LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/Shadow-Password-HOWTO-5.html

151 lines
5.6 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux Shadow Password HOWTO: Installing</TITLE>
<LINK HREF="Shadow-Password-HOWTO-6.html" REL=next>
<LINK HREF="Shadow-Password-HOWTO-4.html" REL=previous>
<LINK HREF="Shadow-Password-HOWTO.html#toc5" REL=contents>
</HEAD>
<BODY>
<A HREF="Shadow-Password-HOWTO-6.html">Next</A>
<A HREF="Shadow-Password-HOWTO-4.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc5">Contents</A>
<HR>
<H2><A NAME="s5">5. Installing</A></H2>
<H2><A NAME="ss5.1">5.1 Have a boot disk handy in case you break anything.</A>
</H2>
<P>If something goes terribly wrong, it would be handy to have a boot disk.
If you have a boot/root combination from your installation, that will work,
otherwise see the
<A HREF="http://sunsite.unc.edu/mdw/HOWTO/Bootdisk-HOWTO.html">Bootdisk-HOWTO</A>, which describes how to make a bootable disk.
<P>
<H2><A NAME="ss5.2">5.2 Removing duplicate man pages</A>
</H2>
<P>You should also move the manual pages that are about to be replaced. Even
if you are brave enough install the Shadow Suite without making backups, you
will still want to remove the old manual pages. The new manual pages won't
normally overwrite the old ones because the old ones are probably compressed.
<P>You can use a combination of: <CODE>man -aW command</CODE> and <CODE>locate
command</CODE> to locate the manual pages that need to be (re)moved. It's
generally easier to figure out which are the older pages before you run
<CODE>make install</CODE>.
<P>If you are using the Slackware 3.0 distribution, then the manual pages you
want to remove are:
<UL>
<LI>/usr/man/man1/chfn.1.gz</LI>
<LI>/usr/man/man1/chsh.1.gz</LI>
<LI>/usr/man/man1/id.1.gz</LI>
<LI>/usr/man/man1/login.1.gz</LI>
<LI>/usr/man/man1/passwd.1.gz</LI>
<LI>/usr/man/man1/su.1.gz</LI>
<LI>/usr/man/man5/passwd.5.gz</LI>
</UL>
<P>There may also be man pages of the same name in the <CODE>/var/man/cat[1-9]</CODE>
subdirectories that should also be deleted.
<P>
<H2><A NAME="ss5.3">5.3 Running make install</A>
</H2>
<P>You are now ready to type: (do this as root)
<BLOCKQUOTE><CODE>
<PRE>
make install
</PRE>
</CODE></BLOCKQUOTE>
<P>This will install the new and replacement programs and fix-up the file
permissions. It will also install the man pages.
<P>This also takes care of installing the Shadow Suite include files in the
correct places in <CODE>/usr/include/shadow</CODE>.
<P>Using the BETA package you must manually copy the file <CODE>login.defs</CODE>
to the <CODE>/etc</CODE> subdirectory and make sure that only <EM>root</EM> can
make changes to it.
<BLOCKQUOTE><CODE>
<PRE>
cp login.defs /etc
chmod 700 /etc/login.defs
</PRE>
</CODE></BLOCKQUOTE>
<P>This file is the configuration file for the <EM>login</EM> program.
You should review and make changes to this file for your particular system.
This is where you decide which tty's root can login from, and set other
security policy settings (like password expiration defaults).
<P>
<H2><A NAME="ss5.4">5.4 Running pwconv</A>
</H2>
<P>The next step is to run <CODE>pwconv</CODE>. This must also be done as
<EM>root</EM>, and is best done from the <CODE>/etc</CODE> subdirectory:
<BLOCKQUOTE><CODE>
<PRE>
cd /etc
/usr/sbin/pwconv
</PRE>
</CODE></BLOCKQUOTE>
<P><CODE>pwconv</CODE> takes your <CODE>/etc/passwd</CODE> file and strips out the
fields to create two files: <CODE>/etc/npasswd</CODE> and <CODE>/etc/nshadow</CODE>.
<P>A <CODE>pwunconv</CODE> program is also provided if you need to make a normal
<CODE>/etc/passwd</CODE> file out of an <CODE>/etc/passwd</CODE> and
<CODE>/etc/shadow</CODE> combination.
<P>
<H2><A NAME="ss5.5">5.5 Renaming npasswd and nshadow</A>
</H2>
<P>Now that you have run <CODE>pwconv</CODE> you have created the files
<CODE>/etc/npasswd</CODE> and <CODE>/etc/nshadow</CODE>. These need to be copied
over to <CODE>/etc/passwd</CODE> and <CODE>/etc/shadow</CODE>. We also want to make
a backup copy of the original <CODE>/etc/passwd</CODE> file, and make sure only
root can read it. We'll put the backup in root's home directory:
<BLOCKQUOTE><CODE>
<PRE>
cd /etc
cp passwd ~passwd
chmod 600 ~passwd
mv npasswd passwd
mv nshadow shadow
</PRE>
</CODE></BLOCKQUOTE>
<P>You should also ensure that the file ownerships and permissions are
correct. If you are going to be using <EM>X-Windows</EM>, the
<CODE>xlock</CODE> and <CODE>xdm</CODE> programs need to be able to read the
<CODE>shadow</CODE> file (but not write it).
<P>There are two ways that this can be done. You can set <CODE>xlock</CODE> to
suid root (<CODE>xdm</CODE> is usually run as root anyway). Or you can make
the <CODE>shadow</CODE> file owned by <CODE>root</CODE> with a group of
<CODE>shadow</CODE>, but before you do this, make sure that you have a shadow
group (look in <CODE>/etc/group</CODE>). None of the users on the system
should actually be in the shadow group.
<BLOCKQUOTE><CODE>
<PRE>
chown root.root passwd
chown root.shadow shadow
chmod 0644 passwd
chmod 0640 shadow
</PRE>
</CODE></BLOCKQUOTE>
<P>Your system now has the password file shadowed. You <EM>should</EM> now pop
over to another virtual terminal and verify that you can login.
<P><EM>Really, do this now!</EM>
<P>If you can't, then something is wrong! To get back to a non-shadowed state,
do the following the following:
<BLOCKQUOTE><CODE>
<PRE>
cd /etc
cp ~passwd passwd
chmod 644 passwd
</PRE>
</CODE></BLOCKQUOTE>
<P>You would then restore the files that you saved earlier to their proper
locations.
<P>
<P>
<HR>
<A HREF="Shadow-Password-HOWTO-6.html">Next</A>
<A HREF="Shadow-Password-HOWTO-4.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc5">Contents</A>
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink