source: chapter06/shadow.xml@ 2a264e0b

<sect1 id="ch-system-shadow" xreflabel="Shadow">
<title>Installing Shadow-&shadow-version;</title>
<?dbhtml filename="shadow.html" dir="chapter06"?>

<para>The Shadow package contains programs for handling passwords in a secure
way.</para>

<screen>&buildtime; &shadow-time;
&diskspace; &shadow-compsize;</screen>

&aa-shadow-down;
&aa-shadow-dep;

<sect2><title>&nbsp;</title><para>&nbsp;</para></sect2>

<sect2>
<title>Installation of Shadow</title>

<para>Shadow hard-wires the path to the <command>passwd</command> binary within
the binary itself, but does this the wrong way. If a <command>passwd</command>
binary is not present before installing Shadow, the package incorrectly assumes
it is going to be located at <filename>/bin/passwd</filename>, but then
installs it as <filename>/usr/bin/passwd</filename>. This will lead to errors
about not finding <filename>/bin/passwd</filename>. To work around this bug,
create a dummy <filename>passwd</filename> file, so that it gets hard-wired
properly:</para>

<screen><userinput>touch /usr/bin/passwd</userinput></screen>

<para>Now prepare Shadow for compilation:</para>

<screen><userinput>./configure --libdir=/usr/lib --enable-shared</userinput></screen>

<para>Work around a problem that prevents Shadow's internationalization from
working:</para>

<screen><userinput>echo '#define HAVE_SETLOCALE 1' &gt;&gt; config.h</userinput></screen>

<para>Compile the package:</para>

<screen><userinput>make</userinput></screen>

<para>And install it:</para>

<screen><userinput>make install</userinput></screen>

<para>Shadow uses two files to configure authentication settings for the
system. Install these two config files:</para>

<screen><userinput>cp etc/{limits,login.access} /etc</userinput></screen>

<para>Instead of using the default <emphasis>crypt</emphasis> method, we want
to use the more secure <emphasis>MD5</emphasis> method of password encryption,
which in addition allows passwords longer than 8 characters. We also need to
change the obsolete <filename class="directory">/var/spool/mail</filename>
location for user mailboxes that Shadow uses by default to the <filename
class="directory">/var/mail</filename> location used nowadays. We accomplish
both these things by changing the relevant configuration file while copying it
to its destination (it's probably better to cut-and-paste this rather than try
and type it all in):</para>

<screen><userinput>sed -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \
&nbsp;&nbsp;&nbsp;&nbsp;-e 's%/var/spool/mail%/var/mail%' \
&nbsp;&nbsp;&nbsp;&nbsp;etc/login.defs.linux &gt; /etc/login.defs</userinput></screen>

<para>Move some misplaced symlinks to their proper locations:</para>

<screen><userinput>mv /bin/sg /usr/bin
mv /bin/vigr /usr/sbin</userinput></screen>

<para>And move Shadow's dynamic libraries to a more appropriate location:</para>

<screen><userinput>mv /usr/lib/lib{shadow,misc}.so.0* /lib</userinput></screen>

<para>As some packages expect to find the just-moved libraries in
<filename>/usr/lib</filename>, create the following symlinks:</para>

<screen><userinput>ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</userinput></screen>

<para>The -D option of the <filename>useradd</filename> program requires this
directory for it to work properly:</para>

<screen><userinput>mkdir /etc/default</userinput></screen>

<para>Coreutils has already installed a better <command>groups</command>
program in <filename class="directory">/usr/bin</filename>. Remove the one
installed by Shadow:</para>

<screen><userinput>rm /bin/groups</userinput></screen>

</sect2>

<sect2><title>&nbsp;</title><para>&nbsp;</para></sect2>

<sect2><title>Configuring Shadow</title>

<para>This package contains utilities to add, modify and delete users and
groups, set and change their passwords, and other such administrative tasks.
For a full explanation of what <emphasis>password shadowing</emphasis> means,
see the <filename>doc/HOWTO</filename> file within the unpacked source tree.
There's one thing to keep in mind if you decide to use Shadow support: programs
that need to verify passwords (display managers, ftp programs, pop3 daemons,
and the like) need to be <emphasis>shadow-compliant</emphasis>, that is they
need to be able to work with shadowed passwords.</para>

<para>To enable shadowed passwords, run the following command:</para>

<screen><userinput>pwconv</userinput></screen>

<para>And to enable shadowed group passwords, run:</para>

<screen><userinput>grpconv</userinput></screen>

<para>Under normal circumstances, you won't have created any passwords yet.
However, if returning to this section later to enable shadowing, you should
reset any current user passwords with the <command>passwd</command> command or
any group passwords with the <command>gpasswd</command> command.</para>

</sect2>

<sect2><title>&nbsp;</title><para>&nbsp;</para></sect2>

<sect2>
<title>Setting the root password</title>

<para>Choose a password for user root and set it via:</para>

<screen><userinput>passwd root</userinput></screen>

</sect2>

&aa-shadow-shortdesc;
&aa-shadow-desc;

</sect1>