Click here to ask our community of linux experts!
Even though the shadow suite contains replacement programs for most programs that need to access passwords, there are a few additional programs on most systems that require access to passwords.
If you are running a Debian Distribution (or even if you are not), you can obtain Debian sources for the programs that need to be rebuild from: ftp://ftp.debian.org/debian/stable/source/
The remainder of this section discusses how to upgrade adduser, wu_ftpd, ftpd, pop3d, xlock, xdm and sudo so that they support the shadow suite.
See the section Adding Shadow Support to a C program for a discussion on how to put shadow support into any other program that needs it (although the program must then be run SUID root or SGID shadow to be able to actually access the shadow file).
Slackware distributions (and possibly some others) contain a interactive program for adding users called /sbin/adduser. A shadow version of this program can be obtained from ftp://sunsite.unc.edu/pub/Linux/ system/Admin/accounts/adduser.shadow-1.4.tar.gz.
I would encourage you to use the programs that are supplied with the Shadow Suite (useradd, usermod, and userdel) instead of the slackware adduser program. They take a little time to learn how to use, but it's well worth the effort because you have much more control and they perform proper file locking on the /etc/passwd and /etc/shadow file (adduser doesn't).
See the section on Putting the Shadow Suite to use for more information.
But if you gotta have it, here is what you do:
tar -xzvf adduser.shadow-1.4.tar.gz cd adduser make clean make adduser chmod 700 adduser cp adduser /sbin
Most Linux systems some with the wu_ftpd server. If your distribution does not come with shadow installed, then your wu_ftpd will not be compiled for shadow. wu_ftpd is launched from inetd/tcpd as a root process. If you are running an old wu_ftpd daemon, you will want to upgrade it anyway because older ones had a bug that would allow the root account to be compromised (For more info see the Linux security home page).
Fortunately, you only need to get the source code and recompile it with shadow enabled.
If you are not running an ELF system, The wu_ftp server can be found on Sunsite as wu-ftp-2.4-fixed.tar.gz
Once you retrieve the server, put it in /usr/src, then type:
cd /usr/src tar -xzvf wu-ftpd-2.4-fixed.tar.gz cd wu-ftpd-2.4-fixed cp ./src/config/config.lnx.shadow ./src/config/config.lnx
Then edit ./src/makefiles/Makefile.lnx, and change the line:
to:LIBES = -lbsd -support
LIBES = -lbsd -support -lshadow
Now you are ready to run the build script and install:
cd /usr/src/wu-ftpd-2.4-fixed /usr/src/wu-ftp-2.4.fixed/build lnx cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old cp ./bin/ftpd /usr/sbin/wu.ftpd
This uses the Linux shadow configuration file, compiles and installs the server.
On my Slackware 2.3 system I also had to do the following before running build:
cd /usr/include/netinet ln -s in_systm.h in_system.h cd -
Problems have been reported compiling this package under ELF systems, but the Beta version of the next release works fine. It can be found as wu-ftp-2.4.2-beta-10.tar.gz
Once you retrieve the server, put it in /usr/src, then type:
cd /usr/src tar -xzvf wu-ftpd-2.4.2-beta-9.tar.gz cd wu-ftpd-beta-9 cd ./src/config
Then edit config.lnx, and change:
to:#undef SHADOW.PASSWORD
Then,#define SHADOW.PASSWORD
and edit the filecd ../Makefiles
Makefile.lnx and change:
to:LIBES = -lsupport -lbsd # -lshadow
Then build and install:LIBES = -lsupport -lbsd -lshadow
cd .. build lnx cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old cp ./bin/ftpd /usr/sbin/wu.ftpd
Note that you should check your /etc/inetd.conf file to make sure that this is where your wu.ftpd server really lives. It has been reported that some distributions place the server daemons in different places, and then wu.ftpd in particular may be named something else.
If you are running the standard ftpd server, I would recommend that you upgrade to the wu_ftpd server. Aside from the known bug discussed above, it's generally thought to be more secure.
If you insist on the standard one, or you need NIS support, Sunsite has ftpd-shadow-nis.tgz
If you need to support the third Post Office Protocol (POP3), you will need to recompile a pop3d program. pop3d is normally run by inetd/tcpd as root.
There are two versions available from Sunsite: pop3d-1.00.4.linux.shadow.tar.gz and pop3d+shadow+elf.tar.gz
Both of these are fairly straight forward to install.
If you install the shadow suite, and then run X Windows System and lock the screen without upgrading your xlock, you will have to use CNTL-ALT-Fx to switch to another tty, login, and kill the xlock process (or use CNTL-ALT-BS to kill the X server). Fortunately it's fairly easy to upgrade your xlock program.
If you are running XFree86 Versions 3.x.x, you are probably using xlockmore (which is a great screen-saver in addition to a lock). This package supports shadow with a recompile. If you have an older xlock, I recommend that you upgrade to this one.
xlockmore-3.5.tgz is available at: ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screensavers/xlockmore-3.7.tgz
Basically, this is what you need to do:
Get the xlockmore-3.7.tgz file and put it in /usr/src unpack it:
tar -xzvf xlockmore-3.7.tgz
Edit the file: /usr/X11R6/lib/X11/config/linux.cf, and change the line:
#define HasShadowPasswd NO to #define HasShadowPasswd YES
Then build the executables:
cd /usr/src/xlockmore xmkmf make depend make
Then move everything into place and update file ownerships and permissions:
cp xlock /usr/X11R6/bin/ cp XLock /var/X11R6/lib/app-defaults/ chown root.shadow /usr/X11R6/bin/xlock chmod 2755 /usr/X11R6/bin/xlock chown root.shadow /etc/shadow chmod 640 /etc/shadow
Your xlock will now work correctly.
xdm is a program that presents a login screen for X-Windows. Some systems start xdm when the system is told to goto a specified run level (see /etc/inittab.
With the Shadow Suite install, xdm will need to be updated. Fortunately it's fairly easy to upgrade your xdm program.
xdm.tar.gz is available at: ftp://sunsite.unc.edu/pub/Linux/X11/xutils/xdm.tar.gz
Get the xdm.tar.gz file and put it in /usr/src, then to unpack it:
tar -xzvf xdm.tar.gz
Edit the file: /usr/X11R6/lib/X11/config/linux.cf, and change the line:
#define HasShadowPasswd NO to #define HasShadowPasswd YES
Then build the executables:
cd /usr/src/xdm xmkmf make depend make
Then move everything into place:
cp xdm /usr/X11R6/bin/
xdm is run as root so you don't need to change it file permissions.
The program sudo allows a system administrator to let users run programs that would normally require root access. This is handy because it lets the administrator limit access to the root account itself while still allowing users to do things like mounting drives.
sudo needs to read passwords because it verifies the users password when it's invoked. sudo already runs SUID root, so accessing the /etc/shadow file is not a problem.
sudo for the shadow suite, is available as at: ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz
Warning: When you install sudo your /etc/sudoers file will be replaced with a default one, so you need to make a backup of it if you have added anything to the default one. (you could also edit the Makefile and remove the line that copies the default file to /etc).
The package is already setup for shadow, so all that's required is to recompile the package (put it in /usr/src):
cd /usr/src tar -xzvf sudo-1.2-shadow.tgz cd sudo-1.2-shadow make all make install
The pppd server can be setup to use several types of authentication: Password Authentication Protocol (PAP) and Cryptographic Handshake Authentication Protocol (CHAP). The pppd server usually reads the password strings that it uses from /etc/ppp/chap-secrets and/or /etc/ppp/pap-secrets. If you are using this default behavior of pppd, it is not necessary to reinstall pppd.
pppd also allows you to use the login parameter (either on the command line, or in the configuration or options file). If the login option is given, then pppd will use the /etc/passwd file for the username and passwords for the PAP. This, of course, will no longer work now that our password file is shadowed. For pppd-1.2.1d this requires adding code for shadow support.
The example given in the next section is adding shadow support to pppd-1.2.1d (an older version of pppd).
pppd-2.2.0 already contains shadow support.