source: final-system/common/shadow.xml@ 1b9652e

Last change on this file since 1b9652e was 4e34ccf, checked in by Jim Gifford <clfs@…>, 18 years ago

r3584@server: jim | 2006-05-22 01:19:01 -0700
Fixed a issues with cracklib and shadow builds. Many times reported in IRC and support lists.

  • Property mode set to 100644
File size: 18.7 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6]>
7
8<sect1 id="ch-system-shadow" role="wrap">
9 <?dbhtml filename="shadow.html"?>
10
11 <title>Shadow-&shadow-version;</title>
12
13 <indexterm zone="ch-system-shadow">
14 <primary sortas="a-Shadow">Shadow</primary>
15 </indexterm>
16
17 <sect2 role="package">
18 <title/>
19
20 <para>The Shadow package contains programs for handling passwords in a
21 secure way.</para>
22
23 </sect2>
24
25 <sect2 role="installation">
26 <title>Installation of Shadow</title>
27
28 <note os="a">
29 <para>If you would like to enforce the use of strong passwords,
30 refer to <ulink url="&blfs-root;view/svn/postlfs/cracklib.html"/>
31 for installing Cracklib prior to building Shadow. Then add
32 <parameter>--with-libcrack</parameter> to the <command>configure</command>
33 command below.</para>
34 </note>
35
36 <para os="b">Prepare Shadow for compilation:</para>
37
38<screen os="c"><userinput>./configure --libdir=/lib --enable-shared \
39 --without-libpam --without-audit --without-selinux</userinput></screen>
40
41<para os="d">The meaning of the configure options:</para>
42
43 <variablelist os="e">
44 <varlistentry>
45 <term><parameter>--without-libpam</parameter></term>
46 <listitem><para>Support for Linux-PAM is enabled by default in Shadow,
47 however PAM is not installed on a base LFS system, so this switch
48 disables PAM support in Shadow. For instructions to install PAM and
49 link Shadow to it, you can look at
50 <ulink url="&blfs-root;view/svn/postlfs/shadow.html"/>.</para></listitem>
51 </varlistentry>
52 <varlistentry>
53 <term><parameter>--without-audit</parameter></term>
54 <listitem><para>Support for auditing is enabled by default, but a
55 a library that it needs is not installed in a base LFS system. This
56 switch disables auditing support.</para></listitem>
57 </varlistentry>
58 <varlistentry>
59 <term><parameter>--without-selinux</parameter></term>
60 <listitem><para>Support for selinux is enabled by default, but selinux
61 is not built in a base LFS system and configure will fail without this
62 switch.</para></listitem>
63 </varlistentry>
64 </variablelist>
65
66 <para os="f">Disable the installation of the <command>groups</command>
67 program and its man pages, as Coreutils provides a better version:</para>
68
69<screen os="g"><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile
70sed -i '/groups/d' man/Makefile</userinput></screen>
71
72 <para os="h">Compile the package:</para>
73
74<screen os="i"><userinput>make</userinput></screen>
75
76 <para os="j">This package does not come with a test suite.</para>
77
78 <para os="k">Install the package:</para>
79
80<screen os="l"><userinput>make install</userinput></screen>
81
82 <para id="shadow-limits-login_access" os="m">Shadow uses two files to configure
83 authentication settings for the system. Install these two configuration
84 files:</para>
85
86 <indexterm zone="shadow-limits-login_access" os="n">
87 <primary sortas="e-/etc/limits">/etc/limits</primary>
88 </indexterm>
89
90 <indexterm zone="shadow-limits-login_access" os="o">
91 <primary sortas="e-/etc/login.access">/etc/login.access</primary>
92 </indexterm>
93
94<screen os="p"><userinput>cp -v etc/{limits,login.access} /etc</userinput></screen>
95
96 <para id="shadow-login_defs" os="q">Instead of using the default
97 <emphasis>crypt</emphasis> method, use the more secure
98 <emphasis>MD5</emphasis> method of password encryption, which also allows
99 passwords longer than 8 characters. It is also necessary to change the
100 obsolete <filename class="directory">/var/spool/mail</filename> location
101 for user mailboxes that Shadow uses by default to the <filename
102 class="directory">/var/mail</filename> location used currently. Both of
103 these can be accomplished by changing the relevant configuration file
104 while copying it to its destination:</para>
105
106 <indexterm zone="shadow-login_defs" os="r">
107 <primary sortas="e-/etc/login.defs">/etc/login.defs</primary>
108 </indexterm>
109
110<screen os="s"><userinput>sed -e's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
111 -e 's@/var/spool/mail@/var/mail@' \
112 etc/login.defs &gt; /etc/login.defs</userinput></screen>
113
114 <note os="t">
115 <para>If you built Shadow with Cracklib support, insert the following into
116 the <command>sed</command> given below:</para>
117
118<screen><literal>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs</literal></screen>
119 </note>
120
121 <para os="u">Move a misplaced program to its proper location:</para>
122
123<screen os="v"><userinput>mv -v /usr/bin/passwd /bin</userinput></screen>
124
125 <para os="w">Move Shadow's dynamic libraries to a more appropriate
126 location:</para>
127
128<screen os="x"><userinput>mv -v /lib/libshadow.*a /usr/lib
129rm -v /lib/libshadow.so
130ln -svf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen>
131
132 <para os="y">The <option>-D</option> option of the <command>useradd</command>
133 program requires the <filename class="directory">/etc/default</filename>
134 directory for it to work properly:</para>
135
136<screen os="z"><userinput>install -dv /etc/default</userinput></screen>
137
138 </sect2>
139
140 <sect2 id="conf-shadow" role="configuration">
141 <title>Configuring Shadow</title>
142
143 <indexterm zone="conf-shadow">
144 <primary sortas="a-Shadow">Shadow</primary>
145 <secondary>configuring</secondary>
146 </indexterm>
147
148 <para>This package contains utilities to add, modify, and delete users and
149 groups; set and change their passwords; and perform other administrative
150 tasks. For a full explanation of what <emphasis>password shadowing</emphasis>
151 means, see the <filename>doc/HOWTO</filename> file within the unpacked source
152 tree. If using Shadow support, keep in mind that programs which need to
153 verify passwords (display managers, FTP programs, pop3 daemons, etc.) must
154 be Shadow-compliant. That is, they need to be able to work with shadowed
155 passwords.</para>
156
157 <para>To enable shadowed passwords, run the following command:</para>
158
159<screen><userinput>pwconv</userinput></screen>
160
161 <para>To enable shadowed group passwords, run:</para>
162
163<screen role="nodump"><userinput>grpconv</userinput></screen>
164
165 <para>Under normal circumstances, passwords will not have been created
166 yet. However, if returning to this section later to enable shadowing,
167 reset any current user passwords with the <command>passwd</command>
168 command or any group passwords with the <command>gpasswd</command>
169 command.</para>
170
171 </sect2>
172
173 <sect2 id="root-password" role="configuration">
174 <title>Setting the root password</title>
175
176 <para>Choose a password for user <systemitem
177 class="username">root</systemitem> and set it by running:</para>
178
179<screen role="nodump"><userinput>passwd root</userinput></screen>
180
181 </sect2>
182
183 <sect2 id="contents-shadow" role="content">
184 <title>Contents of Shadow</title>
185
186 <segmentedlist>
187 <segtitle>Installed programs</segtitle>
188 <segtitle>Installed libraries</segtitle>
189
190 <seglistitem>
191 <seg>chage, chfn, chpasswd, chsh, expiry, faillog, gpasswd, groupadd,
192 groupdel, groupmod, grpck, grpconv, grpunconv, lastlog, login,
193 logoutd, newgrp, newusers, passwd, pwck, pwconv, pwunconv,
194 sg (link to newgrp), useradd, userdel, usermod, vigr (link to vipw),
195 and vipw</seg>
196 <seg>libshadow.[a,so]</seg>
197 </seglistitem>
198 </segmentedlist>
199
200 <variablelist>
201 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
202 <?dbfo list-presentation="list"?>
203 <?dbhtml list-presentation="table"?>
204
205 <varlistentry id="chage">
206 <term><command>chage</command></term>
207 <listitem>
208 <para>Used to change the maximum number of days between obligatory
209 password changes</para>
210 <indexterm zone="ch-system-shadow chage">
211 <primary sortas="b-chage">chage</primary>
212 </indexterm>
213 </listitem>
214 </varlistentry>
215
216 <varlistentry id="chfn">
217 <term><command>chfn</command></term>
218 <listitem>
219 <para>Used to change a user's full name and other information</para>
220 <indexterm zone="ch-system-shadow chfn">
221 <primary sortas="b-chfn">chfn</primary>
222 </indexterm>
223 </listitem>
224 </varlistentry>
225
226 <varlistentry id="chpasswd">
227 <term><command>chpasswd</command></term>
228 <listitem>
229 <para>Used to update the passwords of an entire series of user
230 accounts</para>
231 <indexterm zone="ch-system-shadow chpasswd">
232 <primary sortas="b-chpasswd">chpasswd</primary>
233 </indexterm>
234 </listitem>
235 </varlistentry>
236
237 <varlistentry id="chsh">
238 <term><command>chsh</command></term>
239 <listitem>
240 <para>Used to change a user's default login shell</para>
241 <indexterm zone="ch-system-shadow chsh">
242 <primary sortas="b-chsh">chsh</primary>
243 </indexterm>
244 </listitem>
245 </varlistentry>
246
247 <varlistentry id="expiry">
248 <term><command>expiry</command></term>
249 <listitem>
250 <para>Checks and enforces the current password expiration policy</para>
251 <indexterm zone="ch-system-shadow expiry">
252 <primary sortas="b-expiry">expiry</primary>
253 </indexterm>
254 </listitem>
255 </varlistentry>
256
257 <varlistentry id="faillog">
258 <term><command>faillog</command></term>
259 <listitem>
260 <para>Is used to examine the log of login failures, to set a maximum
261 number of failures before an account is blocked, or to reset the
262 failure count</para>
263 <indexterm zone="ch-system-shadow faillog">
264 <primary sortas="b-faillog">faillog</primary>
265 </indexterm>
266 </listitem>
267 </varlistentry>
268
269 <varlistentry id="gpasswd">
270 <term><command>gpasswd</command></term>
271 <listitem>
272 <para>Is used to add and delete members and administrators to
273 groups</para>
274 <indexterm zone="ch-system-shadow gpasswd">
275 <primary sortas="b-gpasswd">gpasswd</primary>
276 </indexterm>
277 </listitem>
278 </varlistentry>
279
280 <varlistentry id="groupadd">
281 <term><command>groupadd</command></term>
282 <listitem>
283 <para>Creates a group with the given name</para>
284 <indexterm zone="ch-system-shadow groupadd">
285 <primary sortas="b-groupadd">groupadd</primary>
286 </indexterm>
287 </listitem>
288 </varlistentry>
289
290 <varlistentry id="groupdel">
291 <term><command>groupdel</command></term>
292 <listitem>
293 <para>Deletes the group with the given name</para>
294 <indexterm zone="ch-system-shadow groupdel">
295 <primary sortas="b-groupdel">groupdel</primary>
296 </indexterm>
297 </listitem>
298 </varlistentry>
299
300 <varlistentry id="groupmod">
301 <term><command>groupmod</command></term>
302 <listitem>
303 <para>Is used to modify the given group's name or GID</para>
304 <indexterm zone="ch-system-shadow groupmod">
305 <primary sortas="b-groupmod">groupmod</primary>
306 </indexterm>
307 </listitem>
308 </varlistentry>
309
310 <varlistentry id="grpck">
311 <term><command>grpck</command></term>
312 <listitem>
313 <para>Verifies the integrity of the group files
314 <filename>/etc/group</filename> and
315 <filename>/etc/gshadow</filename></para>
316 <indexterm zone="ch-system-shadow grpck">
317 <primary sortas="b-grpck">grpck</primary>
318 </indexterm>
319 </listitem>
320 </varlistentry>
321
322 <varlistentry id="grpconv">
323 <term><command>grpconv</command></term>
324 <listitem>
325 <para>Creates or updates the shadow group file from the normal
326 group file</para>
327 <indexterm zone="ch-system-shadow grpconv">
328 <primary sortas="b-grpconv">grpconv</primary>
329 </indexterm>
330 </listitem>
331 </varlistentry>
332
333 <varlistentry id="grpunconv">
334 <term><command>grpunconv</command></term>
335 <listitem>
336 <para>Updates <filename>/etc/group</filename> from
337 <filename>/etc/gshadow</filename> and then deletes the latter</para>
338 <indexterm zone="ch-system-shadow grpunconv">
339 <primary sortas="b-grpunconv">grpunconv</primary>
340 </indexterm>
341 </listitem>
342 </varlistentry>
343
344 <varlistentry id="lastlog">
345 <term><command>lastlog</command></term>
346 <listitem>
347 <para>Reports the most recent login of all users or of a
348 given user</para>
349 <indexterm zone="ch-system-shadow lastlog">
350 <primary sortas="b-lastlog">lastlog</primary>
351 </indexterm>
352 </listitem>
353 </varlistentry>
354
355 <varlistentry id="login">
356 <term><command>login</command></term>
357 <listitem>
358 <para>Is used by the system to let users sign on</para>
359 <indexterm zone="ch-system-shadow login">
360 <primary sortas="b-login">login</primary>
361 </indexterm>
362 </listitem>
363 </varlistentry>
364
365 <varlistentry id="logoutd">
366 <term><command>logoutd</command></term>
367 <listitem>
368 <para>Is a daemon used to enforce restrictions on log-on time
369 and ports</para>
370 <indexterm zone="ch-system-shadow logoutd">
371 <primary sortas="b-logoutd">logoutd</primary>
372 </indexterm>
373 </listitem>
374 </varlistentry>
375
376 <varlistentry id="newgrp">
377 <term><command>newgrp</command></term>
378 <listitem>
379 <para>Is used to change the current GID during a login session</para>
380 <indexterm zone="ch-system-shadow newgrp">
381 <primary sortas="b-newgrp">newgrp</primary>
382 </indexterm>
383 </listitem>
384 </varlistentry>
385
386 <varlistentry id="newusers">
387 <term><command>newusers</command></term>
388 <listitem>
389 <para>Is used to create or update an entire series of user
390 accounts</para>
391 <indexterm zone="ch-system-shadow newusers">
392 <primary sortas="b-newusers">newusers</primary>
393 </indexterm>
394 </listitem>
395 </varlistentry>
396
397 <varlistentry id="passwd">
398 <term><command>passwd</command></term>
399 <listitem>
400 <para>Is used to change the password for a user or group account</para>
401 <indexterm zone="ch-system-shadow passwd">
402 <primary sortas="b-passwd">passwd</primary>
403 </indexterm>
404 </listitem>
405 </varlistentry>
406
407 <varlistentry id="pwck">
408 <term><command>pwck</command></term>
409 <listitem>
410 <para>Verifies the integrity of the password files
411 <filename>/etc/passwd</filename> and
412 <filename>/etc/shadow</filename></para>
413 <indexterm zone="ch-system-shadow pwck">
414 <primary sortas="b-pwck">pwck</primary>
415 </indexterm>
416 </listitem>
417 </varlistentry>
418
419 <varlistentry id="pwconv">
420 <term><command>pwconv</command></term>
421 <listitem>
422 <para>Creates or updates the shadow password file from the normal
423 password file</para>
424 <indexterm zone="ch-system-shadow pwconv">
425 <primary sortas="b-pwconv">pwconv</primary>
426 </indexterm>
427 </listitem>
428 </varlistentry>
429
430 <varlistentry id="pwunconv">
431 <term><command>pwunconv</command></term>
432 <listitem>
433 <para>Updates <filename>/etc/passwd</filename> from
434 <filename>/etc/shadow</filename> and then deletes the latter</para>
435 <indexterm zone="ch-system-shadow pwunconv">
436 <primary sortas="b-pwunconv">pwunconv</primary>
437 </indexterm>
438 </listitem>
439 </varlistentry>
440
441 <varlistentry id="sg">
442 <term><command>sg</command></term>
443 <listitem>
444 <para>Executes a given command while the user's GID
445 is set to that of the given group</para>
446 <indexterm zone="ch-system-shadow sg">
447 <primary sortas="b-sg">sg</primary>
448 </indexterm>
449 </listitem>
450 </varlistentry>
451
452 <varlistentry id="su">
453 <term><command>su</command></term>
454 <listitem>
455 <para>Runs a shell with substitute user and group IDs</para>
456 <indexterm zone="ch-system-shadow su">
457 <primary sortas="b-su">su</primary>
458 </indexterm>
459 </listitem>
460 </varlistentry>
461
462 <varlistentry id="useradd">
463 <term><command>useradd</command></term>
464 <listitem>
465 <para>Creates a new user with the given name, or updates the default
466 new-user information</para>
467 <indexterm zone="ch-system-shadow useradd">
468 <primary sortas="b-useradd">useradd</primary>
469 </indexterm>
470 </listitem>
471 </varlistentry>
472
473 <varlistentry id="userdel">
474 <term><command>userdel</command></term>
475 <listitem>
476 <para>Deletes the given user account</para>
477 <indexterm zone="ch-system-shadow userdel">
478 <primary sortas="b-userdel">userdel</primary>
479 </indexterm>
480 </listitem>
481 </varlistentry>
482
483 <varlistentry id="usermod">
484 <term><command>usermod</command></term>
485 <listitem>
486 <para>Is used to modify the given user's login name, User
487 Identification (UID), shell, initial group, home directory, etc.</para>
488 <indexterm zone="ch-system-shadow usermod">
489 <primary sortas="b-usermod">usermod</primary>
490 </indexterm>
491 </listitem>
492 </varlistentry>
493
494 <varlistentry id="vigr">
495 <term><command>vigr</command></term>
496 <listitem>
497 <para>Edits the <filename>/etc/group</filename> or
498 <filename>/etc/gshadow</filename> files</para>
499 <indexterm zone="ch-system-shadow vigr">
500 <primary sortas="b-vigr">vigr</primary>
501 </indexterm>
502 </listitem>
503 </varlistentry>
504
505 <varlistentry id="vipw">
506 <term><command>vipw</command></term>
507 <listitem>
508 <para>Edits the <filename>/etc/passwd</filename> or
509 <filename>/etc/shadow</filename> files</para>
510 <indexterm zone="ch-system-shadow vipw">
511 <primary sortas="b-vipw">vipw</primary>
512 </indexterm>
513 </listitem>
514 </varlistentry>
515
516 <varlistentry id="libshadow">
517 <term><filename class="libraryfile">libshadow</filename></term>
518 <listitem>
519 <para>Contains functions used by most programs in this package</para>
520 <indexterm zone="ch-system-shadow libshadow">
521 <primary sortas="c-libshadow">libshadow</primary>
522 </indexterm>
523 </listitem>
524 </varlistentry>
525
526 </variablelist>
527
528 </sect2>
529
530</sect1>
Note: See TracBrowser for help on using the repository browser.