TCB_CONVERT(8)

NAME
tcb_convert, tcb_unconvert - utilities to convert to and from the tcb
password shadowing scheme
SYNOPSIS
tcb_convert
tcb_unconvert
DESCRIPTION
tcb_convert converts /etc/shadow into a set of files under /etc/tcb/
(see tcb(5)). During this operation /etc/shadow is locked.
tcb_unconvert converts the files under /etc/tcb/ back into /etc/shadow.
Because it is impractical to lock all of the tcb shadow files,
tcb_unconvert instead temporarily changes the group ownership of
/etc/tcb/ to group "sys", so that the passwd(1) utility refuses to work
for the duration of the conversion.
MIGRATING TO TCB
In order to migrate a system to the tcb password shadowing scheme from
the traditional /etc/passwd+/etc/shadow setup, the following steps are
necessary:
1. Install the tcb package as well as tcb-aware shadow-utils.
2. Create the group "auth" if it isn't present.
3. If you want processes possessing both "shadow" and "auth" groups
to have read-only access to all tcb files, add or uncomment the
following line in /etc/login.defs:
TCB_AUTH_GROUP yes
4. As root, execute tcb_convert.
5. In /etc/nsswitch.conf, find the "shadow" entry and replace the
"files" method with "tcb"; the edited line should look like
this:
shadow: tcb nisplus nis
6. In /etc/pam.d/ files, change occurrences of pam_unix.so or
pam_pwdb.so (if any) to pam_tcb.so. You may wish to browse the
pam_tcb(8) manual for information on additional tuning.
7. In each file under /etc/pam.d/ which has a "password" line (most
notably in /etc/pam.d/passwd) add the write_to=tcb option to the
instance of pam_tcb used as the password changing module. The
line should look similar to this:
password required /lib/security/pam_tcb.so shadow use_authtok write_to=tcb
8. Edit /etc/login.defs such that it contains the (uncommented)
line:
USE_TCB yes
9. Now remove the /etc/shadow file and its backups (if any), such as
/etc/shadow-. This matters: as long as a copy remains, every process
possessing the "shadow" group keeps read access to all of your old
password hashes, and most of those hashes stay valid until the user
next changes their password.
10. As root, make passwd setgid "shadow" (after the chmod below it is
no longer setuid root) and restrict /etc/pam.d/passwd to root and the
"shadow" group:
chown root:shadow /usr/bin/passwd /etc/pam.d/passwd
chmod 2711 /usr/bin/passwd
chmod 640 /etc/pam.d/passwd
11. Test if everything works properly, most notably logging in to
the system.
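The configuration edits of the steps above, collected into one script so they can be rehearsed on a copy of /etc and checked before the live system is touched. This is an added example and is not part of the tcb package or of Openwall's shadow-utils: the ETC_ROOT variable, the function names and the verify_config checks are this example's own devices, and it assumes the PAM modules live in /lib/security (as in the step 7 line above) and that each file under pam.d uses pam_tcb.so on at most one "password" line. The root-only steps (group creation, tcb_convert, removal of the old shadow file, ownership and mode of passwd) are kept separate in privileged_steps and only ever act on the real /etc.

```shell
#!/bin/sh
# Added example for the tcb_convert(8) page; not part of the tcb package.
# Scripts steps 3, 5, 6, 7 and 8 of "MIGRATING TO TCB" against the
# directory named by ETC_ROOT (default /etc) so they can be rehearsed on a
# copy of /etc first and checked with verify_config.
# Assumptions: PAM modules live in /lib/security as in the man page's
# example line, and each pam.d file has at most one "password" line that
# uses pam_tcb.so (the one that changes passwords).
set -eu

ETC_ROOT="${ETC_ROOT:-/etc}"

# Rewrite $1 in place through a sed program, keeping its owner and mode.
sed_in_place() {
    file="$1"; shift
    tmp=$(mktemp)
    sed "$@" "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Steps 3 and 8: force "KEY value" in login.defs whether the key is absent,
# commented out, or set to another value. Only "KEY value" lines are
# rewritten; comments that merely mention the key in prose are kept.
set_login_def() {
    key="$1"; value="$2"; file="$ETC_ROOT/login.defs"
    pat="^[[:space:]]*#?[[:space:]]*$key[[:space:]]+[^[:space:]]+[[:space:]]*\$"
    if grep -Eq "$pat" "$file"; then
        sed_in_place "$file" -E "s|$pat|$key $value|"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Step 5: replace the "files" method with "tcb" on the shadow line of
# nsswitch.conf; other methods on that line (nis, nisplus) are kept.
set_nsswitch_shadow() {
    sed_in_place "$ETC_ROOT/nsswitch.conf" -E \
        '/^shadow:/s/([[:space:]])files([[:space:]]|$)/\1tcb\2/'
}

# Steps 6 and 7: in every file under pam.d, switch pam_unix.so and
# pam_pwdb.so to pam_tcb.so, then append write_to=tcb to each "password"
# line that uses pam_tcb.so and has no write_to= option yet.
convert_pam_files() {
    for f in "$ETC_ROOT"/pam.d/*; do
        [ -f "$f" ] || continue
        sed_in_place "$f" -E \
            -e 's/pam_(unix|pwdb)\.so/pam_tcb.so/g' \
            -e '/^[[:space:]]*password[[:space:]].*pam_tcb\.so/{/write_to=/!s/[[:space:]]*$/ write_to=tcb/;}'
    done
}

# Steps 3, 5, 6, 7 and 8 in order; pass "auth" as $1 to also enable
# TCB_AUTH_GROUP (step 3 is optional in the man page).
migrate_config() {
    if [ "${1:-}" = "auth" ]; then set_login_def TCB_AUTH_GROUP yes; fi
    set_nsswitch_shadow
    convert_pam_files
    set_login_def USE_TCB yes
}

# Returns 0 only if every setting a tcb login path depends on is in place
# and the old shadow file (step 9) is gone; prints whatever is missing.
verify_config() {
    status=0
    grep -Eq '^USE_TCB[[:space:]]+yes' "$ETC_ROOT/login.defs" \
        || { echo "login.defs: USE_TCB yes missing"; status=1; }
    grep -Eq '^shadow:.*[[:space:]]tcb([[:space:]]|$)' "$ETC_ROOT/nsswitch.conf" \
        || { echo "nsswitch.conf: shadow line does not use tcb"; status=1; }
    if grep -Elq 'pam_(unix|pwdb)\.so' "$ETC_ROOT"/pam.d/* 2>/dev/null; then
        echo "pam.d: pam_unix.so or pam_pwdb.so still referenced"; status=1
    fi
    grep -Eq '^[[:space:]]*password.*pam_tcb\.so.*write_to=tcb' "$ETC_ROOT/pam.d/passwd" \
        || { echo "pam.d/passwd: no pam_tcb password line with write_to=tcb"; status=1; }
    if [ -e "$ETC_ROOT/shadow" ]; then
        echo "shadow: old file still present; its hashes stay readable to group shadow"; status=1
    fi
    return $status
}

# Steps 2, 4, 9 and 10 on the live system: run as root after the tcb
# package and tcb-aware shadow-utils are installed (step 1). After the
# chmod 2711, passwd is setgid "shadow" and no longer setuid root.
privileged_steps() {
    [ "$(id -u)" -eq 0 ] || { echo "privileged_steps: run as root" >&2; return 1; }
    getent group auth >/dev/null || groupadd auth
    tcb_convert
    rm -f /etc/shadow /etc/shadow-
    chown root:shadow /usr/bin/passwd /etc/pam.d/passwd
    chmod 2711 /usr/bin/passwd
    chmod 640 /etc/pam.d/passwd
}
```

A dry run is `cp -a /etc /tmp/etc-copy`, then source the script with ETC_ROOT=/tmp/etc-copy and call migrate_config auth followed by verify_config; verify_config will still complain about the copied shadow file, which is exactly the step 9 reminder. Only once the diff against the copy looks right is the script sourced with ETC_ROOT unset, migrate_config rerun on the real /etc, and privileged_steps run as root, followed by the step 11 login test.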
THE RETURN TO SHADOW
If for some reason you decide to return from tcb to the traditional
password shadowing scheme, you can do so with the use of tcb_unconvert
and by reverting some of the actions listed in "MIGRATING TO TCB",
above.
SEE ALSO
login.defs(5), tcb(5), pam_tcb(8)

Openwall Project                18 April 2003                 TCB_CONVERT(8)