<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux Shadow Password HOWTO: Installing</TITLE>
<LINK HREF="Shadow-Password-HOWTO-6.html" REL=next>
<LINK HREF="Shadow-Password-HOWTO-4.html" REL=previous>
<LINK HREF="Shadow-Password-HOWTO.html#toc5" REL=contents>
</HEAD>
<BODY>
<A HREF="Shadow-Password-HOWTO-6.html">Next</A>
<A HREF="Shadow-Password-HOWTO-4.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc5">Contents</A>
<HR>
<H2><A NAME="s5">5. Installing</A></H2>

<H2><A NAME="ss5.1">5.1 Have a boot disk handy in case you break anything.</A>
</H2>

<P>If something goes terribly wrong, it would be handy to have a boot disk.
If you have a boot/root combination from your installation, that will work;
otherwise see the
<A HREF="http://sunsite.unc.edu/mdw/HOWTO/Bootdisk-HOWTO.html">Bootdisk-HOWTO</A>, which describes how to make a bootable disk.
<P>
<H2><A NAME="ss5.2">5.2 Removing duplicate man pages</A>
</H2>

<P>You should also move the manual pages that are about to be replaced. Even
if you are brave enough to install the Shadow Suite without making backups, you
will still want to remove the old manual pages. The new manual pages won't
normally overwrite the old ones because the old ones are probably compressed.
<P>You can use a combination of <CODE>man -aW command</CODE> and <CODE>locate
command</CODE> to locate the manual pages that need to be (re)moved. It's
generally easier to figure out which are the older pages before you run
<CODE>make install</CODE>.
<P>If you are using the Slackware 3.0 distribution, then the manual pages you
want to remove are:
<UL>
<LI>/usr/man/man1/chfn.1.gz</LI>
<LI>/usr/man/man1/chsh.1.gz</LI>
<LI>/usr/man/man1/id.1.gz</LI>
<LI>/usr/man/man1/login.1.gz</LI>
<LI>/usr/man/man1/passwd.1.gz</LI>
<LI>/usr/man/man1/su.1.gz</LI>
<LI>/usr/man/man5/passwd.5.gz</LI>
</UL>
<P>There may also be man pages of the same name in the <CODE>/var/man/cat[1-9]</CODE>
subdirectories that should also be deleted.
<P>
<H2><A NAME="ss5.3">5.3 Running make install</A>
</H2>

<P>You are now ready to type the following (do this as root):
<BLOCKQUOTE><CODE>
<PRE>
make install
</PRE>
</CODE></BLOCKQUOTE>
<P>This will install the new and replacement programs and fix up the file
permissions. It will also install the man pages.
<P>This also takes care of installing the Shadow Suite include files in the
correct places in <CODE>/usr/include/shadow</CODE>.
<P>If you are using the BETA package, you must manually copy the file <CODE>login.defs</CODE>
to the <CODE>/etc</CODE> subdirectory and make sure that only <EM>root</EM> can
make changes to it.
<BLOCKQUOTE><CODE>
<PRE>
cp login.defs /etc
chmod 700 /etc/login.defs
</PRE>
</CODE></BLOCKQUOTE>
<P>This file is the configuration file for the <EM>login</EM> program.
You should review and make changes to this file for your particular system.
This is where you decide which ttys root can log in from, and set other
security policy settings (like password expiration defaults).
<P>
<H2><A NAME="ss5.4">5.4 Running pwconv</A>
</H2>

<P>The next step is to run <CODE>pwconv</CODE>. This must also be done as
<EM>root</EM>, and is best done from the <CODE>/etc</CODE> subdirectory:
<BLOCKQUOTE><CODE>
<PRE>
cd /etc
/usr/sbin/pwconv
</PRE>
</CODE></BLOCKQUOTE>
<P><CODE>pwconv</CODE> takes your <CODE>/etc/passwd</CODE> file and strips out the
fields to create two files: <CODE>/etc/npasswd</CODE> and <CODE>/etc/nshadow</CODE>.
<P>A <CODE>pwunconv</CODE> program is also provided if you need to make a normal
<CODE>/etc/passwd</CODE> file out of an <CODE>/etc/passwd</CODE> and
<CODE>/etc/shadow</CODE> combination.
<P>
<H2><A NAME="ss5.5">5.5 Renaming npasswd and nshadow</A>
</H2>

<P>Now that you have run <CODE>pwconv</CODE> you have created the files
<CODE>/etc/npasswd</CODE> and <CODE>/etc/nshadow</CODE>. These need to be copied
over to <CODE>/etc/passwd</CODE> and <CODE>/etc/shadow</CODE>. We also want to make
a backup copy of the original <CODE>/etc/passwd</CODE> file, and make sure only
root can read it. We'll put the backup in root's home directory:
<BLOCKQUOTE><CODE>
<PRE>
cd /etc
cp passwd ~/passwd
chmod 600 ~/passwd
mv npasswd passwd
mv nshadow shadow
</PRE>
</CODE></BLOCKQUOTE>
<P>You should also ensure that the file ownerships and permissions are
correct. If you are going to be using <EM>X-Windows</EM>, the
<CODE>xlock</CODE> and <CODE>xdm</CODE> programs need to be able to read the
<CODE>shadow</CODE> file (but not write it).
<P>There are two ways that this can be done. You can set <CODE>xlock</CODE> to
suid root (<CODE>xdm</CODE> is usually run as root anyway). Or you can make
the <CODE>shadow</CODE> file owned by <CODE>root</CODE> with a group of
<CODE>shadow</CODE>, but before you do this, make sure that you have a shadow
group (look in <CODE>/etc/group</CODE>). None of the users on the system
should actually be in the shadow group.
<BLOCKQUOTE><CODE>
<PRE>
chown root:root passwd
chown root:shadow shadow
chmod 0644 passwd
chmod 0640 shadow
</PRE>
</CODE></BLOCKQUOTE>
<P>Your system now has the password file shadowed. You <EM>should</EM> now pop
over to another virtual terminal and verify that you can log in.
<P><EM>Really, do this now!</EM>
<P>If you can't, then something is wrong! To get back to a non-shadowed state,
do the following:
<BLOCKQUOTE><CODE>
<PRE>
cd /etc
cp ~/passwd passwd
chmod 644 passwd
</PRE>
</CODE></BLOCKQUOTE>
<P>You would then restore the files that you saved earlier to their proper
locations.
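<P>The script below is an added example, not part of the original HOWTO or the Shadow Suite. It checks a <CODE>passwd</CODE>/<CODE>shadow</CODE> pair for the three things the steps above are meant to guarantee: no password hash left in the world-readable file, a <CODE>shadow</CODE> entry for every account, and a <CODE>shadow</CODE> file that is not world-readable. It assumes a shadowed account carries <CODE>x</CODE> in its <CODE>passwd</CODE> password field; the function names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: consistency checks for a passwd/shadow pair after pwconv.
# Assumption: a shadowed account has "x" as its passwd password field.

# Print logins whose passwd password field is anything other than "x".
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Print logins present in passwd ($1) that have no line in shadow ($2).
missing_from_shadow() {
    awk -F: -v shadow="$2" '
        BEGIN { while ((getline line < shadow) > 0) { split(line, f, ":"); seen[f[1]] = 1 } }
        !($1 in seen) { print $1 }' "$1"
}

# Succeed if the file's mode grants read access to "other".
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

# Run all checks; print one line per finding, return 1 if any were found.
check_shadow_pair() {
    rc=0
    for name in $(unshadowed_accounts "$1"); do echo "not shadowed in $1: $name"; rc=1; done
    for name in $(missing_from_shadow "$1" "$2"); do echo "no entry in $2: $name"; rc=1; done
    if world_readable "$2"; then echo "$2 is world-readable"; rc=1; fi
    return "$rc"
}

# Write a constructed sample pair (not real accounts or hashes) into dir $1.
write_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'bob:CONSTRUCTED-HASH:1001:100:Bob:/home/bob:/bin/sh' \
        'carol:x:1002:100:Carol:/home/carol:/bin/sh' > "$1/passwd"
    printf '%s\n' 'root:CONSTRUCTED-HASH:9800:0:99999:7:::' \
        'bob:CONSTRUCTED-HASH:9800:0:99999:7:::' > "$1/shadow"
    chmod 644 "$1/passwd" "$1/shadow"   # shadow deliberately left too open
}

# Usage: sh check.sh PASSWD SHADOW (with no arguments, runs on the sample).
if [ "$#" -eq 2 ]; then
    check_shadow_pair "$1" "$2"
else
    d=$(mktemp -d) && write_sample "$d"
    check_shadow_pair "$d/passwd" "$d/shadow" || true
    rm -rf "$d"
fi
```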
</BODY>
</HTML>