path: root/chapter06/shadow.xml
blob: 69aaf01506f4578af4e13c1bda71b83593a9aca3 (plain)
<sect1 id="ch-system-shadow" xreflabel="Shadow">
<title>Installing Shadow-&shadow-version;</title>
<?dbhtml filename="shadow.html" dir="chapter06"?>

<para>The Shadow package contains programs for handling passwords in a secure
way.</para>

<screen>&buildtime; &shadow-time;
&diskspace; &shadow-compsize;</screen>

&aa-shadow-down;
&aa-shadow-dep;

<sect2><title>&nbsp;</title><para>&nbsp;</para></sect2>

<sect2>
<title>Installation of Shadow</title>

<para>Shadow's build looks for an existing <command>passwd</command> binary
and hard-wires the path it finds into the programs it builds, but it does this
the wrong way around. If no <command>passwd</command> binary is present before
Shadow is configured, the package falls back to assuming
<filename>/bin/passwd</filename>, even though <command>make install</command>
puts the new binary in <filename>/usr/bin/passwd</filename>. The result is
runtime errors about a missing <filename>/bin/passwd</filename>. To work around
this bug, create an empty <filename>passwd</filename> file at the real location
before configuring, so that the correct path gets hard-wired:</para>

<screen><userinput>touch /usr/bin/passwd</userinput></screen>

<para>Now prepare Shadow for compilation:</para>

<screen><userinput>./configure --libdir=/usr/lib --enable-shared</userinput></screen>

<para>Work around a problem that prevents Shadow's internationalization from
working:</para>

<screen><userinput>echo '#define HAVE_SETLOCALE 1' >> config.h</userinput></screen>

<para>Compile the package:</para>

<screen><userinput>make</userinput></screen>

<para>And install it:</para>

<screen><userinput>make install</userinput></screen>

<para>Shadow reads two further configuration files:
<filename>/etc/limits</filename> (per-user resource limits applied at login)
and <filename>/etc/login.access</filename> (which users may log in from which
hosts or terminals). Install the defaults shipped with the package:</para>

<screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen>

<para>We want to switch the password hashing method to MD5. The traditional
DES-based <function>crypt</function> method silently truncates passwords to 8
characters and uses a very small salt; MD5 hashes (recognisable by the
<literal>$1$</literal> prefix in <filename>/etc/shadow</filename>) have no such
length limit and are harder to brute-force. Note that this only affects passwords
set from now on: an existing DES hash stays in place until that password is
changed. We also need to change the old
<filename class="directory">/var/spool/mail</filename> location for user
mailboxes to the current location at
<filename class="directory">/var/mail</filename>. Both changes are made to the
relevant configuration file while copying it to its destination:</para>

<screen><userinput>sed -e 's%/var/spool/mail%/var/mail%' \
&nbsp;&nbsp;&nbsp;&nbsp;-e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \
&nbsp;&nbsp;&nbsp;&nbsp;etc/login.defs.linux &gt; /etc/login.defs</userinput></screen>

<note><para>Be extra careful when typing all of the above. It is probably safer
to cut-and-paste it rather than try and type it all in.</para></note>
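As an added check (this is not part of LFS or of the Shadow package, and the function names are my own), the following shell helper reads the effective value of a setting from a <filename>login.defs</filename>-style file, ignoring commented-out defaults, and verifies that both edits above actually took effect. The point worth verifying is that the <command>sed</command> above only rewrites the exact commented line <literal>#MD5_CRYPT_ENAB no</literal>; if the shipped file differs, MD5 hashing stays silently disabled and new passwords get 8-character DES hashes.

```shell
#!/bin/sh
# Added check, not part of Shadow or LFS: verify that the login.defs edits took effect.
# login_def KEY FILE
#   Prints the effective value of KEY in a login.defs-style file: the last uncommented
#   "KEY value" line wins, and commented-out defaults such as "#MD5_CRYPT_ENAB no" are
#   ignored. Prints "unset" when no live assignment exists.
login_def() {
  awk -v key="$1" '
    /^[[:space:]]*#/ { next }          # comment line: not a live setting
    $1 == key        { val = $2 }      # later assignments override earlier ones
    END { print (val == "" ? "unset" : val) }
  ' "$2"
}

# check_login_defs FILE
#   Returns 0 only if MD5 crypt is switched on and mailboxes are looked up under
#   /var/mail; otherwise reports what is wrong and returns 1. A shipped file that
#   says "MD5_CRYPT_ENAB no" uncommented would slip through the sed in the text
#   (the pattern needs the leading "#") but is caught here.
check_login_defs() {
  ok=0
  v=$(login_def MD5_CRYPT_ENAB "$1")
  if [ "$v" != "yes" ]; then
    echo "$1: MD5_CRYPT_ENAB is '$v'; new passwords would use 8-character DES crypt"
    ok=1
  fi
  v=$(login_def MAIL_DIR "$1")
  if [ "$v" != "/var/mail" ]; then
    echo "$1: MAIL_DIR is '$v', expected /var/mail"
    ok=1
  fi
  return "$ok"
}
```

Run <literal>check_login_defs /etc/login.defs</literal> after the copy; a non-zero exit with a diagnostic means the installed file still has the old defaults.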

<para>Move some misplaced symlinks to their proper locations:</para>

<screen><userinput>mv /bin/sg /usr/bin
mv /bin/vigr /usr/sbin</userinput></screen>

<para>And move Shadow's dynamic libraries to a more appropriate location:</para>

<screen><userinput>mv /usr/lib/lib{shadow,misc}.so.0* /lib</userinput></screen>

<para>As some packages expect to find the just-moved libraries in
<filename>/usr/lib</filename>, create the following symlinks:</para>

<screen><userinput>ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</userinput></screen>

<para>The <option>-D</option> option of <command>useradd</command> reads and
writes its defaults in <filename>/etc/default/useradd</filename>, so that
directory must exist:</para>

<screen><userinput>mkdir /etc/default</userinput></screen>

<para>Coreutils has already installed a better <command>groups</command>
program in <filename>/usr/bin</filename>. Remove the one installed by
Shadow:</para>

<screen><userinput>rm /bin/groups</userinput></screen>

</sect2>

<sect2><title>&nbsp;</title><para>&nbsp;</para></sect2>

<sect2><title>Configuring Shadow</title>

<para>This package contains utilities to modify users' passwords, add
or delete users and groups, and the like. In short, 'password shadowing' moves
the password hashes out of the world-readable <filename>/etc/passwd</filename>
into <filename>/etc/shadow</filename>, which only root can read, so that an
unprivileged user cannot copy the hashes and crack them offline. A full
explanation can be found in the <filename>doc/HOWTO</filename> file within the
unpacked Shadow source tree. There is one thing to keep in mind if you decide to
use Shadow support: programs that need to verify passwords (for example xdm, ftp
daemons, pop3 daemons) need to be 'shadow-compliant', that is, they must be
built with shadow support so they can read hashes from
<filename>/etc/shadow</filename> rather than expecting to find them in
<filename>/etc/passwd</filename>.</para>

<para>To enable shadowed passwords, run the following command:</para>

<screen><userinput>/usr/sbin/pwconv</userinput></screen>

<para>And to enable shadowed group passwords, run the following
command:</para>

<screen><userinput>/usr/sbin/grpconv</userinput></screen>

<para>Under normal circumstances, no passwords will have been set yet.
However, if you are returning to this section to enable shadowing on a system
that already has passwords, reset the current user passwords with the
<command>passwd</command> command and any group passwords with the
<command>gpasswd</command> command, so that they are re-hashed with the
settings chosen above.</para>
</sect2>
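As an added audit helper (not part of Shadow or LFS; the function name and the sample data are my own), the following shell function checks the three properties that <command>pwconv</command>, <command>grpconv</command> and the MD5 setting are meant to establish: no hash or empty password field is left in the world-readable <filename>passwd</filename> file, the <filename>shadow</filename> file is not readable by others, and no account is passwordless or still on a legacy DES hash. It takes the two file paths as arguments so it can be run against copies or test fixtures as well as the live <filename>/etc</filename> files.

```shell
#!/bin/sh
# Added audit helper, not part of Shadow or LFS.
# audit_shadow PASSWD_FILE SHADOW_FILE
#   Prints one line per finding and returns 1 if anything was found, 0 otherwise.
audit_shadow() {
  passwd_file=$1
  shadow_file=$2
  findings=0

  # 1. passwd(5): field 2 must be the placeholder "x" (or a locked marker), never a hash.
  while IFS=: read -r user pw _rest; do
    case "$pw" in
      x|'*'|'!'*) ;;
      '') echo "passwd: $user has an empty password field (logs in with no password)"
          findings=1 ;;
      *)  echo "passwd: $user still carries a hash in the world-readable passwd file"
          findings=1 ;;
    esac
  done < "$passwd_file"

  # 2. shadow(5) must not be readable by "other"; column 8 of ls -l is the o+r bit.
  if [ "$(ls -ld "$shadow_file" | cut -c8)" = "r" ]; then
    echo "shadow: $shadow_file is world-readable, which defeats shadowing"
    findings=1
  fi

  # 3. shadow(5) hashes: empty means passwordless; no "$id$" prefix means DES crypt.
  while IFS=: read -r user pw _rest; do
    case "$pw" in
      '')       echo "shadow: $user has an empty password (logs in with no password)"
                findings=1 ;;
      '*'|'!'*) ;;   # locked or no-login account
      '$'*)     ;;   # modular crypt format; $1$ is the MD5 scheme MD5_CRYPT_ENAB selects
      *)        echo "shadow: $user uses legacy DES crypt (8-character limit); reset with passwd"
                findings=1 ;;
    esac
  done < "$shadow_file"

  return "$findings"
}
```

On the live system run it as root with <literal>audit_shadow /etc/passwd /etc/shadow</literal>; it exits 0 only when the conversion left nothing behind.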

<sect2>
<title>Setting the root password</title>

<para>Choose a password for user root and set it via:</para>

<screen><userinput>passwd root</userinput></screen>

</sect2>

&aa-shadow-shortdesc;
&aa-shadow-desc;

</sect1>