%general-entities; ]> $LastChangedBy$ $Date$ Shadow Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed Linux-PAM. If you did install Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM. Package Information Download (HTTP): Download (FTP): Download MD5 sum: &shadow-md5sum; Download size: &shadow-size; Estimated disk space required: &shadow-buildsize; Estimated build time: &shadow-time; Additional Downloads Required patch: Shadow Dependencies Required Reinstall Shadow by running the following commands: patch -Np1 -i ../shadow-&shadow-version;-configure_fix-1.patch && ./configure --libdir=/lib --enable-shared \ --with-libpam --without-libcrack && sed -i 's/groups$(EXEEXT) //' src/Makefile && find man -name Makefile -exec sed -i '/groups/d' && make This package does not come with a test suite. Now, as the root user: make install && mv -v /usr/bin/passwd /bin && mv -v /lib/libshadow.*a /usr/lib && rm -v /lib/libshadow.so && ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so --without-libcrack: This switch tells Shadow not to use libcrack. This is desired as Linux-PAM will provide libcrack functionality. sed -i ...: These commands are used to suppress the installation of the groups program and man pages as the version from the Coreutils package installed during LFS is preferred. /etc/pam.d/* or alternatively /etc/pam.conf, /etc/login.defs and /etc/security/* /etc/pam.d/* /etc/pam.conf /etc/login.defs /etc/security/* The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents). Issue the following commands as the root user: /etc/login.defs install -v -m644 /etc/login.defs /etc/login.defs.orig && for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \ PORTTIME_CHECKS_ENAB CONSOLE \ MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \ SU_WHEEL_ONLY MD5_CRYPT_ENAB \ CONSOLE_GROUPS ENVIRON_FILE \ ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \ ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \ CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE do sed -i "s/^$FUNCTION/# &/" /etc/login.defs done If you have CrackLib installed, also comment out four more lines using the following command as the root user: for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \ PASS_CHANGE_TRIES PASS_ALWAYS_WARN do sed -i "s/^$FUNCTION/# &/" /etc/login.defs done Add the following Linux-PAM configuration files to /etc/pam.d/ (or add them to /etc/pam.conf with the additional field for the program). Issue the commands as the root user: cat > /etc/pam.d/login << "EOF" # Begin /etc/pam.d/login auth requisite pam_securetty.so auth requisite pam_nologin.so auth required pam_unix.so account required pam_access.so account required pam_unix.so session required pam_env.so session required pam_motd.so session required pam_limits.so session optional pam_mail.so dir=/var/mail standard session optional pam_lastlog.so session required pam_unix.so password required pam_cracklib.so retry=3 difok=8 minlen=5 \ dcredit=3 ocredit=3 \ ucredit=2 lcredit=2 password required pam_unix.so md5 shadow use_authtok # End /etc/pam.d/login EOF cat > /etc/pam.d/login << "EOF" # Begin /etc/pam.d/login auth requisite pam_securetty.so auth requisite pam_nologin.so auth required pam_env.so auth required pam_unix.so account required pam_access.so account required pam_unix.so session required pam_motd.so session required pam_limits.so session optional pam_mail.so dir=/var/mail standard session optional pam_lastlog.so session required pam_unix.so password required pam_unix.so md5 shadow # End /etc/pam.d/login EOF cat > /etc/pam.d/passwd << "EOF" # Begin /etc/pam.d/passwd password required pam_cracklib.so retry=3 difok=8 minlen=5 \ dcredit=3 ocredit=3 \ ucredit=2 lcredit=2 password required pam_unix.so md5 shadow use_authtok # End /etc/pam.d/passwd EOF cat > /etc/pam.d/passwd << "EOF" # Begin /etc/pam.d/passwd password required pam_unix.so md5 shadow # End /etc/pam.d/passwd EOF cat > /etc/pam.d/su << "EOF" # Begin /etc/pam.d/su auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session optional pam_mail.so dir=/var/mail standard session required pam_env.so session required pam_unix.so # End /etc/pam.d/su EOF cat > /etc/pam.d/chage << "EOF" # Begin /etc/pam.d/chage auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session required pam_unix.so password required pam_permit.so # End /etc/pam.d/chage EOF for PROGRAM in chpasswd newusers groupadd groupdel \ groupmod useradd userdel usermod do install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM sed -i "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM done At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. If you cannot find and fix the error, you should recompile Shadow replacing --with-libpam with --without-libpam in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system. Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required: cat > /etc/pam.d/other << "EOF" # Begin /etc/pam.d/other auth required pam_deny.so auth required pam_warn.so account required pam_deny.so session required pam_deny.so password required pam_deny.so password required pam_warn.so # End /etc/pam.d/other EOF Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command: /etc/security/access.conf if [ -f /etc/login.access ]; then mv -v /etc/login.access /etc/login.access.NOUSE fi Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the pam_limits.so module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command: /etc/security/limits.conf if [ -f /etc/limits ]; then mv -v /etc/limits /etc/limits.NOUSE fi During previous configuration, several items were removed from /etc/login.defs. Some of these items are now controlled by the pam_env.so module and the /etc/security/pam_env.conf configuration file. In particular, the default path has been changed. To recover your default path, execute the following commands: ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \ awk '{ print $2 }' | sed 's/PATH=//'` && echo 'PATH DEFAULT='`echo "${ENV_PATH}"`\ ' OVERRIDE=${PATH}' \ >> /etc/security/pam_env.conf && unset ENV_PATH ENV_SUPATH is no longer supported. You must create a valid /root/.bashrc file to provide a modified path for the super-user. A list of the installed files, along with their short descriptions can be found at .