Beyond Linux From Scratch: Version 5.0-PRE1
Prev	Chapter 4. Security	Next

Shadow-4.0.3

Introduction to Shadow

Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed Linux-PAM. If you did, this will allow programs like login and su to utilize PAM.

Shadow dependencies

Required

Linux-PAM-0.77

Installation of shadow

Download the patch for shadow from http://www.linuxfromscratch.org/patches/blfs/5.0.

Reinstall shadow by running the following commands:

patch -Np1 -i ../shadow-4.0.3-pam-2.patch &&
./configure --prefix=/usr --libdir=/usr/lib \
--enable-shared --with-libpam &&
make &&
make install &&
ln -sf vipw /usr/sbin/vigr &&
rm /bin/vipw &&
mv /bin/sg /usr/bin &&
mv /usr/lib/lib{misc,shadow}.so.0* /lib &&
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so &&
cp debian/securetty /etc/securetty

Command explanations

cp debian/securetty /etc/securetty: This command sets the tty's that allow logins through PAM.

Configuring PAM to work with shadow

Config files

/etc/pam.d/login, /etc/pam.d/passwd, /etc/pam.d/su, /etc/pam.d/shadow, /etc/pam.d/useradd

Configuration Information

Add the following PAM configuration files to /etc/pam.d (or add them to /etc/pam.conf with the additional field for the program).

cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so     dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so

# End /etc/pam.d/login
EOF
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password    required       pam_unix.so     md5 shadow 

# End /etc/pam.d/passwd
EOF
cat > /etc/pam.d/shadow << "EOF"
# Begin /etc/pam.d/shadow

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/shadow
EOF
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so

# End /etc/pam.d/su
EOF
cat > /etc/pam.d/useradd << "EOF"
# Begin /etc/pam.d/useradd

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/useradd
EOF
cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/chage
EOF

Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use programs that do not specifically have a configuration file of their own. After testing PAM for proper configuration, it can be changed to the following:

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
session     required        pam_deny.so
password    required        pam_deny.so
password    required        pam_warn.so

# End /etc/pam.d/other
EOF

Finally, edit /etc/login.defs by adding '#' to the beginning of the following lines:

DIALUPS_CHECK_ENAB
LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE

This stops login from performing these functions, as they will now be performed by PAM modules.