From c21999c677ff9383c9e1220675f76658a1d42438 Mon Sep 17 00:00:00 2001 From: Alex Gronenwoud Date: Sat, 7 Feb 2004 10:48:44 +0000 Subject: Brushing up the Shadow page. git-svn-id: http://svn.linuxfromscratch.org/LFS/trunk/BOOK@3233 4aa44e1e-78dd-0310-a6d2-fbcd4c07a689 --- chapter06/shadow.xml | 74 ++++++++++++++++++++++++++-------------------------- 1 file changed, 37 insertions(+), 37 deletions(-) (limited to 'chapter06') diff --git a/chapter06/shadow.xml b/chapter06/shadow.xml index 69aaf0150..5d4c12a61 100644 --- a/chapter06/shadow.xml +++ b/chapter06/shadow.xml @@ -16,14 +16,14 @@ way. Installation of Shadow -Shadow hard-wires the path to the passwd binary -within the binary itself, but does this the wrong way. If a -passwd binary is not present before installing Shadow, -the package incorrectly assumes it is going to be located at -/bin/passwd, but then installs it in -/usr/bin/passwd. This will lead to errors about not finding -/bin/passwd. To work around this bug, create a dummy -passwd file, so that it gets hard-wired properly: +Shadow hard-wires the path to the passwd binary within +the binary itself, but does this the wrong way. If a passwd +binary is not present before installing Shadow, the package incorrectly assumes +it is going to be located at /bin/passwd, but then +installs it as /usr/bin/passwd. This will lead to errors +about not finding /bin/passwd. To work around this bug, +create a dummy passwd file, so that it gets hard-wired +properly: touch /usr/bin/passwd 
@@ -49,21 +49,20 @@ system. Install these two config files: cp etc/{limits,login.access} /etc -We want to change the password method to enable MD5 passwords which are -theoretically more secure than the default crypt method and also allow -password lengths greater than 8 characters. We also need to change the old -/var/spool/mail location for user -mailboxes to the current location at -/var/mail. We do this by changing the -relevant configuration file while copying it to its destination: - -sed -e 's%/var/spool/mail%/var/mail%' \ -    -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \ +Instead of using the default crypt method, we want +to use the more secure MD5 method of password encryption, +which in addition allows passwords longer than 8 characters. We also need to +change the obsolete /var/spool/mail +location for user mailboxes that Shadow uses by default to the /var/mail location used nowadays. We accomplish +both these things by changing the relevant configuration file while copying it +to its destination (it's probably better to cut-and-paste this rather than try +and type it all in): + +sed -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \ +    -e 's%/var/spool/mail%/var/mail%' \     etc/login.defs.linux > /etc/login.defs -Be extra careful when typing all of the above. It is probably safer -to cut-and-paste it rather than try and type it all in. - Move some misplaced symlinks to their proper locations: mv /bin/sg /usr/bin @@ -85,8 +84,8 @@ directory for it to work properly: mkdir /etc/default Coreutils has already installed a better groups -program in /usr/bin. Remove the one installed by -Shadow: +program in /usr/bin. Remove the one +installed by Shadow: rm /bin/groups 
@@ -96,31 +95,32 @@ Shadow: Configuring Shadow -This package contains utilities to modify users' passwords, add -or delete users and groups, and the like. We're not going to explain what -'password shadowing' means. A full explanation can be found in the -doc/HOWTO -file within the unpacked Shadow source tree. There's one -thing to keep in mind if you decide to use Shadow support: programs that -need to verify passwords (for example xdm, ftp daemons, pop3 daemons) need -to be 'shadow-compliant', that is they need to be able to work with -shadowed passwords. +This package contains utilities to add, modify and delete users and +groups, set and change their passwords, and other such administrative tasks. +For a full explanation of what password shadowing means, +see the doc/HOWTO file within the unpacked source tree. +There's one thing to keep in mind if you decide to use Shadow support: programs +that need to verify passwords (display managers, ftp programs, pop3 daemons, +and the like) need to be shadow-compliant, that is they +need to be able to work with shadowed passwords. To enable shadowed passwords, run the following command: /usr/sbin/pwconv -And to enable shadowed group passwords, run the following -command: +And to enable shadowed group passwords, run: /usr/sbin/grpconv Under normal circumstances, you won't have created any passwords yet. -However, if returning to this section to enable shadowing, you should reset any -current user passwords with the passwd command or any -group passwords with the gpasswd command. +However, if returning to this section later to enable shadowing, you should +reset any current user passwords with the passwd command or +any group passwords with the gpasswd command. + +   + Setting the root password -- cgit v1.2.3-54-g00ecf
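Review bot: in the first hunk (@@ -16,14 +16,14 @@, Installation of Shadow), the rewrapped paragraph still ends at "so that it gets hard-wired properly" without saying which path that is, or that the empty file made by touch /usr/bin/passwd is only a placeholder. Suggest naming /usr/bin/passwd as the path that ends up hard-wired and noting that the dummy is overwritten when the package installs the real binary there, so the reader is not left wondering about a zero-byte passwd.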
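Review bot: in the second hunk (@@ -49,21 +49,20 @@), the sed that writes /etc/login.defs gives no sign of failure when the expression 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' does not match, for instance after the typing slip the new parenthetical warns about, and the system then silently stays on the default crypt method with its 8-character limit. Suggest following the command with a check such as grep MD5_CRYPT_ENAB /etc/login.defs and stating the expected result, MD5_CRYPT_ENAB yes. Two wording points in the same paragraph: the old text said "theoretically more secure" and the new text asserts "more secure" without the qualifier, and MD5 here is a password hashing method, so "password encryption" is better written as "password hashing".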
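Review bot: in the last hunk (@@ -96,31 +95,32 @@, Configuring Shadow), the closing paragraph tells a reader who returns later to "reset any current user passwords with the passwd command" but gives no reason and no consequence of skipping it. Suggest one sentence saying why; if the reason is that passwords set before /etc/login.defs carried MD5_CRYPT_ENAB yes keep their old crypt hash until they are changed, say so explicitly, since that ties this step to the MD5 change made earlier on the page.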