set_tcb(8)set_tcb wrapper set_tcb(8)NAMEset_tcb - Wrapper script to convert between shadow and tcb passwords
OVERVIEW
The tcb package is an alternative to the traditional shadow password
scheme, developed by the Openwall Project. It provides the tools
tcb_convert(8) and tcb_unconvert(8) which converts the actual password
files between the /etc/shadow format and the /etc/tcb format. These
tools do not change other required files, such as PAM files,
login.defs, or nsswitch.conf(5). set_tcb(8) makes those changes as
well as calling the required tcb conversion tool.
COMMANDSset_tcb comes with some very basic options:
--tcb Converts from shadow passwords to tcb passwords, by modifying
/etc/login.defs, /etc/nsswitch.conf, and /etc/pam.d/system-auth.
--shadow
Converts from tcb passwords to shadow passwords, by modifying
/etc/login.defs, /etc/nsswitch.conf, and /etc/pam.d/system-auth.
--hash Configures the system to use the specified password hash.
Available choices are 'md5', /etc/login.defs and /etc/pam.d/sys‐
tem-auth. set_tcb does not support using DES crypt passwords.
--migrate
Configures the system to use pam_tcb instead of pam_unix.
Although pam_tcb operates well enough when called as pam_unix, a
number of features are not supported until they are specified in
/etc/pam.d/system-auth, such as selection of password hash.
This option will replace calls to pam_unix with calls to pam_tcb
and add the supported options. It will also enable blowfish
passwords by default. Finally, it will add TCB/CRYPT-related
keywords to /etc/login.defs if required and comment out the
PASS_MIN_LEN option which TCB does not use/understand.
--revert
In the unlikely event you wish to revert from using pam_tcb to
the original pam_unix, you can do so with this switch. It will
replace all calls to pam_tcb with original options to pam_unix.
As a result, you will be unable to use alternate password hashes
such as blowfish because pam_unix does not understand them,
although it will authenticate against alternate password hashes.
New passwords will be in the traditional md5 format. It will
also uncomment the PASS_MIN_LEN option and comment the USE_TCB
option.
--nis Configures /etc/pam.d/system-auth to support authentication
against NIS. Because NIS passwords are not shadow passwords
(functionally equivalent to using /etc/passwd rather than
/etc/shadow to store passwords), pam_tcb must be told to also
look at passwd as a source of passwords instead of just shadow
(or tcb). If you are using NIS+ you may also have to manually
modifiy system-auth and add the "nisplus" option (see pam_tcb(8)
for more details).
When set_tcb converts a password type, it will automatically remove the
old password format. For instance, when converting to tcb, it will
remove /etc/shadow upon successful completion.
EXIT STATUSset_tcb exits with exit status 1 on any failures. No files are
replaced on failure. set_tcb exits with exit status 0 on successful
conversion.
SEE ALSOpam_tcb(8), tcb_convert(8), tcb_unconvert(8), nsswitch.conf(5),
crypt(3)AUTHORS
The set_tcb script was written by Vincent Danen <vdanen@annvix.org> for
Annvix (http://annvix.org/).
The tcb suite is developed by the Openwall Project (http://www.open‐
wall.com/tcb/)
set_tcbset_tcb(8)
