%general-entities; ]> Shadow-&shadow-version; Shadow <para>The Shadow package contains programs for handling passwords in a secure way.</para> <segmentedlist> <segtitle>&buildtime;</segtitle> <segtitle>&diskspace;</segtitle> <seglistitem><seg>0.4 SBU</seg><seg>11 MB</seg></seglistitem> </segmentedlist> <segmentedlist> <segtitle>Shadow installation depends on</segtitle> <seglistitem><seg>Bash, Binutils, Bison, Coreutils, Diffutils, GCC, Gettext, Glibc, Grep, Make, Sed</seg></seglistitem> </segmentedlist> </sect2> <sect2 role="installation"> <title>Installation of Shadow Prepare Shadow for compilation: ./configure --libdir=/lib --enable-shared Compile the package: make Then install it: make install Shadow uses two files to configure authentication settings for the system. Install these two config files: cp etc/{limits,login.access} /etc Instead of using the default crypt method, we want to use the more secure MD5 method of password encryption, which also allows passwords longer than 8 characters. We also need to change the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location used currently. We accomplish both these things by changing the relevant configuration file while copying it to its destination (it's probably better to cut-and-paste this rather than try and type it all in): sed -e's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \ -e 's@/var/spool/mail@/var/mail@' \ < etc/login.defs.linux > /etc/login.defs Move some misplaced symlinks/programs to their proper locations: mv /usr/bin/passwd /bin And move Shadow's static library to a more appropriate location: mv /lib/libshadow.*a /usr/lib As some packages expect to find the libraries in /usr/lib, create the following symlinks: rm /lib/libshadow.so ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so The -D option of the useradd program requires this directory for it to work properly: mkdir /etc/default Coreutils has already installed a better groups program in /usr/bin. Remove the one installed by Shadow: rm /bin/groups Configuring Shadow Shadow configuring This package contains utilities to add, modify and delete users and groups, set and change their passwords, and other such administrative tasks. For a full explanation of what password shadowing means, see the doc/HOWTO file within the unpacked source tree. There's one thing to keep in mind if you decide to use Shadow support: programs that need to verify passwords (display managers, ftp programs, pop3 daemons, and the like) need to be shadow-compliant, that is they need to be able to work with shadowed passwords. To enable shadowed passwords, run the following command: pwconv To enable shadowed group passwords, run: grpconv Under normal circumstances, you won't have created any passwords yet. However, if returning to this section later to enable shadowing, you should reset any current user passwords with the passwd command or any group passwords with the gpasswd command. Setting the root password Choose a password for user root and set it via: passwd root Contents of Shadow Installed programs chage, chfn, chpasswd, chsh, expiry, faillog, gpasswd, groupadd, groupdel, groupmod, groups, grpck, grpconv, grpunconv, lastlog, login, logoutd, mkpasswd, newgrp, newusers, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), useradd, userdel, usermod, vigr (link to vipw) and vipw Short descriptions chage chage is used to change the maximum number of days between obligatory password changes. chfn chfn is used to change a user's full name and some other info. chpasswd chpasswd is used to update the passwords of a whole series of user accounts in one go. chsh chsh is used to change a user's default login shell. expiry expiry checks and enforces the current password expiration policy. faillog faillog is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count. gpasswd gpasswd is used to add and delete members and administrators to groups. groupadd groupadd creates a group with the given name. groupdel groupdel deletes the group with the given name. groupmod groupmod is used to modify the given group's name or GID. groups groups reports the groups of which the given users are members. grpck grpck verifies the integrity of the group files, /etc/group and /etc/gshadow. grpconv grpconv creates or updates the shadow group file from the normal group file. grpunconv grpunconv updates /etc/group from /etc/gshadow and then deletes the latter. lastlog lastlog reports the most recent login of all users, or of a given user. login login is used by the system to let users sign on. logoutd logoutd is a daemon used to enforce restrictions on log-on time and ports. mkpasswd mkpasswd encrypts the given password using the also given perturbation. newgrp newgrp is used to change the current GID during a login session. newusers newusers is used to create or update a whole series of user accounts in one go. passwd passwd is used to change the password for a user or group account. pwck pwck verifies the integrity of the password files, /etc/passwd and /etc/shadow. pwconv pwconv creates or updates the shadow password file from the normal password file. pwunconv pwunconv updates /etc/passwd from /etc/shadow and then deletes the latter. sg sg executes a given command while the user's GID is set to that of the given group. su su runs a shell with substitute user and group IDs. useradd useradd creates a new user with the given name, or updates the default new-user information. userdel userdel deletes the given user account. usermod usermod is used to modify the given user's login name, UID (User Identification), shell, initial group, home directory, and the like. vigr vigr can be used to edit the /etc/group or /etc/gshadow files. vipw vipw can be used to edit the /etc/passwd or /etc/shadow files. libmisc libmisc ... libshadow libshadow contains functions used by most programs in this package.