<< Back to man.ChinaUnix.net

6.53. Shadow-

The Shadow package contains programs for handling passwords in a secure way.

Approximate build time: 0.4 SBU

Required disk space: 11 MB

Shadow installation depends on: Bash, Binutils, Bison, Coreutils, Diffutils, GCC, Gettext, Glibc, Grep, Make, and Sed

6.53.1. Installation of Shadow

Prepare Shadow for compilation:

./configure --libdir=/usr/lib --enable-shared

Work around a problem that prevents Shadow's internationalization from working:

echo '#define HAVE_SETLOCALE 1' >> config.h

Shadow incorrectly declares the malloc() function, causing compilation failure. Fix this:

sed -i '/extern char/d' libmisc/xmalloc.c

Compile the package:


Install the package:

make install

Shadow uses two files to configure authentication settings for the system. Install these two config files:

cp etc/{limits,login.access} /etc

Instead of using the default crypt method, use the more secure MD5 method of password encryption, which also allows passwords longer than 8 characters. It is also necessary to change the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location used currently. Both of these can be accomplished by changing the relevant configuration file while copying it to its destination:

cp etc/login.defs.linux /etc/login.defs
sed -i -e 's@#MD5_CRYPT_ENAB.no@MD5_CRYPT_ENAB yes@' \
    -e 's@/var/spool/mail@/var/mail@' /etc/login.defs

Move some misplaced symlinks/programs to their proper locations:

mv /bin/sg /usr/bin
mv /bin/vigr /usr/sbin
mv /usr/bin/passwd /bin

Move Shadow's dynamic libraries to a more appropriate location:

mv /usr/lib/lib{shadow,misc}.so.0* /lib

Because some packages expect to find the just-moved libraries in /usr/lib, create the following symlinks:

ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so

The -D option of the useradd program requires the /etc/default directory for it to work properly:

mkdir /etc/default

Coreutils has already installed a better groups program in /usr/bin. Remove the one installed by Shadow:

rm /bin/groups

6.53.2. Configuring Shadow

This package contains utilities to add, modify, and delete users and groups; set and change their passwords; and perform other administrative tasks. For a full explanation of what password shadowing means, see the doc/HOWTO file within the unpacked source tree. If using Shadow support, keep in mind that programs which need to verify passwords (display managers, FTP programs, pop3 daemons, etc.) must be shadow-compliant. That is, they need to be able to work with shadowed passwords.

To enable shadowed passwords, run the following command:


To enable shadowed group passwords, run:


Under normal circumstances, passwords will not have been created yet. However, if returning to this section later to enable shadowing, reset any current user passwords with the passwd command or any group passwords with the gpasswd command.

6.53.3. Setting the root password

Choose a password for user root and set it by running:

passwd root

6.53.4. Contents of Shadow

Installed programs: chage, chfn, chpasswd, chsh, expiry, faillog, gpasswd, groupadd, groupdel, groupmod, groups, grpck, grpconv, grpunconv, lastlog, login, logoutd, mkpasswd, newgrp, newusers, passwd, pwck, pwconv, pwunconv, sg (link to newgrp), useradd, userdel, usermod, vigr (link to vipw), and vipw

Installed libraries: libshadow[.a,so]

Short Descriptions


Used to change the maximum number of days between obligatory password changes


Used to change a user's full name and other info


Used to update the passwords of an entire series of user accounts


Used to change a user's default login shell


Checks and enforces the current password expiration policy


Is used to examine the log of login failures, to set a maximum number of failures before an account is blocked, or to reset the failure count


Is used to add and delete members and administrators to groups


Creates a group with the given name


Deletes the group with the given name


Is used to modify the given group's name or GID


Reports the groups of which the given users are members


Verifies the integrity of the group files /etc/group and /etc/gshadow


Creates or updates the shadow group file from the normal group file


Updates /etc/group from /etc/gshadow and then deletes the latter


Reports the most recent login of all users or of a given user


Is used by the system to let users sign on


Is a daemon used to enforce restrictions on log-on time and ports


Generates random passwords


Is used to change the current GID during a login session


Is used to create or update an entire series of user accounts


Is used to change the password for a user or group account


Verifies the integrity of the password files /etc/passwd and /etc/shadow


Creates or updates the shadow password file from the normal password file


Updates /etc/passwd from /etc/shadow and then deletes the latter


Executes a given command while the user's GID is set to that of the given group


Runs a shell with substitute user and group IDs


Creates a new user with the given name, or updates the default new-user information


Deletes the given user account


Is used to modify the given user's login name, User Identification (UID), shell, initial group, home directory, etc.


Edits the /etc/group or /etc/gshadow files


Edits the /etc/passwd or /etc/shadow files


Contains functions used by most programs in this package