source: BOOK/final-system/common/shadow.xml@ d767eb3

clfs-1.2 clfs-2.1 clfs-3.0.0-systemd clfs-3.0.0-sysvinit systemd sysvinit
Last change on this file since d767eb3 was cb3bd0d, checked in by Jim Gifford <clfs@…>, 18 years ago

r3800@server (orig r1716): chris | 2006-06-04 12:34:24 -0700
Removed obsolete paragraph from Shadow instructions

  • Property mode set to 100644
File size: 18.8 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6]>
7
8<sect1 id="ch-system-shadow" role="wrap">
9 <?dbhtml filename="shadow.html"?>
10
11 <title>Shadow-&shadow-version;</title>
12
13 <indexterm zone="ch-system-shadow">
14 <primary sortas="a-Shadow">Shadow</primary>
15 </indexterm>
16
17 <sect2 role="package">
18 <title/>
19
20 <para>The Shadow package contains programs for handling passwords in a
21 secure way.</para>
22
23 </sect2>
24
25 <sect2 role="installation">
26 <title>Installation of Shadow</title>
27
28 <note os="a">
29 <para>If you would like to enforce the use of strong passwords,
30 refer to <ulink url="&blfs-root;view/svn/postlfs/cracklib.html"/>
31 for installing Cracklib prior to building Shadow. Then add
32 <parameter>--with-libcrack</parameter> to the <command>configure</command>
33 command below.</para>
34 </note>
35
36 <para os="b">Prepare Shadow for compilation:</para>
37
38<screen os="c"><userinput>./configure --libdir=/lib --enable-shared \
39 --without-libpam --without-audit --without-selinux</userinput></screen>
40
41<para os="d">The meaning of the configure options:</para>
42
43 <variablelist os="e">
44 <varlistentry>
45 <term><parameter>--without-libpam</parameter></term>
46 <listitem><para>Support for Linux-PAM is enabled by default in Shadow,
47 however PAM is not installed on a base LFS system, so this switch
48 disables PAM support in Shadow. For instructions to install PAM and
49 link Shadow to it, you can look at
50 <ulink url="&blfs-root;view/svn/postlfs/shadow.html"/>.</para></listitem>
51 </varlistentry>
52 <varlistentry>
53 <term><parameter>--without-audit</parameter></term>
54 <listitem><para>Support for auditing is enabled by default, but a
55 a library that it needs is not installed in a base LFS system. This
56 switch disables auditing support.</para></listitem>
57 </varlistentry>
58 <varlistentry>
59 <term><parameter>--without-selinux</parameter></term>
60 <listitem><para>Support for selinux is enabled by default, but selinux
61 is not built in a base LFS system and configure will fail without this
62 switch.</para></listitem>
63 </varlistentry>
64 </variablelist>
65
66 <para os="f">Disable the installation of the <command>groups</command>
67 program and its man pages, as Coreutils provides a better version:</para>
68
69<screen os="g"><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile
70sed -i '/groups/d' man/Makefile</userinput></screen>
71
72 <para os="h">Compile the package:</para>
73
74<screen os="i"><userinput>make</userinput></screen>
75
76 <para os="j">This package does not come with a test suite.</para>
77
78 <para os="k">Install the package:</para>
79
80<screen os="l"><userinput>make install</userinput></screen>
81
82 <para id="shadow-limits-login_access" os="m">Shadow uses two files to configure
83 authentication settings for the system. Install these two configuration
84 files:</para>
85
86 <indexterm zone="shadow-limits-login_access" os="n">
87 <primary sortas="e-/etc/limits">/etc/limits</primary>
88 </indexterm>
89
90 <indexterm zone="shadow-limits-login_access" os="o">
91 <primary sortas="e-/etc/login.access">/etc/login.access</primary>
92 </indexterm>
93
94<screen os="p"><userinput>cp -v etc/{limits,login.access} /etc</userinput></screen>
95
96 <para id="shadow-login_defs" os="q">Instead of using the default
97 <emphasis>crypt</emphasis> method, use the more secure
98 <emphasis>MD5</emphasis> method of password encryption, which also allows
99 passwords longer than 8 characters. It is also necessary to change the
100 obsolete <filename class="directory">/var/spool/mail</filename> location
101 for user mailboxes that Shadow uses by default to the <filename
102 class="directory">/var/mail</filename> location used currently. Both of
103 these can be accomplished by changing the relevant configuration file
104 while copying it to its destination:</para>
105
106 <indexterm zone="shadow-login_defs" os="r">
107 <primary sortas="e-/etc/login.defs">/etc/login.defs</primary>
108 </indexterm>
109
110<screen os="s"><userinput>sed -e's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
111 -e 's@/var/spool/mail@/var/mail@' \
112 etc/login.defs &gt; /etc/login.defs</userinput></screen>
113
114 <note os="t">
115 <para>If you built Shadow with Cracklib support, execute
116 this <command>sed</command> to correct the path to the Cracklib
117 dictionary:</para>
118
119<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs</userinput></screen>
120 </note>
121
122 <para os="u">Move a misplaced program to its proper location:</para>
123
124<screen os="v"><userinput>mv -v /usr/bin/passwd /bin</userinput></screen>
125
126 <para os="w">Move Shadow's dynamic libraries to a more appropriate
127 location:</para>
128
129<screen os="x"><userinput>mv -v /lib/libshadow.*a /usr/lib
130rm -v /lib/libshadow.so
131ln -svf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen>
132
133 <para os="y">The <option>-D</option> option of the <command>useradd</command>
134 program requires the <filename class="directory">/etc/default</filename>
135 directory for it to work properly:</para>
136
137<screen os="z"><userinput>install -dv /etc/default</userinput></screen>
138
139 </sect2>
140
141 <sect2 id="conf-shadow" role="configuration">
142 <title>Configuring Shadow</title>
143
144 <indexterm zone="conf-shadow">
145 <primary sortas="a-Shadow">Shadow</primary>
146 <secondary>configuring</secondary>
147 </indexterm>
148
149 <para>This package contains utilities to add, modify, and delete users and
150 groups; set and change their passwords; and perform other administrative
151 tasks. For a full explanation of what <emphasis>password shadowing</emphasis>
152 means, see the <filename>doc/HOWTO</filename> file within the unpacked source
153 tree. If using Shadow support, keep in mind that programs which need to
154 verify passwords (display managers, FTP programs, pop3 daemons, etc.) must
155 be Shadow-compliant. That is, they need to be able to work with shadowed
156 passwords.</para>
157
158 <para>To enable shadowed passwords, run the following command:</para>
159
160<screen><userinput>pwconv</userinput></screen>
161
162 <para>To enable shadowed group passwords, run:</para>
163
164<screen role="nodump"><userinput>grpconv</userinput></screen>
165
166 </sect2>
167
168 <sect2 id="root-password" role="configuration">
169 <title>Setting the root password</title>
170
171 <para>Choose a password for user <systemitem
172 class="username">root</systemitem> and set it by running:</para>
173
174<screen role="nodump"><userinput>passwd root</userinput></screen>
175
176 </sect2>
177
178 <sect2 id="contents-shadow" role="content">
179 <title>Contents of Shadow</title>
180
181 <segmentedlist>
182 <segtitle>Installed programs</segtitle>
183 <segtitle>Installed libraries</segtitle>
184
185 <seglistitem>
186 <seg>chage, chfn, chpasswd, chgpasswd, chsh, expiry, faillog, gpasswd,
187 groupadd, groupdel, groupmod, grpck, grpconv, grpunconv, lastlog,
188 login, logoutd, newgrp, newusers, passwd, pwck, pwconv, pwunconv,
189 sg (link to newgrp), useradd, userdel, usermod, vigr (link to vipw),
190 and vipw</seg>
191 <seg>libshadow.[a,so]</seg>
192 </seglistitem>
193 </segmentedlist>
194
195 <variablelist>
196 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
197 <?dbfo list-presentation="list"?>
198 <?dbhtml list-presentation="table"?>
199
200 <varlistentry id="chage">
201 <term><command>chage</command></term>
202 <listitem>
203 <para>Used to change the maximum number of days between obligatory
204 password changes</para>
205 <indexterm zone="ch-system-shadow chage">
206 <primary sortas="b-chage">chage</primary>
207 </indexterm>
208 </listitem>
209 </varlistentry>
210
211 <varlistentry id="chfn">
212 <term><command>chfn</command></term>
213 <listitem>
214 <para>Used to change a user's full name and other information</para>
215 <indexterm zone="ch-system-shadow chfn">
216 <primary sortas="b-chfn">chfn</primary>
217 </indexterm>
218 </listitem>
219 </varlistentry>
220
221 <varlistentry id="chgpasswd">
222 <term><command>chgpasswd</command></term>
223 <listitem>
224 <para>Used to update group passwords in batch mode</para>
225 <indexterm zone="ch-system-shadow chgpasswd">
226 <primary sortas="b-chgpasswd">chgpasswd</primary>
227 </indexterm>
228 </listitem>
229 </varlistentry>
230
231 <varlistentry id="chpasswd">
232 <term><command>chpasswd</command></term>
233 <listitem>
234 <para>Used to update the passwords of an entire series of user
235 accounts</para>
236 <indexterm zone="ch-system-shadow chpasswd">
237 <primary sortas="b-chpasswd">chpasswd</primary>
238 </indexterm>
239 </listitem>
240 </varlistentry>
241
242 <varlistentry id="chsh">
243 <term><command>chsh</command></term>
244 <listitem>
245 <para>Used to change a user's default login shell</para>
246 <indexterm zone="ch-system-shadow chsh">
247 <primary sortas="b-chsh">chsh</primary>
248 </indexterm>
249 </listitem>
250 </varlistentry>
251
252 <varlistentry id="expiry">
253 <term><command>expiry</command></term>
254 <listitem>
255 <para>Checks and enforces the current password expiration policy</para>
256 <indexterm zone="ch-system-shadow expiry">
257 <primary sortas="b-expiry">expiry</primary>
258 </indexterm>
259 </listitem>
260 </varlistentry>
261
262 <varlistentry id="faillog">
263 <term><command>faillog</command></term>
264 <listitem>
265 <para>Is used to examine the log of login failures, to set a maximum
266 number of failures before an account is blocked, or to reset the
267 failure count</para>
268 <indexterm zone="ch-system-shadow faillog">
269 <primary sortas="b-faillog">faillog</primary>
270 </indexterm>
271 </listitem>
272 </varlistentry>
273
274 <varlistentry id="gpasswd">
275 <term><command>gpasswd</command></term>
276 <listitem>
277 <para>Is used to add and delete members and administrators to
278 groups</para>
279 <indexterm zone="ch-system-shadow gpasswd">
280 <primary sortas="b-gpasswd">gpasswd</primary>
281 </indexterm>
282 </listitem>
283 </varlistentry>
284
285 <varlistentry id="groupadd">
286 <term><command>groupadd</command></term>
287 <listitem>
288 <para>Creates a group with the given name</para>
289 <indexterm zone="ch-system-shadow groupadd">
290 <primary sortas="b-groupadd">groupadd</primary>
291 </indexterm>
292 </listitem>
293 </varlistentry>
294
295 <varlistentry id="groupdel">
296 <term><command>groupdel</command></term>
297 <listitem>
298 <para>Deletes the group with the given name</para>
299 <indexterm zone="ch-system-shadow groupdel">
300 <primary sortas="b-groupdel">groupdel</primary>
301 </indexterm>
302 </listitem>
303 </varlistentry>
304
305 <varlistentry id="groupmod">
306 <term><command>groupmod</command></term>
307 <listitem>
308 <para>Is used to modify the given group's name or GID</para>
309 <indexterm zone="ch-system-shadow groupmod">
310 <primary sortas="b-groupmod">groupmod</primary>
311 </indexterm>
312 </listitem>
313 </varlistentry>
314
315 <varlistentry id="grpck">
316 <term><command>grpck</command></term>
317 <listitem>
318 <para>Verifies the integrity of the group files
319 <filename>/etc/group</filename> and
320 <filename>/etc/gshadow</filename></para>
321 <indexterm zone="ch-system-shadow grpck">
322 <primary sortas="b-grpck">grpck</primary>
323 </indexterm>
324 </listitem>
325 </varlistentry>
326
327 <varlistentry id="grpconv">
328 <term><command>grpconv</command></term>
329 <listitem>
330 <para>Creates or updates the shadow group file from the normal
331 group file</para>
332 <indexterm zone="ch-system-shadow grpconv">
333 <primary sortas="b-grpconv">grpconv</primary>
334 </indexterm>
335 </listitem>
336 </varlistentry>
337
338 <varlistentry id="grpunconv">
339 <term><command>grpunconv</command></term>
340 <listitem>
341 <para>Updates <filename>/etc/group</filename> from
342 <filename>/etc/gshadow</filename> and then deletes the latter</para>
343 <indexterm zone="ch-system-shadow grpunconv">
344 <primary sortas="b-grpunconv">grpunconv</primary>
345 </indexterm>
346 </listitem>
347 </varlistentry>
348
349 <varlistentry id="lastlog">
350 <term><command>lastlog</command></term>
351 <listitem>
352 <para>Reports the most recent login of all users or of a
353 given user</para>
354 <indexterm zone="ch-system-shadow lastlog">
355 <primary sortas="b-lastlog">lastlog</primary>
356 </indexterm>
357 </listitem>
358 </varlistentry>
359
360 <varlistentry id="login">
361 <term><command>login</command></term>
362 <listitem>
363 <para>Is used by the system to let users sign on</para>
364 <indexterm zone="ch-system-shadow login">
365 <primary sortas="b-login">login</primary>
366 </indexterm>
367 </listitem>
368 </varlistentry>
369
370 <varlistentry id="logoutd">
371 <term><command>logoutd</command></term>
372 <listitem>
373 <para>Is a daemon used to enforce restrictions on log-on time
374 and ports</para>
375 <indexterm zone="ch-system-shadow logoutd">
376 <primary sortas="b-logoutd">logoutd</primary>
377 </indexterm>
378 </listitem>
379 </varlistentry>
380
381 <varlistentry id="newgrp">
382 <term><command>newgrp</command></term>
383 <listitem>
384 <para>Is used to change the current GID during a login session</para>
385 <indexterm zone="ch-system-shadow newgrp">
386 <primary sortas="b-newgrp">newgrp</primary>
387 </indexterm>
388 </listitem>
389 </varlistentry>
390
391 <varlistentry id="newusers">
392 <term><command>newusers</command></term>
393 <listitem>
394 <para>Is used to create or update an entire series of user
395 accounts</para>
396 <indexterm zone="ch-system-shadow newusers">
397 <primary sortas="b-newusers">newusers</primary>
398 </indexterm>
399 </listitem>
400 </varlistentry>
401
402 <varlistentry id="passwd">
403 <term><command>passwd</command></term>
404 <listitem>
405 <para>Is used to change the password for a user or group account</para>
406 <indexterm zone="ch-system-shadow passwd">
407 <primary sortas="b-passwd">passwd</primary>
408 </indexterm>
409 </listitem>
410 </varlistentry>
411
412 <varlistentry id="pwck">
413 <term><command>pwck</command></term>
414 <listitem>
415 <para>Verifies the integrity of the password files
416 <filename>/etc/passwd</filename> and
417 <filename>/etc/shadow</filename></para>
418 <indexterm zone="ch-system-shadow pwck">
419 <primary sortas="b-pwck">pwck</primary>
420 </indexterm>
421 </listitem>
422 </varlistentry>
423
424 <varlistentry id="pwconv">
425 <term><command>pwconv</command></term>
426 <listitem>
427 <para>Creates or updates the shadow password file from the normal
428 password file</para>
429 <indexterm zone="ch-system-shadow pwconv">
430 <primary sortas="b-pwconv">pwconv</primary>
431 </indexterm>
432 </listitem>
433 </varlistentry>
434
435 <varlistentry id="pwunconv">
436 <term><command>pwunconv</command></term>
437 <listitem>
438 <para>Updates <filename>/etc/passwd</filename> from
439 <filename>/etc/shadow</filename> and then deletes the latter</para>
440 <indexterm zone="ch-system-shadow pwunconv">
441 <primary sortas="b-pwunconv">pwunconv</primary>
442 </indexterm>
443 </listitem>
444 </varlistentry>
445
446 <varlistentry id="sg">
447 <term><command>sg</command></term>
448 <listitem>
449 <para>Executes a given command while the user's GID
450 is set to that of the given group</para>
451 <indexterm zone="ch-system-shadow sg">
452 <primary sortas="b-sg">sg</primary>
453 </indexterm>
454 </listitem>
455 </varlistentry>
456
457 <varlistentry id="su">
458 <term><command>su</command></term>
459 <listitem>
460 <para>Runs a shell with substitute user and group IDs</para>
461 <indexterm zone="ch-system-shadow su">
462 <primary sortas="b-su">su</primary>
463 </indexterm>
464 </listitem>
465 </varlistentry>
466
467 <varlistentry id="useradd">
468 <term><command>useradd</command></term>
469 <listitem>
470 <para>Creates a new user with the given name, or updates the default
471 new-user information</para>
472 <indexterm zone="ch-system-shadow useradd">
473 <primary sortas="b-useradd">useradd</primary>
474 </indexterm>
475 </listitem>
476 </varlistentry>
477
478 <varlistentry id="userdel">
479 <term><command>userdel</command></term>
480 <listitem>
481 <para>Deletes the given user account</para>
482 <indexterm zone="ch-system-shadow userdel">
483 <primary sortas="b-userdel">userdel</primary>
484 </indexterm>
485 </listitem>
486 </varlistentry>
487
488 <varlistentry id="usermod">
489 <term><command>usermod</command></term>
490 <listitem>
491 <para>Is used to modify the given user's login name, User
492 Identification (UID), shell, initial group, home directory, etc.</para>
493 <indexterm zone="ch-system-shadow usermod">
494 <primary sortas="b-usermod">usermod</primary>
495 </indexterm>
496 </listitem>
497 </varlistentry>
498
499 <varlistentry id="vigr">
500 <term><command>vigr</command></term>
501 <listitem>
502 <para>Edits the <filename>/etc/group</filename> or
503 <filename>/etc/gshadow</filename> files</para>
504 <indexterm zone="ch-system-shadow vigr">
505 <primary sortas="b-vigr">vigr</primary>
506 </indexterm>
507 </listitem>
508 </varlistentry>
509
510 <varlistentry id="vipw">
511 <term><command>vipw</command></term>
512 <listitem>
513 <para>Edits the <filename>/etc/passwd</filename> or
514 <filename>/etc/shadow</filename> files</para>
515 <indexterm zone="ch-system-shadow vipw">
516 <primary sortas="b-vipw">vipw</primary>
517 </indexterm>
518 </listitem>
519 </varlistentry>
520
521 <varlistentry id="libshadow">
522 <term><filename class="libraryfile">libshadow</filename></term>
523 <listitem>
524 <para>Contains functions used by most programs in this package</para>
525 <indexterm zone="ch-system-shadow libshadow">
526 <primary sortas="c-libshadow">libshadow</primary>
527 </indexterm>
528 </listitem>
529 </varlistentry>
530
531 </variablelist>
532
533 </sect2>
534
535</sect1>
Note: See TracBrowser for help on using the repository browser.