tcb_unconvert (8)

    NAME

    tcb_convert, tcb_unconvert - utilities to convert to and from
    the tcb password shadowing scheme
     
    

    SYNOPSIS

    tcb_convert
    tcb_unconvert  

    DESCRIPTION

    tcb_convert converts /etc/shadow into a set of files under /etc/tcb/ (see tcb(5)). During this operation /etc/shadow is locked.

    tcb_unconvert converts the files under /etc/tcb/ back into /etc/shadow. Because it is impractical to lock all of the tcb shadow files, tcb_unconvert temporarily changes the group ownership on /etc/tcb/ to group "sys" such that the passwd(1) utility will refuse to work during the conversion.  

    MIGRATING TO TCB

    In order to migrate a system to the tcb password shadowing scheme from the traditional /etc/passwd+/etc/shadow setup, the following steps are necessary:
    1. Install the tcb package as well as tcb-aware shadow-utils.

    2. Create the group "auth" if it isn't present.

    3. If you want processes possessing both "shadow" and "auth" groups to have read-only access to all tcb files, add or uncomment the following line in /etc/login.defs:

       TCB_AUTH_GROUP yes

    4. As root, execute tcb_convert.

    5. In /etc/nsswitch.conf, find the "shadow" entry and replace the "files" method with "tcb"; the edited line should look like this:

       shadow: tcb nisplus nis

    6. In /etc/pam.d/ files, change occurrences of pam_unix.so or pam_pwdb.so (if any) to pam_tcb.so. You may wish to browse the pam_tcb(8) manual for information on additional tuning.

    7. In each file under /etc/pam.d/ which has a "password" line (most notably in /etc/pam.d/passwd) add the write_to=tcb option to the instance of pam_tcb used as the password changing module. The line should look similar to this:

       password required /lib/security/pam_tcb.so shadow use_authtok write_to=tcb

    8. Edit /etc/login.defs such that it contains the (uncommented) line:

       USE_TCB yes

    9. Now you should remove the /etc/shadow file and its backups (if any), such as /etc/shadow-. It is important that you do so such that processes possessing the "shadow" group don't get read access to all of your old password hashes (many of which may remain valid for quite some time).

    10. As root,

        chown root:shadow /usr/bin/passwd /etc/pam.d/passwd
        chmod 2711 /usr/bin/passwd
        chmod 640 /etc/pam.d/passwd

    11. Test if everything works properly, most notably logging in to the system.
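
A read-only audit of the end state that steps 4 to 10 describe, as an added example that is not part of the original manual or of the tcb package. The function name `tcb_audit` and its ROOT argument (a directory prefix, empty for the live system) are assumptions of this example; the ownership set in step 10 is not checked.

```sh
# Added example (not from the tcb package): audit the end state of the
# migration steps. ROOT is a directory prefix, "" for the live system.
tcb_audit() {
    r=$1; bad=0
    fail() { echo "FAIL: $*"; bad=1; }

    # Step 4: tcb_convert must have created /etc/tcb/.
    [ -d "$r/etc/tcb" ] || fail "/etc/tcb missing; tcb_convert not run?"

    # Step 5: the "shadow" entry must list tcb and no longer list files.
    line=$(grep -E '^[[:space:]]*shadow:' "$r/etc/nsswitch.conf" 2>/dev/null | tr '\t' ' ')
    case " ${line#*:} " in
        *" files "*) fail "nsswitch.conf: shadow still uses files" ;;
        *" tcb "*)   ;;
        *)           fail "nsswitch.conf: shadow entry lacks tcb" ;;
    esac

    # Step 8: login.defs needs an uncommented "USE_TCB yes".
    grep -Eq '^[[:space:]]*USE_TCB[[:space:]]+yes' "$r/etc/login.defs" 2>/dev/null ||
        fail "login.defs: USE_TCB yes not set"

    # Steps 6-7: no pam_unix/pam_pwdb left; pam_tcb password lines carry write_to=tcb.
    for f in "$r"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*#' "$f" | grep -Eq 'pam_(unix|pwdb)\.so' &&
            fail "$f: still references pam_unix.so or pam_pwdb.so"
        grep -E '^[[:space:]]*password[[:space:]].*pam_tcb\.so' "$f" |
            grep -qv 'write_to=tcb' && fail "$f: password line lacks write_to=tcb"
    done

    # Step 9: /etc/shadow and its backup must be gone, or group "shadow"
    # can still read every old hash.
    for f in "$r/etc/shadow" "$r/etc/shadow-"; do
        [ -e "$f" ] && fail "$f still exists"
    done

    # Step 10: modes set by the chmod commands (ownership is not checked here).
    [ -n "$(find "$r/usr/bin/passwd" -perm 2711 2>/dev/null)" ] ||
        fail "/usr/bin/passwd is not mode 2711"
    [ -n "$(find "$r/etc/pam.d/passwd" -perm 640 2>/dev/null)" ] ||
        fail "/etc/pam.d/passwd is not mode 640"
    return "$bad"
}
# Usage on the live system, as root: tcb_audit "" && echo "tcb migration complete"
```

Pointing ROOT at a copy of the configuration tree lets the edits be checked before they are applied to the live system.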
     

    THE RETURN TO SHADOW

    If for some reason you decide to return from tcb to the traditional password shadowing scheme, you can do so with the use of tcb_unconvert and by reverting some of the actions listed in "MIGRATING TO TCB", above.  

    SEE ALSO

    login.defs(5), tcb(5), pam_tcb(8)


     

