%general-entities; ]> $LastChangedBy$ $Date$ Shadow Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed CrackLib or Linux-PAM after your LFS system was completed. If you have installed CrackLib after LFS, then reinstalling Shadow will enable strong password support. If you have installed Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM. &lfs65_checked; Package Information Download (HTTP): Download (FTP): Download MD5 sum: &shadow-md5sum; Download size: &shadow-size; Estimated disk space required: &shadow-buildsize; Estimated build time: &shadow-time; Shadow Dependencies Required and/or User Notes: The installation commands shown below are for installations where Linux-PAM has been installed (with or without a CrackLib installation) and Shadow is being reinstalled to support the Linux-PAM installation. If you are reinstalling Shadow to provide strong password support using the CrackLib library without using Linux-PAM, ensure you add the --with-libcrack parameter to the configure script below and also issue the following command: sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs Reinstall Shadow by running the following commands: sed -i 's/groups$(EXEEXT) //' src/Makefile.in && find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile.in && sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD MD5@' \ -e 's@/var/spool/mail@/var/mail@' etc/login.defs && ./configure --sysconfdir=/etc && make This package does not come with a test suite. Now, as the root user: make install && mv -v /usr/bin/passwd /bin sed -i 's/groups$(EXEEXT) //' src/Makefile.in: This command is used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred. find man -name Makefile.in -exec ... {} \;: This command is used to suppress the installation of the groups man pages so the existing ones installed from the Coreutils package are not replaced. sed -i -e '...' -e '...' man/Makefile.in: This command disables the installation of Chinese and Korean manual pages, since Man-DB cannot format them properly. sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD MD5@' -e 's@/var/spool/mail@/var/mail@' etc/login.defs: Instead of using the default 'crypt' method, this command modifies the installation to use the more secure 'MD5' method of password encryption, which also allows passwords longer than eight characters. It also changes the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location. mv -v /usr/bin/passwd /bin: The passwd program may be needed during times when the /usr filesystem is not mounted so it is moved into the root partition. Shadow's stock configuration for the useradd utility may not be desirable for your installation. One default parameter causes useradd to create a mailbox file for any newly created user. useradd will make the group ownership of this file to the mail group with 0660 permissions. If you would prefer that these mailbox files are not created by useradd, issue the following command as the root user: sed -i 's/yes/no/' /etc/default/useradd The rest of this page is devoted to configuring Shadow to work properly with Linux-PAM. If you do not have Linux-PAM installed, and you reinstalled Shadow to support strong passwords via the CrackLib library, no further configuration is required. /etc/pam.d/* or alternatively /etc/pam.conf, /etc/login.defs, and /etc/security/* /etc/pam.d/* /etc/pam.conf /etc/login.defs /etc/security/* Configuring your system to use Linux-PAM can be a complex task. The information below will provide a basic setup so that Shadow's login and password functionality will work effectively with Linux-PAM. Review the information and links on the page for further configuration information. For information specific to integrating Shadow, Linux-PAM and CrackLib, you can visit the following links: The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents). Issue the following commands as the root user: /etc/login.defs install -v -m644 /etc/login.defs /etc/login.defs.orig && for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \ PORTTIME_CHECKS_ENAB CONSOLE \ MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \ SU_WHEEL_ONLY MD5_CRYPT_ENAB \ CONSOLE_GROUPS ENVIRON_FILE \ ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \ ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \ CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE \ OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \ PASS_CHANGE_TRIES PASS_ALWAYS_WARN ISSUE_FILE do sed -i "s/^$FUNCTION/# &/" /etc/login.defs done As mentioned previously in the Linux-PAM instructions, Linux-PAM has two supported methods for configuration. The commands below assume that you've chosen to use a directory based configuration, where each program has its own configuration file. You can optionally use a single /etc/pam.conf configuration file by using the text from the files below, and supplying the program name as an additional first field for each line. As the root user, replace the following Linux-PAM configuration files in the /etc/pam.d/ directory (or add the contents to the /etc/pam.conf file) using the following commands: cat > /etc/pam.d/login << "EOF" # Begin /etc/pam.d/login auth requisite pam_nologin.so auth required pam_securetty.so auth required pam_unix.so account required pam_access.so account required pam_unix.so session required pam_env.so session required pam_motd.so session required pam_limits.so session optional pam_mail.so dir=/var/mail standard session optional pam_lastlog.so session required pam_unix.so password required pam_cracklib.so retry=3 password required pam_unix.so md5 shadow use_authtok # End /etc/pam.d/login EOF cat > /etc/pam.d/login << "EOF" # Begin /etc/pam.d/login auth requisite pam_nologin.so auth required pam_securetty.so auth required pam_env.so auth required pam_unix.so account required pam_access.so account required pam_unix.so session required pam_motd.so session required pam_limits.so session optional pam_mail.so dir=/var/mail standard session optional pam_lastlog.so session required pam_unix.so password required pam_unix.so md5 shadow # End /etc/pam.d/login EOF cat > /etc/pam.d/passwd << "EOF" # Begin /etc/pam.d/passwd password required pam_cracklib.so type=Linux retry=1 \ difok=5 diffignore=23 minlen=9 \ dcredit=1 ucredit=1 lcredit=1 \ ocredit=1 \ dictpath=/lib/cracklib/pw_dict password required pam_unix.so md5 shadow use_authtok # End /etc/pam.d/passwd EOF In its default configuration, owing to credits, pam_cracklib will allow multiple case passwords as short as 6 characters, even with the minlen value set to 11. You should review the pam_cracklib(8) man page and determine if these default values are acceptable for the security of your system. cat > /etc/pam.d/passwd << "EOF" # Begin /etc/pam.d/passwd password required pam_unix.so md5 shadow # End /etc/pam.d/passwd EOF cat > /etc/pam.d/su << "EOF" # Begin /etc/pam.d/su auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session optional pam_mail.so dir=/var/mail standard session optional pam_xauth.so session required pam_env.so session required pam_unix.so # End /etc/pam.d/su EOF cat > /etc/pam.d/chage << "EOF" # Begin /etc/pam.d/chage auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session required pam_unix.so password required pam_permit.so # End /etc/pam.d/chage EOF for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \ groupmems groupmod newusers useradd userdel usermod do install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM sed -i "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM done At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. You can also run the test suite from the Linux-PAM package to assist you in determining the problem. If you cannot find and fix the error, you should recompile Shadow adding the --without-libpam switch to the configure command in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system. Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required: cat > /etc/pam.d/other << "EOF" # Begin /etc/pam.d/other auth required pam_deny.so auth required pam_warn.so account required pam_deny.so account required pam_warn.so password required pam_deny.so password required pam_warn.so session required pam_deny.so session required pam_warn.so # End /etc/pam.d/other EOF Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command: /etc/security/access.conf if [ -f /etc/login.access ]; then mv -v /etc/login.access /etc/login.access.NOUSE fi Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the pam_limits.so module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command: /etc/security/limits.conf if [ -f /etc/limits ]; then mv -v /etc/limits /etc/limits.NOUSE fi During previous configuration, several items were removed from /etc/login.defs. Some of these items are now controlled by the pam_env.so module and the /etc/security/pam_env.conf configuration file. In particular, the default path has been changed. To recover your default path, execute the following commands: ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \ awk '{ print $2 }' | sed 's/PATH=//'` && echo 'PATH DEFAULT='`echo "${ENV_PATH}"`\ ' OVERRIDE=${PATH}' \ >> /etc/security/pam_env.conf && unset ENV_PATH ENV_SUPATH is no longer supported. You must create a valid /root/.bashrc file to provide a modified path for the super-user. A list of the installed files, along with their short descriptions can be found at .