PAM oil 4.0.1 and goodies

tchiwam tchiwam at invers.fi
Sat Jan 12 22:15:55 PST 2002


#######################################################
#
# LFS CVS (20020109)
#
# Original Authors
# 	Jeffrey Allen Neitzel <jan at belvento.org> hint shadow_plus
#	Scott Alfter <salfter at salfter.dyndns.org> hint shadow4
#  	??? f.fracassi at gmx.net LFS pam+md5 hint ?
#
# Merging all the stuff:
#	Philippe Trottier <bj-45 at netsonic.fi>
#
#  What I did here: I combined the PAM, shadow+ and shadow4 hints,
# added libcrack and some dictionaries, and migrated the whole thing to
# Shadow 4.0.1. Some text has been cut and pasted here.
#
# My platform was an Apple 9500 750PPC-200MHz, and so far it works;
# my guess is it would work on many other platforms.
#
# When you get to the Shadow password part of the LFS book, do this
# instead.
#
# Information:
# 	http://hints.linuxfromscratch.org/hints/shadowpasswd_plus.txt
# 	http://hints.linuxfromscratch.org/hints/shadow4.txt
#
# Sources:
#  	Shadow password    ftp://ftp.pld.org.pl/software/shadow/
#       Linux-Pam          http://www.kernel.org/pub/linux/libs/pam/
#	cracklib    	   http://www.users.dircon.co.uk/~crypto/
#	Dict               ftp://ftp.cerias.purdue.edu/pub/dict
#	Dict               ftp://ftp.ox.ac.uk/pub/wordlists
#
# /usr/src/PACKAGES/SOURCE is where I put all the big tar balls
#



##############################################
#
# Set dictionaries in /usr/share/dict
#
#

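# Put the word lists into /usr/share/dict, where cracklib's Makefile
# (SRCDICTS, see below) expects to find them. Chained with && so a failed
# mkdir/cd cannot leave cp and gunzip running in whatever directory we
# happened to be in. The downloaded lists are compress(1)'d (*.Z), which
# gunzip understands.
mkdir -p /usr/share/dict &&
cd /usr/share/dict &&
cp -- /usr/src/PACKAGES/SOURCE/words.* . &&
gunzip *.Z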

#################################################
#
# Installing cracklib_2.7
#

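# Build cracklib from /usr/src, where the tarballs live. The previous step
# left us in /usr/share/dict, so without this cd the relative
# PACKAGES/SOURCE path would not resolve.
cd /usr/src &&
tar -zxf PACKAGES/SOURCE/cracklib_2.7.tgz &&
cd cracklib,2.7/ &&
# Interactive step: set SRCDICTS=/usr/share/dict/words.<language> in the
# Makefile so the dictionary built here is generated from the word list
# installed above.
vi Makefile &&
make all &&
make install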

##########################################
#
# Installing LibPAM-0.75
#
#

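	# Build and install Linux-PAM with its defaults; the modules end up under
	# /lib/security, which is the path the pam.d files below spell out.
	# Chained with && so a failed step stops the sequence instead of
	# installing a half-built tree. cd /usr/src first because the
	# PACKAGES/SOURCE path is relative to it.
	cd /usr/src &&
	tar -zxf PACKAGES/SOURCE/Linux-PAM-0.75.tar.gz &&
	cd Linux-PAM-0.75/ &&
	./configure &&
	make &&
	make install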


#########################################
#
# Configuring LibPAM
#
#

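# PAM stack for the "login" service. Modules are given by absolute path under
# /lib/security, where the Linux-PAM build above installs them.
# The auth line carries no "nullok", so an account whose password field is
# empty cannot log in through this stack; the "nullok" on the password line
# only affects password changes. "shadow" makes pam_unix use /etc/shadow and
# "md5" stores new hashes as MD5-crypt rather than DES-crypt.
# NOTE(review): there is no pam_securetty / pam_nologin entry here, so root
# tty restrictions and /etc/nologin handling are not enforced by PAM — confirm
# whether shadow's PAM-enabled login still performs those checks itself.
# mkdir -p guards against Linux-PAM's install not having created /etc/pam.d.
mkdir -p /etc/pam.d &&
cat > /etc/pam.d/login << "EOF"
# /etc/pam.d/login
auth     required       /lib/security/pam_unix_auth.so
account  required       /lib/security/pam_unix_acct.so
password required       /lib/security/pam_unix_passwd.so nullok shadow md5
session  required       /lib/security/pam_unix_session.so
# END /etc/pam.d/login
EOF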

# PAM stack for "passwd": only a password (change-authtok) line is needed.
# The bare module name is resolved against PAM's default module directory,
# presumably the same /lib/security the login stack spells out — the split
# pam_unix_*.so names used there and pam_unix.so here should be the same code,
# but confirm against the Linux-PAM 0.75 install. "shadow" makes pam_unix
# read and write /etc/shadow, "md5" stores new hashes as MD5-crypt, and
# "nullok" lets an account with an empty password field go through the change.
cat <<'EOF' >/etc/pam.d/passwd
# /etc/pam.d/passwd
password   required   pam_unix.so nullok shadow md5
# END /etc/pam.d/passwd
EOF

# PAM stack for the "shadow" service — presumably the service name the
# shadow suite's administration tools (useradd, groupadd, ...) start PAM
# with; confirm against the shadow-4.0.1 sources. pam_rootok succeeds only
# when the calling uid is 0, so any non-root invocation fails at auth;
# account and password then always pass via pam_permit. No session line is
# defined, so a session call from this service would fall through to
# /etc/pam.d/other.
printf '%s\n' \
  '# /etc/pam.d/shadow' \
  'auth     required       /lib/security/pam_rootok.so' \
  'account  required       /lib/security/pam_permit.so' \
  'password required       /lib/security/pam_permit.so' \
  '# END /etc/pam.d/shadow' >/etc/pam.d/shadow

# Default stack for any PAM service that has no file of its own: pam_warn
# records the attempt in the system log, then pam_deny refuses it for every
# management group. This is the fail-closed default you want, but it also
# means a PAM-aware program without its own file is unusable — e.g. su from
# shadow-4.0.1, if its configure picked up libpam, since no /etc/pam.d/su is
# created in this hint. Add a per-service file before relying on such a
# program rather than loosening this one.
cat <<'EOF' >/etc/pam.d/other
# /etc/pam.d/other
auth     required       /lib/security/pam_warn.so
auth     required       /lib/security/pam_deny.so
account  required       /lib/security/pam_deny.so
password required       /lib/security/pam_warn.so
password required       /lib/security/pam_deny.so
session  required       /lib/security/pam_deny.so
# END /etc/pam.d/other
EOF

#################################################################
#
# Installing Shadow-4.0.1
# Estimated build time:           3 minutes
# Estimated required disk space:  6 MB
#
#

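# Build and install shadow-4.0.1. The first three steps are now part of the
# && chain: previously a missing tarball or failed cd would have run
# ./configure and make install in /usr/src (or whatever the cwd was).
cd /usr/src &&
tar -jxf PACKAGES/SOURCE/shadow-4.0.1.tar.bz2 &&
cd shadow-4.0.1/ &&
./configure --prefix=/usr &&
make &&
make install &&
cd etc &&
# limits and login.access are shadow's own access-control files.
# NOTE(review): with a PAM-enabled login, /etc/login.access is presumably
# not consulted (pam_access would be the PAM-side equivalent) — confirm.
cp limits login.access /etc &&
# Generate /etc/login.defs from the shipped template: move the mail spool to
# /var/mail, and uncomment/enable MD5_CRYPT_ENAB so new passwords are stored
# as MD5-crypt hashes instead of DES-crypt.
sed -e 's%/var/spool/mail%/var/mail%' \
    -e 's%^#MD5_CRYPT_ENAB.*no%MD5_CRYPT_ENAB yes%' login.defs.linux \
   > /etc/login.defs &&
# Move the static/libtool libs to /usr/lib, keep the shared object in /lib
# (needed before /usr may be mounted), and point /usr/lib's libshadow.so at it.
cd /lib &&
mv libshadow.a /usr/lib &&
mv libshadow.la /usr/lib &&
ln -sf libshadow.so.0 libshadow.so &&
cd /usr/lib &&
ln -sf ../../lib/libshadow.so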

# vigr is provided as a symlink to vipw; give it its program link and its
# man page link. The cds are kept so the chain ends in the same directory.
cd /usr/sbin && ln -sf vipw vigr &&
cd /usr/share/man/man8 && ln -sf vipw.8 vigr.8

# To be done on new systems
#
# /usr/sbin/groupadd users
# /usr/sbin/useradd -g users joe
# /usr/bin/passwd joe

#
# Restrict permissions on /bin/login and /bin/su.
# Refer to [1] below for an explanation of why.
#
# Before restricting su to a privileged group, you must first create this
# group with groupadd (see man 8 groupadd) or vigr. For example, replace
# "admin" below with whatever group name you chose to use. Then be sure to
# add yourself, or whoever this privileged user is, to your newly created
# "admin" group. Then run the following commands.
# login is only ever started by root (getty), so nobody else needs to reach it.
# For su, "o-rx" strips only the "other" bits, so the set-uid bit su relies on
# is left in place while only members of "admin" can execute it. The grouping
# makes the fail-safe explicit: if the group does not exist, chgrp fails and
# su's mode is never touched, leaving it exactly as installed.
chmod -c 0700 /bin/login &&
{ chgrp -c admin /bin/su && chmod -c o-rx /bin/su; }

# Some other programs that should be restricted.
# Refer to [2] below for explanation of why.
#
# The following will remove group/other execute permissions from these programs.
# Since only root can effectively use any of these, you might as well make them
# 0700 and be done with it. Then the privileged user can su to root and do
# user administration.
# Collect the root-only administration tools (the globs expand relative to
# /usr/sbin after the cd) and drop read and execute for group and other in a
# single chmod; "-c" reports each file whose mode actually changed.
cd /usr/sbin &&
admin_tools=(chpasswd dpasswd group* grp[cu]* logoutd
             mkpasswd newusers pw[cu]* user* vipw) &&
chmod -c go-rx "${admin_tools[@]}"


####################################
#
# Configuring Shadow Password Suite
#
# Create /etc/shadow from /etc/passwd, moving the password hashes out of the
# world-readable file; this must run after the PAM and login.defs setup above
# so the md5/shadow options refer to a file that exists. NOTE(review): no
# grpconv step is run here, so any group passwords remain in /etc/group —
# consider it if shadow was built with gshadow support.
/usr/sbin/pwconv


