From d5d57b1660a5a3b739fb52203d4c01f7da491226 Mon Sep 17 00:00:00 2001 From: Greg Schafer Date: Wed, 1 Oct 2003 23:57:04 +0000 Subject: Chapter 6 - Shadow: Enable MD5 passwords. Closes Bug 600. git-svn-id: http://svn.linuxfromscratch.org/LFS/trunk/BOOK@2913 4aa44e1e-78dd-0310-a6d2-fbcd4c07a689 --- chapter06/config-shadowpwd.xml | 4 ++++ chapter06/shadowpwd-inst.xml | 39 ++++++++++++++++++++------------------- 2 files changed, 24 insertions(+), 19 deletions(-) (limited to 'chapter06') diff --git a/chapter06/config-shadowpwd.xml b/chapter06/config-shadowpwd.xml index dad4275f9..a5e667b2c 100644 --- a/chapter06/config-shadowpwd.xml +++ b/chapter06/config-shadowpwd.xml @@ -20,5 +20,9 @@ command: /usr/sbin/grpconv +Under normal circumstances, you won't have created any passwords yet. +However, if returning to this section to enable shadowing, you should reset any +current user passwords with the passwd command or any +group passwords with the gpasswd command. diff --git a/chapter06/shadowpwd-inst.xml b/chapter06/shadowpwd-inst.xml index 010f0b3de..d487600e3 100644 --- a/chapter06/shadowpwd-inst.xml +++ b/chapter06/shadowpwd-inst.xml @@ -3,12 +3,6 @@ Installation of Shadow Password Suite -Before you install this package, you may want to have a look at -the Shadow hint. It discusses how you can make your system more secure -regarding passwords, such as how to enable the more secure MD5 passwords -and how to get the most out of this Shadow package. The Shadow hint can -be found at . - The login, getty and init programs (and some others) maintain a number of logfiles to record who are and who were logged in to the system. These @@ -31,13 +25,14 @@ or she last logged in, and the /var/log/btmp lists the bad login attempts. Shadow hard-wires the path to the passwd binary -within the binary itself, but does this the wrong way. If before installing -Shadow no passwd binary is present , the package wrongly -assumes it is going to be located at /bin/passwd, -but then installs it in /usr/bin/passwd. This will lead -to weird errors about not finding /bin/passwd. To work -around this bug, create a dummy passwd file, -so that it gets hard-wired properly: +within the binary itself, but does this the wrong way. If a +passwd binary is not present before installing Shadow, +the package wrongly assumes it is going to be located at +/bin/passwd, but then installs it in +/usr/bin/passwd. This will lead to weird errors about not +finding /bin/passwd. To work around this bug, create a +dummy passwd file, so that it gets hard-wired +properly: touch /usr/bin/passwd @@ -65,15 +60,21 @@ system. Install these two config files: cp etc/{limits,login.access} /etc -In the old days /var/spool/mail -was the location for the user mailboxes, but nowadays /var/mail is used. Change the default mailbox -location in the relevant configuration file while copying it to its -destination: +We want to change the password method to enable MD5 passwords which are +theoretically more secure than the default "crypt" method and also allow +password lengths greater than 8 characters. We also need to change the old +/var/spool/mail location for user +mailboxes to the current location at +/var/mail. We do this by changing the +relevant configuration file while copying it to its destination: -sed 's%/var/spool/mail%/var/mail%' \ +sed -e 's%/var/spool/mail%/var/mail%' \ +    -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \     etc/login.defs.linux > /etc/login.defs +Be extra careful when typing all of the above. It is probably safer +to cut-and-paste it rather than try and type it all in. + According to the man page of vipw, a vigr program should exist too. Since the installation procedure doesn't create this program, create a symlink manually: -- cgit v1.2.3-54-g00ecf