lfs-book-zh_CN/chapter06/shadow.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../general.ent">
  %general-entities;
]>

<sect1 id="ch-system-shadow" role="wrap">
  <?dbhtml filename="shadow.html"?>

  <sect1info condition="script">
    <productname>shadow</productname>
    <productnumber>&shadow-version;</productnumber>
    <address>&shadow-url;</address>
  </sect1info>

  <title>Shadow-&shadow-version;</title>

  <indexterm zone="ch-system-shadow">
    <primary sortas="a-Shadow">Shadow</primary>
  </indexterm>

  <sect2 role="package">
    <title/>

    <para>Shadow 软件包包含安全地处理密码的程序。</para>

    <segmentedlist>
      <segtitle>&buildtime;</segtitle>
      <segtitle>&diskspace;</segtitle>

      <seglistitem>
        <seg>&shadow-ch6-sbu;</seg>
        <seg>&shadow-ch6-du;</seg>
      </seglistitem>
    </segmentedlist>

  </sect2>

  <sect2 role="installation">
    <title>安装 Shadow</title>

    <note>
      <para>如果您希望强制使用强密码，参考
      <ulink url="&blfs-book;postlfs/cracklib.html"/> 以在构建 Shadow 前安装
	  CrackLib，然后为下面的 <command>configure</command> 命令附加
      <parameter>--with-libcrack</parameter> 参数。</para>
    </note>

    <para>禁止该软件包安装 <command>groups</command>
    程序和它的 man 页面，因为 Coreutils 会提供更好的版本。
	同样，避免安装 <xref linkend="ch-system-man-pages"/>
	软件包已经提供的 man 页面：</para>

<screen><userinput remap="pre">sed -i 's/groups$(EXEEXT) //' src/Makefile.in
find man -name Makefile.in -exec sed -i 's/groups\.1 / /'   {} \;
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;</userinput></screen>

    <para id="shadow-login_defs"> 不使用默认的
    <emphasis>crypt</emphasis> 加密方法，使用更安全的
    <emphasis>SHA-512</emphasis> 方法加密密码，
    该方法也允许长度超过 8 个字符的密码。另外，还需要把 Shadow
	默认使用的用户邮箱位置
	<filename class="directory">/var/spool/mail</filename>
	改为当前普遍使用的 <filename class="directory">/var/mail</filename>
    目录：</para>

<screen><userinput remap="pre">sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
       -e 's@/var/spool/mail@/var/mail@' etc/login.defs</userinput></screen>

    <note>
      <para>如果您选择构建有 Cracklib 支持的 Shadow，执行以下命令：</para>

<screen role="nodump"><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
    </note>

    <para>进行微小的改动，使 useradd 使用 1000 作为第一个组编号：</para>

<screen><userinput remap="pre">sed -i 's/1000/999/' etc/useradd</userinput></screen>

    <para>准备安装 Shadow：</para>

<screen><userinput remap="configure">./configure --sysconfdir=/etc --with-group-name-max-length=32</userinput></screen>

    <variablelist>
      <title>配置选项的含义：</title>

      <varlistentry>
        <term><parameter>--with-group-name-max-length=32</parameter></term>
        <listitem>
          <para>最长用户名可以有 32 个字符，设定组名称最大长度为相同值。
          </para>
        </listitem>
      </varlistentry>

    </variablelist>

    <para>编译该软件包：</para>

<screen><userinput remap="make">make</userinput></screen>

    <para>该软件包不包含测试套件。</para>

    <para>安装该软件包：</para>

<screen><userinput remap="install">make install</userinput></screen>

    <para>将一个安装位置不正确的程序移动到正确位置：</para>

<screen><userinput remap="install">mv -v /usr/bin/passwd /bin</userinput></screen>

    <!-- <para>Move Shadow's libraries to more appropriate locations:</para>

<screen><userinput remap="install">mv -v /lib/libshadow.*a /usr/lib
rm -v /lib/libshadow.so
ln -sfv ../../lib/libshadow.so.0 /usr/lib/libshadow.so</userinput></screen> -->

  </sect2>

  <sect2 id="conf-shadow" role="configuration">
    <title>配置 Shadow</title>

    <indexterm zone="conf-shadow">
      <primary sortas="a-Shadow">Shadow</primary>
      <secondary>configuring</secondary>
    </indexterm>

    <!--para>This package contains utilities to add, modify, and delete users and
    groups; set and change their passwords; and perform other administrative
    tasks. For a full explanation of what <emphasis>password shadowing</emphasis>
    means, see the <filename>doc/HOWTO</filename> file within the unpacked
    source tree. If using Shadow support, keep in mind that programs which need
    to verify passwords (display managers, FTP programs, pop3 daemons, etc.)
    must be Shadow-compliant. That is, they need to be able to work with
    shadowed passwords.</para-->
    <para>该软件包包含用于添加、修改、删除用户和组，设定和修改它们的密码，
		以及进行其他管理任务的工具。如果希望查阅关于
		<emphasis>password shadowing</emphasis> 的详细解释，
		阅读解压得到源代码目录树中的 <filename>doc/HOWTO</filename>
		文件。如果使用 Shadow 支持，记住所有需要验证密码的程序
		（如显示管理器、FTP 程序、pop3 守护进程等）都必须和 Shadow
		兼容。换句话说，它们必须能使用 Shadow 加密的密码。</para>
	<note><title>译注</title>
		<para>大多数 Linux 程序要么本身支持 Shadow，要么通过 Linux PAM
			支持 Shadow。为了提高安全性，建议启用 Shadow 加密。
		</para>
	</note>

    <para>执行以下命令，对用户密码启用 Shadow 加密：</para>

<screen><userinput>pwconv</userinput></screen>

    <para>执行命令，对组密码启用 Shadow 加密：</para>

<screen><userinput>grpconv</userinput></screen>

    <!--para>Shadow's stock configuration for the <command>useradd</command>
    utility has a few caveats that need some explanation. First, the default
    action for the <command>useradd</command> utility is to create the user and
    a group of the same name as the user. By default the user ID (UID) and
    group ID (GID) numbers will begin with 1000. This means if you don't pass
    parameters to <command>useradd</command>, each user will be a member of a
    unique group on the system. If this behavior is undesirable, you'll need
    to pass the <parameter>-g</parameter> parameter to
    <command>useradd</command>. The default parameters are stored in the
    <filename>/etc/default/useradd</filename> file. You may need to modify two
    parameters in this file to suit your particular needs.</para-->
    <para>Shadow 为 <command>useradd</command>
        提供的配置文件有一些需要解释的事项。首先，<command>useradd</command>
		的默认操作是创建一个用户，以及一个名字和用户名相同的组。
		默认情况下，用户 ID （UID）和组 ID （GID）会从 1000 开始。
		这意味着，如果您不向 <command>useradd</command> 传递参数，
		每个用户都会属于一个不同的组。如果您不希望这样，
		就要向 <command>useradd</command> 传递 <parameter>-g</parameter>
		参数。默认参数保存在 <filename>/etc/default/useradd</filename>
		文件中，您可以编辑其中的两个参数，以满足您的特定需求：
	</para>

    <variablelist>
      <title><filename>/etc/default/useradd</filename> 参数解释</title>

      <varlistentry>
        <term><parameter>GROUP=1000</parameter></term>
        <listitem>
          <!--para>This parameter sets the beginning of the group numbers used in
          the /etc/group file. You can modify it to anything you desire. Note
          that <command>useradd</command> will never reuse a UID or GID. If the
          number identified in this parameter is used, it will use the next
          available number after this. Note also that if you don't have a group
          1000 on your system the first time you use <command>useradd</command>
          without the <parameter>-g</parameter> parameter, you'll get a message
          displayed on the terminal that says:
          <computeroutput>useradd: unknown GID 1000</computeroutput>. You may
          disregard this message and group number 1000 will be used.</para-->
          <para>该参数设定 /etc/group 文件中使用的第一个组编号，
			  您可以将它修改为您希望的任何值。注意
			  <command>useradd</command> 绝不会重用 UID 或 GID，
			  如果该参数指定的数字已经被使用了，它就会使用下一个可用的数字。
			  另外，如果在您第一次不加 <parameter>-g</parameter>
			  参数使用 <command>useradd</command> 时没有编号 1000 的组，
			  您就会在终端看到一条消息：
			  <computeroutput>useradd: unknown GID 1000</computeroutput>。
			  您可以忽略这条消息，它会使用组编号 1000 。</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><parameter>CREATE_MAIL_SPOOL=yes</parameter></term>
        <listitem>
          <!--para>This parameter causes <command>useradd</command> to create a
          mailbox file for the newly created user. <command>useradd</command>
          will make the group ownership of this file to the
          <systemitem class="groupname">mail</systemitem> group with 0660
          permissions. If you would prefer that these mailbox files are not
          created by <command>useradd</command>, issue the following
          command:</para-->
          <para>该参数使得 <command>useradd</command>
			  为新创建的用户建立邮箱文件。<command>useradd</command>
			  会使得 <systemitem class="groupname">mail</systemitem>
			  为拥有该文件的组，并为文件赋予 0660 权限码。
			  如果您不希望 <command>useradd</command> 创建这些邮箱文件，
			  执行以下命令：</para>

<screen><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
        </listitem>
      </varlistentry>

    </variablelist>


  </sect2>

  <sect2 role="configuration">
    <title>设定 root 密码</title>

	<para>为用户 <emphasis>root</emphasis> 选择一个密码，
		并执行以下命令设定它：</para>

<screen role="nodump"><userinput>passwd root</userinput></screen>

  </sect2>

  <sect2 id="contents-shadow" role="content">
    <title>Shadow 的内容</title>

    <segmentedlist>
      <segtitle>安装的程序</segtitle>
      <segtitle>安装的目录</segtitle>

      <seglistitem>
        <seg>chage, chfn, chgpasswd, chpasswd, chsh, expiry, faillog, gpasswd,
        groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv,
        lastlog, login, logoutd, newgidmap, newgrp, newuidmap, newusers,
        nologin, passwd, pwck, pwconv, pwunconv, sg (到 newgrp的链接), su,
        useradd, userdel, usermod, vigr (到 vipw 的链接), 以及 vipw</seg>
        <seg>/etc/default</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">简要描述</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="chage">
        <term><command>chage</command></term>
        <listitem>
          <para>用于修改强制性密码更新的最大天数</para>
          <indexterm zone="ch-system-shadow chage">
            <primary sortas="b-chage">chage</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="chfn">
        <term><command>chfn</command></term>
        <listitem>
          <para>用于修改用户全名和其他信息</para>
          <indexterm zone="ch-system-shadow chfn">
            <primary sortas="b-chfn">chfn</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="chgpasswd">
        <term><command>chgpasswd</command></term>
        <listitem>
          <para>用于批量更新组密码</para>
          <indexterm zone="ch-system-shadow chgpasswd">
            <primary sortas="b-chgpasswd">chgpasswd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="chpasswd">
        <term><command>chpasswd</command></term>
        <listitem>
          <para>用于批量更新用户密码</para>
          <indexterm zone="ch-system-shadow chpasswd">
            <primary sortas="b-chpasswd">chpasswd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="chsh">
        <term><command>chsh</command></term>
        <listitem>
          <para>用于改变用户的默认登录 shell</para>
          <indexterm zone="ch-system-shadow chsh">
            <primary sortas="b-chsh">chsh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="expiry">
        <term><command>expiry</command></term>
        <listitem>
          <para>检查并强制当前密码过期策略</para>
          <indexterm zone="ch-system-shadow expiry">
            <primary sortas="b-expiry">expiry</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="faillog">
        <term><command>faillog</command></term>
        <listitem>
          <para>用于检查失败登录日志，设定锁定账户的最大失败次数，
          或重置失败次数</para>
          <indexterm zone="ch-system-shadow faillog">
            <primary sortas="b-faillog">faillog</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="gpasswd">
        <term><command>gpasswd</command></term>
        <listitem>
          <para>用于增加或删除组的用户和管理员</para>
          <indexterm zone="ch-system-shadow gpasswd">
            <primary sortas="b-gpasswd">gpasswd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="groupadd">
        <term><command>groupadd</command></term>
        <listitem>
          <para>以指定名称创建组</para>
          <indexterm zone="ch-system-shadow groupadd">
            <primary sortas="b-groupadd">groupadd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="groupdel">
        <term><command>groupdel</command></term>
        <listitem>
          <para>删除指定的组</para>
          <indexterm zone="ch-system-shadow groupdel">
            <primary sortas="b-groupdel">groupdel</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="groupmems">
        <term><command>groupmems</command></term>
        <listitem>
          <para>在不需要超级用户权限的情况下，
          	  允许用户管理自己的组成员列表</para>
          <indexterm zone="ch-system-shadow groupmems">
            <primary sortas="b-groupmems">groupmems</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="groupmod">
        <term><command>groupmod</command></term>
        <listitem>
          <para>用于修改给定的组名称或 GID</para>
          <indexterm zone="ch-system-shadow groupmod">
            <primary sortas="b-groupmod">groupmod</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="grpck">
        <term><command>grpck</command></term>
        <listitem>
          <para>验证组文件
          <filename>/etc/group</filename> 和
          <filename>/etc/gshadow</filename> 的完整性</para>
          <indexterm zone="ch-system-shadow grpck">
            <primary sortas="b-grpck">grpck</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="grpconv">
        <term><command>grpconv</command></term>
        <listitem>
          <para>根据普通组文件创建或更新加密组文件</para>
          <indexterm zone="ch-system-shadow grpconv">
            <primary sortas="b-grpconv">grpconv</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="grpunconv">
        <term><command>grpunconv</command></term>
        <listitem>
          <para>根据 <filename>/etc/gshadow</filename> 文件更新
          <filename>/etc/gshadow</filename> 文件，并删除前者</para>
          <indexterm zone="ch-system-shadow grpunconv">
            <primary sortas="b-grpunconv">grpunconv</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="lastlog">
        <term><command>lastlog</command></term>
        <listitem>
          <para>报告所有用户或给定用户最后一次登录的信息</para>
          <indexterm zone="ch-system-shadow lastlog">
            <primary sortas="b-lastlog">lastlog</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="login">
        <term><command>login</command></term>
        <listitem>
          <para>被系统用于允许用户登录</para>
          <indexterm zone="ch-system-shadow login">
            <primary sortas="b-login">login</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="logoutd">
        <term><command>logoutd</command></term>
        <listitem>
          <para>是一个限制登录时间和端口的守护进程</para>
          <indexterm zone="ch-system-shadow logoutd">
            <primary sortas="b-logoutd">logoutd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="newgidmap">
        <term><command>newgidmap</command></term>
        <listitem>
          <para>用于设定一个用户命名空间的 gid 映射</para>
          <indexterm zone="ch-system-shadow newgidmap">
            <primary sortas="b-newgidmap">newgidmap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="newgrp">
        <term><command>newgrp</command></term>
        <listitem>
          <para>用于在登录会话中修改当前 GID</para>
          <indexterm zone="ch-system-shadow newgrp">
            <primary sortas="b-newgrp">newgrp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="newuidmap">
        <term><command>newuidmap</command></term>
        <listitem>
          <para>用于设定用户命名空间的 uid 映射</para>
          <indexterm zone="ch-system-shadow newuidmap">
            <primary sortas="b-newuidmap">newuidmap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="newusers">
        <term><command>newusers</command></term>
        <listitem>
          <para>用于批量创建或更新用户账户</para>
          <indexterm zone="ch-system-shadow newusers">
            <primary sortas="b-newusers">newusers</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="nologin">
        <term><command>nologin</command></term>
        <listitem>
          <para>显示一条账户不可用的消息，
          	  它被设计为用来当作被禁用的账户的默认 shell</para>
          <indexterm zone="ch-system-shadow nologin">
            <primary sortas="b-nologin">nologin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="passwd">
        <term><command>passwd</command></term>
        <listitem>
          <para>用于修改用户或组账户的密码</para>
          <indexterm zone="ch-system-shadow passwd">
            <primary sortas="b-passwd">passwd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="pwck">
        <term><command>pwck</command></term>
        <listitem>
          <para>检验密码文件
          <filename>/etc/passwd</filename> 和
          <filename>/etc/shadow</filename> 的完整性</para>
          <indexterm zone="ch-system-shadow pwck">
            <primary sortas="b-pwck">pwck</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="pwconv">
        <term><command>pwconv</command></term>
        <listitem>
          <para>从普通密码文件创建或更新加密密码文件</para>
          <indexterm zone="ch-system-shadow pwconv">
            <primary sortas="b-pwconv">pwconv</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="pwunconv">
        <term><command>pwunconv</command></term>
        <listitem>
          <para>根据 <filename>/etc/shadow</filename> 更新
          <filename>/etc/shadow</filename> 并删除前者</para>
          <indexterm zone="ch-system-shadow pwunconv">
            <primary sortas="b-pwunconv">pwunconv</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sg">
        <term><command>sg</command></term>
        <listitem>
          <para>在用户 GID 设为给定组 ID 的情况下，执行给定命令</para>
          <indexterm zone="ch-system-shadow sg">
            <primary sortas="b-sg">sg</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="su">
        <term><command>su</command></term>
        <listitem>
          <para>用替换的用户和组 ID 运行 shell</para>
          <indexterm zone="ch-system-shadow su">
            <primary sortas="b-su">su</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="useradd">
        <term><command>useradd</command></term>
        <listitem>
          <para>以指定名称创建新用户，或更新新用户默认信息</para>
          <indexterm zone="ch-system-shadow useradd">
            <primary sortas="b-useradd">useradd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="userdel">
        <term><command>userdel</command></term>
        <listitem>
          <para>删除给定用户</para>
          <indexterm zone="ch-system-shadow userdel">
            <primary sortas="b-userdel">userdel</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="usermod">
        <term><command>usermod</command></term>
        <listitem>
          <para>修改给定用户的登录名称、用户 ID、shell、初始组、
          home 目录等信息</para>
          <indexterm zone="ch-system-shadow usermod">
            <primary sortas="b-usermod">usermod</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="vigr">
        <term><command>vigr</command></term>
        <listitem>
          <para>编辑 <filename>/etc/group</filename> 或
          <filename>/etc/gshadow</filename> 文件</para>
          <indexterm zone="ch-system-shadow vigr">
            <primary sortas="b-vigr">vigr</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="vipw">
        <term><command>vipw</command></term>
        <listitem>
          <para>编辑 <filename>/etc/passwd</filename> 或
          <filename>/etc/shadow</filename> 文件</para>
          <indexterm zone="ch-system-shadow vipw">
            <primary sortas="b-vipw">vipw</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>