Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed Linux-PAM. If you did, this will allow programs like login and su to utilize PAM.
Download (FTP): ftp://ftp.pld.org.pl/software/shadow/old/shadow-4.0.4.1.tar.bz2
Download MD5 sum: 3a3d17d3d7c630b602baf66ae7434c61
Download size: 814 KB
Estimated disk space required: 14.1 MB
Estimated build time: 0.42 SBU
Patch to fix linking against PAM: http://www.linuxfromscratch.org/blfs/downloads/6.0/shadow-4.0.4.1-pam-1.patch
Reinstall Shadow by running the following commands:
patch -Np1 -i ../shadow-4.0.4.1-pam-1.patch &&
LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
--enable-shared --with-libpam --without-libcrack &&
echo '#define HAVE_SETLOCALE 1' >> config.h &&
sed -i '/extern char/d' libmisc/xmalloc.c &&
make
Now, as the root user:
make install &&
mv /bin/sg /usr/bin &&
mv /bin/vigr /usr/sbin &&
mv /usr/bin/passwd /bin &&
rm /bin/groups &&
mv /usr/lib/lib{misc,shadow}.so.0* /lib &&
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so
--without-libcrack: This switch tells Shadow not to use libcrack. This is desired as Linux-PAM already contains libcrack.
sed -i '/extern char/d' libmisc/xmalloc.c: This fixes a compilation problem when using GCC-3.4.x.
/etc/pam.d/login, /etc/pam.d/passwd, /etc/pam.d/su, /etc/pam.d/shadow, /etc/pam.d/useradd, and /etc/pam.d/chage – alternatively, /etc/pam.conf
Add the following Linux-PAM configuration files to /etc/pam.d/ (or add them to /etc/pam.conf with the additional field for the program).
cat > /etc/pam.d/login << "EOF" # Begin /etc/pam.d/login auth requisite pam_securetty.so auth requisite pam_nologin.so auth required pam_env.so auth required pam_unix.so account required pam_access.so account required pam_unix.so session required pam_motd.so session required pam_limits.so session optional pam_mail.so dir=/var/mail standard session optional pam_lastlog.so session required pam_unix.so # End /etc/pam.d/login EOF cat > /etc/pam.d/passwd << "EOF" # Begin /etc/pam.d/passwd password required pam_unix.so md5 shadow # End /etc/pam.d/passwd EOF cat > /etc/pam.d/shadow << "EOF" # Begin /etc/pam.d/shadow auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session required pam_unix.so password required pam_permit.so # End /etc/pam.d/shadow EOF cat > /etc/pam.d/su << "EOF" # Begin /etc/pam.d/su auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session required pam_unix.so # End /etc/pam.d/su EOF cat > /etc/pam.d/useradd << "EOF" # Begin /etc/pam.d/useradd auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session required pam_unix.so password required pam_permit.so # End /etc/pam.d/useradd EOF cat > /etc/pam.d/chage << "EOF" # Begin /etc/pam.d/chage auth sufficient pam_rootok.so auth required pam_unix.so account required pam_unix.so session required pam_unix.so password required pam_permit.so # End /etc/pam.d/chage EOF
If you've installed cracklib, replace /etc/pam.d/passwd with the following:
cat > /etc/pam.d/passwd << "EOF" # Begin /etc/pam.d/passwd password required pam_cracklib.so \ retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2 password required pam_unix.so md5 shadow use_authtok # End /etc/pam.d/passwd EOF
At this point, you should do a simple test to see if Shadow is working as expected. Open another term and login as a user, then su to to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. If you cannot find, and fix the error, you should recompile shadow replacing --with-libpam with --without-libpam in the above instructions. If you fail to do this and the errors remain, you will be unable to log into your system.
Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use programs that do not specifically have a configuration file of their own. After testing Linux-PAM for proper configuration, it can be changed to the following:
cat > /etc/pam.d/other << "EOF" # Begin /etc/pam.d/other auth required pam_deny.so auth required pam_warn.so account required pam_deny.so session required pam_deny.so password required pam_deny.so password required pam_warn.so # End /etc/pam.d/other EOF
Finally, edit /etc/login.defs by adding '#' to the beginning of the following lines:
LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS ENVIRON_FILE
This stops login from performing these functions, as they will now be performed by PAM modules. Additionally, add a '#' to the beginning of the following lines if you've installed cracklib:
OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH PASS_CHANGE_TRIES PASS_ALWAYS_WARN
A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/6.0/chapter06/shadow.html#contents-shadow.
Last updated on 2005-03-04 14:08:15 -0700