Shadow-4.0.18.1

Introduction to Shadow

Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed CrackLib or Linux-PAM after your LFS system was completed. If you have installed CrackLib after LFS, then reinstalling Shadow will enable strong password support. If you have installed Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM.

Package Information

Additional Downloads

Shadow Dependencies

Required

Linux-PAM-0.99.10.0 and/or CrackLib-2.8.12

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/shadow

Installation of Shadow

Important

The installation shown below is for a situation where Linux-PAM has been installed (with or without a CrackLib installation) and Shadow is being reinstalled to support the Linux-PAM installation. If you are reinstalling Shadow to provide strong password support via the CrackLib library and you have not installed Linux-PAM, ensure you add the --with-libcrack parameter to the configure script below.

Reinstall Shadow by running the following commands:

patch -Np1 -i ../shadow-4.0.18.1-useradd_fix-2.patch &&

./configure --libdir=/lib \
            --sysconfdir=/etc \
            --enable-shared \
            --without-selinux &&

sed -i 's/groups$(EXEEXT) //' src/Makefile &&
find man -name Makefile -exec sed -i 's/groups\.1 / /' {} \; &&
sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile &&

for i in de es fi fr id it pt_BR; do
    convert-mans UTF-8 ISO-8859-1 man/${i}/*.?
done &&

for i in cs hu pl; do
    convert-mans UTF-8 ISO-8859-2 man/${i}/*.?
done &&

convert-mans UTF-8 EUC-JP man/ja/*.? &&
convert-mans UTF-8 KOI8-R man/ru/*.? &&
convert-mans UTF-8 ISO-8859-9 man/tr/*.? &&

make

This package does not come with a test suite.

Now, as the root user:

make install &&
mv -v /usr/bin/passwd /bin &&
mv -v /lib/libshadow.*a /usr/lib &&
rm -v /lib/libshadow.so &&
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so

Command Explanations

--without-selinux: Support for SELinux is enabled by default, but SELinux is not built on a base LFS system. The configure script will fail if this option is not used.

sed -i 's/groups$(EXEEXT) //' src/Makefile: This command is used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.

find man -name Makefile -exec ... {} \;: This command is used to suppress the installation of the groups man pages so the existing ones installed from the Coreutils package are not replaced.

sed -i -e '...' -e '...' man/Makefile: This command disables the installation of Chinese and Korean manual pages, since Man-DB cannot format them properly.

convert-mans ...: These commands are used to convert some of the man pages so that Man-DB will display them in the expected encodings.

mv -v /usr/bin/passwd /bin: The passwd program may be needed during times when the /usr filesystem is not mounted so it is moved into the root partition.

mv -v ...; rm -v ...; ln -v ...: These commands are used to move the libshadow library to the root partition to support the moving of the passwd program earlier.

Configuring Shadow

Shadow's stock configuration for the useradd utility is not suitable for LFS systems. Use the following commands as the root user to change the default home directory for new users and prevent the creation of mail spool files:

useradd -D -b /home &&
sed -i 's/yes/no/' /etc/default/useradd

Configuring Linux-PAM to Work with Shadow

Note

The rest of this page is devoted to configuring Shadow to work properly with Linux-PAM. If you do not have Linux-PAM installed, and you reinstalled Shadow to support strong passwords via the CrackLib library, no further configuration is required.

Config Files

/etc/pam.d/* or alternatively /etc/pam.conf, /etc/login.defs and /etc/security/*

Configuration Information

Configuring your system to use Linux-PAM can be a complex task. The information below will provide a basic setup so that Shadow's login and password functionality will work effectively with Linux-PAM. Review the information and links on the Linux-PAM-0.99.10.0 page for further configuration information. For information specific to integrating Shadow, Linux-PAM and CrackLib, you can visit the following links:

Configuring /etc/login.defs

The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents). Issue the following commands as the root user:

install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
                PORTTIME_CHECKS_ENAB CONSOLE \
                MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
                SU_WHEEL_ONLY MD5_CRYPT_ENAB \
                CONSOLE_GROUPS ENVIRON_FILE \
                ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
                ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
                CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE \
                OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
                PASS_CHANGE_TRIES PASS_ALWAYS_WARN ISSUE_FILE
do
    sed -i "s/^$FUNCTION/# &/" /etc/login.defs
done

Configuring the /etc/pam.d/ Files

As mentioned previously in the Linux-PAM instructions, Linux-PAM has two supported methods for configuration. The commands below assume that you've chosen to use a directory based configuration, where each program has its own configuration file. You can optionally use a single /etc/pam.conf configuration file by using the text from the files below, and supplying the program name as an additional first field for each line.

As the root user, create the /etc/pam.d directory with the following command:

install -v -d -m755 /etc/pam.d

While still the root user, add the following Linux-PAM configuration files to the /etc/pam.d/ directory (or add the contents to the /etc/pam.conf file) with the following commands:

'login' (with CrackLib)
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

auth        requisite      pam_nologin.so
auth        required       pam_securetty.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_env.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_cracklib.so  retry=3
password    required       pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/login
EOF

'login' (without CrackLib)
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

auth        requisite      pam_nologin.so
auth        required       pam_securetty.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_unix.so      md5 shadow

# End /etc/pam.d/login
EOF

'passwd' (with CrackLib)
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password    required       pam_cracklib.so  type=Linux retry=1 \
                                            difok=5 diffignore=23 minlen=9 \
                                            dcredit=1 ucredit=1 lcredit=1 \
                                            ocredit=1 \
                                            dictpath=/lib/cracklib/pw_dict
password    required       pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/passwd
EOF

Note

In its default configuration, owing to credits, pam_cracklib will allow multiple case passwords as short as 6 characters, even with the minlen value set to 11. You should review the pam_cracklib(8) man page and determine if these default values are acceptable for the security of your system.
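To make the effect of credits concrete, the following added example (not from the BLFS page) models the pam_cracklib minlen/credit rule as pam_cracklib(8) describes it for non-negative credits: a credit of N adds up to N points for that character class, one point per character, and cracklib itself refuses anything shorter than 6 characters. Negative credits (minimum counts) are not modelled; the defaults mirror the 'passwd' stack above (minlen=9, all credits 1).

```python
# Added example, not from the BLFS page: models the pam_cracklib length and
# credit rule from pam_cracklib(8) so the effect of the credits used in the
# 'passwd' stack above (minlen=9, dcredit=ucredit=lcredit=ocredit=1) can be
# checked. Assumed semantics: a credit N >= 0 adds up to N points for that
# class (one per character); negative credits are not modelled; cracklib
# itself refuses anything shorter than 6 characters regardless of minlen.

CRACKLIB_HARD_MIN = 6   # floor applied by cracklib regardless of minlen

def classify(password):
    """Count digits, upper-case, lower-case and other characters."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch.isdigit():
            counts["d"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts

def cracklib_score(password, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Length plus earned credits; each class earns at most its credit."""
    counts = classify(password)
    caps = {"d": dcredit, "u": ucredit, "l": lcredit, "o": ocredit}
    return len(password) + sum(min(counts[k], max(caps[k], 0)) for k in caps)

def password_length_ok(password, minlen=9, **credits):
    """True if the password clears both the cracklib floor and minlen."""
    if len(password) < CRACKLIB_HARD_MIN:
        return False
    return cracklib_score(password, **credits) >= minlen

def shortest_accepted(minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Smallest length that can pass when a password is built to earn every
    available credit: a password of L characters earns at most L credits."""
    max_credits = sum(c for c in (dcredit, ucredit, lcredit, ocredit) if c > 0)
    length = CRACKLIB_HARD_MIN
    while length + min(length, max_credits) < minlen:
        length += 1
    return length
```

With the page's settings, `shortest_accepted()` is 6 rather than 9: a mixed-class 6-character password scores 10, while an all-lower-case one must be 8 characters to reach a score of 9.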

'passwd' (without CrackLib)
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password    required       pam_unix.so      md5 shadow

# End /etc/pam.d/passwd
EOF

'su'
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     optional        pam_mail.so     dir=/var/mail standard
session     optional        pam_xauth.so
session     required        pam_env.so
session     required        pam_unix.so

# End /etc/pam.d/su
EOF

'chage'
cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/chage
EOF

'chpasswd', 'chgpasswd', 'groupadd', 'groupdel', 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel', and 'usermod'
for PROGRAM in chpasswd chgpasswd groupadd groupdel groupmems \
               groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done

Warning

At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. You can also run the test suite from the Linux-PAM package to assist you in determining the problem. If you cannot find and fix the error, you should recompile Shadow adding the --without-libpam switch to the configure command in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.

Other

Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required:

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
session     required        pam_deny.so
password    required        pam_deny.so
password    required        pam_warn.so

# End /etc/pam.d/other
EOF
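As an added example (not part of the BLFS page or the Linux-PAM project), the following parser reads the pam.d line format used by the stacks above, including the backslash continuation lines in the 'passwd' stack, and checks that a fallback file such as /etc/pam.d/other really denies every management group. It handles only simple keyword controls (required, requisite, sufficient, optional); the bracketed "[value=action ...]" control syntax is out of scope. The sample inputs are embedded copies of this page's files, not read from the system.

```python
# Added example, not from the BLFS page: parse pam.d lines (with backslash
# continuation, as in the 'passwd' stack above) and verify that a fallback
# file like /etc/pam.d/other denies auth, account, session and password.
# Assumption: only simple keyword controls, not "[value=action ...]" blocks.

GROUPS = ("auth", "account", "session", "password")

def parse_pamd(text):
    """Return (type, control, module, args) tuples; comments/blanks skipped."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):         # join continued lines before parsing
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in GROUPS:
            raise ValueError("malformed pam.d line: %r" % raw)
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def denies_every_group(entries):
    """True when each group has a required/requisite pam_deny.so and no line
    that could grant access on its own (pam_permit.so or 'sufficient')."""
    denied = dict.fromkeys(GROUPS, False)
    for mtype, control, module, _ in entries:
        if module == "pam_permit.so" or control == "sufficient":
            return False
        if module == "pam_deny.so" and control in ("required", "requisite"):
            denied[mtype] = True
    return all(denied.values())

# The restrictive fallback from this page, embedded as sample input.
RESTRICTIVE_OTHER = """\
# Begin /etc/pam.d/other
auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
session     required        pam_deny.so
password    required        pam_deny.so
password    required        pam_warn.so
"""

# The page's 'passwd' stack (abridged) to show continuation lines being joined.
PASSWD_WITH_CRACKLIB = """\
password    required       pam_cracklib.so  type=Linux retry=1 \\
                                            difok=5 diffignore=23 minlen=9 \\
                                            dictpath=/lib/cracklib/pw_dict
password    required       pam_unix.so      md5 shadow use_authtok
"""
```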

If you preserved the source tree from the Linux-PAM package (or you feel like unpacking that tarball, then running configure and make), now would be a good time to run the test suite from this package. This test suite will use the configuration you just finished during the tests. All the tests should pass.

Configuring Login Access

Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:

if [ -f /etc/login.access ]; then
    mv -v /etc/login.access /etc/login.access.NOUSE
fi

Configuring Resource Limits

Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the pam_limits.so module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command:

if [ -f /etc/limits ]; then
    mv -v /etc/limits /etc/limits.NOUSE
fi

Configuring Default Environment

During previous configuration, several items were removed from /etc/login.defs. Some of these items are now controlled by the pam_env.so module and the /etc/security/pam_env.conf configuration file. In particular, the default path has been changed. To recover your default path, execute the following commands:

ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
    awk '{ print $2 }' | sed 's/PATH=//'` &&
echo 'PATH        DEFAULT='`echo "${ENV_PATH}"`\
'        OVERRIDE=${PATH}' \
    >> /etc/security/pam_env.conf &&
unset ENV_PATH

Note

ENV_SUPATH is no longer supported. You must create a valid /root/.bashrc file to provide a modified path for the super-user.

Contents

A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/6.3/chapter06/shadow.html#contents-shadow.

Last updated on 2008-06-27 00:27:03 -0500