Contents
A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/11.3-systemd/chapter08/shadow.html#contents-shadow.
Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed CrackLib or Linux-PAM after your LFS system was completed. If you have installed CrackLib after LFS, then reinstalling Shadow will enable strong password support. If you have installed Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM.
This package is known to build and work properly using an LFS 11.3 platform.
Download (HTTP): https://github.com/shadow-maint/shadow/releases/download/4.13/shadow-4.13.tar.xz
Download MD5 sum: b1ab01b5462ddcf43588374d57bec123
Download size: 1.7 MB
Estimated disk space required: 45 MB
Estimated build time: 0.2 SBU
Linux-PAM-1.5.2 or CrackLib-2.9.8
User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/shadow
The installation commands shown below are for installations where Linux-PAM has been installed and Shadow is being reinstalled to support the Linux-PAM installation.
If you are reinstalling Shadow
to provide strong password support using the CrackLib library without using Linux-PAM, ensure you add the --with-libcrack
parameter to the
configure script
below and also issue the following command:
sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs
Reinstall Shadow by running the following commands:
sed -i 's/groups$(EXEEXT) //' src/Makefile.in && find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; && find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; && find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \; && sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \ -e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' \ -e 's@/var/spool/mail@/var/mail@' \ -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \ -i etc/login.defs && ./configure --sysconfdir=/etc \ --disable-static \ --with-group-name-max-length=32 && make
This package does not come with a test suite.
Now, as the root
user:
make exec_prefix=/usr install
The man pages were installed in LFS, but if reinstallation is
desired, run (as the root
user):
make -C man install-man
sed -i 's/groups$(EXEEXT) //' src/Makefile.in: This sed is used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.
find man -name Makefile.in -exec ... {} \;: The first command is used to suppress the installation of the groups man pages so the existing ones installed from the Coreutils package are not replaced. The two other commands prevent installation of manual pages that are already installed by Man-pages in LFS.
sed -e 's@#ENCRYPT_METHOD
DES@ENCRYPT_METHOD SHA512@' -e 's@#\(SHA_CRYPT_..._ROUNDS
5000\)@\100@' -e 's@/var/spool/mail@/var/mail@' -e
'/PATH=/{s@/sbin:@@;s@/bin:@@}' -i etc/login.defs:
Instead of using the default 'DES' method, this command modifies
the installation to use the more secure 'SHA512' method of hashing
passwords, which also allows passwords longer than eight
characters. The number of rounds is also increased to prevent brute
force password attacks. The command also changes the obsolete
/var/spool/mail
location for user
mailboxes that Shadow uses by
default to the /var/mail
location. It
also changes the default path to be consistent with that set in
LFS.
--with-group-name-max-length=32
: The
maximum user name is 32 characters. Make the maximum group name the
same.
The rest of this page is devoted to configuring Shadow to work properly with Linux-PAM. If you do not have Linux-PAM installed, and you reinstalled Shadow to support strong passwords via the CrackLib library, no further configuration is required.
Configuring your system to use Linux-PAM can be a complex task. The information below will provide a basic setup so that Shadow's login and password functionality will work effectively with Linux-PAM. Review the information and links on the Linux-PAM-1.5.2 page for further configuration information. For information specific to integrating Shadow, Linux-PAM and libpwquality, you can visit the following link:
The login program
currently performs many functions which Linux-PAM modules should now handle. The
following sed
command will comment out the appropriate lines in /etc/login.defs
, and stop login from performing these
functions (a backup file named /etc/login.defs.orig
is also created to
preserve the original file's contents). Issue the following
commands as the root
user:
install -v -m644 /etc/login.defs /etc/login.defs.orig && for FUNCTION in FAIL_DELAY \ FAILLOG_ENAB \ LASTLOG_ENAB \ MAIL_CHECK_ENAB \ OBSCURE_CHECKS_ENAB \ PORTTIME_CHECKS_ENAB \ QUOTAS_ENAB \ CONSOLE MOTD_FILE \ FTMP_FILE NOLOGINS_FILE \ ENV_HZ PASS_MIN_LEN \ SU_WHEEL_ONLY \ CRACKLIB_DICTPATH \ PASS_CHANGE_TRIES \ PASS_ALWAYS_WARN \ CHFN_AUTH ENCRYPT_METHOD \ ENVIRON_FILE do sed -i "s/^${FUNCTION}/# &/" /etc/login.defs done
As mentioned previously in the Linux-PAM instructions, Linux-PAM has two supported methods for
configuration. The commands below assume that you've chosen to
use a directory based configuration, where each program has its
own configuration file. You can optionally use a single
/etc/pam.conf
configuration file
by using the text from the files below, and supplying the
program name as an additional first field for each line.
As the root
user, create the
following Linux-PAM
configuration files in the /etc/pam.d/
directory (or add the contents to
the /etc/pam.conf
file) using the
following commands:
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login
# Set failure delay before next prompt to 3 seconds
auth optional pam_faildelay.so delay=3000000
# Check to make sure that the user is allowed to login
auth requisite pam_nologin.so
# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth required pam_securetty.so
# Additional group memberships - disabled by default
#auth optional pam_group.so
# include system auth settings
auth include system-auth
# check access for the user
account required pam_access.so
# include system account settings
account include system-account
# Set default environment variables for the user
session required pam_env.so
# Set resource limits for the user
session required pam_limits.so
# Display date of last login - Disabled by default
#session optional pam_lastlog.so
# Display the message of the day - Disabled by default
#session optional pam_motd.so
# Check user's mail - Disabled by default
#session optional pam_mail.so standard quiet
# include system session and password settings
session include system-session
password include system-password
# End /etc/pam.d/login
EOF
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password include system-password
# End /etc/pam.d/passwd
EOF
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su
# always allow root
auth sufficient pam_rootok.so
# Allow users in the wheel group to execute su without a password
# disabled by default
#auth sufficient pam_wheel.so trust use_uid
# include system auth settings
auth include system-auth
# limit su to users in the wheel group
# disabled by default
#auth required pam_wheel.so use_uid
# include system account settings
account include system-account
# Set default environment variables for the service user
session required pam_env.so
# include system session settings
session include system-session
# End /etc/pam.d/su
EOF
cat > /etc/pam.d/chpasswd << "EOF"
# Begin /etc/pam.d/chpasswd
# always allow root
auth sufficient pam_rootok.so
# include system auth and account settings
auth include system-auth
account include system-account
password include system-password
# End /etc/pam.d/chpasswd
EOF
sed -e s/chpasswd/newusers/ /etc/pam.d/chpasswd >/etc/pam.d/newusers
cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage
# always allow root
auth sufficient pam_rootok.so
# include system auth and account settings
auth include system-auth
account include system-account
# End /etc/pam.d/chage
EOF
for PROGRAM in chfn chgpasswd chsh groupadd groupdel \ groupmems groupmod useradd userdel usermod do install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM} sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM} done
At this point, you should do a simple test to see if
Shadow is working as
expected. Open another terminal and log in as root
, and then run login and login as another
user. If you do not see any errors, then all is well and you
should proceed with the rest of the configuration. If you did
receive errors, stop now and double check the above
configuration files manually. Any error is the sign of an
error in the above procedure. You can also run the test suite
from the Linux-PAM package
to assist you in determining the problem. If you cannot find
and fix the error, you should recompile Shadow adding the --without-libpam
switch to the configure command in the
above instructions (also move the /etc/login.defs.orig
backup file to
/etc/login.defs
). If you fail
to do this and the errors remain, you will be unable to log
into your system.
Instead of using the /etc/login.access
file for controlling access
to the system, Linux-PAM uses
the pam_access.so
module along
with the /etc/security/access.conf
file. Rename the
/etc/login.access
file using the
following command:
if [ -f /etc/login.access ]; then mv -v /etc/login.access{,.NOUSE}; fi
Instead of using the /etc/limits
file for limiting usage of system resources, Linux-PAM uses the pam_limits.so
module along with the
/etc/security/limits.conf
file.
Rename the /etc/limits
file using
the following command:
if [ -f /etc/limits ]; then mv -v /etc/limits{,.NOUSE}; fi
Be sure to test the login capabilities of the system before logging out. Errors in the configuration can cause a permanent lockout requiring a boot from an external source to correct the problem.
A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/11.3-systemd/chapter08/shadow.html#contents-shadow.