The Shadow package contains programs for handling passwords in a secure way.
If you would like to enforce the use of strong passwords, refer to http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cracklib.html for installing Cracklib prior to building Shadow. Then add --with-libcrack to the configure command below.
Prepare Shadow for compilation:
./configure --libdir=/lib --enable-shared --without-selinux
The meaning of the configure options:
--without-selinux: Support for SELinux is enabled by default, but SELinux is not built into a base LFS system. The configure script will fail if this option is not used.
Disable the installation of the groups program and its man pages, as Coreutils provides a better version:
sed -i 's/groups$(EXEEXT) //' src/Makefile
find man -name Makefile -exec sed -i '/groups/d' {} \;
Disable the installation of Chinese and Korean manual pages, since Man-DB cannot format them properly:
sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile
Shadow supplies its other manual pages in UTF-8 encoding. Man-DB can display them in the recommended encodings once they are converted with the convert-mans script installed earlier:
for i in de es fi fr id it pt_BR; do
    convert-mans UTF-8 ISO-8859-1 man/${i}/*.?
done
for i in cs hu pl; do
    convert-mans UTF-8 ISO-8859-2 man/${i}/*.?
done
convert-mans UTF-8 EUC-JP man/ja/*.?
convert-mans UTF-8 KOI8-R man/ru/*.?
convert-mans UTF-8 ISO-8859-9 man/tr/*.?
Compile the package:
make
This package does not come with a test suite.
Install the package:
make install
Shadow uses two files to configure authentication settings for the system. Install these two configuration files:
cp -v etc/{limits,login.access} /etc
Instead of using the default crypt method, use the more secure MD5 method of password encryption, which also allows passwords longer than 8 characters. Shadow also defaults to the obsolete /var/spool/mail location for user mailboxes; change this to /var/mail, the location in current use. Both changes can be made to the configuration file while copying it to its destination:
sed -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
    -e 's@/var/spool/mail@/var/mail@' \
    etc/login.defs > /etc/login.defs
If you built Shadow with Cracklib support, run the following:
sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' \
    /etc/login.defs
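As an added check (example code written for this page, not part of the LFS book or of the Shadow package), the POSIX shell functions below read the active value of a login.defs key, apply the same two substitutions as the sed command above to a copy, and report when a file still carries the weak defaults. The sample login.defs content is constructed and only imitates the relevant lines of the stock file; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the LFS book: audit a login.defs file for the two
# settings the book's sed command changes, and apply the same edits to a copy.

# Constructed sample resembling the relevant lines of Shadow's etc/login.defs
SAMPLE_LOGIN_DEFS=$(cat <<'EOF'
# Comment lines and blank lines are ignored by Shadow
MAIL_DIR        /var/spool/mail
#MD5_CRYPT_ENAB no
UMASK           022
EOF
)

# Print the active (uncommented) value of a key; prints nothing if unset.
# $1 = login.defs path, $2 = key name
login_defs_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Report each setting still at its weak default; returns 1 if any was found.
# $1 = login.defs path
check_login_defs() {
    f="$1"
    rc=0
    if [ "$(login_defs_get "$f" MD5_CRYPT_ENAB)" != "yes" ]; then
        echo "$f: MD5_CRYPT_ENAB is not 'yes'; the default crypt method (8-character limit) is in effect"
        rc=1
    fi
    case "$(login_defs_get "$f" MAIL_DIR)" in
        /var/spool/mail)
            echo "$f: MAIL_DIR still points at the obsolete /var/spool/mail"
            rc=1 ;;
    esac
    return $rc
}

# Apply the book's two substitutions, writing the result to a new file.
# $1 = input login.defs, $2 = output path
harden_login_defs() {
    sed -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
        -e 's@/var/spool/mail@/var/mail@' "$1" > "$2"
}
```

Running check_login_defs on the installed /etc/login.defs after the copy is a quick way to confirm that both substitutions matched; a zero exit status means both settings are in the hardened state.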
Move a misplaced program to its proper location:
mv -v /usr/bin/passwd /bin
Move Shadow's libraries to more appropriate locations:
mv -v /lib/libshadow.*a /usr/lib
rm -v /lib/libshadow.so
ln -sfv ../../lib/libshadow.so.0 /usr/lib/libshadow.so
The -D option of the useradd program requires the /etc/default directory for it to work properly:
mkdir -v /etc/default
This package contains utilities to add, modify, and delete users and groups; set and change their passwords; and perform other administrative tasks. For a full explanation of what password shadowing means, see the doc/HOWTO file within the unpacked source tree. If using Shadow support, keep in mind that programs which need to verify passwords (display managers, FTP programs, POP3 daemons, etc.) must be Shadow-compliant; that is, they need to be able to work with shadowed passwords.
To enable shadowed passwords, run the following command:
pwconv
To enable shadowed group passwords, run:
grpconv
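To confirm that shadowing took effect, here is an added example (not from the LFS book or from Shadow). After pwconv and grpconv, every entry in /etc/passwd and /etc/group carries x in its password field, with the real hash living only in /etc/shadow and /etc/gshadow. The helpers below list entries in a passwd- or group-format file whose password field is anything other than x, and check that a shadow file is not readable by other users. The sample passwd content is constructed; the legacy line stands for an account whose (fake) hash was written straight into /etc/passwd. The permission check assumes GNU stat, which LFS installs with Coreutils.

```shell
#!/bin/sh
# Added example, not from the LFS book: verify that password shadowing is in
# effect and that the shadow file is not world-readable.

# Constructed sample: three shadowed entries and one whose hash is still
# exposed in the world-readable file (the situation pwconv corrects).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1::/usr/sbin:/bin/false
legacy:$1$saltsalt$notarealhashvalue000000:1001:1001::/home/legacy:/bin/bash
nobody:x:65534:65534::/:/bin/false'

# Print the names of entries whose password field is not "x".
# $1 = path to a passwd- or group-format file
unshadowed_entries() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Return 0 if every entry in the file is shadowed, 1 otherwise.
# $1 = path to a passwd- or group-format file
all_shadowed() {
    [ -z "$(unshadowed_entries "$1")" ]
}

# Return 0 if "other" users have no permission bits on the file.
# $1 = path to /etc/shadow or /etc/gshadow (GNU stat assumed)
shadow_perms_ok() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}
```

On a live system, run unshadowed_entries /etc/passwd and unshadowed_entries /etc/group right after pwconv and grpconv; both should print nothing. Any name that does appear is an account whose hash is still readable by every local user, which is exactly what shadowing is meant to prevent.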
Choose a password for user root and set it by running:
passwd root