Shadow-4.6

The Shadow package contains programs for handling passwords in a secure way.

Approximate Build Time: 0.3 SBU

Required Disk Space: 22 MB

Installation of Shadow

NOTE

If you would like to enforce the use of strong passwords, refer to cracklib for installing CrackLib prior to building Shadow. Then add --with-libcrack to the configure command below.

Disable the installation of the groups program and its man pages, as Coreutils provides a better version. Also Prevent the installation of manual pages that were already installed in Section 6.8, “Man-pages-4.16”:

sed -i 's/groups$(EXEEXT) //' src/Makefile.in
find man -name Makefile.in -exec sed -i 's/groups\.1 / /'   {} \;
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;

Instead of using the default crypt method, use the more secure SHA-512 method of password encryption, which also allows passwords longer than 8 characters. It is also necessary to change the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location used currently:

sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
       -e 's@/var/spool/mail@/var/mail@' etc/login.defs

NOTE

If you chose to build Shadow with Cracklib support, run the following:

sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs

Make a minor change to make the first group number generated by useradd 1000:

sed -i 's/1000/999/' etc/useradd

Prepare Shadow for compilation:

./configure --sysconfdir=/etc --with-group-name-max-length=32

The meaning of the configure option:

--with-group-name-max-length=32

The maximum user name is 32 characters. Make the maximum group name the same.

Compile the package:

make

This package does not come with a test suite.

Install the package:

make install

Move a misplaced program to its proper location:

mv -v /usr/bin/passwd /bin

Configuring Shadow

This package contains utilities to add, modify, and delete users and groups; set and change their passwords; and perform other administrative tasks. For a full explanation of what password shadowing means, see the doc/HOWTO file within the unpacked source tree. If using Shadow support, keep in mind that programs which need to verify passwords (display managers, FTP programs, pop3 daemons, etc.) must be Shadow-compliant. That is, they need to be able to work with shadowed passwords.

To enable shadowed passwords, run the following command:

pwconv

To enable shadowed group passwords, run:

grpconv

Shadow's stock configuration for the useradd utility has a few caveats that need some explanation. First, the default action for the useradd utility is to create the user and a group of the same name as the user. By default the user ID (UID) and group ID (GID) numbers will begin with 1000. This means if you don't pass parameters to useradd, each user will be a member of a unique group on the system. If this behavior is undesirable, you'll need to pass the -g parameter to useradd. The default parameters are stored in the /etc/default/useradd file. You may need to modify two parameters in this file to suit your particular needs.

/etc/default/useradd Parameter Explanations

GROUP=1000

This parameter sets the beginning of the group numbers used in the /etc/group file. You can modify it to anything you desire. Note that useradd will never reuse a UID or GID. If the number identified in this parameter is used, it will use the next available number after this. Note also that if you don't have a group 1000 on your system the first time you use useradd without the -g parameter, you'll get a message displayed on the terminal that says: useradd: unknown GID 1000. You may disregard this message and group number 1000 will be used. CREATE_MAIL_SPOOL=yes

This parameter causes useradd to create a mailbox file for the newly created user. useradd will make the group ownership of this file to the mail group with 0660 permissions. If you would prefer that these mailbox files are not created by useradd, issue the following command:

sed -i 's/yes/no/' /etc/default/useradd

Setting the root password

Choose a password for user root and set it by running:

passwd root

Contents of Shadow

Installed Programs: chage, chfn, chgpasswd, chpasswd, chsh, expiry, faillog, gpasswd, groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, lastlog, login, logoutd, newgidmap, newgrp, newuidmap, newusers, nologin, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), su, useradd, userdel, usermod, vigr (link to vipw), and vipw

Installed Directories: /etc/default

Installed	Description
chage	Used to change the maximum number of days between obligatory password changes
chfn	Used to change a user's full name and other information
chgpasswd	Used to update group passwords in batch mode
chpasswd	Used to update user passwords in batch mode
chsh	Used to change a user's default login shell
expiry	Checks and enforces the current password expiration policy
faillog	Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count
gpasswd	Is used to add and delete members and administrators to groups
groupadd	Creates a group with the given name
groupdel	Deletes the group with the given name
groupmems	Allows a user to administer his/her own group membership list without the requirement of super user privileges.
groupmod	Is used to modify the given group's name or GID
grpck	Verifies the integrity of the group files /etc/group and /etc/gshadow
grpconv	Creates or updates the shadow group file from the normal group file
grpunconv	Updates /etc/group from /etc/gshadow and then deletes the latter
lastlog	Reports the most recent login of all users or of a given user
login	Is used by the system to let users sign on
logoutd	Is a daemon used to enforce restrictions on log-on time and ports
newgidmap	Is used to set the gid mapping of a user namespace
newgrp	Is used to change the current GID during a login session
newuidmap	Is used to set the uid mapping of a user namespace
newusers	Is used to create or update an entire series of user accounts
nologin	Displays a message that an account is not available; it is designed to be used as the default shell for accounts that have been disabled
passwd	Is used to change the password for a user or group account
pwck	Verifies the integrity of the password files /etc/passwd and /etc/shadow
pwconv	Creates or updates the shadow password file from the normal password file
pwunconv	Updates /etc/passwd from /etc/shadow and then deletes the latter
sg	Executes a given command while the user's GID is set to that of the given group
su	Runs a shell with substitute user and group IDs
useradd	Creates a new user with the given name, or updates the default new-user information
userdel	Deletes the given user account
usermod	Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc.
vigr	Edits the /etc/group or /etc/gshadow files
vipw	Edits the /etc/passwd or /etc/shadow files