%general-entities; ]> Shadow-&shadow-version; Shadow <para>The Shadow package contains programs for handling passwords in a secure way.</para> </sect2> <sect2 role="installation"> <title>Installation of Shadow If you would like to enforce the use of strong passwords, refer to for installing Cracklib prior to building Shadow. Then add --with-libcrack to the configure command below. Create a config.cache containing information about a test that cannot be run when cross-compiling: echo "ac_cv_func_setpgrp_void=yes" > config.cache Prepare Shadow for compilation: ./configure --libdir=/lib --enable-shared \ --without-libpam --without-audit --without-selinux \ --host=${LFS_TARGET} --cache-file=config.cache The meaning of the configure options: --without-libpam Support for Linux-PAM is enabled by default in Shadow, however PAM is not installed on a base LFS system, so this switch disables PAM support in Shadow. For instructions to install PAM and link Shadow to it, you can look at . --without-audit Support for auditing is enabled by default, but a a library that it needs is not installed in a base LFS system. This switch disables auditing support. --without-selinux Support for selinux is enabled by default, but selinux is not built in a base LFS system and configure will fail without this switch. Disable the installation of the groups program and its man pages, as Coreutils provides a better version: cp src/Makefile{,.orig} sed 's/groups$(EXEEXT) //' src/Makefile.orig > src/Makefile cp man/Makefile{,.orig} sed '/groups/d' man/Makefile.orig > man/Makefile Compile the package: make Install the package: make DESTDIR=${LFS} install Shadow uses two files to configure authentication settings for the system. Install these two configuration files: /etc/limits /etc/login.access cp -v etc/{limits,login.access} ${LFS}/etc Instead of using the default crypt method, use the more secure MD5 method of password encryption, which also allows passwords longer than 8 characters. It is also necessary to change the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location used currently. Both of these can be accomplished by changing the relevant configuration file while copying it to its destination: /etc/login.defs sed -e's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \ -e 's@/var/spool/mail@/var/mail@' \ etc/login.defs > ${LFS}/etc/login.defs If you built Shadow with Cracklib support, execute this sed to correct the path to the Cracklib dictionary: cp {LFS}/etc/login.defs login.defs.orig sed 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' login.defs.orig > ${LFS}/etc/login.defs Move a misplaced program to its proper location: mv -v ${LFS}/usr/bin/passwd ${LFS}/bin Move Shadow's dynamic libraries to a more appropriate location: mv -v ${LFS}/lib/libshadow.*a ${LFS}/usr/lib rm -v ${LFS}/lib/libshadow.so ln -svf ../../lib/libshadow.so.0 ${LFS}/usr/lib/libshadow.so The option of the useradd program requires the /etc/default directory for it to work properly: install -dv ${LFS}/etc/default Configuring Shadow Shadow configuring This package contains utilities to add, modify, and delete users and groups; set and change their passwords; and perform other administrative tasks. For a full explanation of what password shadowing means, see the doc/HOWTO file within the unpacked source tree. If using Shadow support, keep in mind that programs which need to verify passwords (display managers, FTP programs, pop3 daemons, etc.) must be Shadow-compliant. That is, they need to be able to work with shadowed passwords. To enable shadowed passwords, run the following command: pwconv To enable shadowed group passwords, run: grpconv Under normal circumstances, passwords will not have been created yet. However, if returning to this section later to enable shadowing, reset any current user passwords with the passwd command or any group passwords with the gpasswd command. Setting the root password Choose a password for user root and set it by running: passwd root Contents of Shadow Installed programs Installed libraries chage, chfn, chpasswd, chsh, expiry, faillog, gpasswd, groupadd, groupdel, groupmod, grpck, grpconv, grpunconv, lastlog, login, logoutd, newgrp, newusers, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), useradd, userdel, usermod, vigr (link to vipw), and vipw libshadow.[a,so] Short Descriptions chage Used to change the maximum number of days between obligatory password changes chage chfn Used to change a user's full name and other information chfn chpasswd Used to update the passwords of an entire series of user accounts chpasswd chsh Used to change a user's default login shell chsh expiry Checks and enforces the current password expiration policy expiry faillog Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count faillog gpasswd Is used to add and delete members and administrators to groups gpasswd groupadd Creates a group with the given name groupadd groupdel Deletes the group with the given name groupdel groupmod Is used to modify the given group's name or GID groupmod grpck Verifies the integrity of the group files /etc/group and /etc/gshadow grpck grpconv Creates or updates the shadow group file from the normal group file grpconv grpunconv Updates /etc/group from /etc/gshadow and then deletes the latter grpunconv lastlog Reports the most recent login of all users or of a given user lastlog login Is used by the system to let users sign on login logoutd Is a daemon used to enforce restrictions on log-on time and ports logoutd newgrp Is used to change the current GID during a login session newgrp newusers Is used to create or update an entire series of user accounts newusers passwd Is used to change the password for a user or group account passwd pwck Verifies the integrity of the password files /etc/passwd and /etc/shadow pwck pwconv Creates or updates the shadow password file from the normal password file pwconv pwunconv Updates /etc/passwd from /etc/shadow and then deletes the latter pwunconv sg Executes a given command while the user's GID is set to that of the given group sg su Runs a shell with substitute user and group IDs su useradd Creates a new user with the given name, or updates the default new-user information useradd userdel Deletes the given user account userdel usermod Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc. usermod vigr Edits the /etc/group or /etc/gshadow files vigr vipw Edits the /etc/passwd or /etc/shadow files vipw libshadow Contains functions used by most programs in this package libshadow