pkg://Shadow-Password-HOWTO-html.tar.gz:25518/Shadow-Password-HOWTO-3.html  downloads

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312">
 <META NAME="GENERATOR" CONTENT="ZH-SGML-Tools 1.0.9">
 <TITLE>如何取得，安装，设定 shadow 密码: 取得 Shadow Suite.</TITLE>
 <LINK HREF="Shadow-Password-HOWTO-4.html" REL=next>
 <LINK HREF="Shadow-Password-HOWTO-2.html" REL=previous>
 <LINK HREF="Shadow-Password-HOWTO.html#toc3" REL=contents>
</HEAD>
<BODY>
<A HREF="Shadow-Password-HOWTO-4.html">Next</A>
<A HREF="Shadow-Password-HOWTO-2.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc3">Contents</A>
<HR>
<H2><A NAME="s3">3. 取得 Shadow Suite.</A></H2>

<H2><A NAME="ss3.1">3.1 Shadow Suite for Linux 的历史(暂不翻译)</A>
</H2>

<H2><A NAME="ss3.2">3.2 History of the Shadow Suite for Linux</A>
</H2>

<P><EM>DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS</EM>
<P>The original <EM>Shadow Suite</EM> was written by <CODE>John F. Haugh II</CODE>.
<P>There are several versions that have been used on Linux systems:
<UL>
<LI><CODE>shadow-3.3.1</CODE> is the original.</LI>
<LI><CODE>shadow-3.3.1-2</CODE> is Linux specific patch made by
<A HREF="mailto:flla@stud.uni-sb.de">Florian La Roche &lt;flla@stud.uni-sb.de></A> and contains some further
enhancements.</LI>
<LI><CODE>shadow-mk</CODE> was specifically packaged for Linux.</LI>
</UL>
<P>The <CODE>shadow-mk</CODE> package contains the <CODE>shadow-3.3.1</CODE> package
distributed by <CODE>John F. Haugh II</CODE> with the <CODE>shadow-3.3.1-2 patch</CODE> 
installed, a few fixes made by 
<A HREF="mailto:magnus@texas.net">Mohan Kokal &lt;magnus@texas.net></A>
that make installation a lot easier, a patch by <CODE>Joseph R.M. Zbiciak</CODE>
for <CODE>login1.c</CODE> (login.secure) that eliminates the -f, -h security
holes in /bin/login, and some other miscellaneous patches.
<P>The <CODE>shadow.mk</CODE> package was the <EM>previously</EM> recommended
package, but should be replaced due to a <EM>security problem</EM> with the
<CODE>login</CODE> program.
<P>There are <EM>security problems</EM> with Shadow versions 3.3.1, 3.3.1-2, 
and shadow-mk involving the <CODE>login</CODE> program.  This <CODE>login</CODE> bug 
involves not checking the length of a login name.  This causes the buffer to
overflow causing crashes or worse.  It has been rumored that this buffer
overflow can allow someone with an account on the system to use this bug and
the shared libraries to gain <EM>root</EM> access.  I won't discuss exactly 
how this is possible because there are a lot of Linux systems that are 
affected, but systems with these <EM>Shadow Suites</EM> installed, and 
most pre-ELF distributions <EM>without</EM> the <EM>Shadow Suite</EM> 
are vulnerable!
<P>For more information on this and other Linux security issues, see the 
<A HREF="http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-telnetd.html">Linux Security home page (Shared Libraries and login Program Vulnerability)</A><P>
<P>
<H2><A NAME="ss3.3">3.3 如何取得 Shadow Suite？</A>
</H2>

<P>目前建议 <EM>Shadow Suite</EM> 版本目前还是 BETA 测试版，然後，最近版本在生产环境
是安全的且没有包含易受攻击的 <CODE>签入(login)</CODE> 程式。
<P>该套件(package)使用惯例命名为：
<BLOCKQUOTE><CODE>
<PRE>
shadow-YYMMDD.tar.gz
</PRE>
</CODE></BLOCKQUOTE>

其中 <CODE>YYMMDD</CODE> 是Suite 的发行日期。
<P>目前 BETA 测试版本是 <EM>Version 3.3.3</EM> ，且由
<A HREF="mailto:marekm@i17linuxb.ists.pwr.wroc.pl">Marek Michalkiewicz  &lt;marekm@i17linuxb.ists.pwr.wroc.pl></A> 维护。
<P>还可以从该处得到：
<A HREF="ftp://i17linuxb.ists.pwr.wroc.pl/pub/linux/shadow/shadow-current.tar.gz">shadow-current.tar.gz</A>.
<P>下列网站也可以找到相关资讯：
<UL>
<LI>
<A HREF="ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz">ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz</A></LI>
<LI>
<A HREF="ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz">ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz</A></LI>
<LI>
<A HREF="ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz">ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz</A></LI>
<LI>
<A HREF="ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz">ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz</A></LI>
</UL>
<P>你应该可以获得目前最新的版本。
<P>你应该不要是用比 <CODE>shadow-960129</CODE> <EM>更旧</EM>版本，因为它们有 <CODE>签入</CODE> 
的安全问题。
<P>
<P>
<P>於参考资料方面，我用 <CODE>shadow-960129</CODE> 档进行安装介绍。
<P>如果你之前使用 <CODE>shadow-mk</CODE> ，你应该更信这个版本且重建编译。
<P>
<H2><A NAME="ss3.4">3.4 Shadow Suite包含什麽？</A>
</H2>

<P><EM>Shadow Suite</EM> 包括对下列功能之替代程式：
<P><CODE>su, login, passwd, newgrp, chfn, chsh, and id</CODE>
<P>该套件还包括新程式：
<P><CODE>chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod, groupadd,
groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv, and pwunconv</CODE>
<P>除此之外，函式库： <CODE>libshadow.a</CODE> 也包括需要存取使用者密码之写和编译程式。
<P>程式之操作手册也包含在其中。
<P>
<P>也有对签入程式的 configuration file ，它将被安装在 <CODE>/etc/login.defs</CODE> 档。
<P>
<HR>
<A HREF="Shadow-Password-HOWTO-4.html">Next</A>
<A HREF="Shadow-Password-HOWTO-2.html">Previous</A>
<A HREF="Shadow-Password-HOWTO.html#toc3">Contents</A>
</BODY>
</HTML>