The Shadow package contains programs for handling passwords in a
secure way.
Approximate build time: 0.4 SBU
Required disk space: 11 MB
Shadow installation depends on: Bash, Binutils, Bison,
Coreutils, Diffutils, GCC, Gettext, Glibc, Grep, Make, and Sed
6.53.1. Installation of Shadow
Prepare Shadow for compilation:
./configure --libdir=/usr/lib --enable-shared
Work around a problem that prevents Shadow's internationalization
from working:
echo '#define HAVE_SETLOCALE 1' >> config.h
Shadow incorrectly declares the malloc() function, causing
compilation failure. Fix this:
sed -i '/extern char/d' libmisc/xmalloc.c
Compile the package:
make
Install the package:
make install
Shadow uses two files to configure
authentication settings for the system. Install these two config
files:
cp etc/{limits,login.access} /etc
Instead of
using the default crypt
method, use the more secure MD5 method of password encryption, which
also allows passwords longer than 8 characters. It is also
necessary to change the obsolete /var/spool/mail location for user mailboxes that
Shadow uses by default to the /var/mail
location used currently. Both of these can be accomplished by
changing the relevant configuration file while copying it to its
destination:
cp etc/login.defs.linux /etc/login.defs
sed -i -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
-e 's@/var/spool/mail@/var/mail@' /etc/login.defs
Move some misplaced symlinks/programs to their proper locations:
mv /bin/sg /usr/bin
mv /bin/vigr /usr/sbin
mv /usr/bin/passwd /bin
Move Shadow's dynamic libraries to a more appropriate location:
mv /usr/lib/lib{shadow,misc}.so.0* /lib
Because some packages expect to find the just-moved libraries in
/usr/lib, create the following symlinks:
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so
The -D option of the
useradd program requires the
/etc/default directory for it to work
properly:
mkdir /etc/default
Coreutils has already installed a better groups program in /usr/bin. Remove the one installed by Shadow:
rm /bin/groups
6.53.2. Configuring Shadow
This package contains utilities to add, modify, and delete users
and groups; set and change their passwords; and perform other
administrative tasks. For a full explanation of what password shadowing means, see the
doc/HOWTO file within the unpacked source
tree. If using Shadow support, keep in mind that programs which
need to verify passwords (display managers, FTP programs, pop3
daemons, etc.) must be shadow-compliant. That is, they need to be
able to work with shadowed passwords.
To enable shadowed passwords, run the following command:
pwconv
To enable shadowed group passwords, run:
grpconv
Under normal circumstances, passwords will not have been created
yet. However, if returning to this section later to enable
shadowing, reset any current user passwords with the
passwd command or any group
passwords with the gpasswd
command.
6.53.4. Contents of Shadow
Installed programs: chage, chfn, chpasswd, chsh, expiry,
faillog, gpasswd, groupadd, groupdel, groupmod, groups, grpck,
grpconv, grpunconv, lastlog, login, logoutd, mkpasswd, newgrp,
newusers, passwd, pwck, pwconv, pwunconv, sg (link to newgrp),
useradd, userdel, usermod, vigr (link to vipw), and vipw
Installed libraries: libshadow[.a,so]
Short Descriptions
-
chage
-
Used to change the maximum number of days between obligatory
password changes
-
chfn
-
Used to change a user's full name and other info
-
chpasswd
-
Used to update the passwords of an entire series of user
accounts
-
chsh
-
Used to change a user's default login shell
-
expiry
-
Checks and enforces the current password expiration policy
-
faillog
-
Is used to examine the log of login failures, to set a
maximum number of failures before an account is blocked, or
to reset the failure count
-
gpasswd
-
Is used to add and delete members and administrators to
groups
-
groupadd
-
Creates a group with the given name
-
groupdel
-
Deletes the group with the given name
-
groupmod
-
Is used to modify the given group's name or GID
-
groups
-
Reports the groups of which the given users are members
-
grpck
-
Verifies the integrity of the group files /etc/group and /etc/gshadow
-
grpconv
-
Creates or updates the shadow group file from the normal
group file
-
grpunconv
-
Updates /etc/group from /etc/gshadow and then deletes the latter
-
lastlog
-
Reports the most recent login of all users or of a given user
-
login
-
Is used by the system to let users sign on
-
logoutd
-
Is a daemon used to enforce restrictions on log-on time and
ports
-
mkpasswd
-
Generates random passwords
-
newgrp
-
Is used to change the current GID during a login session
-
newusers
-
Is used to create or update an entire series of user accounts
-
passwd
-
Is used to change the password for a user or group account
-
pwck
-
Verifies the integrity of the password files /etc/passwd and /etc/shadow
-
pwconv
-
Creates or updates the shadow password file from the normal
password file
-
pwunconv
-
Updates /etc/passwd from /etc/shadow and then deletes the latter
-
sg
-
Executes a given command while the user's GID is set to that
of the given group
-
su
-
Runs a shell with substitute user and group IDs
-
useradd
-
Creates a new user with the given name, or updates the
default new-user information
-
userdel
-
Deletes the given user account
-
usermod
-
Is used to modify the given user's login name, User
Identification (UID), shell, initial group, home directory,
etc.
-
vigr
-
Edits the /etc/group or /etc/gshadow files
-
vipw
-
Edits the /etc/passwd or /etc/shadow files
-
libshadow
-
Contains functions used by most programs in this package