Shadow

Download Source:	http://pkg-shadow.alioth.debian.org/releases/shadow-4.1.5.1.tar.bz2

Shadow, a login and password handling tool suit

Project Homepage: http://pkg-shadow.alioth.debian.org/

• Cracklib
• PAM Library
• libaudit
• libskey
• SELinux

If you have not installed PAM Library, then use this flag instead of --with-libpam in the instructions below.

--without-libpam

If you have not installed Cracklib, then remove this flag from the instructions below.

--with-libcrack

Configure and compile the package:

./configure --libdir=/lib --sysconfdir=/etc --enable-shared \
  --without-audit --without-selinux --with-libcrack --with-libpam &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
find man -name Makefile -exec sed -i '/groups.1.xml/d' '{}' \; &&
find man -name Makefile -exec sed -i 's/groups.1 //' '{}' \; &&
make

Install the package:

make install &&
mv -v /usr/bin/passwd /bin

CC="gcc ${BUILD64}" ./configure --libdir=/lib64 --sysconfdir=/etc --enable-shared \
  --without-audit --without-selinux --with-libcrack --with-libpam &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
find man -name Makefile -exec sed -i '/groups.1.xml/d' '{}' \; &&
find man -name Makefile -exec sed -i 's/groups.1 //' '{}' \; &&
make

Install the package:

make install &&
mv -v /usr/bin/passwd /bin

Setup Configuration files:

cp etc/login.defs /etc/login.defs 
sed -i -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
       -e 's@/var/spool/mail@/var/mail@' \
       -e 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' /etc/login.defs

FUNCTIONS="LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE MOTD_FILE
           NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB CONSOLE_GROUPS
           ENVIRON_FILE ULIMIT ENV_TZ ENV_HZ ENV_SUPATH ENV_PATH QMAIL_DIR MAIL_DIR
           MAIL_FILE CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE OBSCURE_CHECKS_ENAB
           CRACKLIB_DICTPATH PASS_CHANGE_TRIES PASS_ALWAYS"
for function in $FUNCTIONS; do
     sed -i "s/^$function/# &/" /etc/login.defs
done

This is the file that controls the login program

cat > /etc/pam.d/login << "EOF"
#%PAM-1.0
#
# The common PAM configuration file for login
#
auth       required     pam_shells.so
auth       include      system-auth
auth       optional     pam_securetty.so

account    required     pam_nologin.so
account    include      system-auth

password   include      system-auth

session    include      system-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    optional     pam_lastlog.so nowtmp
session    optional     pam_mail.so dir=/var/mail standard
EOF

Also make sure /etc/shells exists because the pam_shells.so module will only permit a login if your users login shell appears in /etc/shells.

These are the files that control changing of a password

for file in chage chfn chgpasswd chpasswd chsh groupadd groupdel groupmems \
  groupmod newusers passwd useradd userdel usermod; do
       cat > /etc/pam.d/$file << "EOF"
#%PAM-1.0
#
# The common PAM configuration file authentication only, root ok
#
auth       sufficient   pam_rootok.so

account    required     pam_permit.so
account    include      system-auth

password   include      system-auth
EOF
done

This is the file that controls su access

cat > /etc/pam.d/su << "EOF"
#%PAM-1.0
#
# The common PAM configuration file for su
#
auth            sufficient      pam_rootok.so
auth            include         system-auth

account         include         system-auth

password        include         system-auth

session         include         system-auth
session         optional        pam_xauth.so
EOF

See Configuring for Adding Users

Installed Programs:	login, su, nologin, faillog, lastlog, chage, chfn, chsh, expiry, gpasswd, newgrp, passwd, chgpasswd, chpasswd, groupadd, groupdel, groupmems, groupmod, grpck, grpconv, grpunconv, logoutd, newusers, pwck, pwconv, pwunconv, useradd, userdel, usermod, vipw
Installed Libraries:
Installed Directories:	/etc/pam.d

expiry	Checks and enforces the current password expiration policy
faillog	Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count
gpasswd	Is used to add and delete members and administrators to groups
groupadd	Creates a group with the given name
groupdel	Deletes the group with the given name
groupmod	Is used to modify the given group's name or GID
grpck	Verifies the integrity of the group files /etc/group and /etc/gshadow
grpconv	Creates or updates the shadow group file from the normal group file
grpunconv	Updates /etc/group from /etc/gshadow and then deletes the latter
lastlog	Reports the most recent login of all users or of a given user
login	Is used by the system to let users sign on
logoutd	Is a daemon used to enforce restrictions on log-on time and ports
newgrp	Is used to change the current GID during a login session
newusers	Is used to create or update an entire series of user accounts
nologin	Displays a message that an account is not available. Designed to be used as the default shell for accounts that have been disabled
passwd	Is used to change the password for a user or group account
pwck	Verifies the integrity of the password files /etc/passwd and /etc/shadow
pwconv	Creates or updates the shadow password file from the normal password file
pwunconv	Updates /etc/passwd from /etc/shadow and then deletes the latter
sg	Executes a given command while the user's GID is set to that of the given group
su	Runs a shell with substitute user and group IDs
useradd	Creates a new user with the given name, or updates the default new-user information
userdel	Deletes the given user account
usermod	Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc.
vigr	Edits the /etc/group or /etc/gshadow files
vipw	Edits the /etc/passwd or /etc/shadow files