Linux Shadow Password HOWTO
Michael H. Jackson, mhjack@tscnet.com
v1.3, 1996N43ú
¡´PÃ, fujiwara@linux.or.jp
±Ì¶Í Linux ÌpX[hð shadow »·é Shadow Suit ÌüèAC
Xg[yÑÝèÌû@É¢ÄྷéàÌÅ·BܽA[UÌpX[
hFØðs¤\tgEFAâf[Ì(Ä)CXg[É¢ÄàðàµÜ
·B±êçÌvOÍ Shadow Suit ÌêÅÍ èܹñªAShadow
Suit ðT|[g·é½ßÉÍÄRpC·éKvª èÜ·BܽA±Ì
¶ÉÍ shadow pX[hðT|[g·évOÌáà¢Ä èÜ
·B«ÌüèÅÍæ·©êé¿âÖÌñà³çÉÁ¦éÂàèÅ·B
______________________________________________________________________
Ú
1. ͶßÉ
1.1 ÈOÌÅ©çÌÏX_
1.2 ±Ì¶ÌÅVÅÉ¢Ä
1.3 tB[hobN
2. shadow pX[hðg¤×«R
2.1 shadow pX[hðgíÈ¢Ù¤ªÇ¢ê
2.2 /etc/passwd t@CÌtH[}bg
2.3 shadow t@CÌtH[}bg
2.4 crypt(3) ÌTv
3. Shadow Suite Ìüè
3.1 Linux pÌ Shadow Suite Ìðj
3.2 Shadow Suite Ìüè
3.3 Shadow Suite ÉͽªÜÜêÄ¢é©
4. vOÌRpC
4.1 A[JCuÌWJ
4.2 config.h ÉæéÝè
4.3 ³ÌvOÌobNAbvÌì¬
4.4 Make ÌÀs
5. CXg[
5.1 VXejóÉõ¦ÄÌu[gfBXNì¬
5.2 d¡·éIC}j
AÌí
5.3 make install ÌÀs
5.4 pwconv ÌÀs
5.5 npasswd Æ nshadow Ìl[
6. AbvO[h·é©pb`ðÄéKvª évO
6.1 Slackware adduser program
6.2 wu_ftpd T[o
6.3 WÌ ftpd
6.4 pop3d (Post Office Protocol 3)
6.5 xlock
6.6 xdm
6.7 sudo
6.8 imapd (E-Mail [pine pbP[W])
6.9 pppd (PPP vgRT[o)
7. Shadow Suite ðgÁÄÝé
7.1 [UÌÇÁAÏXAí
7.1.1 useradd
7.1.2 usermod
7.1.3 userdel
7.2 passwd R}hÆpX[hÌúÀÝè
7.3 login.defs t@C
7.4 O[vÌpX[h
7.5 êÑ«ð`FbN·évO
7.5.1 pwck
7.5.2 grpck
7.6 _CAAbvEpX[h
8. CvOð Shadow Suite Éγ¹éû@
8.1 wb_t@C
8.2 libshadow.a Cu
8.3 Shadow \¢Ì
8.4 Shadow T|[g̽ßÌÖ
8.5 áè
9. æ·©êé¿â(Frequently Asked Questions).
10. Copyright Message(ì \¦)
11. »Ì¼ / Ó«
12. óÒæè
______________________________________________________________________
1. ͶßÉ
±Ì¶Í Linux Shadow-Password-HOWTO Å·B±Ì¶Í Linux VXe
ÉȺ shadow pX[hð±ü·éÌ©AܽÇÌæ¤É±ü·éÌ©ðà
¾µÜ·BShadow Suite Ì@\Ìp@É¢ÄÌà¾à èÜ·B
Shadow Suite ðCXg[·éâA[eBeBðg¤ÉÍ root
ÅȯêÎÈèܹñBShadow Suite ðCXg[·éÛÉÍVXeÌ
î²\tgEFAÌÏXªsíêéÌÅAãÅྷéæ¤ÉobNAbvð
æé׫ŷBܽìÆðnßéOÉÍA±ê©çs¤à¾ð·×ÄÇÝA
ðµÄ¨×«Åµå¤B
1.1. ÈOÌÅ©çÌÏX_
ÇÁ:
shadow pX[hðCXg[µÈ¢Ù¤ªæ¢êÉ¢ÄÌßðÇÁ
xdm ÌXVÉ¢ÄÌßðÇÁ
Shadwo Sutie Ì®ì̳¹©½É¢ÄÌÍðÇÁ
æ·©êé¿âÉ¢ÄÌÍðÇÁ
ù³/XV:
Sunsite Ì html ÖÌQÆðù³
wu-ftp ÌÍÅ Makefile É -lshadow ð Makefile ÉÁ¦éæ¤ù³
ëEÌù³
wu-ftp ÌÍÅ ELF ðT|[g·éæ¤ÏX
vO'login'Ũ±éZL
eBãÌâèðXV
Marek Michalkiewicz Éæé Linux Shadow Suite ð§·éæ¤XV
1.2. ±Ì¶ÌÅVÅÉ¢Ä
±Ì¶ÌÅVÅÍȺÌTCg©ç anonymous FTP ÅüèÅ«Ü·:
sunsite.unc.edu
/pub/Linux/docs/HOWTO/Shadow-Password-HOWTO
é¢Í:
/pub/Linux/docs/HOWTO/other-formats/Shadow-Password-HOWTO{-html.tar,ps,dvi}.gz
é¢ÍAWWW ðpµÄA Linux Documentation Project Web Server
<http://sunsite.unc.edu/mdw/linux.html> Ì Shadow-Password-HOWTO
<http://sunsite.unc.edu/linux/HOWTO/Shadow-Password-HOWTO.html> Ìy[
W©çüè·é±ÆàÅ«Ü·B
ܽAMÒ(<mhjack@tscnet.com>) ©ç¼Úüè·é±ÆàÅ«Ü·µA
comp.os.linux.answers j
[XO[vÉàe³êÜ·B
±Ì¶Í»ÝÍ Shadow-YYDDMM pbP[WÉàÜÜêéæ¤ÉÈèܵ
½B
ó: ú{êóÌÅVÅÉ¢ÄÍ WWWªpÅ«éÈçÎ JF-INDEX
<http://jf.linux.or.jp/JF/JF-ftp/other-formats/INDEX-JF.html> ©çA
ftp ªpÅ«éÈçÎ jf.linux.or.jp Ì/Linux/JF/fBNgÈÇ©ç
üèÅ«Ü·B
1.3. tB[hobN
Rgâù³AñÄÈÇÍMÒ(Michael H. Jackson
<mhjack@tscnet.com>)ÉÁĺ³¢BtB[hobNð¾çêêÎA»
꾯±Ì¶ð¼·±ÆªÅ«Ü·B Üèlbgj
[XÍ©Ä¢È
¢ÌÅAsïð©Â¯½êÉͼÚ[ðÁĺ³¢B
2. shadow pX[hðg¤×«R
»ÝÍÙÆñÇÌ Linux ÌpbP[WÅÍ Shadow Suite ÍWÅÍCX
g[³êܹñBSlackware 2.3, Slackware 3.0 â¼Ì|s
[Èpb
P[WÅ»¤ÈÁĢܷB±ÌRÌêÂÍIWiÌ Shadow Suite Ì
ì \¦ÍA³¿zzÅÈ¢êÉ¢Äs¾m¾©çÅ·BLinux Í CD-
ROM Ìæ¤ÈzzÉÖÈfBAÖpbP[W»µA±êÉηéñVðó
¯æé±Æªs¢â·¢ GNU Copyright (Copyleft Æà¾íêÜ·ª)ðÌp
µÄ¢Ü·B
»ÝShadow SuiteðeiXµÄ¢é, Marek Michalkiewicz
<marekm@i17linuxb.ists.pwr.wroc.pl> ͳÌìÒ©çAÄzzÌÅ«é
BSD X^CÌì ÌàÆÉ\[XR[hðó¯æÁĢܷB»ÝÍì
ÌâèÍðµÄ¢éÌÅA«ÍWÅ Linux ÌpbP[WÉ Shadow
Suite ªÜÜêé±ÆÉÈéŵå¤B»êÜÅÍA[Uª©ª©gÅC
Xg[µÈ¯êÎÈèܹñB
pbP[Wð CD-ROM ©çCXg[·éêÉÍApbP[W©ÌÍ
Shadow Suite ðCXg[µÈÄàAShadow Suite ÌCXg[ÉK
vÈt@CÍ CD-ROM ÉÜÜêÄ¢é±Æª èÜ·B
µ©µAo[W3.3.1, 3.3.1-2Ì Shadow Suite Æ shadow-mk ÅÍ
login vOÆroot É suid ³ê½vOÅZL
eBãÌâè
ðN±µÜ·BÅ·©çA±êçðgÁÄÍ¢¯Ü¹ñB
KvÈt@CÍ anonymous FTP â WWW ðpµÄüè·é±ÆªÅ«Ü
·B
Shadow Suite ªCXg[³êĢȢ Linux VXeÅÍpX[hð
Üß½[UîñÍ /etc/passwd t@CÉL^³êĢܷBà¿ëñA
pX[hÍû³ê½óÔÅL^³êĢܷBµ©µAÃÌêåÆÉ
¾í¹éƱêÍû(encrypt)ÅÍÈGR[h(encode)É߬Ȣ»
¤Å·Bcrypt(3) ðp¢éê̶ñªóÅ êÎpX[hÍL[É
ÈÁĵܤ©çÅ·B±ÌR©çA±êÈ~̶ÅÍ'û'ÅÍÈ
'GR[h'Ìêðp¢Ü·B
±±ÅpX[hðGR[h·é½ßÉp¢çêéASYÍAZpI
ÉÍPûüÌnbV
ÖƾíêéàÌÅ·B±êÍA éûüÉÍvZµ
â·¢¯êÇA»ÌtûüÌvZÍñíÉﵢƢ¤ASYÅ·BÀ
ÛÌASYÉ¢ÄÌæèÚµ¢à¾Í 2.4ß© crypt(3) Ì}j
A
ðQƵĺ³¢B
[Uª épX[hðß½êA±ÌpX[hÍ_Éßçê
½ salt ÆÄÎêélðp¢ÄGR[h³êÜ·B±¤·é±ÆÅêÂ̶
ñªGR[h³ê½ÊƵÄæè¤éÊÍ 4096 ÊèÉÈèÜ
·Bsalt ÌlÍGR[h³ê½pX[hÆêÉL^³êÜ·B
[UªOCÉpX[hðüÍ·éÆAܸ salt ªGR[h³ê
Ä¢épX[h©çæèo³êÜ·B»µÄAüͳê½pX[hð
salt ðp¢ÄGR[hµÄ»ÌÊðGR[h³ê½¶ñÆärµÜ
·B±êªêvµ½êɳµ¢[UƵÄFصܷB
_ÉGR[h³ê½pX[hðüèµA³ÌpX[hð³·é
±ÆÍvZÌ_©ç¢ïÅ·(sÂ\ÅÍÈ¢)Bµ©µA¡ÈãÌlªg¤
VXeÅÍÈ©ç¸ÌpX[hÍ èÓê½Pê( é¢Í èÓê½
PêðµÏ¦½¾¯ÌàÌ)ÉÈÁĢܷB
NbJ[ͱÌæ¤ÈîðæmÁÄ¢éÌÅ 4096 ÂSÄÌ salt ðp
¢Ä«ÌPêÆægí껤ÈpX[hð 究ßGR[hµÄ¨
«Ü·B»µÄA/etc/passwd É©êÄ¢éGR[hµ½pX[hð±
ÌÊÆärµÜ·B±±Åêv·éà̪©Â©êÎANbJ[ͼlÌ
pX[hðjÁ½±ÆÉÈéí¯Å·B±êÍu«UvÆÄÎêéàÌ
ÅA³KÌFØðó¯¸ÉVXeÉANZX·é½ßÌí
èiÅ·B
é 8 ¶©çÈépX[hÍ A13 ¶©ç¬é 4096 Êè̶ñÌ
Çê©ÉGR[h³êÜ·Bµ½ªÁÄAî{êâÅL¼Æ»êÉÈPÈ
Ï»ð¯½àÌðWßÄìÁ½400,000 êöxÌ«Í 4GB Ìn[hfB
XNÉ\ªûÜéç¢Ì嫳ŷBNbJ[ͱêçð\[gµÄ¨
«A /etc/passwd ̶ñÆêv·é©Ç¤©ð²×龯Åæ¢ÌÅ
·B4GB Ìn[hfBXNÍ 1,000 hȺŦéç¢Å·©çAåï
ÌNbJ[ÍÁÄ¢éÆl¦é׫ŷB
ܽANbJ[ªÅÉ È½Ì /etc/passwd t@CðèÉüê½ê
ÉÍNbJ[ͱÌt@CÉÜÜêÄ¢ésaltðgÁÄ«ðGR[h
µÄä¯Î梾¯ÉÈÁĵܢܷBfBXNSKoCgÆ486N
XÌCPUðÂ}Vª êÎA±Ìöx̱ÆÍqÅàūĵܢÜ
·B
åÊÌfBXNªÈÄà crack(1) Ìæ¤È[eBeBðp¢êÎA
éöxÈãÌÌ[Uª¢éVXeÌÈÆàêÂÍpX[hðjé
±ÆªÅ«Ü·B([UÍ©ªÅe©ÌpX[hðßéàÌƵܷB)
/etc/passwd t@CÉͽÌVXevOªg¤[U ID âO
[vID Ìæ¤Èîñª©êĢܷB]ÁÄA±Ìt@CÍ¢E©ç
ANZXūȯêÎÈèܹñBá¦ÎA /etc/passwd t@CðNàÇ
ßÈ¢æ¤ÉµÄµÜÁ½çAÄÁÍßÉÈéŵå¤B
Shadow Suite ÍpX[hðÊÌêÉÚ·±ÆűÌâèððµÜ·(Ê
íÍ /etc/shadow)B±Ìt@CÍNàÇßÈ¢æ¤ÉÝè³êÜ
·Broot¾¯ª /etc/shadow t@CðÇÝ«Å«Ü·B¢Â©Ìv
O(xlock ÈÇ)Í /etc/shadow ðÏXÍÅ«ÈÄࢢŷªApX
[hÌmFÍs¤Kvª èÜ·B±Ìæ¤ÈvOÍ root É SUID
·é©Ashadow O[vÉ®·éKvª èÜ·BpX[hðmF·é½
ß¾¯É root É SUID ·éæèÍAshadow É SGID ·éûªÇ¢l¦Æ¾
¦Ü·B
pX[hð /etc/shadow ÉÚ®³¹é±ÆÉæÁÄANbJ[ªGR
[h³ê½pX[hÉANZXµÄ«UÉp·é±Æðh°Ü·B
Á¦ÄAShadow Suite ÍȺÌæ¤ÈÁ·ðÁĢܷ:
o OCÌftHgðÝè·éRtBO[Vt@C
(/etc/login.defs)
o [UAJEgâO[vðÇÁAC³Aí·é½ßÌ[eB
eB
o âpX[hÌ`FbNâúÀÝè
o AJEgÌúÀÝèÆbLO
o {·pX[h (16¶ÌpX[h) [§µÜ¹ñ]
o [UÌpX[hèð§äµâ·¢
o _CAAbvEpX[h
o 2FØvO [§µÜ¹ñ]
Shadow Suit ðCXg[·é±ÆÅVXeÌZL
eBð»·é±
ƪūܷªALinux VXeÌZL
eBðæè»·é½ßÉÍA¼
Éàâé׫±Æͽ èÜ·BZL
eB»Ìû@ÆZL
eB
ÉÖW·ébèÉ¢Äðà·é Linux Security HOWTO V[Yª»Ì¤¿
Å«é±Æŵå¤B
ùmÌZL
eBz[É¢ÄÌxÈÇA Linux ÌZL
eBÉÂ
¢ÄÌÅVÌîñð¾é½ßÉÍLinux Security z[y[W
<http://bach.cis.temple.edu/linux/linux-security/> ðQƵĺ³¢B
2.1. shadow pX[hðgíÈ¢Ù¤ªÇ¢ê
Shadow SuiteðCXg[·é±Æª©È縵àÇ¢±ÆÅÍȢ«â
VXe\¬à èÜ·B
o VXeÉ[UAJEgªÈ¢êB
o Rs
[^ª LAN ÉqªÁÄ¢ÄA[U¼âpX[hÍ NIS
(Network Information Services) oRÅlbg[Nã̼Ì}V©ç
¾Ä¢éêB(±êÍ{¶ÌÍÍðOêÄ¢é_ÆA ÜèZL
eBüãÍ]ßÈ¢ÌÅྵܹñ)
o VXeª NFS (Network File System)â NIS ÈÇðp¢Ä[UFØð
·é½ßÉ^[~iT[oÉæÁÄp³êéê
o [UFØÍ·éªAshadow pX[hÉεĨç¸A\[XR[h
à³¢\tgEFAðgíȯêÎÈçÈ¢ê
2.2. /etc/passwd t@CÌtH[}bg
shadow »³êĢȢ /etc/passwd t@CÍȺÌæ¤ÈtH[}bgÉ
ÈÁĢܷ:
username:passwd:UID:GID:full_name:directory:shell
±±ÅA
username
[UÌOCl[
passwd
GR[h³ê½pX[h
UID
[U ID (l)
GID
ftHgÌO[v ID (l)
full_name
[UÌ{¼BÀÛÉͱÌtB[hÍ GECOS (General Electric
Comprehensive Operating System) tB[hÆÄÎêA[UÌ{¼
ÈOÌîñàÛÅ«Ü·BShadow Suite ÌR}h¨æÑIC
}j
AÅÍRgtB[hƵÄLq³êĢܷB
directory
[UÌz[fBNg
shell
[UÌOCVF(âÎpXLq)
á¦ÎÌæ¤ÉÈèÜ·:
username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh
±±ÅAæ2tB[hÌ Np Í salt ÅAge08pfz4wuk ÍGR[h³ê½
pX[hÅ·B¯¶pX[hÅàAsalt/pX[hÌgÝí¹Í kbe-
MVnZM0oL7I Ìæ¤ÉÈéêà èÜ·B éêÂÌpX[hÉÖµÄG
R[h³ê¾éÂ\«Í 4096ÊèÅ·B(±ÌáÅp¢½ 'password' Æ¢
¤pX[hÍjçêâ·¢_ɨ¢ÄñíÉ«¢pX[hÅ·B)
Shadow suite ªCXg[³êéÆA/etc/passwd t@CÍȺÌæ¤
ÉÈèÜ·:
username:x:503:100:FullName:/home/username:/bin/sh
±ÌêÌ2ÔÚÌtB[hÌ 'x' ÍPÉêðßĢ龯ŷBG
R[h³ê½pX[hÍÜÜêÈÈèÜ·ªA /etc/passwd t@CÌ
tH[}bg©ÌÍÏíèܹñB]ÁÄA /etc/passwd t@CðÇÞ¯
êÇpX[hFØÍsíÈ¢vOÍÈOÌÊèÉ®ìµÜ·B
pX[hÍ shadow t@C(Êí /etc/shadow) ÉÚ³êÜ·B
2.3. shadow t@CÌtH[}bg
/etc/shadowt@CÉÍȺÌæ¤ÈîñªLq³êĢܷ:
username:passwd:last:may:must:warn:expire:disable:reserved
àeÍȺÌæ¤ÈÓ¡ð¿Ü·:
username
[U¼
passwd
GR[h³ê½pX[h
last
1970N11ú©çApX[hªÅãÉXV³ê½úÜÅÌú
may
½úOÉpX[hªÏX³ê½Ævíêé©
must
pX[hðÏXµÈ¯êÎÈçÈ¢úÀ
warn
pX[hÌúÀØê̽úOÉ[UÉx·é©
expire
pX[húÀØê̽úãÉAJEgðÁ·é©
disable
1970N11ú©çAAJEgªÁ³ê½úÜÅÌú
reserved
\ñtB[h
³«ÙÇƯ¶áÅÍ /etc/shadow ͱÌæ¤ÉÈèÜ·:
username:Npge08pfz4wuk:9479:0:10000::::
2.4. crypt(3) ÌTv
crypt(3) ÌIC}j
Aæè:
"cryptÍpX[hÌûÖÅ éB±êÍ Data Encryption Standard
(DES) ÌASYÉAÁÉL[õÌn[hEFAÀðµÉ·é±
ÆðÁÉÓ}µ½Ï»ð¯½àÌÉîâĢéB
L[Í[UÌü͵½pX[hÅ éB [GR[h³ê½¶ñÍ·×
ÄNULLÅ éB]
salt Í [a-zA-Z0-9./] Ì©ç2¶ðIñ¾¶ñÅ éB±Ì¶ñÍ
ASYÌÅ4096ÊèÌÙÈéÊ©çêÂðKÉIÑo·½ßÉp
¢çêéB
L[Ìe¶ÌºÊ7rbgðæèo·±ÆÅ 56rbgÌL[ª¾çêéB±
Ì56rbgÌL[Íè¶ñ(ÊíÍSÄ0̶ñðÜÞ)ðJèÔµÃ
»·é½ßÉp¢çêéBßµlÍû³ê½pX[hÖÌ|C^Å
èA±ÌpX[hÍ13¶Ì ASCII ¶Å é(ÅÌ2¶Ísalt»Ìà
ÌÅ é)BßµlÌ|C^ªw·ÌæÍÄÑoµ²ÆÉ㫳êéÃI
Èf[^Å éB
x:L[óÔÍ 2Ì56æ(=7.2e16)ÂÌlðæé±ÆªÅ«éB±ÌL[óÔ
ÍåÊÌÀñvZ@ðp¢êÎSTõ·é±ÆªÂ\Å éBܽAcrack(1)
Ìæ¤È\tgEFAÍlÔªpX[hÉp¢»¤ÈPêªìéL[óÔÌ
ªóÔÉiÁÄõðs¤B]ÁÄApX[hÌIðÅÍ èÓê½Pê
â¼OÌgpÍð¯é׫ŠéBpX[hðßéÛÉÍjçêâ·¢p
X[hÌ`FbNðs¤ passwd(1) vOðp·éÆÇ¢¾ë¤B
DES ASY©ÌÉÍȪ éÌÅAcrypt(3)ÌC^tF[XÍpX
[hFØ̼Ég¤×«ÅÍÈ¢Bcrypt(3)ÌC^tF[XðûÌàÌ
ÉÖíévWFNgÉpµÄÍÈçÈ¢B±Ìæ¤ÈêÉÍAûÉ
Â¢Ä¢Ä éÇ¢{ÆLp·é±ÆªÅ«é DES Cuðüè
·é׫ŠéB"
ÙÆñÇÌ Shadow Suites pbP[WÉÍpX[hð16¶É{·»·é
R[hªÜÜêĢܷBµ©µDESÌêåÆͱêð§µÄ¢Ü¹ñBp
X[hÌ·³ª{ÅàAÅɶ¼ªðGR[hµÄAÉE¼ªðG
R[hµÄ¢é¾¯¾©çÅ·B±êÍcryptÌ®ì̽ßÅ èAnß©ç
{·pX[hªgíêĢȩÁ½êÆä×ÄàAæèÆãÈpX[h
ðìÁĵܢܷBܽA[UÉ16 ¶ÌpX[hðo¦Äà礱
ÆÍ¢ïÅ éÆ¢¤Rà èÜ·B
cryptÉãéàÌÅAæèÀSÅ·¢pX[hðT|[gµ(ÁÉ MD5 A
SY)A³çÉcryptÆÌÝ·«ð۵Ģéæ¤ÈFØASYð
Jµæ¤ÆµÄ¢évWFNgª èÜ·B
àµAÇҪûÉ¢ÄÌÇ¢{ðTµÄ¢éÈçAMÒÍȺÌ{ð
EµÄ¨«Ü·:
"Applied Cryptography: Protocols, Algorithms, and Source Code in C"
by Bruce Schneier <schneier@chinet.com>
ISBN: 0-471-59756-2
3. Shadow Suite Ìüè
3.1. Linux pÌ Shadow Suite Ìðj
ZL
eBãÌâèª éÌÅA±ÌßÅq×éâpbP[WðgÁÄÍ
¢¯Ü¹ñB
IWiÌ Shadow Suite Í John F. Haugh IIÉæÁÄ쬳êܵ
½B
Linux VXeãÅp¢çêÄ«½o[W͢© èÜ·:
o shadow-3.3.1 ÍIWiÅ·B
o shadow-3.3.1-2 Í Florian La Roche <flla@stud.uni-sb.de> ÉæÁÄ
©ê½ Linux êpÌpb`ÅAÆ©Ìg£àµÄ¢Ü·B
o shadow-mk Linux êpÌpbP[WÅ·B
shadow-mkpbP[WÍ John F. Haugh II ªzzµÄ¢é shadow-3.3.1
pbP[WÉ shadow-3.3.1-2 ÖÌpb`A Mohan Kokal
<magnus@texas.net> ÉæÁÄȳê½CXg[ðÈPÉ·é½ßÌC
³AJoseph R.M. Zbiciak Éæé /bin/login Ì -f, -h ÌIvVÌ
®ìÉ¢ÄÌZL
eBz[ðÇ®½ßÌ login1.c (login.secure)
Éηépb`yѻ̼¢Â©ÌÏXðÁ¦½àÌÅ·B
shadow.mkpbP[WÍ ÈOͧ³êĢܵ½ªA loginvOÌZ
L
eBãÌâèª éÌÅg¤×«ÅÍȢŵå¤B
o[W 3.3.1, 3.3.1-2 Ì Shadow Æ shadow-mk ÅÍloginvOÉ
ZL
eBãÌâèª èÜ·B±Ìlogin ÌoOÍOC¼Ì·³ð
`FbNµÈ¢Æ¢¤àÌÅ·B±êÉæèobt@ªI[o[t[µÄv
OªÙí®ìµÄµÜ¢Ü·BVXeãÉAJEgðÁÄ¢él
ÔÍA±ÌoOƤLCuðgÁÄ root Ì ÀðèÉüêé±ÆªÅ
«éÆ¢¤\ª¬êܵ½BͱêÉ¢ÄÚµ¢bð·éÂàèÍ èÜ
¹ñBe¿ð¤¯é Linux VXeͽ¢¯êÇA±êçÌShadow Suites
ðCXg[µ½ Linux VXeâúo[WÌ ELF ÅpbP[WÌ
VXeÅShadow SuitesðCXg[µÄ¢È¢àÌÍë¯É³ç³êé
©çÅ·B
±ÌbèâA»Ì¼Ì Linux ÌZL
eBÉ¢ÄÌîñð¾é½ßÉ
ÍA Linux Security z[y[W (¤LCuÆloginvO ÌÆ
ã«) <http://bach.cis.temple.edu/linux/linux-security/Linux-Security-
FAQ/Linux-telnetd.html> ð©éÆæ¢Åµå¤B
3.2. Shadow Suite Ìüè
»Ý§³êéBêÌ Shadow Suite ÍܾÀo[WÅ·ªAÅVÌàÌ
ÍìÁÄ¢é«ÅÍÀSÅ èAë¯È loginvOàÜñŢܹ
ñB
pbP[WÍȺ̼Ot¯ÌK¥ðgÁĢܷ:
shadow-YYMMDD.tar.gz
ÍAShadow Suite Ì YYNMMDDú öJµ½ÅÅ é±ÆðÓ¡µÜ·B
±Ìo[WÍ»ÝÀeXgÅ èAâªÄo[W 3.3.3 ÉÈéÅ
µå¤B¡ÍMarek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
ÉæÁÄeiX³êĨèA shadow-current.tar.gz
<ftp://i17linuxb.ists.pwr.wroc.pl/pub/linux/shadow/shadow-
current.tar.gz> ©çüèÂ\Å·B
ܽAȺÌ~[TCgà èÜ·:
o ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz
o ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz
o ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz
o ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz
»ÝpÅ«éÅVÅðpµÜµå¤B
shadow-960129æèâo[WÌàÌÍæöq×½æ¤É loginvO
Éâèª éÌÅgÁÄÍ¢¯Ü¹ñB
±Ì¶Å Shadow Suite ÆÍA±ÌpbP[WÉ¢ÄLqµÄ¢
éàÌƵܷBܽA Ƚªg¤pbP[Wà±êÅ éàÌƼèµÜ
·B
Ql̽ßÉAshadow-960129 ÉîâÄCXg[Ìèð쬵ܵ
½B
ൠȽª»Ýshadow-mkðgÁÄ¢éÈçÎA·×ÄÄ\zµÄ±Ìo[
WÉAbvO[h·é׫ŵå¤B
3.3. Shadow Suite ÉͽªÜÜêÄ¢é©
Shadow SuiteÍȺÌR}hðu«·¦Ü·:
su, login, passwd, newgrp, chfn, chsh, and id
ܽApbP[WÉÍȺÌVµ¢vOªÜÜêĢܷ:
chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod,
groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv,
and pwunconv
Á¦ÄApX[hÉANZX·éKvª évOðìé½ßÌCu
libshadow.a ªÜÜêĢܷB
»µÄAvOÌIC}j
AàÜÜêĢܷB
/etc/login.defs ƵÄCXg[³êéAlogin vOÌÝèt@C
àÜÜêĢܷB
4. vOÌRpC
4.1. A[JCuÌWJ
pbP[Wðüèµ½ãÌÅÌìÆͱêðWJ·é±ÆÅ·BpbP[W
Í tar (Tape ARchive) ÅÜÆß½ãÉ gzip ųkµÄ éÌÅAܸpb
P[Wð /usr/src ÉÚ®³¹Ä©çÌæ¤Éü͵ĺ³¢:
tar -xzvf shadow-current.tar.gz
±ÌìÅpbP[WÍ /usr/src/shadow-YYMMDD Æ¢¤fBNgÉWJ
³êÜ·B
4.2. config.h ÉæéÝè
ܸÅÉsȤ±ÆÍMakefileÆconfig.hÌ2Âðã«Rs[·é±ÆÅ
·:
cd /usr/src/shadow-YYMMDD
cp Makefile.linux Makefile
cp config.h.linux config.h
ܸ config.h t@Cð©Ä¾³¢B±Ìt@CÉÍÝèIvVÌ
è`ª©êĢܷBàµA Ƚª§³êÄ¢épbP[Wðp¢Ä¢
éêÉÍAܸO[vÌshadowT|[gðܸ³øɵܵå¤B
WÅÍO[vÌpX[hÍLøÉÈÁĢܷB±êð³øÉ·é½ß
ÉÍconfig.hðÒWµA#define SHADOWGRP ð #undef SHADOWGRP ÉÏXµÜ
·BÆè ¦¸Í±êð³øɵĨ«A ÆÅ{ÉO[vÌpX[h
âO[vÌÇÒªKvÆÈÁ½É Shadow Suite ðÄRpC·é×
«Åµå¤BàµLøÈÜÜɵĨÌÈçÎA/etc/gshadow t@Cð
ìçȯêÎÈèܹñB
{·pX[hðLøÉ·é±ÆÍOÉq×½R̽ßA§µÜ¹ñB
#undef AUTOSHADOW ÌÝèÍâÎÉÏXµÄÍ¢¯Ü¹ñB
AUTOSHADOW IvVÍ shadow ððÅ«È¢vOà@\·éæ¤
É·é½ßÉÝv³ê½àÌÅ·B±êÍÇ¢±ÆÌæ¤Év¦Ü·ªA«¿
ñÆ®«Ü¹ñB±ÌIvVðLøɵAroot ÅvOðÀs·é
ÆA getpwnam() ÖðÄÑo³ê½êÉÍÏX³ê½Gg[ð
/etc/passwd t@CɫߵĵܢܷB (àÍâshadow »³ê½p
X[hÈÈÁĵܤ) chfn â chsh ª±êÉY·évOÅ
·Bgetpwnam()ðÄÑo·OÉ^ÌUIDÆÀøUIDð¤ÜØÖ¦é±ÆÅñð
·éÆ¢¤û@Íg¦Ü¹ñB chfn â chsh Í root ÀÅ®ì·é©çÅ
·B
libc Éͯ¶Ó¡ð SHADOW_COMPAT IvVª èÜ·ªA¯¶Ó
ª libc ðìéÛÉàÄÍÜèÜ·Bg¤×«ÅÍ èܹñI
àµ/etc/passwdt@CÉGR[h³ê½pX[hª»íêéæ¤Èç
ÎâèÅ·B
àµ4.6.27 ÈOÌo[WÌlibcðgÁÄ¢éÈçA
config.hÆMakefileð»ê¼êÏX·éKvª èÜ·B config.h ÍȺÌ
ªð:
#define HAVE_BASENAME
±Ìæ¤ÉÏXµÄ¾³¢:
#undef HAVE_BASENAME
Makefile É¢Äà¯lÅ·:
SOBJS = smain.o env.o entry.o susetup.o shell.o \
sub.o mail.o motd.o sulog.o age.o tz.o hushed.o
SSRCS = smain.c env.c entry.c setup.c shell.c \
pwent.c sub.c mail.c motd.c sulog.c shadow.c age.c pwpack.c rad64.c \
tz.c hushed.c
SOBJS = smain.o env.o entry.o susetup.o shell.o \
sub.o mail.o motd.o sulog.o age.o tz.o hushed.o basename.o
SSRCS = smain.c env.c entry.c setup.c shell.c \
pwent.c sub.c mail.c motd.c sulog.c shadow.c age.c pwpack.c rad64.c \
tz.c hushed.c basename.c
libc 4.6.27 È~ÅͱêçÌÏXÍbasename.cÉεÄsíêĢܷB
4.3. ³ÌvOÌobNAbvÌì¬
Shadow Suite ªu«·¦ÄµÜ¤vOð 究ßmFµÄ¨«A
obNAbvðæÁĨÌÍÇ¢l¦Å·BSlackware 3.0 pbP[WÅÍ
ȺÌt@CªYµÜ·:
o /bin/su
o /bin/login
o /usr/bin/passwd
o /usr/bin/newgrp
o /usr/bin/chfn
o /usr/bin/chsh
o /usr/bin/id
ÀÅpbP[WÉÍ Makefile Ésave Æ¢¤^[Qbgª èÜ·ªAR
gAEg³êĢܷBpbP[WªÙÈêÎvOÌu«êàÙ
Èé©çÅ·B
/etc/passwdt@CÌobNAbvàæÁĨ¢½Ù¤ªÇ¢Åµå
¤BpasswdR}hƯ¶fBNgÉu¢Ä㫵ĵÜíÈ¢æ¤
ÉA½©Ê̼Oɵܵå¤B
4.4. Make ÌÀs
CXg[ìÆÌÙÆñÇÍrootƵÄs¤Kvª èÜ·B
pbP[WÌÀst@CðRpC·é½ßÉ make ðÀsµÄº³¢:
make all
rcsid defined but not used Æ¢¤EH[jOªoé©àµêܹñªA
³µÄ\¢Ü¹ñB±êÍìÒªo[WÇc[ðgÁÄ¢é½ßÉ
N±éàÌÅ·B
5. CXg[
5.1. VXejóÉõ¦ÄÌu[gfBXNì¬
Å«ÌÔÉõ¦ÄAu[gfBXNðìÁĨ«Üµå¤BVXeðC
Xg[µ½Ìu[gfBXNÆ[gfBXNª êÎ\ªÅ·B³¢ê
ÉÍAu[gfBXNÌì¬É¢ÄÌྪ©êÄ¢é Bootdisk-
HOWTO <http://sunsite.unc.edu/mdw/HOWTO/Bootdisk-HOWTO.html> ðQƵ
ĺ³¢B
5.2. d¡·éIC}j
AÌí
u«·¦çêéâ}j
AÍDZ©ÉڵĨ׫ŷBobNAbv
ȵŠShadow Suite ðCXg[·éêÅàAâ}j
AðÁµÄ
µÜ¢½Èéŵå¤Bâ}j
Aͨ»ç³k³êÄ¢éÌÅAV
µ¢}j
AͤÜ㫳êÈ¢©çÅ·B
man -aW Æ locate R}hðgÁÄÚ®(í)·×«}j
AÌÊuð²
×é±ÆªÅ«Ü·BêÊIÉÍ make install ðÀsµ½ãæèàÀs·é
Oힻ̢}j
AÌêð©Â¯é̪eÕÅ·B
Slackware 3.0 pbP[WÌêÉÍí·×«}j
AÍȺÌêÉ
èÜ·:
o /usr/man/man1/chfn.1.gz
o /usr/man/man1/chsh.1.gz
o /usr/man/man1/id.1.gz
o /usr/man/man1/login.1.gz
o /usr/man/man1/passwd.1.gz
o /usr/man/man1/su.1.gz
o /usr/man/man5/passwd.5.gz
/var/man/cat[1-9] É௶¼OÌIC}j
Aª é©àmêÈ¢
ÌÅA êÎí·éKvª èÜ·B
5.3. make install ÌÀs
ȺÌR}hðÀsµÜµå¤:(rootÉÈÁÄ©çÀsµÄº³¢)
make install
±êÅAVµ¢vOyÑu«·¦çêévOªCXg[³
êAt@CÌp[~bVªC³³êÜ·BܽAIC}j
A
àCXg[³êÜ·B
Shadow Suite ÌCN[ht@Cª ³µ¢ê (/usr/include/shadow)
ÉCXg[³ê½©Ç¤©mFµÄº³¢B
ÀÅpbP[WðgÁÄ¢éêÉÍAlogin.defsðè®Å /etcÖRs[µ
ÄAroot ¾¯µ©ÇÝ«Å«È¢æ¤ÉµÈ¯êÎÈèܹñB
cp login.defs /etc
chmod 700 /etc/login.defs
±Ìt@CÍloginvOÌÝèt@CÅ·B±Ìt@CÍ È½
ÌVXeÉí¹ÄÏXµÄ¾³¢B±Ìt@CÅÍAÇÌ tty ©ç
root ÌOCð·©ÈÇZL
eBÉÖ·éÝè(pX[hÌúÀÝ
èÈÇ)ªÅ«Ü·B
5.4. pwconv ÌÀs
ÌXebvÍ pwconv ðÀs·é±ÆÅ·B±êàroot ÀÅsíȯê
ÎÈèܹñBܽA/etc fBNgÖÚ®µÄ©çÀsµÄº³¢:
cd /etc
/usr/sbin/pwconv
pwconv Í /etc/passwd ÌetB[hðæèoµÄA /etc/npasswd Æ
/etc/nshadow Ì2ÂÌt@CðìèÜ·B
pwunconv Æ¢¤R}hà èAàµKvÈçÎ /etc/passwd Æ
/etc/shadow ©çÊÌ /etc/passwd 𶬷é±ÆàÅ«Ü·B
5.5. npasswd Æ nshadow Ìl[
pwconv ðÀsµ½±ÆÅ /etc/npasswd Æ /etc/nshadow ª¾çê½Í¸Å
·B±êçÌt@Cð»ê¼ê /etc/passwd Æ /etc/shadow É㫵Ä
¾³¢Bã«ÌOÉÍ³Ì /etc/passwd ÌobNAbvðìèA±Ì
obNAbvÍ root ÈOÌ[UÍÇßÈ¢æ¤ÉµÄ¨«Üµå¤Bob
NAbvÍ root Ìz[fBNgÉìéÆǢŵå¤:
cd /etc
cp passwd ~passwd
chmod 600 ~passwd
mv npasswd passwd
mv nshadow shadow
³çÉAt@CÌI[iÆp[~bVª³µ¢©Ç¤©mFµÜµå
¤B X-Window System ðgÁÄ¢éÈçÎAxlock â xdm Í shadow t@C
ðÇßéæ¤ÉÈÁĢȯêÎÈèܹñ(«ÝªÅ«éKvÍ è
ܹñ)B
±êÉÍ2ÂÌû@ª èÜ·BêÂÍAxlockð root É SUID ·éû@Å
·B(xdm Í¢¸êɹæ root ƵĮì·éÌÅÖW èܹñB) à¤
êÂÍ shadow t@CÌLÒÍrootÉAO[vÍshadowÉ·éû@Å
·B±Ìæ¤ÈÝèÉ·éOÉÍA/etc/group t@Cð©ÄA shadow O
[vª é©Ç¤©ðܸmFµÄ¾³¢Bshadow O[vÉ®·é
[UÍêlà¢ÄÍ¢¯Ü¹ñB
chown root.root passwd
chown root.shadow shadow
chmod 0644 passwd
chmod 0640 shadow
±êŠȽÌVXeÌpX[hÍ shadow »³êܵ½B±±ÅAVµ
¼z[ðJ¢ÄOCªÅ«é©Ç¤©mFµÄÝܵå¤B
³ AâÁÄÝܵå¤I
൤ܢ©È¢êÍADZ©ÅÔá¦Ä¢Ü·Bshadow »³êÄ¢È
¢óÔÉß·½ßÉÍȺÌæ¤È豫ðsÁĺ³¢:
cd /etc
cp ~passwd passwd
chmod 644 passwd
ÅÉobNAbvðæÁ½¼Ìt@Cà³µ¢êÉߵܵå¤B
6. AbvO[h·é©pb`ðÄéKvª évO
Shadow Suite ÉÍpX[hÉANZX·évOÙÆñÇÌãÖið
ÜñŢܷªAÙÆñÇÌVXeÅͼÉà¢Â©ÌvOªKv
ÆÈèÜ·B
Debian pbP[WÅÍ(»¤ÅÈ¢êÅà\¢Ü¹ñª)AȺÌê©ç
VXeÌÄ\zÉKvÈvOÌ Debian pbP[WÌÌ\[Xðüè
·é±ÆªÅ«Ü·B ftp://ftp.debian.org/debian/stable/source/
±ÌßÌcèÍadduser, wu_ftpd, ftpd, pop3d, xlock, xdm and sudo ª
Shadow Suite ðT|[gÅ«éæ¤É·é½ßs¤AbvO[hÉ¢Ä
ྵܷB
¼ÌvOà shadow T|[gÅ«éæ¤É·éû@Í ``CvOð
Shadow Suite Éγ¹éû@'' ÌÍðQƵĺ³¢B(ÀÛÉ shadow
t@CÉANZX·é½ßÉÍ root É SUID ·é© shadow É SGID ·é
Kvª èÜ·B)
6.1. Slackware adduser program
Slackware pbP[W(¨»ç¼ÌpbP[WÉà)ÉÍ /sbin/adduser Æ
¢¤ÎbIÉVµ¢[UðÇÁ·évOªÜÜêĢܷB±Ìv
OÌ shadow ÎÅÍ ftp://sunsite.unc.edu/pub/Linux/
system/Admin/accounts/adduser.shadow-1.4.tar.gz ©çüèÅ«Ü·B
MÒÍ slackware ÌadduserÌãèÉShadow SuiteÉÜÜêÄ¢évO
(useradd, usermod, userdel)ðg¤±Æð©ßÜ·Bg¢ûÍV½Éo¦
ȯêÎÈèܹñªA»ê¾¯Ì¿lÍ èÜ·Bæèש¢§äªÅ«Ü
·µA (adduserÅÍsíÈ¢) /etc/passwd â /etc/shadowÌbLOà
µÄêé©çÅ·B
ÚµÍ ``Shadow Suite ðgÁÄÝé'' ÌÍð©Ä¾³¢B
»êÅà adduser ðg¢½¢ÈçÎAȺÌæ¤ÈèÅCXg[µÄ
¾³¢:
tar -xzvf adduser.shadow-1.4.tar.gz
cd adduser
make clean
make adduser
chmod 700 adduser
cp adduser /sbin
6.2. wu_ftpd T[o
åªÌ Linux VXeÅÍ wu_ftpd T[oðgÁĢܷBàµA Ƚ
ÌgÁÄ¢épbP[WÉ Shadow SuiteªCXg[³êĢȢê
Awu_ftpd à shadow ðT|[g·éæ¤ÉÍÈÁĢȢŵå
¤Bwu_ftpd Í inetd/tcpd ©çrootÌvZXƵÄN®³êÜ·BàµA
ȽªÃ¢ wu_ftpd f[ðç¹Ä¢éÈçAo[Wðã°Ä
¾³¢Bâo[WÍ rootÌAJEgðFßĵܤoOðÁÄ¢
é±ÆÅmçêÄ¢é©çÅ·B(ÚµÍ Linux security z[y[W
<http://bach.cis.temple.edu/linux/linux-security/Linux-Security-
FAQ/Linux-wu.ftpd-2.4-Update.html>) ðQƵĺ³¢B )
K¢Ashadow ðLøÉ·é½ßÉÍ\[XR[hðüèµÄÄRpC·
龯ŷB
ELF VXeÅÈ¢êÉÍAwu_ftpT[oÍ Sunsite É wu-
ftp-2.4-fixed.tar.gz
<ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/wu-
ftpd-2.4-fixed.tar.gz> ̼OÅu¢Ä¢éà̪pÅ«Ü·B
t@Cðüèµ½çA±Ìt@Cð /usr/src Éu¢Ä©çAȺÌæ¤
ÈìðsÁľ³¢:
cd /usr/src
tar -xzvf wu-ftpd-2.4-fixed.tar.gz
cd wu-ftpd-2.4-fixed
cp ./src/config/config.lnx.shadow ./src/config/config.lnx
É ./src/makefiles/Makefile.lnx t@CÌȺ̪ð:
LIBES = -lbsd -support
Ìæ¤ÉÏXµÜ·:
LIBES = -lbsd -support -lshadow
»µÄAÀst@C¶¬XNvgÌÀsyÑCXg[ðs¢Ü·:
cd /usr/src/wu-ftpd-2.4-fixed
/usr/src/wu-ftp-2.4.fixed/build lnx
cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
cp ./bin/ftpd /usr/sbin/wu.ftpd
±êÍALinux p shadow ÌÝèt@CðgÁÄT[oÌRpCyÑC
Xg[ðs¢Ü·B
MÒÌ Slackware 2.3 VXeÅÍÀst@C¶¬XNvgðÀs·é
OÉȺÌìðs¤Kvª èܵ½:
cd /usr/include/netinet
ln -s in_systm.h in_system.h
cd -
ELF VXeãÅÍRpCª¤Ü¢©È¢±Æªñ³êĢܷªA
Ì[XÌÀÅðg¦Î¤Ü¢æ¤Å·B±êÍAwu-
ftp-2.4.2-beta-10.tar.gz <ftp://tscnet.com/pub/linux/network/ftp/wu-
ftpd-2.4.2-beta-10.tar.gz> ƵÄüèÅ«Ü·B
t@Cðüèµ½çA±êð /usr/src Éu¢ÄAȺÌìðsÁľ
³¢:
cd /usr/src
tar -xzvf wu-ftpd-2.4.2-beta-9.tar.gz
cd wu-ftpd-beta-9
cd ./src/config
É config.lnx t@CÌȺ̪ð
#undef SHADOW.PASSWORD
Ìæ¤ÉÏXµÜ·B
#define SHADOW.PASSWORD
»ê©çA
cd ../Makefiles
ðs¢AJgfBNgðÏXµÄ©ç Makefile.lnx t@CÌ
LIBES = -lsupport -lbsd # -lshadow
̪ðÌæ¤ÉÏXµÜ·B
LIBES = -lsupport -lbsd -lshadow
»µÄÀst@C¶¬ÆCXg[ðs¢Ü·:
cd ..
build lnx
cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
cp ./bin/ftpd /usr/sbin/wu.ftpd
/etc/inetd.conf t@CÉ wu_ftpd {ÌÌu«êª©êÄ¢é©Ç¤
©ðmF·éÌðYêÈ¢æ¤ÉµÜµå¤BpbP[WÉæÁÄÍT[of
[Ìuêªá¢Awu_ftpd ªÊ̼OÉÈÁÄ¢éàÌà éÆ¢¤ñ
ª èܵ½B
ó: Slackware 3.1 ÅÍ shadow pX[h»ðsÁ½êAwu-ftpd ÌR
pCɸs·éêª èÜ·BºLÌæ¤ÈG[ªoéêÉÍ
src/makefiles/Makefile.lnx Ì CFLAGS É "-DDIRENT_ILLEGAL_ACCESS" ðÁ
¦ÄÝľ³¢B (±ÌîñÍÎLd@å³ñæ踫ܵ½B)
______________________________________________________________________
gcc -O2 -fomit-frame-pointer -I.. -I../support -I/usr/include/bsd -L../suppors
-c glob.c -o glob.o
glob.c: In function `matchdir':
glob.c:284: dereferencing pointer to incomplete type
make: *** [glob.o] Error 1
______________________________________________________________________
6.3. WÌ ftpd
WÌ ftpd T[oðgÁÄ¢éêÉÍ wu_ftpd T[oÉAbvO[h
·é±Æð©ßÜ·Bæöq×½oOð¯ÎAæèÀS¾Æ³êÄ¢é©ç
Å·B
ǤµÄàWÌàÌðg¢½¢êâANIS ðT|[g·éKvª éê
ÉÍ Sunsite ©ç ftpd-shadow-nis.tgz
<ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/ftpd-
shadow-nis.tgz> ðüèµÄº³¢B
6.4. pop3d (Post Office Protocol 3)
àµAPOP3(the third Post Office Protocol) ðT|[g·éKvª éê
ÉÍ pop3d ðÄRpC·éKvª èÜ·B pop3d Í inet/tcpd ©
çroot ÀÅÀs³êÜ·B
Sunsite ©ç2ÂÌÙÈéo[WÌàÌðüèÅ«Ü·:
pop3d-1.00.4.linux.shadow.tar.gz
<ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d-1.00.4.linux.shadow.tar.gz>
Æ pop3d+shadow+elf.tar.gz
<ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d+shadow+elf.tar.gz>
Å·B
Ç¿çÌêàâèÈCXg[Å«éŵå¤B
6.5. xlock
Shadow Suite ðCXg[µAX Window VXeãÅ xlock ðAbvO
[hµÈ¢ÜÜÅÀsµ½êÉÍA CNTL-ALT-Fx ÅÊÌR\[ÉØ
Ö¦ÄOCµ xlock ÌvZXðE·( é¢Í CNTL-ALT-BS Å X T[
oðE·)ÈOÉǤµæ¤àÈ¢óÔÉÈÁĵܢܷBK¢È±ÆÉA
xlock ðAbvO[h·éÌÍÆÄàÈPÅ·B
àµAXFree86 Ìo[W 3.x.x ðpµÄ¢éêÉÍA xlockmore
(lock @\ÉÁ¦ÄXN[Z[o@\ðÂ)ðgÁÄ¢éÆv¢Ü·B
±ÌpbP[WÍÄRpC·é±ÆÅ shadow ðT|[gÅ«Ü·Bâ
xlock ðgÁÄ¢éêÉÍ xlockmore ÉAbvO[h·é±Æð©ßÜ
·B
xlockmore-3.5.tgz ÍȺÌêÅüèÅ«Ü·:
<ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screensavers/xlockmore-3.7.tgz>
CXg[Íî{IÉÍȺÌæ¤ÈìÅs¢Ü·:
xlockmore-3.5.tgz ðüèµA/usr/src ÅWJµÜ·:
tar -xzvf xlockmore-3.7.tgz
/usr/X11R6/lib/X11/config/linux.cf ðÒWµA
#define HasShadowPasswd NO
Ìsð
#define HasShadowPasswd YES
Ìæ¤ÉÏXµÜ·B
»µÄAÀst@Cð쬵ܷ:
cd /usr/src/xlockmore
xmkmf
make depend
make
t@CðÚ®µAI[iÆp[~bVðÝèµÜ·:
cp xlock /usr/X11R6/bin/
cp XLock /var/X11R6/lib/app-defaults/
chown root.shadow /usr/X11R6/bin/xlock
chmod 2755 /usr/X11R6/bin/xlock
chown root.shadow /etc/shadow
chmod 640 /etc/shadow
±êÅA¤Ü® xlock ªÅ«½Í¸Å·B
6.6. xdm
xdmÍ X Window ÌOCæÊð\¦·évOÅ·BÁèÌ run
level ÉÚsµ½Æ«ÉxdmªÀs³êéVXeà èÜ·B
(/etc/inittabQÆ)
Shadow SuiteÌCXg[ðsȤÆAxdmàXVµÈ¯êÎÈèܹñB
µ©µxdmÌAbvO[hÍÈPÈÌÅâè èܹñB
xdm.tar.gz ÍȺÌURLÅüèÅ«Ü·:
<ftp://sunsite.unc.edu/pub/Linux/X11/xutils/xdm.tar.gz>
xdm.tar.gz t@CðüèµÄA/usr/srcÉu¢Ä©çȺÌæ¤ÉµÄW
JµÜ·:
tar -xzvf xdm.tar.gz
/usr/X11R6/lib/X11/config/linux.cf àÌ
#define HasShadowPasswd NO
̪ð
#define HasShadowPasswd YES
Ìæ¤ÉÏXµÜ·B
Àst@CðìèÜ·:
cd /usr/src/xdm
xmkmf
make depend
make
t@CðCXg[µÜ·:
cp xdm /usr/X11R6/bin/
xdm Í root ÀÅ®ì·éÌÅt@CÌp[~bVðϦéKvÍ
èܹñB
6.7. sudo
sudovOÍVXeÇÒªÊíroot ÀðKvÆ·évOð
[UÉÀs³¹é½ßÉp¢Ü·BÇÒªrootÌAJEgÖÌANZXð
§Àµ½ÜÜÅA[UÉfBXNÌ}EgÌìð·éÆ«ÉÖ
ÈvOÅ·B
sudo ÍÀs³ê½É[UÌpX[hFØðs¤ÌÅApX[ht@
CðÇßȯêÎÈèܹñBsudo ÍÅ©çrootÉ SUID ³êÄ®ì·
éÌÅA/etc/shadow ÖÌANZXÉ¢ÄÍâè èܹñB
Shadow Suit ÎÌ sudo ÍȺÌURLÅüèÅ«Ü·:
<ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz>
x: sudoðCXg[·éÛÉ /etc/sudoerst@CÍWÌàÌÆu
«·¦çêĵܢܷBÅ·©çAWÌóÔ©çÏXª éêÉÍob
NAbvðæÁĨKvª èÜ·B(Makefile ðÏXµÄWÌt@C
ð/etcÉRs[·éªÌðí·éÆ¢¤û@à èÜ·B)
±ÌpbP[WÍùÉ shadow ÎÌÝèªÈ³êÄ¢éÌÅApbP[Wð
ÄRpC·é¾¯ÅpÅ«Ü·(\[XÍ /usr/src ÉWJµÄº³
¢):
cd /usr/src
tar -xzvf sudo-1.2-shadow.tgz
cd sudo-1.2-shadow
make all
make install
6.8. imapd (E-Mail [pine pbP[W])
imapd Í pop3d Ìæ¤È[T[oÅ·B imapd Í pine E-mail pbP
[WÉt®µÄ¢Ü·BpbP[WÉt®·éhL
gÉÍ Linux VX
eÉηéWÝèÅ shadow ðT|[gµÄ¢éÆ©êĢܷBµ©
µA±êͳµÈ¢LqÅ·B³çÉA±ÌpbP[WÅÍÀst@C¶
¬XNvgÆ Makefile Ìg¹ªKvÅARpCÉlibshadow.að
Á¦é±Æªªïµ¢ÌÅ·B»¤¢¤í¯ÅAÍܾ imapd ª shadow
T|[g·éæ¤ÉÍūĢܹñB
൬÷µ½lª¢Üµ½çAMÒÌƱëÉ[Åmç¹Ä¾³¢B±
ÌÚÉÁ¦½¢Æv¢Ü·B
6.9. pppd (PPP vgRT[o)
pppd T[oÍFØÌû®ð¡pÅ«éæ¤ÉÝèÅ«Ü·B Password
Authentication Protocol (PAP) Æ Cryptographic Handshake
Authentication Protocol (CHAP)Å·Bpppd T[oÍÊpX[h¶ñ
ð /etc/ppp/chap-secrets © /etc/ppp/pap-secrets ( é¢Í¼û)©ç¾
Ü·Bpppd ÉWÌ®ìð³¹Ä¢éêÉÍ pppd ðÄCXg[·é
KvÍ èܹñB
pppd Íloginp[^ðg¤æ¤É·é±ÆàÅ«Ü·(R}hC
©AÝèt@CÅwè·é© options t@CàÅwè)Bàµlogin Iv
Vªwè³êéÆ pppd Í PAP Å /etc/passwd t@CÌ[Ul[
ÆpX[hðg¢Ü·BpX[hð shadow »·éÆà¿ëñA±êÍ®
ìµÈÈèÜ·B pppd-1.2.1d ÅÍ shadow ðT|[g·é½ßÉÍv
OðÏXµÈ¯êÎÈèܹñB
ÌÍÅÌáèÍ pppd-1.2.1d(o[WªÃ¢ pppd)É shadow T|[g
ðÁ¦éÆ¢¤àÌÅ·B
pppd-2.2.0 ÅÍùÉ shadow ΪsíêĢܷB
7. Shadow Suite ðgÁÄÝé
±ÌÍÅÍVXeÉShadow SuiteðCXg[µ½ãÉmÁĨ׫¾
Ævíêé±ÆðྵܷBæèÚµ¢à¾ÍeR}hÌIC}
j
AðQƵľ³¢B
7.1. [UÌÇÁAÏXAí
Shadow Suite ÉÍ[UðÇÁAÏXAí·é½ßÌvOªÜÜê
ĢܷBùÉadduservOàÁÄ¢é©àµêܹñB
7.1.1. useradd
useraddR}hÍVXeÉ[UðÇÁ·é½ßÉp¢Ü·BWÌÝè
ðϦéÆ«Éà±ÌR}hðÀsµÜ·B
ÅÉsȤ׫±ÆÍWÝèðmFµÄ ȽÌVXeÉí¹ÄÏX
ðÁ¦é±ÆÅ·:
useradd -D
______________________________________________________________________
GROUP=1
HOME=/home
INACTIVE=0
EXPIRE=0
SHELL=
SKEL=/etc/skel
______________________________________________________________________
WÝèͨ»çCÉüçȢŵ天çA[UðÁ¦éÆ«Ée[
UÉεÄSÄÌÚ𢿢¿wè·éæèàAWÌÝèðϦĵܢ
ܵå¤B
MÒÌVXeÅÍȺÌæ¤ÈÝèÉϦĢܷ:
o WÌO[v ID ð 100 É
o pX[hÌúÀð 60 úÉ
o pX[hÌúÀØêÉæéAJEgÌbNÍsÈíÈ¢
o WÌVFð/bin/bash É
±Ìæ¤ÈÏXðsȤÉÍÌR}hðÀsµÜ·:
useradd -D -g100 -e60 -f0 -s/bin/bash
±ÌóÔÅ useradd -D ðÀs·éÆȺÌÊð¾Ü·:
______________________________________________________________________
GROUP=100
HOME=/home
INACTIVE=0
EXPIRE=60
SHELL=/bin/bash
SKEL=/etc/skel
______________________________________________________________________
àµm软êÎA±êçÌWÝèÍ/etc/default/useradd t@CÅm
FÅ«Ü·B
±êÅ[UÌÇÁÉ useradd ðg¦éæ¤ÉÈèܵ½Bá¦ÎAWÌ
ÝèðgÁÄ[U fred ðÇÁ·é½ßÉÍȺÌæ¤ÈìðsÈ¢Ü
·:
useradd -m -c "Fred Flintstone" fred
±ÌR}hÍ/etc/passwd t@CàÉȺÌæ¤ÈGg[ðìèÜ
·:
fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash
ܽA/etc/shadowt@CàÉȺÌGg[ðìèÜ·:
fred:!:0:0:60:0:0:0:0
-mIvVªÂ¢Ä¢éÌÅA[Ufred Ìz[fBNgඬ³
êA/etc/skelfBNgÌàeªRs[³êÜ·B
UID ÍwèµÄ¢ÈÄàKÉßÄêÜ·B
±êÅfredÌAJEgªÅ«Üµ½ªAAJEgÌbNððµÈ¢À
èfredÍOC·é±ÆÍūܹñBbNÌðÍpX[hðϦé
±ÆÉæÁÄsȢܷB
passwd fred
______________________________________________________________________
Changing password for fred
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New Password: *******
Re-enter new password: *******
______________________________________________________________________
±êÅ /etc/shadowÍȺÌæ¤ÈàeÉÈèÜ·:
fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0
»µÄAfredÍVXeÉOCÅ«éæ¤ÉÈèÜ·B¼ÌvOÅ
È useradd ðg¤_Í/etc/passwd Æ/etc/shadowÌÏXªsªÉsÈ
íêé±ÆÅ·BÂÜèA Ƚª[Uðo^·éÌƯɼÌ[Uª
pX[hðÏXµ½ÆµÄàA¼ûÆà³µÀs³êÜ·B
¼Ú /etc/passwd â /etc/shadow ðÒW·éÌÍâßÄApÓ³ê½R}
hðp·é׫ŷB Ƚª /etc/passwd ðÒWµÄ¢éÔÉA é
[UªpX[hðÏXµ½Æ·éÆA»Ì[UÌpX[hÏXÍ È½
ªt@CðZ[uµ½É¸íêĵܢܷB
Ⱥɦ·ÌÍuseraddÆpasswdðgÁ½ÈPÈÎbI[UÇÁXNvg
Å·B
______________________________________________________________________
#!/bin/bash
#
# /sbin/newuser - A script to add users to the system using the Shadow
# Suite's useradd and passwd commands.
#
# Written my Mike Jackson <mhjack@tscnet.com> as an example for the Linux
# Shadow Password Howto. Permission to use and modify is expressly granted.
#
# This could be modified to show the defaults and allow modification similar
# to the Slackware Adduser program. It could also be modified to disallow
# stupid entries. (i.e. better error checking).
#
##
# Defaults for the useradd command
##
GROUP=100 # Default Group
HOME=/home # Home directory location (/home/username)
SKEL=/etc/skel # Skeleton Directory
INACTIVE=0 # Days after password expires to disable account (0=never)
EXPIRE=60 # Days that a passwords lasts
SHELL=/bin/bash # Default Shell (full path)
##
# Defaults for the passwd command
##
PASSMIN=0 # Days between password changes
PASSWARN=14 # Days before password expires that a warning is given
##
# Ensure that root is running the script.
##
WHOAMI=`/usr/bin/whoami`
if [ $WHOAMI != "root" ]; then
echo "You must be root to add news users!"
exit 1
fi
##
# Ask for username and fullname.
##
echo ""
echo -n "Username: "
read USERNAME
echo -n "Full name: "
read FULLNAME
#
echo "Adding user: $USERNAME."
#
# Note that the "" around $FULLNAME is required because this field is
# almost always going to contain at least on space, and without the "'s
# the useradd command would think that you we moving on to the next
# parameter when it reached the SPACE character.
#
/usr/sbin/useradd -c"$FULLNAME" -d$HOME/$USERNAME -e$EXPIRE \
-f$INACTIVE -g$GROUP -m -k$SKEL -s$SHELL $USERNAME
##
# Set password defaults
##
/bin/passwd -n $PASSMIN -w $PASSWARN $USERNAME >/dev/null 2>&1
##
# Let the passwd command actually ask for password (twice)
##
/bin/passwd $USERNAME
##
# Show what was done.
##
echo ""
echo "Entry from /etc/passwd:"
echo -n " "
grep "$USERNAME:" /etc/passwd
echo "Entry from /etc/shadow:"
echo -n " "
grep "$USERNAME:" /etc/shadow
echo "Summary output of the passwd command:"
echo -n " "
passwd -S $USERNAME
echo ""
______________________________________________________________________
[UÌÇÁÉXNvgðp·é±ÆͼÚ/etc/passwdâ
/etc/shadowðÒWµ½èASlackware Ì adduservOðp·éæè
à]ܵ¢Å·B±ÌXNvgð ȽÌVXeÉí¹ÄÏXµÄgÁ
ľ³¢B
useraddÉ¢ÄÌæèÚµ¢à¾ÍIC}j
AðQƵľ³
¢B
7.1.2. usermod
usermodvOÍ[UÉ¢ÄÌîñðÏX·é½ßÌàÌÅ·BIv
VÍuseraddÆÙÆñǯ¶Å·B
fredÌVFðϦæ¤ÆvÁ½çAȺÌæ¤ÈìðµÜ·:
usermod -s /bin/tcsh fred
±êÉæÁÄA/etc/passwdÌfredÌGg[ÍÌæ¤ÉÏX³êÜ·:
fred:*:505:100:Fred Flintstone:/home/fred:/bin/tcsh
ÉAfredÌAJEgÌúÀð 1997N915úÉÝèµÄÝܵå¤:
usermod -e 09/15/97 fred
±êÅ/etc/shadowÌfredÌGg[ÍÌæ¤ÉÏX³êÜ·:
fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0
usermodÉ¢ÄÌæèÚµ¢à¾ÍIC}j
AðQƵľ³
¢B
7.1.3. userdel
userdelͼOÌÊèA[UÌAJEgðÁµÜ·Bg¢ûÍPÉ
userdel -r username
Æüͷ龯ŷB -rIvVð¯éÆ[UÌz[fBNg
ð(z[fBNg»ÌàÌàÜßÄ)ÁµÜ·BÙÈét@CVXe
ãÉ ét@CÍèìÆÅÁµÈ¯êÎÈèܹñB
AJEgðÁ·ÌÅÍÈAPÉbN·é¾¯ÌêÉÍ passwdR}
hðg¢Ü·B
7.2. passwd R}hÆpX[hÌúÀÝè
passwdR}hÍÊÌpX[hÏXÌ@\ðÁĢܷB±êÉÁ¦
ÄA[UrootÅÀsµ½êÉÍAȺ̱ƪūܷB
o AJEgÌbNyÑ»Ìð (-l Æ -u)
o pX[hÌÅZLøúÔÌÝè (-x)
o pX[hÏXÜÅÌÅZúÌÝè(-n)
o úÀÌØêépX[hÉεĽúO©çx·é©ÌÝè (-w)
o pX[hÌúÀØê©çAJEgÌbNÜÅÌúÌÝè is
locked (-i)
o AJEgîñð´µÄ\¦(-S)
áƵÄAÄÑ[Ufredð©ÄÝܵå¤B
passwd -S fred
fred P 03/04/96 0 60 0 0
±êÍAfredÌpX[hÍLøÅ é±ÆAOñÌÏXÍ1996N3 4úÅ
Á½±ÆA¢ÂÅàÏXÂ\Å é±ÆA60úãÉúÀØêÉÈé±
ÆAfred ÉÍxÍȳêÈ¢±ÆApX[hªúÀØêÉÈÁÄàAJ
EgͳøÆÈçÈ¢±ÆðÓ¡µÄ¢Ü·B
±êÍApX[hªúÀØêÉÈÁÄ©çfredªOC·éÆVµ¢pX
[hðv·évvgªoÄéÆ¢¤±ÆÅ·B
àµAfredÌpX[hªúÀØêÉÈé14úOÉxðoµAúÀØê
Ì14úãÉÍAJEgªâ~ÆÈéæ¤É·é½ßÉÍÌæ¤È½ßð^
¦Ü·B
passwd -w14 -i14 fred
±ÌÆ«AfredÌîñÍÌæ¤ÉÈèÜ·B
fred P 03/04/96 0 60 14 14
Ú×É¢ÄÍpasswdÌIC}j
AðQƵľ³¢B
7.3. login.defs t@C
/etc/logint@CÍloginvOÆShadow SuiteSÌÌÝèt@CÅ
·B
/etc/login t@CÍvvg\¦©çA[UªpX[hÏXðµ½
ÉWÌpX[húÀÍǤÈé©ÜÅÌL¢ÝèðÁĢܷB
/etc/login.defs àÉÚµ¢Rgª èÜ·ªA¢Â©Ó·×«_ª
èÜ·B
o ¶µ½MOÌÊðè·étO(on é¢Í off ÉÅ«é)ðÜ
Þ
o ¼ÌÝèt@CÖÌ|C^ðÜÞ
o pX[hÌ aging ÈÇÉ¢ÄÌWÌÝèðÜÞ
±êç̱ƩçdvÈt@CÅ é±Æªí©éÆv¢Ü·BÅ·©çA
t@Cª»Ìà̪¶Ý·é±ÆƳµ¢ÝèÉÈÁÄ¢é©Ç¤©ðK¸
mFµÄ¾³¢B
7.4. O[vÌpX[h
/etc/groupst@CÍÁèÌO[vÌoÉÈé½ßÌpX[hðÜ
ޱƪ èÜ·B±Ì@\ÍRpCÉ /usr/src/shadow-
YYMMDD/config.h t@CàÅèSHADOWGRP ðè`µÄ¢êÎLøÉÈÁÄ
¢Ü·B
±Ìèðè`µÄRpCðsÈÁ½ÈçÎA/etc/gshadowt@Cðì
èAO[vÌpX[hyÑO[vÇÒÉ¢ÄÌîñðÛ³¹È¯
êÎÈèܹñB
/etc/shadow t@CðìÁ½ÉÍ pwconvÆÄÎêévOðg¢Ü
µ½ªA/etc/gshadowÉεÄͱêÉ·éàÌÍ èܹñBµ©µA
±Ìt@CÍÁÉÒW·éKvÍÈ¢ÌÅâèÉÍÈèܹñB
ÅÉ /etc/gshadow t@Cðìé½ßÉÍȺÌìðsȢܷB
touch /etc/gshadow
chown root.root /etc/gshadow
chmod 700 /etc/gshadow
Vµ¢O[vðìéÆ©®IÉ/etc/groupyÑ /etc/gshadowt@CÉÇ
Á³êÜ·B[UÌÇÁâíAO[vÌpX[hÌÏXÈÇÌC³ª
sÈíê½êÉÍ /etc/gshadowt@CàÏX³êÜ·B
Shadow Suite ÉÜÜêéO[vðÏX·é½ßÌvOƵÄgroups,
groupadd, groupmod, groupdelª èÜ·B
/etc/group t@CÌtH[}bgÍÌæ¤ÉÈÁĢܷB
groupname:!:GID:member,member,...
etB[hÌàeÍÌæ¤ÉÈÁĢܷ:
groupname
O[v¼
! ÊíÍpX[hðÛ·étB[hÅ éªA Shadow Suite ÅÍ
pX[hÍ/etc/gshadow t@CÉi[³êé
GID
O[vID(l)
member
O[vÌoÌXg
/etc/gshadow t@CÌtH[}bgÍÌæ¤ÉÈèÜ·B
groupname:password:admin,admin,...:member,member,...
etB[hÌàeÍÍȺÌæ¤ÉÈÁĢܷ:
groupname
O[v̼O
password
GR[h³ê½pX[h
admin
O[vÌÇÒÌXg
member
O[vÌoÌXg
gpasswdR}hÍO[vÉεÄÇÒâ[UÌÇÁyÑíðsȤ
ɾ¯g¢Ü·BrootâO[vÌÇÒXgÉüÁÄ¢é[UÍO
[vÌoÌÇÁâíðsȤ±ÆªÅ«Ü·B
O[vÌpX[hÍ root ©O[vÌÇÒXgÉüÁÄ¢é[U
ªpasswdR}hðgp·é±ÆÅÏXÅ«Ü·B
»ÝÌƱëAgpasswdR}hÌIC}j
AÍ èܹñªAp
[^ȵÄgpasswdðÀs·é±ÆÅIvVêðmF·é±ÆªÅ
«Ü·Bt@CÌtH[}bgÆÓ¡ððµÄ¢êÎR}hªÇÌæ¤
É®ì·éÌ©ðc¬·é±ÆÍÈPÅ·B
7.5. êÑ«ð`FbN·évO
7.5.1. pwck
vOpwckÍ/etc/passwdÆ/etc/shadow ÌàeÉêÑ«ª é©Ç¤©
ð²×é½ßÌàÌÅ·B±ÌvOÍ»ê¼êÌ[U¼É¢ÄȺ
ÌÚð²×Ü·:
o tB[h̪³µ¢©
o ¯¶¼OÌ[U¼ª¢È¢©
o [UIDAO[vIDª³µ¢©
o primary O[vª³µ¢©
o z[fBNgª³µ¢©
o OCVFª³µ¢©
ܽApX[h³µÌAJEgª êÎxµÜ·B
Shadow SuiteðCXg[µ½çApwckðÀs·éÆ¢¤ÌÍÇ¢l¦Å
·BèúI(½Æ¦ÎAT)ÉÀs·éÌࢢŵå¤B-rIvV
ðg¦ÎAcronðgÁÄèúIÉÀs³¹AÊð[Åñ³¹é±Æª
Å«Ü·B
7.5.2. grpck
grpck Í/etc/group Æ /etc/gshadow ÌêÑ«ðmF·évOÅ·B
±ÌvOÍȺÌ`FbNðsȢܷ:
o tB[h̪³µ¢©
o O[v¼Ìd¡ªÈ¢©
o o[ÆÇÒÌXgª³µ¢©
pwckR}h¯lÉA-r IvVðgÁÄ©®IÉÊñð³¹é±Æ
ªÅ«Ü·B
7.6. _CAAbvEpX[h
_CAAbvEpX[hÍ_CACÌANZXðµĢéVXe
ÌAÊíÌpX[hFØÆÍÊÌhqüÅ·B[J é¢Ílbg
[NoRÅڱūé[Uͽ¢é¯êÇ_CACÅڱūé[
UͧÀµ½¢êÉÍA_CAAbvEpX[hªðɧ¿Ü·B_C
AAbvEpX[hðLøÉ·éÉÍA/etc/login.defsðÒWµA
DIALUPS_CHECK_ENAB ð yes ɵܷB
_CAAbvÉ¢ÄÌÝèÍ2ÂÌt@CÅs¢Ü·BêÂÍ
/etc/dialupsÅAtty ÌÝèðLqµÜ·B(ñüêÂÉεÄês«Af
oCX¼ÌÅÌ"/dev/"ðæ袽àÌðLqµÜ·B) tty ª©êÄ
¢êÎA_CAAbvÌÚ±Éηé`FbNªsíêÜ·B
à¤êÂÌt@CÍ /etc/d_passwd Å·B±Ìt@CÉÍKØÈVF
ÌpX¼ÆÇÁÌpX[hðLqµÜ·B
àµA/etc/dialupsÉ©êÄ¢éñü©ç[UªOCµA
/etc/d_passwd ɱÌ[UÌOCVFª©êÄ¢éÈçÎA³µ¢
pX[hðüÍ·é±ÆÅANZXÂð¾é±ÆªÅ«Ü·B
_CAAbvEpX[hÍñüÉÁèÌ^Cv(PPPâUUCPÈÇ)ÌÚ±¾
¯ð·êÉàLøÉpÅ«Ü·B[Uª¼Ì^CvÌÚ±(á¦Î
XgÉÚÁÄ¢éVFðg¤)ðs¤êÉͱÌñüÌpX[hðmÁ
Ä¢éKvª èÜ·B
_CAAbvEpX[hðg¤OÉÍAOqÌÝèt@Cð쬷éK
vª èÜ·B
R}h dpasswd ðgÁÄ /etc/d_passwdt@CÌVFÉηépX
[hðÝè·é±ÆªÅ«Ü·BÚµÍIC}j
AðQƵÄ
¾³¢B
8. CvOð Shadow Suite Éγ¹éû@
vOÉ shadow T|[gðÁ¦éÌÍÀÛÉÍÆÄàÈPÅ·BâèÍ
/etc/shadow t@CÉANZX·é½ßÉvOÍroot ÀÅÀs·é
©ArootÉ SUID µÄÀsµÈ¯êÎÈçÈ¢±ÆÅ·B
±êÍdåÈâèÅ·BSUID ·évOðìéÉÍñíÉTdÉv
O·éKvª èÜ·Bá¦ÎAVFÉGXP[vÅ«évOÍ
vOªrootÉ SUID ³êÄ¢ÄàrootƵÄÀsµÄÍÈèܹñB
pX[hÌ`FbNÍ·éªA»êÈOÉÍrootƵĮì·éKvªÈ¢
æ¤ÈêÅ shadow T|[gðvOÉÇÁ·éÍ shadow O[v
É SGID ·éûª¸ÁÆÀSÅ·Bxlock vOͱÌæ¤ÈáÌT^Å
·B
ȺŦ·áÌ pppd-1.2.1d ÍùÉrootÉ SUID ³êÄ¢éÌÅAshadow T
|[gðÁ¦é±ÆÅAvOªZL
eBIÉæèÆãÉÈé±ÆÍ
àÍâ èܹñB
8.1. wb_t@C
wb_t@CÍ /usr/include/shadow fBNgàÉ é׫Å
·B/usr/include/shadow.h àKvÅ·ªA±êÍ
/usr/include/shadow/shadow.h ÖÌV{bNNÉÈèÜ·B
vOÉ shadow T|[gðÁ¦é½ßÉÍÌwb_t@CðCN
[h·éKvª èÜ·:
#include <shadow/shadow.h>
#include <shadow/pwauth.h>
shadow pÌR[hððRpCÅpÅ«éæ¤ÉRpC½ßðp
¢éÌÍÇ¢l¦Å·B(ȺÌáÅ໤µÄ¢Ü·B)
8.2. libshadow.a Cu
Shadow Suite ðCXg[·éÉÍ libshadow.a à쬳êA/usr/lib
ÉCXg[³êÜ·B
vOÅ shadow T|[g·é½ßÉÍAJÉ libshadow.a ð
N·éæ¤Éw¦·éKvª èÜ·B
±êÍȺÌæ¤És¢Ü·:
gcc program.c -o program -lshadow
µ©µAȺÌáÅí©éæ¤ÉåKÍÈvOÅÍåï Makefile ðg
¢Ü·©çAÊÍ LIBS ÏðÏXµÜ·B
8.3. Shadow \¢Ì
libshadow.a CuÍ spwd ÆÄÎêé\¢ÌÉ /etc/shadow t@C
©çæèoµ½îñði[µÜ·B±êÍ wb_t@C
/usr/include/shadow/shadow.h ɨ¯é spwd Ìè`Å·:
______________________________________________________________________
struct spwd
{
char *sp_namp; /* login name */
char *sp_pwdp; /* encrypted password */
sptime sp_lstchg; /* date of last change */
sptime sp_min; /* minimum number of days between changes */
sptime sp_max; /* maximum number of days between changes */
sptime sp_warn; /* number of days of warning before password
expires */
sptime sp_inact; /* number of days after password expires
until the account becomes unusable. */
sptime sp_expire; /* days since 1/1/70 until account expires
*/
unsigned long sp_flag; /* reserved for future use */
};
______________________________________________________________________
Shadow Suite ÅÍ sp_pwdp ÉPÈéGR[h³ê½pX[h¾¯ÅÈ
A»êÈOÌîñཹé±ÆªÅ«Ü·Bá¦ÎApX[htB[
hªÈºÌæ¤ÈsðÜñÅ¢éêÅ·:
username:Npge08pfz4wuk;@/sbin/extra:9479:0:10000::::
±êÅApX[hÉÁ¦Ä/sbin/extra vOð³çÈéFØÉp¢é
±Æðw¦µÄ¢Ü·BÄÑo³ê½vOÍA[U¼ÆȺÄÑo³
꽩ð¦·XCb`ðn³êÜ·BæèÚµ¢îñð¾é½ßÉÍ
/usr/include/shadow/pwauth.h Æ\[XR[hÉÜÜêé pwauth.c ðÇñ
ž³¢B
±êªÓ¡·éƱëÍA2FØÉÓ·é±ÆÆAÀÛÌFØðs¤É
ÍÖ pwauth ðp¢é׫¾Æ¢¤±ÆÅ·BȺÌáèÅͱêðÀsµ
ĢܷB
»Ý¶ÝµÄ¢évOÌÙÆñǪ±êðsÁĢȢ½ßA Shadow
SuiteÌìÒÍ«Ìo[WÅͱÌ@\ð³·©dlðÏX·é±Æ
ð¾ÁĢܷB
8.4. Shadow T|[g̽ßÌÖ
shadow.h t@CÉÍ libshadow.a CuªÜñÅ¢éÖÌÖv
g^Cvà©êĢܷ:
______________________________________________________________________
extern void setspent __P ((void));
extern void endspent __P ((void));
extern struct spwd *sgetspent __P ((__const char *__string));
extern struct spwd *fgetspent __P ((FILE *__fp));
extern struct spwd *getspent __P ((void));
extern struct spwd *getspnam __P ((__const char *__name));
extern int putspent __P ((__const struct spwd *__sp, FILE *__fp));
______________________________________________________________________
±ê©çáèÅp¢éÖÍ getspnam (^¦çê½¼OÉηé spwd \
¢Ìð^¦é)Å·B
8.5. áè
±êÍftHgÅ shadow T|[gðµÄ¢È¢vOð shadow Î
³¹éáÅ·B
±ÌáÅÍ Point-to-Point vgRT[o(pppd-1.2.1d) ðp¢Ä¢Ü
·B±ÌvOÍ PAP â CHAP t@CÅÈ /etc/passwd t@C©
ç¾½[U¼ÆpX[hðp¢Ä PAP FØðs¤[hðÁÄ¢Ü
·BùÉ pppd-2.2.0 Å shadow T|[gªsíêÄ¢éÌÅApppd-2.2.0
ÉεÄáèÌR[hðÇÁ·éKvÍ èܹñB
pppd ̱Ì@\Í ÜègíÈ¢àÌÅ·ªAShadow Suite ðCXg[
·éÆpX[hª /etc/passwd ÉÛ³êÈÈé½ßÉA±Ì@\ÍS
g¦ÈÈÁĵܢܷB
pppd-1.2.1d Ì[UFØ̪ÌR[hÍ
/usr/src/pppd-1.2.1d/pppd/auth.c t@CÉ èÜ·B
ȺÌR[hÍR[hàÌ¼Ì #include ½ßæèàOÉÁ¦éKvª èÜ
·Bð½ßÅ #include ðÍñŢܷ(µ½ªÁÄ shadow T|[g è
ÅRpC·é¾¯CN[h³êÜ·)B
______________________________________________________________________
#ifdef HAS_SHADOW
#include <shadow.h>
#include <shadow/pwauth.h>
#endif
______________________________________________________________________
̪ÍÀÛÌR[hÉηéÏX_Å·Bauth.c t@CÉXÉÏXð
Á¦Ü·B
ÏXOÌ auth.c:
______________________________________________________________________
/*
* login - Check the user name and password against the system
* password database, and login the user if OK.
*
* returns:
* UPAP_AUTHNAK: Login failed.
* UPAP_AUTHACK: Login succeeded.
* In either case, msg points to an appropriate message.
*/
static int
login(user, passwd, msg, msglen)
char *user;
char *passwd;
char **msg;
int *msglen;
{
struct passwd *pw;
char *epasswd;
char *tty;
if ((pw = getpwnam(user)) == NULL) {
return (UPAP_AUTHNAK);
}
/*
* XXX If no passwd, let them login without one.
*/
if (pw->pw_passwd == '\0') {
return (UPAP_AUTHACK);
}
epasswd = crypt(passwd, pw->pw_passwd);
if (strcmp(epasswd, pw->pw_passwd)) {
return (UPAP_AUTHNAK);
}
syslog(LOG_INFO, "user %s logged in", user);
/*
* Write a wtmp entry for this user.
*/
tty = strrchr(devname, '/');
if (tty == NULL)
tty = devname;
else
tty++;
logwtmp(tty, user, ""); /* Add wtmp login entry */
logged_in = TRUE;
return (UPAP_AUTHACK);
}
______________________________________________________________________
[UÌpX[hÍ pw->pw_passwd Éãü³êÄ¢éÌÅA±±Ås¤K
vª éÌÍÖ getspnam ðÇÁ·é±ÆÅ·B±ÌÖÍpX[hð
spwd->sp_pwdp ÉãüµÜ·B
ÉAÀÛÌFØðs¤½ßÉÖ pwauth ðÁ¦Ü·B±ÌÖÍ shadow
t@Cª2FØð·éæ¤ÉÝè³êÄ¢éêÉÍA©®IÉ2FØð
ÀsµÜ·B
shadow ðT|[g·éæ¤ÉÏXµ½ãÌauth.c:
______________________________________________________________________
/*
* login - Check the user name and password against the system
* password database, and login the user if OK.
*
* This function has been modified to support the Linux Shadow Password
* Suite if USE_SHADOW is defined.
*
* returns:
* UPAP_AUTHNAK: Login failed.
* UPAP_AUTHACK: Login succeeded.
* In either case, msg points to an appropriate message.
*/
static int
login(user, passwd, msg, msglen)
char *user;
char *passwd;
char **msg;
int *msglen;
{
struct passwd *pw;
char *epasswd;
char *tty;
#ifdef USE_SHADOW
struct spwd *spwd;
struct spwd *getspnam();
#endif
if ((pw = getpwnam(user)) == NULL) {
return (UPAP_AUTHNAK);
}
#ifdef USE_SHADOW
spwd = getspnam(user);
if (spwd)
pw->pw_passwd = spwd->sp-pwdp;
#endif
/*
* XXX If no passwd, let NOT them login without one.
*/
if (pw->pw_passwd == '\0') {
return (UPAP_AUTHNAK);
}
#ifdef HAS_SHADOW
if ((pw->pw_passwd && pw->pw_passwd[0] == '@'
&& pw_auth (pw->pw_passwd+1, pw->pw_name, PW_LOGIN, NULL))
|| !valid (passwd, pw)) {
return (UPAP_AUTHNAK);
}
#else
epasswd = crypt(passwd, pw->pw_passwd);
if (strcmp(epasswd, pw->pw_passwd)) {
return (UPAP_AUTHNAK);
}
#endif
syslog(LOG_INFO, "user %s logged in", user);
/*
* Write a wtmp entry for this user.
*/
tty = strrchr(devname, '/');
if (tty == NULL)
tty = devname;
else
tty++;
logwtmp(tty, user, ""); /* Add wtmp login entry */
logged_in = TRUE;
return (UPAP_AUTHACK);
}
______________________________________________________________________
Ó[²×êÎA¼ÉàÏX_ª é±Æªí©èÜ·BIWiÌo[
WÅÍ/etc/passwdt@CàÉpX[hªÈ¢êÉÍANZXð
µÜ·B(UPAP_AUTHACK ðßµlÉ·éB)±êÍ ÜèÇÈ¢±ÆÅ·B
ÊÌOCÅÍ PPP vZXÖÌANZXð·ÉêÂÌAJEg
ðp¢A»ê©ç /etc/passwd t@CÌ[U¼Æ /etc/shadowt@C
ÌpX[hðpµÄAüͳê½[U¼ÆpX[hÉ뵀 PAP F
Øðs¤©çÅ·B
¾©çA൳Ìo[Wð[U(á¦Î ppp)ÌVFƵÄç¹é
ÆA[U ppp ÅópX[hÉµÄ PAP ðÝèµÄàNà PPP Ú±ð¾
é±ÆªÅ«ÈÈèÜ·B
pX[hªóÌÉÍ UPAP_AUTHNAK ÅÈ UPAP_AUTHACKðßµlÆ·é
æ¤É·é±ÆÅàC³Å«Ü·B
Ê¢±ÆÉApppd-2.2.0 É௶âèª èÜ·B
ÉAȺÌ2_É墀 Makefile ðC³·éKvª èÜ·: USE_SHADOW
ðè`·é±ÆÆAlibshadow.a ðN·éæ¤É·é±ÆÅ·B
Makefile ðÒWµÄAÌsðÁ¦Ä¾³¢:
LIBS = -lshadow
»ê©çAÌsð©Â¯Ä:
COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t
ȺÌæ¤ÉÏXµÄ¾³¢:
COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t -DUSE_SHADOW
ÅãÉARpCyÑCXg[ðÀsµÜµå¤B
9. æ·©êé¿â(Frequently Asked Questions).
Q: /etc/securettys t@CðgÁÄ rootªOCÅ«é tty ð§äµ
æ¤ÆµÄ¢éÌÅ·ªA¤Ü¢«Ü¹ñB
A: /etc/securettys Í Shadow SuiteªCXg[³ê½ãÉÍSÓ¡ð
¿Ü¹ñBrootªpÅ«é tty ðLq·éÝèt@CÍ
/etc/login.defsÉÈèÜ·B±Ìt@CàżÌt@Cðwè·é±Æ
à èÜ·B
Q: Shadow SuiteðCXg[µ½ÌÅ·ªAOCªÅ«ÈÈÁĵ
ܢܵ½B½ª«¢Ìŵå¤H
A: ¨»çShadow SuiteÌvOÍCXg[µ½¯êÇApwconvð
ÀsµÄ¢È¢©A/etc/npasswdð
/etc/passwdÉA/etc/nshadowð/etc/shadowÉ»ê¼êRs[·éÌðYêé
©µ½Ìŵå¤Blogin.defsð /etcÉRs[µÄ¢È¢Ì©àµêܹ
ñB
Q:xlock ÌÍÅ /etc/shadowt@CÌLO[vð shadowɹæÆ è
ܵ½ªA»Ìæ¤ÈO[vÍ èܹñBǤµ½çÇ¢Ìŵ天H
A:O[vðÇÁµÜµå¤BPÉ/etc/groupt@CðÒWµÄAshadow
O[vÉ¢ÄÌLqðÁ¦é¾¯Å·BO[vIDª¼Æd¡µÈ¢æ¤
É·é_ÆAnogroupÌGg[æèOÉÇÁ·é_ÉÍӵľ³
¢BPÉ xlockð root É SUID ·éÆ¢¤û@à èÜ·B
Q: Linux Å Shadow Suite É¢ÄÌ[OXgÍ èÜ·©H
A: èÜ·Bµ©µA±êÍÌo[WÌ LinuxÅShadow Suite ÌJ
ÆÀeXg̽ßÌàÌÅ·B shadow-list-request@neptune.cin.net¶ÉT
uWFNgª subscribeÅ é[ðé±ÆÅ[OXgÉQÁÅ
«Ü·B±Ì[OXgÍ LinuxÅshadow-YYMMSSÉ¢ÄÌc_ðs
¤êÅ·BJÉÁíè½¢© Shadow Suite ðCXg[µ½ÌÅVµ
¢[XÉ¢ÄÌîñð¾½¢êÉÍQÁ·éÆǢŵå¤B
Q:Shadow SuiteðCXg[µÜµ½ªA userdelR}hðÀs·é
Æ"userdel: cannot open shadow group file"Æ¢¤G[ªoÜ·B½ª¨
©µ¢Ìŵå¤H
A: Shadow Suite ðSHADOWGRPIvVðLøɵÄRpCµ½Ì
ÉA/etc/gshadowt@CªÈ¢Ìŵå¤Bconfig.hðC³µÄÄRpC
·é©A/etc/group t@Cðìèܵå¤Bshadow O[vÌà¾ÌÍ
àmFµÜµå¤B
Q: Shadow SuiteðCXg[µÜµ½ªA /etc/passwdÉû³ê½p
X[hª©êĵܢܷBǤµÄÅ·©H
A:¨»çconfig.ht@CàÌAUTOSHADOWIvVðLøɵÄRpC
µ½©A ȽÌgÁÄ¢élibc ªSAHDOW_COMPATIvVðLøɵÄ
RpC³êÄ¢é©Å·Bǿ窴ö©mFµÄY·éûðÄRp
CµÜµå¤B
10. Copyright Message(ì \¦)
The Linux Shadow Password HOWTO is Copyright (c) 1996 Michael H.
Jackson.
Permission is granted to make and distribute verbatim copies of this
document provided the copyright notice and this permission notice are
preserved on all copies.
Permission is granted to copy and distribute modified versions of this
document under the conditions for verbatim copies above, provided a
notice clearly stating that the document is a modified version is also
included in the modified document.
Permission is granted to copy and distribute translations of this
document into another language, under the conditions specified above
for modified versions.
Permission is granted to convert this document into another media
under the conditions specified above for modified versions provided
the requirement to acknowledge the source document is fulfilled by
inclusion of an obvious reference to the source document in the new
media. Where there is any doubt as to what defines 'obvious' the
copyright owner reserves the right to decide.
Ó: ȺÌaóÍ ÜÅQlÅ·Bì É¢ÄÍ´¶Ì\¦É]ÁÄ
¾³¢B
The Linux Shadow Password HOWTO Í Michael H. Jackson Ìì¨Å·B
(Copyright (c) 1996 Michael H. Jackson)
ì \¦yѱÌø\¦ðSÄÌRs[Éc·±ÆððÉA±Ì¶ð
üϹ¸É¡ÊyÑzz·é±ÆªÂ\Å·B
ãLÌððüϵȢ±ÆyѶªüϳêÄ¢é±Æ¾L·é±Æðð
ÉA±Ì¶ðüϵ½àÌð¡ÊyÑzz·é±ÆªÂ\Å·B
ãqÌüϳ꽶ÉηéðƯ¶ðÅA±Ì¶ð¼Ì¾êÉ|ó
µ½àÌð¡ÊyÑzz·é±ÆªÂ\Å·B
ãqÌüϳ꽶ÉηéðÉÁ¦AVµ¢fBAàɳ̶ÖÌ
¾ÈQƪÜÜêé±Æų̶Šé±Æð壷évªÊ½³êé
±ÆððÉA±Ì¶ð¼ÌfBAÅzz·é±ÆªÂ\Å·Bu¾
ÉvÌè`ªÍÁ«èµÈ¢êÉÍì Òªè·é ðÛ¯µÄ¢é
àÌƵܷB
11. »Ì¼ / Ó«
áèÌ auth.c ÉεÄÌR[hÍ pppd-1.2.1d Æ ppp-2.1.0e ©çøpµ
ܵ½B±êçÌ\tgEFAÍ Australian National University yÑ
Carnegie Mellon University Ìì¨Å·B (Copyright (c) 1993 and The
Australian National University and Copyright (c) 1989 Carnegie Mellon
University)
Thanks to Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> for
writing and maintaining the Shadow Suite for Linux, and for his review
and comments on this document.
Shadow SuiteÌìÒ/ÇÒÅ èAܽA±Ì¶ð©ÄRgðº³Á
½ Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> É´Óµ
Ü·B
±Ì¶Ìá]yÑeXgðsÁĺ³Á½ Ron Tidd <rtidd@tscnet.com>
ɴӵܷB
MÒÉtB[hobNðèA±Ì¶ÌüÇɦ͵ľ³Á½FlÉ´
ӵܷB
RgâñĪ êÎǤ©MÒÉ[Åmç¹Ä¾³¢B
Michael H. Jackson <mhjack@tscnet.com>
12. óÒæè
|óÌzzðÍ´¶É]¤àÌƵܷBܽ|óÌàeÉ¢ÄÍóÒÍ
êØÌÓCðÄܹñÌÅAF³ñÌÓCÅpµÄ¾³¢B
ëóÈÇÌwEâóÉηéRgð¨Ò¿µÄ¢Ü·B¨CyÉ[
¾³¢B
¡´PÃ <fujiwara@linux.or.jp>
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
e74e806c1a2640e922856d7eb69d1420
>
files
>
103
