lfs/master
1
0
Fork 0
mirror of https://github.com/LCTT/LFS-BOOK-7.7-systemd.git synced 2026-01-14 00:49:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0579374b40b8b2be2314f7f361da154094de64e6
master/chapter06/shadow.html
wxy 6a56597c87 修正打印 css 位置错误 
原文有误
2015-05-23 18:50:06 +08:00

791 lines
28 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content=
"application/xhtml+xml; charset=utf-8" />
<title>
6.25.&nbsp;Shadow-4.2.1
</title>
<link rel="stylesheet" type="text/css" href="../stylesheets/lfs.css" />
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1" />
<link rel="stylesheet" href="../stylesheets/lfs-print.css" type="text/css"
media="print" />
</head>
<body class="lfs" id="lfs-7.7-systemd">
<div class="navheader">
<h4>
Linux From Scratch - Version 7.7-systemd
</h4>
<h3>
第六章&nbsp;安装基本的系统软件
</h3>
<ul>
<li class="prev">
<a accesskey="p" href="sed.html" title="Sed-4.2.2">上一页</a>
<p>
Sed-4.2.2
</p>
</li>
<li class="next">
<a accesskey="n" href="psmisc.html" title="Psmisc-22.21">下一页</a>
<p>
Psmisc-22.21
</p>
</li>
<li class="up">
<a accesskey="u" href="chapter06.html" title=
"第六章&nbsp;安装基本的系统软件">返回</a>
</li>
<li class="home">
<a accesskey="h" href="../index.html" title=
"Linux From Scratch - Version 7.7-systemd">主页</a>
</li>
</ul>
</div>
<div class="wrap" lang="en" xml:lang="en">
<h1 class="sect1">
<a id="ch-system-shadow" name="ch-system-shadow"></a>6.25.
Shadow-4.2.1
</h1>
<div class="package" lang="en" xml:lang="en">
<p>
Shadow 软件包包含以安全方式处理密码的程序。
</p>
<div class="segmentedlist">
<div class="seglistitem">
<div class="seg">
<strong class="segtitle">大概编译时间:</strong>
<span class="segbody">0.2 SBU</span>
</div>
<div class="seg">
<strong class="segtitle">需要磁盘空间:</strong>
<span class="segbody">52 MB</span>
</div>
</div>
</div>
</div>
<div class="installation" lang="en" xml:lang="en">
<h2 class="sect2">
6.25.1. 安装 Shadow
</h2>
<div class="admon note">
<img alt="[Note]" src="../images/note.png" />
<h3>
注意
</h3>
<p>
如果你喜欢强制使用更强的密码,在编译 Shadow 之前可以根据 <a class="ulink" href=
"http://www.linuxfromscratch.org/blfs/view/systemd/postlfs/cracklib.html">
http://www.linuxfromscratch.org/blfs/view/systemd/postlfs/cracklib.html</a>
安装 CrackLib。然后在下面的 <span class="command"><strong>configure</strong></span>
命令中增加 <em class="parameter"><code>--with-libcrack</code></em>
</p>
</div>
<p>
取消安装 <span class=
"command"><strong>groups</strong></span> 程序以及它的 man 文档,
因为 Coreutils 提供了一个更好的版本:
</p>
<pre class="userinput">
<kbd class="command">sed -i 's/groups$(EXEEXT) //' src/Makefile.in
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;</kbd>
</pre>
<p>
<a id="shadow-login_defs" name="shadow-login_defs"></a>比起默认的
<span class="emphasis"><em>crypt</em></span> 方法,用更安全的
<span class=
"emphasis"><em>SHA-512</em></span> 方法加密密码,它允许密码长度
超过 8 个字符。也需要把 Shadow 默认使用的用户邮箱由陈旧的
<code class=
"filename">/var/spool/mail</code> 位置改为正在使用的<code class=
"filename">/var/mail</code> 位置:
</p>
<pre class="userinput">
<kbd class=
"command">sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
-e 's@/var/spool/mail@/var/mail@' etc/login.defs</kbd>
</pre>
<div class="admon note">
<img alt="[Note]" src="../images/note.png" />
<h3>
注意
</h3>
<p>
如果你选择编译支持 Cracklib 的 Shadow运行下面的命令
</p>
<pre class="userinput">
<kbd class=
"command">sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</kbd>
</pre>
</div>
<p>
做个小的改动使默认的 useradd 和 LFS 组文件一致:
</p>
<pre class="userinput">
<kbd class="command">sed -i 's/1000/999/' etc/useradd</kbd>
</pre>
<p>
准备编译 Shadow
</p>
<pre class="userinput">
<kbd class=
"command">./configure --sysconfdir=/etc --with-group-name-max-length=32</kbd>
</pre>
<div class="variablelist">
<p class="title">
<strong>配置选项的含义:</strong>
</p>
<dl class="variablelist">
<dt>
<span class="term"><em class=
"parameter"><code>--with-group-name-max-length=32</code></em></span>
</dt>
<dd>
<p>
最长用户名为 32 个字符。使组名称也一样。
</p>
</dd>
</dl>
</div>
<p>
编译软件包:
</p>
<pre class="userinput">
<kbd class="command">make</kbd>
</pre>
<p>
该软件包没有测试套件。
</p>
<p>
安装软件包:
</p>
<pre class="userinput">
<kbd class="command">make install</kbd>
</pre>
<p>
移动错误位置的程序到正确的位置:
</p>
<pre class="userinput">
<kbd class="command">mv -v /usr/bin/passwd /bin</kbd>
</pre>
</div>
<div class="configuration" lang="en" xml:lang="en">
<h2 class="sect2">
<a id="conf-shadow" name="conf-shadow"></a>6.25.2. 配置 Shadow
</h2>
<p>
该软件包包含增加、更改、以及删除用户和组的工具;设置和修改密码;
进行其它特权级任务。软件包解压后的 <code class="filename">doc/HOWTO</code>
文件有关于 <span class=
"emphasis"><em>password shadowing</em></span> 的完整解释。如果使用
Shadow 支持,记住需要验证密码(显示管理器、FTP 程序、pop3 守护进程,等)的程序必须和 Shadow 兼容。
也就是说,它们要能使用 Shadow 加密的密码。
</p>
<p>
运行下面的命令启用 shadow 密码;
</p>
<pre class="userinput">
<kbd class="command">pwconv</kbd>
</pre>
<p>
运行下面的命令启用shadow 组密码:
</p>
<pre class="userinput">
<kbd class="command">grpconv</kbd>
</pre>
<p>
用于 <span class=
"command"><strong>useradd</strong></span> 工具的 Shadow 配置有一些需要解释的
注意事项。首先,<span class="command"><strong>useradd</strong></span> 工具
的默认操作是创建用户以及和用户名相同的组。默认用户 ID(UID) 和 组 ID(GID) 数字
从 1000开始。这意味着如果你不传递参数给 <span class=
"command"><strong>useradd</strong></span>,系统中的每个用户都会属于一个不同的组。
如果不需要这样的结果,你需要传递参数 <em class=
"parameter"><code>-g</code></em><span class=
"command"><strong>useradd</strong></span>。默认参数保存在 <code class=
"filename">/etc/default/useradd</code> 文件中。你需要修改该文件中的两个参数来实现你的
特定需求。
</p>
<div class="variablelist">
<p class="title">
<strong><code class="filename">/etc/default/useradd</code>
参数解释</strong>
</p>
<dl class="variablelist">
<dt>
<span class="term"><em class=
"parameter"><code>GROUP=1000</code></em></span>
</dt>
<dd>
<p>
该参数设定 /etc/group 文件中使用的起始组序号。你可以把它更改
为任何你需要的数字。注意 <span class=
"command"><strong>useradd</strong></span> 永远不会重用 UID 或 GID。
如果该参数指定的数字已经被使用了,会使用它之后的下一个可用数字。
另外注意如果你系统中没有序号为 1000 的组,第一次使用<span class=
"command"><strong>useradd</strong></span> 而没有参数 <em class="parameter"><code>-g</code></em>
你会在终端中看到一个提示信息:
<code class="computeroutput">useradd: unknown GID
1000</code>。你可以忽视这个信息然后就会使用组号 1000。
</p>
</dd>
<dt>
<span class="term"><em class=
"parameter"><code>CREATE_MAIL_SPOOL=yes</code></em></span>
</dt>
<dd>
<p>
这个参数会为 <span class=
"command"><strong>useradd</strong></span> 新添加的用户
创建邮箱文件。<span class=
"command"><strong>useradd</strong></span> 会使组 <code class=
"systemitem">mail</code> 拥有该文件的所有权,并赋予组 0660 的权限。
如果你希望 <span class="command"><strong>useradd</strong></span>
不会创建这些邮箱文件,你可以运行下面的命令:
</p>
<pre class="userinput">
<kbd class="command">sed -i 's/yes/no/' /etc/default/useradd</kbd>
</pre>
</dd>
</dl>
</div>
</div>
<div class="configuration" lang="en" xml:lang="en">
<h2 class="sect2">
6.25.3. 设置 root 密码
</h2>
<p>
运行下面的命令为用户 <span class=
"emphasis"><em>root</em></span> 设置密码:
</p>
<pre class="userinput">
<kbd class="command">passwd root</kbd>
</pre>
</div>
<div class="content" lang="en" xml:lang="en">
<h2 class="sect2">
<a id="contents-shadow" name="contents-shadow"></a>6.25.4. Shadow 的内容
</h2>
<div class="segmentedlist">
<div class="seglistitem">
<div class="seg">
<strong class="segtitle">安装的程序:</strong>
<span class="segbody">chage, chfn, chgpasswd, chpasswd, chsh,
expiry, faillog, gpasswd, groupadd, groupdel, groupmems,
groupmod, grpck, grpconv, grpunconv, lastlog, login, logoutd,
newgrp, newusers, nologin, passwd, pwck, pwconv, pwunconv, sg
(link to newgrp), su, useradd, userdel, usermod, vigr (link to
vipw), 以及 vipw</span>
</div>
<div class="seg">
<strong class="segtitle">安装目录:</strong>
<span class="segbody">/etc/default</span>
</div>
</div>
</div>
<div class="variablelist">
<h3>
简要介绍
</h3>
<table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top" />
<col />
</colgroup>
<tbody>
<tr>
<td>
<p>
<a id="chage" name="chage"></a><span class=
"term"><span class=
"command"><strong>chage</strong></span></span>
</p>
</td>
<td>
<p>
用来更改强制性密码更新的最大天数
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="chfn" name="chfn"></a><span class=
"term"><span class=
"command"><strong>chfn</strong></span></span>
</p>
</td>
<td>
<p>
用来更改用户的完整名称以及其它信息
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="chgpasswd" name="chgpasswd"></a><span class=
"term"><span class=
"command"><strong>chgpasswd</strong></span></span>
</p>
</td>
<td>
<p>
用来以批处理模式更新组密码
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="chpasswd" name="chpasswd"></a><span class=
"term"><span class=
"command"><strong>chpasswd</strong></span></span>
</p>
</td>
<td>
<p>
用来以批处理模式更新用户密码
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="chsh" name="chsh"></a><span class=
"term"><span class=
"command"><strong>chsh</strong></span></span>
</p>
</td>
<td>
<p>
用来更改用户登录时默认使用的 shell
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="expiry" name="expiry"></a><span class=
"term"><span class=
"command"><strong>expiry</strong></span></span>
</p>
</td>
<td>
<p>
检查并强制执行当前密码过期策略
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="faillog" name="faillog"></a><span class=
"term"><span class=
"command"><strong>faillog</strong></span></span>
</p>
</td>
<td>
<p>
用来检查登录失败的日志文件,设置锁定用户的最大失败次数,
或者重置失败次数
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="gpasswd" name="gpasswd"></a><span class=
"term"><span class=
"command"><strong>gpasswd</strong></span></span>
</p>
</td>
<td>
<p>
用来给组增加、删除成员以及管理员
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="groupadd" name="groupadd"></a><span class=
"term"><span class=
"command"><strong>groupadd</strong></span></span>
</p>
</td>
<td>
<p>
用指定的名称创建组
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="groupdel" name="groupdel"></a><span class=
"term"><span class=
"command"><strong>groupdel</strong></span></span>
</p>
</td>
<td>
<p>
用指定的名称删除组
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="groupmems" name="groupmems"></a><span class=
"term"><span class=
"command"><strong>groupmems</strong></span></span>
</p>
</td>
<td>
<p>
允许用户管理他/她自己的组成员列表而不需要超级用户权限。
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="groupmod" name="groupmod"></a><span class=
"term"><span class=
"command"><strong>groupmod</strong></span></span>
</p>
</td>
<td>
<p>
用于更改指定组的名称或 GID
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="grpck" name="grpck"></a><span class=
"term"><span class=
"command"><strong>grpck</strong></span></span>
</p>
</td>
<td>
<p>
验证组文件<code class=
"filename">/etc/group</code><code class=
"filename">/etc/gshadow</code> 的完整性
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="grpconv" name="grpconv"></a><span class=
"term"><span class=
"command"><strong>grpconv</strong></span></span>
</p>
</td>
<td>
<p>
从普通组文件创建或升级 shadow 组文件
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="grpunconv" name="grpunconv"></a><span class=
"term"><span class=
"command"><strong>grpunconv</strong></span></span>
</p>
</td>
<td>
<p>
<code class="filename">/etc/gshadow</code> 升级
<code class="filename">/etc/group</code> 然后删除前者
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="lastlog" name="lastlog"></a><span class=
"term"><span class=
"command"><strong>lastlog</strong></span></span>
</p>
</td>
<td>
<p>
报告所有用户或指定用户的最近一次登录
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="login" name="login"></a><span class=
"term"><span class=
"command"><strong>login</strong></span></span>
</p>
</td>
<td>
<p>
系统用于允许用户登录
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="logoutd" name="logoutd"></a><span class=
"term"><span class=
"command"><strong>logoutd</strong></span></span>
</p>
</td>
<td>
<p>
用于强制限制登录时间和端口的守护进程
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="newgrp" name="newgrp"></a><span class=
"term"><span class=
"command"><strong>newgrp</strong></span></span>
</p>
</td>
<td>
<p>
用于在一次登录会话中更改当前 GID
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="newusers" name="newusers"></a><span class=
"term"><span class=
"command"><strong>newusers</strong></span></span>
</p>
</td>
<td>
<p>
用于创建或更新整个系列的用户账户
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="nologin" name="nologin"></a><span class=
"term"><span class=
"command"><strong>nologin</strong></span></span>
</p>
</td>
<td>
<p>
显示账户不可用信息;设计来作为不可用账户登录的默认 shell
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="passwd" name="passwd"></a><span class=
"term"><span class=
"command"><strong>passwd</strong></span></span>
</p>
</td>
<td>
<p>
用来更改用户或组账户的密码
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="pwck" name="pwck"></a><span class=
"term"><span class=
"command"><strong>pwck</strong></span></span>
</p>
</td>
<td>
<p>
验证密码文件 <code class=
"filename">/etc/passwd</code><code class=
"filename">/etc/shadow</code> 的完整性
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="pwconv" name="pwconv"></a><span class=
"term"><span class=
"command"><strong>pwconv</strong></span></span>
</p>
</td>
<td>
<p>
从普通密码文件创建或升级 shadow 密码文件
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="pwunconv" name="pwunconv"></a><span class=
"term"><span class=
"command"><strong>pwunconv</strong></span></span>
</p>
</td>
<td>
<p>
<code class="filename">/etc/shadow</code> 升级
<code class="filename">/etc/passwd</code> 然后删除前者
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="sg" name="sg"></a><span class="term"><span class=
"command"><strong>sg</strong></span></span>
</p>
</td>
<td>
<p>
当用户的 GID 被设置为指定组的 GID 时执行一个特定命令
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="su" name="su"></a><span class="term"><span class=
"command"><strong>su</strong></span></span>
</p>
</td>
<td>
<p>
用替换的用户和组 ID 运行 Shell
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="useradd" name="useradd"></a><span class=
"term"><span class=
"command"><strong>useradd</strong></span></span>
</p>
</td>
<td>
<p>
用指定的名称新建用户或更新新用户的默认信息
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="userdel" name="userdel"></a><span class=
"term"><span class=
"command"><strong>userdel</strong></span></span>
</p>
</td>
<td>
<p>
删除指定的用户账户
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="usermod" name="usermod"></a><span class=
"term"><span class=
"command"><strong>usermod</strong></span></span>
</p>
</td>
<td>
<p>
用于更改指定用户的登录名称、UID、shell、初始组、home 目录,等
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="vigr" name="vigr"></a><span class=
"term"><span class=
"command"><strong>vigr</strong></span></span>
</p>
</td>
<td>
<p>
编辑 <code class="filename">/etc/group</code>
<code class="filename">/etc/gshadow</code> 文件
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="vipw" name="vipw"></a><span class=
"term"><span class=
"command"><strong>vipw</strong></span></span>
</p>
</td>
<td>
<p>
编辑 <code class="filename">/etc/passwd</code>
<code class="filename">/etc/shadow</code> 文件
</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="navfooter">
<div class="book">
<div class="titlepage">
<div class="author">
<span class="firstname">翻译团队:<a href="http://lctt.github.io/" target="_blank">LCTT</a></span>
<span class="surname">译者/校对:<a href="http://github.com/ictlyh" target="_blank">ictlyh</a>,</span>
</div>
</div>
</div>
<ul>
<li class="prev">
<a accesskey="p" href="sed.html" title="Sed-4.2.2">上一页</a>
<p>
Sed-4.2.2
</p>
</li>
<li class="next">
<a accesskey="n" href="psmisc.html" title="Psmisc-22.21">下一页</a>
<p>
Psmisc-22.21
</p>
</li>
<li class="up">
<a accesskey="u" href="chapter06.html" title=
"第六章&nbsp;安装基本的系统软件">返回</a>
</li>
<li class="home">
<a accesskey="h" href="../index.html" title=
"Linux From Scratch - Version 7.7-systemd">主页</a>
</li>
</ul>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink