| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137 |
- <sect1 id="ch-system-shadow" xreflabel="Shadow">
- <title>Installing Shadow-&shadow-version;</title>
- <?dbhtml filename="shadow.html" dir="chapter06"?>
- <para>The Shadow package contains programs for handling passwords in a secure
- way.</para>
- <screen>&buildtime; &shadow-time;
- &diskspace; &shadow-compsize;</screen>
- &aa-shadow-down;
- &aa-shadow-dep;
- <sect2><title> </title><para> </para></sect2>
- <sect2>
- <title>Installation of Shadow</title>
- <para>Shadow hard-wires the path to the <command>passwd</command> binary within
- the binary itself, but does this the wrong way. If a <command>passwd</command>
- binary is not present before installing Shadow, the package incorrectly assumes
- it is going to be located at <filename>/bin/passwd</filename>, but then
- installs it as <filename>/usr/bin/passwd</filename>. This will lead to errors
- about not finding <filename>/bin/passwd</filename>. To work around this bug,
- create a dummy <filename>passwd</filename> file, so that it gets hard-wired
- properly:</para>
- <screen><userinput>touch /usr/bin/passwd</userinput></screen>
- <para>Now prepare Shadow for compilation:</para>
- <screen><userinput>./configure --libdir=/usr/lib --enable-shared</userinput></screen>
- <para>Work around a problem that prevents Shadow's internationalization from
- working:</para>
- <screen><userinput>echo '#define HAVE_SETLOCALE 1' >> config.h</userinput></screen>
- <para>Compile the package:</para>
- <screen><userinput>make</userinput></screen>
- <para>And install it:</para>
- <screen><userinput>make install</userinput></screen>
- <para>Shadow uses two files to configure authentication settings for the
- system. Install these two config files:</para>
- <screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen>
- <para>Instead of using the default <emphasis>crypt</emphasis> method, we want
- to use the more secure <emphasis>MD5</emphasis> method of password encryption,
- which in addition allows passwords longer than 8 characters. We also need to
- change the obsolete <filename class="directory">/var/spool/mail</filename>
- location for user mailboxes that Shadow uses by default to the <filename
- class="directory">/var/mail</filename> location used nowadays. We accomplish
- both these things by changing the relevant configuration file while copying it
- to its destination (it's probably better to cut-and-paste this rather than try
- and type it all in):</para>
- <screen><userinput>sed -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \
- -e 's%/var/spool/mail%/var/mail%' \
- etc/login.defs.linux > /etc/login.defs</userinput></screen>
- <para>Move some misplaced symlinks to their proper locations:</para>
- <screen><userinput>mv /bin/sg /usr/bin
- mv /bin/vigr /usr/sbin</userinput></screen>
- <para>And move Shadow's dynamic libraries to a more appropriate location:</para>
- <screen><userinput>mv /usr/lib/lib{shadow,misc}.so.0* /lib</userinput></screen>
- <para>As some packages expect to find the just-moved libraries in
- <filename>/usr/lib</filename>, create the following symlinks:</para>
- <screen><userinput>ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
- ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</userinput></screen>
- <para>The -D option of the <filename>useradd</filename> program requires this
- directory for it to work properly:</para>
- <screen><userinput>mkdir /etc/default</userinput></screen>
- <para>Coreutils has already installed a better <command>groups</command>
- program in <filename class="directory">/usr/bin</filename>. Remove the one
- installed by Shadow:</para>
- <screen><userinput>rm /bin/groups</userinput></screen>
- </sect2>
- <sect2><title> </title><para> </para></sect2>
- <sect2><title>Configuring Shadow</title>
- <para>This package contains utilities to add, modify and delete users and
- groups, set and change their passwords, and other such administrative tasks.
- For a full explanation of what <emphasis>password shadowing</emphasis> means,
- see the <filename>doc/HOWTO</filename> file within the unpacked source tree.
- There's one thing to keep in mind if you decide to use Shadow support: programs
- that need to verify passwords (display managers, ftp programs, pop3 daemons,
- and the like) need to be <emphasis>shadow-compliant</emphasis>, that is they
- need to be able to work with shadowed passwords.</para>
- <para>To enable shadowed passwords, run the following command:</para>
- <screen><userinput>pwconv</userinput></screen>
- <para>And to enable shadowed group passwords, run:</para>
- <screen><userinput>grpconv</userinput></screen>
- <para>Under normal circumstances, you won't have created any passwords yet.
- However, if returning to this section later to enable shadowing, you should
- reset any current user passwords with the <command>passwd</command> command or
- any group passwords with the <command>gpasswd</command> command.</para>
- </sect2>
- <sect2><title> </title><para> </para></sect2>
- <sect2>
- <title>Setting the root password</title>
- <para>Choose a password for user root and set it via:</para>
- <screen><userinput>passwd root</userinput></screen>
- </sect2>
- &aa-shadow-shortdesc;
- &aa-shadow-desc;
- </sect1>
|
