From fcc027677da55c41dcaea045f5b9ff8b088e6495 Mon Sep 17 00:00:00 2001 From: Bruce Dubbs Date: Sun, 7 Jun 2020 20:16:00 +0000 Subject: Initial commit of alternative cross LFS git-svn-id: http://svn.linuxfromscratch.org/LFS/branches/cross2@11897 4aa44e1e-78dd-0310-a6d2-fbcd4c07a689 --- chapter08/shadow.xml | 608 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 608 insertions(+) create mode 100644 chapter08/shadow.xml (limited to 'chapter08/shadow.xml') diff --git a/chapter08/shadow.xml b/chapter08/shadow.xml new file mode 100644 index 000000000..425112cbd --- /dev/null +++ b/chapter08/shadow.xml @@ -0,0 +1,608 @@ + + + %general-entities; +]> + + + + + + shadow + &shadow-version; +
&shadow-url;
+
+ + Shadow-&shadow-version; + + + Shadow + + + + + + <para>The Shadow package contains programs for handling passwords in a secure + way.</para> + + <segmentedlist> + <segtitle>&buildtime;</segtitle> + <segtitle>&diskspace;</segtitle> + + <seglistitem> + <seg>&shadow-ch6-sbu;</seg> + <seg>&shadow-ch6-du;</seg> + </seglistitem> + </segmentedlist> + + </sect2> + + <sect2 role="installation"> + <title>Installation of Shadow + + + If you would like to enforce the use of strong passwords, refer to + for installing + CrackLib prior to building Shadow. Then add + --with-libcrack to the configure + command below. + + + Disable the installation of the groups program + and its man pages, as Coreutils provides a better version. Also, + prevent the installation of manual pages that were already installed in + : + +sed -i 's/groups$(EXEEXT) //' src/Makefile.in +find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; +find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; +find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; + + Instead of using the default + crypt method, use the more secure + SHA-512 method of password encryption, which also + allows passwords longer than 8 characters. 
It is also necessary to change + the obsolete /var/spool/mail location + for user mailboxes that Shadow uses by default to the /var/mail location used currently: + +sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \ + -e 's@/var/spool/mail@/var/mail@' etc/login.defs + + + If you chose to build Shadow with Cracklib support, run the following: + +sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs + + + Make a minor change to make the first group number generated + by useradd 1000: + +sed -i 's/1000/999/' etc/useradd + + Prepare Shadow for compilation: + +touch /usr/bin/passwd +./configure --sysconfdir=/etc \ + --with-group-name-max-length=32 + + + The meaning of the configure option: + + + touch /usr/bin/passwd + + The file /usr/bin/passwd needs + to exist because its location is harcoded in some programs, and + the default location if it does not exist is not right. + + + + --with-group-name-max-length=32 + + The maximum user name is 32 characters. Make the maximum + group name the same. + + + + + + Compile the package: + +make + + This package does not come with a test suite. + + Install the package: + +make install + + + + + + + + Configuring Shadow + + + Shadow + configuring + + + This package contains utilities to add, modify, and delete users and + groups; set and change their passwords; and perform other administrative + tasks. For a full explanation of what password shadowing + means, see the doc/HOWTO file within the unpacked + source tree. If using Shadow support, keep in mind that programs which need + to verify passwords (display managers, FTP programs, pop3 daemons, etc.) + must be Shadow-compliant. That is, they need to be able to work with + shadowed passwords. + + To enable shadowed passwords, run the following command: + +pwconv + + To enable shadowed group passwords, run: + +grpconv + + Shadow's stock configuration for the useradd + utility has a few caveats that need some explanation. 
First, the default + action for the useradd utility is to create the user and + a group of the same name as the user. By default the user ID (UID) and + group ID (GID) numbers will begin with 1000. This means if you don't pass + parameters to useradd, each user will be a member of a + unique group on the system. If this behavior is undesirable, you'll need + to pass the -g parameter to + useradd. The default parameters are stored in the + /etc/default/useradd file. You may need to modify two + parameters in this file to suit your particular needs. + + + <filename>/etc/default/useradd</filename> Parameter Explanations + + + GROUP=1000 + + This parameter sets the beginning of the group numbers used in + the /etc/group file. You can modify it to anything you desire. Note + that useradd will never reuse a UID or GID. If the + number identified in this parameter is used, it will use the next + available number after this. Note also that if you don't have a group + 1000 on your system the first time you use useradd + without the -g parameter, you'll get a message + displayed on the terminal that says: + useradd: unknown GID 1000. You may + disregard this message and group number 1000 will be used. + + + + CREATE_MAIL_SPOOL=yes + + This parameter causes useradd to create a + mailbox file for the newly created user. useradd + will make the group ownership of this file to the + mail group with 0660 + permissions. 
If you would prefer that these mailbox files are not + created by useradd, issue the following + command: + +sed -i 's/yes/no/' /etc/default/useradd + + + + + + + + + + Setting the root password + + Choose a password for user root and set it + by running: + +passwd root + + + + + Contents of Shadow + + + Installed programs + Installed directory + + + chage, chfn, chgpasswd, chpasswd, chsh, expiry, faillog, gpasswd, + groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, + lastlog, login, logoutd, newgidmap, newgrp, newuidmap, newusers, + nologin, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), su, + useradd, userdel, usermod, vigr (link to vipw), and vipw + /etc/default + + + + + Short Descriptions + + + + + chage + + Used to change the maximum number of days between obligatory + password changes + + chage + + + + + + chfn + + Used to change a user's full name and other information + + chfn + + + + + + chgpasswd + + Used to update group passwords in batch mode + + chgpasswd + + + + + + chpasswd + + Used to update user passwords in batch mode + + chpasswd + + + + + + chsh + + Used to change a user's default login shell + + chsh + + + + + + expiry + + Checks and enforces the current password expiration policy + + expiry + + + + + + faillog + + Is used to examine the log of login failures, to set a maximum + number of failures before an account is blocked, or to reset the + failure count + + faillog + + + + + + gpasswd + + Is used to add and delete members and administrators to + groups + + gpasswd + + + + + + groupadd + + Creates a group with the given name + + groupadd + + + + + + groupdel + + Deletes the group with the given name + + groupdel + + + + + + groupmems + + Allows a user to administer his/her own group membership list + without the requirement of super user privileges. 
+ + groupmems + + + + + + groupmod + + Is used to modify the given group's name or GID + + groupmod + + + + + + grpck + + Verifies the integrity of the group files + /etc/group and + /etc/gshadow + + grpck + + + + + + grpconv + + Creates or updates the shadow group file from the normal + group file + + grpconv + + + + + + grpunconv + + Updates /etc/group from + /etc/gshadow and then deletes the latter + + grpunconv + + + + + + lastlog + + Reports the most recent login of all users or of a + given user + + lastlog + + + + + + login + + Is used by the system to let users sign on + + login + + + + + + logoutd + + Is a daemon used to enforce restrictions on log-on time + and ports + + logoutd + + + + + + newgidmap + + Is used to set the gid mapping of a user namespace + + newgidmap + + + + + + newgrp + + Is used to change the current GID during a login session + + newgrp + + + + + + newuidmap + + Is used to set the uid mapping of a user namespace + + newuidmap + + + + + + newusers + + Is used to create or update an entire series of user + accounts + + newusers + + + + + + nologin + + Displays a message that an account is not available; it is designed + to be used as the default shell for accounts that have been + disabled + + nologin + + + + + + passwd + + Is used to change the password for a user or group account + + passwd + + + + + + pwck + + Verifies the integrity of the password files + /etc/passwd and + /etc/shadow + + pwck + + + + + + pwconv + + Creates or updates the shadow password file from the normal + password file + + pwconv + + + + + + pwunconv + + Updates /etc/passwd from + /etc/shadow and then deletes the latter + + pwunconv + + + + + + sg + + Executes a given command while the user's GID + is set to that of the given group + + sg + + + + + + su + + Runs a shell with substitute user and group IDs + + su + + + + + + useradd + + Creates a new user with the given name, or updates the default + new-user information + + useradd + + + + + + userdel + + 
Deletes the given user account + + userdel + + + + + + usermod + + Is used to modify the given user's login name, User + Identification (UID), shell, initial group, home directory, etc. + + usermod + + + + + + vigr + + Edits the /etc/group or + /etc/gshadow files + + vigr + + + + + + vipw + + Edits the /etc/passwd or + /etc/shadow files + + vipw + + + + + + + + +
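Review bot: the default-group tweak and its explanation in this file contradict each other. The command `sed -i 's/1000/999/' etc/useradd` writes GROUP=999 into the installed etc/useradd, yet the sentence introducing it says the change makes the first group number generated by useradd 1000, and the later "/etc/default/useradd Parameter Explanations" entry is headed `GROUP=1000` and describes the `useradd: unknown GID 1000` message; please state the value that is actually written and say why that value yields a first group of 1000 (the text already notes that useradd never reuses a GID and moves to the next available number, so one sentence tying that to 999 would do). Two smaller points in the same file: `sed -i 's/yes/no/' /etc/default/useradd` is unanchored and rewrites the first "yes" on any matching line, so `sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd` would be safer and self-documenting; and in the configure explanation "harcoded" should read "hardcoded", while "SHA-512 method of password encryption" describes the `ENCRYPT_METHOD SHA512` crypt setting, which selects a password hash rather than encryption, so "password hashing" would be the accurate term.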