Our setup for anlpasswd
-----------------------

Here's a description of our local setup, to give you an idea how this
system is used:

Most of our filesystems are fully cross-mounted on all architectures.
We keep a /usr/local hierarchy for each of our architectures. This is
where all of our architecture-specific files are located. In addition,
we have another hierarchy, /mcs, in which architecture-independent
files are kept. /mcs is cross-mounted on all of our architectures. The
advantage of this is that many configuration changes can be made by
changing something in /mcs rather than changing it on every
architecture.

We keep anlpasswd, the big dictionary file, and its Perl include files
in the /mcs hierarchy. Then we use a compiled C program (a C "wrapper")
on each of the architectures to call the anlpasswd script. The
advantage is that the C wrapper only gets compiled once; any changes to
the anlpasswd script take effect on all architectures. Any
configuration changes are thus done on a global basis, without ever
worrying about any of the individual architectures. (The one exception
to this is the changing of a user's login shell; because the location
of this information varies from system to system, it is necessary to
change local configuration files as well as the anlpasswd script.)

It is important to realize that this functionality depends on keeping
the anlpasswd program and its support files on some filesystem that is
cross-mounted on all architectures.

Installing anlpasswd
--------------------

1. Copy and modify the anlpasswd Perl script. This is located in the
   "anlpasswd/perl" directory of the distribution, and is called
   (logically enough) "anlpasswd". The configuration section of the
   code is located near the beginning of the script, and is labeled
   "Configs". Here are the lines you need to be concerned with
   changing:

       $passwd = "passwd";
       $yppasswd = "yppasswd";

   These are the names the passwd program and the yppasswd program will
   be called as.
   Unless you are on a weird system, you'll probably want to leave
   these alone.

       $accounts = "root";    # Person who handles accounts

   This is the person who handles the creation/deletion of accounts on
   your system. Change this variable to the email address of that
   person.

       @legal_shells = ('/bin/sh', '/bin/csh');

   This is an array containing the valid shells available on your
   system. Note that this may not necessarily be the same as the
   information listed in /etc/shells; for example, on some machines,
   /bin/csh and /bin/sh don't have to be listed in /etc/shells. This is
   not the case with anlpasswd; you should set @legal_shells to contain
   a list of all valid login shells. If you add new login shells to
   your systems, you need to update this array. It is very important
   that the shells listed here are available on all of the machines on
   your YP network; otherwise, a user may change his/her shell to one
   that doesn't exist on one of your machines, and therefore will be
   unable to log in to that machine.

       unshift(@INC, "/mcs/adm/lib/perl");
       unshift(@INC, "/mcs/lib/perl");

   These are additional locations for Perl to look for the include
   files that came with the anlpasswd distribution. These are currently
   set for our local configuration. If you decide to put the Perl
   libraries in this distribution (im_prompt2.pl, encrypt_passwd) in
   locations other than the main Perl include directory, you should add
   those locations to the include file search path (@INC) as shown
   above. Otherwise, you can just delete these lines.

       # $bigdict = large list of words
       $bigdict = "/Net/cmsun/cmsun1/DICTS/bigdict.sorted";
       $dictdir = "/mcs/source/DICTIONARIES";   # location of dictionaries
       $ypstuffdir = "/usr/local/adm/bin";      # location of ypstuff executable

   These are the locations of other files that anlpasswd needs. Change
   these to reflect the location of your dictionaries, the location of
   the main dictionary (bigdict.sorted, in this case), and the location
   of the "ypstuff" program.
   Again, if you're using this package over a networked system, the
   dictionaries must be located on some filesystem cross-mounted on all
   of your machines; otherwise this won't work.

   Finally, edit the definition of the @dictlist array to contain the
   names of the additional dictionaries (if any) you want to use.

2. Decide where you want to put the anlpasswd script, and copy it
   there. If you are installing this on a network of machines, this
   location must be on a filesystem cross-mounted on all machines.
   Since Perl disallows running setuid Perl scripts, the anlpasswd
   script is not executed directly. Instead, a setuid C wrapper is used
   to call the anlpasswd script. The Perl script should not be
   executable or setuid, and should not be located in anyone's path.
   You should probably "chmod 600 anlpasswd" to be safe.

3. Make a link to anlpasswd called "passwd", i.e.

       ln -s anlpasswd passwd

   If you are using YP, make another link for yppasswd:

       ln -s anlpasswd yppasswd

4. Decide where you want the passwd executable to reside. This is a C
   wrapper running setuid to root which calls the anlpasswd script.
   This will probably be in /bin or /usr/local/bin. You should keep a
   copy of the original passwd program around somewhere, in case
   something breaks, but it should not be executable. A good idea would
   be to do the following:

       cd /bin        (or wherever the original passwd program was kept)
       mv passwd passwd.orig
       chmod 644 passwd.orig

5. Modify anlpasswd/c-routines/suidwrap.c to suit your local
   configuration. The PASSWD_ACTUAL constant contains the location of
   the "passwd" link to anlpasswd. Similarly the YPPASSWD_ACTUAL
   constant contains the location of the "yppasswd" link. You should
   change these to reflect the locations you chose in steps 2 and 3.
   The current settings assume the yppasswd and passwd executables can
   be located in /bin or /usr/local/bin. You should modify these to
   reflect the location(s) you chose in step 4.

6. Run "make" in anlpasswd/c-routines.
   This will compile the suid wrapper and the ypstuff executable. Copy
   "suidwrap" to the location you chose in step 4, and rename this copy
   as "passwd". (Be sure you saved your original passwd program in a
   safe place.) Change this to be executable by all users, and set it
   to run suid to root (you must be logged in as root to do this). Make
   a link to this file called "yppasswd". I.e., if passwd_exec_dir is
   the location you chose in step 4,

       cp suidwrap passwd_exec_dir/passwd
       cd passwd_exec_dir
       chmod 4111 passwd
       ln -s passwd yppasswd

   Unless the location you have chosen for the passwd executable is on
   a partition cross-mounted on all machines, you will have to repeat
   this procedure on every machine (or architecture) on your network.
   (Don't confuse the executable C wrapper with the Perl anlpasswd
   script; there should only be one copy of the Perl script, on a
   partition accessible by all the machines on your network.)

7. Copy anlpasswd/c-routines/ypstuff to the location you chose for it
   in step 1.

8. Generate the large dictionary file, and put it in the location you
   chose in step 1. There is a C program and instructions to do this in
   anlpasswd/mongodict.

That should be all that is needed to get this program up and running.
If there are any problems or inaccuracies in this documentation, or if
you have any improvements or bug fixes, please send email to
"support@mcs.anl.gov".
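
A post-install check for the modes and links set in steps 2, 3, 4 and 6,
as an added example that is not part of the anlpasswd distribution. The
function names and the WRAPPER_OWNER variable are hypothetical; the two
directories are passed as arguments.

```shell
#!/bin/sh
# Added example: audit the file modes and links from install steps 2-6.
# Usage: audit_anlpasswd SCRIPT_DIR PASSWD_EXEC_DIR
# WRAPPER_OWNER (hypothetical knob) defaults to root, as step 6 requires.

has_mode() {   # true if $1 is a regular file whose mode is exactly $2
    [ -n "$(find "$1" -prune -type f -perm "$2" 2>/dev/null)" ]
}

audit_anlpasswd() {   # prints each problem; returns the number found
    sdir=$1 xdir=$2 bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    # Step 2: the Perl script is 600 (not executable, not setuid) and
    # its directory is not on anyone's PATH.
    has_mode "$sdir/anlpasswd" 600 || fail "$sdir/anlpasswd is not a mode-600 file"
    case ":$PATH:" in *":$sdir:"*) fail "$sdir is in PATH" ;; esac

    # Step 3: passwd (and yppasswd, when YP is used) link to the script.
    for l in passwd yppasswd; do
        [ "$l" = yppasswd ] && [ ! -e "$sdir/$l" ] && [ ! -L "$sdir/$l" ] && continue
        { [ -L "$sdir/$l" ] && [ "$sdir/$l" -ef "$sdir/anlpasswd" ]; } ||
            fail "$sdir/$l is not a symlink to anlpasswd"
    done

    # Step 4: the saved original is 644, so nobody can run it.
    if [ -e "$xdir/passwd.orig" ]; then
        has_mode "$xdir/passwd.orig" 644 || fail "$xdir/passwd.orig is not mode 644"
    fi

    # Step 6: the wrapper is a 4111 file owned by root; yppasswd links to it.
    has_mode "$xdir/passwd" 4111 || fail "$xdir/passwd is not a mode-4111 file"
    [ -n "$(find "$xdir/passwd" -prune -user "${WRAPPER_OWNER:-root}" 2>/dev/null)" ] ||
        fail "$xdir/passwd is not owned by ${WRAPPER_OWNER:-root}"
    if [ -L "$xdir/yppasswd" ]; then
        [ "$xdir/yppasswd" -ef "$xdir/passwd" ] ||
            fail "$xdir/yppasswd does not point at passwd"
    fi
    return "$bad"
}
```

Run it on each architecture after step 6; a non-zero exit status is the
number of checks that failed.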