lfs/master
1
0
Fork 0
mirror of https://github.com/LCTT/LFS-BOOK-7.7-systemd.git synced 2026-02-01 13:47:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
da9ee76fb3ee23cb9ea899cd9cf724fedc87dfdc
master/chapter06/shadow.html
wxy efa9c8bd8b 重新设置了页面字符集 
如有冲突,手工解决一下。
2015-04-23 00:48:01 +08:00

826 lines
29 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content=
"application/xhtml+xml; charset=utf-8" />
<title>
6.25.&nbsp;Shadow-4.2.1
</title>
<link rel="stylesheet" type="text/css" href="../stylesheets/lfs.css" />
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1" />
<link rel="stylesheet" href="stylesheets/lfs-print.css" type="text/css"
media="print" />
</head>
<body class="lfs" id="lfs-7.7-systemd">
<div class="navheader">
<h4>
Linux From Scratch - Version 7.7-systemd
</h4>
<h3>
Chapter&nbsp;6.&nbsp;Installing Basic System Software
</h3>
<ul>
<li class="prev">
<a accesskey="p" href="sed.html" title="Sed-4.2.2">Prev</a>
<p>
Sed-4.2.2
</p>
</li>
<li class="next">
<a accesskey="n" href="psmisc.html" title="Psmisc-22.21">Next</a>
<p>
Psmisc-22.21
</p>
</li>
<li class="up">
<a accesskey="u" href="chapter06.html" title=
"Chapter&nbsp;6.&nbsp;Installing Basic System Software">Up</a>
</li>
<li class="home">
<a accesskey="h" href="../index.html" title=
"Linux From Scratch - Version 7.7-systemd">Home</a>
</li>
</ul>
</div>
<div class="wrap" lang="en" xml:lang="en">
<h1 class="sect1">
<a id="ch-system-shadow" name="ch-system-shadow"></a>6.25.
Shadow-4.2.1
</h1>
<div class="package" lang="en" xml:lang="en">
<p>
The Shadow package contains programs for handling passwords in a
secure way.
</p>
<div class="segmentedlist">
<div class="seglistitem">
<div class="seg">
<strong class="segtitle">Approximate build time:</strong>
<span class="segbody">0.2 SBU</span>
</div>
<div class="seg">
<strong class="segtitle">Required disk space:</strong>
<span class="segbody">52 MB</span>
</div>
</div>
</div>
</div>
<div class="installation" lang="en" xml:lang="en">
<h2 class="sect2">
6.25.1. Installation of Shadow
</h2>
<div class="admon note">
<img alt="[Note]" src="../images/note.png" />
<h3>
Note
</h3>
<p>
If you would like to enforce the use of strong passwords, refer
to <a class="ulink" href=
"http://www.linuxfromscratch.org/blfs/view/systemd/postlfs/cracklib.html">
http://www.linuxfromscratch.org/blfs/view/systemd/postlfs/cracklib.html</a>
for installing CrackLib prior to building Shadow. Then add
<em class="parameter"><code>--with-libcrack</code></em> to the
<span class="command"><strong>configure</strong></span> command
below.
</p>
</div>
<p>
Disable the installation of the <span class=
"command"><strong>groups</strong></span> program and its man pages,
as Coreutils provides a better version:
</p>
<pre class="userinput">
<kbd class="command">sed -i 's/groups$(EXEEXT) //' src/Makefile.in
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;</kbd>
</pre>
<p>
<a id="shadow-login_defs" name="shadow-login_defs"></a>Instead of
using the default <span class="emphasis"><em>crypt</em></span>
method, use the more secure <span class=
"emphasis"><em>SHA-512</em></span> method of password encryption,
which also allows passwords longer than 8 characters. It is also
necessary to change the obsolete <code class=
"filename">/var/spool/mail</code> location for user mailboxes that
Shadow uses by default to the <code class=
"filename">/var/mail</code> location used currently:
</p>
<pre class="userinput">
<kbd class=
"command">sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
-e 's@/var/spool/mail@/var/mail@' etc/login.defs</kbd>
</pre>
<div class="admon note">
<img alt="[Note]" src="../images/note.png" />
<h3>
Note
</h3>
<p>
If you chose to build Shadow with Cracklib support, run the
following:
</p>
<pre class="userinput">
<kbd class=
"command">sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</kbd>
</pre>
</div>
<p>
Make a minor change to make the default useradd consistent with the
LFS groups file:
</p>
<pre class="userinput">
<kbd class="command">sed -i 's/1000/999/' etc/useradd</kbd>
</pre>
<p>
Prepare Shadow for compilation:
</p>
<pre class="userinput">
<kbd class=
"command">./configure --sysconfdir=/etc --with-group-name-max-length=32</kbd>
</pre>
<div class="variablelist">
<p class="title">
<strong>The meaning of the configure option:</strong>
</p>
<dl class="variablelist">
<dt>
<span class="term"><em class=
"parameter"><code>--with-group-name-max-length=32</code></em></span>
</dt>
<dd>
<p>
The maximum user name is 32 characters. Make the maximum
group name the same.
</p>
</dd>
</dl>
</div>
<p>
Compile the package:
</p>
<pre class="userinput">
<kbd class="command">make</kbd>
</pre>
<p>
This package does not come with a test suite.
</p>
<p>
Install the package:
</p>
<pre class="userinput">
<kbd class="command">make install</kbd>
</pre>
<p>
Move a misplaced program to its proper location:
</p>
<pre class="userinput">
<kbd class="command">mv -v /usr/bin/passwd /bin</kbd>
</pre>
</div>
<div class="configuration" lang="en" xml:lang="en">
<h2 class="sect2">
<a id="conf-shadow" name="conf-shadow"></a>6.25.2. Configuring
Shadow
</h2>
<p>
This package contains utilities to add, modify, and delete users
and groups; set and change their passwords; and perform other
administrative tasks. For a full explanation of what <span class=
"emphasis"><em>password shadowing</em></span> means, see the
<code class="filename">doc/HOWTO</code> file within the unpacked
source tree. If using Shadow support, keep in mind that programs
which need to verify passwords (display managers, FTP programs,
pop3 daemons, etc.) must be Shadow-compliant. That is, they need to
be able to work with shadowed passwords.
</p>
<p>
To enable shadowed passwords, run the following command:
</p>
<pre class="userinput">
<kbd class="command">pwconv</kbd>
</pre>
<p>
To enable shadowed group passwords, run:
</p>
<pre class="userinput">
<kbd class="command">grpconv</kbd>
</pre>
<p>
Shadow's stock configuration for the <span class=
"command"><strong>useradd</strong></span> utility has a few caveats
that need some explanation. First, the default action for the
<span class="command"><strong>useradd</strong></span> utility is to
create the user and a group of the same name as the user. By
default the user ID (UID) and group ID (GID) numbers will begin
with 1000. This means if you don't pass parameters to <span class=
"command"><strong>useradd</strong></span>, each user will be a
member of a unique group on the system. If this behaviour is
undesirable, you'll need to pass the <em class=
"parameter"><code>-g</code></em> parameter to <span class=
"command"><strong>useradd</strong></span>. The default parameters
are stored in the <code class=
"filename">/etc/default/useradd</code> file. You may need to modify
two parameters in this file to suit your particular needs.
</p>
<div class="variablelist">
<p class="title">
<strong><code class="filename">/etc/default/useradd</code>
Parameter Explanations</strong>
</p>
<dl class="variablelist">
<dt>
<span class="term"><em class=
"parameter"><code>GROUP=1000</code></em></span>
</dt>
<dd>
<p>
This parameter sets the beginning of the group numbers used
in the /etc/group file. You can modify it to anything you
desire. Note that <span class=
"command"><strong>useradd</strong></span> will never reuse a
UID or GID. If the number identified in this parameter is
used, it will use the next available number after this. Note
also that if you don't have a group 1000 on your system the
first time you use <span class=
"command"><strong>useradd</strong></span> without the
<em class="parameter"><code>-g</code></em> parameter, you'll
get a message displayed on the terminal that says:
<code class="computeroutput">useradd: unknown GID
1000</code>. You may disregard this message and group number
1000 will be used.
</p>
</dd>
<dt>
<span class="term"><em class=
"parameter"><code>CREATE_MAIL_SPOOL=yes</code></em></span>
</dt>
<dd>
<p>
This parameter causes <span class=
"command"><strong>useradd</strong></span> to create a mailbox
file for the newly created user. <span class=
"command"><strong>useradd</strong></span> will make the group
ownership of this file to the <code class=
"systemitem">mail</code> group with 0660 permissions. If you
would prefer that these mailbox files are not created by
<span class="command"><strong>useradd</strong></span>, issue
the following command:
</p>
<pre class="userinput">
<kbd class="command">sed -i 's/yes/no/' /etc/default/useradd</kbd>
</pre>
</dd>
</dl>
</div>
</div>
<div class="configuration" lang="en" xml:lang="en">
<h2 class="sect2">
6.25.3. Setting the root password
</h2>
<p>
Choose a password for user <span class=
"emphasis"><em>root</em></span> and set it by running:
</p>
<pre class="userinput">
<kbd class="command">passwd root</kbd>
</pre>
</div>
<div class="content" lang="en" xml:lang="en">
<h2 class="sect2">
<a id="contents-shadow" name="contents-shadow"></a>6.25.4. Contents
of Shadow
</h2>
<div class="segmentedlist">
<div class="seglistitem">
<div class="seg">
<strong class="segtitle">Installed programs:</strong>
<span class="segbody">chage, chfn, chgpasswd, chpasswd, chsh,
expiry, faillog, gpasswd, groupadd, groupdel, groupmems,
groupmod, grpck, grpconv, grpunconv, lastlog, login, logoutd,
newgrp, newusers, nologin, passwd, pwck, pwconv, pwunconv, sg
(link to newgrp), su, useradd, userdel, usermod, vigr (link to
vipw), and vipw</span>
</div>
<div class="seg">
<strong class="segtitle">Installed directory:</strong>
<span class="segbody">/etc/default</span>
</div>
</div>
</div>
<div class="variablelist">
<h3>
Short Descriptions
</h3>
<table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top" />
<col />
</colgroup>
<tbody>
<tr>
<td>
<p>
<a id="chage" name="chage"></a><span class=
"term"><span class=
"command"><strong>chage</strong></span></span>
</p>
</td>
<td>
<p>
Used to change the maximum number of days between
obligatory password changes
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="chfn" name="chfn"></a><span class=
"term"><span class=
"command"><strong>chfn</strong></span></span>
</p>
</td>
<td>
<p>
Used to change a user's full name and other information
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="chgpasswd" name="chgpasswd"></a><span class=
"term"><span class=
"command"><strong>chgpasswd</strong></span></span>
</p>
</td>
<td>
<p>
Used to update group passwords in batch mode
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="chpasswd" name="chpasswd"></a><span class=
"term"><span class=
"command"><strong>chpasswd</strong></span></span>
</p>
</td>
<td>
<p>
Used to update user passwords in batch mode
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="chsh" name="chsh"></a><span class=
"term"><span class=
"command"><strong>chsh</strong></span></span>
</p>
</td>
<td>
<p>
Used to change a user's default login shell
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="expiry" name="expiry"></a><span class=
"term"><span class=
"command"><strong>expiry</strong></span></span>
</p>
</td>
<td>
<p>
Checks and enforces the current password expiration
policy
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="faillog" name="faillog"></a><span class=
"term"><span class=
"command"><strong>faillog</strong></span></span>
</p>
</td>
<td>
<p>
Is used to examine the log of login failures, to set a
maximum number of failures before an account is blocked,
or to reset the failure count
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="gpasswd" name="gpasswd"></a><span class=
"term"><span class=
"command"><strong>gpasswd</strong></span></span>
</p>
</td>
<td>
<p>
Is used to add and delete members and administrators to
groups
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="groupadd" name="groupadd"></a><span class=
"term"><span class=
"command"><strong>groupadd</strong></span></span>
</p>
</td>
<td>
<p>
Creates a group with the given name
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="groupdel" name="groupdel"></a><span class=
"term"><span class=
"command"><strong>groupdel</strong></span></span>
</p>
</td>
<td>
<p>
Deletes the group with the given name
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="groupmems" name="groupmems"></a><span class=
"term"><span class=
"command"><strong>groupmems</strong></span></span>
</p>
</td>
<td>
<p>
Allows a user to administer his/her own group membership
list without the requirement of super user privileges.
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="groupmod" name="groupmod"></a><span class=
"term"><span class=
"command"><strong>groupmod</strong></span></span>
</p>
</td>
<td>
<p>
Is used to modify the given group's name or GID
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="grpck" name="grpck"></a><span class=
"term"><span class=
"command"><strong>grpck</strong></span></span>
</p>
</td>
<td>
<p>
Verifies the integrity of the group files <code class=
"filename">/etc/group</code> and <code class=
"filename">/etc/gshadow</code>
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="grpconv" name="grpconv"></a><span class=
"term"><span class=
"command"><strong>grpconv</strong></span></span>
</p>
</td>
<td>
<p>
Creates or updates the shadow group file from the normal
group file
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="grpunconv" name="grpunconv"></a><span class=
"term"><span class=
"command"><strong>grpunconv</strong></span></span>
</p>
</td>
<td>
<p>
Updates <code class="filename">/etc/group</code> from
<code class="filename">/etc/gshadow</code> and then
deletes the latter
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="lastlog" name="lastlog"></a><span class=
"term"><span class=
"command"><strong>lastlog</strong></span></span>
</p>
</td>
<td>
<p>
Reports the most recent login of all users or of a given
user
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="login" name="login"></a><span class=
"term"><span class=
"command"><strong>login</strong></span></span>
</p>
</td>
<td>
<p>
Is used by the system to let users sign on
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="logoutd" name="logoutd"></a><span class=
"term"><span class=
"command"><strong>logoutd</strong></span></span>
</p>
</td>
<td>
<p>
Is a daemon used to enforce restrictions on log-on time
and ports
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="newgrp" name="newgrp"></a><span class=
"term"><span class=
"command"><strong>newgrp</strong></span></span>
</p>
</td>
<td>
<p>
Is used to change the current GID during a login session
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="newusers" name="newusers"></a><span class=
"term"><span class=
"command"><strong>newusers</strong></span></span>
</p>
</td>
<td>
<p>
Is used to create or update an entire series of user
accounts
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="nologin" name="nologin"></a><span class=
"term"><span class=
"command"><strong>nologin</strong></span></span>
</p>
</td>
<td>
<p>
Displays a message that an account is not available; it
is designed to be used as the default shell for accounts
that have been disabled
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="passwd" name="passwd"></a><span class=
"term"><span class=
"command"><strong>passwd</strong></span></span>
</p>
</td>
<td>
<p>
Is used to change the password for a user or group
account
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="pwck" name="pwck"></a><span class=
"term"><span class=
"command"><strong>pwck</strong></span></span>
</p>
</td>
<td>
<p>
Verifies the integrity of the password files <code class=
"filename">/etc/passwd</code> and <code class=
"filename">/etc/shadow</code>
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="pwconv" name="pwconv"></a><span class=
"term"><span class=
"command"><strong>pwconv</strong></span></span>
</p>
</td>
<td>
<p>
Creates or updates the shadow password file from the
normal password file
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="pwunconv" name="pwunconv"></a><span class=
"term"><span class=
"command"><strong>pwunconv</strong></span></span>
</p>
</td>
<td>
<p>
Updates <code class="filename">/etc/passwd</code> from
<code class="filename">/etc/shadow</code> and then
deletes the latter
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="sg" name="sg"></a><span class="term"><span class=
"command"><strong>sg</strong></span></span>
</p>
</td>
<td>
<p>
Executes a given command while the user's GID is set to
that of the given group
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="su" name="su"></a><span class="term"><span class=
"command"><strong>su</strong></span></span>
</p>
</td>
<td>
<p>
Runs a shell with substitute user and group IDs
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="useradd" name="useradd"></a><span class=
"term"><span class=
"command"><strong>useradd</strong></span></span>
</p>
</td>
<td>
<p>
Creates a new user with the given name, or updates the
default new-user information
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="userdel" name="userdel"></a><span class=
"term"><span class=
"command"><strong>userdel</strong></span></span>
</p>
</td>
<td>
<p>
Deletes the given user account
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="usermod" name="usermod"></a><span class=
"term"><span class=
"command"><strong>usermod</strong></span></span>
</p>
</td>
<td>
<p>
Is used to modify the given user's login name, User
Identification (UID), shell, initial group, home
directory, etc.
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="vigr" name="vigr"></a><span class=
"term"><span class=
"command"><strong>vigr</strong></span></span>
</p>
</td>
<td>
<p>
Edits the <code class="filename">/etc/group</code> or
<code class="filename">/etc/gshadow</code> files
</p>
</td>
</tr>
<tr>
<td>
<p>
<a id="vipw" name="vipw"></a><span class=
"term"><span class=
"command"><strong>vipw</strong></span></span>
</p>
</td>
<td>
<p>
Edits the <code class="filename">/etc/passwd</code> or
<code class="filename">/etc/shadow</code> files
</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="navfooter">
<ul>
<li class="prev">
<a accesskey="p" href="sed.html" title="Sed-4.2.2">Prev</a>
<p>
Sed-4.2.2
</p>
</li>
<li class="next">
<a accesskey="n" href="psmisc.html" title="Psmisc-22.21">Next</a>
<p>
Psmisc-22.21
</p>
</li>
<li class="up">
<a accesskey="u" href="chapter06.html" title=
"Chapter&nbsp;6.&nbsp;Installing Basic System Software">Up</a>
</li>
<li class="home">
<a accesskey="h" href="../index.html" title=
"Linux From Scratch - Version 7.7-systemd">Home</a>
</li>
</ul>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink