8.28.1. Installation of Shadow
Important
If you've installed Linux-PAM, you should follow
the BLFS shadow page instead of this page to build (or,
rebuild or upgrade) shadow.
Disable the installation of the groups program and its man pages,
as Coreutils provides a better version. Also, prevent the
installation of manual pages that were already installed in
Section 8.3, “Man-pages-6.7”:
sed -i 's/groups$(EXEEXT) //' src/Makefile.in
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;
Instead of
using the default crypt
method, use the much more secure YESCRYPT method of password encryption,
which also allows passwords longer than 8 characters. It is also
necessary to change the obsolete /var/spool/mail
location for user mailboxes that
Shadow uses by default to the /var/mail
location used currently. And, remove
/bin
and /sbin
from the PATH
,
since they are simply symlinks to their counterparts in
/usr
.
Note
If you wish to include /bin
and/or
/sbin
in the PATH
for some reason, modify the PATH
in .bashrc
after LFS has been built.
sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD YESCRYPT:' \
-e 's:/var/spool/mail:/var/mail:' \
-e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
-i etc/login.defs
Note
If you chose to build Shadow with Cracklib support, issue this
command:
sed -i 's:DICTPATH.*:DICTPATH\t/lib/cracklib/pw_dict:' etc/login.defs
Prepare Shadow for compilation:
touch /usr/bin/passwd
./configure --sysconfdir=/etc \
--disable-static \
--with-{b,yes}crypt \
--without-libbsd \
--with-group-name-max-length=32
The meaning of the new configuration options:
-
touch
/usr/bin/passwd
-
The file /usr/bin/passwd
needs
to exist because its location is hardcoded in some programs;
if it does not already exist, the installation script will
create it in the wrong place.
-
--with-{b,yes}crypt
-
The shell expands this to two switches, --with-bcrypt
and --with-yescrypt
. They allow
shadow to use the Bcrypt and Yescrypt algorithms implemented
by Libxcrypt for hashing
passwords. These algorithms are more secure (in particular,
much more resistant to GPU-based attacks) than the
traditional SHA algorithms.
-
--with-group-name-max-length=32
-
The longest permissible user name is 32 characters. Make the
maximum length of a group name the same.
-
--without-libbsd
-
Do not use the readpassphrase function from libbsd which is
not in LFS. Use the internal copy instead.
Compile the package:
make
This package does not come with a test suite.
Install the package:
make exec_prefix=/usr install
make -C man install-man
8.28.2. Configuring
Shadow
This package contains utilities to add, modify, and delete users
and groups; set and change their passwords; and perform other
administrative tasks. For a full explanation of what password shadowing means, see the
doc/HOWTO
file within the unpacked
source tree. If you use Shadow support, keep in mind that programs
which need to verify passwords (display managers, FTP programs,
pop3 daemons, etc.) must be Shadow-compliant. That is, they must be
able to work with shadowed passwords.
To enable shadowed passwords, run the following command:
pwconv
To enable shadowed group passwords, run:
grpconv
Shadow's default configuration for the useradd utility needs some
explanation. First, the default action for the useradd utility is to create the
user and a group with the same name as the user. By default the
user ID (UID) and group ID (GID) numbers will begin at 1000. This
means if you don't pass extra parameters to useradd, each user will be a
member of a unique group on the system. If this behavior is
undesirable, you'll need to pass either the -g
or -N
parameter to useradd, or else change the
setting of USERGROUPS_ENAB
in /etc/login.defs
. See useradd(8) for more
information.
Second, to change the default parameters, the file /etc/default/useradd
must be created and tailored
to suit your particular needs. Create it with:
mkdir -p /etc/default
useradd -D --gid 999
/etc/default/useradd
parameter explanations
-
GROUP=999
-
This parameter sets the beginning of the group numbers used
in the /etc/group
file. The
particular value 999 comes from the --gid
parameter above. You may
set it to any desired value. Note that useradd will never reuse a
UID or GID. If the number identified in this parameter is
used, it will use the next available number. Note also that
if you don't have a group with an ID equal to this number on
your system, then the first time you use useradd without the
-g
parameter, an
error message will be generated—useradd: unknown GID 999
, even though
the account has been created correctly. That is why we
created the group users
with
this group ID in Section 7.6,
“Creating Essential Files and Symlinks”.
-
CREATE_MAIL_SPOOL=yes
-
This parameter causes useradd to create a mailbox
file for each new user. useradd will assign the
group ownership of this file to the mail
group with 0660 permissions. If you
would rather not create these files, issue the following
command:
sed -i '/MAIL/s/yes/no/' /etc/default/useradd