Yolinux.com

RPC.YPPASSWDD manpage


RPC.YPPASSWDD(8)					      RPC.YPPASSWDD(8)



NAME
       rpc.yppasswdd - NIS password update daemon

SYNOPSIS
       rpc.yppasswdd [-D directory] [-e chsh|chfn] [--port number]
       rpc.yppasswdd [-s shadow] [-p passwd] [-e chsh|chfn] [--port number]
       rpc.yppasswdd -x program|-E program [-e chsh|chfn] [--port number]


DESCRIPTION
       rpc.yppasswdd  is the RPC server that lets users change their passwords
       in the presence of NIS (a.k.a. YP). It must be run on  the  NIS	master
       server for that NIS domain.

       When  a	yppasswd(1)  client contacts the server, it sends the old user
       password along with the new one. rpc.yppasswdd will search the system's
       passwd  file  for  the specified user name, verify that the given (old)
       password matches, and update the entry. If the user specified does  not
       exist,  or if the password, UID or GID doesn't match the information in
       the password file, the update request is rejected, and an error is
       returned to the client.

       If this version of the server is compiled with the CHECKROOT=1 option,
       the password given is also checked against the system's root password.

       After updating the passwd file and returning a success notification  to
       the client, rpc.yppasswdd executes the pwupdate script that updates the
       NIS server's passwd.* and shadow.byname maps.  This script assumes  all
       NIS maps are kept in directories named /var/yp/nisdomain that each
       contain a Makefile customized for that NIS domain. If no such Makefile
       is found, the script uses the generic one in /var/yp.

OPTIONS
       The following options are available:

       -D directory
	      The  passwd  and	shadow	files  are located under the specified
	      directory path.  rpc.yppasswdd will use these files, not
	      /etc/passwd  and /etc/shadow.  This is useful if you do not want
	      to give all users in the NIS database automatic access  to  your
	      NIS server.

       -E program
	      Instead  of rpc.yppasswdd editing the passwd & shadow files, the
	      specified program will be run to do the editing.	The  following
	      environment   variables	will   be   set	  for	the   program:
	      YP_PASSWD_OLD, YP_PASSWD_NEW, YP_USER, YP_GECOS,	YP_SHELL.  The
	      program should return an exit status of 0 if the change
	      completes successfully, 1 if the change completes successfully
	      but pwupdate should not be run, and any other value if the
	      change fails.

       -p passwdfile
	      This option tells rpc.yppasswdd to use a different source file
	      instead of /etc/passwd. This is useful if you do not want to give
	      all  users  in  the  NIS	database  automatic access to your NIS
	      server.

       -s shadowfile
	      This option tells rpc.yppasswdd to use a different source file
	      instead  of  /etc/passwd.	 See  below  for a brief discussion of
	      shadow support.

       -e [chsh|chfn]
	      By default, rpc.yppasswdd will not allow	users  to  change  the
	      shell or GECOS field of their passwd entry. Using the -e option,
	      you can enable either of these. Note that when enabling  support
	      for  ypchsh(1), you have to list all shells users are allowed to
	      select in /etc/shells.

       -x program
	      When the -x option is used, rpc.yppasswdd will  not  attempt  to
	      modify any files itself, but will instead run the specified pro-
	      gram, passing to its stdin information about the requested oper-
	      ation(s).	  There is a defined protocol used to communicate with
	      this external program, which has total freedom in how it	propa-
	      gates the change request. See below for more details on this.

       -m     Will be ignored, for compatibility with Solaris only.

       --port number
	      rpc.yppasswdd  will  try	to  register itself to this port. This
	      makes it	possible to have a router filter packets  to  the  NIS
	      ports.

       -v --version
	      Prints the version number and whether this package is compiled
	      with the CHECKROOT option.

MISCELLANEOUS
   Shadow Passwords
       Using Shadow passwords alongside NIS does  not  make  too  much	sense,
       because the supposedly inaccessible passwords now become readable
       through a simple invocation of ypcat(1).

       Shadow support in rpc.yppasswdd does not mean that it offers a very
       clever solution to this problem; it simply means that it can read and
       write password entries in the system's shadow file.  You have to
       produce a shadow.byname NIS map to distribute password information to
       your NIS clients. rpc.yppasswdd first searches the /etc/passwd file
       for the user and password. If it finds the user, but the password is
       "x" and an /etc/shadow file exists, it will update the password in the
       shadow map.

   Use of the -x option
       The  program  should  expect to read a single line from stdin, which is
       formatted as follows:

       <username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n

       where any of the three fields [p, s, g] may or may not be present.

       This program should write "OK\n" to stdout if the operation  succeeded.
       On any other result, rpc.yppasswdd will report failure to the client.

       Note  that  the	program	 specified by the -x option is responsible for
       doing any NIS make and build, and for doing any necessary validation on
       the  shell and gcos field information supplied.	The password passed to
       the client will be in UNIX crypt() format.
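
       The input side of a -x helper, as an added example (not part of
       rpc.yppasswdd or of the original manual page): it parses the request
       line in the layout shown above and rejects shell and gcos values that
       would corrupt a colon-delimited passwd entry. The user-name pattern,
       the function names and the sample lines are assumptions of this example.

```python
import re

# Field order as shown in the man page: user, o:, then optional p:, s:, g:.
# Assumption: the old password does not itself contain " p:", " s:" or " g:".
REQUEST_RE = re.compile(
    r"^(?P<user>\S+) o:(?P<old>.*?)"
    r"(?: p:(?P<new>\S+))?(?: s:(?P<shell>\S+))?(?: g:(?P<gcos>.*))?$"
)
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # site policy, an assumption


def parse_request(line):
    """Split one -x request line into its fields; absent fields are None."""
    if not line.endswith("\n") or "\n" in line[:-1] or "\r" in line:
        raise ValueError("expected exactly one newline-terminated line")
    m = REQUEST_RE.match(line[:-1])
    if m is None:
        raise ValueError("line does not match the documented layout")
    return m.groupdict()


def validate_request(req, allowed_shells):
    """Return a list of problems; an empty list means the request may proceed.

    allowed_shells would normally be the entries of /etc/shells.
    """
    problems = []
    if not USER_RE.match(req["user"]):
        problems.append("bad user name")
    if req["new"] is not None and ":" in req["new"]:
        problems.append("':' in password hash")
    if req["shell"] is not None and req["shell"] not in allowed_shells:
        problems.append("shell not in allowed list")
    gcos = req["gcos"]
    if gcos is not None and (":" in gcos or any(ord(c) < 32 for c in gcos)):
        problems.append("':' or control character in gcos")
    if req["new"] is None and req["shell"] is None and gcos is None:
        problems.append("nothing to change")
    return problems


if __name__ == "__main__":
    shells = {"/bin/sh", "/bin/bash"}  # constructed stand-in for /etc/shells
    samples = [  # constructed request lines
        "alice o:old secret p:$6$salt$hash s:/bin/bash g:Alice Example\n",
        "bob o:pw g:Bob:0:0:root\n",
    ]
    for s in samples:
        print(validate_request(parse_request(s), shells) or "OK")
```

       A real helper would write "OK\n" only after the validated change has
       been applied and the NIS maps rebuilt.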

   Logging
       rpc.yppasswdd logs all password update requests	to  syslogd(8)'s  auth
       facility.  The  logging	information includes the originating host's IP
       address and the user name and UID contained in the request.  The	 user-
       supplied password itself is not logged.

   Security
       Unless I've screwed up completely (as I did with versions prior to ver-
       sion 0.5), rpc.yppasswdd should be as secure or insecure as any program
       relying	on  simple  password authentication.  If you feel that this is
       not enough, you may want to protect rpc.yppasswdd from  outside	access
       by  using  the  `securenets'  feature  of the new portmap(8) version 3.
       Better still, use Kerberos.

COPYRIGHT
       rpc.yppasswdd is copyright (C) Olaf Kirch. You can use  and  distribute
       it  under  the  GNU General Public License Version 2. Note that it does
       not contain any code from the shadow password suite.

FILES
       /usr/sbin/rpc.yppasswdd
       /usr/lib64/yp/pwupdate
       /etc/passwd
       /etc/shadow

SEE ALSO
       passwd(5), shadow(5),  passwd(1),  yppasswd(1),	ypchsh(1),  ypchfn(1),
       ypserv(8), ypcat(1)

       The  Network Information Service (NIS) was formerly known as Sun Yellow
       Pages (YP).  The functionality of the two remains the  same;  only  the
       name  has  changed.  The name Yellow Pages is a registered trademark in
       the United Kingdom of British Telecommunications plc, and  may  not  be
       used without permission.

AUTHOR
       Olaf Kirch, <okir@monad.swb.de>
       Thorsten Kukuk, <kukuk@suse.de>



YP Server			  August 2001		      RPC.YPPASSWDD(8)