The Shadow package contains programs for handling passwords in a secure way.
![[Note]](../images/note.png)
If you would like to enforce the use of strong passwords, refer
to
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cracklib.html
for installing Cracklib prior to building Shadow. Then add
--with-libcrack to the
configure command
below.
Fix a bug in the useradd and usermod programs which prevent
them from accepting group names rather than group ID numbers to the
-g option:
patch -Np1 -i ../shadow-4.0.18.1-useradd_fix-2.patch
Prepare Shadow for compilation:
./configure --libdir=/lib --sysconfdir=/etc --enable-shared \
--without-selinux
The meaning of the configure options:
--without-selinux
Support for selinux is enabled by default, but selinux is not built in a base LFS system. The configure script will fail if this option is not used.
Disable the installation of the groups program and its man pages, as Coreutils provides a better version:
sed -i 's/groups$(EXEEXT) //' src/Makefile
find man -name Makefile -exec sed -i '/groups/d' {} \;
Disable the installation of Chinese and Korean manual pages, since Man-DB cannot format them properly:
sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile
Shadow supplies other manual pages in a UTF-8 encoding. Man-DB can display these in the recommended encodings by using the convert-mans script which we installed.
for i in de es fi fr id it pt_BR; do
convert-mans UTF-8 ISO-8859-1 man/${i}/*.?
done
for i in cs hu pl; do
convert-mans UTF-8 ISO-8859-2 man/${i}/*.?
done
convert-mans UTF-8 EUC-JP man/ja/*.?
convert-mans UTF-8 KOI8-R man/ru/*.?
convert-mans UTF-8 ISO-8859-9 man/tr/*.?
Instead of
using the default crypt
method, use the more secure MD5 method of password encryption, which
also allows passwords longer than 8 characters. It is also
necessary to change the obsolete /var/spool/mail location for user mailboxes that
Shadow uses by default to the /var/mail location used currently.
sed -i -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
-e 's@/var/spool/mail@/var/mail@' etc/login.defs
If you built Shadow with Cracklib support, run the following:
sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' \
etc/login.defs
Compile the package:
make
This package does not come with a test suite.
Install the package:
make install
Move a misplaced program to its proper location:
mv -v /usr/bin/passwd /bin
Move Shadow's libraries to more appropriate locations:
mv -v /lib/libshadow.*a /usr/lib rm -v /lib/libshadow.so ln -sfv ../../lib/libshadow.so.0 /usr/lib/libshadow.so
This package contains utilities to add, modify, and delete users
and groups; set and change their passwords; and perform other
administrative tasks. For a full explanation of what password shadowing means, see the
doc/HOWTO file within the unpacked
source tree. If using Shadow support, keep in mind that programs
which need to verify passwords (display managers, FTP programs,
pop3 daemons, etc.) must be Shadow-compliant. That is, they need to
be able to work with shadowed passwords.
To enable shadowed passwords, run the following command:
pwconv
To enable shadowed group passwords, run:
grpconv
Shadow's stock configuration for the useradd utility is not suitable for LFS systems. Use the following commands to change the default home directory for new users and prevent the creation of mail spool files:
useradd -D -b /home sed -i 's/yes/no/' /etc/default/useradd
Choose a password for user root and set it by running:
passwd root