123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597 |
- <?xml version="1.0" encoding="ISO-8859-1"?>
- <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
- <!ENTITY % general-entities SYSTEM "../general.ent">
- %general-entities;
- ]>
- <sect1 id="ch-system-shadow" role="wrap">
- <?dbhtml filename="shadow.html"?>
- <sect1info condition="script">
- <productname>shadow</productname>
- <productnumber>&shadow-version;</productnumber>
- <address>&shadow-url;</address>
- </sect1info>
- <title>Shadow-&shadow-version;</title>
- <indexterm zone="ch-system-shadow">
- <primary sortas="a-Shadow">Shadow</primary>
- </indexterm>
- <sect2 role="package">
- <title/>
- <para>The Shadow package contains programs for handling passwords in a secure
- way.</para>
- <segmentedlist>
- <segtitle>&buildtime;</segtitle>
- <segtitle>&diskspace;</segtitle>
- <seglistitem>
- <seg>&shadow-ch6-sbu;</seg>
- <seg>&shadow-ch6-du;</seg>
- </seglistitem>
- </segmentedlist>
- </sect2>
- <sect2 role="installation">
- <title>Installation of Shadow</title>
- <note>
- <para>If you would like to enforce the use of strong passwords, refer to
- <ulink url="&blfs-book;postlfs/cracklib.html"/> for installing
- CrackLib prior to building Shadow. Then add
- <parameter>--with-libcrack</parameter> to the <command>configure</command>
- command below.</para>
- </note>
- <para>Disable the installation of the <command>groups</command> program
- and its man pages, as Coreutils provides a better version. Also
- Prevent the installation of manual pages that were already installed in
- <xref linkend="ch-system-man-pages"/>:</para>
- <screen><userinput remap="pre">sed -i 's/groups$(EXEEXT) //' src/Makefile.in
- find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;
- find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
- find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></screen>
- <para id="shadow-login_defs">Instead of using the default
- <emphasis>crypt</emphasis> method, use the more secure
- <emphasis>SHA-512</emphasis> method of password encryption, which also
- allows passwords longer than 8 characters. It is also necessary to change
- the obsolete <filename class="directory">/var/spool/mail</filename> location
- for user mailboxes that Shadow uses by default to the <filename
- class="directory">/var/mail</filename> location used currently:</para>
- <screen><userinput remap="pre">sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
- -e 's@/var/spool/mail@/var/mail@' etc/login.defs</userinput></screen>
- <note>
- <para>If you chose to build Shadow with Cracklib support, run the following:</para>
- <screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
- </note>
- <para>Make a minor change to make the first group number generated
- by useradd 1000:</para>
- <screen><userinput remap="pre">sed -i 's/1000/999/' etc/useradd</userinput></screen>
- <para>Prepare Shadow for compilation:</para>
- <screen><userinput remap="configure">./configure --sysconfdir=/etc --with-group-name-max-length=32</userinput></screen>
- <variablelist>
- <title>The meaning of the configure option:</title>
- <varlistentry>
- <term><parameter>--with-group-name-max-length=32</parameter></term>
- <listitem>
- <para>The maximum user name is 32 characters. Make the maximum
- group name the same.</para>
- </listitem>
- </varlistentry>
- </variablelist>
- <para>Compile the package:</para>
- <screen><userinput remap="make">make</userinput></screen>
- <para>This package does not come with a test suite.</para>
- <para>Install the package:</para>
- <screen><userinput remap="install">make install</userinput></screen>
- <para>Move a misplaced program to its proper location:</para>
- <screen><userinput remap="install">mv -v /usr/bin/passwd /bin</userinput></screen>
- <!-- <para>Move Shadow's libraries to more appropriate locations:</para>
- <screen><userinput remap="install">mv -v /lib/libshadow.*a /usr/lib
- rm -v /lib/libshadow.so
- ln -sfv ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen> -->
- </sect2>
- <sect2 id="conf-shadow" role="configuration">
- <title>Configuring Shadow</title>
- <indexterm zone="conf-shadow">
- <primary sortas="a-Shadow">Shadow</primary>
- <secondary>configuring</secondary>
- </indexterm>
- <para>This package contains utilities to add, modify, and delete users and
- groups; set and change their passwords; and perform other administrative
- tasks. For a full explanation of what <emphasis>password shadowing</emphasis>
- means, see the <filename>doc/HOWTO</filename> file within the unpacked
- source tree. If using Shadow support, keep in mind that programs which need
- to verify passwords (display managers, FTP programs, pop3 daemons, etc.)
- must be Shadow-compliant. That is, they need to be able to work with
- shadowed passwords.</para>
- <para>To enable shadowed passwords, run the following command:</para>
- <screen><userinput>pwconv</userinput></screen>
- <para>To enable shadowed group passwords, run:</para>
- <screen><userinput>grpconv</userinput></screen>
- <para>Shadow's stock configuration for the <command>useradd</command>
- utility has a few caveats that need some explanation. First, the default
- action for the <command>useradd</command> utility is to create the user and
- a group of the same name as the user. By default the user ID (UID) and
- group ID (GID) numbers will begin with 1000. This means if you don't pass
- parameters to <command>useradd</command>, each user will be a member of a
- unique group on the system. If this behavior is undesirable, you'll need
- to pass the <parameter>-g</parameter> parameter to
- <command>useradd</command>. The default parameters are stored in the
- <filename>/etc/default/useradd</filename> file. You may need to modify two
- parameters in this file to suit your particular needs.</para>
- <variablelist>
- <title><filename>/etc/default/useradd</filename> Parameter Explanations</title>
- <varlistentry>
- <term><parameter>GROUP=1000</parameter></term>
- <listitem>
- <para>This parameter sets the beginning of the group numbers used in
- the /etc/group file. You can modify it to anything you desire. Note
- that <command>useradd</command> will never reuse a UID or GID. If the
- number identified in this parameter is used, it will use the next
- available number after this. Note also that if you don't have a group
- 1000 on your system the first time you use <command>useradd</command>
- without the <parameter>-g</parameter> parameter, you'll get a message
- displayed on the terminal that says:
- <computeroutput>useradd: unknown GID 1000</computeroutput>. You may
- disregard this message and group number 1000 will be used.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><parameter>CREATE_MAIL_SPOOL=yes</parameter></term>
- <listitem>
- <para>This parameter causes <command>useradd</command> to create a
- mailbox file for the newly created user. <command>useradd</command>
- will make the group ownership of this file to the
- <systemitem class="groupname">mail</systemitem> group with 0660
- permissions. If you would prefer that these mailbox files are not
- created by <command>useradd</command>, issue the following
- command:</para>
- <screen><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
- </listitem>
- </varlistentry>
- </variablelist>
- </sect2>
- <sect2 role="configuration">
- <title>Setting the root password</title>
- <para>Choose a password for user <emphasis>root</emphasis> and set it
- by running:</para>
- <screen role="nodump"><userinput>passwd root</userinput></screen>
- </sect2>
- <sect2 id="contents-shadow" role="content">
- <title>Contents of Shadow</title>
- <segmentedlist>
- <segtitle>Installed programs</segtitle>
- <segtitle>Installed directory</segtitle>
- <seglistitem>
- <seg>chage, chfn, chgpasswd, chpasswd, chsh, expiry, faillog, gpasswd,
- groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv,
- lastlog, login, logoutd, newgidmap, newgrp, newuidmap, newusers,
- nologin, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), su,
- useradd, userdel, usermod, vigr (link to vipw), and vipw</seg>
- <seg>/etc/default</seg>
- </seglistitem>
- </segmentedlist>
- <variablelist>
- <bridgehead renderas="sect3">Short Descriptions</bridgehead>
- <?dbfo list-presentation="list"?>
- <?dbhtml list-presentation="table"?>
- <varlistentry id="chage">
- <term><command>chage</command></term>
- <listitem>
- <para>Used to change the maximum number of days between obligatory
- password changes</para>
- <indexterm zone="ch-system-shadow chage">
- <primary sortas="b-chage">chage</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="chfn">
- <term><command>chfn</command></term>
- <listitem>
- <para>Used to change a user's full name and other information</para>
- <indexterm zone="ch-system-shadow chfn">
- <primary sortas="b-chfn">chfn</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="chgpasswd">
- <term><command>chgpasswd</command></term>
- <listitem>
- <para>Used to update group passwords in batch mode</para>
- <indexterm zone="ch-system-shadow chgpasswd">
- <primary sortas="b-chgpasswd">chgpasswd</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="chpasswd">
- <term><command>chpasswd</command></term>
- <listitem>
- <para>Used to update user passwords in batch mode</para>
- <indexterm zone="ch-system-shadow chpasswd">
- <primary sortas="b-chpasswd">chpasswd</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="chsh">
- <term><command>chsh</command></term>
- <listitem>
- <para>Used to change a user's default login shell</para>
- <indexterm zone="ch-system-shadow chsh">
- <primary sortas="b-chsh">chsh</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="expiry">
- <term><command>expiry</command></term>
- <listitem>
- <para>Checks and enforces the current password expiration policy</para>
- <indexterm zone="ch-system-shadow expiry">
- <primary sortas="b-expiry">expiry</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="faillog">
- <term><command>faillog</command></term>
- <listitem>
- <para>Is used to examine the log of login failures, to set a maximum
- number of failures before an account is blocked, or to reset the
- failure count</para>
- <indexterm zone="ch-system-shadow faillog">
- <primary sortas="b-faillog">faillog</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="gpasswd">
- <term><command>gpasswd</command></term>
- <listitem>
- <para>Is used to add and delete members and administrators to
- groups</para>
- <indexterm zone="ch-system-shadow gpasswd">
- <primary sortas="b-gpasswd">gpasswd</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="groupadd">
- <term><command>groupadd</command></term>
- <listitem>
- <para>Creates a group with the given name</para>
- <indexterm zone="ch-system-shadow groupadd">
- <primary sortas="b-groupadd">groupadd</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="groupdel">
- <term><command>groupdel</command></term>
- <listitem>
- <para>Deletes the group with the given name</para>
- <indexterm zone="ch-system-shadow groupdel">
- <primary sortas="b-groupdel">groupdel</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="groupmems">
- <term><command>groupmems</command></term>
- <listitem>
- <para>Allows a user to administer his/her own group membership list
- without the requirement of super user privileges.</para>
- <indexterm zone="ch-system-shadow groupmems">
- <primary sortas="b-groupmems">groupmems</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="groupmod">
- <term><command>groupmod</command></term>
- <listitem>
- <para>Is used to modify the given group's name or GID</para>
- <indexterm zone="ch-system-shadow groupmod">
- <primary sortas="b-groupmod">groupmod</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="grpck">
- <term><command>grpck</command></term>
- <listitem>
- <para>Verifies the integrity of the group files
- <filename>/etc/group</filename> and
- <filename>/etc/gshadow</filename></para>
- <indexterm zone="ch-system-shadow grpck">
- <primary sortas="b-grpck">grpck</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="grpconv">
- <term><command>grpconv</command></term>
- <listitem>
- <para>Creates or updates the shadow group file from the normal
- group file</para>
- <indexterm zone="ch-system-shadow grpconv">
- <primary sortas="b-grpconv">grpconv</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="grpunconv">
- <term><command>grpunconv</command></term>
- <listitem>
- <para>Updates <filename>/etc/group</filename> from
- <filename>/etc/gshadow</filename> and then deletes the latter</para>
- <indexterm zone="ch-system-shadow grpunconv">
- <primary sortas="b-grpunconv">grpunconv</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="lastlog">
- <term><command>lastlog</command></term>
- <listitem>
- <para>Reports the most recent login of all users or of a
- given user</para>
- <indexterm zone="ch-system-shadow lastlog">
- <primary sortas="b-lastlog">lastlog</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="login">
- <term><command>login</command></term>
- <listitem>
- <para>Is used by the system to let users sign on</para>
- <indexterm zone="ch-system-shadow login">
- <primary sortas="b-login">login</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="logoutd">
- <term><command>logoutd</command></term>
- <listitem>
- <para>Is a daemon used to enforce restrictions on log-on time
- and ports</para>
- <indexterm zone="ch-system-shadow logoutd">
- <primary sortas="b-logoutd">logoutd</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="newgidmap">
- <term><command>newgidmap</command></term>
- <listitem>
- <para>Is used to set the gid mapping of a user namespace</para>
- <indexterm zone="ch-system-shadow newgidmap">
- <primary sortas="b-newgidmap">newgidmap</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="newgrp">
- <term><command>newgrp</command></term>
- <listitem>
- <para>Is used to change the current GID during a login session</para>
- <indexterm zone="ch-system-shadow newgrp">
- <primary sortas="b-newgrp">newgrp</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="newuidmap">
- <term><command>newuidmap</command></term>
- <listitem>
- <para>Is used to set the uid mapping of a user namespace</para>
- <indexterm zone="ch-system-shadow newuidmap">
- <primary sortas="b-newuidmap">newuidmap</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="newusers">
- <term><command>newusers</command></term>
- <listitem>
- <para>Is used to create or update an entire series of user
- accounts</para>
- <indexterm zone="ch-system-shadow newusers">
- <primary sortas="b-newusers">newusers</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="nologin">
- <term><command>nologin</command></term>
- <listitem>
- <para>Displays a message that an account is not available; it is designed
- to be used as the default shell for accounts that have been
- disabled</para>
- <indexterm zone="ch-system-shadow nologin">
- <primary sortas="b-nologin">nologin</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="passwd">
- <term><command>passwd</command></term>
- <listitem>
- <para>Is used to change the password for a user or group account</para>
- <indexterm zone="ch-system-shadow passwd">
- <primary sortas="b-passwd">passwd</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="pwck">
- <term><command>pwck</command></term>
- <listitem>
- <para>Verifies the integrity of the password files
- <filename>/etc/passwd</filename> and
- <filename>/etc/shadow</filename></para>
- <indexterm zone="ch-system-shadow pwck">
- <primary sortas="b-pwck">pwck</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="pwconv">
- <term><command>pwconv</command></term>
- <listitem>
- <para>Creates or updates the shadow password file from the normal
- password file</para>
- <indexterm zone="ch-system-shadow pwconv">
- <primary sortas="b-pwconv">pwconv</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="pwunconv">
- <term><command>pwunconv</command></term>
- <listitem>
- <para>Updates <filename>/etc/passwd</filename> from
- <filename>/etc/shadow</filename> and then deletes the latter</para>
- <indexterm zone="ch-system-shadow pwunconv">
- <primary sortas="b-pwunconv">pwunconv</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="sg">
- <term><command>sg</command></term>
- <listitem>
- <para>Executes a given command while the user's GID
- is set to that of the given group</para>
- <indexterm zone="ch-system-shadow sg">
- <primary sortas="b-sg">sg</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="su">
- <term><command>su</command></term>
- <listitem>
- <para>Runs a shell with substitute user and group IDs</para>
- <indexterm zone="ch-system-shadow su">
- <primary sortas="b-su">su</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="useradd">
- <term><command>useradd</command></term>
- <listitem>
- <para>Creates a new user with the given name, or updates the default
- new-user information</para>
- <indexterm zone="ch-system-shadow useradd">
- <primary sortas="b-useradd">useradd</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="userdel">
- <term><command>userdel</command></term>
- <listitem>
- <para>Deletes the given user account</para>
- <indexterm zone="ch-system-shadow userdel">
- <primary sortas="b-userdel">userdel</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="usermod">
- <term><command>usermod</command></term>
- <listitem>
- <para>Is used to modify the given user's login name, User
- Identification (UID), shell, initial group, home directory, etc.</para>
- <indexterm zone="ch-system-shadow usermod">
- <primary sortas="b-usermod">usermod</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="vigr">
- <term><command>vigr</command></term>
- <listitem>
- <para>Edits the <filename>/etc/group</filename> or
- <filename>/etc/gshadow</filename> files</para>
- <indexterm zone="ch-system-shadow vigr">
- <primary sortas="b-vigr">vigr</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- <varlistentry id="vipw">
- <term><command>vipw</command></term>
- <listitem>
- <para>Edits the <filename>/etc/passwd</filename> or
- <filename>/etc/shadow</filename> files</para>
- <indexterm zone="ch-system-shadow vipw">
- <primary sortas="b-vipw">vipw</primary>
- </indexterm>
- </listitem>
- </varlistentry>
- </variablelist>
- </sect2>
- </sect1>
|