Shadow's Configuration File
/etc/login.defs
Enabling MD5 Passwords
To enable MD5 Passwords, modify the line in the login.defs file that reads:
#MD5_CRYPT_ENAB no |
MD5_CRYPT_ENAB yes |
Passwords created after this change will be encrypted using MD5 instead of using DES encryption.
shadow requires: Linux_PAM-0.77 |
Download the patch for shadow from http://downloads.linuxfromscratch.org/blfs-patches.
Reinstall shadow by running the following commands:
patch -Np1 -i ../shadow-4.0.3.patch &&
autoconf &&
LDFLAGS="-lpam -lpam_misc" ./configure --prefix=/usr --enable-shared --with-libpam &&
make &&
make install &&
rm /bin/vipw &&
rm /bin/sg &&
mv /lib/{libmisc.*a,libshadow.*a} /usr/lib &&
mv /lib/{libmisc.so,libshadow.so} /usr/lib &&
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so &&
cp debian/securetty /etc/securetty |
cp debian/securetty /etc/securetty : This command sets the tty's that allow logins through PAM.
/etc/pam.d/login, /etc/pam.d/passwd, /etc/pam.d/su, /etc/pam.d/shadow, /etc/pam.d/useradd
Add the following PAM configuration files to /etc/pam.d (or add them to /etc/pam.conf with the additional field for the program).
cat > /etc/pam.d/login << "EOF" # Begin /etc/pam.d/login auth requisite pam_securetty.so auth requisite pam_nologin.so auth required pam_env.so auth required pam_unix.so account required pam_access.so account required pam_unix.so session required pam_motd.so session required pam_limits.so session optional pam_mail.so dir=/var/mail standard session optional pam_lastlog.so session required pam_unix.so # End /etc/pam.d/login EOF cat > /etc/pam.d/passwd << "EOF" # Begin /etc/pam.d/passwd password required pam_unix.so md5 shadow # End /etc/pam.d/passwd EOF cat > /etc/pam.d/shadow << "EOF" # Begin /etc/pam.d/shadow auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session required pam_unix.so password required pam_permit.so # End /etc/pam.d/shadow EOF cat > /etc/pam.d/su << "EOF" # Begin /etc/pam.d/su auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session required pam_unix.so # End /etc/pam.d/su EOF cat > /etc/pam.d/useradd << "EOF" # Begin /etc/pam.d/useradd auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session required pam_unix.so password required pam_permit.so # End /etc/pam.d/useradd EOF cat > /etc/pam.d/chage << "EOF" # Begin /etc/pam.d/chage auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session required pam_unix.so password required pam_permit.so # End /etc/pam.d/chage EOF |
Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use programs that do not specifically have a configuration file of their own. After testing PAM for proper configuration, it can be changed to the following:
cat > /etc/pam.d/other << "EOF" # Begin /etc/pam.d/other auth required pam_deny.so auth required pam_warn.so account required pam_deny.so session required pam_deny.so password required pam_deny.so password required pam_warn.so # End /etc/pam.d/other EOF |
Finally, edit /etc/login.defs by adding '#' to the beginning of the following lines:
DIALUPS_CHECK_ENAB LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS ENVIRON_FILE |
This stops login from performing these functions, as they will now be performed by PAM modules.