Installing Shadow-4.0.3

Estimated build time:           0.4 SBU
Estimated required disk space:  11 MB

Contents of Shadow

The Shadow package was created to strengthen the security of system passwords.

Installed programs: chage, chfn, chpasswd, chsh, dpasswd, expiry, faillog, gpasswd, groupadd, groupdel, groupmod, groups, grpck, grpconv, grpunconv, lastlog, login, logoutd, mkpasswd, newgrp, newusers, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), useradd, userdel, usermod, vigr (link to vipw) and vipw

Shadow Installation Dependencies

Shadow depends on: Bash, Binutils, Bison, Coreutils, Diffutils, GCC, Gettext, Glibc, Grep, Make, Sed.

Installation of Shadow

The login, getty and init programs (and some others) maintain a number of logfiles to record who are and who were logged in to the system. These programs, however, don't create these logfiles when they don't exist, so if you want this logging to occur you will have to create the files yourself. The Shadow package needs to detect these files in their proper place, so we create them now, with their proper permissions:

touch /var/run/utmp /var/log/{btmp,lastlog,wtmp}
chmod 644 /var/run/utmp /var/log/{btmp,lastlog,wtmp}

The /var/run/utmp file lists the users that are currently logged in, the /var/log/wtmp file who were logged in and when. The /var/log/lastlog file shows for each user when he or she last logged in, and the /var/log/btmp lists the bad login attempts.

Shadow hard-wires the path to the passwd binary within the binary itself, but does this the wrong way. If a passwd binary is not present before installing Shadow, the package incorrectly assumes it is going to be located at /bin/passwd, but then installs it in /usr/bin/passwd. This will lead to errors about not finding /bin/passwd. To work around this bug, create a dummy passwd file, so that it gets hard-wired properly:

touch /usr/bin/passwd

The current Shadow suite has a problem that causes the newgrp command to fail. The following patch (also appearing in Shadow's CVS code) fixes this problem:

patch -Np1 -i ../shadow-4.0.3-newgrp-fix.patch

Now prepare Shadow for compilation:

./configure --prefix=/usr --libdir=/usr/lib --enable-shared

Compile the package:

make

And install it:

make install

Shadow uses two files to configure authentication settings for the system. Install these two config files:

cp etc/{limits,login.access} /etc

We want to change the password method to enable MD5 passwords which are theoretically more secure than the default "crypt" method and also allow password lengths greater than 8 characters. We also need to change the old /var/spool/mail location for user mailboxes to the current location at /var/mail. We do this by changing the relevant configuration file while copying it to its destination:

sed -e 's%/var/spool/mail%/var/mail%' \
    -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \
    etc/login.defs.linux > /etc/login.defs

Note: Be extra careful when typing all of the above. It is probably safer to cut-and-paste it rather than try and type it all in.

According to the man page of vipw, a vigr program should exist too. Since the installation procedure doesn't create this program, create a symlink manually:

ln -s vipw /usr/sbin/vigr

As the /bin/vipw symlink is redundant (and even pointing to a non-existent file), remove it:

rm /bin/vipw

Now move the sg program to its proper place:

mv /bin/sg /usr/bin

And move Shadow's dynamic libraries to a more appropriate location:

mv /usr/lib/lib{shadow,misc}.so.0* /lib

As some packages expect to find the just-moved libraries in /usr/lib, create the following symlinks:

ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so

Coreutils has already installed a groups program in /usr/bin. If you wish, you can remove the one installed by Shadow:

rm /bin/groups

Configuring Shadow

This package contains utilities to modify users' passwords, add or delete users and groups, and the like. We're not going to explain what 'password shadowing' means. A full explanation can be found in the doc/HOWTO file within the unpacked Shadow source tree. There's one thing to keep in mind if you decide to use Shadow support: programs that need to verify passwords (for example xdm, ftp daemons, pop3 daemons) need to be 'shadow-compliant', that is they need to be able to work with shadowed passwords.

To enable shadowed passwords, run the following command:

/usr/sbin/pwconv

And to enable shadowed group passwords, run the following command:

/usr/sbin/grpconv

Under normal circumstances, you won't have created any passwords yet. However, if returning to this section to enable shadowing, you should reset any current user passwords with the passwd command or any group passwords with the gpasswd command.