path: root/chapter06/shadow.xml
blob: a753e7ce31cdef8dfc9ef996e6b41d4f68bef44e (plain)
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../general.ent">
  %general-entities;
]>
<sect1 id="ch-system-shadow" xreflabel="Shadow" role="wrap">
<title>Shadow-&shadow-version;</title>
<?dbhtml filename="shadow.html"?>

<indexterm zone="ch-system-shadow"><primary sortas="a-Shadow">Shadow</primary></indexterm>

<sect2 role="package"><title/>
<para>The Shadow package contains programs for handling passwords in a secure
way.</para>

<segmentedlist>
<segtitle>&buildtime;</segtitle>
<segtitle>&diskspace;</segtitle>
<seglistitem><seg>0.4 SBU</seg><seg>11 MB</seg></seglistitem>
</segmentedlist>

<segmentedlist>
<segtitle>Shadow installation depends on</segtitle>
<seglistitem><seg>Bash, Binutils, Bison, Coreutils,
Diffutils, GCC, Gettext, Glibc, Grep, Make, Sed</seg></seglistitem>
</segmentedlist>
</sect2>

<sect2 role="installation">
<title>Installation of Shadow</title>

<para>Prepare Shadow for compilation:</para>

<screen><userinput>./configure --libdir=/usr/lib --enable-shared</userinput></screen>

<para>Compile the package:</para>

<screen><userinput>make</userinput></screen>

<para>Then install it:</para>

<screen><userinput>make install</userinput></screen>

<para>Shadow uses two files to configure authentication settings for the
system. Install these two config files:</para>

<screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen>

<para>Instead of using the default <emphasis>crypt</emphasis> method, we want
to use the more secure <emphasis>MD5</emphasis> method of password hashing,
which also allows passwords longer than 8 characters. We also need to
change the obsolete <filename class="directory">/var/spool/mail</filename>
location for user mailboxes, which Shadow uses by default, to the <filename
class="directory">/var/mail</filename> location in current use. We accomplish
both by editing the relevant configuration file with <command>sed</command>
after copying it to its destination (it is probably better to cut-and-paste
this than to type it all in):</para>

<screen><userinput>cp etc/login.defs.linux /etc/login.defs
sed -i -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
    -e 's@/var/spool/mail@/var/mail@' /etc/login.defs</userinput></screen>
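<para>The following script is an added example; it is not part of the LFS book or
of the Shadow package. It applies the exact <command>sed</command> edit above to a
constructed copy of <filename>login.defs</filename>, checks that the edit took
effect, and audits a constructed shadow-style file for accounts whose hashes
still use the legacy DES <emphasis>crypt</emphasis> format (which only ever used
the first 8 password characters). The file contents, hash strings and the helper
names <command>classify_hash</command>, <command>audit_shadow</command> and
<command>md5_enabled</command> are all made up for the example.</para>

```shell
# Added example, not from the LFS book or the Shadow package. Helper names,
# sample files and hash strings are constructed for illustration.

# Classify one password-field value by the crypt(3) prefix convention.
classify_hash() {
    case "$1" in
        '')        echo "empty" ;;     # no password at all
        '!'*|'*'*) echo "locked" ;;    # disabled account, no usable hash
        '$1$'*)    echo "md5" ;;       # what MD5_CRYPT_ENAB yes produces
        '$5$'*)    echo "sha256" ;;
        '$6$'*)    echo "sha512" ;;
        *)
            # traditional DES crypt: 13 characters and no "$id$" prefix
            if [ "${#1}" -eq 13 ]; then echo "des"; else echo "unknown"; fi ;;
    esac
}

# Print "user: kind" for every entry that is empty or still DES-hashed.
# The loop only prints, so running it in a pipeline subshell loses nothing.
audit_shadow() {
    cat "$1" | while IFS=: read -r user hash rest; do
        kind=$(classify_hash "$hash")
        case "$kind" in
            des|empty) echo "$user: $kind" ;;
        esac
    done
}

# Number of weak entries reported by audit_shadow.
count_weak_entries() {
    audit_shadow "$1" | wc -l | tr -d ' '
}

# True when MD5 hashing is switched on in the given login.defs.
md5_enabled() {
    grep -q '^MD5_CRYPT_ENAB[[:space:]]*yes' "$1"
}

# Constructed login.defs fragment shaped like etc/login.defs.linux
# (tab-separated), followed by the sed edit from the text.
LOGINDEFS=$(mktemp)
printf 'MAIL_DIR\t/var/spool/mail\n#MD5_CRYPT_ENAB\tno\n' > "$LOGINDEFS"
sed -i -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
    -e 's@/var/spool/mail@/var/mail@' "$LOGINDEFS"

# Constructed shadow entries; the hash strings are made up, not real credentials.
SAMPLE=$(mktemp)
printf '%s\n' \
    'root:$1$saltsalt$aaaaaaaaaaaaaaaaaaaaaa:12000:0:99999:7:::' \
    'legacy:abcdefghijklm:12000:0:99999:7:::' \
    'nopass::12000:0:99999:7:::' \
    'daemon:*:12000:0:99999:7:::' \
    'sshd:!:12000:0:99999:7:::' > "$SAMPLE"

# Stand-alone run: report weak entries and the login.defs state.
audit_shadow "$SAMPLE"
if md5_enabled "$LOGINDEFS"; then echo "MD5_CRYPT_ENAB is on"; fi
```

<para>On a live system, run <command>audit_shadow /etc/shadow</command> as root:
an account reported as <literal>des</literal> keeps its old hash until its
password is changed, because enabling MD5 in <filename>login.defs</filename>
only affects passwords set from then on.</para>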

<para>Move the misplaced <command>passwd</command> program to its proper location:</para>

<screen><userinput>mv /usr/bin/passwd /bin</userinput></screen>

<para>And move Shadow's dynamic libraries to a more appropriate location:</para>

<screen><userinput>mv /usr/lib/libshadow.so.0* /lib</userinput></screen>

<para>As some packages expect to find the just-moved libraries in
<filename class="directory">/usr/lib</filename>, create the following symlink:</para>

<screen><userinput>ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen>

<para>The <parameter>-D</parameter> option of the <command>useradd</command> program requires this
directory for it to work properly:</para>

<screen><userinput>mkdir /etc/default</userinput></screen>

<para>Coreutils has already installed a better <command>groups</command>
program in <filename class="directory">/usr/bin</filename>. Remove the one
installed by Shadow:</para>

<screen><userinput>rm /bin/groups</userinput></screen>

</sect2>


<sect2 id="conf-shadow" role="configuration"><title>Configuring Shadow</title>
<indexterm zone="conf-shadow">
<primary sortas="a-Shadow">Shadow</primary>
<secondary>configuring</secondary></indexterm>

<para>This package contains utilities to add, modify and delete users and
groups, set and change their passwords, and other such administrative tasks.
For a full explanation of what <emphasis>password shadowing</emphasis> means,
see the <filename>doc/HOWTO</filename> file within the unpacked source tree.
There is one thing to keep in mind if you decide to use Shadow support: programs
that need to verify passwords (display managers, FTP programs, POP3 daemons,
and the like) need to be <emphasis>shadow-compliant</emphasis>, that is, they
need to be able to work with shadowed passwords.</para>

<para>To enable shadowed passwords, run the following command:</para>

<screen><userinput>pwconv</userinput></screen>

<para>To enable shadowed group passwords, run:</para>

<screen><userinput>grpconv</userinput></screen>

<para>Under normal circumstances, you won't have created any passwords yet.
However, if returning to this section later to enable shadowing, you should
reset any current user passwords with the <command>passwd</command> command or
any group passwords with the <command>gpasswd</command> command.</para>
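<para>The following script is an added example; it is not part of the LFS book
or of the Shadow package. It checks that shadowing is actually in effect after
<command>pwconv</command>: every password field in <filename>/etc/passwd</filename>
should then be <literal>x</literal>, with the hashes living in
<filename>/etc/shadow</filename>, which must not be readable by other users. The
files are constructed here (the same accounts before and after conversion), and
the helper names <command>unshadowed_entries</command> and
<command>shadow_mode_ok</command> are made up for the example; pass the real
paths as root to check a live system.</para>

```shell
# Added example, not from the LFS book or the Shadow package. Helper names
# and the sample passwd/shadow files are constructed for illustration.

# Print one line per passwd entry whose password field is not "x", i.e. whose
# hash (or lack of one) is still visible in the world-readable passwd file.
unshadowed_entries() {
    cat "$1" | while IFS=: read -r user pw rest; do
        case "$pw" in
            x)  ;;                                        # shadowed as expected
            '') echo "$user: empty password field" ;;     # login needs no password
            *)  echo "$user: hash still in the world-readable passwd file" ;;
        esac
    done
}

# Number of entries reported by unshadowed_entries.
count_unshadowed() {
    unshadowed_entries "$1" | wc -l | tr -d ' '
}

# True when the shadow file grants nothing to "other" (last octal digit 0).
# stat -c is GNU coreutils syntax, as installed earlier in this chapter.
shadow_mode_ok() {
    case "$(stat -c '%a' "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed /etc/passwd as it looks before pwconv: hashes (made up here)
# and an empty field sit in the second column.
PASSWD_BEFORE=$(mktemp)
printf '%s\n' \
    'root:$1$saltsalt$aaaaaaaaaaaaaaaaaaaaaa:0:0:root:/root:/bin/bash' \
    'lfs:x:1000:1000::/home/lfs:/bin/bash' \
    'guest::1001:1001::/home/guest:/bin/bash' > "$PASSWD_BEFORE"

# The same accounts after pwconv: only "x" remains in the passwd file.
PASSWD_AFTER=$(mktemp)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'lfs:x:1000:1000::/home/lfs:/bin/bash' \
    'guest:x:1001:1001::/home/guest:/bin/bash' > "$PASSWD_AFTER"

# Two stand-ins for /etc/shadow: one with sane permissions, one world-readable.
SHADOW_OK=$(mktemp);  chmod 600 "$SHADOW_OK"
SHADOW_BAD=$(mktemp); chmod 644 "$SHADOW_BAD"

# Stand-alone run.
echo "before pwconv:"; unshadowed_entries "$PASSWD_BEFORE"
echo "after pwconv: $(count_unshadowed "$PASSWD_AFTER") unshadowed entries"
if shadow_mode_ok "$SHADOW_BAD"; then echo "mode ok"; else echo "shadow file is readable by others"; fi
```

<para>Note that <command>pwconv</command> moves an empty password field into the
shadow file unchanged, so an account that could log in without a password before
conversion still can afterwards; shadowing protects the hashes from being read,
it does not fix accounts that have none.</para>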

</sect2>


<sect2 role="configuration">
<title>Setting the root password</title>

<para>Choose a password for user root and set it via:</para>

<screen><userinput>passwd root</userinput></screen>

</sect2>


<sect2 id="contents-shadow" role="content"><title>Contents of Shadow</title>

<segmentedlist>
<segtitle>Installed programs</segtitle>
<seglistitem><seg>chage, chfn, chpasswd, chsh, expiry, faillog, gpasswd,
groupadd, groupdel, groupmod, groups, grpck, grpconv, grpunconv, lastlog, login,
logoutd, mkpasswd, newgrp, newusers, passwd, pwck, pwconv, pwunconv, sg
(link to newgrp), useradd, userdel, usermod, vigr (link to vipw) and vipw</seg>
</seglistitem>
</segmentedlist>

<variablelist><title>Short descriptions</title>

<varlistentry id="chage">
<term><command>chage</command></term>
<listitem>
<indexterm zone="ch-system-shadow chage"><primary sortas="b-chage">chage</primary></indexterm>
<para>is used to change the maximum number of
days between obligatory password changes.</para>
</listitem>
</varlistentry>

<varlistentry id="chfn">
<term><command>chfn</command></term>
<listitem>
<indexterm zone="ch-system-shadow chfn"><primary sortas="b-chfn">chfn</primary></indexterm>
<para>is used to change a user's full name and some other info.</para>
</listitem>
</varlistentry>

<varlistentry id="chpasswd">
<term><command>chpasswd</command></term>
<listitem>
<indexterm zone="ch-system-shadow chpasswd"><primary sortas="b-chpasswd">chpasswd</primary></indexterm>
<para>is used to update the passwords of a
whole series of user accounts in one go.</para>
</listitem>
</varlistentry>

<varlistentry id="chsh">
<term><command>chsh</command></term>
<listitem>
<indexterm zone="ch-system-shadow chsh"><primary sortas="b-chsh">chsh</primary></indexterm>
<para>is used to change a user's default login shell.</para>
</listitem>
</varlistentry>

<varlistentry id="expiry">
<term><command>expiry</command></term>
<listitem>
<indexterm zone="ch-system-shadow expiry"><primary sortas="b-expiry">expiry</primary></indexterm>
<para>checks and enforces the current password expiration policy.</para>
</listitem>
</varlistentry>

<varlistentry id="faillog">
<term><command>faillog</command></term>
<listitem>
<indexterm zone="ch-system-shadow faillog"><primary sortas="b-faillog">faillog</primary></indexterm>
<para>is used to examine the log of login failures, to set a maximum number of 
failures before an account is blocked, or to reset the failure count.</para>
</listitem>
</varlistentry>

<varlistentry id="gpasswd">
<term><command>gpasswd</command></term>
<listitem>
<indexterm zone="ch-system-shadow gpasswd"><primary sortas="b-gpasswd">gpasswd</primary></indexterm>
<para>is used to add and delete members and administrators to groups.</para>
</listitem>
</varlistentry>

<varlistentry id="groupadd">
<term><command>groupadd</command></term>
<listitem>
<indexterm zone="ch-system-shadow groupadd"><primary sortas="b-groupadd">groupadd</primary></indexterm>
<para>creates a group with the given name.</para>
</listitem>
</varlistentry>

<varlistentry id="groupdel">
<term><command>groupdel</command></term>
<listitem>
<indexterm zone="ch-system-shadow groupdel"><primary sortas="b-groupdel">groupdel</primary></indexterm>
<para>deletes the group with the given name.</para>
</listitem>
</varlistentry>

<varlistentry id="groupmod">
<term><command>groupmod</command></term>
<listitem>
<indexterm zone="ch-system-shadow groupmod"><primary sortas="b-groupmod">groupmod</primary></indexterm>
<para>is used to modify the given group's name or GID.</para>
</listitem>
</varlistentry>

<varlistentry id="groups">
<term><command>groups</command></term>
<listitem>
<indexterm zone="ch-system-shadow groups"><primary sortas="b-groups">groups</primary></indexterm>
<para>reports the groups of which the given users are members.</para>
</listitem>
</varlistentry>

<varlistentry id="grpck">
<term><command>grpck</command></term>
<listitem>
<indexterm zone="ch-system-shadow grpck"><primary sortas="b-grpck">grpck</primary></indexterm>
<para>verifies the integrity of the group files, <filename>/etc/group</filename> 
and <filename>/etc/gshadow</filename>.</para>
</listitem>
</varlistentry>

<varlistentry id="grpconv">
<term><command>grpconv</command></term>
<listitem>
<indexterm zone="ch-system-shadow grpconv"><primary sortas="b-grpconv">grpconv</primary></indexterm>
<para>creates or updates the shadow group file from the normal group file.</para>
</listitem>
</varlistentry>

<varlistentry id="grpunconv">
<term><command>grpunconv</command></term>
<listitem>
<indexterm zone="ch-system-shadow grpunconv"><primary sortas="b-grpunconv">grpunconv</primary></indexterm>
<para>updates <filename>/etc/group</filename>
from <filename>/etc/gshadow</filename> and then deletes the latter.</para>
</listitem>
</varlistentry>

<varlistentry id="lastlog">
<term><command>lastlog</command></term>
<listitem>
<indexterm zone="ch-system-shadow lastlog"><primary sortas="b-lastlog">lastlog</primary></indexterm>
<para>reports the most recent login of all users, or of a given user.</para>
</listitem>
</varlistentry>

<varlistentry id="login">
<term><command>login</command></term>
<listitem>
<indexterm zone="ch-system-shadow login"><primary sortas="b-login">login</primary></indexterm>
<para>is used by the system to let users sign on.</para>
</listitem>
</varlistentry>

<varlistentry id="logoutd">
<term><command>logoutd</command></term>
<listitem>
<indexterm zone="ch-system-shadow logoutd"><primary sortas="b-logoutd">logoutd</primary></indexterm>
<para>is a daemon used to enforce restrictions on log-on time and ports.</para>
</listitem>
</varlistentry>

<varlistentry id="mkpasswd">
<term><command>mkpasswd</command></term>
<listitem>
<indexterm zone="ch-system-shadow mkpasswd"><primary sortas="b-mkpasswd">mkpasswd</primary></indexterm>
<para>encrypts the given password using the perturbation (salt) that is also supplied.</para>
</listitem>
</varlistentry>

<varlistentry id="newgrp">
<term><command>newgrp</command></term>
<listitem>
<indexterm zone="ch-system-shadow newgrp"><primary sortas="b-newgrp">newgrp</primary></indexterm>
<para>is used to change the current GID during a login session.</para>
</listitem>
</varlistentry>

<varlistentry id="newusers">
<term><command>newusers</command></term>
<listitem>
<indexterm zone="ch-system-shadow newusers"><primary sortas="b-newusers">newusers</primary></indexterm>
<para>is used to create or update a whole series of user accounts in one go.</para>
</listitem>
</varlistentry>

<varlistentry id="passwd">
<term><command>passwd</command></term>
<listitem>
<indexterm zone="ch-system-shadow passwd"><primary sortas="b-passwd">passwd</primary></indexterm>
<para>is used to change the password for a user or group account.</para>
</listitem>
</varlistentry>

<varlistentry id="pwck">
<term><command>pwck</command></term>
<listitem>
<indexterm zone="ch-system-shadow pwck"><primary sortas="b-pwck">pwck</primary></indexterm>
<para>verifies the integrity of the password files, 
<filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>.</para>
</listitem>
</varlistentry>

<varlistentry id="pwconv">
<term><command>pwconv</command></term>
<listitem>
<indexterm zone="ch-system-shadow pwconv"><primary sortas="b-pwconv">pwconv</primary></indexterm>
<para>creates or updates the shadow password file
from the normal password file.</para>
</listitem>
</varlistentry>

<varlistentry id="pwunconv">
<term><command>pwunconv</command></term>
<listitem>
<indexterm zone="ch-system-shadow pwunconv"><primary sortas="b-pwunconv">pwunconv</primary></indexterm>
<para>updates <filename>/etc/passwd</filename>
from <filename>/etc/shadow</filename> and then deletes the latter.</para>
</listitem>
</varlistentry>

<varlistentry id="sg">
<term><command>sg</command></term>
<listitem>
<indexterm zone="ch-system-shadow sg"><primary sortas="b-sg">sg</primary></indexterm>
<para>executes a given command while the user's GID
is set to that of the given group.</para>
</listitem>
</varlistentry>

<varlistentry id="su">
<term><command>su</command></term>
<listitem>
<indexterm zone="ch-system-shadow su"><primary sortas="b-su">su</primary></indexterm>
<para>runs a shell with substitute user and group IDs.</para>
</listitem>
</varlistentry>

<varlistentry id="useradd">
<term><command>useradd</command></term>
<listitem>
<indexterm zone="ch-system-shadow useradd"><primary sortas="b-useradd">useradd</primary></indexterm>
<para>creates a new user with the given name,
or updates the default new-user information.</para>
</listitem>
</varlistentry>

<varlistentry id="userdel">
<term><command>userdel</command></term>
<listitem>
<indexterm zone="ch-system-shadow userdel"><primary sortas="b-userdel">userdel</primary></indexterm>
<para>deletes the given user account.</para>
</listitem>
</varlistentry>

<varlistentry id="usermod">
<term><command>usermod</command></term>
<listitem>
<indexterm zone="ch-system-shadow usermod"><primary sortas="b-usermod">usermod</primary></indexterm>
<para>is used to modify the given user's login name, UID (user ID),
shell, initial group, home directory, and the like.</para>
</listitem>
</varlistentry>

<varlistentry id="vigr">
<term><command>vigr</command></term>
<listitem>
<indexterm zone="ch-system-shadow vigr"><primary sortas="b-vigr">vigr</primary></indexterm>
<para>can be used to edit the <filename>/etc/group</filename> or 
<filename>/etc/gshadow</filename> files.</para>
</listitem>
</varlistentry>

<varlistentry id="vipw">
<term><command>vipw</command></term>
<listitem>
<indexterm zone="ch-system-shadow vipw"><primary sortas="b-vipw">vipw</primary></indexterm>
<para>can be used to edit the <filename>/etc/passwd</filename> or 
<filename>/etc/shadow</filename> files.</para>
</listitem>
</varlistentry>

<varlistentry id="libmisc">
<term><filename class="libraryfile">libmisc</filename></term>
<listitem>
<indexterm zone="ch-system-shadow libmisc"><primary sortas="c-libmisc">libmisc</primary></indexterm>
<para>...</para>
</listitem>
</varlistentry>

<varlistentry id="libshadow">
<term><filename class="libraryfile">libshadow</filename></term>
<listitem>
<indexterm zone="ch-system-shadow libshadow"><primary sortas="c-libshadow">libshadow</primary></indexterm>
<para>contains functions used by most programs in this package.</para>
</listitem>
</varlistentry>
</variablelist>

</sect2>

</sect1>