Contents
A list of the installed files, along with their short descriptions can be found at http://www.linuxfromscratch.org/lfs/view/7.7/chapter06/shadow.html#contents-shadow.
Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed CrackLib or Linux-PAM after your LFS system was completed. If you have installed CrackLib after LFS, then reinstalling Shadow will enable strong password support. If you have installed Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM.
This package is known to build and work properly using an LFS-7.7 platform.
Download (HTTP): http://pkg-shadow.alioth.debian.org/releases/shadow-4.2.1.tar.xz
Download MD5 sum: 2bfafe7d4962682d31b5eba65dba4fc8
Download size: 1.5 MB
Estimated disk space required: 53 MB
Estimated build time: 0.2 SBU
Optional: Linux-PAM-1.1.8 or CrackLib-2.9.2
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/shadow
Important: The installation commands shown below are for installations where Linux-PAM has been installed (with or without a CrackLib installation) and Shadow is being reinstalled to support the Linux-PAM installation. If you are reinstalling Shadow to provide strong password support using the CrackLib library without using Linux-PAM, ensure you add the --with-libcrack parameter to the configure script below and also issue the following command:
sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs
Reinstall Shadow by running the following commands:
sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
       -e 's@/var/spool/mail@/var/mail@' etc/login.defs &&
sed -i 's/1000/999/' etc/useradd &&
./configure --sysconfdir=/etc --with-group-name-max-length=32 &&
make
This package does not come with a test suite.

Now, as the root user:
make install && mv -v /usr/bin/passwd /bin
sed -i 's/groups$(EXEEXT) //' src/Makefile.in: This sed is used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.
find man -name Makefile.in -exec ... {} \;: This command is used to suppress the installation of the groups man pages so the existing ones installed from the Coreutils package are not replaced.
sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e 's@/var/spool/mail@/var/mail@' etc/login.defs: Instead of using the default 'DES' method, this command modifies the installation to use the more secure 'SHA512' method of hashing passwords, which also allows passwords longer than eight characters (DES crypt silently ignores everything after the eighth character). It also changes the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location.
        
sed -i 's/1000/999/' etc/useradd: The shipped useradd defaults file sets GROUP=1000. This changes it to 999 so that the default primary group for new users matches the users group (GID 999) in the /etc/group file created during LFS.
--with-group-name-max-length=32: The maximum user name is 32 characters. Make the maximum group name the same.

mv -v /usr/bin/passwd /bin: The passwd program may be needed during times when the /usr filesystem is not mounted so it is moved into the root partition.
        
Shadow's stock configuration for the useradd utility may not be desirable for your installation. One default parameter causes useradd to create a mailbox file for any newly created user. useradd will make the group ownership of this file the mail group with 0660 permissions. If you would prefer that these mailbox files are not created by useradd, issue the following command as the root user:
sed -i 's/yes/no/' /etc/default/useradd
Note: The rest of this page is devoted to configuring Shadow to work properly with Linux-PAM. If you do not have Linux-PAM installed, and you reinstalled Shadow to support strong passwords via the CrackLib library, no further configuration is required.
Configuring your system to use Linux-PAM can be a complex task. The information below will provide a basic setup so that Shadow's login and password functionality will work effectively with Linux-PAM. Review the information and links on the Linux-PAM-1.1.8 page for further configuration information. For information specific to integrating Shadow, Linux-PAM and CrackLib, you can visit the following link:
The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents). Issue the following commands as the root user:
install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in FAIL_DELAY               \
                FAILLOG_ENAB             \
                LASTLOG_ENAB             \
                MAIL_CHECK_ENAB          \
                OBSCURE_CHECKS_ENAB      \
                PORTTIME_CHECKS_ENAB     \
                QUOTAS_ENAB              \
                CONSOLE MOTD_FILE        \
                FTMP_FILE NOLOGINS_FILE  \
                ENV_HZ PASS_MIN_LEN      \
                SU_WHEEL_ONLY            \
                CRACKLIB_DICTPATH        \
                PASS_CHANGE_TRIES        \
                PASS_ALWAYS_WARN         \
                CHFN_AUTH ENCRYPT_METHOD \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
done
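The loop above matches each key only by its leading characters, so after running it you may want to confirm that nothing PAM-handled is still active before rebooting. The following is an added example, not part of the BLFS page: it lists the keys from that loop which remain uncommented in a login.defs file, and offers a variant of the same commenting step that matches the key as a whole word (so CONSOLE cannot also hit CONSOLE_GROUPS). The file path is a parameter; no other names are assumed.

```shell
# Added example, not from the BLFS page or the Shadow package: the list of
# login.defs keys that Linux-PAM modules take over (the same set as the loop
# above), a checker for keys still active, and a whole-word commenting step.
PAM_HANDLED_KEYS="FAIL_DELAY FAILLOG_ENAB LASTLOG_ENAB MAIL_CHECK_ENAB
OBSCURE_CHECKS_ENAB PORTTIME_CHECKS_ENAB QUOTAS_ENAB CONSOLE MOTD_FILE
FTMP_FILE NOLOGINS_FILE ENV_HZ PASS_MIN_LEN SU_WHEEL_ONLY CRACKLIB_DICTPATH
PASS_CHANGE_TRIES PASS_ALWAYS_WARN CHFN_AUTH ENCRYPT_METHOD ENVIRON_FILE"

# Print, one per line, every PAM-handled key that is still set (not commented
# out) in the login.defs file given as $1. Prints nothing when all are off.
# The key must be followed by whitespace or end of line, so CONSOLE does not
# match CONSOLE_GROUPS.
active_pam_handled_keys() {
    file=$1
    for key in $PAM_HANDLED_KEYS; do
        if grep -Eq "^[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
            printf '%s\n' "$key"
        fi
    done
}

# Comment out the PAM-handled keys in $1, keeping a $1.orig backup if one
# does not exist yet. Writes through a temporary file instead of sed -i so it
# also works with non-GNU sed.
disable_pam_handled_keys() {
    file=$1
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    for key in $PAM_HANDLED_KEYS; do
        sed -E "s/^${key}([[:space:]]|\$)/# ${key}\1/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    done
}

# Usage (as root, after the loop above):
#   active_pam_handled_keys /etc/login.defs
# An empty result means login has handed all of these over to PAM.
```

Run the checker on /etc/login.defs; any key it prints is one that login will still act on itself alongside the PAM module that now owns that function.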
          
As mentioned previously in the Linux-PAM instructions, Linux-PAM has two supported methods for configuration. The commands below assume that you've chosen to use a directory based configuration, where each program has its own configuration file. You can optionally use a single /etc/pam.conf configuration file by using the text from the files below, and supplying the program name as an additional first field for each line.

As the root user, replace the following Linux-PAM configuration files in the /etc/pam.d/ directory (or add the contents to the /etc/pam.conf file) using the following commands:
cat > /etc/pam.d/system-account << "EOF"
# Begin /etc/pam.d/system-account
account   required    pam_unix.so
# End /etc/pam.d/system-account
EOF
          
cat > /etc/pam.d/system-auth << "EOF"
# Begin /etc/pam.d/system-auth
auth      required    pam_unix.so
# End /etc/pam.d/system-auth
EOF
          
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password
# check new passwords for strength (man pam_cracklib)
password  required    pam_cracklib.so   type=Linux retry=3 difok=5 \
                                        difignore=23 minlen=9 dcredit=1 \
                                        ucredit=1 lcredit=1 ocredit=1 \
                                        dictpath=/lib/cracklib/pw_dict
# use sha512 hash for encryption, use shadow, and use the
# authentication token (chosen password) set by pam_cracklib
# above (or any previous modules)
password  required    pam_unix.so       sha512 shadow use_authtok
# End /etc/pam.d/system-password
EOF
Note: In the configuration above each of dcredit, ucredit, lcredit and ocredit is 1, and pam_cracklib adds one point to a password's score for every character class that is present. A password containing a digit, an upper-case letter, a lower-case letter and a punctuation character therefore scores four points above its length and satisfies minlen=9 at only five characters (cracklib's own dictionary and length checks still apply on top of this). Review the pam_cracklib(8) man page and determine whether these values are acceptable for the security of your system; raising minlen, or setting the credits to 0 so that minlen becomes a literal length, tightens the check.
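To see exactly how much the credits buy, the following added example (not from the BLFS page or from pam_cracklib itself) reproduces the length-plus-credits arithmetic that pam_cracklib applies before comparing against minlen, using the values from the system-password file above as defaults. It models only the score check, not cracklib's dictionary lookup or the difok/difignore comparison with the old password, so a score that passes here can still be rejected as a dictionary word.

```shell
# Added example, not part of the BLFS page or pam_cracklib: the credit
# arithmetic pam_cracklib uses. For each class (digit, upper, lower, other)
# with a positive credit, the score is the password length plus
# min(characters of that class, credit). Negative credits (which demand a
# minimum count instead) are not modelled.

# Number of characters of $1 in the tr class $2 (for example '[:digit:]').
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# Credit earned: $1 = characters present in the class, $2 = credit setting.
credit_for() {
    if [ "$2" -gt 0 ] && [ "$1" -gt 0 ]; then
        if [ "$1" -lt "$2" ]; then echo "$1"; else echo "$2"; fi
    else
        echo 0
    fi
}

# Usage: pam_cracklib_score PASSWORD [dcredit ucredit lcredit ocredit]
# Defaults match the module line above: dcredit=1 ucredit=1 lcredit=1 ocredit=1.
pam_cracklib_score() {
    pw=$1; dcredit=${2:-1}; ucredit=${3:-1}; lcredit=${4:-1}; ocredit=${5:-1}
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    digits=$(count_class "$pw" '[:digit:]')
    uppers=$(count_class "$pw" '[:upper:]')
    lowers=$(count_class "$pw" '[:lower:]')
    others=$((len - digits - uppers - lowers))   # punctuation, space, etc.
    dc=$(credit_for "$digits" "$dcredit")
    uc=$(credit_for "$uppers" "$ucredit")
    lc=$(credit_for "$lowers" "$lcredit")
    oc=$(credit_for "$others" "$ocredit")
    echo $((len + dc + uc + lc + oc))
}

# Returns 0 when PASSWORD ($1) reaches minlen ($2) under the default credits.
passes_minlen() {
    [ "$(pam_cracklib_score "$1")" -ge "$2" ]
}

# Example: a five-character password with all four classes reaches minlen=9,
# and so does the eight lower-case letters of "password" (8 + 1 credit); only
# the dictionary check stands between that one and acceptance.
pam_cracklib_score 'aB1!x'
pam_cracklib_score 'password'
pam_cracklib_score 'aB1!x' 0 0 0 0
```

Running the last three lines prints 9, 9 and 5: with the credits disabled the same five-character password falls four short of minlen=9.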
              
If CrackLib is not installed, create the system-password file without the pam_cracklib strength check instead:

cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password
# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password  required    pam_unix.so       sha512 shadow try_first_pass
# End /etc/pam.d/system-password
EOF
          
cat > /etc/pam.d/system-session << "EOF"
# Begin /etc/pam.d/system-session
session   required    pam_unix.so
# End /etc/pam.d/system-session
EOF
          
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login
# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000
# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so
# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth      required    pam_securetty.so
# Additional group memberships - disabled by default
#auth      optional    pam_group.so
# include the default auth settings
auth      include     system-auth
# check access for the user
account   required    pam_access.so
# include the default account settings
account   include     system-account
# Set default environment variables for the user
session   required    pam_env.so
# Set resource limits for the user
session   required    pam_limits.so
# Display date of last login - Disabled by default
#session   optional    pam_lastlog.so
# Display the message of the day - Disabled by default
#session   optional    pam_motd.so
# Check user's mail - Disabled by default
#session   optional    pam_mail.so      standard quiet
# include the default session and password settings
session   include     system-session
password  include     system-password
# End /etc/pam.d/login
EOF
          
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password  include     system-password
# End /etc/pam.d/passwd
EOF
          
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su
# always allow root
auth      sufficient  pam_rootok.so
auth      include     system-auth
# include the default account settings
account   include     system-account
# Set default environment variables for the service user
session   required    pam_env.so
# include system session defaults
session   include     system-session
# End /etc/pam.d/su
EOF
          
cat > /etc/pam.d/chage << "EOF"
#Begin /etc/pam.d/chage
# always allow root
auth      sufficient  pam_rootok.so
# include system defaults for auth account and session
auth      include     system-auth
account   include     system-account
session   include     system-session
# Always permit for authentication updates
password  required    pam_permit.so
# End /etc/pam.d/chage
EOF
          
for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done
Warning: At this point, you should do a simple test to see if Shadow is working as expected. Keep the root shell you are working in open, then open another terminal, log in as a user and su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. You can also run the test suite from the Linux-PAM package to assist you in determining the problem. If you cannot find and fix the error, you should recompile Shadow adding the --without-libpam switch to the configure command in the above instructions (also move the /etc/login.defs.orig backup file back to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.
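Before trying the interactive su test it is worth confirming that every module and include named in the files you just wrote actually resolves, because a misspelled module or an include of a file that was never created makes PAM fail closed for that service. The following added example (not part of the BLFS page) walks a pam.d directory and reports unresolved references; the module directory is passed as a parameter (on an LFS system this is normally /lib/security, which is an assumption about the Linux-PAM installation, not something this page states). Only the simple "type control module arguments" line form used on this page is parsed; bracketed [success=ok ...] control values are not handled.

```shell
# Added example, not from the BLFS page: list PAM modules and include targets
# referenced from a pam.d directory that do not exist on disk.
#   $1 = pam.d directory (e.g. /etc/pam.d)
#   $2 = directory holding the pam_*.so modules (e.g. /lib/security)
# Output lines are "module NAME" or "include NAME", sorted and unique;
# no output means every reference resolved.
pam_missing_refs() {
    pamdir=$1
    moddir=$2
    for f in "$pamdir"/*; do
        [ -f "$f" ] || continue
        awk -v pamdir="$pamdir" -v moddir="$moddir" '
            /^[[:space:]]*#/ || NF < 3 { next }     # comments and short lines
            $2 == "include" {                       # e.g. "auth include system-auth"
                if (system("test -f \"" pamdir "/" $3 "\"") != 0)
                    print "include " $3
                next
            }
            $3 ~ /\.so$/ {                          # e.g. "auth required pam_unix.so"
                if (system("test -f \"" moddir "/" $3 "\"") != 0)
                    print "module " $3
            }' "$f"
    done | sort -u
}

# Usage on a live system (as root), before the su test above:
#   pam_missing_refs /etc/pam.d /lib/security
```

Continuation lines of the pam_cracklib entry (those holding only option=value pairs) do not end in .so and are ignored, so the multi-line form used in system-password is handled correctly.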
              
Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required:
cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other
auth        required        pam_warn.so
auth        required        pam_deny.so
account     required        pam_warn.so
account     required        pam_deny.so
password    required        pam_warn.so
password    required        pam_deny.so
session     required        pam_warn.so
session     required        pam_deny.so
# End /etc/pam.d/other
EOF
          
Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:
[ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}
Last updated on 2015-02-22 14:34:08 -0800