tcb_unconvert man page on OpenMandriva

TCB_CONVERT(8)							TCB_CONVERT(8)

NAME
       tcb_convert, tcb_unconvert - utilities to convert to and from the tcb
       password shadowing scheme

SYNOPSIS
       tcb_convert
       tcb_unconvert

DESCRIPTION
       tcb_convert converts /etc/shadow into a set of  files  under  /etc/tcb/
       (see tcb(5)).  During this operation /etc/shadow is locked.

       tcb_unconvert converts the files under /etc/tcb/ back into /etc/shadow.
       Because it is  impractical  to  lock  all  of  the  tcb	shadow	files,
       tcb_unconvert  temporarily  changes the group ownership on /etc/tcb/ to
       group "sys" such that the passwd(1) utility will refuse to work	during
       the conversion.

MIGRATING TO TCB
       In  order to migrate a system to the tcb password shadowing scheme from
       the traditional /etc/passwd+/etc/shadow setup, the following steps  are
       necessary:

       1.     Install the tcb package as well as tcb-aware shadow-utils.

       2.     Create the group "auth" if it isn't present.

       3.     If you want processes possessing both "shadow" and "auth" groups
	      to have read-only access to all tcb files, add or uncomment  the
	      following line in /etc/login.defs:

	      TCB_AUTH_GROUP yes

       4.     As root, execute tcb_convert.

       5.     In  /etc/nsswitch.conf,  find the "shadow" entry and replace the
	      "files" method with "tcb"; the  edited  line  should  look  like
	      this:

	      shadow: tcb nisplus nis

       6.     In  /etc/pam.d/  files,  change  occurrences  of	pam_unix.so or
	      pam_pwdb.so (if any) to pam_tcb.so.  You may wish to browse  the
	      pam_tcb(8) manual for information on additional tuning.

       7.     In each file under /etc/pam.d/ which has a "password" line (most
	      notably in /etc/pam.d/passwd) add the write_to=tcb option to the
	      instance	of  pam_tcb used as the password changing module.  The
	      line should look similar to this:

	      password required /lib/security/pam_tcb.so shadow use_authtok write_to=tcb

       8.     Edit  /etc/login.defs  such  that	 it contains the (uncommented)
	      line:

	      USE_TCB yes

       9.     Now you should remove the /etc/shadow file and its  backups  (if
	      any), such as /etc/shadow-.  It is important that you do so such
	      that processes possessing the  "shadow"  group  don't  get  read
	      access  to  all  of  your old password hashes (many of which may
	      remain valid for quite some time).

       10.    As root,

	      chown root:shadow /usr/bin/passwd /etc/pam.d/passwd
	      chmod 2711 /usr/bin/passwd
	      chmod 640 /etc/pam.d/passwd

       11.    Test if everything works properly, most notably  logging	in  to
	      the system.
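
       The configuration state that steps 5 to 9 should leave behind can be
       checked with a script. The following is an added example, not part of
       the tcb distribution or of the original man page; the function name
       tcb_audit and its optional ROOT prefix argument are assumptions made
       for illustration. It does not check the ownership and modes set in
       step 10.

```shell
#!/bin/sh
# Added example: audit a finished tcb migration (steps 5-9 of this page).
# tcb_audit and its optional ROOT prefix are hypothetical, not part of tcb.
# Plain POSIX sh: root, fail, ns and f are global variables.
tcb_audit() {
    root="${1%/}"; fail=0
    finding() { echo "FINDING: $*"; fail=1; }

    # Step 5: the "shadow" entry in nsswitch.conf lists tcb and no longer files.
    ns="$root/etc/nsswitch.conf"
    grep -Eq '^[[:space:]]*shadow:(.*[[:space:]])?tcb([[:space:]]|$)' "$ns" 2>/dev/null ||
        finding "$ns: shadow entry does not use tcb"
    grep -Eq '^[[:space:]]*shadow:(.*[[:space:]])?files([[:space:]]|$)' "$ns" 2>/dev/null &&
        finding "$ns: shadow entry still lists files"

    # Step 8: login.defs contains an uncommented "USE_TCB yes".
    grep -Eq '^[[:space:]]*USE_TCB[[:space:]]+yes([[:space:]]|$)' "$root/etc/login.defs" 2>/dev/null ||
        finding "$root/etc/login.defs: USE_TCB yes is missing or commented out"

    for f in "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        # Step 6: no active line may still load pam_unix.so or pam_pwdb.so.
        grep -Eq '^[^#]*pam_(unix|pwdb)\.so' "$f" &&
            finding "$f: still references pam_unix.so or pam_pwdb.so"
        # Step 7: every "password" line using pam_tcb carries write_to=tcb.
        grep -E '^[[:space:]]*password[[:space:]].*pam_tcb' "$f" |
            grep -Evq '(^|[[:space:]])write_to=tcb([[:space:]]|$)' &&
            finding "$f: password line for pam_tcb lacks write_to=tcb"
    done

    # Step 9: old hash files readable by group "shadow" must be gone.
    for f in "$root/etc/shadow" "$root/etc/shadow-"; do
        [ -e "$f" ] && finding "$f: leftover shadow file with old hashes"
    done
    return "$fail"
}
```

       Called as root with no argument, tcb_audit inspects the live /etc; a
       non-zero return means at least one of the steps is incomplete.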

THE RETURN TO SHADOW
       If  for	some  reason  you decide to return from tcb to the traditional
       password shadowing scheme, you can do so with the use of	 tcb_unconvert
       and  by	reverting  some	 of  the actions listed in "MIGRATING TO TCB",
       above.

SEE ALSO
       login.defs(5), tcb(5), pam_tcb(8)

Openwall Project		 18 April 2003			TCB_CONVERT(8)