Installing Shadow-4.0.4.1

The Shadow package contains programs for handling passwords in a secure way.

Approximate build time:  0.4 SBU
Required disk space:     11 MB

Official download location for Shadow (4.0.4.1):
ftp://ftp.pld.org.pl/software/shadow/

For its installation Shadow depends on: Bash, Binutils, Bison, Coreutils, Diffutils, GCC, Gettext, Glibc, Grep, Make, Sed.

Installation of Shadow

Shadow hard-wires the path to the passwd binary into its other programs at configure time, but determines that path the wrong way: configure looks for an existing passwd binary, and if none is present it falls back to /bin/passwd, even though make install will put the new one in /usr/bin/passwd. The result is runtime errors about a missing /bin/passwd. To work around this bug, create an empty placeholder at the real location before running configure, so that the correct path gets hard-wired:

touch /usr/bin/passwd

Now prepare Shadow for compilation:

./configure --libdir=/usr/lib --enable-shared

Work around a problem that prevents Shadow's internationalization from working:

echo '#define HAVE_SETLOCALE 1' >> config.h

Compile the package:

make

And install it:

make install

Shadow reads two optional configuration files that are not installed by make install: /etc/limits (per-user resource limits applied at login) and /etc/login.access (rules for which users may log in from which hosts or ttys). Install the supplied defaults:

cp etc/{limits,login.access} /etc

We want to change the password hashing method from the default DES-based "crypt", which uses only the first 8 characters of a password and a 12-bit salt, to MD5-based crypt, which hashes the whole password with a longer salt and therefore allows passwords longer than 8 characters. We also need to change the old /var/spool/mail location for user mailboxes to the current location at /var/mail. We do both by editing the relevant configuration file while copying it to its destination:

sed -e 's%/var/spool/mail%/var/mail%' \
    -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \
    etc/login.defs.linux > /etc/login.defs

Note: Be extra careful when typing all of the above. It is probably safer to cut-and-paste it rather than try and type it all in.
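Because a typo in that sed expression silently leaves the default in place, it pays to try the rewrite on a copy and check the result before anything lands in /etc. The following is an added example, not part of the LFS book or the Shadow package: it builds a constructed fragment that mimics the relevant lines of etc/login.defs.linux, applies the same two edits, and verifies them. It differs from the book's expression in one respect: it matches the whitespace after MD5_CRYPT_ENAB with [[:space:]]* instead of a single '.', so it works whether the file uses a tab or spaces there.

```shell
#!/bin/sh
# Added example (not from the LFS book): rehearse and verify the login.defs
# edits on temporary files before writing /etc/login.defs.

# Constructed fragment resembling etc/login.defs.linux; only the two settings
# the book changes, plus one unrelated line, are included.
make_sample_login_defs() {
    # $1: path to write
    printf 'MAIL_DIR\t/var/spool/mail\n\n#MD5_CRYPT_ENAB\tno\n\nPASS_MAX_DAYS\t99999\n' > "$1"
}

# The book's rewrite, with [[:space:]]* so a tab or run of spaces after the
# keyword both match (the book's '.' matches exactly one character).
rewrite_login_defs() {
    # $1: source file, $2: destination file
    sed -e 's%/var/spool/mail%/var/mail%' \
        -e 's%^#MD5_CRYPT_ENAB[[:space:]]*no%MD5_CRYPT_ENAB yes%' \
        "$1" > "$2"
}

# Return 0 only if both settings are present, uncommented and correct.
check_login_defs() {
    # $1: file to check
    grep -Eq '^MAIL_DIR[[:space:]]+/var/mail$' "$1" \
        || { echo "$1: MAIL_DIR is not /var/mail" >&2; return 1; }
    grep -Eq '^MD5_CRYPT_ENAB[[:space:]]+yes$' "$1" \
        || { echo "$1: MD5_CRYPT_ENAB is not enabled" >&2; return 1; }
    ! grep -q '/var/spool/mail' "$1" \
        || { echo "$1: stale /var/spool/mail reference remains" >&2; return 1; }
    return 0
}

# Demonstration on temporary files; /etc is never touched.
demo() {
    tmp=$(mktemp -d)
    make_sample_login_defs "$tmp/login.defs.linux"
    rewrite_login_defs "$tmp/login.defs.linux" "$tmp/login.defs"
    if check_login_defs "$tmp/login.defs"; then
        echo "login.defs OK"
    else
        echo "login.defs NOT OK"
    fi
    rm -rf "$tmp"
}

demo
```

To check the real file after the copy, run check_login_defs /etc/login.defs; a non-zero exit and a message on stderr tell you which setting did not take.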

Move some misplaced symlinks to their proper locations:

mv /bin/sg /usr/bin
mv /bin/vigr /usr/sbin

And move Shadow's dynamic libraries to a more appropriate location:

mv /usr/lib/lib{shadow,misc}.so.0* /lib

As some packages expect to find the just-moved libraries in /usr/lib, create the following symlinks:

ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so

The -D option of useradd reads and writes its defaults in /etc/default/useradd, so that directory must exist:

mkdir /etc/default

Coreutils has already installed a better groups program in /usr/bin. Remove the one installed by Shadow:

rm /bin/groups

Configuring Shadow

This package contains utilities to modify users' passwords, add or delete users and groups, and the like. Password shadowing moves the password hashes out of the world-readable /etc/passwd into /etc/shadow, which only root can read, so that ordinary users cannot copy the hashes and attack them offline. A full explanation can be found in the doc/HOWTO file within the unpacked Shadow source tree. There is one thing to keep in mind if you decide to use Shadow support: programs that need to verify passwords (for example xdm, ftp daemons, pop3 daemons) need to be 'shadow-compliant', that is, they need to be able to work with shadowed passwords.

To enable shadowed passwords, run the following command:

/usr/sbin/pwconv

And to enable shadowed group passwords, run the following command:

/usr/sbin/grpconv

Under normal circumstances, you won't have created any passwords yet. However, if you are returning to this section to enable shadowing, you should reset any current user passwords with the passwd command and any group passwords with the gpasswd command.
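Whether you run pwconv and grpconv now or later, it is worth confirming that the conversion actually took effect: every password field in /etc/passwd and /etc/group should read 'x', no account in /etc/shadow should have an empty hash (which permits login with no password at all), and the shadow files must not be readable by others. The following is an added example, not part of the LFS book or the Shadow package. Its checks take file paths as arguments so they can be exercised on constructed copies first; the sample files below are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the LFS book): audit a passwd/shadow or
# group/gshadow pair after pwconv/grpconv.

# Print every entry whose password field is anything other than the shadow
# marker 'x'. Anything else (a hash, an empty field, a '*' or '!' lock) means
# the entry was not converted and is exposed in the world-readable file.
unshadowed_entries() {
    # $1: passwd- or group-format file (name:password:...)
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Print every entry in a shadow-format file whose hash field is empty,
# i.e. an account that can log in without a password.
empty_shadow_passwords() {
    # $1: shadow- or gshadow-format file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Return 0 if the "other" permission bits of the file are all clear,
# as they must be for /etc/shadow and /etc/gshadow (-rw------- or -rw-r-----).
not_world_readable() {
    # $1: file to check
    mode=$(ls -ld "$1" | cut -c8-10)
    [ "$mode" = "---" ]
}

# Run all three checks on a pair of files; print findings, return 0 when clean.
audit_pair() {
    # $1: world-readable file (passwd or group), $2: its shadow counterpart
    rc=0
    for name in $(unshadowed_entries "$1"); do
        echo "$1: $name is not shadowed"; rc=1
    done
    for name in $(empty_shadow_passwords "$2"); do
        echo "$2: $name has an empty password"; rc=1
    done
    not_world_readable "$2" || { echo "$2 is readable by others"; rc=1; }
    return $rc
}

# Demonstration on constructed files: 'bob' was never converted and
# 'guest' has an empty hash, so both are reported.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nbob:$1$abcdefgh$0123456789abcdefghijkl:1000:1000::/home/bob:/bin/bash\nguest:x:1001:1001::/home/guest:/bin/bash\n' > "$tmp/passwd"
    printf 'root:$1$abcdefgh$0123456789abcdefghijkl:12345:0:99999:7:::\nguest::12345:0:99999:7:::\n' > "$tmp/shadow"
    chmod 600 "$tmp/shadow"
    if audit_pair "$tmp/passwd" "$tmp/shadow"; then
        echo "clean"
    else
        echo "see findings above"
    fi
    rm -rf "$tmp"
}

demo
```

On the installed system, run audit_pair /etc/passwd /etc/shadow and audit_pair /etc/group /etc/gshadow as root; the same checks are what pwck and grpck would complain about, but this makes the password-exposure cases explicit.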

Setting the root password

Choose a password for user root and set it by running the following command:

passwd root

Contents of Shadow

Installed programs: chage, chfn, chpasswd, chsh, dpasswd, expiry, faillog, gpasswd, groupadd, groupdel, groupmod, groups, grpck, grpconv, grpunconv, lastlog, login, logoutd, mkpasswd, newgrp, newusers, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), useradd, userdel, usermod, vigr (link to vipw) and vipw

Short descriptions

chage is used to change the maximum number of days between obligatory password changes.

chfn is used to change a user's full name and some other info.

chpasswd is used to update the passwords of a whole series of user accounts in one go.

chsh is used to change a user's default login shell.

dpasswd is used to change dial-up passwords for user login shells.

expiry checks and enforces the current password expiration policy.

faillog is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count.

gpasswd is used to add members and administrators to groups and to remove them.

groupadd creates a group with the given name.

groupdel deletes the group with the given name.

groupmod is used to modify the given group's name or GID.

groups reports the groups of which the given users are members.

grpck verifies the integrity of the group files, /etc/group and /etc/gshadow.

grpconv creates or updates the shadow group file from the normal group file.

grpunconv updates /etc/group from /etc/gshadow and then deletes the latter.

lastlog reports the most recent login of all users, or of a given user.

login is used by the system to let users sign on.

logoutd is a daemon used to enforce restrictions on log-on time and ports.

mkpasswd hashes the given password using the given salt (perturbation).

newgrp is used to change the current GID during a login session.

newusers is used to create or update a whole series of user accounts in one go.

passwd is used to change the password for a user or group account.

pwck verifies the integrity of the password files, /etc/passwd and /etc/shadow.

pwconv creates or updates the shadow password file from the normal password file.

pwunconv updates /etc/passwd from /etc/shadow and then deletes the latter.

sg executes a given command while the user's GID is set to that of the given group.

useradd creates a new user with the given name, or updates the default new-user information.

userdel deletes the given user account.

usermod is used to modify the given user's login name, UID, shell, initial group, home directory, and the like.

vigr can be used to edit the /etc/group or /etc/gshadow files.

vipw can be used to edit the /etc/passwd or /etc/shadow files.

libmisc...

libshadow contains functions used by most programs in this package.