Shuimu Tsinghua BBS (水木清华站): Digest Area
From: bibble (什么), Board: Linux
Subject: Shadow-Password-HOWTO
Posted from: Shuimu Tsinghua BBS (水木清华站) (Sat Apr 3 23:29:21 1999)
Linux Shadow Password HOWTO
Michael H. Jackson, mhjack@tscnet.com
v1.3, 3 April 1996
This document aims to describe how to obtain, install, and configure
the Linux password Shadow Suite. It also discusses obtaining, and
reinstalling other software and network daemons that require access to
user passwords. This other software is not actually part of the
Shadow Suite, but these programs will need to be recompiled to support
the Shadow Suite. This document also contains a programming example
for adding shadow support to a program. Answers to some of the more
frequently asked questions are included near the end of this document.
1. Introduction.
This is the Linux Shadow-Password-HOWTO. This document describes why
and how to add shadow password support on a Linux system. Some
examples of how to use some of the Shadow Suite's features are also
included.
When installing the Shadow Suite and when using many of the utility
programs, you must be logged in as root. When installing the Shadow
Suite you will be making changes to system software, and it is highly
recommended that you make backup copies of programs as indicated. I
also recommend that you read and understand all the instructions
before you begin.
1.1. Changes from the previous release.
Additions:
Added a sub-section on why you might not want to install shadow
Added a sub-section on updating the xdm program
Added a section on how to put Shadow Suite features to work
Added a section containing frequently asked questions
Corrections/Updates:
Corrected html references on Sunsite
Corrected section on wu-ftp to reflect adding -lshadow to the Makefile
Corrected minor spelling and verbiage errors
Changed section on wu-ftpd to support ELF
Updated to reflect security problems in various login programs
Updated to recommend the Linux Shadow Suite by Marek Michalkiewicz
1.2. New versions of this document.
The latest released version of this document can always be retrieved
by anonymous FTP from:
sunsite.unc.edu
/pub/Linux/docs/HOWTO/Shadow-Password-HOWTO
or:
/pub/Linux/docs/HOWTO/other-formats/Shadow-Password-HOWTO{-html.tar,ps,dvi}.gz
or via the World Wide Web from the Linux Documentation Project Web
Server <http://sunsite.unc.edu/mdw/linux.html>, at page: Shadow-
Password-HOWTO <http://sunsite.unc.edu/linux/HOWTO/Shadow-Password-
HOWTO.html> or directly from me, <mhjack@tscnet.com>. It will also be
posted to the newsgroup: comp.os.linux.answers
This document is now packaged with the Shadow-YYDDMM packages.
1.3. Feedback.
Please send any comments, updates, or suggestions to me: Michael H.
Jackson <mhjack@tscnet.com> The sooner I get feedback, the sooner I
can update and correct this document. If you find any problems with
it, please mail me directly as I very rarely stay up-to-date on the
newsgroups.
2. Why shadow your passwd file?
By default, most current Linux distributions do not come with the
Shadow Suite installed. This includes Slackware 2.3, Slackware 3.0,
and other popular distributions. One of the reasons for this is that
the copyright notices in the original Shadow Suite were not clear on
redistribution if a fee was charged. Linux uses a GNU Copyright
(sometimes referred to as a Copyleft) that allows people to package it
into a convenient package (like a CD-ROM distribution) and charge a
fee for it.
The current maintainer of the Shadow Suite, Marek Michalkiewicz
<marekm@i17linuxb.ists.pwr.wroc.pl> received the source code from the
original author under a BSD style copyright that allowed
redistribution. Now that the copyright issues are resolved, it is
expected that future distributions will contain password shadowing by
default. Until then, you will need to install it yourself.
If you installed your distribution from a CD-ROM, you may find that,
even though the distribution did not have the Shadow Suite installed,
some of the files you need to install the Shadow Suite may be on the
CD-ROM.
However, Shadow Suite versions 3.3.1, 3.3.1-2, and shadow-mk all have
security problems with their login program and several other suid root
programs that came with them, and should no longer be used.
All of the necessary files may be obtained via anonymous FTP or
through the World Wide Web.
On a Linux system without the Shadow Suite installed, user information
including passwords is stored in the /etc/passwd file. The password
is stored in an encrypted format. If you ask a cryptography expert,
however, he or she will tell you that the password is actually in an
encoded rather than encrypted format because when using crypt(3), the
text is set to null andld get a ppp connection by setting
their PAP to user ppp and a password of null.
We fixed this also by returning UPAP_AUTHNAK instead of UPAP_AUTHACK
if the password field was empty.
Interestingly enough, pppd-2.2.0 has the same problem.
Next we need to modify the Makefile so that two things occur:
USE_SHADOW must be defined, and libshadow.a needs to be added to the
linking process.
Edit the Makefile, and add:
LIBS = -lshadow
Then we find the line:
COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t
And change it to:
COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t -DUSE_SHADOW
Now make and install.
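The Makefile change above only takes effect if the source consults the shadow file when USE_SHADOW is defined. The following is an added example, not code from the HOWTO or from pppd, showing that source-level counterpart: with -DUSE_SHADOW the hash is fetched through getspnam(3) and otherwise the passwd field is used, and an empty or placeholder field is refused before any crypt(3) comparison, which is the check the PAP fix above relies on. The function names stored_hash_for and hash_is_usable are this example's own.

```c
/* Added example, not code from the HOWTO or from pppd: the source-level
 * counterpart of building with -DUSE_SHADOW and -lshadow. The function
 * names (stored_hash_for, hash_is_usable) are this example's own. */
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#ifdef USE_SHADOW
#include <shadow.h>   /* getspnam(3); in 1996 this lived in libshadow.a */
#endif

/* Return the hash a password check should run crypt(3) against.
 * user is the account name and passwd_field the second field of its
 * /etc/passwd entry ("x" on a shadowed system). With USE_SHADOW the shadow
 * entry wins; if it is absent or unreadable (the process is not root) the
 * passwd field is returned, which on a shadowed system is only the
 * placeholder "x" and can therefore never match a real password. */
const char *stored_hash_for(const char *user, const char *passwd_field)
{
#ifdef USE_SHADOW
    struct spwd *sp = getspnam(user);
    if (sp != NULL && sp->sp_pwdp != NULL)
        return sp->sp_pwdp;
#else
    (void)user;
#endif
    return passwd_field;
}

/* The check the pppd fix above adds: an empty stored hash must be refused
 * rather than treated as "any password matches". Locked accounts ('*' or
 * '!' prefix) and placeholders shorter than any crypt(3) output (such as
 * "x") are refused too. Returns 1 if a crypt(3) comparison may proceed. */
int hash_is_usable(const char *hash)
{
    if (hash == NULL || hash[0] == '\0')
        return 0;                       /* empty field: always refuse */
    if (hash[0] == '*' || hash[0] == '!')
        return 0;                       /* locked account */
    if (strlen(hash) < 13)
        return 0;                       /* "x" or similar placeholder */
    return 1;
}

/* Stand-alone demo: look up the named account and report where its hash
 * would come from. Run as root with -DUSE_SHADOW to exercise the shadow path. */
int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", name);
        return 1;
    }
    const char *hash = stored_hash_for(pw->pw_name, pw->pw_passwd);
    printf("%s: passwd field \"%s\", hash taken %s, account %s\n",
           pw->pw_name, pw->pw_passwd,
           hash == pw->pw_passwd ? "from passwd" : "from shadow",
           hash_is_usable(hash) ? "can be checked with crypt(3)" : "refused");
    return 0;
}
```

Build it as the Makefile section does, with -DUSE_SHADOW and, on the 1996 systems this HOWTO targets, -lshadow; modern glibc ships getspnam in libc, so only the -D flag is needed there. The actual comparison, strcmp(crypt(supplied, hash), hash) == 0, is deliberately left to the caller because crypt(3) needs -lcrypt on many systems.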
9. Frequently Asked Questions.
Q: I used to control which tty's root could log into using the file
/etc/securettys, but it doesn't seem to work anymore, what's going on?
A: The file /etc/securettys does absolutely nothing now that the
Shadow Suite is installed. The tty's that root can use are now
located in the login configuration file /etc/login.defs. The entry in
this file may point to another file.
Q: I installed the Shadow Suite, but now I can't login, what did I
miss?
A: You probably installed the Shadow programs, but didn't run pwconv
or you forgot to copy /etc/npasswd to /etc/passwd and /etc/nshadow to
/etc/shadow. Also, you may need to copy login.defs to /etc.
Q: In the section on xlock, it said to change the group ownership of
the /etc/shadow file to shadow. I don't have a shadow group, what do
I do?
A: You can add one. Simply edit the /etc/group file, and insert a
line for the shadow group. You need to ensure that the group number
is not used by another group, and you need to insert it before the
nogroup entry. Or you can simply suid xlock to root.
Q: Is there a mailing list for the Linux Shadow Password Suite?
A: Yes, but it's for the development and beta testing of the next
Shadow Suite for Linux. You can get added to the list by mailing to:
shadow-list-request@neptune.cin.net with a subject of: subscribe. The
list is actually for discussions of the Linux shadow-YYMMSS series of
releases. You should join if you want to get involved in further
development or if you install the Suite on your system and want to get
information on newer releases.
Q: I installed the Shadow Suite, but when I use the userdel command, I
get "userdel: cannot open shadow group file", what did I do wrong?
A: You compiled the Shadow Suite with the SHADOWGRP option enabled,
but you don't have an /etc/gshadow file. You need to either edit the
config.h file and recompile, or create an /etc/gshadow file. See the
section on shadow groups.
Q: I installed the Shadow Suite but now I'm getting encoded passwords
back in my /etc/passwd file, what's wrong?
A: You either enabled the AUTOSHADOW option in the Shadow config.h
file, or your libc was compiled with the SHADOW_COMPAT option. You
need to determine which is the problem, and recompile.
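Whichever of the two causes applies, the symptom is the same: hashes reappear in the world-readable /etc/passwd. The following added example (not from the HOWTO; function and constant names are this example's own, and the sample lines are constructed rather than taken from any real system) audits passwd-format lines and reports entries whose field holds a hash, or is empty, which is the case the pppd PAP fix earlier in this document guards against.

```c
/* Added example, not from the HOWTO: an audit of /etc/passwd-format lines
 * that reports entries whose password field should have been moved to
 * /etc/shadow. Names are this example's own; sample lines are constructed. */
#include <stdio.h>
#include <string.h>

enum pw_state {
    PW_SHADOWED,   /* "x": the hash lives in /etc/shadow */
    PW_LOCKED,     /* "*" or "!...": no login by password */
    PW_EMPTY,      /* "": the empty field the pppd PAP fix refuses */
    PW_EXPOSED,    /* anything else: a hash in the world-readable file */
    PW_MALFORMED   /* fewer than two colon-separated fields */
};

/* Classify the second field of one passwd line (name:pw:uid:gid:gecos:dir:shell). */
enum pw_state classify_passwd_line(const char *line)
{
    const char *field = strchr(line, ':');
    if (field == NULL)
        return PW_MALFORMED;
    field++;
    const char *end = strchr(field, ':');
    if (end == NULL)
        return PW_MALFORMED;
    size_t len = (size_t)(end - field);
    if (len == 0)
        return PW_EMPTY;
    if (len == 1 && field[0] == 'x')
        return PW_SHADOWED;
    if (field[0] == '*' || field[0] == '!')
        return PW_LOCKED;
    return PW_EXPOSED;
}

/* Count lines that are EMPTY or EXPOSED, naming each offender on stderr.
 * Returns the number of offending entries (0 means the file is clean). */
int count_unshadowed(const char *const *lines, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        enum pw_state s = classify_passwd_line(lines[i]);
        if (s == PW_EMPTY || s == PW_EXPOSED) {
            const char *colon = strchr(lines[i], ':');
            fprintf(stderr, "%s: %.*s\n",
                    s == PW_EMPTY ? "empty password" : "hash in passwd",
                    (int)(colon - lines[i]), lines[i]);
            bad++;
        }
    }
    return bad;
}

/* Constructed sample: "bob" carries a 13-character placeholder in the shape
 * of a traditional crypt(3) hash, and "ppp" has the empty field. */
#define SAMPLE_LINES 6
const char *const sample_passwd[SAMPLE_LINES] = {
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1000:100:Alice:/home/alice:/bin/sh",
    "bob:ab1234567890A:1001:100:Bob:/home/bob:/bin/sh",
    "ppp::1002:100:PPP login:/home/ppp:/usr/sbin/pppd",
    "daemon:*:1:1:daemon:/usr/sbin:/bin/sh",
    "not a passwd line",
};

/* Audit a real file line by line; returns -1 if it cannot be opened. */
int audit_passwd_file(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    char buf[1024];
    int bad = 0;
    while (fgets(buf, sizeof buf, fp) != NULL) {
        const char *const one[1] = { buf };
        bad += count_unshadowed(one, 1);
    }
    fclose(fp);
    return bad;
}

int main(int argc, char **argv)
{
    if (argc > 1) {                      /* e.g. ./audit /etc/passwd */
        int bad = audit_passwd_file(argv[1]);
        if (bad < 0) { perror(argv[1]); return 2; }
        printf("%d unshadowed or empty entries in %s\n", bad, argv[1]);
        return bad ? 1 : 0;
    }
    printf("%d unshadowed or empty entries in the constructed sample\n",
           count_unshadowed(sample_passwd, SAMPLE_LINES));
    return 0;
}
```

Run it against /etc/passwd after installing the Suite and again after any libc or config.h rebuild; a non-zero count means pwconv has not been run, or AUTOSHADOW / SHADOW_COMPAT is writing hashes back.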
10. Copyright Message.
The Linux Shadow Password HOWTO is Copyright (c) 1996 Michael H.
Jackson.
Permission is granted to make and distribute verbatim copies of this
document provided the copyright notice and this permission notice are
preserved on all copies.
Permission is granted to copy and distribute modified versions of this
document under the conditions for verbatim copies above, provided a
notice clearly stating that the document is a modified version is also
included in the modified document.
Permission is granted to copy and distribute translations of this
document into another language, under the conditions specified above
for modified versions.
Permission is granted to convert this document into another media
under the conditions specified above for modified versions provided
the requirement to acknowledge the source document is fulfilled by
inclusion of an obvious reference to the source document in the new
media. Where there is any doubt as to what defines 'obvious' the
copyright owner reserves the right to decide.
11. Miscellaneous and Acknowledgments.
The code examples for auth.c are taken from pppd-1.2.1d and
ppp-2.1.0e, Copyright (c) 1993 and The Australian National University
and Copyright (c) 1989 Carnegie Mellon University.
Thanks to Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> for
writing and maintaining the Shadow Suite for Linux, and for his review
and comments on this document.
Thanks to Ron Tidd <rtidd@tscnet.com> for his helpful review and
testing.
Thanks to everyone who has sent me feedback to help improve this
document.
Please, if you have any comments or suggestions then mail them to me.
regards
Michael H. Jackson <mhjack@tscnet.com>
--
A bosom friend within the net brings the far horizon next door.
※ Source: Shuimu Tsinghua BBS bbs.net.tsinghua.edu.cn [FROM: 162.105.181.204]