Shadow-4.0.4.1

Introduction to Shadow

Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed Linux-PAM. If you did, this will allow programs like login and su to utilize PAM.

Package information

Additional downloads

Shadow dependencies

Required

Linux-PAM-0.78

Installation of Shadow

Reinstall Shadow by running the following commands:

patch -Np1 -i ../shadow-4.0.4.1-pam-1.patch &&
LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
    --enable-shared --with-libpam --without-libcrack &&
echo '#define HAVE_SETLOCALE 1' >> config.h &&
sed -i '/extern char/d' libmisc/xmalloc.c &&
make

Now, as the root user:

make install &&
mv /bin/sg /usr/bin &&
mv /bin/vigr /usr/sbin &&
mv /usr/bin/passwd /bin &&
rm /bin/groups &&
mv /usr/lib/lib{misc,shadow}.so.0* /lib &&
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so

Command explanations

--without-libcrack: This switch tells Shadow not to use libcrack. This is desired as Linux-PAM already contains libcrack.

sed -i '/extern char/d' libmisc/xmalloc.c: This fixes a compilation problem when using GCC-3.4.x.

Configuring Linux-PAM to work with Shadow

Config files

/etc/pam.d/login, /etc/pam.d/passwd, /etc/pam.d/su, /etc/pam.d/shadow, /etc/pam.d/useradd, and /etc/pam.d/chage – alternatively, /etc/pam.conf

Configuration Information

Add the following Linux-PAM configuration files to /etc/pam.d/ (or add them to /etc/pam.conf with the additional field for the program).

cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so     dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so

# End /etc/pam.d/login
EOF
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password    required       pam_unix.so     md5 shadow 

# End /etc/pam.d/passwd
EOF
cat > /etc/pam.d/shadow << "EOF"
# Begin /etc/pam.d/shadow

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/shadow
EOF
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so

# End /etc/pam.d/su
EOF
cat > /etc/pam.d/useradd << "EOF"
# Begin /etc/pam.d/useradd

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/useradd
EOF
cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/chage
EOF
Note

If you've installed cracklib, replace /etc/pam.d/passwd with the following:

cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password    required    pam_cracklib.so     \
    retry=3  difok=8  minlen=5  dcredit=3  ocredit=3  ucredit=2  lcredit=2
password    required    pam_unix.so     md5 shadow use_authtok

# End /etc/pam.d/passwd
EOF
Warning

At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double-check the above configuration files manually. If you cannot find and fix the error, you should recompile Shadow, replacing --with-libpam with --without-libpam in the above instructions. If you fail to do this and the errors remain, you will be unable to log into your system.

Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use programs that do not specifically have a configuration file of their own. After testing Linux-PAM for proper configuration, it can be changed to the following:

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
session     required        pam_deny.so
password    required        pam_deny.so
password    required        pam_warn.so

# End /etc/pam.d/other
EOF
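
Before relying on the files above for login, a syntax check catches the kind of typo that would lock you out. The following lint script is an added example, not part of the book; it assumes POSIX sh plus mktemp, takes a directory to check as its first argument, and otherwise runs against a small constructed pam.d tree of its own.

```sh
#!/bin/sh
# Added example, not from the BLFS book: lint a pam.d directory before trusting it
# for login. Every non-comment line must read "type control module [args]" with a
# known type and control word (backslash continuations are joined first); each
# service the book configures must carry an auth stack (passwd: a password stack);
# and the fallback file "other" must reach pam_deny.so for all four groups.

pam_check_file() {            # $1 = service file; returns 1 on the first malformed line
    _f=$1; _acc=''
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in *\\) _acc="$_acc${_line%\\} "; continue ;; esac
        _line="$_acc$_line"; _acc=''
        set -- $_line                          # split the entry into its fields
        [ $# -eq 0 ] && continue
        case "$1" in \#*) continue ;; esac
        [ $# -ge 3 ] || return 1
        case "$1" in auth|account|session|password) ;; *) return 1 ;; esac
        case "$2" in required|requisite|sufficient|optional) ;; *) return 1 ;; esac
        case "$3" in *.so) ;; *) return 1 ;; esac
    done < "$_f"
    return 0
}

pam_other_denies() {          # $1 = the "other" file: every group must hit pam_deny.so
    for _g in auth account session password; do
        grep -q "^[[:space:]]*$_g[[:space:]].*pam_deny\.so" "$1" || return 1
    done
}
pam_check_dir() {             # $1 = directory holding the service files (e.g. a staging copy)
    for _s in login passwd su shadow useradd chage other; do
        [ -f "$1/$_s" ] || { echo "missing $1/$_s"; return 1; }
        pam_check_file "$1/$_s" || { echo "malformed line in $1/$_s"; return 1; }
        if [ "$_s" = passwd ]; then _t=password; else _t=auth; fi
        grep -q "^[[:space:]]*$_t[[:space:]]" "$1/$_s" || { echo "no $_t stack in $1/$_s"; return 1; }
    done
    pam_other_denies "$1/other" || { echo "$1/other does not deny by default"; return 1; }
}

make_sample_pamd() {          # constructed minimal pam.d tree for a dry run; prints its path
    _d=$(mktemp -d)
    for _s in login su shadow useradd chage; do
        printf 'auth required pam_unix.so\naccount required pam_unix.so\nsession required pam_unix.so\n' > "$_d/$_s"
    done
    printf 'password required pam_cracklib.so \\\n    retry=3 minlen=5\npassword required pam_unix.so md5 shadow use_authtok\n' > "$_d/passwd"
    printf 'auth required pam_deny.so\naccount required pam_deny.so\nsession required pam_deny.so\npassword required pam_deny.so\n' > "$_d/other"
    echo "$_d"
}

pam_check_dir "${1:-$(make_sample_pamd)}" && echo "pam.d check passed"
```

Run it as `sh pamcheck.sh /etc/pam.d` after writing the files; it prints the first problem it finds and exits non-zero, or "pam.d check passed".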

Finally, edit /etc/login.defs by adding '#' to the beginning of the following lines:

LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE

This stops login from performing these functions, as they will now be performed by PAM modules. Additionally, add a '#' to the beginning of the following lines if you've installed cracklib:

OBSCURE_CHECKS_ENAB
CRACKLIB_DICTPATH
PASS_CHANGE_TRIES
PASS_ALWAYS_WARN
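
The same edits can be applied by script instead of by hand. The following is an added example, not the book's own commands; it assumes GNU sed (for -i) and mktemp, takes the path of login.defs as its first argument, honours WITH_CRACKLIB=yes for the second list, and otherwise rehearses on a constructed excerpt of its own.

```sh
#!/bin/sh
# Added example, not from the BLFS book: comment out the /etc/login.defs options
# that the PAM-enabled login no longer honours, as the book asks you to do by hand.
# A line is touched only when it starts with exactly one listed key followed by
# whitespace or end of line, so CONSOLE does not also hit CONSOLE_GROUPS, and
# lines that are already commented are left alone, so a rerun changes nothing.

PAM_HANDLED_KEYS='LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE
NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS ENVIRON_FILE'
CRACKLIB_HANDLED_KEYS='OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH PASS_CHANGE_TRIES PASS_ALWAYS_WARN'

disable_login_defs_keys() {   # $1 = login.defs path; remaining args = keys to comment out
    _f=$1; shift
    for _k in "$@"; do
        sed -i -e "s/^\([[:space:]]*\)$_k\([[:space:]]\)/\1#$_k\2/" \
               -e "s/^\([[:space:]]*\)$_k\$/\1#$_k/" "$_f"
    done
}

login_defs_key_active() {     # $1 = login.defs path, $2 = key; true if an uncommented line sets it
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

make_sample_login_defs() {    # constructed excerpt of a login.defs file; prints its path
    _f=$(mktemp)
    printf '%s\n' 'MAIL_DIR        /var/mail' 'CONSOLE         /etc/securetty' \
        'CONSOLE_GROUPS  floppy:audio' 'PASS_MIN_LEN    5' '#MOTD_FILE      /etc/motd' \
        'OBSCURE_CHECKS_ENAB yes' 'UMASK           022' > "$_f"
    echo "$_f"
}

# Edit the file given as $1 (or the constructed sample); set WITH_CRACKLIB=yes to
# also silence the checks that pam_cracklib.so now performs.
_defs=${1:-$(make_sample_login_defs)}
disable_login_defs_keys "$_defs" $PAM_HANDLED_KEYS
if [ "${WITH_CRACKLIB:-no}" = yes ]; then disable_login_defs_keys "$_defs" $CRACKLIB_HANDLED_KEYS; fi
for _k in $PAM_HANDLED_KEYS; do login_defs_key_active "$_defs" "$_k" && echo "still active: $_k"; done
```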

Contents

A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/6.0/chapter06/shadow.html#contents-shadow.

Last updated on 2005-03-04 14:08:15 -0700