cvs commit: BLFS/BOOK/postlfs/security/shadow shadow-config.xml shadow-exp.xml shadow-inst.xml shadow.ent

larry at linuxfromscratch.org larry at linuxfromscratch.org
Sat Dec 7 07:24:45 PST 2002


larry       02/12/07 10:24:45

  Modified:    BOOK/introduction/welcome changelog.xml credits.xml
               BOOK/postlfs postlfs.ent
               BOOK/postlfs/security security.xml shadow.xml
  Added:       BOOK/postlfs/security/shadow shadow-config.xml
                        shadow-exp.xml shadow-inst.xml shadow.ent
  Log:
  added recompile of shadow to utilize PAM
  
  Revision  Changes    Path
  1.269     +3 -0      BLFS/BOOK/introduction/welcome/changelog.xml
  
  Index: changelog.xml
  ===================================================================
  RCS file: /home/cvsroot/BLFS/BOOK/introduction/welcome/changelog.xml,v
  retrieving revision 1.268
  retrieving revision 1.269
  diff -u -r1.268 -r1.269
  --- changelog.xml	6 Dec 2002 02:08:56 -0000	1.268
  +++ changelog.xml	7 Dec 2002 15:24:45 -0000	1.269
  @@ -10,6 +10,9 @@
   
   <itemizedlist>
   
  +<listitem><para>December 6th, 2002 [larry]: Postlfs: Add sections to
  +shadow to utilize PAM.</para></listitem>
  +
   <listitem><para>December 5th, 2002 [larry]: Postlfs: Updated to
   Linux-PAM-0.77.</para></listitem>
   
  
  
  
  1.90      +5 -1      BLFS/BOOK/introduction/welcome/credits.xml
  
  Index: credits.xml
  ===================================================================
  RCS file: /home/cvsroot/BLFS/BOOK/introduction/welcome/credits.xml,v
  retrieving revision 1.89
  retrieving revision 1.90
  diff -u -r1.89 -r1.90
  --- credits.xml	29 Nov 2002 23:51:35 -0000	1.89
  +++ credits.xml	7 Dec 2002 15:24:45 -0000	1.90
  @@ -87,7 +87,7 @@
   libgnomeui, libgtkhtml, libgtop, libIDL, libogg, librep, librsvg,
   libvorbis, libwnck, libxml2, libxslt, libzvt, linc, Lunux_PAM, MPlayer, mutt, nautilus, oaf,
   OpenSSH, ORBit, ORBit2, pan, Pango, pccts, pcre, pkgconfig, postfix,
  -procmail, Python, QT, rep-gtk, ruby, sawfish, scrollkeeper, unzip,
  +procmail, Python, QT, rep-gtk, ruby, sawfish, scrollkeeper, shadow, unzip,
   vorbis-tools, wget, XFce, xine, yelp and zip: <emphasis>Larry Lawrence</emphasis></para></listitem>
   
   <listitem><para>CDParanoia, mpg123, SDL and XMMS: <emphasis>Jeroen
  @@ -171,6 +171,10 @@
   <listitem><para><emphasis>Billy O'Connor</emphasis> for building gnome2
   so many times (I thought my four was a lot) and being very helpful with
   his comments on that section.</para></listitem>
  +
  +<listitem><para><emphasis>Ted Riley</emphasis> for writing the Linxu-PAM
  ++ CrackLib + Shadow hint on which reinstalling shadow to use PAM is
  +based.</para></listitem>
   
   </itemizedlist>
   </sect2>
  
  
  
  1.11      +2 -1      BLFS/BOOK/postlfs/postlfs.ent
  
  Index: postlfs.ent
  ===================================================================
  RCS file: /home/cvsroot/BLFS/BOOK/postlfs/postlfs.ent,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- postlfs.ent	2 Dec 2002 23:03:28 -0000	1.10
  +++ postlfs.ent	7 Dec 2002 15:24:45 -0000	1.11
  @@ -12,7 +12,6 @@
   
   <!-- Post-LFS Security -->
   <!ENTITY postlfs-security SYSTEM "security/security.xml">
  -<!ENTITY postlfs-security-shadow SYSTEM "security/shadow.xml">
   <!ENTITY % iptables SYSTEM "security/iptables/iptables.ent">
   %iptables;
   <!ENTITY % firewalling SYSTEM "security/firewalling/firewalling.ent">
  @@ -21,6 +20,8 @@
   <!ENTITY postlfs-security-tripwire SYSTEM "security/tripwire.xml">
   <!ENTITY % Linux_PAM SYSTEM "security/pam/linux_pam.ent">
   %Linux_PAM;
  +<!ENTITY % shadow SYSTEM "security/shadow/shadow.ent">
  +%shadow;
   <!ENTITY postlfs-security-syslog SYSTEM "security/syslog.xml">
   
   <!-- Filesystems -->
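Review bot: The new parameter entity `% shadow` on the added line shares its name with the general entity `shadow` that shadow.ent declares for `../shadow.xml`, so `%shadow;` here and `&shadow;` in security.xml resolve to two different files. XML keeps parameter and general entities in separate namespaces, so this parses, but the collision is easy to misread when tracing an include chain. A distinct name such as `<!ENTITY % shadow-ent SYSTEM "security/shadow/shadow.ent">` followed by `%shadow-ent;` would keep the two paths distinguishable.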
  
  
  
  1.3       +1 -1      BLFS/BOOK/postlfs/security/security.xml
  
  Index: security.xml
  ===================================================================
  RCS file: /home/cvsroot/BLFS/BOOK/postlfs/security/security.xml,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- security.xml	22 Sep 2002 16:01:27 -0000	1.2
  +++ security.xml	7 Dec 2002 15:24:45 -0000	1.3
  @@ -2,7 +2,7 @@
   <?dbhtml filename="security.html" dir="postlfs"?>
   <title>Security</title>
   
  -&postlfs-security-shadow;
  +&shadow;
   &iptables;
   &postlfs-security-fw;
   &postlfs-security-nessus;
  
  
  
  1.4       +4 -2      BLFS/BOOK/postlfs/security/shadow.xml
  
  Index: shadow.xml
  ===================================================================
  RCS file: /home/cvsroot/BLFS/BOOK/postlfs/security/shadow.xml,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- shadow.xml	9 Oct 2002 14:51:31 -0000	1.3
  +++ shadow.xml	7 Dec 2002 15:24:45 -0000	1.4
  @@ -1,4 +1,4 @@
  -<sect1 id="postlfs-security-shadow">
  +<sect1 id="shadow">
   <?dbhtml filename="shadow.html" dir="postlfs"?>
   <title>Configuring shadow</title>
   
  @@ -17,6 +17,8 @@
   <para>Passwords created after this change will be encrypted using MD5
   instead of using DES encryption.</para>
   
  -
  +&shadow-inst;
  +&shadow-exp;
  +&shadow-config;
   
   </sect1>
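Review bot: The paragraph just above the hunk states that passwords will now be MD5-encrypted after "this change" (presumably the login.defs setting earlier in the file, which is not visible here), while the newly included `&shadow-config;` later instructs the reader to comment out `MD5_CRYPT_ENAB` and rely on the `md5` option of pam_unix.so instead; read top to bottom the sect1 appears to reverse itself without saying why. A bridging sentence before the three includes, such as `<para>The following sections replace the login.defs settings above with their PAM equivalents.</para>`, would make the hand-off explicit. The enclosing sect1 starts outside this hunk.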
  
  
  
  1.1                  BLFS/BOOK/postlfs/security/shadow/shadow-config.xml
  
  Index: shadow-config.xml
  ===================================================================
  <sect2>
  <title>Configuring PAM to work with shadow</title>
  
  <sect3><title>Config files</title>
  <para><userinput>/etc/pam.d/login /etc/pam.d/passwd /etc/pam.d/su
  /etc/pam.d/shadow /etc/pam.d/useradd</userinput></para>
  </sect3>
  
  <sect3><title>Configuration Information</title>
  
  <para>Add the following PAM configuration files to
  <filename>/etc/pam.d</filename> (or add them to
  <filename>/etc/pam.conf</filename> with
  the additional field for the program).
  </para>
  <screen><userinput>cat > /etc/pam.d/login << "EOF"</userinput>
  # Begin /etc/pam.d/login
  
  auth        requisite      pam_securetty.so
  auth        requisite      pam_nologin.so
  auth        required       pam_env.so
  auth        required       pam_unix.so
  account     required       pam_access.so
  account     required       pam_unix.so
  session     required       pam_motd.so
  session     required       pam_limits.so
  session     optional       pam_mail.so     dir=/var/mail standard
  session     optional       pam_lastlog.so
  session     required       pam_unix.so
  
  # End /etc/pam.d/login
  <userinput>EOF
  cat > /etc/pam.d/other << "EOF"</userinput>
  # Begin /etc/pam.d/passwd
  
  password    required       pam_unix.so     md5 shadow use_authtok
  
  # End /etc/pam.d/passwd
  <userinput>EOF
  cat > /etc/pam.d/passwd << "EOF"</userinput>
  # Begin /etc/pam.d/shadow
  
  auth        sufficient      pam_rootok.so
  auth        required        pam_unix.so
  account     required        pam_unix.so
  session     required        pam_unix.so
  password    required        pam_permit.so
  
  # End /etc/pam.d/shadow
  <userinput>EOF
  cat > /etc/pam.d/su << "EOF"</userinput>
  # Begin /etc/pam.d/su
  
  auth        sufficient      pam_rootok.so
  auth        required        pam_unix.so
  account     required        pam_unix.so
  session     required        pam_unix.so
  
  # End /etc/pam.d/su
  <userinput>EOF
  cat > /etc/pam.d/useradd << "EOF"</userinput>
  # Begin /etc/pam.d/useradd
  
  auth        sufficient      pam_rootok.so
  auth        required        pam_unix.so
  account     required        pam_unix.so
  session     required        pam_unix.so
  password    required        pam_permit.so
  
  # End /etc/pam.d/useradd
  <userinput>EOF</userinput></screen>
  
  <para>Currently, <filename>/etc/pam.d/other</filename> is configured to
  allow anyone with an account on the machine to use programs
  that do not specifically have a configuration file of their own. After
  testing PAM for proper configuration, it can be changed to the
  following:</para>
  
  <screen><userinput>cat > /etc/pam.d/other << "EOF"</userinput>
  # Begin /etc/pam.d/other
  
  auth        required        pam_deny.so
  auth        required        pam_warn.so
  account     required        pam_deny.so
  session     required        pam_deny.so
  password    required        pam_deny.so
  password    required        pam_warn.so
  
  # End /etc/pam.d/other
  <userinput>EOF</userinput></screen>
  
  <para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
  to the beginning of the following lines:</para>
  <screen>DIALUPS_CHECK_ENAB
  LASTLOG_ENAB
  MAIL_CHECK_ENAB
  PORTTIME_CHECKS_ENAB
  CONSOLE
  MOTD_FILE
  NOLOGINS_FILE
  PASS_MIN_LEN
  SU_WHEEL_ONLY
  MD5_CRYPT_ENAB
  CONSOLE_GROUPS
  ENVIRON_FILE</screen>
  
  <para>This stops login from performing these functions, as they will now
  be performed by PAM modules.</para>
  
  </sect3>
  
  </sect2>
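Review bot: The heredoc targets `cat > /etc/pam.d/other << "EOF"` and `cat > /etc/pam.d/passwd << "EOF"` do not match the stacks that follow them (headed `# Begin /etc/pam.d/passwd` and `# Begin /etc/pam.d/shadow`) or the file list in the Config files sect3, so the password stack is written to /etc/pam.d/other and the shadow stack to /etc/pam.d/passwd, leaving passwd with only `pam_permit.so` in its password stack and /etc/pam.d/other with no auth, account or session lines; they should read `cat > /etc/pam.d/passwd << "EOF"` and `cat > /etc/pam.d/shadow << "EOF"`. Separately, `use_authtok` on the passwd password line tells pam_unix to take the new password from a previously stacked password module, and pam_unix is the only module in that stack here, so confirm that a standalone `passwd` run succeeds with it or drop the option until a strength-checking module (the hint this section is based on pairs it with CrackLib) precedes it. Commenting out `PASS_MIN_LEN` in login.defs while that stack has no strength module removes minimum password length enforcement altogether; the text should say so, or keep the setting until a checker is added. The final /etc/pam.d/other stack is the standard deny-then-warn arrangement and is fine as written.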
  
  
  
  
  1.1                  BLFS/BOOK/postlfs/security/shadow/shadow-exp.xml
  
  Index: shadow-exp.xml
  ===================================================================
  <sect2>
  <title>Command explanations</title>
  
  <para><userinput>cp debian/securetty /etc/securetty</userinput> : This
  command sets the tty's that allow logins through PAM.</para>
  
  </sect2>
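Review bot: The explanation of `cp debian/securetty /etc/securetty` overstates what the file does: /etc/securetty is read by pam_securetty.so (listed as requisite in the login stack in shadow-config.xml) and only restricts the terminals from which root may log in; ordinary users are not affected by it. Suggested wording: `This command installs the list of terminals from which root is permitted to log in, which pam_securetty.so consults.` It is also worth telling the reader to review the Debian-supplied list before installing it, since every terminal it names becomes an accepted root login path.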
  
  
  
  
  1.1                  BLFS/BOOK/postlfs/security/shadow/shadow-inst.xml
  
  Index: shadow-inst.xml
  ===================================================================
  <sect2>
  <title>Reinstallation of shadow to utilize PAM</title>
  
  <para>Reinstall shadow by running the following commands:</para>
  
  <para><screen><userinput>LDFLAGS="-lpam -lpam_misc" ./configure --prefix=/usr --enable-shared --with-libpam &&
  make &&
  make install &&
  rm /bin/vipw &&
  rm /bin/sg &&
  mv /lib/{libmisc.*a,libshadow.*a} /usr/lib &&
  cp debian/securetty /etc/securetty</userinput></screen></para>
  
  
  </sect2>
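Review bot: The `rm /bin/vipw`, `rm /bin/sg` and `mv /lib/{libmisc.*a,libshadow.*a} /usr/lib` steps have no entry in the Command explanations section, which covers only the securetty copy; a reader cannot tell whether the removals clear duplicates left by the earlier shadow install or serve some other purpose. Add one explanation per command in shadow-exp.xml, in the existing `<userinput>command</userinput> : reason` form, giving the actual reason, and mention that the brace expansion on the `mv` line needs bash. The `&&` chaining already ensures the removals are not reached if `make install` fails, which is the right order and could be stated.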
  
  
  
  
  1.1                  BLFS/BOOK/postlfs/security/shadow/shadow.ent
  
  Index: shadow.ent
  ===================================================================
  <!ENTITY shadow SYSTEM "../shadow.xml">
  <!ENTITY shadow-intro SYSTEM "shadow-intro.xml">
  <!ENTITY shadow-inst SYSTEM "shadow-inst.xml">
  <!ENTITY shadow-exp SYSTEM "shadow-exp.xml">
  <!ENTITY shadow-desc SYSTEM "shadow-desc.xml">
  <!ENTITY shadow-config SYSTEM "shadow-config.xml">
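Review bot: `shadow-intro` and `shadow-desc` are declared as SYSTEM entities for shadow-intro.xml and shadow-desc.xml, but neither file appears in this commit's Added list and shadow.xml references only `&shadow-inst;`, `&shadow-exp;` and `&shadow-config;`. An unreferenced external entity is not loaded, so the build will not fail today, but the first `&shadow-intro;` or `&shadow-desc;` reference will fail on a missing file; either drop the two declarations or add the files they point to. If they are placeholders for sections still to be written, a comment such as `<!-- shadow-intro.xml and shadow-desc.xml not yet written -->` would make that intent visible.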
  
  
  