TCB_CONVERT

Section: Maintenance Commands (8)
Updated: 18 April 2003

NAME

tcb_convert, tcb_unconvert - utilities to convert to and from the tcb password shadowing scheme  

SYNOPSIS

tcb_convert
tcb_unconvert  

DESCRIPTION

tcb_convert converts /etc/shadow into a set of files under /etc/tcb/ (see tcb(5)). During this operation /etc/shadow is locked.

tcb_unconvert converts the files under /etc/tcb/ back into /etc/shadow. Because it is impractical to lock all of the tcb shadow files, tcb_unconvert temporarily changes the group ownership on /etc/tcb/ to group "sys" such that the passwd(1) utility will refuse to work during the conversion.  

MIGRATING TO TCB

In order to migrate a system to the tcb password shadowing scheme from the traditional /etc/passwd+/etc/shadow setup, the following steps are necessary:
1. Install the tcb package as well as tcb-aware shadow-utils.

2. Create the group "auth" if it isn't present.

3. If you want processes possessing both the "shadow" and "auth" groups to have read-only access to all tcb files, add or uncomment the following line in /etc/login.defs:

   TCB_AUTH_GROUP yes

4. As root, execute tcb_convert.

5. In /etc/nsswitch.conf, find the "shadow" entry and replace the "files" method with "tcb"; the edited line should look like this:

   shadow: tcb nisplus nis

6. In the files under /etc/pam.d/, change occurrences of pam_unix.so or pam_pwdb.so (if any) to pam_tcb.so. You may wish to browse the pam_tcb(8) manual for information on additional tuning.

7. In each file under /etc/pam.d/ which has a "password" line (most notably in /etc/pam.d/passwd), add the write_to=tcb option to the instance of pam_tcb used as the password changing module. The line should look similar to this:

   password required /lib/security/pam_tcb.so shadow use_authtok write_to=tcb

8. Edit /etc/login.defs such that it contains the (uncommented) line:

   USE_TCB yes

9. Now remove the /etc/shadow file and its backups (if any), such as /etc/shadow-. This matters because processes possessing the "shadow" group would otherwise keep read access to all of your old password hashes, many of which may remain valid for quite some time.

10. As root, execute:

   chown root:shadow /usr/bin/passwd /etc/pam.d/passwd
   chmod 2711 /usr/bin/passwd
   chmod 640 /etc/pam.d/passwd

11. Test that everything works properly, most notably logging in to the system.
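A post-migration check script, added here as an example and not part of the tcb package: it verifies the end state that steps 5, 7, 8, 9 and 10 above leave behind. Paths are taken relative to an assumed prefix argument so the checks can be run against a constructed test tree as well as against "/", and the mode check assumes a GNU or busybox stat that understands -c %a.

```shell
#!/bin/sh
# tcb migration checks (added example, not part of the tcb package). Every check
# reads files below a prefix ($1): "" or "/" for the live system, or a test tree.

# Step 5: the "shadow" entry in nsswitch.conf must name tcb and must no longer
# name files, otherwise lookups keep going to the removed /etc/shadow.
check_nsswitch() {
    line=$(grep -E '^[[:space:]]*shadow:' "$1/etc/nsswitch.conf" 2>/dev/null) || return 1
    echo "$line" | grep -qw tcb || return 1
    echo "$line" | grep -qw files && return 1
    return 0
}

# Step 8: USE_TCB yes must be present on an uncommented line of login.defs.
check_login_defs() {
    grep -Eq '^[[:space:]]*USE_TCB[[:space:]]+yes[[:space:]]*$' "$1/etc/login.defs" 2>/dev/null
}

# Steps 6 and 7, for one PAM service file: no pam_unix.so/pam_pwdb.so left, and
# every "password" line using pam_tcb.so carries write_to=tcb.
check_pam_file() {
    [ -r "$1" ] || return 1
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eq 'pam_(unix|pwdb)\.so' && return 1
    awk '!/^[[:space:]]*#/ && $1 == "password" && /pam_tcb\.so/ && !/write_to=tcb/ { bad = 1 }
         END { exit bad + 0 }' "$1"
}

# Step 9: the old hash store and its backup must be gone.
check_shadow_removed() {
    [ ! -e "$1/etc/shadow" ] && [ ! -e "$1/etc/shadow-" ]
}

# Step 10: octal mode of a file must equal the expected value (GNU/busybox stat).
check_mode() {
    [ "$(stat -c %a "$1" 2>/dev/null)" = "$2" ]
}

# Run all checks below prefix $1; print one PASS/FAIL line each, return 1 on any failure.
verify_tcb_migration() {
    root=${1:-}
    rc=0
    for c in "check_nsswitch $root" "check_login_defs $root" \
             "check_shadow_removed $root" \
             "check_pam_file $root/etc/pam.d/passwd" \
             "check_mode $root/usr/bin/passwd 2711" \
             "check_mode $root/etc/pam.d/passwd 640"; do
        if $c; then echo "PASS: $c"; else echo "FAIL: $c"; rc=1; fi
    done
    return $rc
}
```

The ownership part of step 10 (root:shadow) is not checked here because it cannot be reproduced in an unprivileged test tree.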

THE RETURN TO SHADOW

If for some reason you decide to return from tcb to the traditional password shadowing scheme, you can do so with the use of tcb_unconvert and by reverting some of the actions listed in "MIGRATING TO TCB", above.  

SEE ALSO

login.defs(5), tcb(5), pam_tcb(8)
