rpc.yppasswdd(8)
NAME
rpc.yppasswdd - NIS password update daemon
SYNOPSIS
rpc.yppasswdd [-D directory] [-e chsh|chfn] [--port number]
rpc.yppasswdd [-s shadow] [-p passwd] [-e chsh|chfn] [--port number]
rpc.yppasswdd -x program|-E program [-e chsh|chfn] [--port number]
DESCRIPTION
rpc.yppasswdd is the RPC server that lets users change their passwords in the presence of NIS (a.k.a. YP). It must be run on the NIS master server for that NIS domain.

When a yppasswd(1) client contacts the server, it sends the old user password along with the new one. rpc.yppasswdd will search the system's passwd file for the specified user name, verify that the given (old) password matches, and update the entry. If the user specified does not exist, or if the password, UID or GID doesn't match the information in the password file, the update request is rejected, and an error returned to the client.

If this version of the server is compiled with the CHECKROOT=1 option, the password given is also checked against the system's root password.

After updating the passwd file and returning a success notification to the client, rpc.yppasswdd executes the pwupdate script that updates the NIS server's passwd.* and shadow.byname maps. This script assumes all NIS maps are kept in directories named /var/yp/nisdomain that each contain a Makefile customized for that NIS domain. If no such Makefile is found, the script uses the generic one in /var/yp.
OPTIONS
The following options are available:
-D directory
    The passwd and shadow files are located under the specified directory path. rpc.yppasswdd will use these files, not /etc/passwd and /etc/shadow. This is useful if you do not want to give all users in the NIS database automatic access to your NIS server.

-E program
    Instead of rpc.yppasswdd editing the passwd & shadow files, the specified program will be run to do the editing. The following environment variables will be set for the program: YP_PASSWD_OLD, YP_PASSWD_NEW, YP_USER, YP_GECOS, YP_SHELL. The program should return an exit status of 0 if the change completes successfully, 1 if the change completes successfully but pwupdate should not be run, and any other value if the change fails.

-p passwdfile
    This option tells rpc.yppasswdd to use a different source file instead of /etc/passwd. This is useful if you do not want to give all users in the NIS database automatic access to your NIS server.

-s shadowfile
    This option tells rpc.yppasswdd to use a different source file instead of /etc/passwd. See below for a brief discussion of shadow support.

-e [chsh|chfn]
    By default, rpc.yppasswdd will not allow users to change the shell or GECOS field of their passwd entry. Using the -e option, you can enable either of these. Note that when enabling support for ypchsh(1), you have to list all shells users are allowed to select in /etc/shells.

-x program
    When the -x option is used, rpc.yppasswdd will not attempt to modify any files itself, but will instead run the specified program, passing to its stdin information about the requested operation(s). There is a defined protocol used to communicate with this external program, which has total freedom in how it propagates the change request. See below for more details on this.

-m
    Will be ignored, for compatibility with Solaris only.

--port number
    rpc.yppasswdd will try to register itself to this port. This makes it possible to have a router filter packets to the NIS ports.

-v --version
    Prints the version number and whether this package is compiled with the CHECKROOT option.
MISCELLANEOUS
Shadow Passwords

Using Shadow passwords alongside NIS does not make too much sense, because the supposedly inaccessible passwords now become readable through a simple invocation of ypcat(1).

Shadow support in rpc.yppasswdd does not mean that it offers a very clever solution to this problem; it simply means that it can read and write password entries in the system's shadow file. You have to produce a shadow.byname NIS map to distribute password information to your NIS clients. rpc.yppasswdd will search at first in the /etc/passwd file for the user and password. If it finds the user, but the password is "x" and a /etc/shadow file exists, it will update the password in the shadow map.

Use of the -x option

The program should expect to read a single line from stdin, which is formatted as follows:

    <username> o:<oldpass> p:<password> s:<shell> g:<gcos>

where any of the three fields [p, s, g] may or may not be present.

This program should write "OK\n" to stdout if the operation succeeded. On any other result, rpc.yppasswdd will report failure to the client.

Note that the program specified by the -x option is responsible for doing any NIS make and build, and for doing any necessary validation on the shell and gcos field information supplied. The password passed to the client will be in UNIX crypt() format.

Logging

rpc.yppasswdd logs all password update requests to syslogd(8)'s auth facility. The logging information includes the originating host's IP address and the user name and UID contained in the request. The user-supplied password itself is not logged.
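
An added example, not part of the original manual or the ypserv sources: the input-handling half of a -x program in Python, parsing the stdin line described under "Use of the -x option" and doing the shell and gcos validation that section assigns to the program. It assumes the fields arrive in the order shown, that only gcos may contain spaces, and that the file edit and NIS make are supplied by a hypothetical site-specific apply_change callback; ERR is an arbitrary non-OK reply.

```python
import re

# Assumed wire layout, from the man page: fields appear in this order and only
# gcos (last) may contain spaces; anything else is rejected (fail closed).
REQUEST_RE = re.compile(
    r"^(?P<user>[^\s:]+) o:(?P<old>\S*)"
    r"(?: p:(?P<passwd>\S+))?(?: s:(?P<shell>\S+))?(?: g:(?P<gcos>.*))?$"
)
# Characters that would corrupt a passwd(5) record: field separator, controls.
UNSAFE = re.compile(r"[:\x00-\x1f\x7f]")


def parse_request(line):
    """Return a dict of the fields present, or None if the line is malformed."""
    m = REQUEST_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def load_shells(text):
    """Parse /etc/shells content: one path per line, '#' starts a comment."""
    entries = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return {e for e in entries if e}


def validate(req, allowed_shells):
    """Check the fields the -x program is responsible for validating."""
    if req is None or not any(k in req for k in ("passwd", "shell", "gcos")):
        return False  # malformed line, or nothing to change
    for field in ("user", "passwd", "shell", "gcos"):
        if field in req and UNSAFE.search(req[field]):
            return False  # value would break the colon-separated record
    return "shell" not in req or req["shell"] in allowed_shells


def respond(line, allowed_shells, apply_change):
    """Return the reply for stdout: OK only when validated and applied."""
    req = parse_request(line)
    if validate(req, allowed_shells) and apply_change(req):
        return "OK\n"
    return "ERR\n"  # any non-OK output is reported to the client as failure


if __name__ == "__main__":
    # Constructed sample input; the lambda stands in for the site-specific update.
    shells = load_shells("/bin/sh\n/bin/bash # comment\n")
    sample = "alice o:oldpw s:/bin/bash g:Alice Example,Room 1\n"
    print(repr(respond(sample, shells, lambda req: True)))
```

In a deployed handler the line comes from sys.stdin.readline() and the shell list from /etc/shells.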
Security

Unless I've screwed up completely (as I did with versions prior to version 0.5), rpc.yppasswdd should be as secure or insecure as any program relying on simple password authentication. If you feel that this is not enough, you may want to protect rpc.yppasswdd from outside access by using the `securenets' feature of the new portmap(8) version 3. Better still, use Kerberos.
COPYRIGHT
rpc.yppasswdd is copyright (C) Olaf Kirch. You can use and distribute it under the GNU General Public License Version 2. Note that it does not contain any code from the shadow password suite.
FILES
/usr/sbin/rpc.yppasswdd
/usr/lib/yp/pwupdate
/etc/passwd
/etc/shadow
SEE ALSO
passwd(5), shadow(5), passwd(1), yppasswd(1), ypchsh(1), ypchfn(1), ypserv(8), ypcat(1)

The Network Information Service (NIS) was formerly known as Sun Yellow Pages (YP). The functionality of the two remains the same; only the name has changed. The name Yellow Pages is a registered trademark in the United Kingdom of British Telecommunications plc, and may not be used without permission.
AUTHOR
Olaf Kirch, <okir@monad.swb.de>
Thorsten Kukuk, <kukuk@suse.de>

YP Server August 2001