Linux Shadow Password HOWTO
Michael H. Jackson, mhjack@tscnet.com
v1.3, 3 April 1996
Japanese translation: fujiwara@linux.or.jp

This document describes how to obtain, install and configure the Shadow Suite, which shadows the passwords on a Linux system. It also discusses (re)installing other software and daemons that perform user password authentication. Those programs are not part of the Shadow Suite, but they must be recompiled to support it. An example of a program that supports shadow passwords is also included. Future versions will add answers to frequently asked questions.
______________________________________________________________________

Table of Contents

1. Introduction
   1.1 Changes from the previous version
   1.2 Obtaining the latest version of this document
   1.3 Feedback
2. Why shadow your passwd file?
   2.1 When you might NOT want to shadow your passwd file
   2.2 Format of the /etc/passwd file
   2.3 Format of the shadow file
   2.4 Overview of crypt(3)
3. Obtaining the Shadow Suite
   3.1 History of the Shadow Suite for Linux
   3.2 Obtaining the Shadow Suite
   3.3 What is included with the Shadow Suite
4. Compiling the programs
   4.1 Unpacking the archive
   4.2 Configuring with config.h
   4.3 Making backup copies of the original programs
   4.4 Running make
5. Installation
   5.1 Make a boot disk in case the system breaks
   5.2 Removing duplicate manual pages
   5.3 Running make install
   5.4 Running pwconv
   5.5 Renaming npasswd and nshadow
6. Other programs you may need to upgrade or patch
   6.1 Slackware adduser program
   6.2 The wu_ftpd server
   6.3 The standard ftpd
   6.4 pop3d (Post Office Protocol 3)
   6.5 xlock
   6.6 xdm
   6.7 sudo
   6.8 imapd (E-Mail [pine package])
   6.9 pppd (PPP protocol server)
7. Putting the Shadow Suite to use
   7.1 Adding, modifying and deleting users
      7.1.1 useradd
      7.1.2 usermod
      7.1.3 userdel
   7.2 The passwd command and password aging
   7.3 The login.defs file
   7.4 Group passwords
   7.5 Consistency checking programs
      7.5.1 pwck
      7.5.2 grpck
   7.6 Dial-up passwords
8. Adding shadow support to a C program
   8.1 Header files
   8.2 The libshadow.a library
   8.3 The shadow structure
   8.4 Shadow support functions
   8.5 Example
9. Frequently Asked Questions
10. Copyright Message
11. Miscellaneous / Acknowledgements
12. From the translator
______________________________________________________________________

1. Introduction

This is the Linux Shadow-Password-HOWTO. It explains why you would want to add shadow passwords to a Linux system and how to do so. The use of the features of the Shadow Suite is also described.

You must be root to install the Shadow Suite and to use its utilities. Installing the Shadow Suite changes the core software of the system, so you should take the backups described later. Before you begin, read all of the instructions that follow and make sure you understand them.

1.1. Changes from the previous version
Added:

o a section on when you might NOT want to install shadow passwords
o a note on updating xdm
o a section on putting the Shadow Suite to use
o a section on frequently asked questions

Corrected/updated:

o the reference to the HTML version on Sunsite
o the wu-ftp section, so that -lshadow is added to the Makefile
o typos
o the wu-ftp section, to support ELF
o the security problem with the 'login' program
o updated to recommend the Linux Shadow Suite maintained by Marek Michalkiewicz

1.2. Obtaining the latest version of this document

The latest version of this document can be obtained by anonymous FTP from:

    sunsite.unc.edu
    /pub/Linux/docs/HOWTO/Shadow-Password-HOWTO

or:

    /pub/Linux/docs/HOWTO/other-formats/Shadow-Password-HOWTO{-html.tar,ps,dvi}.gz

It can also be obtained on the WWW from the Linux Documentation Project Web Server <http://sunsite.unc.edu/mdw/linux.html>, on the Shadow-Password-HOWTO page <http://sunsite.unc.edu/linux/HOWTO/Shadow-Password-HOWTO.html>.

It is also available directly from the author (<mhjack@tscnet.com>), and is posted to the comp.os.linux.answers newsgroup.

This document is now also included in the Shadow-YYDDMM package.

Translator's note: the latest Japanese translation can be obtained from JF-INDEX <http://jf.linux.or.jp/JF/JF-ftp/other-formats/INDEX-JF.html> if you have WWW access, or from the /Linux/JF/ directory on jf.linux.or.jp if you have ftp access.

1.3. Feedback

Please send comments, corrections and suggestions to the author (Michael H. Jackson <mhjack@tscnet.com>). Feedback is the only way this document can be improved. I do not read netnews very much, so if you find a problem, please e-mail me directly.

2. Why shadow your passwd file?
At present most Linux distributions do not install the Shadow Suite by default. This is true of Slackware 2.3, Slackware 3.0 and other popular distributions. One reason is that the copyright notice of the original Shadow Suite was unclear about redistribution when a fee is charged. Linux uses the GNU Copyright (also called Copyleft), which makes it easy to package it on convenient media such as CD-ROM and charge for the trouble.

The current maintainer of the Shadow Suite, Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>, has received the source code from the original author under a BSD style copyright that permits redistribution. Now that the copyright problem is resolved, future Linux distributions will probably include the Shadow Suite as standard. Until then, users have to install it themselves.

If you installed your distribution from CD-ROM, the files needed to install the Shadow Suite may be on the CD-ROM even though the distribution itself did not install it. However, versions 3.3.1 and 3.3.1-2 of the Shadow Suite, and shadow-mk, have a security problem in the login program and in programs SUID to root, so they must not be used. The files you need can be obtained by anonymous FTP or on the WWW.

On a Linux system without the Shadow Suite, user information including the password is kept in the /etc/passwd file. Of course, the password is stored in encrypted form. Ask a cryptography expert, though, and you will be told that this is really encoding rather than encryption, because with crypt(3) the text being processed is null and the password is used as the key. For this reason the rest of this document uses the word 'encoded' instead of 'encrypted'.

The algorithm used to encode the password is technically called a one-way hash function: it is easy to compute in one direction but very hard to compute in reverse. See section 2.4 or the crypt(3) manual page for a more detailed description of the algorithm.

When a user picks a password, it is encoded with a randomly generated value called the salt. As a result, one password string can encode to 4096 different values. The salt is stored together with the encoded password.

When a user enters a password at login, the salt is first taken from the stored encoded password. The entered password is then encoded with that salt and the result is compared with the stored encoded string. If they match, the user is authenticated.

Taking an encoded password and recovering the original is computationally difficult (but not impossible). However, on any system used by more than a few people, some of the passwords will be common words (or common words with trivial changes).

Crackers know this, and simply encode a dictionary of words and likely passwords with every one of the 4096 salts ahead of time. They then compare the encoded passwords in /etc/passwd against their table. Whenever a match is found, the cracker has someone else's password. This is called a dictionary attack, and it is one of the most common ways of getting into a system without proper authentication.

Any 8-character password encodes to one of 4096 different 13-character strings, so a dictionary of around 400,000 common words, names and simple variations fits comfortably on a 4GB hard disk. The cracker sorts these and only has to check whether a string from /etc/passwd matches. A 4GB disk can be bought for under 1,000 dollars, so you should assume that any serious cracker has one.

Furthermore, if a cracker has already obtained your /etc/passwd file, only the salts that appear in that file need to be used to encode the dictionary. With a few gigabytes of disk and a 486-class CPU this can be done in a matter of days.
Even without a large amount of disk, a utility such as crack(1) can usually break at least one password on any system with a reasonable number of users (assuming users choose their own passwords).

The /etc/passwd file also contains information such as user IDs and group IDs that many system programs use, so it has to be readable by everyone. If you made /etc/passwd unreadable, you would quickly run into trouble.

The Shadow Suite solves this by moving the passwords to a separate file (normally /etc/shadow). That file is set up so that it cannot be read by just anyone; only root can read and write /etc/shadow. Some programs (xlock, for example) do not need to change /etc/shadow, but do need to verify passwords. Such programs must either be SUID root or belong to the shadow group. Just to verify a password, being SGID shadow is a better idea than being SUID root.

Moving the passwords into /etc/shadow keeps a cracker from getting at the encoded passwords for a dictionary attack. In addition, the Shadow Suite provides the following features:

o a configuration file for login defaults (/etc/login.defs)
o utilities for adding, modifying and deleting user accounts and groups
o password aging and expiration
o account expiration and locking
o double-length passwords (16-character passwords) [NOT recommended]
o better control over users' choice of passwords
o dial-up passwords
o secondary authentication programs [NOT recommended]

Installing the Shadow Suite improves the security of your system, but there is a lot more to do to make a Linux system more secure. The Linux Security HOWTO series, which explains security methods and related concerns, will cover some of that.

For warnings about known security holes and the latest information on Linux security, see the Linux Security home page <http://bach.cis.temple.edu/linux/linux-security/>.

2.1. When you might NOT want to shadow your passwd file

There are a few situations and system configurations in which installing the Shadow Suite is not necessarily a good idea:

o The system has no user accounts.
o The computer is on a LAN and obtains user names and passwords from another machine on the network via NIS (Network Information Services). (This is outside the scope of this document, and would improve security very little anyway, so it is not covered.)
o The system is used by terminal servers to verify users via NFS (Network File System) or NIS.
o The system runs other software that verifies users, is not shadow-aware, and for which you do not have the source code.

2.2. Format of the /etc/passwd file
A non-shadowed /etc/passwd file has the following format:

    username:passwd:UID:GID:full_name:directory:shell

where:

    username   the user's login name
    passwd     the encoded password
    UID        the numerical user ID
    GID        the numerical default group ID
    full_name  the user's full name. This field is actually called the GECOS (General Electric Comprehensive Operating System) field, and can hold information other than the full name. The Shadow Suite commands and manual pages refer to it as the comment field.
    directory  the user's home directory
    shell      the user's login shell (full path)

For example:

    username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh

Here the Np at the start of the second field is the salt and ge08pfz4wuk is the encoded password. For the same password the salt/password combination could just as well have been kbeMVnZM0oL7I; a single password can encode in 4096 different ways. (The password used in this example, 'password', is a terribly bad one because it is so easily guessed.)

Once the Shadow Suite is installed, the /etc/passwd file looks like this instead:

    username:x:503:100:FullName:/home/username:/bin/sh

The 'x' in the second field is simply a placeholder. The encoded password is no longer present, but the format of /etc/passwd itself has not changed, so programs that read /etc/passwd but do not verify passwords continue to work as before. The passwords are moved to the shadow file (normally /etc/shadow).

2.3. Format of the shadow file

The /etc/shadow file contains the following information:

    username:passwd:last:may:must:warn:expire:disable:reserved

The fields have these meanings:

    username  the user name
    passwd    the encoded password
    last      days since 1 January 1970 on which the password was last changed
    may       days before the password may be changed again
    must      days after which the password must be changed
    warn      days before the password expires on which the user is warned
    expire    days after the password expires on which the account is disabled
    disable   days since 1 January 1970 on which the account is disabled
    reserved  a reserved field

The entry from the example above looks like this in /etc/shadow:

    username:Npge08pfz4wuk:9479:0:10000::::
2.4. Overview of crypt(3)

From the crypt(3) manual page:

"crypt is the password encryption function. It is based on the Data Encryption Standard (DES) algorithm with variations intended (among other things) to discourage use of hardware implementations of a key search.

key is a user's typed password. [The encoded string is all NULLs.]

salt is a two-character string chosen from the set [a-zA-Z0-9./]. This string is used to perturb the algorithm in one of 4096 different ways.

By taking the lowest 7 bits of each character of the key, a 56-bit key is obtained. This 56-bit key is used to encrypt repeatedly a constant string (usually a string consisting of all zeros). The returned value points to the encrypted password, a series of 13 printable ASCII characters (the first two characters represent the salt itself). The return value points to static data that is overwritten by each call.

Warning: the key space consists of 2**56 (= 7.2e16) possible values. Exhaustive searches of this key space are possible using massively parallel computers. Software such as crack(1) is available which will search the portion of this key space that is generally used by humans for passwords. Hence, password selection should, at minimum, avoid common words and names. Use of a passwd(1) program that checks for crackable passwords during the selection process is recommended.

The DES algorithm itself has a few quirks which make the use of the crypt(3) interface a very poor choice for anything other than password authentication. Do not use the crypt(3) interface for a project in which encryption is needed. Instead, get a good book on encryption and one of the widely available DES libraries."

Most Shadow Suite packages contain code for doubling the length of the password to 16 characters. DES experts recommend against this: even though the password is twice as long, the left half is encoded first and then the right half, separately. Because of the way crypt works, this can produce a less secure encoded password than if double-length passwords had never been used. Also, users are unlikely to be able to remember a 16-character password.

There is a project under way to develop a replacement for crypt that supports better, more secure passwords (using the MD5 algorithm in particular) while remaining compatible with crypt.

If you are looking for a good book on encryption, I recommend:

    "Applied Cryptography: Protocols, Algorithms, and Source Code in C"
    by Bruce Schneier <schneier@chinet.com>
    ISBN: 0-471-59756-2

3. Obtaining the Shadow Suite

3.1. History of the Shadow Suite for Linux

Because of the security problem, the packages described in this section must NOT be used.

The original Shadow Suite was written by John F. Haugh II. Several versions have been used on Linux systems:

o shadow-3.3.1 is the original.
o shadow-3.3.1-2 is a Linux-specific patch by Florian La Roche <flla@stud.uni-sb.de> with some additional enhancements.
o shadow-mk is a Linux-specific package.

The shadow-mk package contains the shadow-3.3.1 package distributed by John F. Haugh II with the shadow-3.3.1-2 patch applied, modifications by Mohan Kokal <magnus@texas.net> to make installation easier, a patch to login1.c (login.secure) by Joseph R.M.
Zbiciak that closes a security hole in the behaviour of the -f and -h options of /bin/login, and a few other changes.

The shadow.mk package was previously recommended, but it should not be used because of the security problem in the login program.

Shadow Suite versions 3.3.1 and 3.3.1-2 and shadow-mk have a security problem in the login program: the login program does not check the length of the login name. This overflows a buffer and makes the program misbehave. It has been reported that anyone with an account on the system can use this bug together with shared libraries to obtain root privileges. I do not intend to go into the details here. Many Linux systems are affected, because both systems that installed one of these Shadow Suites and early ELF-based distributions that never installed the Shadow Suite are vulnerable.

For more information on this problem and other Linux security matters, see the Linux Security home page (shared libraries and the login program replacement) <http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-telnetd.html>.

3.2. Obtaining the Shadow Suite

The only Shadow Suite currently recommended is still a test version, but the latest release is safe with respect to the problem just described and does not include the vulnerable login program.

The package follows this naming convention:

    shadow-YYMMDD.tar.gz

meaning the release of the Shadow Suite made on day DD of month MM of year YY.

This version is currently under test and will eventually become version 3.3.3. It is maintained by Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> and can be obtained as shadow-current.tar.gz <ftp://i17linuxb.ists.pwr.wroc.pl/pub/linux/shadow/shadow-current.tar.gz>.

It is also available from the following mirror sites:

o ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz
o ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz
o ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz
o ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz

Use the latest version available. Versions older than shadow-960129 must not be used, because of the login program problem described above.

In this document, "Shadow Suite" refers to this package, and it is assumed that this is the package you use. For reference, the installation procedure was written using shadow-960129.

If you are currently using shadow-mk, you should rebuild everything and upgrade to this version.

3.3. What is included with the Shadow Suite

The Shadow Suite replaces the following commands:

    su, login, passwd, newgrp, chfn, chsh, and id

The package also adds the following new programs:

    chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod,
    groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv,
    and pwunconv

In addition it includes the library libshadow.a for writing programs that need access to passwords, the online manual pages for the programs, and the configuration file for the login program, which is installed as /etc/login.defs.

4. Compiling the programs

4.1. Unpacking the archive
The first thing to do after obtaining the package is to unpack it. The package is a tar (Tape ARchive) archive compressed with gzip, so move it to /usr/src and type:

    tar -xzvf shadow-current.tar.gz

This unpacks the package into a directory named /usr/src/shadow-YYMMDD.

4.2. Configuring with config.h

The first step is to copy two files, the Makefile and config.h:

    cd /usr/src/shadow-YYMMDD
    cp Makefile.linux Makefile
    cp config.h.linux config.h

Now look at config.h. It contains the definitions of the configuration options. If you are using the recommended package, first disable group shadow support. Group passwords are enabled by default; to disable them, edit config.h and change #define SHADOWGRP to #undef SHADOWGRP. I suggest leaving this disabled for now and recompiling the Shadow Suite later if you really need group passwords or group administrators. If you leave it enabled, you must create the /etc/gshadow file.

Enabling double-length passwords is not recommended, for the reasons given earlier.

Never change the #undef AUTOSHADOW setting. The AUTOSHADOW option was designed so that programs that do not understand shadow passwords would still work. It sounds like a good idea, but it does not work properly. If you enable the option and run a program as root, a call to getpwnam() writes the modified entry (no longer shadowed) back to /etc/passwd. chfn and chsh are programs affected by this. Swapping the real and effective UID before calling getpwnam() does not help, because chfn and chsh run with root privileges. libc has a SHADOW_COMPAT option with the same meaning, and the same applies when building libc. Do not use it! If encoded passwords start appearing in /etc/passwd, this is the cause.

If you are using a libc older than 4.6.27, you also need to change config.h and the Makefile. In config.h, change this:

    #define HAVE_BASENAME

to this:

    #undef HAVE_BASENAME

Likewise in the Makefile, change:

    SOBJS = smain.o env.o entry.o susetup.o shell.o \
            sub.o mail.o motd.o sulog.o age.o tz.o hushed.o

    SSRCS = smain.c env.c entry.c setup.c shell.c \
            pwent.c sub.c mail.c motd.c sulog.c shadow.c age.c pwpack.c rad64.c \
            tz.c hushed.c

to:

    SOBJS = smain.o env.o entry.o susetup.o shell.o \
            sub.o mail.o motd.o sulog.o age.o tz.o hushed.o basename.o

    SSRCS = smain.c env.c entry.c setup.c shell.c \
            pwent.c sub.c mail.c motd.c sulog.c shadow.c age.c pwpack.c rad64.c \
            tz.c hushed.c basename.c

With libc 4.6.27 and later, these changes for basename.c are not needed.

4.3. Making backup copies of the original programs
It is a good idea to find out in advance which programs the Shadow Suite will replace, and to make backup copies of them. On a Slackware 3.0 system they are:

o /bin/su
o /bin/login
o /usr/bin/passwd
o /usr/bin/newgrp
o /usr/bin/chfn
o /usr/bin/chsh
o /usr/bin/id

The recommended package has a 'save' target in the Makefile, but it is commented out, because different distributions put the programs in different places.

You should also make a backup copy of the /etc/passwd file. Give it a different name, so that it is not overwritten by the passwd command, which writes into the same directory.

4.4. Running make

Most of the installation must be done as root.

Run make to compile the executables in the package:

    make all

You may see warnings of the form rcsid defined but not used; they can be ignored. They appear because the author uses a version control tool.

5. Installation

5.1. Make a boot disk in case the system breaks

Make a boot disk before you start, in case the worst happens. If you still have the boot and root disks you used to install the system, they are sufficient. If not, see the Bootdisk-HOWTO <http://sunsite.unc.edu/mdw/HOWTO/Bootdisk-HOWTO.html>, which explains how to make a boot disk.

5.2. Removing duplicate manual pages

The old manual pages for the programs being replaced should be moved somewhere else. Even if you install the Shadow Suite without backups, you should remove the old manual pages, because they are probably compressed and the new manual pages will not overwrite them properly.

You can use the man -aW and locate commands to find the manual pages that should be moved (or removed). It is generally easier to find the old manual pages before running make install than afterwards.

On a Slackware 3.0 system the manual pages to remove are:

o /usr/man/man1/chfn.1.gz
o /usr/man/man1/chsh.1.gz
o /usr/man/man1/id.1.gz
o /usr/man/man1/login.1.gz
o /usr/man/man1/passwd.1.gz
o /usr/man/man1/su.1.gz
o /usr/man/man5/passwd.5.gz

There may also be formatted manual pages with the same names under /var/man/cat[1-9]; if so, remove them too.

5.3. Running make install

Run the following command (as root):

    make install

This installs the new and replacement programs, fixes the file permissions, and installs the manual pages.

Check that the Shadow Suite include files were installed in the correct place (/usr/include/shadow).

If you are using the recommended package, copy login.defs to /etc by hand and make it readable and writable only by root:

    cp login.defs /etc
    chmod 700 /etc/login.defs

This is the configuration file for the login program. Modify it to suit your system. It controls security-related settings such as which ttys root may log in from and password aging defaults.

5.4. Running pwconv

The next step is to run pwconv. This must also be done as root, and from the /etc directory:

    cd /etc
    /usr/sbin/pwconv

pwconv takes the fields from /etc/passwd and creates two files, /etc/npasswd and /etc/nshadow.

There is also a pwunconv command which, if needed, creates an ordinary /etc/passwd from /etc/passwd and /etc/shadow.

5.5. Renaming npasswd and nshadow
Running pwconv should have produced /etc/npasswd and /etc/nshadow. Copy these over /etc/passwd and /etc/shadow respectively. Before doing so, make a backup copy of the original /etc/passwd, and make sure nobody but root can read it. Root's home directory is a good place for the backup:

    cd /etc
    cp passwd ~passwd
    chmod 600 ~passwd
    mv npasswd passwd
    mv nshadow shadow

Next, check that the owner and permissions of the files are correct. If you use the X Window System, xlock and xdm must be able to read the shadow file (they do not need to write it). There are two ways to arrange this. One is to make xlock SUID root (xdm runs as root anyway, so it is not affected). The other is to make the shadow file owned by root and group shadow. Before doing this, look at /etc/group and make sure a shadow group exists. No user should be a member of the shadow group.

    chown root.root passwd
    chown root.shadow shadow
    chmod 0644 passwd
    chmod 0640 shadow

Your system's passwords are now shadowed. Open a new virtual console and check that you can log in. Go on, try it!

If it does not work, something went wrong. To go back to the unshadowed state:

    cd /etc
    cp ~passwd passwd
    chmod 644 passwd

Also put the other files you backed up earlier back in their proper places.

6. Other programs you may need to upgrade or patch

The Shadow Suite contains replacements for most of the programs that need access to passwords, but most systems have a few more that do.

If you are using Debian (and this works even if you are not), the Debian sources of the programs you need to rebuild can be obtained from:

    ftp://ftp.debian.org/debian/stable/source/

The rest of this section describes the upgrades needed to make adduser, wu_ftpd, ftpd, pop3d, xlock, xdm and sudo support the Shadow Suite.

For how to make other programs shadow-aware, see the section ``Adding shadow support to a C program''. (To actually access the shadow file, a program must be SUID root or SGID shadow.)

6.1. Slackware adduser program

The Slackware distribution (and probably others) contains /sbin/adduser, an interactive program for adding new users. A shadow-aware version is available from ftp://sunsite.unc.edu/pub/Linux/system/Admin/accounts/adduser.shadow-1.4.tar.gz.

I recommend using the programs included in the Shadow Suite (useradd, usermod, userdel) instead of Slackware's adduser. You will have to learn how to use them, but it is worth it: they give you finer control, and they lock /etc/passwd and /etc/shadow while working (which adduser does not). See the section ``Putting the Shadow Suite to use'' for details.

If you still want to use adduser, install it as follows:

    tar -xzvf adduser.shadow-1.4.tar.gz
    cd adduser
    make clean
    make adduser
    chmod 700 adduser
    cp adduser /sbin

6.2. The wu_ftpd server
Most Linux systems use the wu_ftpd server. If the Shadow Suite was not installed with your distribution, wu_ftpd is probably not shadow-aware. wu_ftpd is started as a root process by inetd/tcpd. If you are running an old wu_ftpd daemon, upgrade it: older versions are known to have a bug that allows access to the root account. (For details see the Linux security home page <http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-wu.ftpd-2.4-Update.html>.)

Fortunately, enabling shadow support only requires getting the source code and recompiling.

For non-ELF systems, the wu_ftp server is available on Sunsite as wu-ftp-2.4-fixed.tar.gz <ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/wu-ftpd-2.4-fixed.tar.gz>.

Once you have the file, put it in /usr/src and do the following:

    cd /usr/src
    tar -xzvf wu-ftpd-2.4-fixed.tar.gz
    cd wu-ftpd-2.4-fixed
    cp ./src/config/config.lnx.shadow ./src/config/config.lnx

Then, in the file ./src/makefiles/Makefile.lnx, change this:

    LIBES = -lbsd -support

to this:

    LIBES = -lbsd -support -lshadow

Then run the build script and install:

    cd /usr/src/wu-ftpd-2.4-fixed
    /usr/src/wu-ftp-2.4.fixed/build lnx
    cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
    cp ./bin/ftpd /usr/sbin/wu.ftpd

This compiles and installs the server using the Linux shadow configuration file.

On my Slackware 2.3 system I had to do the following before running the build script:

    cd /usr/include/netinet
    ln -s in_systm.h in_system.h
    cd -

It has been reported that the build fails on ELF systems, but the beta of the next release seems to work. It is available as wu-ftp-2.4.2-beta-10.tar.gz <ftp://tscnet.com/pub/linux/network/ftp/wu-ftpd-2.4.2-beta-10.tar.gz>.

Once you have the file, put it in /usr/src and do the following:

    cd /usr/src
    tar -xzvf wu-ftpd-2.4.2-beta-9.tar.gz
    cd wu-ftpd-beta-9
    cd ./src/config

In the file config.lnx, change this:

    #undef SHADOW.PASSWORD

to this:

    #define SHADOW.PASSWORD

Then cd ../Makefiles, and in the file Makefile.lnx change this:

    LIBES = -lsupport -lbsd # -lshadow

to this:

    LIBES = -lsupport -lbsd -lshadow

Then build and install the executable:

    cd ..
    build lnx
    cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
    cp ./bin/ftpd /usr/sbin/wu.ftpd

Do not forget to check that /etc/inetd.conf refers to the place where the wu_ftpd binary actually is. Some distributions put the server daemon somewhere else or give wu_ftpd a different name.

Translator's note: on Slackware 3.1, compiling wu-ftpd can fail after the passwords have been shadowed. If you get the error shown below, try adding "-DDIRENT_ILLEGAL_ACCESS" to CFLAGS in src/makefiles/Makefile.lnx. (This information was contributed by a reader.)

______________________________________________________________________
gcc -O2 -fomit-frame-pointer -I.. -I../support -I/usr/include/bsd -L../suppors -c glob.c -o glob.o
glob.c: In function `matchdir':
glob.c:284: dereferencing pointer to incomplete type
make: *** [glob.o] Error 1
______________________________________________________________________

6.3. The standard ftpd

If you are using the standard ftpd server, I recommend upgrading to the wu_ftpd server, which, apart from the bug mentioned above, is considered more secure.

If you must use the standard one, or if you need NIS support, get ftpd-shadow-nis.tgz from Sunsite <ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/ftpd-shadow-nis.tgz>.

6.4. pop3d (Post Office Protocol 3)

If you need to support POP3 (the third Post Office Protocol), pop3d must be recompiled. pop3d is run as root by inet/tcpd.

Two different versions are available from Sunsite: pop3d-1.00.4.linux.shadow.tar.gz <ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d-1.00.4.linux.shadow.tar.gz> and pop3d+shadow+elf.tar.gz <ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d+shadow+elf.tar.gz>. Either should install without problems.

6.5. xlock
If you install the Shadow Suite and then run xlock under the X Window System without upgrading it, you will be stuck until you switch to another console with CTRL-ALT-Fx, log in and kill the xlock process (or kill the X server with CTRL-ALT-BS). Fortunately, upgrading xlock is very easy.

If you are using XFree86 version 3.x.x, you are probably using xlockmore (which adds a screen saver to the lock function). This package can be recompiled to support shadow passwords. If you are using the old xlock, I recommend upgrading to xlockmore.

xlockmore-3.5.tgz is available from:

    <ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screensavers/xlockmore-3.7.tgz>

Installation is basically as follows.

Get xlockmore-3.5.tgz and unpack it in /usr/src:

    tar -xzvf xlockmore-3.7.tgz

Edit /usr/X11R6/lib/X11/config/linux.cf and change the line:

    #define HasShadowPasswd NO

to:

    #define HasShadowPasswd YES

Then build the executable:

    cd /usr/src/xlockmore
    xmkmf
    make depend
    make

Move the files into place and set the owner and permissions:

    cp xlock /usr/X11R6/bin/
    cp XLock /var/X11R6/lib/app-defaults/
    chown root.shadow /usr/X11R6/bin/xlock
    chmod 2755 /usr/X11R6/bin/xlock
    chown root.shadow /etc/shadow
    chmod 640 /etc/shadow

xlock should now work correctly.

6.6. xdm

xdm is the program that displays the X Window login screen. Some systems run xdm when they enter a particular run level (see /etc/inittab).

When you install the Shadow Suite, xdm must be updated as well. Fortunately, upgrading xdm is easy.

xdm.tar.gz is available from the following URL:

    <ftp://sunsite.unc.edu/pub/Linux/X11/xutils/xdm.tar.gz>

Get xdm.tar.gz, put it in /usr/src and unpack it:

    tar -xzvf xdm.tar.gz

In /usr/X11R6/lib/X11/config/linux.cf, change:

    #define HasShadowPasswd NO

to:

    #define HasShadowPasswd YES

Build the executable:

    cd /usr/src/xdm
    xmkmf
    make depend
    make

Install the file:

    cp xdm /usr/X11R6/bin/

xdm runs as root, so there is no need to change the file permissions.

6.7. sudo
The sudo program lets a system administrator allow users to run programs that normally require root privileges. It is convenient, for example, for letting users mount disks while keeping access to the root account restricted.

sudo verifies the user's password when it is run, so it must be able to read the password file. sudo is SUID root to begin with, so access to /etc/shadow is not a problem.

The shadow-aware version of sudo is available from:

    <ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz>

Warning: installing sudo replaces the /etc/sudoers file with the default one. If you have changed it from the default, make a backup first. (Alternatively, edit the Makefile and remove the part that copies the default file to /etc.)

This package is already configured for shadow passwords, so you only need to recompile it (unpack the source in /usr/src):

    cd /usr/src
    tar -xzvf sudo-1.2-shadow.tgz
    cd sudo-1.2-shadow
    make all
    make install

6.8. imapd (E-Mail [pine package])

imapd is a mail server like pop3d. It comes with the pine E-mail package. The documentation that comes with the package says that the standard Linux configuration supports shadow passwords, but this is not true. Furthermore, the build script and the Makefile in this package are intertwined, which makes it hard to add libshadow.a to the compilation. As a result, I have not yet been able to make imapd support shadow passwords.

If you have managed it, please let me know by e-mail; I would like to add it to this section.

6.9. pppd (PPP protocol server)

The pppd server can be configured to use two authentication methods: Password Authentication Protocol (PAP) and Cryptographic Handshake Authentication Protocol (CHAP). pppd takes the secret strings from /etc/ppp/chap-secrets and /etc/ppp/pap-secrets (or both). If you use pppd in its default mode, there is no need to reinstall it.

pppd can also be told to use the login parameter (on the command line, in the configuration file, or in the options file). With the login option, pppd uses the user names and passwords in /etc/passwd for PAP. Of course, once the passwords are shadowed this stops working. With pppd-1.2.1d, the program must be modified to support shadow passwords.

The example in the next section adds shadow support to pppd-1.2.1d (the older pppd). pppd-2.2.0 already supports shadow passwords.

7. Putting the Shadow Suite to use

This section describes what you should know after installing the Shadow Suite on your system. For more detail, consult the manual page of each command.

7.1. Adding, modifying and deleting users

The Shadow Suite includes programs for adding, modifying and deleting users. You may already have the adduser program as well.

7.1.1. useradd
The useradd command is used to add users to the system. It is also used to change the default settings.

The first thing to do is check the defaults and change them to suit your system:

    useradd -D

______________________________________________________________________
GROUP=1
HOME=/home
INACTIVE=0
EXPIRE=0
SHELL=
SKEL=/etc/skel
______________________________________________________________________

You probably do not like these defaults, so rather than specifying every item for every user you add, change the defaults.

On my system I changed them as follows:

o default group ID 100
o password expiry after 60 days
o no account locking when the password expires
o default shell /bin/bash

To make these changes, run the following command:

    useradd -D -g100 -e60 -f0 -s/bin/bash

Running useradd -D now gives this result:

______________________________________________________________________
GROUP=100
HOME=/home
INACTIVE=0
EXPIRE=60
SHELL=/bin/bash
SKEL=/etc/skel
______________________________________________________________________

If you want to know, these defaults are kept in the file /etc/default/useradd.

Now useradd can be used to add users. For example, to add the user fred with the default settings, run:

    useradd -m -c "Fred Flintstone" fred

This creates the following entry in /etc/passwd:

    fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash

and the following entry in /etc/shadow:

    fred:!:0:0:60:0:0:0:0

Because the -m option was given, fred's home directory is created and the contents of /etc/skel are copied into it. The UID is assigned automatically since none was specified.

fred's account now exists, but fred cannot log in until the account is unlocked. Unlocking is done by changing the password:

    passwd fred

______________________________________________________________________
Changing password for fred
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New Password: *******
Re-enter new password: *******
______________________________________________________________________

Now /etc/shadow contains:

    fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0

and fred can log in to the system. The advantage of useradd over other programs is that the changes to /etc/passwd and /etc/shadow are made atomically: if another user changes a password at the same moment you register a user, both changes are carried out correctly.

Never edit /etc/passwd or /etc/shadow directly; use the commands provided. If a user changes a password while you are editing /etc/passwd, that user's change is lost the moment you save the file.

Below is a simple interactive script for adding users with useradd and passwd.

______________________________________________________________________
#!/bin/bash
#
# /sbin/newuser - A script to add users to the system using the Shadow
#                 Suite's useradd and passwd commands.
#
# Written by Mike Jackson <mhjack@tscnet.com> as an example for the Linux
# Shadow Password Howto. Permission to use and modify is expressly granted.
#
# This could be modified to show the defaults and allow modification similar
# to the Slackware Adduser program. It could also be modified to disallow
# stupid entries. (i.e. better error checking).
#

##
# Defaults for the useradd command
##
GROUP=100       # Default Group
HOME=/home      # Home directory location (/home/username)
SKEL=/etc/skel  # Skeleton Directory
INACTIVE=0      # Days after password expires to disable account (0=never)
EXPIRE=60       # Days that a passwords lasts
SHELL=/bin/bash # Default Shell (full path)

##
# Defaults for the passwd command
##
PASSMIN=0       # Days between password changes
PASSWARN=14     # Days before password expires that a warning is given

##
# Ensure that root is running the script.
##
WHOAMI=`/usr/bin/whoami`
if [ "$WHOAMI" != "root" ]; then
    echo "You must be root to add new users!"
    exit 1
fi

##
# Ask for username and fullname.
##
echo ""
echo -n "Username: "
read USERNAME
echo -n "Full name: "
read FULLNAME
#
echo "Adding user: $USERNAME."

#
# Note that the "" around $FULLNAME is required because this field is
# almost always going to contain at least one space, and without the "'s
# the useradd command would think that you were moving on to the next
# parameter when it reached the SPACE character.
#
/usr/sbin/useradd -c"$FULLNAME" -d$HOME/$USERNAME -e$EXPIRE \
    -f$INACTIVE -g$GROUP -m -k$SKEL -s$SHELL $USERNAME

##
# Set password defaults
##
/bin/passwd -n $PASSMIN -w $PASSWARN $USERNAME >/dev/null 2>&1

##
# Let the passwd command actually ask for password (twice)
##
/bin/passwd $USERNAME

##
# Show what was done.
##
echo ""
echo "Entry from /etc/passwd:"
echo -n "   "
grep "$USERNAME:" /etc/passwd
echo "Entry from /etc/shadow:"
echo -n "   "
grep "$USERNAME:" /etc/shadow
echo "Summary output of the passwd command:"
echo -n "   "
passwd -S $USERNAME
echo ""
______________________________________________________________________

Using a script to add users is preferable to editing /etc/passwd and /etc/shadow by hand or using Slackware's adduser program. Modify this script to suit your own system.

See the online manual page for a more detailed description of useradd.

7.1.2. usermod

The usermod program changes the information about a user. Its options are almost the same as those of useradd.

To change fred's shell, you would do:

    usermod -s /bin/tcsh fred

This changes fred's entry in /etc/passwd to:

    fred:*:505:100:Fred Flintstone:/home/fred:/bin/tcsh

Now let's set fred's account to expire on 15 September 1997:

    usermod -e 09/15/97 fred

fred's entry in /etc/shadow is now:

    fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0

See the online manual page for a more detailed description of usermod.

7.1.3. userdel

userdel, as its name says, deletes a user's account. Its use is simply:

    userdel -r username

With the -r option, the user's home directory (and everything in it) is removed as well. Files on other file systems must be removed by hand.

If you only want to lock an account rather than delete it, use the passwd command.

7.2. The passwd command and password aging
The passwd command has the usual password changing function. In addition, when run by root it can do the following:

o lock and unlock accounts (-l and -u)
o set the maximum number of days a password remains valid (-x)
o set the minimum number of days before a password may be changed (-n)
o set how many days before expiry the user is warned (-w)
o set how many days after the password expires the account is locked (-i)
o display the account information in a compact form (-S)

As an example, let's look at user fred again:

    passwd -S fred
    fred P 03/04/96 0 60 0 0

This means that fred's password is valid, that it was last changed on 4 March 1996, that it may be changed at any time, that it expires after 60 days, that fred is not warned, and that the account is not disabled when the password expires.

Consequently, once the password expires, fred is prompted for a new password when logging in.

To warn fred 14 days before the password expires, and to disable the account 14 days after it expires, use:

    passwd -w14 -i14 fred

fred's information now reads:

    fred P 03/04/96 0 60 14 14

See the online manual page of passwd for details.

7.3. The login.defs file

/etc/login.defs is the configuration file for the login program and for the Shadow Suite as a whole. It holds a wide range of settings, from what the prompt looks like to what the default password aging is when a user changes a password.

/etc/login.defs contains detailed comments, but a few points deserve attention:

o it contains flags (which can be set on or off) that decide how much logging is produced
o it contains pointers to other configuration files
o it contains the defaults for password aging and the like

From this you can see that it is an important file. Make sure that it exists and that it is configured correctly.

7.4. Group passwords

The /etc/group file can contain passwords for becoming a member of a particular group. This feature is enabled if SHADOWGRP was defined in /usr/src/shadow-YYMMDD/config.h when the Shadow Suite was compiled.

If you compiled with this definition, you must create the /etc/gshadow file to hold the group passwords and the information about group administrators.

When you created /etc/shadow you used a program called pwconv, but there is no equivalent for /etc/gshadow. This is not a problem, however, because the file needs no special editing.

To create the /etc/gshadow file for the first time:

    touch /etc/gshadow
    chown root.root /etc/gshadow
    chmod 700 /etc/gshadow

When you create a new group it is automatically added to both /etc/group and /etc/gshadow. When you add or remove users or change a group password, /etc/gshadow is updated as well.

The Shadow Suite programs for changing groups are groups, groupadd, groupmod and groupdel.

The format of /etc/group is:

    groupname:!:GID:member,member,...

The fields are:

    groupname  the group name
    !          normally the field holding the password; with the Shadow Suite the password is kept in /etc/gshadow instead
    GID        the numerical group ID
    member     the list of group members

The format of /etc/gshadow is:

    groupname:password:admin,admin,...:member,member,...

The fields are:

    groupname  the group name
    password   the encoded password
    admin      the list of group administrators
    member     the list of group members

The gpasswd command is used only to add or remove administrators and members of a group. root and the users in a group's administrator list can add and remove members of that group.

A group password is changed by root or by a user in the group's administrator list, using the passwd command.

There is currently no manual page for gpasswd, but running gpasswd without parameters prints a list of its options. If you understand the file formats and their meaning, it is easy to work out how the command behaves.

7.5. Consistency checking programs

7.5.1. pwck

The pwck program checks /etc/passwd and /etc/shadow for consistency. For every user name it checks the following:

o the correct number of fields
o that the user name is unique
o that the user ID and group ID are valid
o that the primary group is valid
o that the home directory is valid
o that the login shell is valid

It also warns about accounts that have no password.

It is a good idea to run pwck after installing the Shadow Suite, and to run it regularly (weekly, say) thereafter. With the -r option it can be run periodically from cron and the results mailed to you.

7.5.2. grpck

grpck checks /etc/group and /etc/gshadow for consistency. It performs the following checks:

o the correct number of fields
o that no group name is duplicated
o that the lists of members and administrators are valid

Like pwck, it takes the -r option for automated reporting.

7.6. Dial-up passwords

Dial-up passwords are a line of defence separate from ordinary password authentication for systems that allow dial-in access. They are useful when many users may connect locally or over the network but dial-in access should be restricted. To enable dial-up passwords, edit /etc/login.defs and set DIALUPS_CHECK_ENAB to yes.

Two files configure dial-up passwords. One is /etc/dialups, which lists the ttys (one per line, without the leading "/dev/" of the device name) on which the dial-up check is performed.

The other is /etc/d_passwd. It contains the full path names of the relevant shells together with the additional password.

If a user logs in on a line listed in /etc/dialups and the user's login shell is listed in /etc/d_passwd, the user gets access only by entering the correct password.

Dial-up passwords can also be used to allow only a particular kind of connection (PPP or UUCP, for example) on a line. Users wanting a different kind of connection (for example, a shell that is listed) must then know the line's password.

The configuration files above must be created before dial-up passwords can be used.

The dpasswd command sets the passwords for the shells in /etc/d_passwd. See its online manual page for details.

8. Adding shadow support to a C program
8. Adding Shadow Support to a C Program

Adding shadow support to a program is actually fairly simple. The one problem is that the program has to run with root privileges, or be SUID root, to read /etc/shadow.

That is a serious problem. A SUID program must be written with great care. For example, a program that can be escaped to a shell must never run as root, even if it is SUID root.

For a program that only needs to verify a password and otherwise has no reason to run as root, it is much safer to make the program SGID to the shadow group than SUID root. The xlock program is the typical case.

The pppd-1.2.1d example shown below is already SUID root, so adding shadow support to it does not make it any less secure than it already is.

8.1. Header Files

The header files live in /usr/include/shadow. /usr/include/shadow.h must also exist; it is a symbolic link to /usr/include/shadow/shadow.h.

A program gaining shadow support needs to include these headers:

     #include <shadow/shadow.h>
     #include <shadow/pwauth.h>

It is a good idea to use a compile-time define so that the shadow code is compiled in only when wanted (the example below does this).

8.2. The libshadow.a Library

Installing the Shadow Suite also builds libshadow.a and installs it in /usr/lib.

To support shadow passwords a program must be linked against libshadow.a; tell the linker to do so with:

     gcc program.c -o program -lshadow

As the example below shows, larger programs are usually built with a Makefile, so in practice you change the LIBS variable there.

8.3. The Shadow Structure

The libshadow.a library returns the information read from /etc/shadow in a structure called spwd. This is the definition of spwd in the header /usr/include/shadow/shadow.h:

______________________________________________________________________

struct spwd
{
  char *sp_namp;         /* login name */
  char *sp_pwdp;         /* encrypted password */
  sptime sp_lstchg;      /* date of last change */
  sptime sp_min;         /* minimum number of days between changes */
  sptime sp_max;         /* maximum number of days between changes */
  sptime sp_warn;        /* number of days of warning before password expires */
  sptime sp_inact;       /* number of days after password expires until
                            the account becomes unusable.
                         */
  sptime sp_expire;      /* days since 1/1/70 until account expires */
  unsigned long sp_flag; /* reserved for future use */
};
______________________________________________________________________

With the Shadow Suite, sp_pwdp can hold more than the encoded password alone. For instance, the password field might contain the following:

     username:Npge08pfz4wuk;@/sbin/extra:9479:0:10000::::

This says that, in addition to the password, the program /sbin/extra is to be used for further authentication. The program that is called is passed the user name and a switch saying why it was called. For the details, read /usr/include/shadow/pwauth.h and pwauth.c in the source distribution.

What this means is that a program should be aware of secondary authentication and should use the pw_auth function (declared in pwauth.h) to do the actual authentication. The example below does exactly that.

Because almost no existing program does this, the author of the Shadow Suite has said that a future version may drop the feature or change its specification.

8.4. Shadow Support Functions

The shadow.h file also declares the prototypes of the functions contained in libshadow.a:

______________________________________________________________________

extern void setspent __P ((void));
extern void endspent __P ((void));
extern struct spwd *sgetspent __P ((__const char *__string));
extern struct spwd *fgetspent __P ((FILE *__fp));
extern struct spwd *getspent __P ((void));
extern struct spwd *getspnam __P ((__const char *__name));
extern int putspent __P ((__const struct spwd *__sp, FILE *__fp));
______________________________________________________________________

The function used in the example is getspnam, which returns the spwd structure for the name passed to it.
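To make the aging fields of spwd concrete, here is an added example (not from this HOWTO or from the Shadow Suite) that parses one /etc/shadow line into the same fields as struct spwd, prints the record the way passwd -S does, and evaluates the -x, -w and -i rules described in section 7.2 for a given day. It deliberately uses its own struct and parser instead of sgetspent and libshadow.a, so that it builds on any system and needs no root access. The sample line for fred (last change on day 9559, which is 4 March 1996, after passwd -w14 -i14) is constructed, and the state machine is this example's reading of the semantics described above, not code from the Shadow Suite.

```c
/* Added example, not from the HOWTO or the Shadow Suite: parse one /etc/shadow
 * line into the fields of struct spwd and apply the aging rules behind passwd -S/-x/-w/-i. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct shadow_rec {                     /* mirrors struct spwd; -1 means the field was empty */
    char name[64], pwdp[128];
    long lstchg, min, max, warn, inact, expire, flag;
};
enum pw_state { PW_OK, PW_WARN, PW_MUST_CHANGE, PW_INACTIVE, PW_LOCKED, PW_NO_PASSWORD };

/* Split s in place on ':' keeping empty fields (strtok would collapse "::"). */
static int split_colon(char *s, char *f[], int max)
{
    int n = 0;
    for (f[n++] = s; n < max && (s = strchr(s, ':')) != NULL; f[n++] = ++s) *s = '\0';
    return n;
}
static long num_or_empty(const char *s) { return *s ? strtol(s, NULL, 10) : -1; }

/* name:pwdp:lstchg:min:max:warn:inact:expire[:flag]; returns 0, or -1 if malformed. */
int parse_shadow_line(const char *line, struct shadow_rec *r)
{
    char buf[512], *f[9]; int n;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    n = split_colon(buf, f, 9);
    if (n < 8 || strlen(f[0]) >= sizeof r->name || strlen(f[1]) >= sizeof r->pwdp) return -1;
    strcpy(r->name, f[0]);
    strcpy(r->pwdp, f[1]);
    r->lstchg = num_or_empty(f[2]);  r->min    = num_or_empty(f[3]);
    r->max    = num_or_empty(f[4]);  r->warn   = num_or_empty(f[5]);
    r->inact  = num_or_empty(f[6]);  r->expire = num_or_empty(f[7]);
    r->flag   = n > 8 ? num_or_empty(f[8]) : -1;
    return 0;
}

/* Status letter as passwd -S prints it: P usable, L locked, NP no password. */
const char *pw_status_letter(const struct shadow_rec *r)
{
    if (r->pwdp[0] == '\0') return "NP";
    if (r->pwdp[0] == '!' || r->pwdp[0] == '*') return "L";
    return "P";
}

/* Aging state on `today`, counted in days since 1970-01-01 like sp_lstchg. */
enum pw_state pw_state_on(const struct shadow_rec *r, long today)
{
    long expires;
    if (r->pwdp[0] == '\0') return PW_NO_PASSWORD;
    if (r->pwdp[0] == '!' || r->pwdp[0] == '*') return PW_LOCKED;
    if (r->expire >= 0 && today >= r->expire) return PW_INACTIVE;  /* whole account expired */
    if (r->lstchg == 0) return PW_MUST_CHANGE;                      /* change forced by root */
    if (r->max < 0) return PW_OK;                                   /* no -x limit: never ages */
    expires = r->lstchg + r->max;
    if (today >= expires) {                                         /* -x days have passed */
        if (r->inact >= 0 && today >= expires + r->inact) return PW_INACTIVE;   /* -i */
        return PW_MUST_CHANGE;                                      /* new password at login */
    }
    if (r->warn > 0 && today >= expires - r->warn) return PW_WARN;  /* inside the -w window */
    return PW_OK;
}

/* Days since the epoch -> calendar date (proleptic Gregorian, no time zones). */
static void civil_from_days(long z, int *y, int *m, int *d)
{
    long era, yr; unsigned long doe, yoe, doy, mp;
    z += 719468;
    era = (z >= 0 ? z : z - 146096) / 146097;
    doe = (unsigned long)(z - era * 146097);
    yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    yr  = (long)yoe + era * 400;
    doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    mp  = (5 * doy + 2) / 153;
    *d  = (int)(doy - (153 * mp + 2) / 5 + 1);
    *m  = (int)(mp < 10 ? mp + 3 : mp - 9);
    *y  = (int)(yr + (*m <= 2));
}

/* Render the record the way `passwd -S name` prints it (empty numbers as 0). */
int format_passwd_S(const struct shadow_rec *r, char *out, size_t outlen)
{
    int y, m, d;
    civil_from_days(r->lstchg, &y, &m, &d);
    return snprintf(out, outlen, "%s %s %02d/%02d/%02d %ld %ld %ld %ld", r->name,
                    pw_status_letter(r), m, d, y % 100, r->min < 0 ? 0 : r->min,
                    r->max < 0 ? 0 : r->max, r->warn < 0 ? 0 : r->warn, r->inact < 0 ? 0 : r->inact);
}

int main(void)
{   /* constructed line: fred, last change 1996-03-04 (day 9559), after passwd -w14 -i14 */
    struct shadow_rec r; char buf[96];
    if (parse_shadow_line("fred:$1$AbCdEfGh$0123456789abcdefghijk:9559:0:60:14:14::", &r)) return 1;
    format_passwd_S(&r, buf, sizeof buf);
    printf("%s\nstate on day 9609: %d (1 = PW_WARN)\n", buf, (int)pw_state_on(&r, 9609));
    return 0;
}
```

The status line comes out as the same "fred P 03/04/96 0 60 14 14" that section 7.2 shows after passwd -w14 -i14, and day 9609 (50 days after the change) falls inside the 14-day warning window, day 9619 forces a change at login, and day 9633 is where the -i setting disables the account. A real checker would get the record from getspnam rather than from a string, and a "!" or "*" in sp_pwdp is what passwd -l writes to lock an account.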
8.5. Example

This is an example of adding shadow support to a program that does not support it out of the box.

The program used is the Point-to-Point Protocol server, pppd-1.2.1d. It has a mode in which PAP authentication is done with a user name and password taken from /etc/passwd rather than from the PAP or CHAP files. pppd-2.2.0 already contains shadow support, so there is no need to add the code shown here to pppd-2.2.0.

This feature of pppd is not used very often, but once the Shadow Suite is installed, passwords are no longer stored in /etc/passwd and the feature stops working altogether.

The user authentication code of pppd-1.2.1d is in the file /usr/src/pppd-1.2.1d/pppd/auth.c.

The following lines must be added to that file before its other #include directives. They are wrapped in a conditional so that the shadow headers are included only when the program is compiled with shadow support; the conditional uses the same USE_SHADOW macro that the Makefile change at the end of this section defines:

______________________________________________________________________

#ifdef USE_SHADOW
#include <shadow.h>
#include <shadow/pwauth.h>
#endif
______________________________________________________________________

Next come the changes to the code itself, further on in auth.c.

auth.c before the change:

______________________________________________________________________

/*
 * login - Check the user name and password against the system
 * password database, and login the user if OK.
 *
 * returns:
 *      UPAP_AUTHNAK: Login failed.
 *      UPAP_AUTHACK: Login succeeded.
 * In either case, msg points to an appropriate message.
 */
static int
login(user, passwd, msg, msglen)
    char *user;
    char *passwd;
    char **msg;
    int *msglen;
{
    struct passwd *pw;
    char *epasswd;
    char *tty;

    if ((pw = getpwnam(user)) == NULL) {
        return (UPAP_AUTHNAK);
    }

    /*
     * XXX If no passwd, let them login without one.
     * (The test is on the first character: an empty password field.)
     */
    if (pw->pw_passwd[0] == '\0') {
        return (UPAP_AUTHACK);
    }

    epasswd = crypt(passwd, pw->pw_passwd);
    if (strcmp(epasswd, pw->pw_passwd)) {
        return (UPAP_AUTHNAK);
    }

    syslog(LOG_INFO, "user %s logged in", user);

    /*
     * Write a wtmp entry for this user.
     */
    tty = strrchr(devname, '/');
    if (tty == NULL)
        tty = devname;
    else
        tty++;
    logwtmp(tty, user, "");             /* Add wtmp login entry */
    logged_in = TRUE;

    return (UPAP_AUTHACK);
}
______________________________________________________________________

The user's encoded password has been placed in pw->pw_passwd, so what is needed here is a call to getspnam, which returns the shadow entry with the password in spwd->sp_pwdp, followed by a call to pw_auth to do the actual authentication. pw_auth also performs secondary authentication automatically when the shadow entry is set up for it.

auth.c after the change, with shadow support:

______________________________________________________________________

/*
 * login - Check the user name and password against the system
 * password database, and login the user if OK.
 *
 * This function has been modified to support the Linux Shadow Password
 * Suite if USE_SHADOW is defined.
 *
 * returns:
 *      UPAP_AUTHNAK: Login failed.
 *      UPAP_AUTHACK: Login succeeded.
 * In either case, msg points to an appropriate message.
 */
static int
login(user, passwd, msg, msglen)
    char *user;
    char *passwd;
    char **msg;
    int *msglen;
{
    struct passwd *pw;
    char *tty;
#ifdef USE_SHADOW
    struct spwd *spwd;                  /* getspnam() is declared in shadow.h */
#else
    char *epasswd;
#endif

    if ((pw = getpwnam(user)) == NULL) {
        return (UPAP_AUTHNAK);
    }

#ifdef USE_SHADOW
    /* The real password lives in /etc/shadow; substitute it for the "x". */
    spwd = getspnam(user);
    if (spwd)
        pw->pw_passwd = spwd->sp_pwdp;
#endif

    /*
     * XXX If no passwd, do NOT let them login without one.
     */
    if (pw->pw_passwd[0] == '\0') {
        return (UPAP_AUTHNAK);
    }

#ifdef USE_SHADOW
    /*
     * A field starting with '@' names a secondary authentication program;
     * pw_auth() runs it and returns non-zero on failure.  valid() checks
     * the supplied password against the encoded one.
     */
    if ((pw->pw_passwd && pw->pw_passwd[0] == '@'
         && pw_auth(pw->pw_passwd + 1, pw->pw_name, PW_LOGIN, NULL))
        || !valid(passwd, pw)) {
        return (UPAP_AUTHNAK);
    }
#else
    epasswd = crypt(passwd, pw->pw_passwd);
    if (strcmp(epasswd, pw->pw_passwd)) {
        return (UPAP_AUTHNAK);
    }
#endif

    syslog(LOG_INFO, "user %s logged in", user);

    /*
     * Write a wtmp entry for this user.
     */
    tty = strrchr(devname, '/');
    if (tty == NULL)
        tty = devname;
    else
        tty++;
    logwtmp(tty, user, "");             /* Add wtmp login entry */
    logged_in = TRUE;

    return (UPAP_AUTHACK);
}
______________________________________________________________________

Note: a close look shows one more change. The original version grants access (returns UPAP_AUTHACK) whenever the user has no password in /etc/passwd. That is a bad idea. The usual arrangement for PPP logins is to give access to the pppd process through a single account, and then to do PAP authentication of the user name and password the peer sends against the user names in /etc/passwd and the passwords in /etc/shadow.

So if you use the original version, give an account (say, ppp) pppd as its login shell, and configure PAP for a user whose password is empty, anybody can get a PPP connection.

The fix is to return UPAP_AUTHNAK instead of UPAP_AUTHACK when the password is empty.

Interestingly, pppd-2.2.0 has the same problem.

Next, two changes must be made to the Makefile: USE_SHADOW must be defined, and libshadow.a must be linked in.

Edit the Makefile and add this line:

     LIBS = -lshadow

Then find the line:

     COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t

and change it to:

     COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t -DUSE_SHADOW

Finally, compile and install.

9. Frequently Asked Questions

Q: I am trying to use the /etc/securettys file to control which ttys root can log in on, but it does not work.

A: /etc/securettys has no meaning once the Shadow Suite is installed. The ttys root may use are configured in /etc/login.defs, which may in turn point to another file.

Q: I installed the Shadow Suite and now I cannot log in at all. What went wrong?

A: Most likely you installed the Shadow Suite programs but did not run pwconv, or forgot to copy /etc/npasswd to /etc/passwd and /etc/nshadow to /etc/shadow. It is also possible that login.defs was not copied into /etc.

Q: The xlock section says to make the group of /etc/shadow "shadow", but there is no such group. What should I do?

A: Add the group. Simply edit /etc/group and add an entry for the shadow group. Make sure its group ID is not already in use, and add it before the nogroup entry. Alternatively, xlock can simply be made SUID root.

Q: Is there a mailing list about the Shadow Suite on Linux?

A: Yes, but it is for development and beta testing of the next version of the Shadow Suite for Linux. To join, send a message with the subject "subscribe" to shadow-list-request@neptune.cin.net. The list is for discussion of shadow-YYMMDD on Linux; join it if you want to take part in development, or if you have installed the Shadow Suite and want to hear about new releases.

Q: I installed the Shadow Suite, but running userdel gives the error "userdel: cannot open shadow group file". What is wrong?

A: The Shadow Suite
was compiled with the SHADOWGRP option enabled, but /etc/gshadow does not exist. Either edit config.h and recompile, or create the /etc/gshadow file (see the section on group passwords, which also explains the shadow group).

Q: I installed the Shadow Suite, but the encoded passwords still show up in /etc/passwd. Why?

A: Most likely either the Shadow Suite was compiled with the AUTOSHADOW option in config.h enabled, or the libc you are using was compiled with the SHADOW_COMPAT option enabled. Find out which is the cause and recompile whichever is responsible.

10. Copyright Message

The Linux Shadow Password HOWTO is Copyright (c) 1996 Michael H. Jackson.

Permission is granted to make and distribute verbatim copies of this document provided the copyright notice and this permission notice are preserved on all copies.

Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copies above, provided a notice clearly stating that the document is a modified version is also included in the modified document.

Permission is granted to copy and distribute translations of this document into another language, under the conditions specified above for modified versions.

Permission is granted to convert this document into another media under the conditions specified above for modified versions provided the requirement to acknowledge the source document is fulfilled by inclusion of an obvious reference to the source document in the new media. Where there is any doubt as to what defines 'obvious' the copyright owner reserves the right to decide.

Translator's note: the Japanese rendering of this notice that followed here in the translated edition is for reference only; the original English notice above governs the copyright.
11. Miscellaneous / Acknowledgements

The auth.c example code is quoted from pppd-1.2.1d and ppp-2.1.0e, which are Copyright (c) 1993 The Australian National University and Copyright (c) 1989 Carnegie Mellon University.

Thanks to Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> for writing and maintaining the Shadow Suite for Linux, and for his review and comments on this document.

Thanks to Ron Tidd <rtidd@tscnet.com> for his helpful testing and feedback on this document.

Thanks to everyone who has sent feedback to the author and helped improve this document.

Please send comments and suggestions to the author by e-mail:

     Michael H. Jackson <mhjack@tscnet.com>

12. Translator's Note

The terms for distributing this translation are the same as those of the original. The translator accepts no responsibility for the contents of the translation; use it at your own risk.

Reports of mistranslations and other comments on the translation are welcome; please feel free to send mail.

     Fujiwara <fujiwara@linux.or.jp>