errors about not +finding <filename>/bin/passwd</filename>. To work around this bug, create a +dummy <filename>passwd</filename> file, so that it gets hard-wired +properly:</para> <para><screen><userinput>touch /usr/bin/passwd</userinput></screen></para> 
@@ -65,15 +60,21 @@ system. Install these two config files:</para> <para><screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen></para> -<para>In the old days <filename class="directory">/var/spool/mail</filename> -was the location for the user mailboxes, but nowadays <filename -class="directory">/var/mail</filename> is used. Change the default mailbox -location in the relevant configuration file while copying it to its -destination:</para> +<para>We want to change the password method to enable MD5 passwords which are +theoretically more secure than the default "crypt" method and also allow +password lengths greater than 8 characters. We also need to change the old +<filename class="directory">/var/spool/mail</filename> location for user +mailboxes to the current location at +<filename class="directory">/var/mail</filename>. We do this by changing the +relevant configuration file while copying it to its destination:</para> -<para><screen><userinput>sed 's%/var/spool/mail%/var/mail%' \ +<para><screen><userinput>sed -e 's%/var/spool/mail%/var/mail%' \ + -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \ etc/login.defs.linux > /etc/login.defs</userinput></screen></para> +<note><para>Be extra careful when typing all of the above. It is probably safer +to cut-and-paste it rather than try and type it all in.</para></note> + <para>According to the man page of <userinput>vipw</userinput>, a <userinput>vigr</userinput> program should exist too. Since the installation procedure doesn't create this program, create a symlink manually:</para> |
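Review bot: The paragraph added before </sect2> in chapter06/config-shadowpwd.xml tells the reader to reset passwords with passwd and gpasswd but never says why. Add one sentence with the reason: since this commit also turns on MD5_CRYPT_ENAB in shadowpwd-inst.xml, a password set earlier stays stored by the old method until it is changed. With that stated, a reader returning to the section can tell whether the step applies to them.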
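Review bot: Removing the Shadow hint paragraph at the top of chapter06/shadowpwd-inst.xml (hunk -3,12) drops more than the MD5 pointer. The deleted text also sent readers to the hint for "how to get the most out of this Shadow package", and nothing in this commit replaces that. Consider keeping a one-sentence reference to &hints-root;shadowpasswd_plus.txt, with the MD5 clause removed now that the book enables it itself.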
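Review bot: The hunk at -31,13 in chapter06/shadowpwd-inst.xml only rewords and rewraps the /bin/passwd paragraph, which is unrelated to "Enable MD5 passwords. Closes Bug 600." and makes the functional change harder to find in the diff. Move it to its own commit. If the text is being touched anyway, replace "weird errors" with the actual symptom so readers can recognise it.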
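Review bot: In the sed command of hunk -65,15, the second expression 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' can fail silently. The "." matches exactly one character, so if the line in etc/login.defs.linux is not commented out or uses a different separator, nothing is replaced, sed still exits successfully, and /etc/login.defs is written with MD5 left off. The new <note> asks the reader to type carefully, which does not catch this case. Add a verification step after the command, such as running grep MD5_CRYPT_ENAB /etc/login.defs, and state the line the reader should see. The phrase "theoretically more secure" is also vague; the concrete benefit the paragraph already names (password lengths greater than 8 characters) carries the point without it.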