1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
<sect1 id="ch-system-shadow" xreflabel="Shadow">
<title>Installing Shadow-&shadow-version;</title>
<?dbhtml filename="shadow.html" dir="chapter06"?>
<para>The Shadow package contains programs for handling passwords in a secure
way.</para>
<screen>&buildtime; &shadow-time;
&diskspace; &shadow-compsize;</screen>
&aa-shadow-down;
&aa-shadow-dep;
<sect2><title> </title><para> </para></sect2>
<sect2>
<title>Installation of Shadow</title>
<para>Shadow hard-wires the path to the <command>passwd</command> binary within
the binary itself, but does this the wrong way. If a <command>passwd</command>
binary is not present before installing Shadow, the package incorrectly assumes
it is going to be located at <filename>/bin/passwd</filename>, but then
installs it as <filename>/usr/bin/passwd</filename>. This will lead to errors
about not finding <filename>/bin/passwd</filename>. To work around this bug,
create a dummy <filename>passwd</filename> file, so that it gets hard-wired
properly:</para>
<screen><userinput>touch /usr/bin/passwd</userinput></screen>
<para>Now prepare Shadow for compilation:</para>
<screen><userinput>./configure --libdir=/usr/lib --enable-shared</userinput></screen>
<para>Work around a problem that prevents Shadow's internationalization from
working:</para>
<screen><userinput>echo '#define HAVE_SETLOCALE 1' >> config.h</userinput></screen>
<para>Compile the package:</para>
<screen><userinput>make</userinput></screen>
<para>And install it:</para>
<screen><userinput>make install</userinput></screen>
<para>Shadow uses two files to configure authentication settings for the
system. Install these two config files:</para>
<screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen>
<para>Instead of using the default <emphasis>crypt</emphasis> method, we want
to use the more secure <emphasis>MD5</emphasis> method of password encryption,
which in addition allows passwords longer than 8 characters. We also need to
change the obsolete <filename class="directory">/var/spool/mail</filename>
location for user mailboxes that Shadow uses by default to the <filename
class="directory">/var/mail</filename> location used nowadays. We accomplish
both these things by changing the relevant configuration file while copying it
to its destination (it's probably better to cut-and-paste this rather than try
and type it all in):</para>
<screen><userinput>sed -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \
-e 's%/var/spool/mail%/var/mail%' \
etc/login.defs.linux > /etc/login.defs</userinput></screen>
<para>Move some misplaced symlinks to their proper locations:</para>
<screen><userinput>mv /bin/sg /usr/bin
mv /bin/vigr /usr/sbin</userinput></screen>
<para>And move Shadow's dynamic libraries to a more appropriate location:</para>
<screen><userinput>mv /usr/lib/lib{shadow,misc}.so.0* /lib</userinput></screen>
<para>As some packages expect to find the just-moved libraries in
<filename>/usr/lib</filename>, create the following symlinks:</para>
<screen><userinput>ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</userinput></screen>
<para>The -D option of the <filename>useradd</filename> program requires this
directory for it to work properly:</para>
<screen><userinput>mkdir /etc/default</userinput></screen>
<para>Coreutils has already installed a better <command>groups</command>
program in <filename class="directory">/usr/bin</filename>. Remove the one
installed by Shadow:</para>
<screen><userinput>rm /bin/groups</userinput></screen>
</sect2>
<sect2><title> </title><para> </para></sect2>
<sect2><title>Configuring Shadow</title>
<para>This package contains utilities to add, modify and delete users and
groups, set and change their passwords, and other such administrative tasks.
For a full explanation of what <emphasis>password shadowing</emphasis> means,
see the <filename>doc/HOWTO</filename> file within the unpacked source tree.
There's one thing to keep in mind if you decide to use Shadow support: programs
that need to verify passwords (display managers, ftp programs, pop3 daemons,
and the like) need to be <emphasis>shadow-compliant</emphasis>, that is they
need to be able to work with shadowed passwords.</para>
<para>To enable shadowed passwords, run the following command:</para>
<screen><userinput>/usr/sbin/pwconv</userinput></screen>
<para>And to enable shadowed group passwords, run:</para>
<screen><userinput>/usr/sbin/grpconv</userinput></screen>
<para>Under normal circumstances, you won't have created any passwords yet.
However, if returning to this section later to enable shadowing, you should
reset any current user passwords with the <command>passwd</command> command or
any group passwords with the <command>gpasswd</command> command.</para>
</sect2>
<sect2><title> </title><para> </para></sect2>
<sect2>
<title>Setting the root password</title>
<para>Choose a password for user root and set it via:</para>
<screen><userinput>passwd root</userinput></screen>
</sect2>
&aa-shadow-shortdesc;
&aa-shadow-desc;
</sect1>
|
