Contents
A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/stable/chapter06/shadow.html#contents-shadow.
Introduction to Shadow
Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed Linux-PAM. If you did, this will allow programs like login and su to utilize PAM.
Package Information
-
Download (FTP): ftp://ftp.pld.org.pl/software/shadow/old/shadow-4.0.9.tar.bz2
-
Download MD5 sum: 66e3a3a60ea6b021a7babff311b07607
-
Download size: 1.1 MB
-
Estimated disk space required: 13 MB
-
Estimated build time: 0.3 SBU
Additional Downloads
-
Patch to fix several invalid warning messages when used with Linux_PAM: http://www.linuxfromscratch.org/blfs/downloads/6.1/shadow-4.0.9-Linux_PAM_fixes-1.patch
Shadow Dependencies
Required
Installation of Shadow
Reinstall Shadow by running the following commands:
patch -Np1 -i ../shadow-4.0.9-Linux_PAM_fixes-1.patch &&
./configure --libdir=/lib --enable-shared \
--with-libpam --without-libcrack &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
sed -i '/groups/d' man/Makefile &&
make
Now, as the root user:
make install && mv -v /usr/bin/passwd /bin && mv -v /lib/libshadow.*a /usr/lib && rm -v /lib/libshadow.so && ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
Command Explanations
--without-libcrack: This switch tells Shadow not to use libcrack. This is desired as Linux-PAM already contains libcrack.
sed -i ...: These commands are used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.
Configuring Linux-PAM to Work with Shadow
The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents):
install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
PORTTIME_CHECKS_ENAB CONSOLE \
MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
SU_WHEEL_ONLY MD5_CRYPT_ENAB \
CONSOLE_GROUPS ENVIRON_FILE \
ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE
do
sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
done
If you have CrackLib installed, also comment out four more lines using the following command:
for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
PASS_CHANGE_TRIES PASS_ALWAYS_WARN
do
sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
done
Add the following Linux-PAM configuration files to /etc/pam.d/ (or add them to /etc/pam.conf with the additional field for the program).
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_unix.so
account required pam_access.so
account required pam_unix.so
session required pam_env.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
session required pam_unix.so
password required pam_cracklib.so retry=3 difok=8 minlen=5 \
dcredit=3 ocredit=3 \
ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok
# End /etc/pam.d/login
EOF
cat > /etc/pam.d/login << "EOF" # Begin /etc/pam.d/login auth requisite pam_securetty.so auth requisite pam_nologin.so auth required pam_env.so auth required pam_unix.so account required pam_access.so account required pam_unix.so session required pam_motd.so session required pam_limits.so session optional pam_mail.so dir=/var/mail standard session optional pam_lastlog.so session required pam_unix.so password required pam_unix.so md5 shadow # End /etc/pam.d/login EOF
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password required pam_cracklib.so retry=3 difok=8 minlen=5 \
dcredit=3 ocredit=3 \
ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok
# End /etc/pam.d/passwd
EOF
cat > /etc/pam.d/passwd << "EOF" # Begin /etc/pam.d/passwd password required pam_unix.so md5 shadow # End /etc/pam.d/passwd EOF
cat > /etc/pam.d/su << "EOF" # Begin /etc/pam.d/su auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session optional pam_mail.so dir=/var/mail standard session required pam_env.so session required pam_unix.so # End /etc/pam.d/su EOF
cat > /etc/pam.d/chage << "EOF" # Begin /etc/pam.d/chage auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session required pam_unix.so password required pam_permit.so # End /etc/pam.d/chage EOF
for PROGRAM in chpasswd newusers groupadd groupdel \
groupmod useradd userdel usermod
do
install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done
![[Warning]](../images/warning.png)
Warning
At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. If you cannot find and fix the error, you should recompile Shadow replacing --with-libpam with --without-libpam in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.
Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required:
cat > /etc/pam.d/other << "EOF" # Begin /etc/pam.d/other auth required pam_deny.so auth required pam_warn.so account required pam_deny.so session required pam_deny.so password required pam_deny.so password required pam_warn.so # End /etc/pam.d/other EOF
Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:
if [ -f /etc/login.access ]; then
mv -v /etc/login.access /etc/login.access.NOUSE
fi
Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the pam_limits.so module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command:
if [ -f /etc/limits ]; then
mv -v /etc/limits /etc/limits.NOUSE
fi
During previous configuration, several items were removed from /etc/login.defs. Some of these items are now controlled by the pam_env.so module and the /etc/security/pam_env.conf configuration file. In particular, the default path has been changed. To recover your default path, execute the following commands:
ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
awk '{ print $2 }' | sed 's/PATH=//'` &&
echo 'PATH DEFAULT='`echo "${ENV_PATH}"`' OVERRIDE=${PATH}' \
>> /etc/security/pam_env.conf &&
unset ENV_PATH
![[Note]](../images/note.png)
Note
ENV_SUPATH is no longer supported. You must create a valid /root/.bashrc file to provide a modified path for the super user.
Last updated on 2005-08-09 19:50:01 -0600