Shadow configuration files
/etc/login.defs
Enabling MD5 passwords
Edit login.defs to enable MD5 passwords:
#MD5_CRYPT_ENAB no
MD5_CRYPT_ENAB yes
After this change, passwords set from then on are hashed with MD5-crypt instead of traditional DES crypt. Only passwords changed after the edit are affected: existing DES entries in /etc/shadow keep their old hash until the user's password is changed. Note also that once shadow is built against Linux-PAM (as below), passwd hands the work to PAM and the hash scheme is selected by the md5 option on pam_unix.so in /etc/pam.d/passwd rather than by this setting; that is why MD5_CRYPT_ENAB is commented out again at the end of this page.
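As an added example (not part of the BLFS page), the following POSIX sh script tells the two hash formats apart in a shadow-format file, so that accounts still carrying a DES hash after the switch can be found and their passwords changed. The sample shadow entries are constructed dummy values, not real credentials, and the file name SAMPLE_SHADOW is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the BLFS page: classify the hash scheme of every
# entry in a shadow-format file, so that accounts still carrying a DES hash
# after MD5 is enabled can be found and their passwords changed.

# Classify one shadow password field. Traditional DES crypt output is exactly
# 13 characters from the set [./0-9A-Za-z]; every modern crypt scheme starts
# with a "$id$" prefix ($1$ = MD5-crypt, $5$ = SHA-256, $6$ = SHA-512).
shadow_hash_type() {
    f=$1
    case "$f" in
        ''|'!'*|'*'*) echo locked-or-empty ;;   # no password, or locked with ! / *
        '$1$'*)  echo md5 ;;
        '$5$'*)  echo sha256 ;;
        '$6$'*)  echo sha512 ;;
        '$'*)    echo other-crypt ;;
        *)
            if [ "${#f}" -eq 13 ] && [ -z "$(printf '%s' "$f" | tr -d './0-9A-Za-z')" ]; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# Print "user hash-type" for each line of the shadow-format file $1.
shadow_report() {
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(shadow_hash_type "$pw")"
    done < "$1"
}

# Print only the users whose password is still DES-hashed.
des_users() {
    shadow_report "$1" | awk '$2 == "des" { print $1 }'
}

# Constructed sample (dummy hashes, not real credentials): one MD5-crypt
# entry, one DES entry and one locked system account.
SAMPLE_SHADOW="${TMPDIR:-/tmp}/shadow.sample.$$"
make_sample() {
    printf '%s\n' \
        'root:$1$Qx7vS0Qe$3pGZ5vM0pIuGkfAoi9nLZ.:12345:0:99999:7:::' \
        'alice:aB3dEfGh1jKl2:12345:0:99999:7:::' \
        'daemon:*:12345:0:99999:7:::' > "$SAMPLE_SHADOW"
}

make_sample
shadow_report "$SAMPLE_SHADOW"
echo "still DES: $(des_users "$SAMPLE_SHADOW" | tr '\n' ' ')"
# On a real system run, as root:  des_users /etc/shadow
```

Run it as root against /etc/shadow after enabling MD5; any user it lists still has a DES hash and should be made to change their password (for example with chage -d 0).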
shadow depends on: Linux_PAM-0.77
Download the shadow patch from http://downloads.linuxfromscratch.org/blfs-patches.
Reinstall shadow with the following commands:
patch -Np1 -i ../shadow-4.0.3.patch &&
autoconf &&
LDFLAGS="-lpam -lpam_misc" ./configure --prefix=/usr --enable-shared --with-libpam &&
make &&
make install &&
rm /bin/vipw &&
rm /bin/sg &&
mv /lib/{libmisc.*a,libshadow.*a} /usr/lib &&
mv /lib/{libmisc.so,libshadow.so} /usr/lib &&
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so &&
cp debian/securetty /etc/securetty
Add the following PAM configuration files to /etc/pam.d (or put the same lines into /etc/pam.conf together with your other settings):
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login
auth      requisite  pam_securetty.so
auth      requisite  pam_nologin.so
auth      required   pam_env.so
auth      required   pam_unix.so
account   required   pam_access.so
account   required   pam_unix.so
session   required   pam_motd.so
session   required   pam_limits.so
session   optional   pam_mail.so dir=/var/mail standard
session   optional   pam_lastlog.so
session   required   pam_unix.so
# End /etc/pam.d/login
EOF

cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password  required   pam_unix.so md5 shadow
# End /etc/pam.d/passwd
EOF

cat > /etc/pam.d/shadow << "EOF"
# Begin /etc/pam.d/shadow
auth      sufficient pam_rootok.so
auth      required   pam_unix.so
account   required   pam_unix.so
session   required   pam_unix.so
password  required   pam_permit.so
# End /etc/pam.d/shadow
EOF

cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su
auth      sufficient pam_rootok.so
auth      required   pam_unix.so
account   required   pam_unix.so
session   required   pam_unix.so
# End /etc/pam.d/su
EOF

cat > /etc/pam.d/useradd << "EOF"
# Begin /etc/pam.d/useradd
auth      sufficient pam_rootok.so
auth      required   pam_unix.so
account   required   pam_unix.so
session   required   pam_unix.so
password  required   pam_permit.so
# End /etc/pam.d/useradd
EOF

cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage
auth      sufficient pam_rootok.so
auth      required   pam_unix.so
account   required   pam_unix.so
session   required   pam_unix.so
password  required   pam_permit.so
# End /etc/pam.d/chage
EOF
At this point /etc/pam.d/other is set up so that anyone with an account can use any PAM-aware program that has no configuration file of its own. Once you have tested that the PAM configuration above works, tighten the fallback so that such programs are denied by default:
cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other
auth      required   pam_deny.so
auth      required   pam_warn.so
account   required   pam_deny.so
session   required   pam_deny.so
password  required   pam_deny.so
password  required   pam_warn.so
# End /etc/pam.d/other
EOF
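The deny-by-default file above uses required rather than requisite for pam_deny.so on purpose: a required failure is recorded but the rest of the stack still runs, so pam_warn.so gets to log the attempt before the denial is returned; with requisite the stack would stop at pam_deny.so and nothing would be logged. As an added example (not part of the BLFS page), the following POSIX sh script checks that a PAM service file is fail-closed in this sense, that is, that every management group (auth, account, password, session) contains a pam_deny.so line with control required or requisite. The two sample files it builds are constructed for the example; the names DENY_FILE and PERMIT_FILE are assumptions, and the permissive sample is only modelled on what an untightened other file looks like.

```shell
#!/bin/sh
# Added example, not from the BLFS page: check that a PAM service file is
# fail-closed, i.e. every management group (auth, account, password, session)
# carries a pam_deny.so line with control required or requisite. Meant for
# /etc/pam.d/other, the fallback used by any PAM-aware program that has no
# file of its own.

# Print the management groups of file $1 that lack a required/requisite
# pam_deny.so line. Output is empty when the file is fail-closed.
pam_missing_deny() {
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }       # skip comments and short lines
        ($2 == "required" || $2 == "requisite") && $3 ~ /(^|\/)pam_deny\.so$/ { seen[$1] = 1 }
        END {
            n = split("auth account password session", want, " ")
            for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i]
        }' "$1"
}

# Return 0 if $1 is fail-closed, 1 otherwise (missing groups on stdout).
pam_fail_closed() {
    missing=$(pam_missing_deny "$1")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed samples: the deny-by-default file from the page, and a
# permissive one (assumed shape) that lets any valid account through.
DENY_FILE="${TMPDIR:-/tmp}/pam-other-deny.$$"
PERMIT_FILE="${TMPDIR:-/tmp}/pam-other-permit.$$"
make_samples() {
    cat > "$DENY_FILE" << "EOF"
# Begin /etc/pam.d/other
auth      required  pam_deny.so
auth      required  pam_warn.so
account   required  pam_deny.so
session   required  pam_deny.so
password  required  pam_deny.so
password  required  pam_warn.so
# End /etc/pam.d/other
EOF
    cat > "$PERMIT_FILE" << "EOF"
auth      required  pam_unix.so
account   required  pam_unix.so
password  required  pam_unix.so
session   required  pam_unix.so
EOF
}

make_samples
for f in "$DENY_FILE" "$PERMIT_FILE"; do
    if pam_fail_closed "$f" > /dev/null; then
        echo "$f: fail-closed"
    else
        echo "$f: NOT fail-closed, pam_deny.so missing from: $(pam_missing_deny "$f" | tr '\n' ' ')"
    fi
done
# On a real system:  pam_fail_closed /etc/pam.d/other
```

Point pam_fail_closed at /etc/pam.d/other on the target host; a non-zero exit with the list of open groups means a PAM-aware program without its own file would still be able to authenticate through the fallback.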
Finally, edit /etc/login.defs and comment out the following lines by putting a # at the start of each:
DIALUPS_CHECK_ENAB
LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE
This turns off the shadow utilities' own implementation of these login-time features, which are now handled by the PAM modules configured above (for example pam_securetty.so for CONSOLE, pam_motd.so for MOTD_FILE, pam_nologin.so for NOLOGINS_FILE, pam_lastlog.so for LASTLOG_ENAB, and the md5 option of pam_unix.so for MD5_CRYPT_ENAB).