version 1.1, 2002/05/08 13:35:53 | version 1.2, 2002/06/10 21:07:52
| |
AUTHOR: Ted Riley <reesonline@messages.to> | AUTHOR: Ted Riley <reesonline@messages.to> |
| |
SYNOPSIS: | SYNOPSIS: |
How to configure cracklib, Linux-PAM and the current shadow | How to configure cracklib, Linux-PAM and the Shadow suite |
| |
HINT: | HINT: |
| |
CONTENTS | CONTENTS |
======== | ======== |
1. Introduction | 1. Introduction |
2. Resources | 2. Changelog |
3. CrackLib | 3. Resources |
4. Linux-PAM | 4. CrackLib |
5. Shadow | 5. Linux-PAM |
6. PAM Configuration | 6. Shadow |
7. Closing | 7. PAM Configuration |
| 8. Trouble |
| 9. Other Programs |
| 10. Closing |
| |
| |
INTRODUCTION | INTRODUCTION |
============ | ============ |
We're going to install cracklib and Linux-PAM, and then re-compile the | We're going to install cracklib, Linux-PAM and the shadow package, in |
shadow package to use both. Afterwards, we will create and/or modify the | that order. (Shadow requires the PAM libraries, which require the |
needed configuration files to get everything up and running smoothly. | cracklib libraries.) This hint can be used if you already have an LFS |
Please do not log out until all the configuration files have been | installation in place or if you are installing LFS for the first time. |
| Once the binaries are in place, we will create and/or modify the |
| necessary configuration files to get everything up and running smoothly. |
| Please note: Do not log out until all the configuration files have been |
created, since you will not be able to log back in. In fact, the safest | created, since you will not be able to log back in. In fact, the safest |
thing to do is test your configurations in a separate virtual terminal | thing to do is test your configurations in a separate virtual terminal |
before ending your session. | before ending your session. |
| |
| |
| CHANGELOG |
| ========= |
| Current Version |
| 1.2 - 2002.06.10 |
| Modified hint to work "in-line" with LFS installation |
| Replaced shadow patch with make flags |
| Replaced cracklib 'sed' command with make flags |
| |
| 1.1 - 2002.05.31 |
| Corrected directories in shadow patch |
| Added troubleshooting section |
| Added other programs section |
| Added /usr/share/dict/words symbolic link and explained |
| |
| 1.0 - 2002.05.07 |
| Updated explanation of shadow/PAM incompatibility |
| Cosmetic/grammatical changes |
| |
| 0.9 - 2002.04.28 |
| Original draft |
| |
| |
RESOURCES | RESOURCES |
========= | ========= |
You will need the following packages: | You will need the following packages: |
| |
http://www.cotse.com/wordlists/allwords | http://www.cotse.com/wordlists/allwords |
NOTE: This website also has a dictionary called 'cracklib' but it is | NOTE: This website also has a dictionary called 'cracklib' but it is |
15.6MB compared to 'allwords' which is 467KB. I have had cracklib | 15.6MB compared to 'allwords' which is 467KB. I have had cracklib |
seg fault with the larger dictionary, but not with the smaller. YMMV. | seg fault with the larger dictionary, but not with the smaller. I know |
| others (with better systems than mine) who have used the 'cracklib' |
| dictionary successfully. Your mileage may vary. |
| |
Linux-PAM (0.75 as of this hint): | Linux-PAM (0.75 as of this hint): |
http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.75.tar.gz | http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.75.tar.gz
| |
| |
Shadow (4.0.3 as of this hint): | Shadow (4.0.3 as of this hint): |
ftp://ftp.pld.org.pl/software/shadow/shadow-4.0.3.tar.gz | ftp://ftp.pld.org.pl/software/shadow/shadow-4.0.3.tar.gz |
NOTE: Okay, there's no note for this one, but I wanted to be consistent. | NOTE: There is no note for this one; insert humor attempt here. |
| |
| |
CRACKLIB | CRACKLIB |
======== | ========
| |
From the directory where you downloaded the dictionary: | From the directory where you downloaded the dictionary: |
| |
cp allwords /usr/share/dict/ | cp allwords /usr/share/dict/ && |
| cd /usr/share/dict && |
| ln -s allwords words |
| |
| One note about the above commands: Traditionally, the /usr/share/dict |
| directory had only one file: words. The FHS standard does not prohibit |
| other files from being here as long as they are wordlists as well. I |
| like to remember what dictionary I used, which is why I do not simply |
| rename 'allwords' to 'words.' Creating the link to 'words' helps other |
| programs which might look in the standard location for a dictionary |
| (that is, the '/usr/share/dict/words' file). |
| |
Next, in the cracklib directory, we need to create a couple of files: | Next, in the cracklib directory, we need to create a couple of files:
| |
| |
echo "/usr/lib/cracklib_dict.*" | echo "/usr/lib/cracklib_dict.*" |
echo | echo |
echo "Example:" | echo "Example:" |
echo "$0 /usr/dict/words" | echo "$0 /usr/share/dict/words" |
else | else |
/usr/sbin/mkdict "$@" | /usr/sbin/packer /usr/lib/cracklib_dict | /usr/sbin/mkdict "$@" | /usr/sbin/packer /usr/lib/cracklib_dict
fi | fi |
| |
| |
And finally we compile cracklib from the source directory: | And finally we compile cracklib from the source directory: |
| |
cp Makefile Makefile.orig && | make DICTPATH=/usr/lib/cracklib_dict SRCDICTS=/usr/share/dict/words install && |
sed -e 's%/usr/local/lib/pw_dict%/usr/lib/cracklib_dict%' \ | |
-e 's%/usr/dict/words%/usr/share/dict/allwords%' Makefile.orig > \ | |
Makefile && | |
make all && | |
make install && | |
cp cracklib/libcrack.a /usr/lib && | cp cracklib/libcrack.a /usr/lib && |
cp crack.h /usr/include && | cp crack.h /usr/include && |
cp util/mkdict util/packer util/create_cracklib_dict /usr/sbin | cp util/{mkdict,packer,create_cracklib_dict} /usr/sbin |
| |
Command Explanations: | Command Explanations: |
| |
| |
cat >> util/create_cracklib_dict ... : These commands create a script | cat >> util/create_cracklib_dict ... : These commands create a script |
which takes a wordlist as an argument and creates a new cracklib | which takes a wordlist as an argument and creates a new cracklib |
dictionary. | dictionary. |
cp Makefile Makefile.orig && sed -e ... Makefile : This command fixes | make ... install : Makes the cracklib libraries with the correct
in the Makefile the location of the wordlist and the location | dictionary locations.
where the cracklib dictionary will be created. |
cp cracklib/libcrack.a /usr/lib : The make install command does not | cp cracklib/libcrack.a /usr/lib : The make install command does not
install the static cracklib library, so we do it here. | install the static cracklib library, so we do it here.
cp crack.h /usr/include : This command copies the header file we created. | cp crack.h /usr/include : This command copies the header file we created.
cp util/... /usr/sbin : Installs mkdict, packer and our | cp util/{...} /usr/sbin : Installs mkdict, packer and our
create_cracklib_dict script, so the dictionary can be rebuilt | create_cracklib_dict script, so the dictionary can be rebuilt
later from any wordlist. | later from any wordlist.
| |
the latest versions of Linux-PAM. For the record, the maintainer of the | the latest versions of Linux-PAM. For the record, the maintainer of the |
shadow package believes the incompatibility lies in the PAM libraries, | shadow package believes the incompatibility lies in the PAM libraries, |
not in shadow. Therefore, he advises using a different version of PAM. | not in shadow. Therefore, he advises using a different version of PAM. |
(available from ftp://ftp.pld.org.pl/software/pam/). However, I have | (available from ftp://ftp.pld.org.pl/software/pam/). However, I prefer
chosen to patch shadow to make it work with the current version of PAM | to use the latest versions of both packages; the linker flags below
(so I can have the latest versions of both). The patch below will | will accomplish this.
accomplish this. The commands below assume that you already have the | |
shadow suite installed (without PAM) as part of LFS; therefore, we will | |
not recreate or copy the config files. | |
| |
From the shadow source directory: | |
| |
cat >> ../shadow-4.0.3-PAM.patch << "EOF" | |
# Begin Patch | |
diff -ur shadow-4.0.3/configure.in shadow-4.0.3-new/configure.in | |
--- shadow-4.0.3/configure.in Wed Mar 13 03:36:40 2002 | |
+++ shadow-4.0.3-new/configure.in Sat Apr 27 15:15:10 2002 | |
@@ -267,7 +267,8 @@ | |
LIBPAM="-lpam" | |
AC_CHECK_LIB(pam_misc, main, | |
[LIBPAM="$LIBPAM -lpam_misc"], | |
- AC_MSG_ERROR(libpam_misc is missing) | |
+ AC_MSG_ERROR(libpam_misc is missing), | |
+ [-lpam] | |
)] | |
[AC_MSG_CHECKING(use login access checking if PAM not used) | |
AC_DEFINE(LOGIN_ACCESS) | |
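Review bot: the added fifth argument `[-lpam]` is what makes this test
succeed, because libpam_misc references symbols from libpam and the
AC_CHECK_LIB link test would otherwise fail for the wrong reason; that is
the right fix. Two smaller points: checking `main` only proves the library
can be linked at all, so a real libpam_misc entry point such as `misc_conv`
would make the test meaningful, and since only configure.in changes, the
hunk is inert until autoconf is re-run (the hint does run
aclocal && autoconf && automake after patching).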
diff -ur shadow-4.0.3/libmisc/Makefile.am shadow-4.0.3-new/libmisc/Makefile.am | |
--- shadow-4.0.3/libmisc/Makefile.am Sun Mar 10 02:11:55 2002 | |
+++ shadow-4.0.3-new/libmisc/Makefile.am Sat Apr 27 15:28:02 2002 | |
@@ -58,4 +58,4 @@ | |
valid.c \ | |
xmalloc.c | |
| |
-libmisc_la_LIBADD = $(LIBCRACK) | |
+libmisc_la_LIBADD = $(LIBCRACK) $(LIBPAM) | |
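Review bot: adding `$(LIBPAM)` to libmisc_la_LIBADD records libpam and
libpam_misc as dependencies of the shared libmisc, which is why the later
link steps stop failing; LIBPAM is only non-empty when configure enables
PAM (see the previous hunk), so a non-PAM build is unaffected. Note that
this helps the libtool shared library only: a static libmisc.a carries no
dependency information, so with --disable-shared the programs would still
need $(LIBPAM) on their own link lines. Because Makefile.am changes,
automake must be re-run for Makefile.in to pick this up.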
# End Patch | |
EOF | |
| |
Now to compile shadow: | |
| |
patch -Np1 -i ../shadow-4.0.3-PAM.patch && | LDFLAGS="-lpam -lpam_misc" ./configure --prefix=/usr --enable-shared \ |
aclocal && | --with-libpam --without-libcrack && |
autoconf && | |
automake && | |
./configure --enable-shared --with-libpam --prefix=/usr && | |
make && | make && |
make install && | make install && |
cd /usr/sbin && | sed 's%/var/spool/mail%/var/mail%' etc/login.defs.linux > /etc/login.defs &&
ln -sf vipw vigr && | cp debian/securetty /etc/securetty &&
rm /bin/vipw && | cd /usr/sbin &&
mv /bin/sg /usr/bin && | ln -sf vipw vigr &&
cd /lib && | rm /bin/vipw &&
mv libmisc.*a libshadow.*a /usr/lib && | mv /bin/sg /usr/bin &&
cd /usr/lib && | mv /lib/{libmisc.*a,libshadow.*a} /usr/lib &&
ln -s ../../lib/libshadow.so | cd /usr/lib &&
| ln -sf ../../lib/libshadow.so
|
| |
Command Explanations: | Command Explanations: |
patch -Np1 -i ../shadow-4.0.3-PAM.patch : This applies the patch. | LDFLAGS="..." ./configure : The linker flags make the shadow programs
aclocal && autoconf && automake : These commands recreate the configure | link against the PAM libraries; they must be entered on the same
and make files after applying the patch. | line as the configure command, since a variable assignment placed
| before a command applies to that command only. (Strictly, -l options
| belong in LIBS rather than LDFLAGS; it works here because libpam is
| a shared library, so link order does not matter.)
./configure --enable-shared : Shadow no longer creates shared libraries | --enable-shared : Shadow no longer creates shared libraries by default, |
by default, so this flag is used. | so this flag is used. |
--with-libpam : Compiles with PAM support | --with-libpam : This flag compiles with PAM support. |
| --without-libcrack : Cracklib will be called through PAM, so we do not |
| need it here. |
ln -sf vipw vigr ... ln -s ../../lib/libshadow.so : These commands fix | ln -sf vipw vigr ... ln -s ../../lib/libshadow.so : These commands fix |
broken links and un-installed libraries. They are also useful for | broken links and un-installed libraries. They are also useful for |
refreshing the time-stamps on the files if you use a time-stamp | refreshing the time-stamps on the files if you use a time-stamp |
sensitive installer (like install-log). | sensitive installer (like install-log). |
| sed ... login.defs : This creates /etc/login.defs from the package's Linux
| template (overwriting an existing one, so save a copy first if you
| have customized it) and makes the mail directory FHS-compliant.
| cp debian/securetty /etc/securetty : This creates the securetty file; with
| pam_securetty.so in the login stack, root may log in only from the
| terminals it lists.
| |
Please note: We no longer need the 'limits' and 'login.access' files in | Please note: We no longer need the 'limits' and 'login.access' files in |
/etc since PAM will handle these functions. You may safely delete these | /etc since PAM will handle these functions. You may safely delete these |
| |
CONSOLE_GROUPS (pam_groups.so) | CONSOLE_GROUPS (pam_groups.so) |
ENVIRON_FILE (pam_env.so) | ENVIRON_FILE (pam_env.so) |
| |
If you are using the pam_securetty.so module, create the /etc/securetty | |
file as follows. Please note that you only need entries for ttys you | |
have available. I prefer being able to expand later without having | |
to remember to update this file as well, so I include the extra ttys. | |
| |
cat > /etc/securetty << "EOF" | |
tty1 | |
tty2 | |
tty3 | |
tty4 | |
tty5 | |
tty6 | |
tty7 | |
tty8 | |
tty9 | |
tty10 | |
tty11 | |
tty12 | |
EOF | |
| |
Several people have noticed a small problem with pam_issue.so. | Several people have noticed a small problem with pam_issue.so. |
Specifically, if you enter the correct password the first time, the login | Specifically, if you enter the correct password the first time, the login |
fails, even if pam_issue is set to optional. However, if the wrong password | fails, even if pam_issue is set to optional. However, if the wrong password |
| |
anyone knows how to fix this, please let me know. | anyone knows how to fix this, please let me know. |
| |
If you want to use the access or limits modules (among others), you can edit | If you want to use the access or limits modules (among others), you can edit |
the configuration files in /etc/security/. Currently, my files are still | the configuration files in /etc/security/. Currently, my files are still
fully commented out (the default), so I'm not much help for suggestions | fully commented out (the default), so I'm not much help for suggestions |
on those. If anyone is using these files, I would love to hear from | on those. If anyone is using these files, I would love to hear from |
them, though. | them, though. |
| |
interface with PAM as 'shadow' instead of their own program name. | interface with PAM as 'shadow' instead of their own program name. |
| |
| |
| TROUBLE |
| ======= |
| Here are a couple of problems that came up while I was installing the above
| programs myself. Just in case you run into these problems yourself, here
| are some tips to help you resolve them. Of course, you will not need
| these because everything will work great the first time. ;-)
| |
| Cracklib Seg Fault: |
| With a large dictionary file, cracklib gave a segmentation fault the |
| second time I tried to change a password. (The first time worked.) |
| To fix this, I ran the script create_cracklib_dict, as listed below (I |
| was using the 'cracklib' dictionary at the time): |
| |
| create_cracklib_dict /usr/share/dict/cracklib |
| |
| This command rebuilt the cracklib dictionary files and cracklib worked |
| fine the next time I changed a password. Then it crashed again the |
| following time. However, when I ran the above command with the |
| 'allwords' dictionary listed above, cracklib worked and has worked since. |
| |
| As noted above, this error may be a result of my computer's limited RAM |
| and swap space. Other people have stated that the cracklib dictionary |
| has worked fine for them. |
| |
| Incorrect Root Password: |
| Later, due to a misconfiguration, I found myself unable to log in as root. |
| To fix this, I used a boot disk (the Slackware boot disk, to be exact) |
| which allowed me to log in as root without a password. Once I was |
| logged in, I mounted my LFS system. Then, I renamed the pam.d directory |
| and created a new pam.d directory with only the 'other' file. This |
| temporary file is listed below: |
| |
| # Begin temporary /etc/pam.d/other |
| auth required pam_unix.so nullok |
| account required pam_unix.so |
| session required pam_unix.so |
| password required pam_unix.so nullok
| # End temporary /etc/pam.d/other |
| |
| I also edited my /etc/passwd file (after making a backup, of course) and |
| removed the password field for root. After rebooting, I was able to log |
| in as root without a password. Then, I copied my original pam.d directory |
| back in place and changed the root password, testing the configuration |
| in another virtual terminal. |
| |
| |
| OTHER PROGRAMS |
| ============== |
| |
| The main reason to install PAM (at least for me) was so that different |
| programs could use it. Below are a few programs that utilize PAM, as |
| well as instructions on how to compile PAM support into them.
| |
| SSH: |
| OpenSSH (from http://www.openssh.com/) has a compile option for PAM. |
| Simply specify the --with-pam flag when you run the configure script. |
| The PAM configuration file I use for ssh is almost identical to the one
| used for login, with one exception: the securetty line is removed (so we
| can log in through ssh from anywhere). Whether root may log in over ssh is
| then decided by the PermitRootLogin setting in sshd_config, not by
| pam_securetty. For simplicity's sake, the file is listed below:
| |
| /etc/pam.d/sshd: |
| # Begin /etc/pam.d/sshd |
| auth requisite pam_nologin.so |
| auth required pam_env.so |
| auth required pam_unix.so |
| account required pam_access.so |
| account required pam_unix.so |
| session required pam_motd.so |
| session required pam_limits.so |
| session optional pam_mail.so dir=/var/mail standard |
| session optional pam_lastlog.so |
| session required pam_unix.so |
| # End /etc/pam.d/sshd |
| |
| PPPD: |
| Another program that is useful if you use a modem (including DSL) is |
| the pppd program (available from http://www.samba.org/ppp/). To enable |
| PAM in pppd, simply add the USE_PAM=y flag after the make command.
| My configuration file for ppp is sparse compared to sshd and login,
| simply because I do not use ppp except to dial out. The configuration |
| file for pppd is listed below: |
| |
| /etc/pam.d/ppp: |
| # Begin /etc/pam.d/ppp |
| auth requisite pam_nologin.so
| auth required pam_unix.so |
| account required pam_unix.so |
| session required pam_unix.so |
| # End /etc/pam.d/ppp |
| |
| Please note that the file is called ppp, not pppd. This is because the |
| ppp daemon uses "ppp" to interface with PAM instead of "pppd." |
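The temporary /etc/pam.d/other in the TROUBLE section and the sshd and ppp
stacks above are exactly the kind of file where a one-character slip in a
module name locks you out, which is why the introduction says to test in a
second virtual terminal before ending your session. The following is an
added example (mine, not part of the hint or of Linux-PAM): a small POSIX
sh linter for one service file. It checks the type and control words, that
the module name has the pam_*.so form, that the module file exists in
$PAM_MODDIR (assumed to default to /lib/security, where Linux-PAM 0.75
installs its modules; the check is skipped if that directory is absent),
and it warns about nullok. The demo function runs it on constructed input
containing a misspelled module (pam.unix.so) and a module that does not
exist (pam_nologon.so), beside a clean stack, against a constructed module
directory rather than the real one.

```shell
#!/bin/sh
# pamlint: sanity-check a Linux-PAM service file before you log out.
# Added example, not part of the hint. Assumes modules live in $PAM_MODDIR
# (default /lib/security, where Linux-PAM 0.75 installs them); the existence
# check is skipped when that directory is absent. Bracketed control values
# ([success=ok ...]) are accepted without further checking.
#
# Usage: pamlint FILE
#   diagnostics go to stderr; the exit status is the number of hard errors
#   (capped at 255). The nullok warning does not count as an error.
pamlint() {
    pl_file=$1
    pl_moddir=${PAM_MODDIR:-/lib/security}
    pl_errors=0
    pl_lineno=0
    while IFS= read -r pl_line || [ -n "$pl_line" ]; do
        pl_lineno=$((pl_lineno + 1))
        # Split on whitespace: type control module [arguments...]
        set -- $pl_line
        if [ $# -eq 0 ]; then continue; fi          # blank line
        case "$1" in \#*) continue ;; esac          # comment
        if [ $# -lt 3 ]; then
            echo "$pl_file:$pl_lineno: expected 'type control module [args]'" >&2
            pl_errors=$((pl_errors + 1))
            continue
        fi
        case "$1" in
            auth|account|password|session) ;;
            *) echo "$pl_file:$pl_lineno: unknown type '$1'" >&2
               pl_errors=$((pl_errors + 1)) ;;
        esac
        case "$2" in
            required|requisite|sufficient|optional|\[*) ;;
            *) echo "$pl_file:$pl_lineno: unknown control '$2'" >&2
               pl_errors=$((pl_errors + 1)) ;;
        esac
        case "$3" in
            pam_*.so) ;;
            *) echo "$pl_file:$pl_lineno: '$3' is not a pam_*.so module name" >&2
               pl_errors=$((pl_errors + 1)) ;;
        esac
        if [ -d "$pl_moddir" ] && [ ! -f "$pl_moddir/$3" ]; then
            echo "$pl_file:$pl_lineno: $3 not found in $pl_moddir" >&2
            pl_errors=$((pl_errors + 1))
        fi
        shift 3
        for pl_opt in "$@"; do
            if [ "$pl_opt" = nullok ]; then
                echo "$pl_file:$pl_lineno: warning: nullok lets empty passwords through" >&2
            fi
        done
    done < "$pl_file"
    if [ "$pl_errors" -gt 255 ]; then pl_errors=255; fi
    return "$pl_errors"
}

# Demo on constructed input (not real system files): a stack with a misspelled
# module (pam.unix.so) and one that does not exist (pam_nologon.so), beside a
# clean stack, both checked against a constructed module directory.
pamlint_demo() {
    pl_tmp=$(mktemp -d)
    mkdir "$pl_tmp/security"
    for pl_m in pam_unix pam_nologin pam_env; do
        : > "$pl_tmp/security/$pl_m.so"
    done
    cat > "$pl_tmp/bad" << "EOF"
# constructed example, two deliberate slips
auth     required   pam_unix.so nullok
account  required   pam_unix.so
session  required   pam_unix.so
password required   pam.unix.so nullok
auth     requisite  pam_nologon.so
EOF
    cat > "$pl_tmp/good" << "EOF"
auth     requisite  pam_nologin.so
auth     required   pam_env.so
auth     required   pam_unix.so
account  required   pam_unix.so
password required   pam_unix.so
session  required   pam_unix.so
EOF
    PAM_MODDIR=$pl_tmp/security
    pl_bad=0;  pamlint "$pl_tmp/bad"  2>/dev/null || pl_bad=$?
    pl_good=0; pamlint "$pl_tmp/good" 2>/dev/null || pl_good=$?
    rm -rf "$pl_tmp"
    unset PAM_MODDIR
    echo "bad=$pl_bad good=$pl_good"      # -> bad=3 good=0
}
```

Run it as `pamlint /etc/pam.d/login` (and once per service file) from the
terminal you are still logged in on; the misspelled module counts twice
(bad name, and no such file), the missing module once, so the constructed
bad stack reports three errors while the clean one reports none.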
| |
| |
CLOSING | CLOSING |
======= | ======= |
Many thanks to Yannick Tousignant for writing the previous pam hint and | Many thanks to Yannick Tousignant for writing the previous pam hint and |
helping me get my foot in the door. And of course, thanks to Gerard | helping me get my foot in the door. And of course, thanks to Gerard |
Beekmans and the rest of the LFS crew. | Beekmans and the rest of the LFS crew. |
| |
| Also, thanks to the following individuals for their contributions: |
| Thien Vu |
| Adrian Woffenden |
| |
If you need additional help, be sure to check out the Linux-PAM manuals | If you need additional help, be sure to check out the Linux-PAM manuals |
at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/ | at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/ |