Beyond Linux From Scratch - Version 6.2.0

Chapter 4. Security

Shadow-4.0.15

Introduction to Shadow

Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed CrackLib or Linux-PAM after your LFS system was completed. If you have installed CrackLib after LFS, then reinstalling Shadow will enable strong password support. If you have installed Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM.

Package Information

Shadow Dependencies

Required

Linux-PAM-0.99.4.0 and/or CrackLib-2.8.9

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/shadow

Installation of Shadow

[Important]

Important

The installation shown below is for a situation where Linux-PAM has been installed (with or without a CrackLib installation) and Shadow is being reinstalled to support the Linux-PAM installation. If you are reinstalling Shadow to provide strong password support via the CrackLib library and you have not installed Linux-PAM, ensure you add the --with-libcrack parameter to the configure script below.

Reinstall Shadow by running the following commands: 

./configure --libdir=/lib \
            --enable-shared \
            --without-selinux &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
find man -name Makefile -exec sed -i '/groups/d' {} \; &&
sed -i -e 's/ ko//' \
       -e 's/ zh_CN zh_TW//' \
    man/Makefile &&

for i in de es fi fr id it pt_BR; do
    convert-mans UTF-8 ISO-8859-1 man/${i}/*.?
done &&

for i in cs hu pl; do
    convert-mans UTF-8 ISO-8859-2 man/${i}/*.?
done &&

convert-mans UTF-8 EUC-JP man/ja/*.? &&
convert-mans UTF-8 KOI8-R man/ru/*.? &&
convert-mans UTF-8 ISO-8859-9 man/tr/*.? &&

make

This package does not come with a test suite.

Now, as the root user: 

make install &&
mv -v /usr/bin/passwd /bin &&
mv -v /lib/libshadow.*a /usr/lib &&
rm -v /lib/libshadow.so &&
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so

Command Explanations

--without-selinux: Support for selinux is enabled by default, but selinux is not built in a base LFS system. The configure script will fail if this option is not used.

sed -i 's/groups$(EXEEXT) //' src/Makefile: This command is used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.

find man -name Makefile -exec ... {} \;: This command is used to suppress the installation of the groups man pages so the existing ones installed from the Coreutils package are not replaced.

sed -i -e '...' -e '...' man/Makefile: This command disables the installation of Chinese and Korean manual pages, since Man-DB cannot format them properly.

convert-mans ...: These commands are used to convert some of the man pages so that Man-DB will display them in the expected encodings.

mv -v /usr/bin/passwd /bin: The passwd program may be needed during times when the /usr filesystem is not mounted so it is moved into the root partition.

mv -v ...; rm -v ...; ln -v ...: These commands are used to move the libshadow library to the root partition to support the moving of the passwd program earlier.

Configuring Linux-PAM to Work with Shadow

[Note]

Note

The rest of this page is devoted to configuring Shadow to work properly with Linux-PAM. If you do not have Linux-PAM installed, and you reinstalled Shadow to support strong passwords via the CrackLib library, no further configuration is required.

Config Files

/etc/pam.d/* or alternatively /etc/pam.conf, /etc/login.defs and /etc/security/*

Configuration Information

Configuring your system to use Linux-PAM can be a complex task. The information below will provide a basic setup so that Shadow's login and password functionality will work effectively with Linux-PAM. Review the information and links on the Linux-PAM-0.99.4.0 page for further configuration information. For information specific to integrating Shadow, Linux-PAM and CrackLib, you can visit the following links:

Configuring /etc/login.defs

The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents). Issue the following commands as the root user: 

install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
                PORTTIME_CHECKS_ENAB CONSOLE \
                MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
                SU_WHEEL_ONLY MD5_CRYPT_ENAB \
                CONSOLE_GROUPS ENVIRON_FILE \
                ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
                ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
                CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE \
                OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
                PASS_CHANGE_TRIES PASS_ALWAYS_WARN
do
    sed -i "s/^$FUNCTION/# &/" /etc/login.defs
done
Configuring the /etc/pam.d/ Files

As mentioned previously in the Linux-PAM instructions, Linux-PAM has two supported methods for configuration. The commands below assume that you've chosen to use a directory based configuration, where each program has its own configuration file. You can optionally use a single /etc/pam.conf configuration file by using the text from the files below, and supplying the program name as an additional first field for each line.

As the root user, create the /etc/pam.d directory with the following command: 

install -v -d -m755 /etc/pam.d

While still the root user, add the following Linux-PAM configuration files to the /etc/pam.d/ directory (or add the contents to the /etc/pam.conf file) with the following commands:

'login' (with CrackLib) 
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_env.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
                                            dcredit=3 ocredit=3 \
                                            ucredit=2 lcredit=2
password    required       pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/login
EOF
'login' (without CrackLib) 
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_unix.so      md5 shadow

# End /etc/pam.d/login
EOF
'passwd' (with CrackLib) 
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
                                            dcredit=3  ocredit=3 \
                                            ucredit=2  lcredit=2
password    required       pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/passwd
EOF
'passwd' (without CrackLib) 
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password    required       pam_unix.so      md5 shadow

# End /etc/pam.d/passwd
EOF
'su' 
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     optional        pam_mail.so     dir=/var/mail standard
session     required        pam_env.so
session     required        pam_unix.so

# End /etc/pam.d/su
EOF
'chage' 
cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/chage
EOF
'chpasswd', 'newusers', 'groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', and 'usermod' 
for PROGRAM in chpasswd newusers groupadd groupdel \
               groupmod useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done
[Warning]

Warning

At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. You can also run the test suite from the Linux-PAM package to assist you in determining the problem. If you cannot find and fix the error, you should recompile Shadow replacing --with-libpam with --without-libpam in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.

Other

Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required: 

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
session     required        pam_deny.so
password    required        pam_deny.so
password    required        pam_warn.so

# End /etc/pam.d/other
EOF

If you preserved the source tree from the Linux-PAM package (or you feel like unpacking that tarball, then running configure and make), now would be a good time to run the test suite from this package. This test suite will use the configuration you just finished during the tests. All the tests should pass.

Configuring Login Access

Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command: 

if [ -f /etc/login.access ]; then
    mv -v /etc/login.access /etc/login.access.NOUSE
fi
Configuring Resource Limits

Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the pam_limits.so module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command: 

if [ -f /etc/limits ]; then
    mv -v /etc/limits /etc/limits.NOUSE
fi
Configuring Default Environment

During previous configuration, several items were removed from /etc/login.defs. Some of these items are now controlled by the pam_env.so module and the /etc/security/pam_env.conf configuration file. In particular, the default path has been changed. To recover your default path, execute the following commands: 

ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
    awk '{ print $2 }' | sed 's/PATH=//'` &&
echo 'PATH        DEFAULT='`echo "${ENV_PATH}"`\
'        OVERRIDE=${PATH}' \
    >> /etc/security/pam_env.conf &&
unset ENV_PATH
[Note]

Note

ENV_SUPATH is no longer supported. You must create a valid /root/.bashrc file to provide a modified path for the super-user.

Contents

A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/6.2/chapter06/shadow.html#contents-shadow.

Last updated on 2007-01-30 14:24:11 -0600