{"id":3290,"date":"2022-12-20T17:02:15","date_gmt":"2022-12-20T20:02:15","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/tcb_convert-man8\/"},"modified":"2022-12-20T17:02:15","modified_gmt":"2022-12-20T20:02:15","slug":"tcb_convert-man8","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/tcb_convert-man8\/","title":{"rendered":"TCB_CONVERT (man8)"},"content":{"rendered":"

TCB_CONVERT<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
MIGRATING TO TCB<\/a>
THE RETURN TO SHADOW<\/a>
SEE ALSO<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

tcb_convert<\/b>, tcb_unconvert<\/b> \u2212 utilities to convert to and from the tcb password shadowing scheme<\/p>\n

SYNOPSIS <\/a> <\/h2>\n

tcb_convert
tcb_unconvert<\/b><\/p>\n

DESCRIPTION <\/a> <\/h2>\n

tcb_convert<\/b> converts \/etc\/shadow<\/i> into a set of files under \/etc\/tcb\/<\/i> (see tcb<\/b>(5)). During this operation \/etc\/shadow<\/i> is locked.<\/p>\n

tcb_unconvert<\/b> converts the files under \/etc\/tcb\/<\/i> back into \/etc\/shadow<\/i>. Because it is impractical to lock all of the tcb shadow files, tcb_unconvert<\/b> temporarily changes the group ownership on \/etc\/tcb\/<\/i> to group “sys” such that the passwd<\/b>(1) utility will refuse to work during the conversion.<\/p>\n

MIGRATING TO TCB <\/a> <\/h2>\n

In order to migrate a system to the tcb password shadowing scheme from the traditional \/etc\/passwd<\/i>+\/etc\/shadow<\/i> setup, the following steps are necessary:<\/p>\n\n\n\n\n
<\/td>\n\n

1.<\/p>\n<\/td>\n

<\/td>\n\n

Install the tcb package as well as tcb-aware shadow-utils.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

2.<\/p>\n<\/td>\n

<\/td>\n\n

Create the group “auth” if it isn\u2019t present.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

3.<\/p>\n<\/td>\n

<\/td>\n\n

If you want processes possessing both “shadow” and “auth” groups to have read-only access to all tcb files, add or uncomment the following line in \/etc\/login.defs<\/i>:<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

TCB_AUTH_GROUP yes<\/p>\n\n\n\n
<\/td>\n\n

4.<\/p>\n<\/td>\n

<\/td>\n\n

As root, execute tcb_convert<\/b>.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

5.<\/p>\n<\/td>\n

<\/td>\n\n

In \/etc\/nsswitch.conf<\/i>, find the “shadow” entry and replace the “files” method with “tcb”; the edited line should look like this:<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

shadow: tcb nisplus nis<\/p>\n\n\n\n
<\/td>\n\n

6.<\/p>\n<\/td>\n

<\/td>\n\n

In \/etc\/pam.d\/<\/i> files, change occurrences of pam_unix.so<\/b> or pam_pwdb.so<\/b> (if any) to pam_tcb.so<\/b>. You may wish to browse the pam_tcb<\/b>(8) manual for information on additional tuning.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

7.<\/p>\n<\/td>\n

<\/td>\n\n

In each file under \/etc\/pam.d\/<\/i> which has a “password” line (most notably in \/etc\/pam.d\/passwd<\/i>) add the write_to<\/b>=tcb option to the instance of pam_tcb<\/b> used as the password changing module. The line should look similar to this:<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

password required \/lib\/security\/pam_tcb.so shadow use_authtok write_to=tcb<\/p>\n\n\n
<\/td>\n\n

8.<\/p>\n<\/td>\n

<\/td>\n\n

Edit \/etc\/login.defs<\/i> such that it contains the (uncommented) line:<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

USE_TCB yes<\/p>\n\n\n\n
<\/td>\n\n

9.<\/p>\n<\/td>\n

<\/td>\n\n

Now you should remove the \/etc\/shadow<\/i> file and its backups (if any), such as \/etc\/shadow-<\/i>. It is important that you do so such that processes possessing the “shadow” group don\u2019t get read access to all of your old password hashes (many of which may remain valid for quite some time).<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

10.<\/p>\n<\/td>\n

<\/td>\n\n

As root,<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

chown root:shadow \/usr\/bin\/passwd \/etc\/pam.d\/passwd
chmod 2711 \/usr\/bin\/passwd
chmod 640 \/etc\/pam.d\/passwd<\/p>\n\n\n
<\/td>\n\n

11.<\/p>\n<\/td>\n

<\/td>\n\n

Test if everything works properly, most notably logging in to the system.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

THE RETURN TO SHADOW <\/a> <\/h2>\n

If for some reason you decide to return from tcb to the traditional password shadowing scheme, you can do so with the use of tcb_unconvert<\/b> and by reverting some of the actions listed in “MIGRATING TO TCB”, above.<\/p>\n

SEE ALSO <\/a> <\/h2>\n

login.defs<\/b>(5), tcb<\/b>(5), pam_tcb<\/b>(8)<\/p>\n

\n","protected":false},"excerpt":{"rendered":"

tcb_convert, tcb_unconvert \u2212 utilities to convert to and from the tcb password shadowing scheme <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,4,423],"class_list":["post-3290","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-man8","tag-tcb_convert"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3290","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3290"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3290\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3290"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}