lfs-book/chapter06/shadow.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../general.ent">
  %general-entities;
]>
<sect1 id="ch-system-shadow" xreflabel="Shadow" role="wrap">
<title>Shadow-&shadow-version;</title>
<?dbhtml filename="shadow.html"?>

<indexterm zone="ch-system-shadow"><primary sortas="a-Shadow">Shadow</primary></indexterm>

<sect2 role="package"><title/>
<para>The Shadow package contains programs for handling passwords in a secure
way.</para>

<segmentedlist>
<segtitle>&buildtime;</segtitle>
<segtitle>&diskspace;</segtitle>
<seglistitem><seg>0.4 SBU</seg><seg>11 MB</seg></seglistitem>
</segmentedlist>

<segmentedlist>
<segtitle>Shadow installation depends on</segtitle>
<seglistitem><seg>Bash, Binutils, Bison, Coreutils,
Diffutils, GCC, Gettext, Glibc, Grep, Make, Sed</seg></seglistitem>
</segmentedlist>
</sect2>

<sect2 role="installation">
<title>Installation of Shadow</title>

<para>Prepare Shadow for compilation:</para>

<screen><userinput>./configure --libdir=/lib --enable-shared</userinput></screen>

<para>Compile the package:</para>

<screen><userinput>make</userinput></screen>

<para>Then install it:</para>

<screen><userinput>make install</userinput></screen>

<para>Shadow uses two files to configure authentication settings for the
system. Install these two config files:</para>

<screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen>

<para>Instead of using the default <emphasis>crypt</emphasis> method, we want
to use the more secure <emphasis>MD5</emphasis> method of password encryption,
which also allows passwords longer than 8 characters. We also need to
change the obsolete <filename class="directory">/var/spool/mail</filename>
location for user mailboxes that Shadow uses by default to the <filename 
class="directory">/var/mail</filename> location used currently. We accomplish
both these things by changing the relevant configuration file while copying it
to its destination (it's probably better to cut-and-paste this rather than try
and type it all in):</para>

<screen><userinput>sed -e's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
    -e 's@/var/spool/mail@/var/mail@' \
    &lt; etc/login.defs.linux &gt; /etc/login.defs</userinput></screen>

<para>Move some misplaced symlinks/programs to their proper locations:</para>

<screen><userinput>mv /usr/bin/passwd /bin</userinput></screen>

<para>And move Shadow's static library to a more appropriate location:</para>

<screen><userinput>mv /lib/libshadow.*a /usr/lib</userinput></screen>

<para>As some packages expect to find the libraries in
<filename class="directory">/usr/lib</filename>, create the following symlinks:</para>

<screen><userinput>rm /lib/libshadow.so
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen>

<para>The <parameter>-D</parameter> option of the <command>useradd</command> program requires this
directory for it to work properly:</para>

<screen><userinput>mkdir /etc/default</userinput></screen>

<para>Coreutils has already installed a better <command>groups</command>
program in <filename class="directory">/usr/bin</filename>. Remove the one
installed by Shadow:</para>

<screen><userinput>rm /bin/groups</userinput></screen>

</sect2>


<sect2 id="conf-shadow" role="configuration"><title>Configuring Shadow</title>
<indexterm zone="conf-shadow">
<primary sortas="a-Shadow">Shadow</primary>
<secondary>configuring</secondary></indexterm>

<para>This package contains utilities to add, modify and delete users and
groups, set and change their passwords, and other such administrative tasks.
For a full explanation of what <emphasis>password shadowing</emphasis> means,
see the <filename>doc/HOWTO</filename> file within the unpacked source tree.
There's one thing to keep in mind if you decide to use Shadow support: programs
that need to verify passwords (display managers, ftp programs, pop3 daemons,
and the like) need to be <emphasis>shadow-compliant</emphasis>, that is they
need to be able to work with shadowed passwords.</para>

<para>To enable shadowed passwords, run the following command:</para>

<screen><userinput>pwconv</userinput></screen>

<para>To enable shadowed group passwords, run:</para>

<screen><userinput>grpconv</userinput></screen>

<para>Under normal circumstances, you won't have created any passwords yet.
However, if returning to this section later to enable shadowing, you should
reset any current user passwords with the <command>passwd</command> command or
any group passwords with the <command>gpasswd</command> command.</para>

</sect2>


<sect2 role="configuration">
<title>Setting the root password</title>

<para>Choose a password for user root and set it via:</para>

<screen><userinput>passwd root</userinput></screen>

</sect2>


<sect2 id="contents-shadow" role="content"><title>Contents of Shadow</title>

<segmentedlist>
<segtitle>Installed programs</segtitle>
<seglistitem><seg>chage, chfn, chpasswd, chsh, expiry, faillog, gpasswd,
groupadd, groupdel, groupmod, groups, grpck, grpconv, grpunconv, lastlog, login,
logoutd, mkpasswd, newgrp, newusers, passwd, pwck, pwconv, pwunconv, sg
(link to newgrp), useradd, userdel, usermod, vigr (link to vipw) and vipw</seg>
</seglistitem>
</segmentedlist>

<variablelist><title>Short descriptions</title>

<varlistentry id="chage">
<term><command>chage</command></term>
<listitem>
<indexterm zone="ch-system-shadow chage"><primary sortas="b-chage">chage</primary></indexterm>
<para>is used to change the maximum number of
days between obligatory password changes.</para>
</listitem>
</varlistentry>

<varlistentry id="chfn">
<term><command>chfn</command></term>
<listitem>
<indexterm zone="ch-system-shadow chfn"><primary sortas="b-chfn">chfn</primary></indexterm>
<para>is used to change a user's full name and some other info.</para>
</listitem>
</varlistentry>

<varlistentry id="chpasswd">
<term><command>chpasswd</command></term>
<listitem>
<indexterm zone="ch-system-shadow chpasswd"><primary sortas="b-chpasswd">chpasswd</primary></indexterm>
<para>is used to update the passwords of a
whole series of user accounts in one go.</para>
</listitem>
</varlistentry>

<varlistentry id="chsh">
<term><command>chsh</command></term>
<listitem>
<indexterm zone="ch-system-shadow chsh"><primary sortas="b-chsh">chsh</primary></indexterm>
<para>is used to change a user's default  login shell.</para>
</listitem>
</varlistentry>

<varlistentry id="expiry">
<term><command>expiry</command></term>
<listitem>
<indexterm zone="ch-system-shadow expiry"><primary sortas="b-expiry">expiry</primary></indexterm>
<para>checks and enforces the current password expiration policy.</para>
</listitem>
</varlistentry>

<varlistentry id="faillog">
<term><command>faillog</command></term>
<listitem>
<indexterm zone="ch-system-shadow faillog"><primary sortas="b-faillog">faillog</primary></indexterm>
<para>is used to examine the log of login failures, to set a maximum number of 
failures before an account is blocked, or to reset the failure count.</para>
</listitem>
</varlistentry>

<varlistentry id="gpasswd">
<term><command>gpasswd</command></term>
<listitem>
<indexterm zone="ch-system-shadow gpasswd"><primary sortas="b-gpasswd">gpasswd</primary></indexterm>
<para>is used to add and delete members and administrators to groups.</para>
</listitem>
</varlistentry>

<varlistentry id="groupadd">
<term><command>groupadd</command></term>
<listitem>
<indexterm zone="ch-system-shadow groupadd"><primary sortas="b-groupadd">groupadd</primary></indexterm>
<para>creates a group with the given name.</para>
</listitem>
</varlistentry>

<varlistentry id="groupdel">
<term><command>groupdel</command></term>
<listitem>
<indexterm zone="ch-system-shadow groupdel"><primary sortas="b-groupdel">groupdel</primary></indexterm>
<para>deletes the group with the given name.</para>
</listitem>
</varlistentry>

<varlistentry id="groupmod">
<term><command>groupmod</command></term>
<listitem>
<indexterm zone="ch-system-shadow groupmod"><primary sortas="b-groupmod">groupmod</primary></indexterm>
<para>is used to modify the given group's name or GID.</para>
</listitem>
</varlistentry>

<varlistentry id="groups">
<term><command>groups</command></term>
<listitem>
<indexterm zone="ch-system-shadow groups"><primary sortas="b-groups">groups</primary></indexterm>
<para>reports the groups of which the given users are members.</para>
</listitem>
</varlistentry>

<varlistentry id="grpck">
<term><command>grpck</command></term>
<listitem>
<indexterm zone="ch-system-shadow grpck"><primary sortas="b-grpck">grpck</primary></indexterm>
<para>verifies the integrity of the group files, <filename>/etc/group</filename> 
and <filename>/etc/gshadow</filename>.</para>
</listitem>
</varlistentry>

<varlistentry id="grpconv">
<term><command>grpconv</command></term>
<listitem>
<indexterm zone="ch-system-shadow grpconv"><primary sortas="b-grpconv">grpconv</primary></indexterm>
<para>creates or updates the shadow group file from the normal group file.</para>
</listitem>
</varlistentry>

<varlistentry id="grpunconv">
<term><command>grpunconv</command></term>
<listitem>
<indexterm zone="ch-system-shadow grpunconv"><primary sortas="b-grpunconv">grpunconv</primary></indexterm>
<para>updates <filename>/etc/group</filename>
from <filename>/etc/gshadow</filename> and then deletes the latter.</para>
</listitem>
</varlistentry>

<varlistentry id="lastlog">
<term><command>lastlog</command></term>
<listitem>
<indexterm zone="ch-system-shadow lastlog"><primary sortas="b-lastlog">lastlog</primary></indexterm>
<para>reports the most recent login of all users, or of a given user.</para>
</listitem>
</varlistentry>

<varlistentry id="login">
<term><command>login</command></term>
<listitem>
<indexterm zone="ch-system-shadow login"><primary sortas="b-login">login</primary></indexterm>
<para>is used by the system to let users sign on.</para>
</listitem>
</varlistentry>

<varlistentry id="logoutd">
<term><command>logoutd</command></term>
<listitem>
<indexterm zone="ch-system-shadow logoutd"><primary sortas="b-logoutd">logoutd</primary></indexterm>
<para>is a daemon used to enforce restrictions on log-on time and ports.</para>
</listitem>
</varlistentry>

<varlistentry id="mkpasswd">
<term><command>mkpasswd</command></term>
<listitem>
<indexterm zone="ch-system-shadow mkpasswd"><primary sortas="b-mkpasswd">mkpasswd</primary></indexterm>
<para>encrypts the given password using the also given perturbation.</para>
</listitem>
</varlistentry>

<varlistentry id="newgrp">
<term><command>newgrp</command></term>
<listitem>
<indexterm zone="ch-system-shadow newgrp"><primary sortas="b-newgrp">newgrp</primary></indexterm>
<para>is used to change the current GID during a login session.</para>
</listitem>
</varlistentry>

<varlistentry id="newusers">
<term><command>newusers</command></term>
<listitem>
<indexterm zone="ch-system-shadow newusers"><primary sortas="b-newusers">newusers</primary></indexterm>
<para>is used to create or update a whole series of user accounts in one go.</para>
</listitem>
</varlistentry>

<varlistentry id="passwd">
<term><command>passwd</command></term>
<listitem>
<indexterm zone="ch-system-shadow passwd"><primary sortas="b-passwd">passwd</primary></indexterm>
<para>is used to change the password for a user or group account.</para>
</listitem>
</varlistentry>

<varlistentry id="pwck">
<term><command>pwck</command></term>
<listitem>
<indexterm zone="ch-system-shadow pwck"><primary sortas="b-pwck">pwck</primary></indexterm>
<para>verifies the integrity of the password files, 
<filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>.</para>
</listitem>
</varlistentry>

<varlistentry id="pwconv">
<term><command>pwconv</command></term>
<listitem>
<indexterm zone="ch-system-shadow pwconv"><primary sortas="b-pwconv">pwconv</primary></indexterm>
<para>creates or updates the shadow password file
from the normal password file.</para>
</listitem>
</varlistentry>

<varlistentry id="pwunconv">
<term><command>pwunconv</command></term>
<listitem>
<indexterm zone="ch-system-shadow pwunconv"><primary sortas="b-pwunconv">pwunconv</primary></indexterm>
<para>updates <filename>/etc/passwd</filename>
from <filename>/etc/shadow</filename> and then deletes the latter.</para>
</listitem>
</varlistentry>

<varlistentry id="sg">
<term><command>sg</command></term>
<listitem>
<indexterm zone="ch-system-shadow sg"><primary sortas="b-sg">sg</primary></indexterm>
<para>executes a given command while the user's GID
is set to that of the given group.</para>
</listitem>
</varlistentry>

<varlistentry id="su">
<term><command>su</command></term>
<listitem>
<indexterm zone="ch-system-shadow su"><primary sortas="b-su">su</primary></indexterm>
<para>runs a shell with substitute user and group IDs.</para>
</listitem>
</varlistentry>

<varlistentry id="useradd">
<term><command>useradd</command></term>
<listitem>
<indexterm zone="ch-system-shadow useradd"><primary sortas="b-useradd">useradd</primary></indexterm>
<para>creates a new user with the given name,
or updates the default new-user information.</para>
</listitem>
</varlistentry>

<varlistentry id="userdel">
<term><command>userdel</command></term>
<listitem>
<indexterm zone="ch-system-shadow userdel"><primary sortas="b-userdel">userdel</primary></indexterm>
<para>deletes the given user account.</para>
</listitem>
</varlistentry>

<varlistentry id="usermod">
<term><command>usermod</command></term>
<listitem>
<indexterm zone="ch-system-shadow usermod"><primary sortas="b-usermod">usermod</primary></indexterm>
<para>is used to modify the given user's login name, UID (User Identification), 
shell, initial group, home directory, and the like.</para>
</listitem>
</varlistentry>

<varlistentry id="vigr">
<term><command>vigr</command></term>
<listitem>
<indexterm zone="ch-system-shadow vigr"><primary sortas="b-vigr">vigr</primary></indexterm>
<para>can be used to edit the <filename>/etc/group</filename> or 
<filename>/etc/gshadow</filename> files.</para>
</listitem>
</varlistentry>

<varlistentry id="vipw">
<term><command>vipw</command></term>
<listitem>
<indexterm zone="ch-system-shadow vipw"><primary sortas="b-vipw">vipw</primary></indexterm>
<para>can be used to edit the <filename>/etc/passwd</filename> or 
<filename>/etc/shadow</filename> files.</para>
</listitem>
</varlistentry>

<varlistentry id="libmisc">
<term><filename class="libraryfile">libmisc</filename></term>
<listitem>
<indexterm zone="ch-system-shadow libmisc"><primary sortas="c-libmisc">libmisc</primary></indexterm>
<para>...</para>
</listitem>
</varlistentry>

<varlistentry id="libshadow">
<term><filename class="libraryfile">libshadow</filename></term>
<listitem>
<indexterm zone="ch-system-shadow libshadow"><primary sortas="c-libshadow">libshadow</primary></indexterm>
<para>contains functions used by most programs in this package.</para>
</listitem>
</varlistentry>
</variablelist>

</sect2>

</sect1>