diff options
Diffstat (limited to 'chapter06/shadow.xml')
-rw-r--r-- | chapter06/shadow.xml | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/chapter06/shadow.xml b/chapter06/shadow.xml new file mode 100644 index 000000000..69aaf0150 --- /dev/null +++ b/chapter06/shadow.xml @@ -0,0 +1,137 @@ +<sect1 id="ch-system-shadow" xreflabel="Shadow"> +<title>Installing Shadow-&shadow-version;</title> +<?dbhtml filename="shadow.html" dir="chapter06"?> + +<para>The Shadow package contains programs for handling passwords in a secure +way.</para> + +<screen>&buildtime; &shadow-time; +&diskspace; &shadow-compsize;</screen> + +&aa-shadow-down; +&aa-shadow-dep; + +<sect2><title> </title><para> </para></sect2> + +<sect2> +<title>Installation of Shadow</title> + +<para>Shadow hard-wires the path to the <command>passwd</command> binary +within the binary itself, but does this the wrong way. If a +<command>passwd</command> binary is not present before installing Shadow, +the package incorrectly assumes it is going to be located at +<filename>/bin/passwd</filename>, but then installs it in +<filename>/usr/bin/passwd</filename>. This will lead to errors about not finding +<filename>/bin/passwd</filename>. To work around this bug, create a dummy +<filename>passwd</filename> file, so that it gets hard-wired properly:</para> + +<screen><userinput>touch /usr/bin/passwd</userinput></screen> + +<para>Now prepare Shadow for compilation:</para> + +<screen><userinput>./configure --libdir=/usr/lib --enable-shared</userinput></screen> + +<para>Work around a problem that prevents Shadow's internationalization from +working:</para> + +<screen><userinput>echo '#define HAVE_SETLOCALE 1' >> config.h</userinput></screen> + +<para>Compile the package:</para> + +<screen><userinput>make</userinput></screen> + +<para>And install it:</para> + +<screen><userinput>make install</userinput></screen> + +<para>Shadow uses two files to configure authentication settings for the +system. Install these two config files:</para> + +<screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen> + +<para>We want to change the password method to enable MD5 passwords which are +theoretically more secure than the default crypt method and also allow +password lengths greater than 8 characters. We also need to change the old +<filename class="directory">/var/spool/mail</filename> location for user +mailboxes to the current location at +<filename class="directory">/var/mail</filename>. We do this by changing the +relevant configuration file while copying it to its destination:</para> + +<screen><userinput>sed -e 's%/var/spool/mail%/var/mail%' \ + -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \ + etc/login.defs.linux > /etc/login.defs</userinput></screen> + +<note><para>Be extra careful when typing all of the above. It is probably safer +to cut-and-paste it rather than try and type it all in.</para></note> + +<para>Move some misplaced symlinks to their proper locations:</para> + +<screen><userinput>mv /bin/sg /usr/bin +mv /bin/vigr /usr/sbin</userinput></screen> + +<para>And move Shadow's dynamic libraries to a more appropriate location:</para> + +<screen><userinput>mv /usr/lib/lib{shadow,misc}.so.0* /lib</userinput></screen> + +<para>As some packages expect to find the just-moved libraries in +<filename>/usr/lib</filename>, create the following symlinks:</para> + +<screen><userinput>ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so +ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</userinput></screen> + +<para>The -D option of the <filename>useradd</filename> program requires this +directory for it to work properly:</para> + +<screen><userinput>mkdir /etc/default</userinput></screen> + +<para>Coreutils has already installed a better <command>groups</command> +program in <filename>/usr/bin</filename>. Remove the one installed by +Shadow:</para> + +<screen><userinput>rm /bin/groups</userinput></screen> + +</sect2> + +<sect2><title> </title><para> </para></sect2> + +<sect2><title>Configuring Shadow</title> + +<para>This package contains utilities to modify users' passwords, add +or delete users and groups, and the like. We're not going to explain what +'password shadowing' means. A full explanation can be found in the +<filename>doc/HOWTO</filename> +file within the unpacked Shadow source tree. There's one +thing to keep in mind if you decide to use Shadow support: programs that +need to verify passwords (for example xdm, ftp daemons, pop3 daemons) need +to be 'shadow-compliant', that is they need to be able to work with +shadowed passwords.</para> + +<para>To enable shadowed passwords, run the following command:</para> + +<screen><userinput>/usr/sbin/pwconv</userinput></screen> + +<para>And to enable shadowed group passwords, run the following +command:</para> + +<screen><userinput>/usr/sbin/grpconv</userinput></screen> + +<para>Under normal circumstances, you won't have created any passwords yet. +However, if returning to this section to enable shadowing, you should reset any +current user passwords with the <command>passwd</command> command or any +group passwords with the <command>gpasswd</command> command.</para> +</sect2> + +<sect2> +<title>Setting the root password</title> + +<para>Choose a password for user root and set it via:</para> + +<screen><userinput>passwd root</userinput></screen> + +</sect2> + +&aa-shadow-shortdesc; +&aa-shadow-desc; + +</sect1> + |