Introduction to Shadow

Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed CrackLib or Linux-PAM after your LFS system was completed. If you have installed CrackLib after LFS, then reinstalling Shadow will enable strong password support. If you have installed Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM.

This package is known to build and work properly using an LFS-8.4 platform.

Package Information

Shadow Dependencies


Linux-PAM-1.3.0 or CrackLib-2.9.6

User Notes:

Installation of Shadow



The installation commands shown below are for installations where Linux-PAM has been installed (with or without a CrackLib installation) and Shadow is being reinstalled to support the Linux-PAM installation.

If you are reinstalling Shadow to provide strong password support using the CrackLib library without using Linux-PAM, ensure you add the --with-libcrack parameter to the configure script below and also issue the following command:

sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs

Reinstall Shadow by running the following commands:

sed -i 's/groups$(EXEEXT) //' src/ &&

find man -name -exec sed -i 's/groups\.1 / /'   {} \; &&
find man -name -exec sed -i 's/getspnam\.3 / /' {} \; &&
find man -name -exec sed -i 's/passwd\.5 / /'   {} \; &&

       -e 's@/var/spool/mail@/var/mail@' etc/login.defs &&

sed -i 's/1000/999/' etc/useradd                           &&

./configure --sysconfdir=/etc --with-group-name-max-length=32 &&

This package does not come with a test suite.

Now, as the root user:

make install &&
mv -v /usr/bin/passwd /bin

Command Explanations

sed -i 's/groups$(EXEEXT) //' src/ This sed is used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.

find man -name -exec ... {} \;: This command is used to suppress the installation of the groups man pages so the existing ones installed from the Coreutils package are not replaced.

sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e 's@/var/spool/mail@/var/mail@' etc/login.defs: Instead of using the default 'DES' method, this command modifies the installation to use the more secure 'SHA512' method of hashing passwords, which also allows passwords longer than eight characters. It also changes the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location.

sed -i 's/1000/999/' etc/useradd: Make a minor change to make the default useradd consistent with the LFS groups file.

--with-group-name-max-length=32: The maximum user name is 32 characters. Make the maximum group name the same.

mv -v /usr/bin/passwd /bin: The passwd program may be needed during times when the /usr filesystem is not mounted so it is moved into the root partition.

Configuring Shadow

Shadow's stock configuration for the useradd utility may not be desirable for your installation. One default parameter causes useradd to create a mailbox file for any newly created user. useradd will make the group ownership of this file to the mail group with 0660 permissions. If you would prefer that these mailbox files are not created by useradd, issue the following command as the root user:

sed -i 's/yes/no/' /etc/default/useradd

Configuring Linux-PAM to Work with Shadow



The rest of this page is devoted to configuring Shadow to work properly with Linux-PAM. If you do not have Linux-PAM installed, and you reinstalled Shadow to support strong passwords via the CrackLib library, no further configuration is required.

Config Files

/etc/pam.d/* or alternatively /etc/pam.conf, /etc/login.defs and /etc/security/*

Configuration Information

Configuring your system to use Linux-PAM can be a complex task. The information below will provide a basic setup so that Shadow's login and password functionality will work effectively with Linux-PAM. Review the information and links on the Linux-PAM-1.3.0 page for further configuration information. For information specific to integrating Shadow, Linux-PAM and CrackLib, you can visit the following link:

Configuring /etc/login.defs

The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents). Issue the following commands as the root user:

install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in FAIL_DELAY               \
                FAILLOG_ENAB             \
                LASTLOG_ENAB             \
                MAIL_CHECK_ENAB          \
                OBSCURE_CHECKS_ENAB      \
                PORTTIME_CHECKS_ENAB     \
                QUOTAS_ENAB              \
                CONSOLE MOTD_FILE        \
                FTMP_FILE NOLOGINS_FILE  \
                ENV_HZ PASS_MIN_LEN      \
                SU_WHEEL_ONLY            \
                CRACKLIB_DICTPATH        \
                PASS_CHANGE_TRIES        \
                PASS_ALWAYS_WARN         \
                CHFN_AUTH ENCRYPT_METHOD \
    sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
Configuring the /etc/pam.d/ Files

As mentioned previously in the Linux-PAM instructions, Linux-PAM has two supported methods for configuration. The commands below assume that you've chosen to use a directory based configuration, where each program has its own configuration file. You can optionally use a single /etc/pam.conf configuration file by using the text from the files below, and supplying the program name as an additional first field for each line.

As the root user, replace the following Linux-PAM configuration files in the /etc/pam.d/ directory (or add the contents to the /etc/pam.conf file) using the following commands:

cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth      required

# Additional group memberships - disabled by default
#auth      optional

# include system auth settings
auth      include     system-auth

# check access for the user
account   required

# include system account settings
account   include     system-account

# Set default environment variables for the user
session   required

# Set resource limits for the user
session   required

# Display date of last login - Disabled by default
#session   optional

# Display the message of the day - Disabled by default
#session   optional

# Check user's mail - Disabled by default
#session   optional      standard quiet

# include system session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su

# always allow root
auth      sufficient

# Allow users in the wheel group to execute su without a password
# disabled by default
#auth      sufficient trust use_uid

# include system auth settings
auth      include     system-auth

# limit su to users in the wheel group
auth      required use_uid

# include system account settings
account   include     system-account

# Set default environment variables for the service user
session   required

# include system session settings
session   include     system-session

# End /etc/pam.d/su
cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage

# always allow root
auth      sufficient

# include system auth, account, and session settings
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required

# End /etc/pam.d/chage
Other common programs
for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}


At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. You can also run the test suite from the Linux-PAM package to assist you in determining the problem. If you cannot find and fix the error, you should recompile Shadow adding the --without-libpam switch to the configure command in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.

Configuring Login Access

Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:

[ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}
Configuring Resource Limits

Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command:

[ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}


Be sure to test the login capabilities of the system before logging out. Errors in the configuration can cause a permanent lockout requiring a boot from an external source to correct the problem.


A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/development/chapter06/shadow.html#contents-shadow .

Last updated on 2019-02-15 15:01:29 -0600