Shadow-&shadow-version;

Introduction to Shadow

Shadow was already installed in LFS and there is no reason to reinstall it unless you installed Linux-PAM. If you did, reinstalling will allow programs like login and su to utilize PAM.

Package Information

Download (HTTP):
Download (FTP):
Download MD5 sum: &shadow-md5sum;
Download size: &shadow-size;
Estimated disk space required: &shadow-buildsize;
Estimated build time: &shadow-time;

Additional Downloads

Patch to fix several invalid warning messages when used with Linux_PAM:

Shadow Dependencies

Required

Installation of Shadow

Reinstall Shadow by running the following commands:

patch -Np1 -i ../shadow-&shadow-version;-Linux_PAM_fixes-1.patch &&
./configure --libdir=/lib --enable-shared \
    --with-libpam --without-libcrack &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
sed -i '/groups/d' man/Makefile &&
make

Now, as the root user:

make install &&
mv -v /usr/bin/passwd /bin &&
mv -v /lib/libshadow.*a /usr/lib &&
rm -v /lib/libshadow.so &&
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so

Command Explanations

--without-libcrack: This switch tells Shadow not to use libcrack. This is desired as Linux-PAM already contains libcrack.

sed -i ...: These commands are used to suppress the installation of the groups program, as the version from the Coreutils package installed during LFS is preferred.

Configuring Linux-PAM to Work with Shadow

Config Files

/etc/pam.d/*, or alternatively, /etc/pam.conf

Configuration Information

Add the following Linux-PAM configuration files to /etc/pam.d/ (or add them to /etc/pam.conf with the additional field for the program).
'login' (with Cracklib)

cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login
auth      requisite pam_securetty.so
auth      requisite pam_nologin.so
auth      required  pam_env.so
auth      required  pam_unix.so
account   required  pam_access.so
account   required  pam_unix.so
session   required  pam_motd.so
session   required  pam_limits.so
session   optional  pam_mail.so dir=/var/mail standard
session   optional  pam_lastlog.so
session   required  pam_unix.so
password  required  pam_cracklib.so retry=3 difok=8 minlen=5 \
                    dcredit=3 ocredit=3 \
                    ucredit=2 lcredit=2
password  required  pam_unix.so md5 shadow use_authtok
# End /etc/pam.d/login
EOF

'login' (without Cracklib)

cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login
auth      requisite pam_securetty.so
auth      requisite pam_nologin.so
auth      required  pam_env.so
auth      required  pam_unix.so
account   required  pam_access.so
account   required  pam_unix.so
session   required  pam_motd.so
session   required  pam_limits.so
session   optional  pam_mail.so dir=/var/mail standard
session   optional  pam_lastlog.so
session   required  pam_unix.so
password  required  pam_unix.so md5 shadow
# End /etc/pam.d/login
EOF

'passwd' (with Cracklib)

cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password  required  pam_cracklib.so retry=3 difok=8 minlen=5 \
                    dcredit=3 ocredit=3 \
                    ucredit=2 lcredit=2
password  required  pam_unix.so md5 shadow use_authtok
# End /etc/pam.d/passwd
EOF

'passwd' (without Cracklib)

cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password  required  pam_unix.so md5 shadow
# End /etc/pam.d/passwd
EOF

'su'

cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su
auth      sufficient pam_rootok.so
auth      required   pam_unix.so
account   required   pam_unix.so
session   optional   pam_mail.so dir=/var/mail standard
session   required   pam_unix.so
# End /etc/pam.d/su
EOF

'chage'

cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage
auth      sufficient pam_rootok.so
auth      required   pam_unix.so
account   required   pam_unix.so
session   required   pam_unix.so
password  required   pam_permit.so
# End /etc/pam.d/chage
EOF

'chpasswd', 'newusers', 'groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', and 'usermod'

for PROGRAM in chpasswd newusers groupadd groupdel \
               groupmod useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
    sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done

At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. If you cannot find and fix the error, you should recompile Shadow replacing with in the above instructions. If you fail to do this and the errors remain, you will be unable to log into your system.

Other

Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required:

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other
auth      required  pam_deny.so
auth      required  pam_warn.so
account   required  pam_deny.so
session   required  pam_deny.so
password  required  pam_deny.so
password  required  pam_warn.so
# End /etc/pam.d/other
EOF

Configuring Login Access

Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:

if [ -f /etc/login.access ]; then mv -v /etc/login.access /etc/login.access.NOUSE; fi

Configuring Resource Limits

Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the pam_limits.so module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command:

if [ -f /etc/limits ]; then mv -v /etc/limits /etc/limits.NOUSE; fi

Configuring /etc/login.defs

The login program currently performs many functions which Linux-PAM modules should now handle. The following command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions:

for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
                PORTTIME_CHECKS_ENAB CONSOLE \
                MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
                SU_WHEEL_ONLY MD5_CRYPT_ENAB \
                CONSOLE_GROUPS ENVIRON_FILE \
                ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
                ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE
do
    sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
done

If you have cracklib installed, also comment out four more lines using the following command:

for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
                PASS_CHANGE_TRIES PASS_ALWAYS_WARN
do
    sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
done

Contents

A list of the installed files, along with their short descriptions, can be found at .