Shadow-4.0.9

Introduction to Shadow

Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed Linux-PAM. If you did, this will allow programs like login and su to utilize PAM.

Package Information

Additional Downloads

Shadow Dependencies

Required

Linux-PAM-0.80

Installation of Shadow

Reinstall Shadow by running the following commands:

patch -Np1 -i ../shadow-4.0.9-Linux_PAM_fixes-1.patch &&
./configure --libdir=/lib --enable-shared \
    --with-libpam --without-libcrack &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
sed -i '/groups/d' man/Makefile &&
make

Now, as the root user:

make install &&
mv -v /usr/bin/passwd /bin &&
mv -v /lib/libshadow.*a /usr/lib &&
rm -v /lib/libshadow.so &&
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so

Command Explanations

--without-libcrack: This switch tells Shadow not to use libcrack. This is desired as Linux-PAM already contains libcrack.

sed -i ...: These commands are used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.

Configuring Linux-PAM to Work with Shadow

Config Files

/etc/pam.d/* or alternatively /etc/pam.conf, /etc/login.defs and /etc/security/*

Configuration Information

Configuring /etc/login.defs

The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents):

install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
                PORTTIME_CHECKS_ENAB CONSOLE \
                MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
                SU_WHEEL_ONLY MD5_CRYPT_ENAB \
                CONSOLE_GROUPS ENVIRON_FILE \
                ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
                ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
                CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE
do
    sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
done

If you have CrackLib installed, also comment out four more lines using the following command:

for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
                PASS_CHANGE_TRIES PASS_ALWAYS_WARN
do
    sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
done
Configuring the /etc/pam.d/ Files

Add the following Linux-PAM configuration files to /etc/pam.d/ (or add them to /etc/pam.conf with the additional field for the program).

'login' (with CrackLib)
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_env.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
                                            dcredit=3 ocredit=3 \
                                            ucredit=2 lcredit=2
password    required       pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/login
EOF
'login' (without CrackLib)
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_unix.so      md5 shadow

# End /etc/pam.d/login
EOF
'passwd' (with CrackLib)
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
                                            dcredit=3  ocredit=3 \
                                            ucredit=2  lcredit=2
password    required       pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/passwd
EOF
'passwd' (without CrackLib)
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password    required       pam_unix.so      md5 shadow

# End /etc/pam.d/passwd
EOF
'su'
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     optional        pam_mail.so     dir=/var/mail standard
session     required        pam_env.so
session     required        pam_unix.so

# End /etc/pam.d/su
EOF
'chage'
cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/chage
EOF
'chpasswd', 'newusers', 'groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', and 'usermod'
for PROGRAM in chpasswd newusers groupadd groupdel \
               groupmod useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
    sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done
[Warning]

Warning

At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. If you cannot find and fix the error, you should recompile Shadow replacing --with-libpam with --without-libpam in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.

Other

Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required:

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
session     required        pam_deny.so
password    required        pam_deny.so
password    required        pam_warn.so

# End /etc/pam.d/other
EOF
Configuring Login Access

Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:

if [ -f /etc/login.access ]; then
    mv -v /etc/login.access /etc/login.access.NOUSE
fi
Configuring Resource Limits

Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the pam_limits.so module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command:

if [ -f /etc/limits ]; then
    mv -v /etc/limits /etc/limits.NOUSE
fi
Configuring Default Environment

During previous configuration, several items were removed from /etc/login.defs. Some of these items are now controlled by the pam_env.so module and the /etc/security/pam_env.conf configuration file. In particular, the default path has been changed. To recover your default path, execute the following commands:

ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
    awk '{ print $2 }' | sed 's/PATH=//'` &&
echo 'PATH        DEFAULT='`echo "${ENV_PATH}"`'        OVERRIDE=${PATH}' \
    >> /etc/security/pam_env.conf &&
unset ENV_PATH
[Note]

Note

ENV_SUPATH is no longer supported. You must create a valid /root/.bashrc file to provide a modified path for the super user.

Contents

A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/stable/chapter06/shadow.html#contents-shadow.

Last updated on 2005-08-09 19:50:01 -0600