#!/bin/bash
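cd /usr/src/shadow-*/ || exit

#abort when the patch does not apply; without this the build below would
#silently continue against unpatched sources.
patch -p 1 <../shadow-4.0.14-configure_fix-1.patch || exit


#login, getty and init use logfiles (if existing), let shadow find them:
touch /var/run/utmp /var/log/{btmp,lastlog,wtmp}
chmod 644 /var/run/utmp /var/log/{lastlog,wtmp}
#btmp records failed login attempts (including whatever was typed into the
#user-name prompt, which may be a mistyped secret); keep it root-only.
chmod 600 /var/log/btmp
#/var/run/utmp: users currently logged in
#/var/log/wtmp: users who were logged in and when
#/var/log/lastlog: time of last login per user
#/var/log/btmp: bad login attempts

#create dummy passwd to be found to match hardwired install path:
touch /usr/bin/passwd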


#old:
#patch -p 1 <../shadow-4.0.4.1-pam-1.patch
#patch -p 1 <../shadow-4.0.11-no_groups-1.patch
#patch -p 1 <../shadow-4.0.10-Linux_PAM_fixes-2.patch


#--without-libcrack: Linux-PAM already contains cracklib
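#--without-libcrack: Linux-PAM already contains cracklib
LIBS="-lpam -lpam_misc" ./configure --prefix=/usr --libdir=/usr/lib --enable-shared --with-libpam --without-libcrack --enable-shadowgrp &&
#disable groups (coreutils version is better):
#(single quotes on purpose: "$(EXEEXT)" is make syntax and must reach sed literally)
sed -i 's@groups$(EXEEXT) @@' src/Makefile &&
find man -name Makefile -exec sed -i '/groups/d' {} \; &&
make &&
make install &&
#shadow uses these config files:
cp etc/{limits,login.access} /etc &&
#enable MD5 instead of crypt passwords and change mailbox location:
#(MD5_CRYPT_ENAB is commented out again near the end of this script, because
#hashing is delegated to the md5 option of pam_unix in /etc/pam.d/passwd)
sed -e 's@/var/spool/mail@/var/mail@' -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' etc/login.defs > /etc/login.defs &&
#move misplaced stuff:
mv /usr/bin/passwd /bin &&
#move Shadows dynamic libs to a more appropriate location:
mv /usr/lib/libshadow.so.0* /lib &&
#provide symlinks to just-moved libraries:
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &&
#useradd -D needs this:
#(kept in the && chain: a failed build or install must not fall through to
#pwconv/grpconv and leave the system half-converted)
mkdir -p /etc/default &&
#enable shadowed passwords:
/usr/sbin/pwconv &&
#enable shadowed group passwords:
/usr/sbin/grpconv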
#this is old and not in shadow any more: set the tty's that allow logins through PAM:
#cp debian/securetty /etc/securetty

# Under normal circumstances, you won't have created any passwords yet.
# However, if returning to this section to enable shadowing, you should
# reset any current user passwords with the passwd command or any group
# passwords with the gpasswd command.



#add/modify PAM configuration files to /etc/pam.d (or add them
#to /etc/pam.conf with the additional field for the program):
#login: the two 'requisite' auth modules end the stack on failure, so the
#securetty and nologin checks are decided before pam_unix asks for a password.
#NOTE(review): pam_access reads its own access file (/etc/security/access.conf
#by default), not the login.access copied to /etc above -- confirm which file
#is meant to govern account access.
cat <<"EOF" >/etc/pam.d/login
# Begin /etc/pam.d/login
auth	requisite	pam_securetty.so
auth	requisite	pam_nologin.so
auth	required	pam_unix.so
account	required	pam_access.so
account	required	pam_unix.so
session	required	pam_env.so
session	required	pam_motd.so
session	required	pam_limits.so
session	optional	pam_mail.so	dir=/var/mail standard
session	optional	pam_lastlog.so
session	required	pam_unix.so
# End /etc/pam.d/login
EOF



#passwd: pam_cracklib vets the new password first; pam_unix then stores it
#as an MD5 hash in /etc/shadow, reusing the token cracklib checked
#(use_authtok) instead of prompting again.
#NOTE(review): minlen=5 together with the credits is a low floor -- consider
#raising it once the policy is settled.
cat <<"EOF" >/etc/pam.d/passwd
# Begin /etc/pam.d/passwd
password	required	pam_cracklib.so	retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
password	required	pam_unix.so	md5 shadow use_authtok
# End /etc/pam.d/passwd
EOF



#shadow: root passes auth via pam_rootok ('sufficient'); anyone else must
#authenticate with pam_unix. The password stack is pam_permit only, i.e. no
#strength checks apply to password changes made through this service.
cat <<"EOF" >/etc/pam.d/shadow
# Begin /etc/pam.d/shadow
auth		sufficient	pam_rootok.so
auth		required	pam_unix.so
account		required	pam_unix.so
session		required	pam_unix.so
password	required	pam_permit.so
# End /etc/pam.d/shadow
EOF



#su: root switches without a password (pam_rootok); every other user is
#asked for the target account's password by pam_unix. Nothing here limits
#which users may try su at all (SU_WHEEL_ONLY in login.defs is disabled
#further down); add pam_wheel.so to the auth stack if only an admin group
#should be allowed to.
cat <<"EOF" >/etc/pam.d/su
# Begin /etc/pam.d/su
auth	sufficient	pam_rootok.so
auth	required	pam_unix.so
account	required	pam_unix.so
session	optional	pam_mail.so	dir=/var/mail standard
session	required	pam_env.so
session	required	pam_unix.so
# End /etc/pam.d/su
EOF



#chage: same shape as the shadow service (root bypass, otherwise unix auth,
#password stack permits). This file is also the template the loop below
#copies for the other account-management tools.
cat <<"EOF" >/etc/pam.d/chage
# Begin /etc/pam.d/chage
auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so
# End /etc/pam.d/chage
EOF


#the remaining account-management tools get a copy of the chage policy;
#the sed afterwards rewrites the Begin/End markers inside the copy so each
#file names its own service.
for svc in chpasswd newusers groupadd groupdel groupmod useradd userdel usermod; do
  install -v -m644 /etc/pam.d/chage "/etc/pam.d/${svc}"
  sed -i -e "s@chage@${svc}@" "/etc/pam.d/${svc}"
done


#/etc/pam.d/other is the fallback for every service without its own file.
#Replace whatever is currently there with a deny-all default: pam_deny
#refuses each management group, and pam_warn logs the attempt so services
#that still lack a config show up in the logs instead of silently working.
#Revisit this once PAM has been tested properly.
cat <<"EOF" >/etc/pam.d/other
# Begin /etc/pam.d/other
auth		required	pam_deny.so
auth		required	pam_warn.so
account		required	pam_deny.so
session		required	pam_deny.so
password	required	pam_deny.so
password	required	pam_warn.so
# End /etc/pam.d/other
EOF



#stop login from performing this as it is done by PAM modules now:
#each key is commented out at the start of its line in /etc/login.defs.
#Already-commented lines start with '#' and no longer match '^KEY', so
#re-running this is harmless. '^CONSOLE' also prefixes CONSOLE_GROUPS and
#'^MAIL_DIR' only MAIL_DIR itself -- every such key is in the list anyway.
login_defs_keys=(
  LASTLOG_ENAB MAIL_CHECK_ENAB PORTTIME_CHECKS_ENAB CONSOLE
  MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN SU_WHEEL_ONLY MD5_CRYPT_ENAB
  CONSOLE_GROUPS ENVIRON_FILE ULIMIT ENV_TZ ENV_HZ ENV_SUPATH
  ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE CHFN_AUTH FAILLOG_ENAB
  QUOTAS_ENAB FTMP_FILE
  OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH PASS_CHANGE_TRIES PASS_ALWAYS_WARN
)
for key in "${login_defs_keys[@]}"; do
  sed -i "s@^${key}@#&@" /etc/login.defs
done
