
          How to obtain, install and configure shadow passwords

Author: Michael H. Jackson, mhjack@tscnet.com
Translator: Sung Min-Ju, songmj@ms1.hinet.net

   v1.3, 3 April 1996. Translated: 15 MAY 2000
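     _________________________________________________________________
   
   This document describes how to obtain, install, and configure the
   Linux password Shadow Suite. It also discusses obtaining and
   reinstalling other software and network daemons that require access
   to user passwords. This other software is not actually part of the
   Shadow Suite, but these programs need to be recompiled to support
   it. The document also contains a programming example for adding
   shadow support to a program. Answers to some frequently asked
   questions are included near the end.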
     _________________________________________________________________
   
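1. Introduction

     * 1.1 Changes from the previous release
     * 1.2 New versions of this document
     * 1.3 Feedback
       
2. Why shadow your passwd file?

     * 2.1 Why you might NOT want to shadow your passwd file
     * 2.2 Format of the /etc/passwd file
     * 2.3 Format of the shadow file
     * 2.4 Review of crypt(3)
       
3. Getting the Shadow Suite

     * 3.1 History of the Shadow Suite for Linux (not translated for now)
     * 3.2 History of the Shadow Suite for Linux
     * 3.3 Where to get the Shadow Suite
     * 3.4 What is included with the Shadow Suite
       
4. Compiling the programs

     * 4.1 Unpacking the archive
     * 4.2 Configuring with the config.h file
     * 4.3 Making backup copies of your original programs
     * 4.4 Running make
       
5. Installing

     * 5.1 Have a boot disk handy in case you break anything
     * 5.2 Removing duplicate man pages
     * 5.3 Running make install
     * 5.4 Running pwconv
     * 5.5 Renaming npasswd and nshadow
       
6. Other programs you may need to upgrade or patch

     * 6.1 Slackware adduser program
     * 6.2 wu_ftpd Server
     * 6.3 Standard ftpd
     * 6.4 pop3d (Post Office Protocol 3)
     * 6.5 xlock
     * 6.6 xdm
     * 6.7 sudo
     * 6.8 imapd (E-Mail [pine package])
     * 6.9 pppd (Point-to-Point Protocol Server)
       
7. Putting the Shadow Suite to use

     * 7.1 Adding, modifying, and deleting users
     * 7.2 The passwd command and passwd aging
     * 7.3 The login.defs file
     * 7.4 Group passwords
     * 7.5 Consistency checking programs
     * 7.6 Dial-up passwords
       
8. Adding shadow support to a C program

     * 8.1 Header files
     * 8.2 libshadow.a library
     * 8.3 Shadow Structure
     * 8.4 Shadow Functions
     * 8.5 Example
       
9. Frequently Asked Questions

10. Copyright (not translated for now)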

11. Miscellaneous and Acknowledgments.
     _________________________________________________________________
   
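1. Introduction

   This is the Linux Shadow-Password-HOWTO. It describes why and how to
   add shadow password support to a Linux system. Some examples of how
   to use some of the Shadow Suite's features are also included.
   
   When installing the Shadow Suite and when using many of the utility
   programs, you must be logged in as root. Installing the Shadow Suite
   changes system software, and it is highly recommended that you make
   backup copies of programs as indicated. I also recommend that you
   read and understand all the instructions before you begin.
   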
   
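1.1 Changes from the previous release

Additions:
        Added a sub-section on why you might not want to install shadow
        Added a sub-section on updating the xdm program
        һڣΪҪװ shadow
        Added a section on how to put Shadow Suite features to work
        Added a section containing frequently asked questions


Corrections/Updates:
        Corrected html references on Sunsite
        Corrected section on wu-ftp to reflect adding -lshadow to the Makefile
        Corrected minor spelling and wording errors
        Changed section on wu-ftp to support ELF
        Updated to reflect security problems in various login programs
        Updated to recommend the Linux Shadow Suite by Marek Michalkiewicz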

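1.2 New versions of this document

   The latest version of this document can be retrieved by anonymous
   FTP from sunsite.unc.edu:
/pub/Linux/docs/HOWTO/Shadow-Password-HOWTO

   or:
/pub/Linux/docs/HOWTO/other-formats/Shadow-Password-HOWTO{-html.tar,ps,dvi}.gz

   or via the World Wide Web from the Linux Documentation Project Web
   Server, page Shadow-Password-HOWTO, or directly from me:
   <mhjack@tscnet.com>. It will also be posted to the newsgroup
   comp.os.linux.answers.
   
   This document is now packaged with the Shadow-YYDDMM packages.
   
1.3 Feedback

   Please send any comments, updates, or suggestions to me: Michael H.
   Jackson <mhjack@tscnet.com>. The sooner I get feedback, the sooner I
   can update and correct this document. If you find any problems with
   it, please email me directly, as I rarely stay up to date on the
   newsgroups.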
   
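2. Why shadow your passwd file?

   By default, most current Linux distributions do not come with the
   Shadow Suite installed. This includes Slackware 2.3, Slackware 3.0,
   and other popular distributions. One of the reasons for this is that
   the copyright notices in the original Shadow Suite were not clear on
   redistribution if a fee was charged. Linux uses a GNU copyright that
   allows people to put it into a convenient package (like a CD-ROM
   distribution) and charge a fee for it.
   
   The current maintainer of the Shadow Suite, Marek Michalkiewicz
   <marekm@i17linuxb.ists.pwr.wroc.pl>, received the source code from
   the original author under a BSD-style copyright that allows
   redistribution. Now that the copyright issues are resolved, it is
   expected that future distributions will contain password shadowing
   by default. Until then, you will need to install it yourself.
   
   If you installed your distribution from a CD-ROM, you may find that,
   even though the distribution did not have the Shadow Suite
   installed, some of the files you need to install the Shadow Suite
   are on the CD-ROM.
   
   However, Shadow Suite versions 3.3.1, 3.3.1-2, and shadow-mk all have
   security problems with their login program and several other suid
   root programs that came with them, and should no longer be used.
   
   All of the necessary files can be obtained via anonymous FTP or
   through the World Wide Web.
   
   On a Linux system without the Shadow Suite installed, user
   information including passwords is stored in the /etc/passwd file.
   The password is stored in an encrypted format. If you ask a
   cryptography expert, however, he or she will tell you that the
   password is actually in an encoded rather than encrypted format,
   because when using crypt(3) the text is set to null and the password
   is the key. Therefore, from here on, I will use the term encoded in
   this document.
   
   The algorithm used to encode the password field is technically
   referred to as a one way hash function. This is an algorithm that is
   easy to compute in one direction, but very difficult to calculate in
   the reverse direction. More about the actual algorithm used can be
   found in section 2.4 or in your crypt(3) manual page.
   
   When a user picks or is assigned a password, it is encoded with a
   randomly generated value called the salt. This means that any
   particular password could be stored in 4096 different ways. The salt
   value is then stored with the encoded password.
   
   When a user logs in and supplies a password, the salt is first
   retrieved from the stored encoded password. Then the supplied
   password is encoded with the salt value and compared with the stored
   encoded password. If there is a match, the user is authenticated.
   
   It is computationally difficult (but not impossible) to take a
   randomly encoded password and recover the original password.
   However, on any system with more than just a few users, at least
   some of the passwords will be common words (or simple variations of
   common words).
   
   System crackers know all this, and will simply encode a dictionary
   of words and common passwords using all 4096 possible salt values.
   Then they compare the encoded passwords in your /etc/passwd file
   with their database. Once they have found a match, they have the
   password for another account. This is referred to as a dictionary
   attack, and it is one of the most common methods for gaining or
   expanding unauthorized access to a system.
   
   If you think about it, an 8 character password encodes to 4096 * 13
   character strings. So a dictionary of, say, 400,000 common words,
   names, passwords, and simple variations would easily fit on a 4GB
   hard drive. The attacker need only sort the strings and then check
   for matches. Since a 4GB hard drive can be had for under $1000.00,
   this is well within the means of most system crackers.
   
   Also, if a cracker obtains your /etc/passwd file first, they only
   need to encode the dictionary with the salt values actually present
   in your /etc/passwd file. This method is usable by anyone with a 486
   class computer and a few hundred spare megabytes of disk space.
   
   Even without lots of drive space, utilities like crack(1) can
   usually break at least a couple of passwords on a system with enough
   users (assuming the users of the system are allowed to pick their
   own passwords).
   
   The /etc/passwd file also contains information like user IDs and
   group IDs that is used by many system programs. Therefore, the
   /etc/passwd file must remain world readable. If you were to change
   the /etc/passwd file so that nobody can read it, the first thing you
   would notice is that the ls -l command now displays user IDs
   instead of names.
   
   The Shadow Suite solves the problem by relocating the passwords to
   another file (usually /etc/shadow). The /etc/shadow file is set so
   that it cannot be read by just anyone: only root can read and write
   it. Some programs (like xlock) don't need to be able to change
   passwords, they only need to be able to verify them. These programs
   can either be run suid root, or you can set up a group shadow that
   is allowed read-only access to the /etc/shadow file. Then the
   program can be run sgid shadow.
   
   By moving the passwords to the /etc/shadow file, we are effectively
   keeping the attacker from having access to the encoded passwords
   with which to perform a dictionary attack.
   
   Additionally, the Shadow Suite adds other features:
     * A configuration file to set login defaults (/etc/login.defs)
     * Utilities for adding, modifying, and deleting user accounts and
       groups
     * Password aging and expiration
     * Account expiration and locking
     * Shadowed group passwords (optional)
     * Double length passwords (16 characters) [NOT RECOMMENDED]
     * Better control over users' password selection
     * Dial-up passwords
     * Secondary authentication programs [NOT RECOMMENDED]
       
   Installing the Shadow Suite contributes toward a more secure system,
   but there are many other things that can also be done to improve
   the security of a Linux system, and there will eventually be a
   series of Linux Security HOWTOs that discuss other security measures
   and related issues.
   
   For current information on other Linux security issues, see the
   Linux Security home page.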
   
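2.1 Why you might NOT want to shadow your passwd file

   There are a few circumstances and configurations in which installing
   the Shadow Suite would NOT be a good idea:
     * The machine does not contain user accounts.
     * Your machine is running on a LAN and is using NIS (Network
       Information Services) to get or supply user names and passwords
       to other machines on the network. (This can actually be done,
       but it is beyond the scope of this document, and really won't
       increase security much anyway.)
     * Your machine is being used by terminal servers to verify users
       via NFS (Network File System), NIS, or some other method.
     * Your machine runs other software that validates users, there is
       no shadow version of it available, and you don't have the source
       code.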
       
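2.2 Format of the /etc/passwd file

   A non-shadowed /etc/passwd file has the following format:
   
username:passwd:UID:GID:full_name:directory:shell

   Where:
   
   username
          The user (login) name
          
   passwd
          The encoded password
          
   UID
          Numerical user ID
          
   GID
          Numerical default group ID
          
   full_name
          The user's full name. This field is actually called the GECOS
          (General Electric Comprehensive Operating System) field and
          can store information other than just the full name. The
          Shadow commands and manual pages refer to this field as the
          comment field.
          
   directory
          The user's home directory (full pathname)
          
   shell
          The user's login shell (full pathname)
          
   For example:
   
username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh

   Here Np is the salt and ge08pfz4wuk is the encoded password. The
   encoded salt/password could just as easily have been kbeMVnZM0oL7I,
   and the two are exactly the same password. There are 4096 possible
   encodings for the same password. (The example password in this case
   is "password", a really bad password.)
   
   Once the shadow suite is installed, the /etc/passwd file would
   instead contain:
   
username:x:503:100:Full Name:/home/username:/bin/sh

   The x in the second field is now just a place holder. The format of
   the /etc/passwd file did not change, it just no longer contains the
   encoded password. This means that any program that reads the
   /etc/passwd file but does not actually need to verify passwords
   will still operate correctly.
   
   The passwords are now relocated to the shadow file (usually
   /etc/shadow).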
   
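2.3 Format of the shadow file

   The /etc/shadow file contains the following information:
   
username:passwd:last:may:must:warn:expire:disable:reserved

   Where:
   
   username
          The user name
          
   passwd
          The encoded password
          
   last
          Days since Jan 1, 1970 that the password was last changed
          
   may
          Days before the password may be changed
          
   must
          Days after which the password must be changed
          
   warn
          Days before the password is to expire that the user is warned
          
   expire
          Days after the password expires that the account is disabled
          
   disable
          Days since Jan 1, 1970 that the account is disabled
          
   reserved
          A reserved field
          
   The previous example might then be: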
   
username:Npge08pfz4wuk:9479:0:10000::::

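2.4 Review of crypt(3).

   From the crypt(3) manual page:
   
   "crypt is the password encryption function. It is based on the Data
   Encryption Standard algorithm with variations intended (among other
   things) to discourage use of hardware implementations of a key
   search.
   
   [The] key is a user's typed password. [The encoded string is all
   NULLs]
   
   [The] salt is a two-character string chosen from the set
   [a-zA-Z0-9./]. This string is used to perturb the algorithm in one
   of 4096 different ways.
   
   By taking the lowest 7 bit[s] of each character of the key, a 56-bit
   key is obtained. This 56-bit key is used to encrypt repeatedly a
   constant string (usually a string consisting of all zeros). The
   returned value points to the encrypted password, a series of 13
   printable ASCII characters (the first two characters represent the
   salt itself). The return value points to static data whose content
   is overwritten by each call.
   
   Warning: The key space consists of 2**56 equal 7.2e16 possible
   values. Exhaustive searches of this key space are possible using
   massively parallel computers. Software, such as crack(1), is
   available which will search the portion of this key space that is
   generally used by humans for passwords. Hence, password selection
   should, at minimum, avoid common words and names. The use of a
   passwd(1) program that checks for crackable passwords during the
   selection process is recommended.
   
   The DES algorithm itself has a few quirks which make the use of the
   crypt(3) interface a very poor choice for anything other than
   password authentication. If you are planning on using the crypt(3)
   interface for a cryptography project, don't do it: get a good book
   on encryption and one of the widely available DES libraries."
   
   Most Shadow Suites contain code for doubling the length of the
   password to 16 characters. Experts in DES recommend against this, as
   the encoding is simply applied first to the left half and then to
   the right half of the longer password. Because of the way crypt
   works, this may make for a less secure encoded password than if
   double length passwords were not used in the first place.
   Additionally, it is less likely that a user will be able to
   remember a 16 character password.
   
   There is development work under way that would allow the
   authentication algorithm to be replaced with something more secure
   and with support for longer passwords (specifically the MD5
   algorithm) while retaining compatibility with the crypt method.
   
   If you are looking for a good book on encryption, I recommend:
        "Applied Cryptography: Protocols, Algorithms, and Source Code in C"
        by Bruce Schneier <schneier@chinet.com>
        ISBN: 0-471-59756-2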

3. Getting the Shadow Suite.

3.1 History of the Shadow Suite for Linux (not translated for now)

3.2 History of the Shadow Suite for Linux

   DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS
   
   The original Shadow Suite was written by John F. Haugh II.
   
   There are several versions that have been used on Linux systems:
     * shadow-3.3.1 is the original.
     * shadow-3.3.1-2 is Linux specific patch made by [8]Florian La Roche
       <flla@stud.uni-sb.de> and contains some further enhancements.
     * shadow-mk was specifically packaged for Linux.
       
   The shadow-mk package contains the shadow-3.3.1 package distributed by
   John F. Haugh II with the shadow-3.3.1-2 patch installed, a few fixes
   made by [9]Mohan Kokal <magnus@texas.net> that make installation a lot
   easier, a patch by Joseph R.M. Zbiciak for login1.c (login.secure)
   that eliminates the -f, -h security holes in /bin/login, and some
   other miscellaneous patches.
   
   The shadow.mk package was the previously recommended package, but
   should be replaced due to a security problem with the login program.
   
   There are security problems with Shadow versions 3.3.1, 3.3.1-2, and
   shadow-mk involving the login program. This login bug involves not
   checking the length of a login name. This causes the buffer to
   overflow causing crashes or worse. It has been rumored that this
   buffer overflow can allow someone with an account on the system to use
   this bug and the shared libraries to gain root access. I won't discuss
   exactly how this is possible because there are a lot of Linux systems
   that are affected, but systems with these Shadow Suites installed, and
   most pre-ELF distributions without the Shadow Suite are vulnerable!
   
   For more information on this and other Linux security issues, see the
   [10]Linux Security home page (Shared Libraries and login Program
   Vulnerability)
   
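3.3 Where to get the Shadow Suite

   The only recommended Shadow Suite is still in BETA testing; however,
   the latest versions are safe in a production environment and do not
   contain a vulnerable login program.
   
   The package uses the following naming convention:
   
shadow-YYMMDD.tar.gz

   where YYMMDD is the issue date of the Suite.
   
   The current BETA version will become Version 3.3.3 and is maintained
   by Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>.
   
   It is available as shadow-current.tar.gz.
   
   The following mirror sites also carry it:
     * ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz
     * ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz
     * ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz
     * ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz
       
   You should use the currently available version.
   
   You should NOT use a version older than shadow-960129, as older
   versions also have the login security problem discussed above.
   
   For reference, I used shadow-960129 to make these installation
   instructions.
   
   If you were previously using shadow-mk, you should upgrade to this
   version and rebuild everything that you originally compiled.
   
3.4 What is included with the Shadow Suite

   The Shadow Suite contains replacement programs for:
   
   su, login, passwd, newgrp, chfn, chsh, and id
   
   The package also contains the new programs:
   
   chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod,
   groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv,
   and pwunconv
   
   Additionally, the library libshadow.a is included for writing and
   compiling programs that need to access user passwords.
   
   Manual pages for the programs are also included.
   
   There is also a configuration file for the login program, which is
   installed as /etc/login.defs.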
   
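4. Compiling the programs

4.1 Unpacking the archive

   The first step after retrieving the package is unpacking it. The
   package is in tar format and compressed with gzip, so first move it
   to /usr/src, then type:
   
tar -xzvf shadow-current.tar.gz

   This will unpack it into the directory /usr/src/shadow-YYMMDD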
   
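4.2 Configuring with the config.h file

   The first thing that you need to do is to copy over the Makefile and
   the config.h file:
   
cd /usr/src/shadow-YYMMDD
cp Makefile.linux Makefile
cp config.h.linux config.h

   You should then take a look at the config.h file, which contains
   definitions for some of the configuration options. If you are using
   the recommended package, I recommend that you disable group shadow
   support the first time around.
   
   By default, shadowed group passwords are enabled. To disable them,
   edit the config.h file and change #define SHADOWGRP to #undef
   SHADOWGRP. I recommend that you disable them to start with, and
   then, if you really want group passwords and group administrators,
   enable them later and recompile. If you leave the option enabled,
   you must create the file /etc/gshadow.
   
   Enabling the long passwords option is also NOT recommended.
   
   Do NOT change the setting #undef AUTOSHADOW.
   
   The AUTOSHADOW option was originally designed so that programs that
   are unaware of shadow would still function. This does not work
   correctly. If you enable this option and such a program runs as
   root, it may call getpwnam() as root and later write the modified
   entry back to the /etc/passwd file (with the no-longer-shadowed
   password). Such programs include chfn and chsh. (You can't get
   around this by swapping the real and effective uid before calling
   getpwnam(), because root may use chfn and chsh too.)
   
   The same warning applies if you are building libc: it has a
   SHADOW_COMPAT option which does the same thing. It should NOT be
   used. If you start getting encoded passwords back in your
   /etc/passwd file, this is the problem.
   
   If you are using a libc version prior to 4.6.27, you will need to
   make a couple more changes to config.h and the Makefile. In
   config.h, change:
   
#define HAVE_BASENAME

   to:
   
#undef HAVE_BASENAME

   And then, in the Makefile, change:
   
SOBJS = smain.o env.o entry.o susetup.o shell.o \
        sub.o mail.o motd.o sulog.o age.o tz.o hushed.o

SSRCS = smain.c env.c entry.c setup.c shell.c \
        pwent.c sub.c mail.c motd.c sulog.c shadow.c age.c pwpack.c rad64.c \
        tz.c hushed.c

   to:

SOBJS = smain.o env.o entry.o susetup.o shell.o \
        sub.o mail.o motd.o sulog.o age.o tz.o hushed.o basename.o

SSRCS = smain.c env.c entry.c setup.c shell.c \
        pwent.c sub.c mail.c motd.c sulog.c shadow.c age.c pwpack.c rad64.c \
        tz.c hushed.c basename.c

   These changes add the code in basename.c, which is contained in libc
   4.6.27 and later.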
   
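4.3 Making backup copies of your original programs

   It is also a good idea to track down and make backup copies of the
   programs that the shadow suite will replace. On a Slackware 3.0
   system these are:
   
     * /bin/su
     * /bin/login
     * /usr/bin/passwd
     * /usr/bin/newgrp
     * /usr/bin/chfn
     * /usr/bin/chsh
     * /usr/bin/id
       
   The BETA package has a save target in the Makefile, but it is
   commented out because different distributions place the programs in
   different places.
   
   You should also make a backup copy of your /etc/passwd file, but be
   careful to name it something else if you place it in the same
   directory, so that you don't overwrite the passwd command.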
   
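4.4 Running make

   You need to be logged in as root to do most of the installation.
   
   Run make to compile the executables in the package:
   
make all

   You may see the warning: rcsid defined but not used. This is fine;
   it happens because the author is using a version control package.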
   
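5. Installing

5.1 Have a boot disk handy in case you break anything

   If something goes terribly wrong, it is handy to have a boot disk.
   If you have a boot/root combination from your installation, that
   will work; otherwise see the Bootdisk-HOWTO, which describes how to
   make a bootable disk.
   
5.2 Removing duplicate man pages

   You should also move the manual pages that are about to be replaced.
   Even if you are brave enough to install the Shadow Suite without
   making backups, you will still want to remove the old manual pages,
   because the new manual pages will not overwrite the old ones.
   
   You can use a combination of man -aW command and locate command to
   find the manual pages that need to be removed. It is easier to
   figure out which are the older pages before you run make install.
   
   If you are using the Slackware 3.0 distribution, the manual pages
   you want to remove are:
     * /usr/man/man1/chfn.1.gz
     * /usr/man/man1/chsh.1.gz
     * /usr/man/man1/id.1.gz
     * /usr/man/man1/login.1.gz
     * /usr/man/man1/passwd.1.gz
     * /usr/man/man1/su.1.gz
     * /usr/man/man5/passwd.5.gz
       
   There may also be pages of the same name in the /var/man/cat[1-9]
   directories that should be deleted as well.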
   
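5.3 Running make install

   You are now ready to type (do this as root):
   
make install

   This installs the new and replacement programs and fixes up the file
   permissions. It also installs the manual pages.
   
   It also takes care of installing the Shadow Suite include files in
   the correct place, /usr/include/shadow.
   
   With the BETA package you must manually copy the file login.defs to
   the /etc directory and make sure that only root can change it.
   
cp login.defs /etc
chmod 700 /etc/login.defs

   This file is the configuration file for the login program. You
   should review it and make changes for your particular system. This
   is where you decide which ttys root can log in from and set other
   security policy settings (like password expiration defaults).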
   
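5.4 Running pwconv

   The next step is to run pwconv. This must also be done as root, and
   is best done from the /etc directory:
   
cd /etc
/usr/sbin/pwconv

   pwconv reads your /etc/passwd file and strips out fields to create
   two files: /etc/npasswd and /etc/nshadow.
   
   A pwunconv program is also provided in case you need to build a
   normal /etc/passwd file out of an /etc/passwd and /etc/shadow
   combination.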
   
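5.5 Renaming npasswd and nshadow

   Now that you have run pwconv, you have the files /etc/npasswd and
   /etc/nshadow. These need to be moved to /etc/passwd and
   /etc/shadow. We also want to make a backup copy of the original
   /etc/passwd file and make sure that only root can read it. We will
   put the backup in root's home directory:
   
cd /etc
cp passwd ~/passwd
chmod 600 ~/passwd
mv npasswd passwd
mv nshadow shadow

   You should also ensure that the file ownerships and permissions are
   correct. If you are going to use X-Windows, the xlock and xdm
   programs need to be able to read the shadow file (but not write
   it).
   
   There are two ways to do this. You can set xlock suid root (xdm is
   usually run as root anyway), or you can make the shadow file owned
   by root with group shadow. Before you do the latter, make sure that
   you have a shadow group (look in /etc/group). None of the users on
   the system should actually be in the shadow group.
   
chown root.root passwd
chown root.shadow shadow
chmod 0644 passwd
chmod 0640 shadow

   Your system now has the password file shadowed. You should now
   switch to another virtual terminal and verify that you can log in.
   
   Really, do this now!
   
   If you can't, then something is wrong. To get back to a non-shadowed
   state, do the following:
   
cd /etc
cp ~/passwd passwd
chmod 644 passwd

   You would then restore the files that you saved earlier to their
   proper locations.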
   
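6. Other programs you may need to upgrade or patch

   Even though the shadow suite contains replacements for most programs
   that need to access passwords, most systems have a few additional
   programs that require access to the password file.
   
   If you are running a Debian distribution (or even if you are not),
   you can obtain Debian sources for the programs that need to be
   rebuilt from: ftp://ftp.debian.org/debian/stable/source/
   
   The remainder of this section discusses how to upgrade adduser,
   wu_ftpd, ftpd, pop3d, xlock, xdm and sudo so that they support the
   shadow suite.
   
   See the section Adding Shadow Support to a C program for a
   discussion of how to put shadow support into any other program that
   needs it (although the program must then be run SUID root or SGID
   shadow to be able to actually access the shadow file).
   
6.1 Slackware adduser program

   Slackware distributions contain an interactive program for adding
   users called /sbin/adduser. A shadow version of this program can be
   found at ftp://sunsite.unc.edu/pub/Linux/system/
   Admin/accounts/adduser.shadow-1.4.tar.gz
   
   I would encourage you to use the programs that are supplied with the
   Shadow Suite (useradd, usermod, and userdel) instead of the
   slackware adduser program. They take a little time to learn, but it
   is well worth the effort because you have much more control and
   they perform proper file locking on the /etc/passwd and /etc/shadow
   files (adduser doesn't).
   
   See the section Putting the Shadow Suite to use for more
   information.
   
   But if you must have it, here is what you do:
   
tar -xzvf adduser.shadow-1.4.tar.gz
cd adduser
make clean
make adduser
chmod 700 adduser
cp adduser /sbin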

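6.2 wu_ftpd Server

   Most Linux systems come with the wu_ftpd server. If your
   distribution does not come with shadow installed, then your wu_ftpd
   will not be compiled for shadow. wu_ftpd is launched from
   inetd/tcpd as a root process. If you are running an old wu_ftpd
   daemon, you will want to upgrade it anyway, because older versions
   had a bug that would allow the root account to be compromised. (See
   the Linux security home page for more information.)
   
   Fortunately, you only need to get the source code and recompile it
   with shadow enabled.
   
   If you are not running an ELF system, the wu_ftp server can be found
   on Sunsite as wu-ftp-2.4-fixed.tar.gz
   
   Once you retrieve the server, put it in /usr/src, then type:
   
cd /usr/src
tar -xzvf wu-ftpd-2.4-fixed.tar.gz
cd wu-ftpd-2.4-fixed
cp ./src/config/config.lnx.shadow ./src/config/config.lnx

   Then edit ./src/makefiles/Makefile.lnx, and change the line:
   
LIBES    = -lbsd -support

   to:
   
LIBES    = -lbsd -support -lshadow

   Now you are ready to run the build script and install:
   
cd /usr/src/wu-ftpd-2.4-fixed
/usr/src/wu-ftp-2.4.fixed/build lnx
cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
cp ./bin/ftpd /usr/sbin/wu.ftpd

   This uses the Linux shadow configuration file, then compiles and
   installs the server.
   
   On my Slackware 2.3 system I also had to do the following before
   running
   
   build:
   
cd /usr/include/netinet
ln -s in_systm.h in_system.h
cd -

   Problems have been reported compiling this package under ELF
   systems, but the Beta version of the next release works fine. It
   can be found as wu-ftp-2.4.2-beta-10.tar.gz
   
   Once you retrieve the server, put it in /usr/src, then type:
   
cd /usr/src
tar -xzvf wu-ftpd-2.4.2-beta-9.tar.gz
cd wu-ftpd-beta-9
cd ./src/config

   Then edit config.lnx, and change:
   
#undef SHADOW.PASSWORD

   to:
   
#define SHADOW.PASSWORD

   Then,
   
cd ../Makefiles

   and edit the file Makefile.lnx and change:
   
LIBES = -lsupport -lbsd # -lshadow

   to:
   
LIBES = -lsupport -lbsd -lshadow

   Then build and install:
   
cd ..
build lnx
cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
cp ./bin/ftpd /usr/sbin/wu.ftpd

   Note that you should check your /etc/inetd.conf file to make sure
   that this is where your wu.ftpd server really lives. Some
   distributions place the server daemons in different places, and
   wu.ftpd in particular may be named something else.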
   
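6.3 Standard ftpd

   If you are running the standard ftpd server, I would recommend that
   you upgrade to the wu_ftpd server. Aside from the known bug
   discussed above, it is generally thought to be more secure.
   
   If you insist on the standard one, or you need NIS support, Sunsite
   has ftpd-shadow-nis.tgz for reference.
   
6.4 pop3d (Post Office Protocol 3)

   If you need to support the Post Office Protocol (POP3), you will
   need to recompile a pop3d program. pop3d is normally run by
   inetd/tcpd as root.
   
   There are two versions available from Sunsite:
   pop3d-1.00.4.linux.shadow.tar.gz and pop3d+shadow+elf.tar.gz
   
   Both of these are fairly straightforward to install.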
   
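6.5 xlock

   If you install the shadow suite and then run the X Windows System
   and lock the screen without upgrading your xlock, you will have to
   use CNTL-ALT-Fx to switch to another tty, log in, and kill the xlock
   process (or use CNTL-ALT-BS to kill the X server). Fortunately it
   is fairly easy to upgrade your xlock program.
   
   If you are running XFree86 Versions 3.x.x, you are probably using
   xlockmore (which is a screen-saver in addition to a lock). This
   package supports shadow with a recompile. If you have an older
   xlock, I recommend that you upgrade to this one.
   
   xlockmore-3.5.tgz is available at:
   ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screensavers/xlockmore-3.7.tgz
   
   This is what you need to do.
   
   Get the xlockmore-3.7.tgz file, put it in /usr/src, and unpack it:
   
tar -xzvf xlockmore-3.7.tgz

   Edit the file /usr/X11R6/lib/X11/config/linux.cf, and change the
   line:
   
#define HasShadowPasswd    NO

   to:

#define HasShadowPasswd    YES

   Then build the executables:
   
cd /usr/src/xlockmore
xmkmf
make depend
make

   Then move everything into place and update file ownerships and
   permissions:
   
cp xlock /usr/X11R6/bin/
cp XLock /var/X11R6/lib/app-defaults/
chown root.shadow /usr/X11R6/bin/xlock
chmod 2755 /usr/X11R6/bin/xlock
chown root.shadow /etc/shadow
chmod 640 /etc/shadow

   Your xlock will now work correctly.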
   
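6.6 xdm

   xdm is a program that presents a login screen for X-Windows. Some
   systems start xdm when the system is told to go to a specified run
   level (see /etc/inittab).
   
   With the Shadow Suite installed, xdm needs to be updated.
   Fortunately it is fairly easy to upgrade your xdm program.
   
   xdm.tar.gz is available at:
   ftp://sunsite.unc.edu/pub/Linux/X11/xutils/xdm.tar.gz
   
   Get the xdm.tar.gz file, put it in /usr/src, then unpack it:
   
tar -xzvf xdm.tar.gz

   Edit the file /usr/X11R6/lib/X11/config/linux.cf, and change the
   line:
   
#define HasShadowPasswd    NO

   to:

#define HasShadowPasswd    YES

   Then build the executables:
   
cd /usr/src/xdm
xmkmf
make depend
make

   Then move everything into place:
   
cp xdm /usr/X11R6/bin/

   xdm is run as root, so you don't need to change its file
   permissions.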
   
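6.7 sudo

   The sudo program allows a system administrator to let users run
   programs that would normally require root access. This is handy
   because it lets the administrator limit access to the root account
   itself while still allowing users to do things like mounting
   drives.
   
   sudo needs to read passwords because it verifies the user's password
   when it is invoked. sudo already runs SUID root, so accessing the
   /etc/shadow file is not a problem.
   
   sudo with support for the shadow suite is available at:
   ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz
   
   Warning: when you install sudo, your /etc/sudoers file will be
   replaced with a default one, so you need to make a backup of it if
   you have added anything to the default one. (You could also edit
   the Makefile and remove the line that copies the default file to
   /etc.)
   
   The package is already set up for shadow, so all that is required
   is to recompile the package (put it in /usr/src):
   
cd /usr/src
tar -xzvf sudo-1.2-shadow.tgz
cd sudo-1.2-shadow
make all
make install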

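6.8 imapd (E-Mail [pine package])

   imapd is an email server similar to pop3d. imapd comes with the
   Pine E-mail package. The documentation that comes with the package
   states that shadow support is included. However, I have found that
   this is not true. Furthermore, the build script / Makefile
   combination of this package makes it very difficult to add the
   libshadow.a library at compile time, so I have not been able to add
   shadow support to imapd.
   
   If anyone has an answer, please email me and I will include it
   here.
   
6.9 pppd (Point-to-Point Protocol Server)

   The pppd server can be set up to use several types of
   authentication: Password Authentication Protocol (PAP) and
   Cryptographic Handshake Authentication Protocol (CHAP). The pppd
   server usually reads the passwords that it uses from
   /etc/ppp/chap-secrets and/or /etc/ppp/pap-secrets. If you are using
   this default behavior of pppd, it is not necessary to reinstall
   pppd.
   
   pppd also allows you to use the login option. If the login option
   is given, pppd uses the /etc/passwd file for the user names and
   passwords for PAP. This will no longer work now that the password
   file is shadowed. For pppd-1.2.1d this requires adding code for
   shadow support.
   
   The example in the next section adds shadow support to pppd-1.2.1d
   (an older version of pppd).
   
   pppd-2.2.0 already contains shadow support.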
   
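7. Putting the Shadow Suite to use

   This section discusses some of the things you will want to know now
   that you have the Shadow Suite installed. More information is
   contained in the manual pages for each command.
   
7.1 Adding, modifying, and deleting users

   The Shadow Suite adds command-line commands for adding, modifying,
   and deleting users. You may also have installed the adduser
   program.
   
  useradd
  
   The useradd command can be used to add users to the system. You also
   invoke this command to change the default settings.
   
   The first thing that you should do is examine the default settings
   and make changes specific to your system:
   
useradd -D
     _________________________________________________________________
   
GROUP=1
HOME=/home
INACTIVE=0
EXPIRE=0
SHELL=
SKEL=/etc/skel
     _________________________________________________________________
   
   The defaults are probably not what you want, so if you started
   adding users now you would have to specify all the information for
   each user. However, we can and should change the default values.
   
   On my system:
     * I want the default group to be 100
     * I want passwords to expire every 60 days
     * I don't want to lock an account because its password has expired
     * I want the default shell to be /bin/bash
       
   To make these changes I would use:
   
useradd -D -g100 -e60 -f0 -s/bin/bash

   Now running useradd -D gives:
     _________________________________________________________________
   
GROUP=100
HOME=/home
INACTIVE=0
EXPIRE=60
SHELL=/bin/bash
SKEL=/etc/skel
     _________________________________________________________________
   
   In case you want to modify them, these defaults are stored in the
   file /etc/default/useradd.
   
   Now you can use useradd to add users to the system. For example, to
   add the user fred using the defaults, you would use the following:
   
useradd -m -c "Fred Flintstone" fred

   This creates the following entry in the /etc/passwd file:
   
fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash

   And the following entry in the /etc/shadow file:
   
fred:!:0:0:60:0:0:0:0

   fred's home directory is created and the contents of /etc/skel are
   copied there because of the -m switch.
   
   Since we did not specify a UID, the next available one was used.
   
   fred's account is created, but fred still cannot log in until we
   unlock the account. We do this by changing the password:
   
passwd fred
     _________________________________________________________________
   
Changing password for fred
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New Password: *******
Re-enter new password: *******
     _________________________________________________________________
   
   Now /etc/shadow contains:
   
fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0

   And fred can now log in and use the system. The nice thing about
   useradd and the other programs that come with the Shadow Suite is
   that they make changes to the /etc/passwd and /etc/shadow files
   atomically. So if you are adding a user and another user is
   changing their password at the same time, both operations are
   performed correctly.
   
   You should use the supplied commands rather than directly editing
   /etc/passwd and /etc/shadow. If you were editing the /etc/shadow
   file and a user changed their password while you were editing, and
   you then saved the file, the user's password change would be lost.
   
   Here is a small interactive script that adds users using useradd
   and passwd: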
     _________________________________________________________________
   
#!/bin/bash
#
# /sbin/newuser - A script to add users to the system using the Shadow
#                 Suite's useradd and passwd commands.
#
# Written by Mike Jackson <mhjack@tscnet.com> as an example for the Linux
# Shadow Password Howto.  Permission to use and modify is expressly granted.
#
# This could be modified to show the defaults and allow modification similar
# to the Slackware Adduser program.  It could also be modified to disallow
# stupid entries.  (i.e. better error checking).
#
##
#  Defaults for the useradd command
##
GROUP=100        # Default Group
HOME=/home       # Home directory location (/home/username)
SKEL=/etc/skel   # Skeleton Directory
INACTIVE=0       # Days after password expires to disable account (0=never)
EXPIRE=60        # Days that a passwords lasts
SHELL=/bin/bash  # Default Shell (full path)
##
#  Defaults for the passwd command
##
PASSMIN=0        # Days between password changes
PASSWARN=14      # Days before password expires that a warning is given
##
#  Ensure that root is running the script.
##
WHOAMI=`/usr/bin/whoami`
if [ "$WHOAMI" != "root" ]; then
        echo "You must be root to add new users!"
        exit 1
fi
##
#  Ask for username and fullname.
##
echo ""
echo -n "Username: "
read USERNAME
echo -n "Full name: "
read FULLNAME
#
echo "Adding user: $USERNAME."
#
# Note that the "" around $FULLNAME is required because this field is
# almost always going to contain at least one space, and without the "'s
# the useradd command would think that you were moving on to the next
# parameter when it reached the SPACE character.
#
/usr/sbin/useradd -c"$FULLNAME" -d"$HOME/$USERNAME" -e"$EXPIRE" \
        -f"$INACTIVE" -g"$GROUP" -m -k"$SKEL" -s"$SHELL" "$USERNAME"
##
#  Set password defaults
##
/bin/passwd -n "$PASSMIN" -w "$PASSWARN" "$USERNAME" >/dev/null 2>&1
##
#  Let the passwd command actually ask for password (twice)
##
/bin/passwd "$USERNAME"
##
#  Show what was done.
##
echo ""
echo "Entry from /etc/passwd:"
echo -n "   "
grep "^$USERNAME:" /etc/passwd
echo "Entry from /etc/shadow:"
echo -n "   "
grep "^$USERNAME:" /etc/shadow
echo "Summary output of the passwd command:"
echo -n "   "
passwd -S "$USERNAME"
echo ""
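     _________________________________________________________________
   
   Using a script to add new users is much preferable to editing the
   /etc/passwd or /etc/shadow files directly or to using a program
   like the Slackware adduser program.
   
   For more information on useradd, see the online manual page.
   
  usermod
  
   The usermod program is used to modify the information on a user. Its
   switches are similar to those of the useradd program.
   
   Say you want to change fred's shell; you would do the following:
   
usermod -s /bin/tcsh fred

   Now fred's /etc/passwd entry becomes:
   
fred:*:505:100:Fred Flintstone:/home/fred:/bin/tcsh

   To make fred's account expire on 09/15/97:
   
usermod -e 09/15/97 fred

   Now fred's entry in /etc/shadow becomes:
   
fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0

   For more information on usermod, see the online manual page.
   
  userdel
  
   userdel deletes a user's account. You simply use:
   
userdel -r username

   The -r causes the user's home directory and all files in it to be
   removed. Files located elsewhere have to be searched for and
   deleted manually.
   
   If you simply want to lock the account rather than delete it, use
   the passwd command instead.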
   
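7.2 The passwd command and passwd aging

   The passwd command has the obvious use of changing passwords.
   Additionally, it is used by the root user to:
     * Lock and unlock accounts (-l and -u)
     * Set the maximum number of days that a password remains valid (-x)
     * Set the minimum number of days between password changes (-n)
     * Set the number of days of warning that a password is about to
       expire (-w)
     * Set the number of days after the password expires before the
       account is locked (-i)
     * View account information (-S)
       
   For example, let's look again at fred:
   
passwd -S fred
fred P 03/04/96 0 60 0 0

   This means that fred's password is valid, it was last changed on
   03/04/96, it can be changed at any time, it expires after 60 days,
   fred will not be warned, and the account will not be disabled when
   the password expires.
   
   This simply means that if fred logs in after the password expires,
   he will be prompted for a new password at login.
   
   If we decide that we want to warn fred 14 days before his password
   expires and make his account inactive 14 days after he lets it
   expire, we would do the following:
   
passwd -w14 -i14 fred

   Now fred is changed to:
   
fred P 03/04/96 0 60 14 14

   For more information on passwd, see the online manual page.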
   
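7.3 The login.defs file

   The file /etc/login.defs is the configuration file for the login
   program and for the Shadow Suite as a whole.
   
   /etc/login.defs contains settings ranging from defaults to policy
   settings.
   
   The /etc/login.defs file is quite well documented by the comments
   it contains. However, there are a few things to note:
   
     * It contains flags that can be turned on or off that determine the
       amount of logging that takes place.
     * It contains pointers to other configuration files.
     * It contains defaults assignments for things like password aging.
       
   From the above list you can see that this is a rather important
   file, and you should make sure that it is present and that its
   settings are what you want for your system.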
   
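7.4 Group passwords

   The /etc/group file may contain passwords that permit a user to
   become a member of a particular group. This function is enabled if
   you define the constant SHADOWGRP in the
   /usr/src/shadow-YYMMDD/config.h file.
   
   If you define this constant and then compile, you must create an
   /etc/gshadow file to hold the group passwords and the group
   administrator information.
   
   When you created /etc/shadow, you used a program called pwconv.
   There is no equivalent program to create the /etc/gshadow file, but
   it doesn't matter; you only need to create the file.
   
   To create the initial /etc/gshadow file, do the following:
   
touch /etc/gshadow
chown root.root /etc/gshadow
chmod 700 /etc/gshadow

   Once you create new groups, they are added to the /etc/group and
   /etc/gshadow files. If you modify a group by adding or removing
   users or by changing the group password, the /etc/gshadow file is
   changed.
   
   The programs groups, groupadd, groupmod, and groupdel are provided
   as part of the Shadow Suite to modify groups.
   
   The format of the /etc/group file is as follows:
   
groupname:!:GID:member,member,...

   Where:
   
   groupname
          The name of the group
          
   !
          The field that normally holds the password, but that is now
          relocated to the /etc/gshadow file.
          
   GID
          The numerical group ID number
          
   member
          List of group members
          
   The format of the /etc/gshadow file is as follows:
   
groupname:password:admin,admin,...:member,member,...

   Where:
   
   groupname
          The name of the group
          
   password
          The encoded group password.
          
   admin
          List of group administrators
          
   member
          List of group members
          
   The gpasswd command is used to add or remove administrators and
   members of a group. root or a group administrator may add or remove
   group members.
   
   The group password can be changed with the passwd command by root
   or by anyone listed as an administrator for the group.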
   
   Despite the fact that there is not currently a manual page for
   gpasswd, typing gpasswd without any parameters gives a listing of
   options. It's fairly easy to grasp how it all works once you
   understand the file formats and the concepts.
   
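7.5 Consistency checking programs

  pwck
  
   The pwck program provides a consistency check on the /etc/passwd
   and /etc/shadow files. It checks each user entry and verifies that
   it has:
   
     * the correct number of fields
     * unique user name
     * valid user and group identifier
     * valid primary group
     * valid home directory
     * valid login shell
       
   It also warns of any account that has no password.
   
   It is a good idea to run pwck after installing the Shadow Suite. It
   is also a good idea to run it periodically, perhaps weekly or
   monthly. With the -r option you can run it from cron and have the
   report mailed to you.
   
  grpck
  
   grpck is the consistency checking program for the /etc/group and
   /etc/gshadow files. It performs the following checks:
     * the correct number of fields
     * unique group name
     * valid list of members and administrators
       
   It also has the -r option for automated reports.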
   
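7.6 Dial-up passwords

   Dial-up passwords are another optional line of defense for systems
   that allow dial-in access. If you have a system that allows many
   people to connect locally or via a network, but you want to limit
   who can dial in and connect, then dial-up passwords are for you. To
   enable dial-up passwords, edit the file /etc/login.defs and ensure
   that DIALUPS_CHECK_ENAB is set to yes.
   
   Two files contain the dial-up information. /etc/dialups contains the
   ttys (one per line, with the leading "/dev/" removed). If a tty is
   listed, dial-up checks are performed on it.
   
   The second file is /etc/d_passwd. It contains the fully qualified
   path name of a shell, followed by an optional password.
   
   If a user logs in on a line that is listed in /etc/dialups and his
   shell is listed in /etc/d_passwd, he is allowed access only by
   supplying the correct password.
   
   Another use for dial-up passwords is to set up a line that only
   allows certain types of connection (perhaps PPP or UUCP). If a user
   tries to get another type of connection (i.e. a list of shells), he
   must know the password.
   
   Before you can use the dial-up feature, you must create the files.
   
   The dpasswd command assigns passwords to the shells in the
   /etc/d_passwd file. See the manual page for more information.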
   
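8. Adding shadow support to a C program

   Adding shadow support to a program is actually fairly
   straightforward. The only problem is that the program must be run
   by root (or SUID root) in order to be able to access the
   /etc/shadow file.
   
   This presents one big problem: very careful programming practices
   must be followed when creating SUID programs. For instance, if a
   program has a shell escape, the escape must not run as root when
   the program is SUID root.
   
   For a program that needs shadow support so that it can check
   passwords, but otherwise does not need to run as root, it is a lot
   safer to run the program SGID shadow instead. The xlock program is
   an example of this.
   
   In the example given below, pppd-1.2.1d already runs SUID root, so
   adding shadow support should not make the program any more
   vulnerable.
   
8.1 Header files

   The header files should reside in /usr/include/shadow. There should
   also be a /usr/include/shadow.h, which is a symbolic link to
   /usr/include/shadow/shadow.h
   
   To add shadow support to a program, you need to include the header
   files:
   
#include <shadow/shadow.h>
#include <shadow/pwauth.h>

8.2 libshadow.a library

   When you installed the Shadow Suite, libshadow.a was installed in
   the /usr/lib directory.
   
   When compiling shadow support into a program, the linker needs to
   be told to include the libshadow.a library in the link.
   
   This is done by:
   
gcc program.c -o program -lshadow

   However, as we will see in the example below, most large programs
   use a Makefile and usually have a variable called LIBS=... that we
   will modify.
   
8.3 Shadow Structure

   The libshadow.a library uses a structure called spwd for the
   information it retrieves from the /etc/shadow file. This is the
   definition of the spwd structure from the
   /usr/include/shadow/shadow.h header file: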
     _________________________________________________________________
   
struct spwd
{
  char *sp_namp;                /* login name */
  char *sp_pwdp;                /* encrypted password */
  sptime sp_lstchg;             /* date of last change */
  sptime sp_min;                /* minimum number of days between changes */
  sptime sp_max;                /* maximum number of days between changes */
  sptime sp_warn;               /* number of days of warning before password
                                   expires */
  sptime sp_inact;              /* number of days after password expires
                                   until the account becomes unusable. */
  sptime sp_expire;             /* days since 1/1/70 until account expires
*/
  unsigned long sp_flag;        /* reserved for future use */
};
     _________________________________________________________________
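   An added example, not part of the original HOWTO or of the Shadow
   Suite: it reads entries in the /etc/shadow format of section 2.3 into
   the spwd structure above with fgetspent() (declared in section 8.4)
   and reports accounts with no password, locked accounts and the
   password aging state. The entries other than username and fred, the
   acct_state names, and treating empty or 0 fields as "not set" are
   assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* fgetspent(), fmemopen() */
#endif
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed sample in /etc/shadow format. "username" and "fred" are the
 * entries printed on this page; wilma, barney and betty are made up. */
static const char SAMPLE_SHADOW[] =
    "username:Npge08pfz4wuk:9479:0:10000::::\n"
    "fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0\n"
    "wilma:!:0:0:60:0:0:0:0\n"
    "barney::9559:0:60:14:14::\n"
    "betty:J0C.WDR1amIt6:9559:0:60:14:14::\n";

enum acct_state {
    ACCT_OK, ACCT_WARN, ACCT_PW_EXPIRED, ACCT_INACTIVE,
    ACCT_EXPIRED, ACCT_LOCKED, ACCT_NO_PASSWORD, ACCT_NOT_FOUND
};

/* Classify one parsed entry. `today` is in days since 1 Jan 1970, the unit
 * of sp_lstchg and sp_expire. Assumption: a numeric field that is empty
 * (-1 after parsing) or 0 is "not set", as in the page's sample entries. */
static enum acct_state classify(const struct spwd *sp, long today)
{
    long pw_end;

    if (sp->sp_pwdp == NULL || sp->sp_pwdp[0] == '\0')
        return ACCT_NO_PASSWORD;      /* most serious finding: report first */
    if (sp->sp_pwdp[0] == '!' || sp->sp_pwdp[0] == '*')
        return ACCT_LOCKED;           /* can never match an encoded password */
    if (sp->sp_expire > 0 && today >= sp->sp_expire)
        return ACCT_EXPIRED;          /* account expiry date reached */
    if (sp->sp_lstchg <= 0 || sp->sp_max <= 0)
        return ACCT_OK;               /* no password aging configured */

    pw_end = sp->sp_lstchg + sp->sp_max;   /* day the password expires */
    if (today >= pw_end) {
        if (sp->sp_inact > 0 && today >= pw_end + sp->sp_inact)
            return ACCT_INACTIVE;     /* grace period after expiry is over */
        return ACCT_PW_EXPIRED;
    }
    if (sp->sp_warn > 0 && today >= pw_end - sp->sp_warn)
        return ACCT_WARN;
    return ACCT_OK;
}

/* Look `user` up in shadow-format text held in memory. */
static enum acct_state shadow_state(const char *text, const char *user,
                                    long today)
{
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    enum acct_state st = ACCT_NOT_FOUND;
    struct spwd *sp;

    if (fp == NULL)
        return ACCT_NOT_FOUND;
    while ((sp = fgetspent(fp)) != NULL) {
        if (strcmp(sp->sp_namp, user) == 0) {
            st = classify(sp, today);
            break;
        }
    }
    fclose(fp);
    return st;
}

int main(void)
{
    static const char *const names[] = {
        "ok", "warn", "password expired", "inactive",
        "account expired", "locked", "NO PASSWORD", "not found"
    };
    static const char *const users[] = {
        "username", "fred", "wilma", "barney", "betty"
    };
    long today = (long)(time(NULL) / 86400);
    size_t i;

    for (i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-8s %s\n", users[i],
               names[shadow_state(SAMPLE_SHADOW, users[i], today)]);
    return 0;
}
```

   To audit a real system, open /etc/shadow with fopen() instead of
   fmemopen(); that needs root or membership in the shadow group.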
   
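   The Shadow Suite can put things into the sp_pwdp field besides the
   encoded password. The password field could contain:
   
   
username:Npge08pfz4wuk;@/sbin/extra:9479:0:10000::::

   This means that in addition to the password, the program /sbin/extra
   should be called for further authentication. The program called is
   passed the user name and a switch that indicates why it is being
   called. See the file /usr/include/shadow/pwauth.h and the source
   code of pwauth.c for more information.
   
   What this means is that we should use the function pwauth to perform
   the actual authentication, as it takes care of the secondary
   authentication as well. The example below does this.
   
   The author of the Shadow Suite indicates that most existing programs
   don't do this, and that it may be removed in a future version of
   the Shadow Suite.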
   
8.4 Shadow Functions

   The shadow.h file also contains the prototypes of the functions in
   the libshadow.a library:
     _________________________________________________________________
   
extern void setspent __P ((void));
extern void endspent __P ((void));
extern struct spwd *sgetspent __P ((__const char *__string));
extern struct spwd *fgetspent __P ((FILE *__fp));
extern struct spwd *getspent __P ((void));
extern struct spwd *getspnam __P ((__const char *__name));
extern int putspent __P ((__const struct spwd *__sp, FILE *__fp));
     _________________________________________________________________
   
   The function that we are going to use in the example is getspnam,
   which retrieves a spwd structure for the supplied name.
   
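8.5 Example

   This is an example of adding shadow support to a program that needs
   it but does not have it by default.
   
   The example uses the Point-to-Point Protocol Server (pppd-1.2.1d),
   which has a mode in which it performs PAP authentication using user
   names and passwords from the /etc/passwd file instead of the PAP or
   CHAP files. You would not need to add this code to pppd-2.2.0,
   because it is already there.
   
   This feature of pppd probably isn't used very much, but if you
   install the Shadow Suite it stops working, because the passwords
   are no longer stored in /etc/passwd.
   
   The code for authenticating users under pppd-1.2.1d is located in
   the /usr/src/pppd-1.2.1d/pppd/auth.c file.
   
   The following code needs to be added to the top of the file, where
   all the other #include directives are. We have surrounded the
   #includes with conditional directives.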
     _________________________________________________________________
   
#ifdef HAS_SHADOW
#include <shadow.h>
#include <shadow/pwauth.h>
#endif
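     _________________________________________________________________
   
   The next thing to do is to modify the actual code. We are still
   making changes to the auth.c file.
   
   Function in auth.c before modifications: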
     _________________________________________________________________
   
/*
 * login - Check the user name and password against the system
 * password database, and login the user if OK.
 *
 * returns:
 *      UPAP_AUTHNAK: Login failed.
 *      UPAP_AUTHACK: Login succeeded.
 * In either case, msg points to an appropriate message.
 */
static int
login(user, passwd, msg, msglen)
    char *user;
    char *passwd;
    char **msg;
    int *msglen;
{
    struct passwd *pw;
    char *epasswd;
    char *tty;

    if ((pw = getpwnam(user)) == NULL) {
        return (UPAP_AUTHNAK);
    }
     /*
     * XXX If no passwd, let them login without one.
     */
    if (pw->pw_passwd == '\0') {
        return (UPAP_AUTHACK);
    }

    epasswd = crypt(passwd, pw->pw_passwd);
    if (strcmp(epasswd, pw->pw_passwd)) {
        return (UPAP_AUTHNAK);
    }

    syslog(LOG_INFO, "user %s logged in", user);

    /*
     * Write a wtmp entry for this user.
     */
    tty = strrchr(devname, '/');
    if (tty == NULL)
        tty = devname;
    else
        tty++;
    logwtmp(tty, user, "");             /* Add wtmp login entry */
    logged_in = TRUE;

    return (UPAP_AUTHACK);
}
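     _________________________________________________________________
   
   The user's password is placed into pw->pw_passwd, so all we really
   need to do is add the function getspnam, which puts the password
   into spwd->sp_pwdp.
   
   We will add the function pwauth to perform the actual
   authentication. This automatically performs secondary
   authentication if the shadow file is set up for it.
   
   Function in auth.c after modifications to support shadow: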
     _________________________________________________________________
   
/*
 * login - Check the user name and password against the system
 * password database, and login the user if OK.
 *
 * This function has been modified to support the Linux Shadow Password
 * Suite if USE_SHADOW is defined.
 *
 * returns:
 *      UPAP_AUTHNAK: Login failed.
 *      UPAP_AUTHACK: Login succeeded.
 * In either case, msg points to an appropriate message.
 */
static int
login(user, passwd, msg, msglen)
    char *user;
    char *passwd;
    char **msg;
    int *msglen;
{
    struct passwd *pw;
    char *epasswd;
    char *tty;

#ifdef USE_SHADOW
    struct spwd *spwd;
    struct spwd *getspnam();
#endif

    if ((pw = getpwnam(user)) == NULL) {
        return (UPAP_AUTHNAK);
    }

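#ifdef USE_SHADOW
    /* Prefer the shadow entry: with shadowing active, the /etc/passwd
     * field no longer holds the encrypted password. */
    spwd = getspnam(user);
    if (spwd)
        pw->pw_passwd = spwd->sp_pwdp;
#endif

    /*
     * XXX If no passwd, do NOT let them login without one.
     */
    if (pw->pw_passwd == NULL || pw->pw_passwd[0] == '\0') {
        return (UPAP_AUTHNAK);
    }
#ifdef HAS_SHADOW
    /* This branch is compiled only when HAS_SHADOW is defined; with only
     * USE_SHADOW defined, the crypt() comparison below is used. */
    if ((pw->pw_passwd && pw->pw_passwd[0] == '@'
         && pw_auth (pw->pw_passwd+1, pw->pw_name, PW_LOGIN, NULL))
        || !valid (passwd, pw)) {
        return (UPAP_AUTHNAK);
    }
#else
    epasswd = crypt(passwd, pw->pw_passwd);
    /* crypt() can return NULL on failure; treat that as a failed login. */
    if (epasswd == NULL || strcmp(epasswd, pw->pw_passwd)) {
        return (UPAP_AUTHNAK);
    }
#endif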

    syslog(LOG_INFO, "user %s logged in", user);

    /*
     * Write a wtmp entry for this user.
     */
    tty = strrchr(devname, '/');
    if (tty == NULL)
        tty = devname;
    else
        tty++;
    logwtmp(tty, user, "");             /* Add wtmp login entry */
    logged_in = TRUE;

    return (UPAP_AUTHACK);
}
     _________________________________________________________________
   
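   Careful examination will reveal that we made another change as well.
   The original version allowed access (returned UPAP_AUTHACK) if there
   was no password in the /etc/passwd file. This is not good, because a
   common use of this login feature is to use one account to allow
   access to the PPP process and then check the username and password
   supplied by PAP against the username in /etc/passwd and the password
   in /etc/shadow.

   So if we had set the original version up to run as the shell for a
   user, i.e. ppp, then anyone could get a ppp connection by setting
   their PAP to user ppp and a null password.

   We fixed this as well by returning UPAP_AUTHNAK instead of
   UPAP_AUTHACK when the password field is empty.

   Interestingly enough, pppd-2.2.0 has the same problem.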
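
   The check described above, as an added example that is not part of
   the original HOWTO or of pppd. The names check_login, toy_hash,
   AUTH_ACK and AUTH_NAK are hypothetical, and toy_hash is a constructed
   stand-in for crypt(3) so the example runs without libcrypt.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_NAK 0   /* stands in for UPAP_AUTHNAK */
#define AUTH_ACK 1   /* stands in for UPAP_AUTHACK */

/* Callback shaped like crypt(3): (key, stored hash) -> hash, or NULL. */
typedef const char *(*hash_fn)(const char *key, const char *setting);

/* Constructed stand-in for crypt(3), NOT a real hash:
   two-character salt followed by the key reversed. */
static const char *toy_hash(const char *key, const char *setting)
{
    static char out[64];
    size_t n = strlen(key), i;

    if (strlen(setting) < 2 || n > sizeof(out) - 3)
        return NULL;
    memcpy(out, setting, 2);
    for (i = 0; i < n; i++)
        out[2 + i] = key[n - 1 - i];
    out[2 + n] = '\0';
    return out;
}

/* pw_field: pw->pw_passwd; sp_field: spwd->sp_pwdp, or NULL if no shadow entry. */
static int check_login(const char *pw_field, const char *sp_field,
                       const char *supplied, hash_fn hash)
{
    const char *stored = sp_field != NULL ? sp_field : pw_field;
    const char *computed;

    /* A missing or empty password field must never authenticate. */
    if (stored == NULL || stored[0] == '\0' || supplied == NULL)
        return AUTH_NAK;
    computed = hash(supplied, stored);
    if (computed == NULL)   /* hashing can fail, e.g. on a placeholder "x" */
        return AUTH_NAK;
    return strcmp(computed, stored) == 0 ? AUTH_ACK : AUTH_NAK;
}

int main(void)
{
    /* Empty field plus empty PAP password: rejected (prints 0). */
    printf("%d\n", check_login("", NULL, "", toy_hash));
    /* Shadow entry present, correct password: accepted (prints 1). */
    printf("%d\n", check_login("x", "abterces", "secret", toy_hash));
    return 0;
}
```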
   
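   Next we need to modify the Makefile so that two things happen:

   USE_SHADOW must be defined, and libshadow.a needs to be added to the
   linking process.

   Edit the Makefile and add: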
   
LIBS = -lshadow

   Then find the line:
   
COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t

   And change it to:
   
COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t -DUSE_SHADOW

   Now run make and install.
   
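9. Frequently Asked Questions

   Q: I used to control which tty's root could log in on with the file
   /etc/securettys, but it doesn't seem to work anymore. What's going
   on?

   A: The file /etc/securettys does absolutely nothing now that the
   Shadow Suite is installed.

   The tty's that root can use are now set in the login configuration
   file /etc/login.defs. The entry in that file may point to another
   file.

   Q: I installed the Shadow Suite, but now I can't log in. What did I
   miss?

   A: You probably installed the Shadow programs but didn't run pwconv,
   or you forgot to copy /etc/npasswd to /etc/passwd and /etc/nshadow to
   /etc/shadow. You may also need to copy login.defs to /etc.

   Q: The section on xlock said to change the group ownership of the
   /etc/shadow file to shadow. I don't have a shadow group. What do I
   do?

   A: You can add one. Simply edit the /etc/group file and insert a line
   for the shadow group. Make sure the group number is not used by
   another group, and insert the line before the nogroup entry. Or you
   can simply make xlock suid root.

   Q: Is there a mailing list for the Linux Shadow Password Suite?

   A: Yes, but it is for the development and testing of the next Shadow
   Suite version for Linux. You can join by mailing
   shadow-list-request@neptune.cin.net with a subject of: subscribe.
   The list discusses the Linux shadow-YYMMSS series of releases. You
   should join if you want to take part in further development, or if
   you install the Suite on your system and want information on newer
   releases.

   Q: I installed the Shadow Suite, but when I use userdel I get the
   message "userdel: cannot open shadow group file".

   A: You compiled the Shadow Suite with the SHADOWGRP option enabled,
   but you don't have an /etc/gshadow file. You need to either edit
   config.h and recompile, or create an /etc/group file. See the section
   on shadow groups.

   Q: I installed the Shadow Suite, but now I'm getting encoded
   passwords back in my /etc/passwd file. What's wrong?

   A: You either enabled the AUTOSHADOW option in the Shadow config.h
   file, or your libc was compiled with the SHADOW_COMPAT option. You
   need to determine which is the problem, and then recompile.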
   
10. Copyright Message

   The Linux Shadow Password HOWTO is Copyright (c) 1996 Michael H.
   Jackson.
   
   Permission is granted to make and distribute verbatim copies of this
   document provided the copyright notice and this permission notice are
   preserved on all copies.
   
   Permission is granted to copy and distribute modified versions of this
   document under the conditions for verbatim copies above, provided a
   notice clearly stating that the document is a modified version is also
   included in the modified document.
   
   Permission is granted to copy and distribute translations of this
   document into another language, under the conditions specified above
   for modified versions.
   
   Permission is granted to convert this document into another media
   under the conditions specified above for modified versions provided
   the requirement to acknowledge the source document is fulfilled by
   inclusion of an obvious reference to the source document in the new
   media. Where there is any doubt as to what defines 'obvious' the
   copyright owner reserves the right to decide.
   
11. Miscellaneous and Acknowledgments.

   The code examples for auth.c are taken from pppd-1.2.1d and
   ppp-2.1.0e, Copyright (c) 1993 and The Australian National University
   and Copyright (c) 1989 Carnegie Mellon University.
   
   Thanks to Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> for
   writing and maintaining the Shadow Suite for Linux, and for his review
   and comments on this document.
   
   Thanks to Ron Tidd <rtidd@tscnet.com> for his helpful review and
   testing.
   
   Thanks to everyone who has sent me feedback to help improve this
   document.
   
   Please, if you have any comments or suggestions then mail them to me.
   
   regards
   
   [30]Michael H. Jackson <mhjack@tscnet.com>

References

   1. mailto:mhjack@tscnet.com
   2. mailto:songmj@ms1.hinet.net
   3. http://sunsite.unc.edu/mdw/linux.html
   4. http://sunsite.unc.edu/linux/HOWTO/Shadow-Password-HOWTO.html
   5. mailto:mhjack@tscnet.com
   6. mailto:marekm@i17linuxb.ists.pwr.wroc.pl
   7. http://bach.cis.temple.edu/linux/linux-security/
   8. mailto:flla@stud.uni-sb.de
   9. mailto:magnus@texas.net
  10. http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-telnetd.html
  11. mailto:marekm@i17linuxb.ists.pwr.wroc.pl
  12. ftp://i17linuxb.ists.pwr.wroc.pl/pub/linux/shadow/shadow-current.tar.gz
  13. ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz
  14. ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz
  15. ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz
  16. ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz
  17. http://sunsite.unc.edu/mdw/HOWTO/Bootdisk-HOWTO.html
  18. file://localhost/tmp/zh-sgmltools.9490/Shadow-Password-HOWTO.txt.html#sec-adding
  19. ftp://sunsite.unc.edu/pub/Linux/system/Admin/accounts/adduser.shadow-1.4.tgz
  20. file://localhost/tmp/zh-sgmltools.9490/Shadow-Password-HOWTO.txt.html#sec-work
  21. http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-wu.ftpd-2.4-Update.html
  22. ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/wu-ftpd-2.4-fixed.tar.gz
  23. ftp://tscnet.com/pub/linux/network/ftp/wu-ftpd-2.4.2-beta-10.tar.gz
  24. ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/ftpd-shadow-nis.tgz
  25. ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d-1.00.4.linux.shadow.tar.gz
  26. ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d+shadow+elf.tar.gz
  27. ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screensavers/xlockmore-3.7.tgz
  28. ftp://sunsite.unc.edu/pub/Linux/X11/xutils/xdm.tar.gz
  29. ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz
  30. mailto:mhjack@tscnet.com
