# shadow

- `faillog` lists users that exist and tried to log in but failed, while `btmp` lists every failed login attempt
- To remove `No mail.` from shadow's `login` (`lib/mail.c`): this can be done by creating a `.hushlogin` file in `~`
- disable `audit` support because, like utmp, it grants the ability to monitor users and failed logins and such
- disable `logind` because shadow switched to systemd to provide utmp-like functionality
- disable `su` because the user should use `sudo` or `doas` to escalate privileges and not `su` directly (this is also recommended by the Arch wiki Security page)
- Use everything user and group related provided by shadow (e.g. `groups`) instead of relying on toybox or util-linux to provide it (LFS disables `groups` from shadow while Alpine and Arch have it enabled). `id` and `groups` from shadow are deprecated as of 4.17.0
- enable `fcaps` for better security (only in `native`)
- enable `yescrypt` for better password hashing scalability
- No need to set `--with-group-name-max-length` as the default value is now `32` (https://github.com/shadow-maint/shadow/issues/999)
- When linking against `nsss`, shadow tries to link against `xget*` functions that are used with PAM, even though `--without-pam` is being used and `login_nopam` is being built…
- Run `pwconv` to enable shadowed passwords
- Run `grpconv` to enable shadowed group passwords
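As an added illustration of the yescrypt and `pwconv`/`grpconv` items above (this is example code written for these notes, not part of shadow or the original page), the following Python audit checks records in `/etc/passwd`, `/etc/group`, `/etc/shadow` and `login.defs` format for the two properties those steps are meant to produce: an `x` in the password field (the hash has moved to the shadow file) and a `$y$` (yescrypt) hash prefix, with `ENCRYPT_METHOD YESCRYPT` set so that new passwords get the same treatment. All sample accounts, groups and hash strings are constructed placeholders.

```python
"""Audit constructed passwd/group/shadow/login.defs records for shadowed
passwords and yescrypt hashing. Example code; the samples are not real data."""

# Constructed sample records (not real accounts) in /etc/passwd format.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
legacy:$6$constructedsalt$constructedhash:1001:1001:Legacy:/home/legacy:/bin/sh
svc:x:1002:1002:Service:/nonexistent:/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
"""

# Constructed sample records in /etc/group format.
GROUP_SAMPLE = """\
wheel:x:10:alice
oldgrp:$6$constructedsalt$constructedhash:1001:legacy
"""

# Constructed sample records in /etc/shadow format (hashes are placeholders).
SHADOW_SAMPLE = """\
root:$y$j9T$constructedsalt$constructedhash:19700:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19700:0:99999:7:::
svc:!:19700:0:99999:7:::
"""

# Constructed fragment of /etc/login.defs.
LOGIN_DEFS_SAMPLE = """\
# constructed fragment of /etc/login.defs
#ENCRYPT_METHOD SHA512
ENCRYPT_METHOD YESCRYPT
"""

# crypt(3) $id$ prefix -> algorithm name.
HASH_PREFIXES = [
    ("$y$", "yescrypt"),
    ("$gy$", "gost-yescrypt"),
    ("$7$", "scrypt"),
    ("$6$", "sha512crypt"),
    ("$5$", "sha256crypt"),
    ("$2b$", "bcrypt"), ("$2y$", "bcrypt"), ("$2a$", "bcrypt"),
    ("$1$", "md5crypt"),
]


def classify_hash(field):
    """Name the algorithm of a password field, or 'empty' / 'locked' / 'descrypt'."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"          # '!' or '*' prefix: account cannot log in by password
    for prefix, name in HASH_PREFIXES:
        if field.startswith(prefix):
            return name
    return "descrypt"            # no $id$ prefix: traditional 13-character DES crypt


def parse_records(text):
    """Map entry name -> list of colon-separated fields, skipping blank lines."""
    records = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            records[fields[0]] = fields
    return records


def encrypt_method(login_defs_text):
    """Return the active ENCRYPT_METHOD from login.defs text, or None if unset."""
    method = None
    for line in login_defs_text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(parts) == 2 and parts[0] == "ENCRYPT_METHOD":
            method = parts[1]                   # last assignment wins
    return method


def audit(passwd_text, group_text, shadow_text, login_defs_text):
    """Return (entry, finding) pairs; an empty list means everything checks out."""
    findings = []
    shadow = parse_records(shadow_text)
    for user, fields in parse_records(passwd_text).items():
        if fields[1] != "x":
            findings.append((user, "password field not shadowed (run pwconv)"))
            continue
        if user not in shadow:
            findings.append((user, "no /etc/shadow entry"))
            continue
        algo = classify_hash(shadow[user][1])
        if algo == "empty":
            findings.append((user, "empty password"))
        elif algo not in ("locked", "yescrypt"):
            findings.append((user, "hash uses %s, not yescrypt" % algo))
    for group, fields in parse_records(group_text).items():
        if fields[1] != "x":
            findings.append((group, "group password not shadowed (run grpconv)"))
    if encrypt_method(login_defs_text) != "YESCRYPT":
        findings.append(("login.defs", "ENCRYPT_METHOD is not YESCRYPT"))
    return findings


if __name__ == "__main__":
    for entry, finding in audit(PASSWD_SAMPLE, GROUP_SAMPLE, SHADOW_SAMPLE, LOGIN_DEFS_SAMPLE):
        print("%-10s %s" % (entry, finding))
```

On the constructed samples the audit flags `alice` (sha512crypt hash, so yescrypt is built but her password predates it), `legacy` and `nobody` (hash or `*` still in `/etc/passwd`, which `pwconv` would move) and `oldgrp` (group password not yet moved by `grpconv`), while `root` and the locked `svc` account pass. Pointing the same functions at real files needs root to read `/etc/shadow`; the check is read-only either way.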