The shipped configuration does not work at all on BLFS, so these files
are completely useless.
We were installing the files then overwriting them, but preventing the
installation can make our life easier when we reinstall/upgrade shadow
(then we don't need to recreate our BLFS-specific configuration).
The shadow installation procedure overwrites many files in /etc/pam.d/
which will render system login and su commands (among others) inoperative.
This update adds a warning at the beginning of the build instructions
so it will be hard to miss.
It's no longer built by default and is deprecated because it uses utmp,
wtmp, btmp, and lastlog, none of which are Y2038 safe, even on 64-bit
architectures.
Since this is commented out by default anyway, I don't think there's a
need for a freeze break.
Attention - you must have libxcrypt for this. If you are running an old
LFS release, install libxcrypt, then rebuild Shadow --with-yescrypt.
Technically if Shadow is built with PAM, then --with-{b,yes}crypt
switches are not necessary (but also do no harm). Just keep it there to
sync with LFS and prevent people building Shadow w/o PAM being locked
out of their system.
For the SHA512 crypt method, the default number of rounds (5000) is
too low to prevent brute force attacks on modern hardware. Multiply
it by 1000 (not sure it is enough).
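
As an added example (not part of the commit message or of the BLFS book), the script below audits shadow-format entries for SHA-crypt hashes whose effective round count is below the 5000 x 1000 figure given above. The 1000..999999999 clamp comes from the SHA-crypt specification; the function names and the sample entries are constructed for illustration.

```python
"""Audit shadow-format lines for SHA-crypt hashes with a low round count."""

SHA_DEFAULT_ROUNDS = 5000              # used when the hash has no rounds= field
SHA_MIN, SHA_MAX = 1000, 999_999_999   # clamp range in the SHA-crypt spec
TARGET_ROUNDS = 5000 * 1000            # the figure from the message above


def sha_crypt_rounds(hash_field):
    """Return the effective rounds of a $5$/$6$ hash, or None for other schemes."""
    # A leading ! or * marks a locked or password-less account.
    parts = hash_field.lstrip("!*").split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in ("5", "6"):
        return None
    if parts[2].startswith("rounds="):
        try:
            requested = int(parts[2][len("rounds="):])
        except ValueError:
            return None                # unparseable; leave for manual review
        return max(SHA_MIN, min(SHA_MAX, requested))
    return SHA_DEFAULT_ROUNDS


def audit(lines, minimum=TARGET_ROUNDS):
    """Return (user, rounds) for each SHA-crypt entry below `minimum` rounds."""
    weak = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 2:
            continue
        rounds = sha_crypt_rounds(fields[1])
        if rounds is not None and rounds < minimum:
            weak.append((fields[0], rounds))
    return weak


# Constructed sample entries (salts and digests are placeholders, not real hashes).
SAMPLE = [
    "alice:$6$saltsaltsalt$PLACEHOLDERDIGEST:19700:0:99999:7:::",
    "bob:$6$rounds=5000000$saltsaltsalt$PLACEHOLDERDIGEST:19700:0:99999:7:::",
    "carol:$6$rounds=100$saltsaltsalt$PLACEHOLDERDIGEST:19700:0:99999:7:::",
    "dave:$y$j9T$saltsalt$PLACEHOLDERDIGEST:19700:0:99999:7:::",
    "daemon:*:19700:0:99999:7:::",
]

if __name__ == "__main__":
    for user, rounds in audit(SAMPLE):
        print(f"{user}: SHA-crypt with {rounds} rounds")
```

Entries hashed before the round count was raised keep their old cost until the password is next changed, which is why checking the stored hashes is useful after changing the configuration.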
Shadow applications chpasswd and newusers use the "password" type,
and expect to be able to pass the password to the PAM module. But
we use pam_permit.so, which does nothing except return PAM_SUCCESS.
So the applications themselves do nothing without returning an
error. Change the config files to include system-password.
Also clean up the config files so that only the types used by the
applications appear.
Fixes #15950
There were some consistency issues in URLs to LFS. For example, in the
systemd revision the URL to LFS "General Network Configuration" points
to the sysv book; this can be really troubling to new readers.
Instead of fixing them one by one, merge conditional XML developed by
Pierre from LFS.
I know it is somewhat useless, but I don't like them for
two reasons: first they cannot be seen, and I do not like things I
cannot see. Second, git highlights them, and this is disturbing...