|
|
@@ -3,12 +3,6 @@
|
|
|
<sect2>
|
|
|
<title>Installation of Shadow Password Suite</title>
|
|
|
|
|
|
-<para>Before you install this package, you may want to have a look at
|
|
|
-the Shadow hint. It discusses how you can make your system more secure
|
|
|
-regarding passwords, such as how to enable the more secure MD5 passwords
|
|
|
-and how to get the most out of this Shadow package. The Shadow hint can
|
|
|
-be found at <ulink url="&hints-root;shadowpasswd_plus.txt"/>.</para>
|
|
|
-
|
|
|
<para>The <userinput>login</userinput>, <userinput>getty</userinput> and
|
|
|
<userinput>init</userinput> programs (and some others) maintain a number
|
|
|
of logfiles to record who are and who were logged in to the system. These
|
|
|
@@ -31,13 +25,14 @@ or she last logged in, and the <filename>/var/log/btmp</filename> lists the
|
|
|
bad login attempts.</para>
|
|
|
|
|
|
<para>Shadow hard-wires the path to the <userinput>passwd</userinput> binary
|
|
|
-within the binary itself, but does this the wrong way. If before installing
|
|
|
-Shadow no <userinput>passwd</userinput> binary is present , the package wrongly
|
|
|
-assumes it is going to be located at <filename>/bin/passwd</filename>,
|
|
|
-but then installs it in <filename>/usr/bin/passwd</filename>. This will lead
|
|
|
-to weird errors about not finding <filename>/bin/passwd</filename>. To work
|
|
|
-around this bug, create a dummy <filename>passwd</filename> file,
|
|
|
-so that it gets hard-wired properly:</para>
|
|
|
+within the binary itself, but does this the wrong way. If a
|
|
|
+<userinput>passwd</userinput> binary is not present before installing Shadow,
|
|
|
+the package wrongly assumes it is going to be located at
|
|
|
+<filename>/bin/passwd</filename>, but then installs it in
|
|
|
+<filename>/usr/bin/passwd</filename>. This will lead to weird errors about not
|
|
|
+finding <filename>/bin/passwd</filename>. To work around this bug, create a
|
|
|
+dummy <filename>passwd</filename> file, so that it gets hard-wired
|
|
|
+properly:</para>
|
|
|
|
|
|
<para><screen><userinput>touch /usr/bin/passwd</userinput></screen></para>
|
|
|
|
|
|
@@ -65,15 +60,21 @@ system. Install these two config files:</para>
|
|
|
|
|
|
<para><screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen></para>
|
|
|
|
|
|
-<para>In the old days <filename class="directory">/var/spool/mail</filename>
|
|
|
-was the location for the user mailboxes, but nowadays <filename
|
|
|
-class="directory">/var/mail</filename> is used. Change the default mailbox
|
|
|
-location in the relevant configuration file while copying it to its
|
|
|
-destination:</para>
|
|
|
+<para>We want to change the password method to enable MD5 passwords which are
|
|
|
+theoretically more secure than the default "crypt" method and also allow
|
|
|
+password lengths greater than 8 characters. We also need to change the old
|
|
|
+<filename class="directory">/var/spool/mail</filename> location for user
|
|
|
+mailboxes to the current location at
|
|
|
+<filename class="directory">/var/mail</filename>. We do this by changing the
|
|
|
+relevant configuration file while copying it to its destination:</para>
|
|
|
|
|
|
-<para><screen><userinput>sed 's%/var/spool/mail%/var/mail%' \
|
|
|
+<para><screen><userinput>sed -e 's%/var/spool/mail%/var/mail%' \
|
|
|
+ -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \
|
|
|
etc/login.defs.linux > /etc/login.defs</userinput></screen></para>
|
|
|
|
|
|
+<note><para>Be extra careful when typing all of the above. It is probably safer
|
|
|
+to cut-and-paste it rather than try and type it all in.</para></note>
|
|
|
+
|
|
|
<para>According to the man page of <userinput>vipw</userinput>, a
|
|
|
<userinput>vigr</userinput> program should exist too. Since the installation
|
|
|
procedure doesn't create this program, create a symlink manually:</para>
|
Greg Schafer