
                       Linux Shadow Password HOWTO: obtaining, installing and configuring shadow passwords
                                       
Author: Michael H. Jackson, [1]mhjack@tscnet.com
Translator: Sung Min-Ju, [2]songmj@ms1.hinet.net

   v1.3, 3 April 1996; translated 15 May 2000
     _________________________________________________________________
   
   This document describes how to obtain, install, and configure the Linux
   password Shadow Suite. It also discusses obtaining and reinstalling other
   software and network daemons that require access to user passwords. That
   software is not actually part of the Shadow Suite, but it has to be
   recompiled to support it. The document also contains a programming
   example: adding shadow support to a program. It ends with a FAQ section.
     _________________________________________________________________
   
1. Introduction

     * 1.1 Changes from the previous release
     * 1.2 New versions of this document
     * 1.3 Feedback
       
2. Why shadow your passwd file?

     * 2.1 Why you might NOT want to shadow your passwd file
     * 2.2 Format of the /etc/passwd file
     * 2.3 Format of the shadow file
     * 2.4 Review of crypt(3)
       
3. Getting the Shadow Suite

     * 3.1 History of the Shadow Suite for Linux (not yet translated)
     * 3.2 History of the Shadow Suite for Linux
     * 3.3 Where to get the Shadow Suite
     * 3.4 What is included with the Shadow Suite
       
4. Compiling the programs

     * 4.1 Unpacking the archive
     * 4.2 Configuring with the config.h file
     * 4.3 Making backup copies of your original programs
     * 4.4 Running make
       
5. Installing

     * 5.1 Have a boot disk ready in case you need it
     * 5.2 Removing duplicate man pages
     * 5.3 Running make install
     * 5.4 Running pwconv
     * 5.5 Renaming npasswd and nshadow
       
6. Other programs you may need to upgrade or patch

     * 6.1 Slackware adduser program
     * 6.2 The wu_ftpd server
     * 6.3 Standard ftpd
     * 6.4 pop3d (Post Office Protocol 3)
     * 6.5 xlock
     * 6.6 xdm
     * 6.7 sudo
     * 6.8 imapd (E-Mail [pine package])
     * 6.9 pppd (Point-to-Point Protocol Server)
       
7. Putting the Shadow Suite to use

     * 7.1 Adding, modifying, and deleting users
     * 7.2 The passwd command and password aging
     * 7.3 The login.defs file
     * 7.4 Group passwords
     * 7.5 Consistency checking programs
     * 7.6 Dial-up passwords
       
8. Adding shadow support to a C program

     * 8.1 Header files
     * 8.2 The libshadow.a library
     * 8.3 Shadow structure
     * 8.4 Shadow functions
     * 8.5 Example
       
9. Frequently asked questions

10. Copyright message (not yet translated)

11. Miscellaneous and Acknowledgments.
     _________________________________________________________________
   
1. Introduction

   This document is the Linux Shadow-Password-HOWTO. It describes why and
   how to add shadow password support to a Linux system, and includes some
   examples of how to use the Shadow Suite's features.

   While installing the Shadow Suite and using many of its utility programs
   you will be logged in as root, and the installation replaces system
   software, so it is strongly recommended that you back up your existing
   programs first. Read and understand all of this document before you
   begin.
   
1.1 Changes from the previous release

New:
        Added a subsection: why you might not want to install shadow
        Added a subsection: modifying the xdm program
        Added a section: why you might not want to install shadow
        Added a section: the future of the Shadow Suite
        Added a section: frequently asked questions


Fixes and changes:
        Fixed the html reference on Sunsite
        Fixed the wu-ftp section: added -lshadow to the Makefile
        Fixed header and typographical errors
        Updated the wu-ftp section to support ELF
        Fixed the security problem with the supplied login program
        Revised the Shadow Suite recommendation per Marek Michalkiewicz

1.2 New versions of this document

   The latest version of this document can always be obtained via anonymous
   FTP from: sunsite.unc.edu
/pub/Linux/docs/HOWTO/Shadow-Password-HOWTO

   or:
/pub/Linux/docs/HOWTO/other-formats/Shadow-Password-HOWTO{-html.tar,ps,dvi}.gz

   or through the [3]Linux Documentation Project Web Server, at:
   [4]Shadow-Password-HOWTO, or directly from me: <mhjack@tscnet.com>. It
   will also be posted to the newsgroup: comp.os.linux.answers

   This document is now also packaged in the Shadow-YYDDMM archive.
   
1.3 Feedback

   Please send comments, corrections and suggestions to: [5]Michael H.
   Jackson <mhjack@tscnet.com>. I will reply as soon as I can and correct
   this document. If you find a problem, please e-mail me directly; I will
   post the newest version to the newsgroup.
   
2. Why shadow your passwd file?

   Most current Linux distributions do not have the Shadow Suite installed
   by default. This includes Slackware 2.3, Slackware 3.0, and other popular
   distributions. One of the main reasons is that the copyright notice in
   the original Shadow Suite was not clear about whether it could be
   redistributed for a fee. Linux uses the GNU copyright, which allows
   people to package it and sell it freely.

   The Shadow Suite is now maintained by [6]Marek Michalkiewicz
   <marekm@i17linuxb.ists.pwr.wroc.pl>, who received the source code from
   the original author and is releasing it under a BSD-style license. The
   copyright issue has therefore been resolved, and future distributions
   should include password shadowing by default. Until then, you will need
   to install it yourself.

   If you installed from a CD-ROM, you may find that, even though the
   distribution did not install the Shadow Suite, the files you need to
   install it are on the CD-ROM.
   
   However, Shadow Suite versions 3.3.1, 3.3.1-2 and shadow-mk all have
   security problems in their login program and other suid root programs,
   and should no longer be used.

   All of the necessary files can be obtained via anonymous FTP or the World
   Wide Web.
   
   On a Linux system without the Shadow Suite installed, user information,
   including passwords, is stored in the /etc/passwd file. The password is
   stored in an encrypted format. If you asked a cryptography expert,
   however, he or she would tell you that the password is actually only
   encoded rather than encrypted, because when crypt(3) is used the text is
   set to null and the password is the key. For that reason I will use the
   term encoded in the rest of this document.
   
   The algorithm used to encode the password field is technically a one-way
   hash function: an algorithm that is easy to compute in one direction but
   very hard to reverse. More about the actual algorithm can be found in
   section 2.4 or the crypt(3) manual page.
   
   When a user picks or is assigned a password, the system generates a
   random value called the salt and encodes the password with it. This
   means that any particular password can be stored in 4096 different ways.
   The salt value is stored together with the encoded password.

   When the user logs in and supplies a password, the salt is first
   retrieved from the stored encoded password. The supplied password is then
   encoded with that salt and compared with the stored encoded password. If
   they match, the user passes authentication.
   
   Recovering the original password from an encoded one is computationally
   difficult (but not impossible). However, on any system with more than a
   few users, at least some of the passwords will be common words (or simple
   variations of common words).

   System crackers know this, and will simply encode a dictionary of words
   and common passwords using all 4096 possible salt values. They then
   compare the encoded passwords in your /etc/passwd file against their
   database; as soon as one matches, they have the password for another
   account. This is called a dictionary attack, and it is one of the most
   common methods for gaining or expanding unauthorized access to a system.
   
   Consider that an 8-character password encodes to 4096 different
   13-character strings, so a dictionary of, say, 400,000 common words,
   names, passwords and simple variations would need about 4GB of disk
   space. The cracker need only sort them and check for matches. Since a
   4GB drive can be had for under $1000.00, this is well within the means of
   most system crackers.

   Also, if a cracker first obtains your /etc/passwd file, they only need to
   encode the dictionary with the salt values that actually occur in it.
   That method is within reach of a kid with a 486-class PC and a few
   hundred megabytes of disk space.

   Even without a lot of disk space, tools like crack(1) can usually break
   at least a few passwords on any system with enough users (assuming the
   users are allowed to pick their own passwords).
   
   The /etc/passwd file also contains information such as user IDs and group
   IDs that many system programs use, so /etc/passwd must remain
   world-readable. If you changed /etc/passwd so that nobody could read it,
   the first thing you would notice is that the ls -l command now shows ID
   numbers instead of user names.
   
   The Shadow Suite solves the problem by relocating the passwords to
   another file (usually /etc/shadow). The /etc/shadow file is set up so
   that it is not world-readable: only root can read and write it. Some
   programs (such as xlock) do not need to change passwords; they only need
   to verify them. Such programs can either run suid root, or you can set up
   a group shadow with read-only access to /etc/shadow and run those
   programs sgid shadow.

   By moving the passwords into /etc/shadow, we effectively keep a cracker
   from obtaining the encoded passwords needed for a dictionary attack.
   
   In addition, the Shadow Suite adds many other features:
     * A configuration file to set login defaults (/etc/login.defs)
     * Utilities for adding, modifying and deleting user accounts and groups
     * Password aging and expiration
     * Account expiration and locking
     * Shadowed group passwords (optional)
     * Double-length passwords (16-character passwords) [NOT RECOMMENDED]
     * Better control over users' password selection
     * Dial-up passwords
     * Secondary authentication programs [NOT RECOMMENDED]
       
   Installing the Shadow Suite contributes to a more secure system, but
   there are many other things that can be done to improve the security of a
   Linux system, and eventually there will be a series of Linux Security
   HOWTOs discussing other security measures and related issues.

   For current information on other Linux security issues, see the
   [7]Linux Security home page.
   
2.1 Why you might NOT want to shadow your passwd file

   There are a few circumstances and configurations in which installing
   the Shadow Suite would NOT be a good idea:
     * The machine does not contain user accounts.
     * The machine is on a LAN and uses Network Information Services (NIS)
       to get or supply user names and passwords to other machines (this
       can actually be done, but is beyond the scope of this document, and
       in reality would not add much security).
     * The machine is used by terminal servers to verify users via NFS
       (Network File System), NIS, or some other method.
     * The machine runs other software that validates users, and there is
       no shadow version available and you do not have the source code.
       
       
2.2 Format of the /etc/passwd file

   A non-shadowed /etc/passwd file has the following format:
   
username:passwd:UID:GID:full_name:directory:shell

   where:
   
   username
          The user (login) name
          
   passwd
          The encoded password
          
   UID
          Numerical user ID
          
   GID
          Numerical default group ID
          
   full_name
          The user's full name - Actually this field is called the GECOS
          (General Electric Comprehensive Operating System) field and can
          store information other than just the full name. The Shadow
          commands and manual pages refer to this field as the comment
          field.
          
   directory
          User's home directory (full path)
          
   shell
          User's login shell (full path)
          
          
   For example:
   
username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh

   Where Np is the salt and ge08pfz4wuk is the encoded password. The encoded
   salt/password could just as easily have been kbeMVnZM0oL7I, which is the
   same password with a different salt; the same password can be encoded in
   4096 different ways. (The example password is "passwaor", which is not a
   good password.)
   
   Once the shadow suite is installed, the /etc/passwd file instead contains:
   
username:x:503:100:Full Name:/home/username:/bin/sh

   The x in the second field of the example is now just a placeholder. The
   format of /etc/passwd is otherwise unchanged, except that it no longer
   contains the encoded passwords. This means that any program that reads
   /etc/passwd but does not need to verify passwords keeps working
   correctly.

   The passwords are now stored in the shadow file (usually /etc/shadow).
   
2.3 Format of the shadow file

   The /etc/shadow file contains the following information:
   
username:passwd:last:may:must:warn:expire:disable:reserved

   where:
   
   username
          The user name
          
   passwd
          The encoded password
          
   last
          Days since Jan 1, 1970 that the password was last changed
          
   may
          Days before the password may be changed
          
   must
          Days after which the password must be changed
          
   warn
          Days before the password is to expire that the user is warned
          
   expire
          Days after the password expires that the account is disabled
          
   disable
          Days since Jan 1, 1970 that the account is disabled
          
   reserved
          A reserved field
          
          
   The entry from the example above would then look like:
   
username:Npge08pfz4wuk:9479:0:10000::::
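An added example in C (not from the HOWTO or the Shadow Suite): a parser for lines in this format plus an evaluation of the aging fields against a given day number. It follows this document's conventions: empty numeric fields mean "not set", and, as with the EXPIRE=0 and INACTIVE=0 useradd defaults shown in section 7, a 0 in the must, expire or disable fields is also treated as "not set". The struct, enum and function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* One /etc/shadow line: username:passwd:last:may:must:warn:expire:disable:reserved
 * (meanings as in the list above). Empty numeric fields are stored as -1; as with
 * the EXPIRE=0 / INACTIVE=0 useradd defaults later in this HOWTO, a 0 in must,
 * expire or disable is also treated as "not set". */
struct shadow_line {
    char username[64], passwd[128];
    long last, may, must, warn, expire, disable, reserved;
};

enum shadow_status { SHADOW_OK, SHADOW_LOCKED, SHADOW_NO_PASSWORD,
                     SHADOW_PASSWORD_EXPIRED, SHADOW_ACCOUNT_DISABLED };

/* Numeric field: empty is "not set" (-1); anything non-numeric is an error. */
static int parse_days(const char *s, long *out)
{
    char *end;
    if (*s == '\0') { *out = -1; return 1; }
    *out = strtol(s, &end, 10);
    return *end == '\0' && *out >= 0;
}

/* Split one line on ':' into exactly nine fields. strtok() would merge the
 * empty fields of "::::", so the split is done by hand. Returns 1 on success. */
int parse_shadow_line(const char *line, struct shadow_line *sl)
{
    char buf[512], *fields[9], *p = buf;
    long *nums[7] = { &sl->last, &sl->may, &sl->must, &sl->warn,
                      &sl->expire, &sl->disable, &sl->reserved };
    size_t len = strlen(line);
    int n = 0;
    if (len >= sizeof buf) return 0;
    memcpy(buf, line, len + 1);
    if (len > 0 && buf[len - 1] == '\n') buf[len - 1] = '\0';
    while (n < 9 && p != NULL) {
        fields[n++] = p;
        p = strchr(p, ':');
        if (p != NULL) *p++ = '\0';
    }
    if (n != 9 || p != NULL || fields[0][0] == '\0') return 0;
    if (strlen(fields[0]) >= sizeof sl->username ||
        strlen(fields[1]) >= sizeof sl->passwd) return 0;
    strcpy(sl->username, fields[0]);
    strcpy(sl->passwd, fields[1]);
    for (int i = 0; i < 7; i++)
        if (!parse_days(fields[i + 2], nums[i])) return 0;
    return 1;
}

/* Day on which the password expires, or -1 when aging is not in effect. */
long shadow_password_expires(const struct shadow_line *sl)
{
    if (sl->last < 0 || sl->must <= 0) return -1;
    return sl->last + sl->must;
}

/* Evaluate the entry against 'today', a day count since 1 Jan 1970. */
enum shadow_status shadow_status(const struct shadow_line *sl, long today)
{
    long expires = shadow_password_expires(sl);
    if (sl->disable > 0 && today >= sl->disable)
        return SHADOW_ACCOUNT_DISABLED;
    if (sl->passwd[0] == '!' || sl->passwd[0] == '*')
        return SHADOW_LOCKED;               /* locked: no password can match */
    if (sl->passwd[0] == '\0')
        return SHADOW_NO_PASSWORD;          /* empty field: login needs none */
    if (expires >= 0 && today > expires) {
        if (sl->expire > 0 && today > expires + sl->expire)
            return SHADOW_ACCOUNT_DISABLED; /* inactivity window also passed */
        return SHADOW_PASSWORD_EXPIRED;     /* must pick a new password */
    }
    return SHADOW_OK;
}

/* Convert a "days since 1 Jan 1970" field into a calendar date (UTC). */
int shadow_days_to_date(long days, int *y, int *m, int *d)
{
    time_t t = (time_t)days * 86400;
    struct tm *tm;
    if (days < 0 || (tm = gmtime(&t)) == NULL) return 0;
    *y = tm->tm_year + 1900; *m = tm->tm_mon + 1; *d = tm->tm_mday;
    return 1;
}

int main(void)
{
    /* Constructed sample line, copied from the fred example later in this HOWTO. */
    struct shadow_line sl;
    if (!parse_shadow_line("fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0", &sl)) return 1;
    printf("%s: status=%d on day 9609, password expires day %ld\n", sl.username,
           shadow_status(&sl, 9609), shadow_password_expires(&sl));
    return 0;
}
```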

2.4 Review of crypt(3)

   From the crypt(3) manual page:
   
   "crypt is the password encryption function. It is based on the Data
   Encryption Standard algorithm with variations intended (among other
   things) to discourage use of hardware implementations of a key search.

   [The] key is a user's typed password. [The encoded string is all NULLs]

   [The] salt is a two-character string chosen from the set [a-zA-Z0-9./].
   This string is used to perturb the algorithm in one of 4096 different
   ways.

   By taking the lowest 7 bit[s] of each character of the key, a 56-bit key
   is obtained. This 56-bit key is used to encrypt repeatedly a constant
   string (usually a string consisting of all zeros). The returned value
   points to the encrypted password, a series of 13 printable ASCII
   characters (the first two characters represent the salt itself). The
   return value points to static data whose content is overwritten by each
   call.

   Warning: The key space consists of 2**56 equal 7.2e16 possible values.
   Exhaustive searches of this key space are possible using massively
   parallel computers. Software, such as crack(1), is available which will
   search the portion of this key space that is generally used by humans
   for passwords. Hence, password selection should, at minimum, avoid
   common words and names. The use of a passwd(1) program that checks for
   crackable passwords during the selection process is recommended.
   
   The DES algorithm has some quirks that make crypt(3) a poor choice for
   anything other than password authentication. If you plan to use crypt(3)
   to encrypt anything else, the manual page's closing advice applies:
   anyone doing so "should read a good cryptography text and the DES
   standard" first.
   
   jh Shadow Suites ]A 16 줸KXר⭿lXC b des M a
   ĳקKϥη}l`KX²檺sXbMkbCѩ crypt B@k
   AoNy t wsXKXC~AϥΪ̦iO 16 줸KX
   O @tƱC
   
   Work is currently in progress to replace it with an algorithm that
   supports stronger passwords (such as MD5) while remaining compatible with
   crypt.
   
   If you are looking for a good book on cryptography, I recommend:
        "Applied Cryptography: Protocols, Algorithms, and Source Code in C"
        by Bruce Schneier <schneier@chinet.com>
        ISBN: 0-471-59756-2
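An added example (not from the HOWTO) that works through the crypt(3) description above in C: decoding the two salt characters into one of the 4096 perturbations, recognising a well-formed 13-character result, and building the 56-bit key from the low 7 bits of the first 8 password characters. The alphabet ordering and the salt bit order are assumptions (they match classic crypt), and all function names are my own.

```c
#include <stdint.h>
#include <string.h>

/* Position of a character in the crypt(3) salt alphabet [a-zA-Z0-9./]
 * (the ordering . / 0-9 A-Z a-z is an assumption made here), or -1. */
int crypt_salt_char_value(char c)
{
    if (c == '.') return 0;
    if (c == '/') return 1;
    if (c >= '0' && c <= '9') return 2 + (c - '0');
    if (c >= 'A' && c <= 'Z') return 12 + (c - 'A');
    if (c >= 'a' && c <= 'z') return 38 + (c - 'a');
    return -1;
}

/* The two salt characters as a 12-bit number, i.e. one of the 4096 ways in
 * which the algorithm can be perturbed; -1 if either character is invalid.
 * Assumption: the first character supplies the low six bits. */
int crypt_salt_index(const char *salt)
{
    int v0 = crypt_salt_char_value(salt[0]);
    int v1 = (v0 < 0) ? -1 : crypt_salt_char_value(salt[1]);
    return (v0 < 0 || v1 < 0) ? -1 : (v0 | (v1 << 6));
}

/* A traditional crypt(3) result is 13 characters from that alphabet, the
 * first two being the salt; "x", "!" or "*" in a password field is not one. */
int crypt_hash_is_wellformed(const char *hash)
{
    if (strlen(hash) != 13) return 0;
    for (int i = 0; i < 13; i++)
        if (crypt_salt_char_value(hash[i]) < 0) return 0;
    return 1;
}

/* Salt recovered from a stored hash (what login does before re-encoding the
 * typed password), as the same 12-bit number; -1 if the hash is malformed. */
int crypt_salt_index_of_hash(const char *hash)
{
    return crypt_hash_is_wellformed(hash) ? crypt_salt_index(hash) : -1;
}

/* The 56-bit DES key: the low 7 bits of each of the first 8 characters of
 * the password, packed MSB-first. Characters beyond the 8th, and the high
 * bit of every character, never reach the algorithm. */
uint64_t crypt_des_key_bits(const char *password)
{
    size_t n = strlen(password);
    uint64_t key = 0;
    for (size_t i = 0; i < 8; i++) {
        unsigned c = (i < n) ? ((unsigned char)password[i] & 0x7f) : 0;
        key = (key << 7) | c;
    }
    return key;
}

/* Two passwords are indistinguishable to crypt(3) exactly when they yield
 * the same 56-bit key: plain crypt silently ignores everything after the
 * eighth character. */
int crypt_passwords_collide(const char *a, const char *b)
{
    return crypt_des_key_bits(a) == crypt_des_key_bits(b);
}
```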

3. Getting the Shadow Suite

3.1 History of the Shadow Suite for Linux (not yet translated)

3.2 History of the Shadow Suite for Linux

   DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS
   
   The original Shadow Suite was written by John F. Haugh II.
   
   There are several versions that have been used on Linux systems:
     * shadow-3.3.1 is the original.
     * shadow-3.3.1-2 is Linux specific patch made by [8]Florian La Roche
       <flla@stud.uni-sb.de> and contains some further enhancements.
     * shadow-mk was specifically packaged for Linux.
       
   The shadow-mk package contains the shadow-3.3.1 package distributed by
   John F. Haugh II with the shadow-3.3.1-2 patch installed, a few fixes
   made by [9]Mohan Kokal <magnus@texas.net> that make installation a lot
   easier, a patch by Joseph R.M. Zbiciak for login1.c (login.secure)
   that eliminates the -f, -h security holes in /bin/login, and some
   other miscellaneous patches.
   
   The shadow.mk package was the previously recommended package, but
   should be replaced due to a security problem with the login program.
   
   There are security problems with Shadow versions 3.3.1, 3.3.1-2, and
   shadow-mk involving the login program. This login bug involves not
   checking the length of a login name. This causes the buffer to
   overflow causing crashes or worse. It has been rumored that this
   buffer overflow can allow someone with an account on the system to use
   this bug and the shared libraries to gain root access. I won't discuss
   exactly how this is possible because there are a lot of Linux systems
   that are affected, but systems with these Shadow Suites installed, and
   most pre-ELF distributions without the Shadow Suite are vulnerable!
   
   For more information on this and other Linux security issues, see the
   [10]Linux Security home page (Shared Libraries and login Program
   Vulnerability)
   
3.3 Where to get the Shadow Suite

   The currently recommended Shadow Suite is still a BETA release, but the
   recent versions are already in use on production systems, are secure,
   and include the login program.

   The package uses the usual naming convention:

shadow-YYMMDD.tar.gz

   where YYMMDD is the release date of the Suite.

   The current BETA is version 3.3.3 and is maintained by [11]Marek
   Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>.

   It can also be obtained from there as: [12]shadow-current.tar.gz.

   The following sites also carry it:
     * [13]ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz
     * [14]ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz
     * [15]ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz
     * [16]ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz
       
   You should get the most recent version.

   You should not use anything older than shadow-960129, because those
   versions have the login security problem.

   For reference, the installation instructions in this document were
   written against shadow-960129.

   If you were previously using shadow-mk, you should switch to this version
   and recompile.
   
3.4 What is included with the Shadow Suite

   The Shadow Suite contains replacement programs for:

   su, login, passwd, newgrp, chfn, chsh, and id

   The package also contains the new programs:

   chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod,
   groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv,
   and pwunconv

   Additionally, the library libshadow.a is included for writing and
   compiling programs that need to access user passwords.

   Manual pages for the programs are also included.

   There is also a configuration file for the login program, which will be
   installed as /etc/login.defs.
   
4. Compiling the programs

4.1 Unpacking the archive

   The first step is, of course, unpacking the archive. The package is a
   tar archive compressed with gzip, so put the file in /usr/src and type:

tar -xzvf shadow-current.tar.gz

   This unpacks everything into the directory /usr/src/shadow-YYMMDD
   
4.2 Configuring with the config.h file

   The first thing to do is copy the Makefile and config.h files:
   
cd /usr/src/shadow-YYMMDD
cp Makefile.linux Makefile
cp config.h.linux config.h

   Then you should look over the config.h file. It contains definitions of
   several configuration options. If you are using the recommended package,
   the first setting I suggest you look at is group shadow support.
   
   Shadowed group passwords are enabled by default. To change this in
   config.h, change #define SHADOWGRP to #undef SHADOWGRP. I suggest you
   leave it alone to start with, and turn it on and recompile only when you
   need group passwords and group administrators. If you turn it on, you
   must also create the /etc/gshadow file.
   
   The double-length password option is also not recommended.
   
   Leave the #undef AUTOSHADOW setting as it is.
   
   AUTOSHADOW ﶵl]pOΥH shadow iH function @˰CzפW
   ť_ӤAOSkTB@C pGA}ҳoӿﶵABoӵ{H
   root vb A | root v@Is getpwnam() AMܧ
   /etc/passwd  (no-longer-shadowed KX)C o{]A chfn M chsh
   C(pG root bIs getpwnam() eϥ chfn M chshAϥΪ̱bN S
   kuBĥC)
   
   pGAnإ libcAP˪ĵi]ġA SHADOW_COMPAT @ۦPơC
    ӳQϥΡIpGA}lqA /etc/passwd ^sXKXA o|O
   DC
   
   If you are using a libc older than 4.6.27 you need to make several
   changes to config.h and the Makefile. In config.h, change:
   
#define HAVE_BASENAME

   to:
   
#undef HAVE_BASENAME

   and in the Makefile change:
   
SOBJS = smain.o env.o entry.o susetup.o shell.o \
        sub.o mail.o motd.o sulog.o age.o tz.o hushed.o

SSRCS = smain.c env.c entry.c setup.c shell.c \
        pwent.c sub.c mail.c motd.c sulog.c shadow.c age.c pwpack.c rad64.c \
        tz.c hushed.c

SOBJS = smain.o env.o entry.o susetup.o shell.o \
        sub.o mail.o motd.o sulog.o age.o tz.o hushed.o basename.o

SSRCS = smain.c env.c entry.c setup.c shell.c \
        pwent.c sub.c mail.c motd.c sulog.c shadow.c age.c pwpack.c rad64.c \
        tz.c hushed.c basename.c

   These changes pull in the basename.c code, which is not needed with libc
   4.6.27.
   
4.3 Making backup copies of your original programs

   Before installing the shadow suite, making a backup of the original
   programs is a good idea. On a Slackware 3.0 system these files are:
   
     * /bin/su
     * /bin/login
     * /usr/bin/passwd
     * /usr/bin/newgrp
     * /usr/bin/chfn
     * /usr/bin/chsh
     * /usr/bin/id
       
   The BETA package's Makefile already saves these for you, but because it
   puts them somewhere other than where the programs normally live, this is
   easy to overlook.
   
   AӳƥA /etc/passwd ɡAOAnܤpߦaRWAMpڧANb
   ۦPؿAANLkg passwd ROC
   
4.4 Running make

   You need to be logged in as root to install the programs.

   Run make to compile the executables in the package:

make all

   You may see the warning message: rcsid defined but not used. This is not
   a problem; it is just a consequence of how the author wrote the code.
   
5. Installing

5.1 Have a boot disk ready in case you need it

   If something goes wrong you should have a boot disk ready. If you want a
   boot/root combination disk, see the [17]Bootdisk-HOWTO for how to make a
   root boot disk.
   
5.2 Removing duplicate man pages

   You should also replace the old manual pages. Even if you were careful
   to back up the old Shadow Suite programs, you still want the old manual
   pages replaced, because the new manual pages cannot always overwrite the
   old ones.

   You can use a combination of the man -aW command and the locate command
   to find where the old manual pages are. Do this before you run make
   install, while the old ones are still visible.

   If you are using Slackware 3.0, the manual pages you need to remove are:
     * /usr/man/man1/chfn.1.gz
     * /usr/man/man1/chsh.1.gz
     * /usr/man/man1/id.1.gz
     * /usr/man/man1/login.1.gz
     * /usr/man/man1/passwd.1.gz
     * /usr/man/man1/su.1.gz
     * /usr/man/man5/passwd.5.gz
       
   Files of the same name in the /var/man/cat[1-9] directories also need to
   be deleted.
   
5.3 Running make install

   You are now ready to type (as root):
   
make install

   This installs the new and replacement programs and fixes the file
   permissions. It also installs the manual pages.

   It also places the Shadow Suite's include files in the proper location,
   /usr/include/shadow.

   With the BETA package you need to copy the login.defs file to /etc by
   hand, and make sure that only root can change it:
   
cp login.defs /etc
chmod 700 /etc/login.defs

   This file is the configuration file for the login program. You should
   check it and change things to suit your situation. This is where you
   decide which ttys root can log in from and set other security-related
   defaults (including password defaults).
   
5.4 Running pwconv

   The next step is to run pwconv. This must also be done as root, and is
   best done from the /etc directory:
   
cd /etc
/usr/sbin/pwconv

   pwconv takes your /etc/passwd file, strips out the password field, and
   creates two files: /etc/npasswd and /etc/nshadow.

   A pwunconv program is also provided to build a single /etc/passwd file
   from the /etc/passwd and /etc/shadow combination.
   
5.5 Renaming npasswd and nshadow

   Now that you have run pwconv and created /etc/npasswd and /etc/nshadow,
   these need to be copied to /etc/passwd and /etc/shadow. We also want to
   keep a copy of the original /etc/passwd, and make sure that only root
   can read it. We will keep that backup copy as ~passwd:
   
cd /etc
cp passwd ~passwd
chmod 600 ~passwd
mv npasswd passwd
mv nshadow shadow

   You should also make sure the file ownerships and permissions are
   correct. If you are going to use X-Windows, xlock and xdm may need to
   read the shadow file (they do not need to write it).

   There are two ways to do this. You can make xlock suid root (xdm
   normally runs as root already), or you can set up a shadow group that is
   allowed to read the shadow file. Before doing so, make sure you have a
   shadow group (check the /etc/group file). Only root should belong to the
   shadow group.
   
chown root.root passwd
chown root.shadow shadow
chmod 0644 passwd
chmod 0640 shadow

   Your system now has shadow passwords. You should now open another
   terminal and confirm that you can log in.

   Do this before you log out!

   If something went wrong and you need to revert to a non-shadowed system,
   do the following:
   
cd /etc
cp ~passwd passwd
chmod 644 passwd

   You should also restore any files you saved earlier to their original
   locations.
   
6. Other programs you may need to upgrade or patch

   Although the shadow suite contains replacement programs for most of the
   programs that need access to passwords, many systems run additional
   programs that need access to the password file.

   If you are using Debian (or even if you are not), you can get the Debian
   sources that need rebuilding from:
   ftp://ftp.debian.org/debian/stable/source/

   The remainder of this section discusses how to upgrade the adduser,
   wu_ftpd, ftpd, pop3d, xlock, xdm and sudo programs to support the shadow
   suite.

   See the section [18]Adding Shadow Support to a C program, which mainly
   discusses how to add shadow support to any other program that needs it
   (such programs must run SUID root or SGID shadow to access the shadow
   file).
   
6.1 Slackware adduser program

   Slackware contains an interactive program for adding users called
   /sbin/adduser. A shadow version of the program is available at
   [19]ftp://sunsite.unc.edu/pub/Linux/system/Admin/accounts/adduser.shadow-1.4.tar.gz

   I strongly recommend using the Shadow Suite's programs (useradd, usermod
   and userdel) instead of the Slackware adduser program. They take a little
   time to learn, but they are worth it, because you get more control and
   they make the correct entries in both /etc/passwd and /etc/shadow
   (adduser does not).

   See the section [20]Putting the Shadow Suite to use for more information.

   But if you still want it, here is what you do:
   
tar -xzvf adduser.shadow-1.4.tar.gz
cd adduser
make clean
make adduser
chmod 700 adduser
cp adduser /sbin

6.2 The wu_ftpd server

   Most Linux systems run the wu_ftpd server. If you did not install a
   shadowed version, your wu_ftpd will not have been compiled with shadow
   support. wu_ftpd is started from inetd/tcpd and runs as root. If you are
   running an old version of wu_ftpd, you should upgrade anyway, because an
   older version had a bug that could give away root access (see the
   [21]Linux security home page for more information).

   Fortunately, all you need to do is get the shadow source and recompile.

   If you are not on an ELF system, a wu_ftp server that compiles can be
   obtained from Sunsite: [22]wu-ftp-2.4-fixed.tar.gz

   Get the server, put it in /usr/src, and type:
   
cd /usr/src
tar -xzvf wu-ftpd-2.4-fixed.tar.gz
cd wu-ftpd-2.4-fixed
cp ./src/config/config.lnx.shadow ./src/config/config.lnx

   Then edit ./src/makefiles/Makefile.lnx, and change:
   
LIBES    = -lbsd -support

   to:
   
LIBES    = -lbsd -support -lshadow

   Now you are ready to build and install it with the build script:
   
cd /usr/src/wu-ftpd-2.4-fixed
/usr/src/wu-ftp-2.4.fixed/build lnx
cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
cp ./bin/ftpd /usr/sbin/wu.ftpd

   This builds and installs the server using the Linux shadow configuration
   file.

   On my Slackware 2.3 system I also needed to do the following before
   running build:
   
cd /usr/include/netinet
ln -s in_systm.h in_system.h
cd -

   On ELF systems the compile fails, but the next beta release builds
   correctly. It can be obtained from: [23]wu-ftp-2.4.2-beta-10.tar.gz

   Get the server, put it in /usr/src, and type:
   
cd /usr/src
tar -xzvf wu-ftpd-2.4.2-beta-9.tar.gz
cd wu-ftpd-beta-9
cd ./src/config

   Then edit config.lnx and change:
   
#undef SHADOW_PASSWORD

   to:
   
#define SHADOW_PASSWORD

   Then:
   
cd ../Makefiles

   and edit the Makefile.lnx file, changing:
   
LIBES = -lsupport -lbsd # -lshadow

   to:
   
LIBES = -lsupport -lbsd -lshadow

   Then build and install:
   
cd ..
build lnx
cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
cp ./bin/ftpd /usr/sbin/wu.ftpd

   Finally, check your /etc/inetd.conf file to confirm that the wu.ftpd
   server is the one actually being started. Some distributions put the
   server daemon in a different place or under a different name.
   
6.3 Standard ftpd

   If you are running the standard ftpd server, I recommend replacing it
   with the wu_ftpd server; apart from the bug mentioned above, your system
   will be more secure.

   If you are staying with the standard version, or you need NIS support,
   [24]ftpd-shadow-nis.tgz on Sunsite is available for reference.
   
6.4 pop3d (Post Office Protocol 3)

   If you need to support the Post Office Protocol version 3 (POP3), you
   will need to recompile the pop3d program. pop3d is started from
   inetd/tcpd and runs as root.

   Two versions are available from Sunsite: [25]pop3d-1.00.4.linux.shadow.tar.gz
   and [26]pop3d+shadow+elf.tar.gz

   Both are simple to install.
   
6.5 xlock

   If you install the shadow suite while the X Window System is running and
   then lock the screen, nobody will be able to unlock your xlock. When that
   happens, use CTRL-ALT-Fx to switch to another tty, log in, and kill the
   xlock process (or use CTRL-ALT-BS to kill the X server). Fortunately it
   is easy to rebuild your xlock program.

   If you are using XFree86 versions 3.x.x, you are probably using xlockmore
   (a very nice screen saver). This package supports shadow; you only need
   to recompile it. If you are using the old xlock, I recommend getting the
   following:

   xlockmore-3.5.tgz can be obtained from
   [27]ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screensavers/xlockmore-3.7.tgz

   Basically, this is what you need to do:

   Get xlockmore-3.7.tgz, put it in the /usr/src directory and unpack it:
   
tar -xzvf xlockmore-3.7.tgz

   Edit the file /usr/X11R6/lib/X11/config/linux.cf, and change:
   
#define HasShadowPasswd    NO

   to:

#define HasShadowPasswd    YES

   Then build the executable:
   
cd /usr/src/xlockmore
xmkmf
make depend
make

   Then move the files to the correct directories and set their ownership
   and permissions:
   
cp xlock /usr/X11R6/bin/
cp XLock /var/X11R6/lib/app-defaults/
chown root.shadow /usr/X11R6/bin/xlock
chmod 2755 /usr/X11R6/bin/xlock
chown root.shadow /etc/shadow
chmod 640 /etc/shadow

   Your xlock should now work correctly.
   
6.6 xdm

   xdm is a program that presents a login prompt under X-Windows. Some
   systems start xdm when booted into a particular runlevel (see
   /etc/inittab).

   With the Shadow Suite installed, xdm needs to be updated. Fortunately it
   is easy to rebuild your xdm program.

   xdm.tar.gz can be obtained from:
   [28]ftp://sunsite.unc.edu/pub/Linux/X11/xutils/xdm.tar.gz

   Get xdm.tar.gz, put it in the /usr/src directory and unpack it:
   
tar -xzvf xdm.tar.gz

   Edit the file /usr/X11R6/lib/X11/config/linux.cf, and change:
   
#define HasShadowPasswd    NO

   to:

#define HasShadowPasswd    YES

   Then build the executable:
   
cd /usr/src/xdm
xmkmf
make depend
make

   Then move the file to the correct directory:
   
cp xdm /usr/X11R6/bin/

   xdm runs as root, so you do not need to change the file permissions.
   
6.7 sudo

   The sudo program lets the system administrator allow users to run
   programs with root privilege. This is very handy: it lets the
   administrator limit what can be done with root privilege while still
   allowing users to do things like mounting drives.

   sudo needs to read the password file, because it verifies the user's
   password when it is run. sudo is already SUID root, so accessing
   /etc/shadow is not a problem.

   A sudo that supports the shadow suite is available from:
   [29]ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz

   Warning: installing sudo replaces your /etc/sudoers file with the
   default one, so back up the original first. If you keep the file
   somewhere other than the default location, you will also need to edit
   the Makefile and copy the file to /etc yourself.

   The package is already configured for shadow, so you only need to
   recompile it (put it in the /usr/src directory):
   
cd /usr/src
tar -xzvf sudo-1.2-shadow.tgz
cd sudo-1.2-shadow
make all
make install

6.8 imapd (E-Mail [pine package])

   imapd is an e-mail server similar to pop3d. imapd is distributed with
   the Pine e-mail package. The manual page suggests that the package
   already contains shadow support; however, I have found that this is not
   correct. Adding the libshadow.a library at compile time is not
   difficult, but the package's build script / Makefile is quite complex,
   so adding shadow support to imapd is not straightforward.

   If anyone has a solution, please e-mail me and I will pass it along.
   
6.9 pppd (Point-to-Point Protocol Server)

   The pppd server can use several authentication methods: Password
   Authentication Protocol (PAP) and Cryptographic Handshake Authentication
   Protocol (CHAP). The pppd server reads password strings from
   /etc/ppp/chap-secrets and/or /etc/ppp/pap-secrets. If you are using the
   default pppd, you do not need to rebuild it.

   pppd also allows the login parameter to be used. If the login option is
   given, pppd uses the account passwords in /etc/passwd for PAP
   authentication, and that check fails once the passwords have been
   shadowed. pppd-1.2.1d does not have shadow support.

   The example in the next section of adding shadow support is based on
   pppd-1.2.1d (an old version of pppd).

   pppd-2.2.0 already includes shadow support.
   
7. Putting the Shadow Suite to use

   This section describes what you need to know about the programs installed
   with the Shadow Suite. Most of this information is also available in the
   manual pages.
   
7.1 Adding, modifying, and deleting users

   The Shadow Suite adds the following commands for adding, modifying and
   deleting users. They can replace the adduser program.
   
  useradd
  
   The useradd command adds users to the system. You can also use it to
   change the default values.
   
   The first thing you should do is check the default settings and decide
   what changes your system needs:
   
useradd -D
     _________________________________________________________________
   
GROUP=1
HOME=/home
INACTIVE=0
EXPIRE=0
SHELL=
SKEL=/etc/skel
     _________________________________________________________________
   
   The defaults are not what you want, so if you started adding users now
   you would have to enter every user's information in full. Instead, we
   can change the default values.

   On my system:
     * I want the default group to be 100
     * I want passwords to expire every 60 days
     * I do not want an account locked because its password expired
     * I want the default shell to be /bin/bash
       
   To make these changes, I use:
   
useradd -D -g100 -e60 -f0 -s/bin/bash

   Now useradd -D gives:
     _________________________________________________________________
   
GROUP=100
HOME=/home
INACTIVE=0
EXPIRE=60
SHELL=/bin/bash
SKEL=/etc/skel
     _________________________________________________________________
   
   You can modify these further as needed; the defaults are stored in
   /etc/default/useradd.

   Now you can use useradd to add users to the system. For example, to add
   the user fred using the defaults:
   
useradd -m -c "Fred Flintstone" fred

   This creates an entry like the following in /etc/passwd:
   
fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash

   and an entry like the following in /etc/shadow:
   
fred:!:0:0:60:0:0:0:0

   fred's home directory is created and the contents of /etc/skel are copied
   into it because of the -m option.

   Since we did not specify a UID, the next available one is used.

   fred's account is created, but fred still cannot log in until we unlock
   the account. This is done by giving the account a password, with:
   
passwd fred
     _________________________________________________________________
   
Changing password for fred
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New Password: *******
Re-enter new password: *******
     _________________________________________________________________
   
   Now the /etc/shadow file contains:
   
fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0

   Now fred can log in and use the system. The nice thing about useradd and
   the other Shadow Suite programs is that they change /etc/passwd and
   /etc/shadow atomically. So if you are adding a user while another user is
   changing his password at the same time, both operations are carried out
   correctly.

   Using the supplied commands is safer than editing /etc/passwd or
   /etc/shadow directly. If you edit /etc/shadow while a user changes his
   password, and then save your editor's buffer, that user's new password
   is lost.

   Here is an interactive script that uses useradd and passwd to add users:
     _________________________________________________________________
   
#!/bin/bash
#
# /sbin/newuser - A script to add users to the system using the Shadow
#                 Suite's useradd and passwd commands.
#
# Written by Mike Jackson <mhjack@tscnet.com> as an example for the Linux
# Shadow Password Howto.  Permission to use and modify is expressly granted.
#
# This could be modified to show the defaults and allow modification similar
# to the Slackware Adduser program.  It could also be modified to disallow
# stupid entries.  (i.e. better error checking).
#
##
#  Defaults for the useradd command
##
GROUP=100        # Default Group
HOME=/home       # Home directory location (/home/username)
SKEL=/etc/skel   # Skeleton Directory
INACTIVE=0       # Days after password expires to disable account (0=never)
EXPIRE=60        # Days that a password lasts
SHELL=/bin/bash  # Default Shell (full path)
##
#  Defaults for the passwd command
##
PASSMIN=0        # Days between password changes
PASSWARN=14      # Days before password expires that a warning is given
##
#  Ensure that root is running the script.
##
WHOAMI=`/usr/bin/whoami`
if [ "$WHOAMI" != "root" ]; then
        echo "You must be root to add new users!"
        exit 1
fi
##
#  Ask for username and fullname.
##
echo ""
echo -n "Username: "
read USERNAME
echo -n "Full name: "
read FULLNAME
#
echo "Adding user: $USERNAME."
#
# Note that the "" around $FULLNAME is required because this field is
# almost always going to contain at least one space, and without the "'s
# the useradd command would think that you were moving on to the next
# parameter when it reached the SPACE character.
#
# Stop here if useradd fails, so that passwd is not run for a user that
# was never created.
#
/usr/sbin/useradd -c"$FULLNAME" -d$HOME/$USERNAME -e$EXPIRE \
        -f$INACTIVE -g$GROUP -m -k$SKEL -s$SHELL $USERNAME || exit 1
##
#  Set password defaults
##
/bin/passwd -n $PASSMIN -w $PASSWARN $USERNAME >/dev/null 2>&1
##
#  Let the passwd command actually ask for password (twice)
##
/bin/passwd $USERNAME
##
#  Show what was done.  The patterns are anchored to the start of the line
#  so that "fred:" does not also match an entry such as "alfred:".
##
echo ""
echo "Entry from /etc/passwd:"
echo -n "   "
grep "^$USERNAME:" /etc/passwd
echo "Entry from /etc/shadow:"
echo -n "   "
grep "^$USERNAME:" /etc/shadow
echo "Summary output of the passwd command:"
echo -n "   "
passwd -S $USERNAME
echo ""
     _________________________________________________________________
   
   Adding users with this script is better than editing /etc/passwd or
   /etc/shadow directly or using the Slackware adduser program.

   For more information on useradd, see the online manual page.
   
  usermod
  
   The usermod program is used to modify user information. Its parameters
   are similar to those of useradd.

   If you want to change fred's shell, you would do the following:
   
usermod -s /bin/tcsh fred

   Now fred's /etc/passwd entry becomes:
   
fred:*:505:100:Fred Flintstone:/home/fred:/bin/tcsh

   To make fred's account expire on 09/15/97:
   
usermod -e 09/15/97 fred

   Now fred's /etc/shadow entry becomes:
   
fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0

   For more information on usermod, see the online manual page.
   
  userdel
  
   userdel is used to delete users, like this:
   
userdel -r username

   The -r option removes the user's home directory as well. Files outside
   the home directory must be removed by hand.

   If you just want to lock the account rather than delete it, I suggest
   using the passwd command instead.
   
7.2 The passwd command and password aging

   Besides changing passwords, the passwd command can also be used by root
   to:
     * Lock and unlock accounts (-l and -u)
     * Set the maximum number of days a password stays valid (-x)
     * Set the minimum number of days between password changes (-n)
     * Set the number of days of warning before a password expires (-w)
     * Set the number of days after expiry before the account is locked (-i)
     * Display account information (-S)
       
   For example, to see the status of fred's account:
   
passwd -S fred
fred P 03/04/96 0 60 0 0

   This says that fred's password is valid (P), was last changed on
   03/04/96, may be changed at any time, must be changed within 60 days, and
   that fred will not be warned before it expires and the account will not
   be locked when it does.

   This means that when fred logs in with an expired password, he is asked
   to choose a new password at login.

   If we decide to warn fred 14 days before his password expires and to
   lock the account 14 days after it expires, we would do the following:
   
passwd -w14 -i14 fred

   Now fred's status shows:
   
fred P 03/04/96 0 60 14 14

   For more information on passwd, see the online manual page.
   
7.3 The login.defs file

   The /etc/login.defs file is the configuration file for the login program
   and for the Shadow Suite as a whole.

   /etc/login.defs contains settings ranging from password defaults to
   login options.

   /etc/login.defs is a well-commented file; the things to note are:
   
     * It contains flags that can be turned on or off that determine the
       amount of logging that takes place.
     * It contains pointers to other configuration files.
     * It contains defaults assignments for things like password aging.
       
   From the above you can see that this is an important file, and you should
   confirm that its current settings suit your system before relying on
   them.
   
7.4 Group passwords

   The /etc/group file can contain group passwords, which let users become
   members of a group. If you defined SHADOWGRP in
   /usr/src/shadow-YYMMDD/config.h, this feature is enabled.

   If you defined it and compiled, you need to create an /etc/gshadow file
   to hold the shadowed group passwords and the group administrator
   information.

   When you created /etc/shadow you used a program called pwconv. That
   program does not create /etc/gshadow, but that is no problem: you just
   create it yourself.

   To create the initial /etc/gshadow file, do the following:
   
touch /etc/gshadow
chown root.root /etc/gshadow
chmod 700 /etc/gshadow

   Each time you create a new group, it is added to both /etc/group and
   /etc/gshadow. If you modify a group or change a group password with the
   supplied commands, /etc/gshadow is updated as well.

   The groups, groupadd, groupmod and groupdel programs are provided by the
   Shadow Suite for changing groups.

   The format of the /etc/group file is:
   
groupname:!:GID:member,member,...

   where:
   
   groupname
          The name of the group
          
   !
          The field that normally holds the password, but that is now
          relocated to the /etc/gshadow file.
          
   GID
          The numerical group ID number
          
   member
          List of group members
          
   The format of the /etc/gshadow file is:
   
groupname:password:admin,admin,...:member,member,...

   where:
   
   groupname
          The name of the group
          
   password
          The encoded group password.
          
   admin
          List of group administrators
          
   member
          List of group members
          
   The gpasswd command is used to add and remove group administrators and
   group members. root or one of the group administrators can add or remove
   members.

   Group passwords can be changed with the passwd command, but only by root
   or by a group administrator.
   
   Despite the fact that there is not currently a manual page for
   gpasswd, typing gpasswd without any parameters gives a listing of
   options. It's fairly easy to grasp how it all works once you
   understand the file formats and the concepts.
   
7.5 Consistency checking programs

  pwck
  
   The pwck program does consistency checking of the /etc/passwd and
   /etc/shadow files. It checks each user entry for:
   
     * the correct number of fields
     * unique user name
     * valid user and group identifier
     * valid primary group
     * valid home directory
     * valid login shell
       
   It also warns about accounts without passwords.

   Running pwck after installing the Shadow Suite is a good idea. It is
   also worth running it periodically, perhaps weekly or monthly. If you use
   the -r option, you can run it from cron and have the report mailed to
   you.
   
  grpck
  
   grpck is the consistency checking program for the /etc/group and
   /etc/gshadow files. It checks for:
     * the correct number of fields
     * unique group name
     * valid list of members and administrators
       
   It also has a -r option for automatically generated reports.
   
7.6 Dial-up passwords

   Dial-up passwords are another optional line of defense for systems that
   allow dial-in access. If your system allows many people to dial in but
   you want to restrict that access, you may want to use dial-up passwords.
   To enable dial-up passwords, edit /etc/login.defs and make sure
   DIALUPS_CHECK_ENAB is set to yes.

   Two files hold the dial-up information. /etc/dialups contains the ttys
   (one per line, with the leading "/dev/" removed). If a tty is listed,
   dial-up checks are performed on it.

   The second file is /etc/d_passwd. It contains the fully qualified path
   names of shells, followed by an optional password.

   If a user logs in on a line listed in /etc/dialups and his shell is
   listed in /etc/d_passwd, he is allowed access only after supplying the
   correct dial-up password.

   Another use of dial-up passwords is to allow only certain kinds of
   connections (perhaps PPP or UUCP) without one: if a user tries to obtain
   another kind of access (i.e. a listed shell), he must know the dial-up
   password.

   You need to create the two files before you can use dial-up passwords.

   The dpasswd command assigns passwords to the shells in /etc/d_passwd.
   See its manual page for more information.
   
8. Adding shadow support to a C program

   Adding shadow support to a program is actually fairly easy. The only
   problem is that the program must run with root (or SUID root) privilege
   to be able to access the /etc/shadow file.

   This brings up one big problem: SUID programs must be written very
   carefully and do exactly what they are supposed to. For example, if a
   program allows a shell escape and the program is SUID root, the shell is
   presented with root privilege.

   A program that only needs to check passwords after shadow support is
   added need not run as root; it can run SGID shadow instead. The xlock
   program is an example.

   In the example below, pppd-1.2.1d already runs SUID as root, so adding
   shadow support does not affect the program's privilege.
   
8.1 Header files

   The header files live in /usr/include/shadow. There should also be a
   /usr/include/shadow.h file, which is a symbolic link to
   /usr/include/shadow/shadow.h.

   To add shadow support to a program, you need to include the header
   files:
   
#include <shadow/shadow.h>
#include <shadow/pwauth.h>

8.2 The libshadow.a library

   When you installed the Shadow Suite, libshadow.a was built and installed
   in the /usr/lib directory.

   When compiling a program with shadow support, the linker needs to
   include the libshadow.a library.

   For example:

gcc program.c -o program -lshadow

   However, as in the example we are about to look at, most large programs
   use a Makefile, and usually the variable called LIBS=... is what needs to
   be modified.
   Is LIBS=... ݭnQקC
   
8.3 Shadow structure

   The libshadow.a library functions use a structure for the information
   read from /etc/shadow. This is the spwd structure definition from the
   /usr/include/shadow/shadow.h header file:
     _________________________________________________________________
   
struct spwd
{
  char *sp_namp;                /* login name */
  char *sp_pwdp;                /* encrypted password */
  sptime sp_lstchg;             /* date of last change */
  sptime sp_min;                /* minimum number of days between changes */
  sptime sp_max;                /* maximum number of days between changes */
  sptime sp_warn;               /* number of days of warning before password
                                   expires */
  sptime sp_inact;              /* number of days after password expires
                                   until the account becomes unusable. */
  sptime sp_expire;             /* days since 1/1/70 until account expires */
  unsigned long sp_flag;        /* reserved for future use */
};
     _________________________________________________________________
   
   The Shadow Suite can store more than just the encoded password in the
   sp_pwdp field. The password field can also contain:
   
username:Npge08pfz4wuk;@/sbin/extra:9479:0:10000::::

   This indicates a secondary authentication program, /sbin/extra, that is
   called after the password check. The program is run with the user name
   and a switch indicating why it was called, and must also succeed for the
   login to go through. See /usr/include/shadow/pwauth.h and the source
   file pwauth.c for more information.

   I do not use pwauth for real authentication; it is mentioned only
   because a second authentication method could be useful.

   The author of the Shadow Suite has indicated that this feature is likely
   to disappear, so do not depend on it.
   
8.4 Shadow functions

   shadow.h contains the following libshadow.a library functions:
     _________________________________________________________________
   
extern void setspent __P ((void));
extern void endspent __P ((void));
extern struct spwd *sgetspent __P ((__const char *__string));
extern struct spwd *fgetspent __P ((FILE *__fp));
extern struct spwd *getspent __P ((void));
extern struct spwd *getspnam __P ((__const char *__name));
extern int putspent __P ((__const struct spwd *__sp, FILE *__fp));
     _________________________________________________________________
   
   The function we'll use in the example program is getspnam, which returns
   the spwd structure for a given login name.
   
8.5 Example

   This is an example of adding shadow support to a program that does not have
   it by default.
   
   The example uses the Point-to-Point Protocol Server (pppd-1.2.1d), which
   has a mode where it uses the account password from /etc/passwd for PAP
   authentication instead of the PAP or CHAP secrets files. You won't need to
   add this code to pppd-2.2.0, since it is already included there.
   
   pppd probably isn't used in this mode by a large number of people, but if
   you install the Shadow Suite, the passwords stored in /etc/passwd will no
   longer work for it.
   
   The authentication code of pppd-1.2.1d is in the
   /usr/src/pppd-1.2.1d/pppd/auth.c file.
   
   The following code needs to be added at the top of that file, where all the
   other #include lines are. We'll include the headers conditionally.
     _________________________________________________________________
   
#ifdef USE_SHADOW       /* defined via -DUSE_SHADOW in the Makefile below */
#include <shadow.h>
#include <shadow/pwauth.h>
#endif
     _________________________________________________________________
   
   Next, we need to actually modify the code. We'll modify the login function
   in auth.c.
   
   The login function in auth.c before modification:
     _________________________________________________________________
   
/*
 * login - Check the user name and password against the system
 * password database, and login the user if OK.
 *
 * returns:
 *      UPAP_AUTHNAK: Login failed.
 *      UPAP_AUTHACK: Login succeeded.
 * In either case, msg points to an appropriate message.
 */
static int
login(user, passwd, msg, msglen)
    char *user;
    char *passwd;
    char **msg;
    int *msglen;
{
    struct passwd *pw;
    char *epasswd;
    char *tty;

    if ((pw = getpwnam(user)) == NULL) {
        return (UPAP_AUTHNAK);
    }
    /*
     * XXX If no passwd, let them login without one.
     */
    if (pw->pw_passwd[0] == '\0') {     /* test the string, not the pointer */
        return (UPAP_AUTHACK);
    }

    epasswd = crypt(passwd, pw->pw_passwd);
    if (strcmp(epasswd, pw->pw_passwd)) {
        return (UPAP_AUTHNAK);
    }

    syslog(LOG_INFO, "user %s logged in", user);

    /*
     * Write a wtmp entry for this user.
     */
    tty = strrchr(devname, '/');
    if (tty == NULL)
        tty = devname;
    else
        tty++;
    logwtmp(tty, user, "");             /* Add wtmp login entry */
    logged_in = TRUE;

    return (UPAP_AUTHACK);
}
     _________________________________________________________________
   
   The user's password is taken from pw->pw_passwd, so we need to add a call
   to getspnam. This will give us the password in spwd->sp_pwdp.
   
   We'll add the pwauth function to do the authentication. This will
   automatically perform secondary authentication if it is set up in the
   shadow file.
   
   The login function in auth.c after modification to support shadow:
     _________________________________________________________________
   
/*
 * login - Check the user name and password against the system
 * password database, and login the user if OK.
 *
 * This function has been modified to support the Linux Shadow Password
 * Suite if USE_SHADOW is defined.
 *
 * returns:
 *      UPAP_AUTHNAK: Login failed.
 *      UPAP_AUTHACK: Login succeeded.
 * In either case, msg points to an appropriate message.
 */
static int
login(user, passwd, msg, msglen)
    char *user;
    char *passwd;
    char **msg;
    int *msglen;
{
    struct passwd *pw;
    char *epasswd;
    char *tty;

#ifdef USE_SHADOW
    struct spwd *spwd;
    struct spwd *getspnam();
#endif

    if ((pw = getpwnam(user)) == NULL) {
        return (UPAP_AUTHNAK);
    }

#ifdef USE_SHADOW
    spwd = getspnam(user);
    if (spwd)
        pw->pw_passwd = spwd->sp_pwdp;  /* use the shadow password instead */
#endif

    /*
     * XXX If no passwd, do NOT let them login without one.
     */
    if (pw->pw_passwd[0] == '\0') {     /* test the string, not the pointer */
        return (UPAP_AUTHNAK);
    }
#ifdef USE_SHADOW
    if ((pw->pw_passwd && pw->pw_passwd[0] == '@'
         && pw_auth (pw->pw_passwd+1, pw->pw_name, PW_LOGIN, NULL))
        || !valid (passwd, pw)) {
        return (UPAP_AUTHNAK);
    }
#else
    epasswd = crypt(passwd, pw->pw_passwd);
    if (strcmp(epasswd, pw->pw_passwd)) {
        return (UPAP_AUTHNAK);
    }
#endif

    syslog(LOG_INFO, "user %s logged in", user);

    /*
     * Write a wtmp entry for this user.
     */
    tty = strrchr(devname, '/');
    if (tty == NULL)
        tty = devname;
    else
        tty++;
    logwtmp(tty, user, "");             /* Add wtmp login entry */
    logged_in = TRUE;

    return (UPAP_AUTHACK);
}
     _________________________________________________________________
   
   A careful reader will notice that we have made a change not mentioned
   above. The original allows the login (returns UPAP_AUTHACK) if there is no
   password in /etc/passwd. This is bad, because login here means using a
   PPP process that is already running, and the account password being
   checked, the PAP password, is the account's password in /etc/passwd or
   /etc/shadow.
   
   So if we had set up a user, say ppp, who could log in at the shell,
   anyone could get a ppp connection by using PAP with the ppp user name and
   a null password.
   
   We changed the return value from UPAP_AUTHACK to UPAP_AUTHNAK when the
   password is empty.
   
   pppd-2.2.0 has the same problem.
   
   Next we need to modify the Makefile so that two things happen:
   
   USE_SHADOW must be defined, and libshadow.a must be added to the link step.
   
   Edit the Makefile and add:
   
LIBS = -lshadow

   Then find this line:
   
COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t

   And change it to:
   
COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t -DUSE_SHADOW

   Now run make and install.
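   As an added example (not code from this HOWTO or from pppd), the C program
   below parses a shadow entry in the "hash;@program" format of section 8.3
   into the spwd fields it needs, and applies the decision rule of the
   modified login() above: an empty stored password is refused, and the
   stored hash is compared with the crypt() output the caller supplies. The
   sample entry, the shadow_entry struct and the AUTH_ACK/AUTH_NAK values are
   constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample entry in the ";@program" format; not a real credential. */
static const char SAMPLE_SHADOW_LINE[] =
    "username:Npge08pfz4wuk;@/sbin/extra:9479:0:10000::::";
/* Subset of struct spwd, with sp_pwdp already split into its two parts. */
struct shadow_entry {
    char name[33];
    char hash[65];    /* encrypted password part of sp_pwdp */
    char extra[129];  /* secondary authentication program after ";@", or "" */
    long lstchg, min, max;
};
enum { AUTH_NAK = 0, AUTH_ACK = 1 };  /* local stand-ins for UPAP_AUTHNAK/ACK */

/* Copy the next ':'-separated field into out; empty fields yield "". */
static void next_field(const char **cur, char *out, size_t n) {
    const char *end = strchr(*cur, ':');
    size_t len = end ? (size_t)(end - *cur) : strlen(*cur);
    if (len >= n) len = n - 1;
    memcpy(out, *cur, len);
    out[len] = '\0';
    *cur = end ? end + 1 : *cur + strlen(*cur);
}

/* Parse name:pwdp:lstchg:min:max:...; returns 0 on success, -1 on error. */
int parse_shadow_line(const char *line, struct shadow_entry *e) {
    const char *cur = line;
    char num[32], *sep;
    memset(e, 0, sizeof *e);
    next_field(&cur, e->name, sizeof e->name);
    if (e->name[0] == '\0') return -1;
    next_field(&cur, e->hash, sizeof e->hash);
    if ((sep = strstr(e->hash, ";@")) != NULL) {   /* split hash;@program */
        strncpy(e->extra, sep + 2, sizeof e->extra - 1);
        *sep = '\0';
    }
    next_field(&cur, num, sizeof num); e->lstchg = atol(num);
    next_field(&cur, num, sizeof num); e->min = atol(num);
    next_field(&cur, num, sizeof num); e->max = atol(num);
    return 0;
}

/* Decision rule of the modified login(): epasswd is the caller's crypt()
   output. An empty stored password is refused, unlike the original pppd code. */
int pap_login_decision(const struct shadow_entry *e, const char *epasswd) {
    if (e->hash[0] == '\0') return AUTH_NAK;          /* no password: refuse */
    if (strcmp(epasswd, e->hash) != 0) return AUTH_NAK;
    return AUTH_ACK;  /* pw_auth would now run e->extra, if one is set */
}
```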
   
9. Frequently asked questions

   Q: I allowed root access on ttys with the /etc/securettys file, but it no
   longer works. How do I fix this?
   
   A: The /etc/securettys file no longer means anything once the Shadow Suite
   is installed.
   
   Root access on ttys is now configured with a login setting in the
   /etc/login.defs file. Other settings are made in that file as well.
   
   Q: I installed the Shadow Suite, but now I can't log in to the system. Did
   I miss a step?
   
   A: You probably only installed the Shadow programs but did not run pwconv,
   or you forgot to copy /etc/npasswd to /etc/passwd and /etc/nshadow to
   /etc/shadow. You also need to copy login.defs to /etc.
   
   Q: In the xlock section, the /etc/shadow file's group owner is shadow. I
   don't have a shadow group; what should I do?
   
   A: You can add one. Simply edit the /etc/group file and add a line for
   the shadow group. Make sure the group number is not already used by
   another group, and insert the line before the nogroup entry. Alternatively,
   you can simply make xlock suid root.
   
   Q: Is there a mailing list for the Linux Shadow Password Suite?
   
   A: Yes, but it is meant for discussing the development of the next Shadow
   Suite for Linux. You can subscribe by sending mail to
   shadow-list-request@neptune.cin.net with the message body: subscribe.
   The list is for the Linux shadow-YYMMSS series, so join if you want to take
   part in development, or if you have installed the Suite on your system and
   have questions.
   
   Q: I installed the Shadow Suite, but when I use the userdel command I get
   the message "userdel: cannot open shadow group file". Did I do something
   wrong?
   
   A: You compiled the Shadow Suite with the SHADOWGRP option enabled, but you
   don't have an /etc/gshadow file. Either edit config.h and recompile, or
   create an /etc/gshadow file; see the section on shadow groups.
   
   Q: I installed the Shadow Suite, but I can't have encrypted passwords in my
   /etc/passwd file. What happened?
   
   A: You probably have the AUTOSHADOW option enabled in the Shadow config.h
   file, or your libc was compiled with the SHADOW_COMPAT option. You need to
   determine which is the cause and then recompile.
   
10. Copyright Notice

   The Linux Shadow Password HOWTO is Copyright (c) 1996 Michael H.
   Jackson.
   
   Permission is granted to make and distribute verbatim copies of this
   document provided the copyright notice and this permission notice are
   preserved on all copies.
   
   Permission is granted to copy and distribute modified versions of this
   document under the conditions for verbatim copies above, provided a
   notice clearly stating that the document is a modified version is also
   included in the modified document.
   
   Permission is granted to copy and distribute translations of this
   document into another language, under the conditions specified above
   for modified versions.
   
   Permission is granted to convert this document into another media
   under the conditions specified above for modified versions provided
   the requirement to acknowledge the source document is fulfilled by
   inclusion of an obvious reference to the source document in the new
   media. Where there is any doubt as to what defines 'obvious' the
   copyright owner reserves the right to decide.
   
11. Miscellaneous and Acknowledgments.

   The code examples for auth.c are taken from pppd-1.2.1d and
   ppp-2.1.0e, Copyright (c) 1993 and The Australian National University
   and Copyright (c) 1989 Carnegie Mellon University.
   
   Thanks to Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> for
   writing and maintaining the Shadow Suite for Linux, and for his review
   and comments on this document.
   
   Thanks to Ron Tidd <rtidd@tscnet.com> for his helpful review and
   testing.
   
   Thanks to everyone who has sent me feedback to help improve this
   document.
   
   Please, if you have any comments or suggestions then mail them to me.
   
   regards
   
   [30]Michael H. Jackson <mhjack@tscnet.com>

References

   1. mailto:mhjack@tscnet.com
   2. mailto:songmj@ms1.hinet.net
   3. http://sunsite.unc.edu/mdw/linux.html
   4. http://sunsite.unc.edu/linux/HOWTO/Shadow-Password-HOWTO.html
   5. mailto:mhjack@tscnet.com
   6. mailto:marekm@i17linuxb.ists.pwr.wroc.pl
   7. http://bach.cis.temple.edu/linux/linux-security/
   8. mailto:flla@stud.uni-sb.de
   9. mailto:magnus@texas.net
  10. http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-telnetd.html
  11. mailto:marekm@i17linuxb.ists.pwr.wroc.pl
  12. ftp://i17linuxb.ists.pwr.wroc.pl/pub/linux/shadow/shadow-current.tar.gz
  13. ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz
  14. ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz
  15. ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz
  16. ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz
  17. http://sunsite.unc.edu/mdw/HOWTO/Bootdisk-HOWTO.html
  18. file://localhost/tmp/zh-sgmltools.9490/Shadow-Password-HOWTO.txt.html#sec-adding
  19. ftp://sunsite.unc.edu/pub/Linux/system/Admin/accounts/adduser.shadow-1.4.tgz
  20. file://localhost/tmp/zh-sgmltools.9490/Shadow-Password-HOWTO.txt.html#sec-work
  21. http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-wu.ftpd-2.4-Update.html
  22. ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/wu-ftpd-2.4-fixed.tar.gz
  23. ftp://tscnet.com/pub/linux/network/ftp/wu-ftpd-2.4.2-beta-10.tar.gz
  24. ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/ftpd-shadow-nis.tgz
  25. ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d-1.00.4.linux.shadow.tar.gz
  26. ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d+shadow+elf.tar.gz
  27. ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screensavers/xlockmore-3.7.tgz
  28. ftp://sunsite.unc.edu/pub/Linux/X11/xutils/xdm.tar.gz
  29. ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz
  30. mailto:mhjack@tscnet.com
