The Shadow package contains programs for handling passwords in a secure way.
![[Note]](../images/note.png)
If you would like to enforce the use of strong passwords, refer to http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cracklib.html for installing Cracklib prior to building Shadow. Then add --with-libcrack to the configure command below.
You will also need to use the following sed after the configure commmand to make sure the correct library is linked:
sed -i libtool \
-e 's@\(^sys_lib_search_path_spec=\).*@\1"/lib64 /usr/lib64 /usr/local/lib64"@g' \
-e 's@\(^sys_lib_dlsearch_path_spec=\).*@\1"/lib64 /usr/lib64 /usr/local/lib64"@g'
Prepare Shadow for compilation:
CC="gcc ${BUILD64}" ./configure --libdir=/lib64 --sysconfdir=/etc \
--enable-shared --without-libpam --without-audit --without-selinux
The meaning of the configure options:
Tells Shadow to install its configuration files into /etc, rather than /usr/etc.
Support for Linux-PAM is enabled by default in Shadow, however PAM is not installed on a base CLFS system, so this switch disables PAM support in Shadow. For instructions to install PAM and link Shadow to it, you can look at http://www.linuxfromscratch.org/blfs/view/svn/postlfs/shadow.html.
Support for auditing is enabled by default, but a library that it needs is not installed in a base CLFS system. This switch disables auditing support.
Support for selinux is enabled by default, but selinux is not built in a base CLFS system and configure will fail without this switch.
Disable the installation of the groups program and its man pages, as Coreutils provides a better version:
sed -i 's/groups$(EXEEXT) //' src/Makefile sed -i '/groups/d' man/Makefile
Compile the package:
make
This package does not come with a test suite.
Install the package:
make install
Instead of using the default crypt method, use the more secure MD5 method of password encryption, which also allows passwords longer than 8 characters. It is also necessary to change the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location used currently. Use the following sed command to make these changes to the appropriate configuration file:
sed -i /etc/login.defs \
-e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
-e 's@/var/spool/mail@/var/mail@'
If you built Shadow with Cracklib support, execute this sed to correct the path to the Cracklib dictionary:
sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs
Move a misplaced program to its proper location:
mv -v /usr/bin/passwd /bin
Move Shadow's dynamic libraries to a more appropriate location:
mv -v /lib64/libshadow.*a /usr/lib64 rm -v /lib64/libshadow.so ln -svf ../../lib64/libshadow.so.0 /usr/lib64/libshadow.so
This package contains utilities to add, modify, and delete users and groups; set and change their passwords; and perform other administrative tasks. For a full explanation of what password shadowing means, see the doc/HOWTO file within the unpacked source tree. If using Shadow support, keep in mind that programs which need to verify passwords (display managers, FTP programs, pop3 daemons, etc.) must be Shadow-compliant. That is, they need to be able to work with shadowed passwords.
To enable shadowed passwords, run the following command:
pwconv
To enable shadowed group passwords, run:
grpconv
To view or change the default settings for new user accounts that you create, you can edit /etc/default/useradd. See man useradd or http://www.linuxfromscratch.org/blfs/view/svn/postlfs/skel.html for more information.
Choose a password for user root and set it by running:
passwd root