TCB_CONVERT
Section: Maintenance Commands (8)
Updated: 18 April 2003

NAME
tcb_convert, tcb_unconvert - utilities to convert to and from the tcb password shadowing scheme

SYNOPSIS
tcb_convert
tcb_unconvert

DESCRIPTION
tcb_convert converts /etc/shadow into a set of files under /etc/tcb/ (see tcb(5)). During this operation /etc/shadow is locked.

tcb_unconvert converts the files under /etc/tcb/ back into /etc/shadow. Because it is impractical to lock all of the tcb shadow files, tcb_unconvert temporarily changes the group ownership on /etc/tcb/ to group "sys" so that the passwd(1) utility will refuse to work during the conversion.

MIGRATING TO TCB
In order to migrate a system to the tcb password shadowing scheme from the traditional /etc/passwd + /etc/shadow setup, the following steps are necessary:

1. Install the tcb package as well as tcb-aware shadow-utils.

2. Create the group "auth" if it isn't present.

3. If you want processes possessing both the "shadow" and "auth" groups to have read-only access to all tcb files, add or uncomment the following line in /etc/login.defs:
   TCB_AUTH_GROUP yes

4. As root, execute tcb_convert.

5. In /etc/nsswitch.conf, find the "shadow" entry and replace the "files" method with "tcb"; the edited line should look like this:
   shadow: tcb nisplus nis

6. In the /etc/pam.d/ files, change occurrences of pam_unix.so or pam_pwdb.so (if any) to pam_tcb.so. You may wish to browse the pam_tcb(8) manual for information on additional tuning.

7. In each file under /etc/pam.d/ which has a "password" line (most notably in /etc/pam.d/passwd), add the write_to=tcb option to the instance of pam_tcb used as the password changing module. The line should look similar to this:
   password required /lib/security/pam_tcb.so shadow use_authtok write_to=tcb

8. Edit /etc/login.defs such that it contains the (uncommented) line:
   USE_TCB yes

9. Now you should remove the /etc/shadow file and its backups (if any), such as /etc/shadow-. It is important that you do so, so that processes possessing the "shadow" group don't get read access to all of your old password hashes (many of which may remain valid for quite some time).

10. As root:
    chown root:shadow /usr/bin/passwd /etc/pam.d/passwd
    chmod 2711 /usr/bin/passwd
    chmod 640 /etc/pam.d/passwd

11. Test whether everything works properly, most notably logging in to the system.
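As an added example (not part of the tcb package or this manual), a POSIX shell function that verifies the configuration state steps 5 through 9 above should leave behind, with a constructed sample tree standing in for a migrated /etc; the optional ROOT prefix and the tcb_demo_tree helper are assumptions of this example.

```shell
# Added post-migration check (example code, not part of the tcb package).
# ROOT is an optional path prefix so the check can be run against a staging
# copy of /etc; with no argument it inspects the live system. Each remaining
# problem is printed on its own line; the return value is the problem count.
tcb_migration_check() {
    root=${1:-}
    fails=0
    fail() { echo "$1"; fails=$((fails + 1)); }

    # Step 5: the "shadow" entry in nsswitch.conf must use tcb, not files
    if ! awk '$1 == "shadow:" { for (i = 2; i <= NF; i++) { if ($i == "tcb") t = 1; if ($i == "files") f = 1 } }
              END { exit !(t && !f) }' "$root/etc/nsswitch.conf" 2>/dev/null; then
        fail "nsswitch.conf: shadow entry must use tcb instead of files"
    fi
    # Step 8: an uncommented "USE_TCB yes" in login.defs
    if ! grep -Eq '^[[:space:]]*USE_TCB[[:space:]]+yes' "$root/etc/login.defs" 2>/dev/null; then
        fail "login.defs: uncommented 'USE_TCB yes' is missing"
    fi
    # Step 7: the password line of pam.d/passwd uses pam_tcb with write_to=tcb
    if ! grep -Eq '^password.*pam_tcb\.so.*write_to=tcb' "$root/etc/pam.d/passwd" 2>/dev/null; then
        fail "pam.d/passwd: password line lacks pam_tcb.so with write_to=tcb"
    fi
    # Step 6: no leftover pam_unix.so / pam_pwdb.so anywhere in pam.d
    if grep -Elq 'pam_(unix|pwdb)\.so' "$root"/etc/pam.d/* 2>/dev/null; then
        fail "pam.d: pam_unix.so or pam_pwdb.so still referenced"
    fi
    # Step 9: the old shadow file and its backup must be gone
    for f in "$root/etc/shadow" "$root/etc/shadow-"; do
        if [ -e "$f" ]; then fail "$f still present: old hashes stay readable"; fi
    done
    return "$fails"
}

# Constructed sample tree (demo only) reflecting a completed migration;
# prints the directory so the caller can run the check and remove it.
tcb_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/pam.d"
    echo "shadow: tcb nisplus nis" > "$d/etc/nsswitch.conf"
    printf 'USE_TCB yes\nTCB_AUTH_GROUP yes\n' > "$d/etc/login.defs"
    echo "password required /lib/security/pam_tcb.so shadow use_authtok write_to=tcb" \
        > "$d/etc/pam.d/passwd"
    echo "$d"
}
```

Run `tcb_migration_check` with no argument as root after step 10 to audit the live system; the file ownership and mode changes of step 10 are not covered by it.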
THE RETURN TO SHADOW
If for some reason you decide to return from tcb to the traditional password shadowing scheme, you can do so with the use of tcb_unconvert and by reverting some of the actions listed in "MIGRATING TO TCB", above.

SEE ALSO
login.defs(5), tcb(5), pam_tcb(8)