howto:Linux Shadow-Password-HOWTO

Published: Tuesday, February 3, 2009
  3.1 History of the Shadow Suite for Linux (not translated for now)
  3.2 History of the Shadow Suite for Linux
  DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS
  
  The original Shadow Suite was written by John F. Haugh II.
  
  There are several versions that have been used on Linux systems:
  
  shadow-3.3.1 is the original.
  shadow-3.3.1-2 is a Linux-specific patch made by Florian La Roche and contains some further enhancements.
  shadow-mk was specifically packaged for Linux.
  The shadow-mk package contains the shadow-3.3.1 package distributed by John F. Haugh II with the shadow-3.3.1-2 patch installed, a few fixes made by Mohan Kokal that make installation a lot easier, a patch by Joseph R.M. Zbiciak for login1.c (login.secure) that eliminates the -f, -h security holes in /bin/login, and some other miscellaneous patches.
  
  The shadow.mk package was the previously recommended package, but should be replaced due to a security problem with the login program.
  
  There are security problems with Shadow versions 3.3.1, 3.3.1-2, and shadow-mk involving the login program. This login bug involves not checking the length of a login name. This causes the buffer to overflow, causing crashes or worse. It has been rumored that this buffer overflow can allow someone with an account on the system to use this bug and the shared libraries to gain root access. I won't discuss exactly how this is possible because there are a lot of Linux systems that are affected, but systems with these Shadow Suites installed, and most pre-ELF distributions without the Shadow Suite, are vulnerable!
  
  For more information on this and other Linux security issues, see the Linux Security home page (Shared Libraries and login Program Vulnerability)
  
  
  
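  3.3 Where to get the Shadow Suite?
  The currently recommended Shadow Suite is still in BETA testing; however, the latest versions are safe in a production environment and do not contain a vulnerable login program.

  The package uses the following naming convention:

  shadow-YYMMDD.tar.gz

  where YYMMDD is the issue date of the Suite.
  The current BETA version is Version 3.3.3 and is maintained by Marek Michalkiewicz.

  It can also be obtained from: shadow-current.tar.gz.

  Related information can also be found at the following sites: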
  
  FTP://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz
  ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz
  ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz
  ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz
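  You should be able to get the latest current version.

  You should NOT use a version older than shadow-960129, as those versions have the login security problem.

  For reference, I used shadow-960129 to write the installation instructions.

  If you were previously using shadow-mk, you should upgrade to this version and recompile.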
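
A check for the naming convention and the shadow-960129 cut-off described above, as an added example that is not part of the HOWTO or the Shadow Suite. The century pivot for two-digit years and the sample file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the HOWTO or the Shadow Suite.
# Assumption: two-digit years 70-99 mean 19YY, 00-69 mean 20YY.

MIN_SAFE=19960129   # shadow-960129, the oldest release the text accepts

# Print YYYYMMDD for a shadow-YYMMDD.tar.gz name; return 1 for any other name.
shadow_release_date() {
    base=${1##*/}                      # drop any directory or URL prefix
    case $base in
        shadow-[0-9][0-9][0-9][0-9][0-9][0-9].tar.gz) ;;
        *) return 1 ;;
    esac
    stamp=${base#shadow-}
    stamp=${stamp%.tar.gz}
    yy=${stamp%????}
    mm=${stamp#??}; mm=${mm%??}
    dd=${stamp#????}
    # Reject impossible months and days before comparing anything.
    case $mm in 0[1-9]|1[0-2]) ;; *) return 1 ;; esac
    case $dd in 0[1-9]|[12][0-9]|3[01]) ;; *) return 1 ;; esac
    case $yy in
        [7-9][0-9]) century=19 ;;
        *)          century=20 ;;
    esac
    printf '%s%s%s%s\n' "$century" "$yy" "$mm" "$dd"
}

# Print vulnerable, too-old, ok or unknown for a package name.
check_shadow_pkg() {
    case ${1##*/} in                   # releases the text names as affected
        shadow-3.3.1*|shadow-mk*) echo vulnerable; return 0 ;;
    esac
    if ! date8=$(shadow_release_date "$1"); then
        echo unknown                   # e.g. shadow-current.tar.gz: no date in name
        return 0
    fi
    if [ "$date8" -lt "$MIN_SAFE" ]; then
        echo too-old
    else
        echo ok
    fi
}

# Constructed sample names, not a list of real releases.
for f in shadow-960129.tar.gz shadow-951203.tar.gz shadow-current.tar.gz; do
    printf '%s: %s\n' "$f" "$(check_shadow_pkg "$f")"
done
```

An `unknown` result means the name alone proves nothing, so the release date has to be confirmed from the unpacked sources before installing.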
  
  
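  3.4 What is included with the Shadow Suite?
  The Shadow Suite contains replacement programs for:

  su, login, passwd, newgrp, chfn, chsh, and id

  The package also includes the new programs:

  chage, users, dpasswd, gpasswd, useradd, userdel, usermod, groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv, and pwunconv

  Additionally, the library libshadow.a is included for writing and compiling programs that need to access user passwords.

  Manual pages for the programs are also included.

  There is also a configuration file for the login program, which will be installed as /etc/login.defs.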