r4897 - in trunk/BOOK: introduction/welcome postlfs/security

randy at linuxfromscratch.org
Mon Aug 8 17:14:31 PDT 2005


Author: randy
Date: 2005-08-08 18:14:30 -0600 (Mon, 08 Aug 2005)
New Revision: 4897

Modified:
   trunk/BOOK/introduction/welcome/changelog.xml
   trunk/BOOK/postlfs/security/shadow.xml
Log:
Modified the Shadow instructions so that configuration errors do not appear when testing the new configuration

Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml	2005-08-08 22:44:12 UTC (rev 4896)
+++ trunk/BOOK/introduction/welcome/changelog.xml	2005-08-09 00:14:30 UTC (rev 4897)
@@ -25,6 +25,12 @@
   <itemizedlist>
 
     <listitem>
+      <para>August 8th, 2005 [randy]: Modified the Shadow instructions so
+      that builders will not receive configuration errors during the testing
+      recommended by the warning note.</para>
+    </listitem>
+
+    <listitem>
       <para>August 8th, 2005 [randy]: Added instructions to install patches
       to Ruby and NASM that fix security vulnerabilities discovered in both
       packages, thanks to Ken Moffat for the suggestions.</para>
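Review bot: The new changelog entry at the top of the list states what the change achieves but not what was changed. The same commit moves the /etc/login.defs section ahead of the /etc/pam.d/ files and adds a /etc/login.defs.orig backup; naming those in the entry would let changelog readers find the affected instructions.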

Modified: trunk/BOOK/postlfs/security/shadow.xml
===================================================================
--- trunk/BOOK/postlfs/security/shadow.xml	2005-08-08 22:44:12 UTC (rev 4896)
+++ trunk/BOOK/postlfs/security/shadow.xml	2005-08-09 00:14:30 UTC (rev 4897)
@@ -117,8 +117,9 @@
     <sect3 id="pam.d">
       <title>Config Files</title>
 
-      <para><filename>/etc/pam.d/*</filename>, or alternatively,
-      <filename>/etc/pam.conf</filename></para>
+      <para><filename>/etc/pam.d/*</filename> or alternatively
+      <filename>/etc/pam.conf, /etc/login.defs and
+      /etc/security/*</filename></para>
 
       <indexterm zone="shadow pam.d">
         <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
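Review bot: In the rewritten Config Files para, a single <filename> element now wraps three paths ("/etc/pam.conf, /etc/login.defs and /etc/security/*"), and with the commas around "or alternatively" dropped the sentence reads as if /etc/login.defs and /etc/security/* were alternatives to /etc/pam.d/*. Give each path its own <filename> element and keep "or alternatively" scoped to /etc/pam.conf only.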
@@ -128,17 +129,69 @@
         <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
       </indexterm>
 
+      <indexterm zone="shadow pam.d">
+        <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
+      </indexterm>
+
+      <indexterm zone="shadow pam.d">
+        <primary sortas="e-etc-security">/etc/security/*</primary>
+      </indexterm>
+
     </sect3>
 
     <sect3>
       <title>Configuration Information</title>
 
-      <para>Add the following <application>Linux-PAM</application> configuration
-      files to <filename class="directory">/etc/pam.d/</filename> (or add them
-      to <filename>/etc/pam.conf</filename> with the additional field for
-      the program).</para>
+      <sect4 id="pam-login-defs">
+        <title>Configuring /etc/login.defs</title>
 
+        <para>The <command>login</command> program currently performs many
+        functions which <application>Linux-PAM</application> modules should
+        now handle. The following <command>sed</command> command will comment
+        out the appropriate lines in <filename>/etc/login.defs</filename>, and
+        stop <command>login</command> from performing these functions (a backup
+        file named <filename>/etc/login.defs.orig</filename> is also created
+        to preserve the original file's contents):</para>
+
+        <indexterm zone="shadow pam-login-defs">
+          <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
+        </indexterm>
+
+<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &&
+for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
+                PORTTIME_CHECKS_ENAB CONSOLE \
+                MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
+                SU_WHEEL_ONLY MD5_CRYPT_ENAB \
+                CONSOLE_GROUPS ENVIRON_FILE \
+                ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
+                ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
+                CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE
+do
+    sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
+done</userinput></screen>
+
+        <para>If you have <application>CrackLib</application> installed,
+        also comment out four more lines using the following command:</para>
+
+<screen role="root"><userinput>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
+                PASS_CHANGE_TRIES PASS_ALWAYS_WARN
+do
+    sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
+done</userinput></screen>
+
+      </sect4>
+
       <sect4>
+        <title>Configuring the /etc/pam.d/ Files</title>
+
+        <para>Add the following <application>Linux-PAM</application> configuration
+        files to <filename class="directory">/etc/pam.d/</filename> (or add them
+        to <filename>/etc/pam.conf</filename> with the additional field for
+        the program).</para>
+
+      </sect4>
+
+      <sect4>
         <title>'login' (with CrackLib)</title>
 
 <screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
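Review bot: In the new pam-login-defs screen block, "install -v -m644 /etc/login.defs /etc/login.defs.orig" runs unconditionally, so repeating the block replaces the backup with the already commented-out file, and the later warning relies on that backup for recovery. Consider creating it only when /etc/login.defs.orig does not yet exist. Two smaller points: the para attributes the backup to the sed command although install creates it, and "s/^$FUNCTION/# &/" matches by prefix (CONSOLE also hits CONSOLE_GROUPS), which is harmless with this list but would be tighter if the pattern required whitespace after the name.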
@@ -266,14 +319,16 @@
         <warning>
           <para>At this point, you should do a simple test to see if
           <application>Shadow</application> is working as expected. Open
-          another term and log in as a user, then <command>su</command> to
+          another terminal and log in as a user, then <command>su</command> to
           <systemitem class="username">root</systemitem>. If you do not see any
           errors, then all is well and you should proceed with the rest of the
           configuration. If you did receive errors, stop now and double check
           the above configuration files manually.  If you cannot find and
           fix the error, you should recompile <application>Shadow</application>
           replacing <option>--with-libpam</option> with
-          <option>--without-libpam</option> in the above instructions. If you
+          <option>--without-libpam</option> in the above instructions (also move
+          the <filename>/etc/login.defs.orig</filename> backup file to
+          <filename>/etc/login.defs</filename>). If you
           fail to do this and the errors remain, you will be unable to log into
           your system.</para>
         </warning>
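Review bot: The restore step added to the warning is a parenthetical with no command, placed after "in the above instructions", so it is easy to miss at the one point where the text says a mistake leaves the builder unable to log in. Since the earlier loop comments out the settings for functions that login performs itself, state the restore as its own sentence and give the explicit command in a <screen role="root"> block.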
@@ -347,42 +402,6 @@
 
       </sect4>
 
-      <sect4 id="pam-login-defs">
-        <title>Configuring /etc/login.defs</title>
-
-        <para>The <command>login</command> program currently performs many
-        functions which <application>Linux-PAM</application> modules should
-        now handle. The following command will comment out the appropriate
-        lines in <filename>/etc/login.defs</filename>, and stop
-        <command>login</command> from performing these functions:</para>
-
-        <indexterm zone="shadow pam-login-defs">
-          <primary sortas="e-etc-login.defs">/etc/login.defs</primary>
-        </indexterm>
-
-<screen role="root"><userinput>for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
-                PORTTIME_CHECKS_ENAB CONSOLE \
-                MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
-                SU_WHEEL_ONLY MD5_CRYPT_ENAB \
-                CONSOLE_GROUPS ENVIRON_FILE \
-                ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
-                ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
-                CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE
-do
-    sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
-done</userinput></screen>
-
-        <para>If you have <application>CrackLib</application> installed,
-        also comment out four more lines using the following command:</para>
-
-<screen role="root"><userinput>for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
-                PASS_CHANGE_TRIES PASS_ALWAYS_WARN
-do
-    sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
-done</userinput></screen>
-
-      </sect4>
-
     </sect3>
 
   </sect2>



