LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/Shadow-Password-HOWTO-3.html

113 lines
5.7 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux Shadow Password HOWTO: Getting the Shadow Suite.</TITLE>
<LINK HREF="Shadow-Password-HOWTO-4.html" REL=next>
<LINK HREF="Shadow-Password-HOWTO-2.html" REL=previous>
<LINK HREF="Shadow-Password-HOWTO.html#toc3" REL=contents>
</HEAD>
<BODY>
<A HREF="Shadow-Password-HOWTO-4.html">Next</A>
<A HREF="Shadow-Password-HOWTO-2.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc3">Contents</A>
<HR>
<H2><A NAME="s3">3. Getting the Shadow Suite.</A></H2>
<H2><A NAME="ss3.1">3.1 History of the Shadow Suite for Linux</A>
</H2>
<P><EM>DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS</EM>
<P>The original <EM>Shadow Suite</EM> was written by <CODE>John F. Haugh II</CODE>.
<P>There are several versions that have been used on Linux systems:
<UL>
<LI><CODE>shadow-3.3.1</CODE> is the original.</LI>
<LI><CODE>shadow-3.3.1-2</CODE> is Linux specific patch made by
<A HREF="mailto:flla@stud.uni-sb.de">Florian La Roche &lt;flla@stud.uni-sb.de></A> and contains some further
enhancements.</LI>
<LI><CODE>shadow-mk</CODE> was specifically packaged for Linux.</LI>
</UL>
<P>The <CODE>shadow-mk</CODE> package contains the <CODE>shadow-3.3.1</CODE> package
distributed by <CODE>John F. Haugh II</CODE> with the <CODE>shadow-3.3.1-2 patch</CODE>
installed, a few fixes made by
<A HREF="mailto:magnus@texas.net">Mohan Kokal &lt;magnus@texas.net></A>
that make installation a lot easier, a patch by <CODE>Joseph R.M. Zbiciak</CODE>
for <CODE>login1.c</CODE> (login.secure) that eliminates the -f, -h security
holes in /bin/login, and some other miscellaneous patches.
<P>The <CODE>shadow.mk</CODE> package was the <EM>previously</EM> recommended
package, but should be replaced due to a <EM>security problem</EM> with the
<CODE>login</CODE> program.
<P>There are <EM>security problems</EM> with Shadow versions 3.3.1, 3.3.1-2,
and shadow-mk involving the <CODE>login</CODE> program. This <CODE>login</CODE> bug
involves not checking the length of a login name. This causes the buffer to
overflow causing crashes or worse. It has been rumored that this buffer
overflow can allow someone with an account on the system to use this bug and
the shared libraries to gain <EM>root</EM> access. I won't discuss exactly
how this is possible because there are a lot of Linux systems that are
affected, but systems with these <EM>Shadow Suites</EM> installed, and
most pre-ELF distributions <EM>without</EM> the <EM>Shadow Suite</EM>
are vulnerable!
<P>For more information on this and other Linux security issues, see the
<A HREF="http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-telnetd.html">Linux Security home page (Shared Libraries and login Program Vulnerability)</A><P>
<P>
<H2><A NAME="ss3.2">3.2 Where to get the Shadow Suite.</A>
</H2>
<P>The only recommended <EM>Shadow Suite</EM> is still in BETA testing, however
the latest versions are safe in a production environment and don't contain a
vulnerable <CODE>login</CODE> program.
<P>The package uses the following naming convention:
<BLOCKQUOTE><CODE>
<PRE>
shadow-YYMMDD.tar.gz
</PRE>
</CODE></BLOCKQUOTE>
where <CODE>YYMMDD</CODE> is the issue date of the Suite.
<P>This version will eventually be <EM>Version 3.3.3</EM> when it is released
from Beta testing, and is maintained by
<A HREF="mailto:marekm@i17linuxb.ists.pwr.wroc.pl">Marek Michalkiewicz &lt;marekm@i17linuxb.ists.pwr.wroc.pl></A>.
It's available as:
<A HREF="ftp://i17linuxb.ists.pwr.wroc.pl/pub/linux/shadow/shadow-current.tar.gz">shadow-current.tar.gz</A>.
<P>The following mirror sites have also been established:
<UL>
<LI>
<A HREF="ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz">ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz</A></LI>
<LI>
<A HREF="ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz">ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz</A></LI>
<LI>
<A HREF="ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz">ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz</A></LI>
<LI>
<A HREF="ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz">ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz</A></LI>
</UL>
<P>You should use the currently available version.
<P>You should NOT use a version <EM>older</EM> than <CODE>shadow-960129</CODE> as
they also have the <CODE>login</CODE> security problem discussed above.
<P>When this document refers to the <EM>Shadow Suite</EM> I am referring to the
this package. It is assumed that this is the package that you are using.
<P>For reference, I used <CODE>shadow-960129</CODE> to make these installation
instructions.
<P>If you were previously using <CODE>shadow-mk</CODE>, you should upgrade to this
version and rebuild everything that you originally compiled.
<P>
<H2><A NAME="ss3.3">3.3 What is included with the Shadow Suite.</A>
</H2>
<P>The <EM>Shadow Suite</EM> contains replacement programs for:
<P><CODE>su, login, passwd, newgrp, chfn, chsh, and id</CODE>
<P>The package also contains the new programs:
<P><CODE>chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod, groupadd,
groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv, and pwunconv</CODE>
<P>Additionally, the library: <CODE>libshadow.a</CODE> is included for writing and/or
compiling programs that need to access user passwords.
<P>Also, manual pages for the programs are also included.
<P>There is also a configuration file for the login program which will be
installed as <CODE>/etc/login.defs</CODE>.
<P>
<HR>
<A HREF="Shadow-Password-HOWTO-4.html">Next</A>
<A HREF="Shadow-Password-HOWTO-2.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc3">Contents</A>
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink