rpc.yppasswdd(8)

NAME

rpc.yppasswdd - NIS password update daemon

SYNOPSIS

rpc.yppasswdd  [-D  directory]  [-e   chsh|chfn]   [--port
number]
rpc.yppasswdd  [-s  shadow]  [-p  passwd]  [-e  chsh|chfn]
[--port number]
rpc.yppasswdd -x program|-E program [-e chsh|chfn] [--port
number]

DESCRIPTION

rpc.yppasswdd is the RPC server that lets users change
their passwords
in the presence of NIS (a.k.a. YP). It must be run on the
NIS master
server for that NIS domain.
When a yppasswd(1) client contacts the server, it sends
the old user
password along with the new one. rpc.yppasswdd will search
the system's
passwd file for the specified user name, verify that
the given (old)
password matches, and update the entry. If the user speci
fied does not
exist, or if the password, UID or GID doesn't match the
information in
the password file, the update request is rejected,
and an error
returned to the client.
If this version of the server is compiled with the CHECK
ROOT=1 option,
the password given is also checked against the systems
root password.
After updating the passwd file and returning a success no
tification to
the client, rpc.yppasswdd executes the pwupdate script
that updates the
NIS server's passwd.* and shadow.byname maps. This script
assumes all
NIS maps are kept in directories named /var/yp/nisdomain
that each contain a Makefile customized for that NIS domain. If no such

Makefile

found, the scripts uses the generic one in /var/yp.

OPTIONS

The following options are available:

-D directory
The passwd and shadow files are located under
the specified
directory path. rpc.yppasswdd will use this
files, not
/etc/passwd and /etc/shadow. This is useful if
you do not want
to give all users in the NIS database automatic ac
cess to your
NIS server.
-E program
Instead of rpc.yppasswdd editing the passwd &
shadow files, the
specified program will be run to do the editing.
The following
environment variables will be set for
the program:
YP_PASSWD_OLD, YP_PASSWD_NEW, YP_USER, YP_GECOS,
YP_SHELL. The
program should return an exit status of 0 if
the change completes successfully, 1 if the change completes suc
cessfully but
pwupdate should not be run, and otherwise if the
change fails.
-p passwdfile
This options tells rpc.yppasswdd to use a differ
ent source file
instead of /etc/passwd This is useful if you do not
want to give
all users in the NIS database automatic ac
cess to your NIS
server.
-s shadowfile
This options tells rpc.yppasswdd to use a different
source file
instead of /etc/passwd. See below for a brief
discussion of
shadow support.
-e [chsh|chfn]
By default, rpc.yppasswdd will not allow users to
change the
shell or GECOS field of their passwd entry. Using
the -e option,
you can enable either of these. Note that when en
abling support
for ypchsh(1), you have to list all shells users
are allowed to
select in /etc/shells.
-x program
When the -x option is used, rpc.yppasswdd will not
attempt to
modify any files itself, but will instead run the
specified program, passing to its stdin information about the
requested operation(s). There is a defined protocol used to
communicate with
this external program, which has total freedom in
how it propagates the change request. See below for more de
tails on this.
-m Will be ignored, for compatibility with Solaris on
ly.
--port number
rpc.yppasswdd will try to register itself to
this port. This
makes it possible to have a router filter packets
to the NIS
ports.
-v --version
Prints the version number and if this package is
compiled with
the CHECKROOT option.

MISCELLANEOUS

Shadow Passwords
Using Shadow passwords alongside NIS does not make too
much sense,
because the supposedly inaccesible passwords now be
come readable
through a simple invocation of ypcat(1).
Shadow support in rpc.yppasswdd does not mean that it
offers a very
clever solution to this problem, it simply means that it
can read and
write password entries in the system's shadow file. You
have to produce a shadow.byname NIS map to distribute password infor
mation to your
NIS clients. rpc.yppasswdd will search at first in the
/etc/passwd file
for the user and password. If it find's the user, but
the password is
"x" and a /etc/shadow file exists, it will update the
password in the
shadow map.
Use of the -x option
The program should expect to read a single line from
stdin, which is
formatted as follows:
<username> o:<oldpass> p:<password> s:<shell> g:<gcos>
where any of the three fields [p, s, g] may or may not be
present.
This program should write "OK0 to stdout if the operation
succeeded.
On any other result, rpc.yppasswdd will report failure to
the client.
Note that the program specified by the -x option is
responsible for
doing any NIS make and build, and for doing any necessary
validation on
the shell and gcos field information supplied. The pass
word passed to
the client will be in UNIX crypt() format.
Logging
rpc.yppasswdd logs all password update requests to
syslogd(8)'s auth
facility. The logging information includes the origi
nating host's IP
address and the user name and UID contained in the re
quest. The usersupplied password itself is not logged.
Security
Unless I've screwed up completely (as I did with versions
prior to version 0.5), rpc.yppasswdd should be as secure or insecure
as any program
relying on simple password authentication. If you feel
that this is
not enough, you may want to protect rpc.yppasswdd from
outside access
by using the `securenets' feature of the new
portmap(8) version 3.
Better still, use Kerberos.

COPYRIGHT

rpc.yppasswdd is copyright (C) Olaf Kirch. You can use
and distribute
it under the GNU General Public License Version 2. Note
that it does
not contain any code from the shadow password suite.

FILES

/usr/sbin/rpc.yppasswdd
/usr/lib/yp/pwupdate
/etc/passwd
/etc/shadow

SEE ALSO

passwd(5), shadow(5), passwd(1), yppasswd(1),
ypchsh(1), ypchfn(1),
ypserv(8), ypcat(1)
The Network Information Service (NIS) was formerly known
as Sun Yellow
Pages (YP). The functionality of the two remains the
same; only the
name has changed. The name Yellow Pages is a registered
trademark in
the United Kingdom of British Telecommunications plc, and
may not be
used without permission.

AUTHOR

Olaf Kirch, <okir@monad.swb.de>
Thorsten Kukuk, <kukuk@suse.de>
YP Server August 2001
Copyright © 2010-2024 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout