diff options
Diffstat (limited to 'chapter06/shadow.xml')
| -rw-r--r-- | chapter06/shadow.xml | 608 |
1 files changed, 0 insertions, 608 deletions
diff --git a/chapter06/shadow.xml b/chapter06/shadow.xml deleted file mode 100644 index 425112cbd..000000000 --- a/chapter06/shadow.xml +++ /dev/null @@ -1,608 +0,0 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" - "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - <!ENTITY % general-entities SYSTEM "../general.ent"> - %general-entities; -]> - -<sect1 id="ch-system-shadow" role="wrap"> - <?dbhtml filename="shadow.html"?> - - <sect1info condition="script"> - <productname>shadow</productname> - <productnumber>&shadow-version;</productnumber> - <address>&shadow-url;</address> - </sect1info> - - <title>Shadow-&shadow-version;</title> - - <indexterm zone="ch-system-shadow"> - <primary sortas="a-Shadow">Shadow</primary> - </indexterm> - - <sect2 role="package"> - <title/> - - <para>The Shadow package contains programs for handling passwords in a secure - way.</para> - - <segmentedlist> - <segtitle>&buildtime;</segtitle> - <segtitle>&diskspace;</segtitle> - - <seglistitem> - <seg>&shadow-ch6-sbu;</seg> - <seg>&shadow-ch6-du;</seg> - </seglistitem> - </segmentedlist> - - </sect2> - - <sect2 role="installation"> - <title>Installation of Shadow</title> - - <note> - <para>If you would like to enforce the use of strong passwords, refer to - <ulink url="&blfs-book;postlfs/cracklib.html"/> for installing - CrackLib prior to building Shadow. Then add - <parameter>--with-libcrack</parameter> to the <command>configure</command> - command below.</para> - </note> - - <para>Disable the installation of the <command>groups</command> program - and its man pages, as Coreutils provides a better version. Also, - prevent the installation of manual pages that were already installed in - <xref linkend="ch-system-man-pages"/>:</para> - -<screen><userinput remap="pre">sed -i 's/groups$(EXEEXT) //' src/Makefile.in -find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; -find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; -find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></screen> - - <para id="shadow-login_defs">Instead of using the default - <emphasis>crypt</emphasis> method, use the more secure - <emphasis>SHA-512</emphasis> method of password encryption, which also - allows passwords longer than 8 characters. It is also necessary to change - the obsolete <filename class="directory">/var/spool/mail</filename> location - for user mailboxes that Shadow uses by default to the <filename - class="directory">/var/mail</filename> location used currently:</para> - -<screen><userinput remap="pre">sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \ - -e 's@/var/spool/mail@/var/mail@' etc/login.defs</userinput></screen> - - <note> - <para>If you chose to build Shadow with Cracklib support, run the following:</para> - -<screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen> - </note> - - <para>Make a minor change to make the first group number generated - by useradd 1000:</para> - -<screen><userinput remap="pre">sed -i 's/1000/999/' etc/useradd</userinput></screen> - - <para>Prepare Shadow for compilation:</para> - -<screen><userinput remap="configure">touch /usr/bin/passwd -./configure --sysconfdir=/etc \ - --with-group-name-max-length=32</userinput></screen> - - <variablelist> - <title>The meaning of the configure option:</title> - - <varlistentry> - <term><command>touch /usr/bin/passwd</command></term> - <listitem> - <para>The file <filename>/usr/bin/passwd</filename> needs - to exist because its location is harcoded in some programs, and - the default location if it does not exist is not right.</para> - </listitem> - </varlistentry> - <varlistentry> - <term><parameter>--with-group-name-max-length=32</parameter></term> - <listitem> - <para>The maximum user name is 32 characters. Make the maximum - group name the same.</para> - </listitem> - </varlistentry> - - </variablelist> - - <para>Compile the package:</para> - -<screen><userinput remap="make">make</userinput></screen> - - <para>This package does not come with a test suite.</para> - - <para>Install the package:</para> - -<screen><userinput remap="install">make install</userinput></screen> - <!-- - <para>Move a misplaced program to its proper location:</para> - -<screen><userinput remap="install">mv -v /usr/bin/passwd /bin</userinput></screen> - --> - - <!-- <para>Move Shadow's libraries to more appropriate locations:</para> - -<screen><userinput remap="install">mv -v /lib/libshadow.*a /usr/lib -rm -v /lib/libshadow.so -ln -sfv ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen> --> - - </sect2> - - <sect2 id="conf-shadow" role="configuration"> - <title>Configuring Shadow</title> - - <indexterm zone="conf-shadow"> - <primary sortas="a-Shadow">Shadow</primary> - <secondary>configuring</secondary> - </indexterm> - - <para>This package contains utilities to add, modify, and delete users and - groups; set and change their passwords; and perform other administrative - tasks. For a full explanation of what <emphasis>password shadowing</emphasis> - means, see the <filename>doc/HOWTO</filename> file within the unpacked - source tree. If using Shadow support, keep in mind that programs which need - to verify passwords (display managers, FTP programs, pop3 daemons, etc.) - must be Shadow-compliant. That is, they need to be able to work with - shadowed passwords.</para> - - <para>To enable shadowed passwords, run the following command:</para> - -<screen><userinput>pwconv</userinput></screen> - - <para>To enable shadowed group passwords, run:</para> - -<screen><userinput>grpconv</userinput></screen> - - <para>Shadow's stock configuration for the <command>useradd</command> - utility has a few caveats that need some explanation. First, the default - action for the <command>useradd</command> utility is to create the user and - a group of the same name as the user. By default the user ID (UID) and - group ID (GID) numbers will begin with 1000. This means if you don't pass - parameters to <command>useradd</command>, each user will be a member of a - unique group on the system. If this behavior is undesirable, you'll need - to pass the <parameter>-g</parameter> parameter to - <command>useradd</command>. The default parameters are stored in the - <filename>/etc/default/useradd</filename> file. You may need to modify two - parameters in this file to suit your particular needs.</para> - - <variablelist> - <title><filename>/etc/default/useradd</filename> Parameter Explanations</title> - - <varlistentry> - <term><parameter>GROUP=1000</parameter></term> - <listitem> - <para>This parameter sets the beginning of the group numbers used in - the /etc/group file. You can modify it to anything you desire. Note - that <command>useradd</command> will never reuse a UID or GID. If the - number identified in this parameter is used, it will use the next - available number after this. Note also that if you don't have a group - 1000 on your system the first time you use <command>useradd</command> - without the <parameter>-g</parameter> parameter, you'll get a message - displayed on the terminal that says: - <computeroutput>useradd: unknown GID 1000</computeroutput>. You may - disregard this message and group number 1000 will be used.</para> - </listitem> - </varlistentry> - <varlistentry> - <term><parameter>CREATE_MAIL_SPOOL=yes</parameter></term> - <listitem> - <para>This parameter causes <command>useradd</command> to create a - mailbox file for the newly created user. <command>useradd</command> - will make the group ownership of this file to the - <systemitem class="groupname">mail</systemitem> group with 0660 - permissions. If you would prefer that these mailbox files are not - created by <command>useradd</command>, issue the following - command:</para> - -<screen><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen> - </listitem> - </varlistentry> - - </variablelist> - - - </sect2> - - <sect2 role="configuration"> - <title>Setting the root password</title> - - <para>Choose a password for user <emphasis>root</emphasis> and set it - by running:</para> - -<screen role="nodump"><userinput>passwd root</userinput></screen> - - </sect2> - - <sect2 id="contents-shadow" role="content"> - <title>Contents of Shadow</title> - - <segmentedlist> - <segtitle>Installed programs</segtitle> - <segtitle>Installed directory</segtitle> - - <seglistitem> - <seg>chage, chfn, chgpasswd, chpasswd, chsh, expiry, faillog, gpasswd, - groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, - lastlog, login, logoutd, newgidmap, newgrp, newuidmap, newusers, - nologin, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), su, - useradd, userdel, usermod, vigr (link to vipw), and vipw</seg> - <seg>/etc/default</seg> - </seglistitem> - </segmentedlist> - - <variablelist> - <bridgehead renderas="sect3">Short Descriptions</bridgehead> - <?dbfo list-presentation="list"?> - <?dbhtml list-presentation="table"?> - - <varlistentry id="chage"> - <term><command>chage</command></term> - <listitem> - <para>Used to change the maximum number of days between obligatory - password changes</para> - <indexterm zone="ch-system-shadow chage"> - <primary sortas="b-chage">chage</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="chfn"> - <term><command>chfn</command></term> - <listitem> - <para>Used to change a user's full name and other information</para> - <indexterm zone="ch-system-shadow chfn"> - <primary sortas="b-chfn">chfn</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="chgpasswd"> - <term><command>chgpasswd</command></term> - <listitem> - <para>Used to update group passwords in batch mode</para> - <indexterm zone="ch-system-shadow chgpasswd"> - <primary sortas="b-chgpasswd">chgpasswd</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="chpasswd"> - <term><command>chpasswd</command></term> - <listitem> - <para>Used to update user passwords in batch mode</para> - <indexterm zone="ch-system-shadow chpasswd"> - <primary sortas="b-chpasswd">chpasswd</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="chsh"> - <term><command>chsh</command></term> - <listitem> - <para>Used to change a user's default login shell</para> - <indexterm zone="ch-system-shadow chsh"> - <primary sortas="b-chsh">chsh</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="expiry"> - <term><command>expiry</command></term> - <listitem> - <para>Checks and enforces the current password expiration policy</para> - <indexterm zone="ch-system-shadow expiry"> - <primary sortas="b-expiry">expiry</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="faillog"> - <term><command>faillog</command></term> - <listitem> - <para>Is used to examine the log of login failures, to set a maximum - number of failures before an account is blocked, or to reset the - failure count</para> - <indexterm zone="ch-system-shadow faillog"> - <primary sortas="b-faillog">faillog</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="gpasswd"> - <term><command>gpasswd</command></term> - <listitem> - <para>Is used to add and delete members and administrators to - groups</para> - <indexterm zone="ch-system-shadow gpasswd"> - <primary sortas="b-gpasswd">gpasswd</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="groupadd"> - <term><command>groupadd</command></term> - <listitem> - <para>Creates a group with the given name</para> - <indexterm zone="ch-system-shadow groupadd"> - <primary sortas="b-groupadd">groupadd</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="groupdel"> - <term><command>groupdel</command></term> - <listitem> - <para>Deletes the group with the given name</para> - <indexterm zone="ch-system-shadow groupdel"> - <primary sortas="b-groupdel">groupdel</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="groupmems"> - <term><command>groupmems</command></term> - <listitem> - <para>Allows a user to administer his/her own group membership list - without the requirement of super user privileges.</para> - <indexterm zone="ch-system-shadow groupmems"> - <primary sortas="b-groupmems">groupmems</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="groupmod"> - <term><command>groupmod</command></term> - <listitem> - <para>Is used to modify the given group's name or GID</para> - <indexterm zone="ch-system-shadow groupmod"> - <primary sortas="b-groupmod">groupmod</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="grpck"> - <term><command>grpck</command></term> - <listitem> - <para>Verifies the integrity of the group files - <filename>/etc/group</filename> and - <filename>/etc/gshadow</filename></para> - <indexterm zone="ch-system-shadow grpck"> - <primary sortas="b-grpck">grpck</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="grpconv"> - <term><command>grpconv</command></term> - <listitem> - <para>Creates or updates the shadow group file from the normal - group file</para> - <indexterm zone="ch-system-shadow grpconv"> - <primary sortas="b-grpconv">grpconv</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="grpunconv"> - <term><command>grpunconv</command></term> - <listitem> - <para>Updates <filename>/etc/group</filename> from - <filename>/etc/gshadow</filename> and then deletes the latter</para> - <indexterm zone="ch-system-shadow grpunconv"> - <primary sortas="b-grpunconv">grpunconv</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="lastlog"> - <term><command>lastlog</command></term> - <listitem> - <para>Reports the most recent login of all users or of a - given user</para> - <indexterm zone="ch-system-shadow lastlog"> - <primary sortas="b-lastlog">lastlog</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="login"> - <term><command>login</command></term> - <listitem> - <para>Is used by the system to let users sign on</para> - <indexterm zone="ch-system-shadow login"> - <primary sortas="b-login">login</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="logoutd"> - <term><command>logoutd</command></term> - <listitem> - <para>Is a daemon used to enforce restrictions on log-on time - and ports</para> - <indexterm zone="ch-system-shadow logoutd"> - <primary sortas="b-logoutd">logoutd</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="newgidmap"> - <term><command>newgidmap</command></term> - <listitem> - <para>Is used to set the gid mapping of a user namespace</para> - <indexterm zone="ch-system-shadow newgidmap"> - <primary sortas="b-newgidmap">newgidmap</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="newgrp"> - <term><command>newgrp</command></term> - <listitem> - <para>Is used to change the current GID during a login session</para> - <indexterm zone="ch-system-shadow newgrp"> - <primary sortas="b-newgrp">newgrp</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="newuidmap"> - <term><command>newuidmap</command></term> - <listitem> - <para>Is used to set the uid mapping of a user namespace</para> - <indexterm zone="ch-system-shadow newuidmap"> - <primary sortas="b-newuidmap">newuidmap</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="newusers"> - <term><command>newusers</command></term> - <listitem> - <para>Is used to create or update an entire series of user - accounts</para> - <indexterm zone="ch-system-shadow newusers"> - <primary sortas="b-newusers">newusers</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="nologin"> - <term><command>nologin</command></term> - <listitem> - <para>Displays a message that an account is not available; it is designed - to be used as the default shell for accounts that have been - disabled</para> - <indexterm zone="ch-system-shadow nologin"> - <primary sortas="b-nologin">nologin</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="passwd"> - <term><command>passwd</command></term> - <listitem> - <para>Is used to change the password for a user or group account</para> - <indexterm zone="ch-system-shadow passwd"> - <primary sortas="b-passwd">passwd</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="pwck"> - <term><command>pwck</command></term> - <listitem> - <para>Verifies the integrity of the password files - <filename>/etc/passwd</filename> and - <filename>/etc/shadow</filename></para> - <indexterm zone="ch-system-shadow pwck"> - <primary sortas="b-pwck">pwck</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="pwconv"> - <term><command>pwconv</command></term> - <listitem> - <para>Creates or updates the shadow password file from the normal - password file</para> - <indexterm zone="ch-system-shadow pwconv"> - <primary sortas="b-pwconv">pwconv</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="pwunconv"> - <term><command>pwunconv</command></term> - <listitem> - <para>Updates <filename>/etc/passwd</filename> from - <filename>/etc/shadow</filename> and then deletes the latter</para> - <indexterm zone="ch-system-shadow pwunconv"> - <primary sortas="b-pwunconv">pwunconv</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="sg"> - <term><command>sg</command></term> - <listitem> - <para>Executes a given command while the user's GID - is set to that of the given group</para> - <indexterm zone="ch-system-shadow sg"> - <primary sortas="b-sg">sg</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="su"> - <term><command>su</command></term> - <listitem> - <para>Runs a shell with substitute user and group IDs</para> - <indexterm zone="ch-system-shadow su"> - <primary sortas="b-su">su</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="useradd"> - <term><command>useradd</command></term> - <listitem> - <para>Creates a new user with the given name, or updates the default - new-user information</para> - <indexterm zone="ch-system-shadow useradd"> - <primary sortas="b-useradd">useradd</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="userdel"> - <term><command>userdel</command></term> - <listitem> - <para>Deletes the given user account</para> - <indexterm zone="ch-system-shadow userdel"> - <primary sortas="b-userdel">userdel</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="usermod"> - <term><command>usermod</command></term> - <listitem> - <para>Is used to modify the given user's login name, User - Identification (UID), shell, initial group, home directory, etc.</para> - <indexterm zone="ch-system-shadow usermod"> - <primary sortas="b-usermod">usermod</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="vigr"> - <term><command>vigr</command></term> - <listitem> - <para>Edits the <filename>/etc/group</filename> or - <filename>/etc/gshadow</filename> files</para> - <indexterm zone="ch-system-shadow vigr"> - <primary sortas="b-vigr">vigr</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="vipw"> - <term><command>vipw</command></term> - <listitem> - <para>Edits the <filename>/etc/passwd</filename> or - <filename>/etc/shadow</filename> files</para> - <indexterm zone="ch-system-shadow vipw"> - <primary sortas="b-vipw">vipw</primary> - </indexterm> - </listitem> - </varlistentry> - - </variablelist> - - </sect2> - -</sect1> |