# Shadow

## Introduction to Shadow

Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed CrackLib or Linux-PAM after your LFS system was completed. If you have installed CrackLib after LFS, then reinstalling Shadow will enable strong password support. If you have installed Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM.

### Package Information

- Download (HTTP):
- Download MD5 sum: &shadow-md5sum;
- Download size: &shadow-size;
- Estimated disk space required: &shadow-buildsize;
- Estimated build time: &shadow-time;

### Additional Downloads

- Required patch:

### Shadow Dependencies

Required: CrackLib or Linux-PAM

User Notes:

## Installation of Shadow

The installation commands shown below are for installations where Linux-PAM has been installed (with or without a CrackLib installation) and Shadow is being reinstalled to support the Linux-PAM installation.

If you are reinstalling Shadow to provide strong password support using the CrackLib library without using Linux-PAM, ensure you add the `--with-libcrack` parameter to the configure script below and also issue the following command:

```bash
sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs
```

Reinstall Shadow by running the following commands:

```bash
sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile.in &&
sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
       -e 's@/var/spool/mail@/var/mail@' etc/login.defs &&
sed -i -e 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&:/usr/local/sbin:/usr/local/bin@' \
       -e 's@PATH=/bin:/usr/bin@&:/usr/local/bin@' etc/login.defs &&
patch -Np1 -i ../shadow-&shadow-version;-nscd-1.patch &&
./configure --prefix=/usr --sysconfdir=/etc \
            --without-acl --without-attr &&
make
```

This package does not come with a test suite.
Now, as the root user:

```bash
make install &&
mv -v /usr/bin/passwd /bin
```

### Command Explanations

- `sed -i 's/groups$(EXEEXT) //' src/Makefile.in`: This command suppresses the installation of the groups program, as the version from the Coreutils package installed during LFS is preferred.
- `find man -name Makefile.in -exec ... {} \;`: This command suppresses the installation of the groups man pages so the existing ones installed from the Coreutils package are not replaced.
- `sed -i -e '...' -e '...' man/Makefile.in`: This command disables the installation of Chinese and Korean manual pages, since Man-DB cannot format them properly.
- `sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e 's@/var/spool/mail@/var/mail@' etc/login.defs`: Instead of using the default 'DES' method, this command modifies the installation to use the more secure 'SHA512' method of hashing passwords, which also allows passwords longer than eight characters. It also changes the obsolete /var/spool/mail location for user mailboxes, which Shadow uses by default, to the /var/mail location.
- `sed -i -e 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&:/usr/local/sbin:/usr/local/bin@' -e 's@PATH=/bin:/usr/bin@&:/usr/local/bin@' etc/login.defs`: This sed appends /usr/local/bin to the PATH of normal and root users, and /usr/local/sbin to the PATH of the root user only.
- `--without-acl`: Disables linking with the ACL library, since Shadow fails to compile if it is present.
- `--without-attr`: Disables linking with the Attr library, since Shadow fails to compile if it is present.
- `mv -v /usr/bin/passwd /bin`: The passwd program may be needed at times when the /usr filesystem is not mounted, so it is moved into the root partition.

## Configuring Shadow

Shadow's stock configuration for the useradd utility may not be desirable for your installation. One default parameter causes useradd to create a mailbox file for any newly created user. useradd sets the group ownership of this file to the mail group with 0660 permissions.
If you would prefer that these mailbox files are not created by useradd, issue the following command as the root user:

```bash
sed -i 's/yes/no/' /etc/default/useradd
```

## Configuring Linux-PAM to Work with Shadow

The rest of this page is devoted to configuring Shadow to work properly with Linux-PAM. If you do not have Linux-PAM installed, and you reinstalled Shadow to support strong passwords via the CrackLib library, no further configuration is required.

### Config Files

/etc/pam.d/* or alternatively /etc/pam.conf, /etc/login.defs, and /etc/security/*

### Configuration Information

Configuring your system to use Linux-PAM can be a complex task. The information below provides a basic setup so that Shadow's login and password functionality works effectively with Linux-PAM. Review the information and links on the Linux-PAM page for further configuration information. For information specific to integrating Shadow, Linux-PAM and CrackLib, you can visit the following link:

#### Configuring /etc/login.defs

The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command comments out the appropriate lines in /etc/login.defs and stops login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents). Issue the following commands as the root user:

```bash
install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in FAIL_DELAY LASTLOG_ENAB \
                MAIL_CHECK_ENAB \
                OBSCURE_CHECKS_ENAB \
                PORTTIME_CHECKS_ENAB \
                CONSOLE MOTD_FILE \
                NOLOGINS_FILE ENV_HZ \
                SU_WHEEL_ONLY \
                CRACKLIB_DICTPATH \
                SYS_UID_MIN SYS_UID_MAX \
                SYS_GID_MIN SYS_GID_MAX \
                PASS_CHANGE_TRIES \
                PASS_ALWAYS_WARN \
                CHFN_AUTH ENVIRON_FILE
do
    sed -i "s/^$FUNCTION/# &/" /etc/login.defs
done
```

#### Configuring the /etc/pam.d/ Files

As mentioned previously in the Linux-PAM instructions, Linux-PAM has two supported methods for configuration.
The commands below assume that you've chosen to use a directory based configuration, where each program has its own configuration file. You can optionally use a single /etc/pam.conf configuration file by using the text from the files below, and supplying the program name as an additional first field for each line.

As the root user, replace the following Linux-PAM configuration files in the /etc/pam.d/ directory (or add the contents to the /etc/pam.conf file) using the following commands:

'system-account'

```bash
cat > /etc/pam.d/system-account << "EOF"
# Begin /etc/pam.d/system-account

account required pam_unix.so

# End /etc/pam.d/system-account
EOF
```

'system-auth'

```bash
cat > /etc/pam.d/system-auth << "EOF"
# Begin /etc/pam.d/system-auth

auth required pam_unix.so

# End /etc/pam.d/system-auth
EOF
```

'system-password' (with cracklib)

```bash
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# check new passwords for strength (man pam_cracklib)
password required pam_cracklib.so type=Linux retry=3 difok=5 \
                                 difignore=23 minlen=9 dcredit=1 \
                                 ucredit=1 lcredit=1 ocredit=1 \
                                 dictpath=/lib/cracklib/pw_dict
# use sha512 hash for encryption, use shadow, and use the
# authentication token (chosen password) set by pam_cracklib
# above (or any previous modules)
password required pam_unix.so sha512 shadow use_authtok

# End /etc/pam.d/system-password
EOF
```

In its default configuration, owing to credits, pam_cracklib will allow multiple case passwords as short as 6 characters, even with the minlen value set to 11. You should review the pam_cracklib(8) man page and determine if these default values are acceptable for the security of your system.
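To make the effect of the credits concrete, here is an added example that is not part of the BLFS book: a POSIX shell function reproducing only the length-and-credit arithmetic behind pam_cracklib's minlen check, fed the values from the system-password file above (the function names and sample passwords are this example's own).

```shell
# Added example: reproduces only the length/credit arithmetic of the pam_cracklib
# minlen check, so you can see what the credits in the system-password file
# above permit. Dictionary, palindrome and similarity checks are not modelled.
#
# Usage: cracklib_length_ok PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Returns 0 if the password satisfies the minlen/credit rule, 1 otherwise.
cracklib_length_ok() {
    pw=$1 minlen=$2 dcredit=$3 ucredit=$4 lcredit=$5 ocredit=$6
    len=$(( $(printf '%s' "$pw" | wc -c) ))
    digits=$(( $(printf '%s' "$pw" | tr -cd '[:digit:]' | wc -c) ))
    uppers=$(( $(printf '%s' "$pw" | tr -cd '[:upper:]' | wc -c) ))
    lowers=$(( $(printf '%s' "$pw" | tr -cd '[:lower:]' | wc -c) ))
    others=$(( len - digits - uppers - lowers ))
    size=$minlen
    # A positive credit lowers the required length by up to that many characters
    # of the class; a negative credit is instead a minimum count of that class.
    for pair in "$digits:$dcredit" "$uppers:$ucredit" \
                "$lowers:$lcredit" "$others:$ocredit"; do
        have=${pair%%:*}; credit=${pair##*:}
        if [ "$credit" -ge 0 ]; then
            [ "$have" -gt "$credit" ] && have=$credit
            size=$(( size - have ))
        elif [ "$have" -lt $(( -credit )) ]; then
            return 1
        fi
    done
    [ "$size" -le "$len" ]
}

# Shortest password containing every character class that the given minlen and
# credits accept: minlen minus the sum of the positive credits.
effective_min_len() {
    min=$1; shift
    for c in "$@"; do [ "$c" -gt 0 ] && min=$(( min - c )); done
    echo "$min"
}

# With the values from the system-password file above, a five-character
# password drawing on all four classes passes the length check:
cracklib_length_ok 'Ab1!x' 9 1 1 1 1 &&
    echo "Ab1!x accepted (effective minimum $(effective_min_len 9 1 1 1 1))"
```

Setting a credit negative (for example dcredit=-1) turns it into a requirement for at least that many characters of the class and no longer shortens the password.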
'system-password' (without cracklib)

```bash
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password required pam_unix.so sha512 shadow try_first_pass

# End /etc/pam.d/system-password
EOF
```

'system-session'

```bash
cat > /etc/pam.d/system-session << "EOF"
# Begin /etc/pam.d/system-session

session required pam_unix.so

# End /etc/pam.d/system-session
EOF
```

'login'

```bash
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth optional pam_faildelay.so delay=3000000

# Check to make sure that the user is allowed to login
auth requisite pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth required pam_securetty.so

# Additional group memberships - disabled by default
#auth optional pam_group.so

# include the default auth settings
auth include system-auth

# check access for the user
account required pam_access.so

# include the default account settings
account include system-account

# Set default environment variables for the user
session required pam_env.so

# Set resource limits for the user
session required pam_limits.so

# Display date of last login - Disabled by default
#session optional pam_lastlog.so

# Display the message of the day - Disabled by default
#session optional pam_motd.so

# Check user's mail - Disabled by default
#session optional pam_mail.so standard quiet

# include the default session and password settings
session include system-session
password include system-password

# End /etc/pam.d/login
EOF
```

'passwd'

```bash
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password include system-password

# End /etc/pam.d/passwd
EOF
```

'su'

```bash
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su

# always allow root
auth sufficient pam_rootok.so

# include the default auth settings
auth include system-auth

# include the default account settings
account include system-account

# Set default environment variables for the service user
session required pam_env.so

# include system session defaults
session include system-session

# End /etc/pam.d/su
EOF
```

'chage'

```bash
cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage

# always allow root
auth sufficient pam_rootok.so

# include system defaults for auth account and session
auth include system-auth
account include system-account
session include system-session

# Always permit for authentication updates
password required pam_permit.so

# End /etc/pam.d/chage
EOF
```

'chfn', 'chgpasswd', 'chpasswd', 'chsh', 'groupadd', 'groupdel', 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel' and 'usermod'

```bash
for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done
```

At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. You can also run the test suite from the Linux-PAM package to assist you in determining the problem. If you cannot find and fix the error, you should recompile Shadow, adding the appropriate switch to the configure command in the above instructions (also move the /etc/login.defs.orig backup file back to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.

#### Other

Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program.
After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required:

```bash
cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth     required pam_warn.so
auth     required pam_deny.so
account  required pam_warn.so
account  required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session  required pam_warn.so
session  required pam_deny.so

# End /etc/pam.d/other
EOF
```

#### Configuring Login Access

Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:

```bash
if [ -f /etc/login.access ]; then mv -v /etc/login.access /etc/login.access.NOUSE; fi
```

#### Configuring Resource Limits

Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the pam_limits.so module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command:

```bash
if [ -f /etc/limits ]; then mv -v /etc/limits /etc/limits.NOUSE; fi
```
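To rehearse the /etc/login.defs edits from the installation and Linux-PAM sections above without touching /etc, here is an added example that is not from the BLFS book: shell functions that apply the page's sed edits to a file you name and then check that the file ended up in the intended state (the function names and the sample file contents are this example's own).

```shell
# Added example: applies this page's login.defs edits to a file under a directory
# of your choosing rather than /etc, then checks the outcome. The sample file is
# constructed for this example and is not a full Shadow login.defs.
# Apply the hashing, mail-location, PATH and PAM hand-over edits from this page
# to $1, keeping a pristine copy in $1.orig (the page uses install -v -m644).
harden_login_defs() {
    f=$1
    cp "$f" "$f.orig"
    sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
           -e 's@/var/spool/mail@/var/mail@' "$f"
    sed -i -e 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&:/usr/local/sbin:/usr/local/bin@' \
           -e 's@PATH=/bin:/usr/bin@&:/usr/local/bin@' "$f"
    for FUNCTION in FAIL_DELAY LASTLOG_ENAB MAIL_CHECK_ENAB OBSCURE_CHECKS_ENAB \
                    PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE NOLOGINS_FILE ENV_HZ \
                    SU_WHEEL_ONLY CRACKLIB_DICTPATH SYS_UID_MIN SYS_UID_MAX \
                    SYS_GID_MIN SYS_GID_MAX PASS_CHANGE_TRIES PASS_ALWAYS_WARN \
                    CHFN_AUTH ENVIRON_FILE
    do
        sed -i "s/^$FUNCTION/# &/" "$f"
    done
}
# Return 0 only if $1 is in the hardened state: SHA512 active and DES gone, mail
# under /var/mail, local bin on the PATH, and the PAM-handled keys commented out.
check_login_defs() {
    f=$1
    grep -q '^ENCRYPT_METHOD[[:space:]]*SHA512' "$f" || return 1
    grep -q '^ENCRYPT_METHOD[[:space:]]*DES' "$f" && return 1
    grep -q '^MAIL_DIR[[:space:]]*/var/mail$' "$f" || return 1
    grep -q '^ENV_PATH[[:space:]]*PATH=/bin:/usr/bin:/usr/local/bin$' "$f" || return 1
    for key in FAIL_DELAY LASTLOG_ENAB MOTD_FILE; do
        grep -q "^$key" "$f" && return 1
        grep -q "^# $key" "$f" || return 1
    done
    return 0
}
# Write the constructed sample into a temporary directory and print its path.
make_sample_login_defs() {
    dir=$(mktemp -d)
    cat > "$dir/login.defs" << "EOF"
MAIL_DIR        /var/spool/mail
FAIL_DELAY      3
LASTLOG_ENAB    yes
MOTD_FILE       /etc/motd
#ENCRYPT_METHOD DES
ENV_SUPATH      PATH=/sbin:/bin:/usr/sbin:/usr/bin
ENV_PATH        PATH=/bin:/usr/bin
EOF
    printf '%s\n' "$dir/login.defs"
}
```

Run `check_login_defs /etc/login.defs` on a finished system as a quick audit; a non-zero exit means one of the edits above did not take.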