Shadow-&shadow-version;

Introduction to <application>Shadow</application>

Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed Linux-PAM. If you did, this will allow programs like login and su to utilize PAM.

Additional downloads

Patch to fix linking against PAM:

<application>Shadow</application> dependencies

Required

Installation of <application>Shadow</application>

Reinstall Shadow by running the following commands:

patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &&
LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
    --enable-shared --with-libpam --without-libcrack &&
echo '#define HAVE_SETLOCALE 1' >> config.h &&
sed -i '/extern char/d' libmisc/xmalloc.c &&
make &&
make install &&
mv /bin/sg /usr/bin &&
mv /bin/vigr /usr/sbin &&
mv /usr/bin/passwd /bin &&
rm /bin/groups &&
mv /usr/lib/lib{misc,shadow}.so.0* /lib &&
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so

Command explanations

--without-libcrack: This switch tells Shadow not to use libcrack. This is desired as Linux-PAM already contains libcrack.

sed -i '/extern char/d' libmisc/xmalloc.c: This fixes a compilation problem when using GCC-3.4.x.

Configuring <application>Linux-<acronym>PAM</acronym></application> to work with <application>Shadow</application>

Config files

/etc/pam.d/login, /etc/pam.d/passwd, /etc/pam.d/su, /etc/pam.d/shadow, /etc/pam.d/useradd, and /etc/pam.d/chage – alternatively, /etc/pam.conf

Configuration Information

Add the following Linux-PAM configuration files to /etc/pam.d/ (or add them to /etc/pam.conf with the additional field for the program).
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login
auth      requisite  pam_securetty.so
auth      requisite  pam_nologin.so
auth      required   pam_env.so
auth      required   pam_unix.so
account   required   pam_access.so
account   required   pam_unix.so
session   required   pam_motd.so
session   required   pam_limits.so
session   optional   pam_mail.so      dir=/var/mail standard
session   optional   pam_lastlog.so
session   required   pam_unix.so
# End /etc/pam.d/login
EOF

cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password  required   pam_unix.so      md5 shadow
# End /etc/pam.d/passwd
EOF

cat > /etc/pam.d/shadow << "EOF"
# Begin /etc/pam.d/shadow
auth      sufficient pam_rootok.so
auth      required   pam_unix.so
account   required   pam_unix.so
session   required   pam_unix.so
password  required   pam_permit.so
# End /etc/pam.d/shadow
EOF

cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su
auth      sufficient pam_rootok.so
auth      required   pam_unix.so
account   required   pam_unix.so
session   required   pam_unix.so
# End /etc/pam.d/su
EOF

cat > /etc/pam.d/useradd << "EOF"
# Begin /etc/pam.d/useradd
auth      sufficient pam_rootok.so
auth      required   pam_unix.so
account   required   pam_unix.so
session   required   pam_unix.so
password  required   pam_permit.so
# End /etc/pam.d/useradd
EOF

cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage
auth      sufficient pam_rootok.so
auth      required   pam_unix.so
account   required   pam_unix.so
session   required   pam_unix.so
password  required   pam_permit.so
# End /etc/pam.d/chage
EOF

If you've installed cracklib, replace /etc/pam.d/passwd with the following:

cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password  required   pam_cracklib.so \
    retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
password  required   pam_unix.so      md5 shadow use_authtok
# End /etc/pam.d/passwd
EOF

Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use programs that do not specifically have a configuration file of their own.
After testing Linux-PAM for proper configuration, it can be changed to the following:

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other
auth      required   pam_deny.so
auth      required   pam_warn.so
account   required   pam_deny.so
session   required   pam_deny.so
password  required   pam_deny.so
password  required   pam_warn.so
# End /etc/pam.d/other
EOF

Finally, edit /etc/login.defs by adding '#' to the beginning of the following lines:

LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE

This stops login from performing these functions, as they will now be performed by PAM modules.

Additionally, add a '#' to the beginning of the following lines if you've installed cracklib:

OBSCURE_CHECKS_ENAB
CRACKLIB_DICTPATH
PASS_CHANGE_TRIES
PASS_ALWAYS_WARN
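As an added example (not part of the BLFS book), the POSIX shell functions below audit a pam.d directory written in the per-service format used above. Any management group (auth, account, session, password) that a service file leaves undefined is resolved through /etc/pam.d/other, which is why the deny-by-default "other" file matters once testing is done; the directory path is a parameter and the function names are my own.

```shell
#!/bin/sh
# Added example: audit a pam.d directory. Not code from the BLFS book.
# A service file that defines no lines for one of the four PAM management
# groups makes PAM fall back to DIR/other for that group.

# pam_groups FILE: print the management groups FILE defines, one per line,
# ignoring comments and blank lines.
pam_groups() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{print $1}' | sort -u
}

# pam_missing_groups FILE: print the groups FILE does not define
# (these are the ones resolved through "other").
pam_missing_groups() {
    for g in auth account session password; do
        pam_groups "$1" | grep -qx "$g" || echo "$g"
    done
}

# pam_other_denies DIR: succeed only if DIR/other carries pam_deny.so under
# a required/requisite control for every management group.
pam_other_denies() {
    f="$1/other"
    [ -f "$f" ] || return 1
    for g in auth account session password; do
        sed -e 's/#.*//' "$f" | awk -v g="$g" \
            '$1 == g && ($2 == "required" || $2 == "requisite") && $3 ~ /pam_deny\.so/ { found = 1 }
             END { exit !found }' || return 1
    done
    return 0
}

# pam_audit DIR: report, per service file, the groups that fall back to
# "other", then the verdict on "other" itself. Returns 0 only when "other"
# denies by default.
pam_audit() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svc=$(basename "$f")
        [ "$svc" = other ] && continue
        missing=$(pam_missing_groups "$f" | tr '\n' ' ')
        [ -n "$missing" ] && echo "$svc: falls back to other for: $missing"
    done
    if pam_other_denies "$dir"; then
        echo "other: deny by default"
        return 0
    fi
    echo "other: NOT deny by default (anyone with an account passes unconfigured services)"
    return 1
}
```

Run `pam_audit /etc/pam.d` after writing the files above: with the book's configuration it reports that passwd relies on "other" for auth, account and session, and su for password, so the final deny-by-default "other" is what closes those gaps.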