shadow
- `faillog`: failed login attempts for existing users
- `btmp`: lists every failed login attempt
- Create a `~/.hushlogin` file to disable `No mail.` message from `login` (`lib/mail.c`)
- Disable `audit` support because it goes inline with utmp as it grants the ability to monitor users and failed logins and such
- Disable `logind` because `shadow` switched to `systemd` to provide utmp-like functionality
- Disable `su` because the user should use `sudo` or `doas` to escalate privileges and not `su` directly; also recommended by the Arch wiki Security page
- shadow advises against using their `su` and recommends using `util-linux`’s `su` instead (which requires PAM)
- Prefer `shadow` binaries over `toybox` or `util-linux` similar to Alpine and Arch and unlike LFS
- `id` and `groups` from shadow are deprecated as of 4.17.0
- Enable `fcaps` for better security in `native` (requires `root`)
- Enable `yescrypt` for better password hashing scalability
- The default value for `--with-group-name-max-length` is `32`
- When linking against `nsss` shadow tries to link against `xget*` functions that are used with PAM, even though `--without-pam` is being used and `login_nopam` is being built
- Enable shadowed passwords by running `pwconv`
- Enable shadowed group passwords by running `grpconv`
- `sulogin` is being built, but not installed
- Builds `login_nopam` correctly, but attempts to link xget pam when using `nsss` patch
- Check `/etc/login.defs` for mail stuff and others
- The following utilities can be configured to be built without PAM:
Common Binaries
Comparison of different implementations of the same tools by shadow and util-linux:
- Prefer `shadow`’s `chfn`: util-linux version requires PAM
- Prefer `shadow`’s `chsh`: util-linux version requires PAM
- Prefer `shadow`’s `login`: util-linux version requires PAM
- Prefer `shadow`’s `newgrp`: no flag to disable it from `shadow`, also `util-linux` version needs to be explicitly enabled
- Prefer `shadow`’s `nologin`: no flag to disable it from `shadow`
- sg (is just a symlink to newgrp)
- vigr (is just a symlink to vipw)
- Prefer `shadow`’s `vipw`: no flag to disable it from `shadow`, also `util-linux` version needs to be explicitly enabled
- Prefer `util-linux`’s `sulogin`: `shadow`’s `sulogin` lacks options and is not installed by default
- Prefer `toybox`’s `su`: both `shadow` and `util-linux` versions require `pam`
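
A check for the `pwconv`, `grpconv` and `yescrypt` notes above, as an added example that is not part of the original notes or of the shadow project: it reports accounts and groups whose password field has not been shadowed, empty password fields, and stored hashes that are not yescrypt. The names `audit_shadow` and `demo` and all sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not shadow's own code).
# Usage: audit_shadow PASSWD SHADOW GROUP
# Paths are parameters so the check can run on copies; reading the real
# /etc/shadow requires root.
audit_shadow() {
    # After pwconv/grpconv the second field of passwd/group is the literal "x".
    awk -F: 'NF >= 2 && $2 != "x" { print "unshadowed-passwd:" $1 }' "$1"
    awk -F: 'NF >= 2 && $2 != "x" { print "unshadowed-group:" $1 }' "$3"
    # shadow: flag empty passwords and real hashes without the "$y$" prefix.
    awk -F: 'NF >= 2 {
        if ($2 == "") { print "empty-password:" $1; next }
        h = $2
        sub(/^!+/, "", h)              # leading "!" marks a locked hash
        if (h == "" || h == "*") next  # locked entry with no hash stored
        if (substr(h, 1, 3) != "$y$") print "non-yescrypt:" $1
    }' "$2"
}

# Constructed sample databases (placeholder hashes, not from a real system).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:$6$salt$oldhash:1000:1000::/home/alice:/bin/sh' > "$d/passwd"
    printf '%s\n' 'root:$y$j9T$salt$hash:19000:0:99999:7:::' \
        'bob:!$6$salt$hash:19000:0:99999:7:::' \
        'daemon:*:19000:0:99999:7:::' \
        'guest::19000:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'root:x:0:' 'wheel:$6$salt$hash:10:alice' > "$d/group"
    audit_shadow "$d/passwd" "$d/shadow" "$d/group"
    rm -rf "$d"
}

demo
```

An empty result from `audit_shadow /etc/passwd /etc/shadow /etc/group` means every entry is shadowed and every stored hash uses yescrypt.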