packages icon
README for npasswd March 1990

@(#)README	1.7 1/28/92 (cc.utexas.edu)

* Introduction

Npasswd is a pretty-much-plug-compatable replacement for passwd(1).
This version incorporates a password checking system
that disallows simple-minded passwords.

It does exactly ONE thing - change login passwords, though it would
not be too difficult to make it do shells and GECOS stuff also.

I have modeled npasswd after passwd(1) from 4.3BSD and SunOS 4.0, but
it does not impliment the options those versions have.
I have also included support for Sys VR3 password aging, but I don't have
a SysV box around to test it on.

* About npasswd

The program is divided into upper and lower sections.
The upper (driver) half deals with abstract data such as login names and
passwords.  It has no knowledge of how or where passwords are stored.

The lower (method) half does data lookup and replacement.  There are 
two different method modules provided with this distribution.

	pw_passwd.c - deals with standard /etc/passwd type files and
		the hashed passwd database used in 4.3BSD.
	pw_yp.c - deals with standard /etc/passwd files and Yellow Pages
		passwd service.

The lower half hides all its data from the upper half, and vice versa.
The upper and lower halves communicate via this interface:

	pw_initalize()		Do initializations 
	pw_getuserbyname()	Get user information by name
	pw_permission()		Check if user has permission
				 to change this users' password
	pw_compare()		Compare passwords (returns 1 on match, 0 if not)
	pw_check()		Check password (returns 1 if ok, 0 otherwise)
	pw_replace()		Replace the password
	pw_cleanup()		Cleanup

Both the upper and lower halves keep private state, and must determine
such things as who invoked the program seperately.

This approach allows there to be one user interface for a variety of
password storage methods.  To support another method, such as shadow
password files, a new collection of method routines need be written and
linked to npasswd.o.

I have tried to minimalize the assumptions about what is available in the
C library and localized UNIX version dependancies.

* Building npasswd

- You will probably want to edit the manual page - it is fairly rough.

- Look at the sources before you install to see if the assumptions
  I made are correct for your site.

1. Choose which version of npasswd you want to be the default and
   retarget 'all' in Makefile to point to it.

2. Read checkpasswd/README and configure Makefiles accordingly.

3. Set the system target information in Makefile.
	* For running under SunOS 4.X system, set OPTIONS = -DSUNOS4 
	* If you are thinking about running Sun "Secure RPC", add
	  -DSECURE_RPC to OPTIONS
	* For running under System V, set OPTIONS = -DSYSV
	* To use syslog(3), include -DSYSLOG in OPTIONS
	* To update the 4.3BSD hashed password database,
	  include '-DBSD4_3' in OPTIONS.
	* Change the lines for 'CF' and 'HF' to retarget the config and
	  or help files.

4. Edit 'npasswd.help' to reflect the preferences chosen for the
   password checking plus add any other local administrativa.

5. Edit 'npasswd.conf' to reflect your preferences.  See
   checkpasswd/checkpasswd.8 (or the section below) for information about
   the password checking configuration file.

6. Do a 'make'.

7. Become super-user and do 'make install'.

8. If you built npasswd with -DSYSLOG, modify /etc/syslog.conf to log
   messages for facility LOG_AUTH level LOG_INFO.  This gives you a record
   of password changes.

* The configuration file explained

dictionary	/path/to/dictionary	[description]
	/usr/dict/words is always looked in.
	There are 2 good reasons to have a DBM version of each dictionary:
	1. Faster password checking.	
	2. More secure checking.  If there are no DBM files, then egrep(1)
	   is used and unfortunately, the candidate password must be put on the 
	   command line - which makes it suspectible to being seen with ps(1).

# singlecase	yes | [no]	- Pass single-case passwords
	Allow single case passwords.  Default is not to.

# minlength	N [5]	- Minimum password length
	5 characters is the default minimum password length

# maxlength	N [8]	Maximum effective password length
	All this does is issue a warning message that just the first N
	characters of a password are used.

# printonly	yes | [no] 	- Allow only printable characters
	Allow non-printable (ASCII control) characters in passwords

# badchars	"<string>"	- Replace illegal character list
	Set a list of characters verboten in passwords.
	This form REPLACES the built-in illegal character list.
	Control characters may be specified by the '^X' convention.  

# badchars	+"<string>"	- Add to illegal character list
	Adds to the built-in illegal character list.

----------------------
Bug reports & enhancements to

	npasswd-bugs@emx.utexas.edu

There is a mailing list for users of the npasswd program:

	npasswd-users@emx.utexas.edu

Requests to be added to this list should be send to:

	npasswd-users-request@emx.utexas.edu


	-Clyde Hoover (clyde@emx.utexas.edu)