Installing Shadow-&shadow-version;
The Shadow package contains programs for handling passwords in a secure
way.
Estimated build time: &shadow-time;
Estimated required disk space: &shadow-compsize;
&aa-shadowpwd-down;
&aa-shadowpwd-dep;
Installation of Shadow
The login, getty and init programs (and some others) maintain a number
of log files that record who is and who was logged in to the system. These
programs, however, do not create the log files if they do not exist, so if
you want this logging to occur you will have to create the files yourself.
The Shadow package needs to detect these files in their proper place, so we
create them now, with their proper permissions:
touch /var/run/utmp /var/log/{btmp,lastlog,wtmp}
chmod 644 /var/run/utmp /var/log/{btmp,lastlog,wtmp}
The /var/run/utmp file lists the users who are currently logged in; the
/var/log/wtmp file records who was logged in and when.
The /var/log/lastlog file shows when each user last logged in, and the
/var/log/btmp file lists the bad login attempts.
Shadow hard-wires the path to the passwd binary
within the binary itself, but does this the wrong way. If a
passwd binary is not present before installing Shadow,
the package incorrectly assumes it is going to be located at
/bin/passwd, but then installs it in
/usr/bin/passwd. This will lead to errors about not finding
/bin/passwd. To work around this bug, create a dummy
passwd file, so that it gets hard-wired properly:
touch /usr/bin/passwd
The current Shadow suite has a problem that causes the
newgrp command to fail. The following patch (also
appearing in Shadow's CVS code) fixes this problem:
patch -Np1 -i ../&shadow-patch;
Now prepare Shadow for compilation:
./configure --prefix=/usr --libdir=/usr/lib --enable-shared
Compile the package:
make
And install it:
make install
Shadow uses two files to configure authentication settings for the
system. Install these two config files:
cp etc/{limits,login.access} /etc
We want to change the password method to enable MD5 passwords, which are
theoretically more secure than the default "crypt" method and also allow
password lengths greater than 8 characters. We also need to change the old
/var/spool/mail location for user mailboxes to the current location at
/var/mail. We do this by changing the relevant configuration file while
copying it to its destination:
sed -e 's%/var/spool/mail%/var/mail%' \
    -e 's%#MD5_CRYPT_ENAB.no%MD5_CRYPT_ENAB yes%' \
    etc/login.defs.linux > /etc/login.defs
Be extra careful when typing all of the above. It is probably safer
to cut-and-paste it rather than trying to type it all in.
According to the man page of vipw, a
vigr program should exist too. Since the installation
procedure doesn't create this program, create a symlink manually:
ln -s vipw /usr/sbin/vigr
As the /bin/vipw symlink is redundant (and even
points to a non-existent file), remove it:
rm /bin/vipw
Now move the sg program to its proper place:
mv /bin/sg /usr/bin
And move Shadow's dynamic libraries to a more appropriate location:
mv /usr/lib/lib{shadow,misc}.so.0* /lib
As some packages expect to find the just-moved libraries in
/usr/lib, create the following symlinks:
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so
The -D option of the useradd program requires the
following directory in order to work properly:
mkdir /etc/default
Coreutils has already installed a groups program
in /usr/bin. If you wish, you can remove the one
installed by Shadow:
rm /bin/groups
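A check for the steps above, added here as an example and not part of the original instructions: the shell function confirms that the four log files exist with mode 644 and that the sed edit of login.defs took effect. The function name verify_shadow_setup and its optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). verify_shadow_setup and its
# optional root-prefix argument are hypothetical names.
# Usage: verify_shadow_setup            checks the running system
#        verify_shadow_setup /some/dir  checks a tree below /some/dir

# Prints one line per problem found; returns 0 only if none were found.
verify_shadow_setup() {
    root=${1:-}
    defs="$root/etc/login.defs"
    rc=0

    # The log files must exist with mode 644, as set by touch and chmod.
    for f in var/run/utmp var/log/btmp var/log/lastlog var/log/wtmp; do
        if [ ! -f "$root/$f" ]; then
            echo "missing: /$f"; rc=1
        elif [ -z "$(find "$root/$f" -prune -perm 644)" ]; then
            echo "mode is not 644: /$f"; rc=1
        fi
    done

    if [ ! -f "$defs" ]; then
        echo "missing: /etc/login.defs"
        return 1
    fi

    # The second sed expression must leave an active MD5_CRYPT_ENAB yes line.
    # A typo in the pattern silently keeps the commented-out default.
    if ! grep -Eq '^MD5_CRYPT_ENAB[[:space:]]+yes[[:space:]]*$' "$defs"; then
        echo "MD5_CRYPT_ENAB is not set to yes"; rc=1
    fi
    if grep -Eq '^#[[:space:]]*MD5_CRYPT_ENAB' "$defs"; then
        echo "MD5_CRYPT_ENAB is still commented out"; rc=1
    fi

    # The first sed expression must have replaced the old mailbox path.
    if grep -q '/var/spool/mail' "$defs"; then
        echo "/var/spool/mail is still referenced"; rc=1
    fi
    return $rc
}
```

No output and a zero return status mean every check passed.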
&c6-cf-shadowpwd;
&c6-cf-password;
&aa-shadowpwd-shortdesc;
&aa-shadowpwd-desc;