
Diff for /hints/pam+shadow+cracklib.txt between version 1.1 and 1.2

version 1.1, 2002/05/08 13:35:53 version 1.2, 2002/06/10 21:07:52
Line 3 
Line 3 
 AUTHOR:         Ted Riley <reesonline@messages.to> AUTHOR:         Ted Riley <reesonline@messages.to>
  
 SYNOPSIS: SYNOPSIS:
         How to configure cracklib, Linux-PAM and the current shadow         How to configure cracklib, Linux-PAM and the Shadow suite
  
 HINT: HINT:
  
 CONTENTS CONTENTS
 ======== ========
         1. Introduction         1. Introduction
         2. Resources          2. Changelog
         3. CrackLib          3. Resources
         4. Linux-PAM          4. CrackLib
         5. Shadow          5. Linux-PAM
         6. PAM Configuration          6. Shadow
         7. Closing          7. PAM Configuration
           8. Trouble
           9. Other Programs
          10. Closing
  
  
 INTRODUCTION INTRODUCTION
 ============ ============
 We're going to install cracklib and Linux-PAM, and then re-compile the We're going to install cracklib, Linux-PAM and the shadow package, in
 shadow package to use both.  Afterwards, we will create and/or modify the that order.  (Shadow requires the PAM libraries, which require the
 needed configuration files to get everything up and running smoothly. cracklib libraries.)  This hint can be used if you already have an LFS
 Please do not log out until all the configuration files have been installation in place or if you are installing LFS for the first time.
  Once the binaries are in place, we will create and/or modify the
  necessary configuration files to get everything up and running smoothly.
  Please note:  Do not log out until all the configuration files have been
 created, since you will not be able to log back in.  In fact, the safest created, since you will not be able to log back in.  In fact, the safest
 thing to do is test your configurations in a separate virtual terminal thing to do is test your configurations in a separate virtual terminal
 before ending your session. before ending your session.
  
  
  CHANGELOG
  =========
  Current Version
  1.2 - 2002.06.10
          Modified hint to work "in-line" with LFS installation
          Replaced shadow patch with make flags
          Replaced cracklib 'sed' command with make flags
  
  1.1 - 2002.05.31
          Corrected directories in shadow patch
          Added troubleshooting section
          Added other programs section
          Added /usr/share/dict/words symbolic link and explained
  
  1.0 - 2002.05.07
          Updated explanation of shadow/PAM incompatibility
          Cosmetic/grammatical changes
  
  0.9 - 2002.04.28
          Original draft
  
  
 RESOURCES RESOURCES
 ========= =========
 You will need the following packages: You will need the following packages:
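
Review bot: the new CHANGELOG entries do not line up with what this revision actually adds: the 1.1 entry claims "Added troubleshooting section", "Added other programs section" and the /usr/share/dict/words symbolic link, yet all three appear only on the v1.2 side of this diff (the v1.1 column has no TROUBLE or OTHER PROGRAMS sections), and the CVS header dates v1.1 at 2002/05/08 while the changelog dates 1.1 at 2002.05.31. Either the changelog numbers are the hint's own release numbers rather than CVS revisions, in which case one sentence saying so would help, or those three items belong under 1.2. Also, "Replaced shadow patch with make flags" is inaccurate: the replacement shown later in this diff is an LDFLAGS setting on the ./configure line, not make flags.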
Line 41 
Line 69 
    http://www.cotse.com/wordlists/allwords    http://www.cotse.com/wordlists/allwords
 NOTE: This website also has a dictionary called 'cracklib' but it is NOTE: This website also has a dictionary called 'cracklib' but it is
 15.6MB compared to 'allwords' which is 467KB.  I have had cracklib 15.6MB compared to 'allwords' which is 467KB.  I have had cracklib
 seg fault with the larger dictionary, but not with the smaller.  YMMV. seg fault with the larger dictionary, but not with the smaller.  I know
  others (with better systems than mine) who have used the 'cracklib'
  dictionary successfully.  Your mileage may vary.
  
 Linux-PAM (0.75 as of this hint): Linux-PAM (0.75 as of this hint):
    http://wwww.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.75.tar.gz    http://wwww.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.75.tar.gz
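
Review bot: the Linux-PAM download URL has a typo carried over from v1.1, "http://wwww.kernel.org/..." (four w's); it should read "http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.75.tar.gz", matching the www.kernel.org host used for the manuals link in CLOSING.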
Line 51 
Line 81 
  
 Shadow (4.0.3 as of this hint): Shadow (4.0.3 as of this hint):
    ftp://ftp.pld.org.pl/software/shadow/shadow-4.0.3.tar.gz    ftp://ftp.pld.org.pl/software/shadow/shadow-4.0.3.tar.gz
 NOTE: Okay, there's no note for this one, but I wanted to be consistent. NOTE: There is no note for this one; insert humor attempt here.
  
  
 CRACKLIB CRACKLIB
Line 62 
Line 92 
  
 From the directory where you downloaded the dictionary: From the directory where you downloaded the dictionary:
                  
 cp allwords /usr/share/dict/ cp allwords /usr/share/dict/ &&
  cd /usr/share/dict &&
  ln -s allwords words
  
  One note about the above commands:  Traditionally, the /usr/share/dict
  directory had only one file: words.  The FHS standard does not prohibit
  other files from being here as long as they are wordlists as well.  I
  like to remember what dictionary I used, which is why I do not simply
  rename 'allwords' to 'words.'  Creating the link to 'words' helps other
  programs which might look in the standard location for a dictionary
  (that is, the '/usr/share/dict/words' file).
  
 Next, in the cracklib directory, we need to create a couple files: Next, in the cracklib directory, we need to create a couple files:
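
Review bot: `ln -s allwords words` in the new command chain fails with "File exists" if /usr/share/dict/words is already present (a second run of this hint, or a words file left by another package), and because the commands are joined with &&, the chain stops there. Use `ln -sf allwords words`, as the SHADOW section already does for vigr and libshadow.so, or state that an existing words file must be removed or replaced first.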
                  
Line 92 
Line 132 
         echo "/usr/lib/cracklib_dict.*"         echo "/usr/lib/cracklib_dict.*"
         echo         echo
         echo "Example:"         echo "Example:"
         echo "$0 /usr/dict/words"         echo "$0 /usr/share/dict/words"
 else else
         /usr/sbin/mkdict $* | /usr/sbin/packer /usr/lib/cracklib_dict         /usr/sbin/mkdict $* | /usr/sbin/packer /usr/lib/cracklib_dict
 fi fi
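
Review bot: in the else branch, `/usr/sbin/mkdict $* | /usr/sbin/packer /usr/lib/cracklib_dict` expands the arguments unquoted, so a wordlist path containing whitespace is split into several arguments before mkdict sees it; `"$@"` passes each argument through intact. The example path change to /usr/share/dict/words is correct and now matches the symbolic link created in the CRACKLIB section.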
Line 100 
Line 140 
  
 And finally we compile cracklib from the source directory: And finally we compile cracklib from the source directory:
  
 cp Makefile Makefile.orig && make DICTPATH=/usr/lib/cracklib_dict SRCDICTS=/usr/share/dict/words install &&
 sed -e 's%/usr/local/lib/pw_dict%/usr/lib/cracklib_dict%' \ 
         -e 's%/usr/dict/words%/usr/share/dict/allwords%' Makefile.orig > \ 
         Makefile && 
 make all && 
 make install && 
 cp cracklib/libcrack.a /usr/lib && cp cracklib/libcrack.a /usr/lib &&
 cp crack.h /usr/include && cp crack.h /usr/include &&
 cp util/mkdict util/packer util/create_cracklib_dict /usr/sbin cp util/{mkdict,packer,create_cracklib_dict} /usr/sbin
  
 Command Explanations: Command Explanations:
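
Review bot: `cp util/{mkdict,packer,create_cracklib_dict} /usr/sbin` relies on brace expansion, which bash provides but a POSIX /bin/sh does not; the v1.1 form `cp util/mkdict util/packer util/create_cracklib_dict /usr/sbin` works in any shell, so consider keeping it (the same applies to `mv /lib/{libmisc.*a,libshadow.*a} /usr/lib` in the SHADOW section). The single `make DICTPATH=... SRCDICTS=... install` replacing `make all && make install` is fine because variables given on the make command line override the Makefile's defaults for both the build and the install targets, which is what makes the Makefile.orig/sed step unnecessary; a sentence to that effect in the Command Explanations would save readers wondering where DICTPATH and SRCDICTS come from.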
  
Line 117 
Line 152 
 cat >> util/create_cracklib_dict ... : These commands create a script cat >> util/create_cracklib_dict ... : These commands create a script
         which takes a wordlist as an argument and creates a new cracklib         which takes a wordlist as an argument and creates a new cracklib
         dictionary.         dictionary.
 cp Makefile Makefile.orig && sed -e ... Makefile : This command fixes make ... install : Makes the cracklib libraries with the correct
         in the Makefile the location of the wordlist and the location         dictionary locations
         where the cracklib dictionary will be created. 
 cp cracklib.a /usr/lib : The make install command does not install the cp cracklib.a /usr/lib : The make install command does not install the
         static cracklib library, so we do it here.         static cracklib library, so we do it here.
 cp crack.h /usr/include : This command copies the header file we created. cp crack.h /usr/include : This command copies the header file we created.
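
Review bot: the explanation header `cp cracklib.a /usr/lib :` names the wrong file on both sides; the command above is `cp cracklib/libcrack.a /usr/lib`, so the header should read `cp cracklib/libcrack.a /usr/lib :`. The new `make ... install :` entry also drops the trailing period that every other entry in this list has.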
Line 181 
Line 215 
 the latest versions of Linux-PAM.  For the record, the maintainer of the the latest versions of Linux-PAM.  For the record, the maintainer of the
 shadow package believes the incompatibility lies in the PAM libraries, shadow package believes the incompatibility lies in the PAM libraries,
 not in shadow.  Therefore, he advises using a different version of PAM. not in shadow.  Therefore, he advises using a different version of PAM.
 (available from ftp://ftp.pld.org.pl/software/pam/).  However, I have (available from ftp://ftp.pld.org.pl/software/pam/).  However, I prefer
 chosen to patch shadow to make it work with the current version of PAM to use the latest versions of both packages; the compiler flags below
 (so I can have the latest versions of both).  The patch below will will accomplish this.
 accomplish this.  The commands below assume that you already have the 
 shadow suite installed (without PAM) as part of LFS; therefore, we will 
 not recreate or copy the config files. 
  
 From the shadow source directory: 
  
 cat >> ../shadow-4.0.3-PAM.patch << "EOF" 
 # Begin Patch 
 diff -ur shadow-4.0.3/configure.in shadow-4.0.3-new/configure.in 
 --- shadow-4.0.3/configure.in   Wed Mar 13 03:36:40 2002 
 +++ shadow-4.0.3-new/configure.in       Sat Apr 27 15:15:10 2002 
 @@ -267,7 +267,8 @@ 
                 LIBPAM="-lpam" 
                 AC_CHECK_LIB(pam_misc, main, 
                         [LIBPAM="$LIBPAM -lpam_misc"], 
 -                       AC_MSG_ERROR(libpam_misc is missing) 
 +                       AC_MSG_ERROR(libpam_misc is missing), 
 +                       [-lpam] 
                 )] 
                 [AC_MSG_CHECKING(use login access checking if PAM not used) 
                 AC_DEFINE(LOGIN_ACCESS) 
 diff -ur shadow-4.0.3/libmisc/Makefile.am shadow-4.0.3-new/libmisc/Makefile.am 
 --- shadow-4.0.3/libmisc/Makefile.am    Sun Mar 10 02:11:55 2002 
 +++ shadow-4.0.3-new/libmisc/Makefile.am        Sat Apr 27 15:28:02 2002 
 @@ -58,4 +58,4 @@ 
         valid.c \ 
         xmalloc.c 
   
 -libmisc_la_LIBADD = $(LIBCRACK) 
 +libmisc_la_LIBADD = $(LIBCRACK) $(LIBPAM) 
 # End Patch 
 EOF 
  
 Now to compile shadow: 
  
 patch -Np1 -i ../shadow-4.0.3-PAM.patch && LDFLAGS="-lpam -lpam_misc" ./configure --prefix=/usr --enable-shared \
 aclocal &&         --with-libpam --without-libcrack &&
 autoconf && 
 automake && 
 ./configure --enable-shared --with-libpam --prefix=/usr && 
 make && make &&
 make install && make install &&
 cd /usr/sbin && cd /usr/sbin &&
 ln -sf vipw vigr && ln -sf vipw vigr &&
 rm /bin/vipw && rm /bin/vipw &&
 mv /bin/sg /usr/bin && mv /bin/sg /usr/bin &&
 cd /lib && mv /lib/{libmisc.*a,libshadow.*a} /usr/lib &&
 mv libmisc.*a libshadow.*a /usr/lib && 
 cd /usr/lib && cd /usr/lib &&
 ln -s ../../lib/libshadow.so ln -sf ../../lib/libshadow.so
  sed 's%/var/spool/mail%/var/mail%' etc/login.defs.linux > /etc/login.defs
  cp debian/securetty /etc/securetty
  
 Command Explanations: Command Explanations:
 patch -Np1 -i ../shadow-4.0.3-PAM.patch : This applies the patch. LDFLAGS="..." ./configure : The compiler flags allow the shadow package
 aclocal && autoconf && automake : These commands recreate the configure         to link correctly against the PAM libraries; they must be
         and make files after applying the patch.         entered on the same line as the configure command.
 ./configure --enable-shared : Shadow no longer creates shared libraries --enable-shared : Shadow no longer creates shared libraries by default,
         by default, so this flag is used.         so this flag is used.
 --with-libpam : Compiles with PAM support --with-libpam : This flag compiles with PAM support.
  --without-libcrack : Cracklib will be called through PAM, so we do not
          need it here.
 ln -sf vipw vigr ... ln -s ../../lib/libshadow.so : These commands fix ln -sf vipw vigr ... ln -s ../../lib/libshadow.so : These commands fix
         broken links and un-installed libraries.  They are also useful for         broken links and un-installed libraries.  They are also useful for
         refreshing the time-stamps on the files if you use a time-stamp         refreshing the time-stamps on the files if you use a time-stamp
         sensitive installer (like install-log).         sensitive installer (like install-log).
  sed ... login.defs : This will create the /etc/login.defs file (if you
          don't already have one) and will make the mail directory
          FHS-compliant.
  cp debian/securetty /etc/securetty : This will create the securetty file
          which prevents root logons from all but listed terminals.
  
 Please note:  We no longer need the 'limits' and 'login.access' files in Please note:  We no longer need the 'limits' and 'login.access' files in
 /etc since PAM will handle these functions.  You may safely delete these /etc since PAM will handle these functions.  You may safely delete these
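
Review bot: the two commands appended at the end of the chain, `sed 's%/var/spool/mail%/var/mail%' etc/login.defs.linux > /etc/login.defs` and `cp debian/securetty /etc/securetty`, use paths relative to the shadow source directory, but they run after `cd /usr/sbin` and `cd /usr/lib` earlier in the same sequence, so from /usr/lib they fail with "No such file or directory". Either run them before the first cd or give them absolute paths. They are also not joined with && to `ln -sf ../../lib/libshadow.so`, so a failing sed goes unnoticed, and because the shell opens the `>` redirection before sed runs, an empty /etc/login.defs is created in that case; the same redirection overwrites an existing /etc/login.defs rather than leaving it alone as the explanation "(if you don't already have one)" suggests. Separately, the Command Explanations still say `ln -s ../../lib/libshadow.so` while the command now uses `ln -sf`.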
Line 279 
Line 284 
 CONSOLE_GROUPS          (pam_groups.so) CONSOLE_GROUPS          (pam_groups.so)
 ENVIRON_FILE            (pam_env.so) ENVIRON_FILE            (pam_env.so)
  
 If you are using the pam_securetty.so module, create the /etc/securetty 
 file as follows.  Please note that you only need entries for ttys you 
 have available.  I prefer being able to expand later without having 
 to remember to update this file as well, so I include the extra ttys. 
  
 cat > /etc/securetty << "EOF" 
 tty1 
 tty2 
 tty3 
 tty4 
 tty5 
 tty6 
 tty7 
 tty8 
 tty9 
 tty10 
 tty11 
 tty12 
 EOF 
  
 Several people have noticed a small problem with pam_issue.so. Several people have noticed a small problem with pam_issue.so.
 Specifically, if you enter the correct password the first time, the login Specifically, if you enter the correct password the first time, the login
 fails, even if pam_issue is set to optional.  However, if the wrong password fails, even if pam_issue is set to optional.  However, if the wrong password
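
Review bot: removing this block drops the only mention of pam_securetty.so, which is the module that actually reads /etc/securetty; the replacement explanation in the SHADOW section ("prevents root logons from all but listed terminals") reads as if the file alone did that. Suggest keeping one sentence saying that the file is consulted by pam_securetty.so and so has an effect only when that module is in the auth stack, and that the copied debian/securetty should be checked to list the ttys actually in use, which is the advice the removed paragraph gave.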
Line 311 
Line 296 
 anyone knows how to fix this, please let me know. anyone knows how to fix this, please let me know.
  
 If you want to use the access or limits modules (among others), you can edit If you want to use the access or limits modules (among others), you can edit
 the configuration files in /etc/security/.  Currently, my files are stil the configuration files in /etc/security/.  Currently, my files are still
 fully commented out (the default), so I'm not much help for suggestions fully commented out (the default), so I'm not much help for suggestions
 on those.  If anyone is using these files, I would love to hear from on those.  If anyone is using these files, I would love to hear from
 them, though. them, though.
Line 386 
Line 371 
 interface with PAM as 'shadow' instead of their own program name. interface with PAM as 'shadow' instead of their own program name.
  
  
  TROUBLE
  =======
  Here are a couple problems that crept up while I was installing the above
  programs myself.  Just in case you run in these problems yourself, here
  are some tips to help you resolve them.  Of course, you will not need
  these because everything will work great the first time. ;-)
  
  Cracklib Seg Fault:
  With a large dictionary file, cracklib gave a segmentation fault the
  second time I tried to change a password.  (The first time worked.)
  To fix this, I ran the script create_cracklib_dict, as listed below (I
  was using the 'cracklib' dictionary at the time):
  
  create_cracklib_dict /usr/share/dict/cracklib
  
  This command rebuilt the cracklib dictionary files and cracklib worked
  fine the next time I changed a password.  Then it crashed again the
  following time.  However, when I ran the above command with the
  'allwords' dictionary listed above, cracklib worked and has worked since.
  
  As noted above, this error may be a result of my computer's limited RAM
  and swap space.  Other people have stated that the cracklib dictionary
  has worked fine for them.
  
  Incorrect Root Password:
  Later, due to a misconfiguration, I found myself unable to log in as root.
  To fix this, I used a boot disk (the Slackware boot disk, to be exact)
  which allowed me to log in as root without a password.  Once I was
  logged in, I mounted my LFS system.  Then, I renamed the pam.d directory
  and created a new pam.d directory with only the 'other' file.  This
  temporary file is listed below:
  
  # Begin temporary /etc/pam.d/other
  auth            required        pam_unix.so        nullok
  account         required        pam_unix.so
  session         required        pam_unix.so
  password        required        pam.unix.so        nullok
  # End temporary /etc/pam.d/other
  
  I also edited my /etc/passwd file (after making a backup, of course) and
  removed the password field for root.  After rebooting, I was able to log
  in as root without a password.  Then, I copied my original pam.d directory
  back in place and changed the root password, testing the configuration
  in another virtual terminal.
  
  
  OTHER PROGRAMS
  ==============
  
  The main reason to install PAM (at least for me) was so that different
  programs could use it.  Below are a few programs that utilize PAM, as
  well as instructions how to compile PAM support into them.
  
  SSH:
  OpenSSH (from http://www.openssh.com/) has a compile option for PAM.
  Simply specify the --with-pam flag when you run the configure script.
  The PAM configuration file I use for ssh is almost identical to the one
  used for login, with one exception: the securetty line is removed (so we
  can log in through ssh from anywhere).  For simplicity's sake, the file
  is listed below:
  
  /etc/pam.d/sshd:
  # Begin /etc/pam.d/sshd
  auth    requisite        pam_nologin.so
  auth    required        pam_env.so
  auth    required        pam_unix.so
  account required        pam_access.so
  account required        pam_unix.so
  session required        pam_motd.so
  session required        pam_limits.so
  session optional        pam_mail.so        dir=/var/mail standard
  session optional        pam_lastlog.so
  session required        pam_unix.so
  # End /etc/pam.d/sshd
  
  PPPD:
  Another program that is useful if you use a modem (including DSL) is
  the pppd program (available from http://www.samba.org/ppp/).  To enable
  PAM in pppd, simple add the USE_PAM=y flag after the make command.
  My configuration file for ppp is sparce compared to sshd and login,
  simply because I do not use ppp except to dial out.  The configuration
  file for pppd is listed below:
  
  /etc/pam.d/ppp:
  # Begin /etc/pam.d/ppp
  auth    requisite        pam_nologon.so
  auth    required        pam_unix.so
  account required        pam_unix.so
  session required        pam_unix.so
  # End /etc/pam.d/ppp
  
  Please note that the file is called ppp, not pppd.  This is because the
  ppp daemon uses "ppp" to interface with PAM instead of "pppd."
  
  
 CLOSING CLOSING
 ======= =======
 Many thanks to Yannick Tousignant for writing the previous pam hint and Many thanks to Yannick Tousignant for writing the previous pam hint and
 helping me get my foot in the door.  And of course, thanks to Gerard helping me get my foot in the door.  And of course, thanks to Gerard
 Beekmans and the rest of the LFS crew. Beekmans and the rest of the LFS crew.
  
  Also, thanks to the following individuals for their contributions:
  Thien Vu
  Adrian Woffenden
  
 If you need additional help, be sure to check out the Linux-PAM manuals If you need additional help, be sure to check out the Linux-PAM manuals
 at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/ at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/
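
Review bot: two module names in the new PAM files are misspelled and would keep the affected stacks from working: in the temporary /etc/pam.d/other, the password line references `pam.unix.so` (should be `pam_unix.so`, as in the three lines above it), so password changes under that recovery file would fail; and in /etc/pam.d/ppp, the auth line references `pam_nologon.so` (should be `pam_nologin.so`, as in the sshd file), and since it is marked `requisite`, a module that cannot be loaded fails the whole auth stack. Minor wording in the PPPD paragraph: "simple add" should be "simply add" and "sparce" should be "sparse".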

