RPC.YPPASSWDD(8)
NAME
rpc.yppasswdd - NIS password update daemon
SYNOPSIS
rpc.yppasswdd [-D directory] [-e chsh|chfn]
rpc.yppasswdd [-s shadow] [-p passwd] [-e chsh|chfn]
DESCRIPTION
rpc.yppasswdd is the RPC server that lets users change
their passwords in the presence of NIS (a.k.a. YP). It
must be run on the NIS master server for that NIS domain.
When a yppasswd(1) client contacts the server, it sends
the old user password along with the new one. rpc.yppasswdd
will search the system's passwd file for the specified
user name, verify that the given (old) password matches,
and update the entry. If the user specified does not
exist, or if the password, UID or GID doesn't match the
information in the password file, the update request is
rejected, and an error returned to the client.
If this version of the server is compiled with the
CHECKROOT=1 option, the password given is also checked against
the system's root password.
After updating the passwd file and returning a success
notification to the client, rpc.yppasswdd executes the
pwupdate script that updates the NIS server's passwd.* and
shadow.byname maps. This script assumes all NIS maps are
kept in directories named /var/yp/nisdomain that each
contain a Makefile customized for that NIS domain. If no such
Makefile is found, the script uses the generic one in
/var/yp.
OPTIONS
The following options are available:
-D directory
The passwd and shadow files are located under the
specified directory path. rpc.yppasswdd will use
these files, not /etc/passwd and /etc/shadow. This
is useful if you do not want to give all users in
the NIS database automatic access to your NIS
server.
-p passwdfile
This option tells rpc.yppasswdd to use a different
source file instead of /etc/passwd. This is useful
if you do not want to give all users in the NIS
database automatic access to your NIS server.
-s shadowfile
This option tells rpc.yppasswdd to use a different
source file instead of /etc/shadow. See below for a
brief discussion of shadow support.
-e [chsh|chfn]
By default, rpc.yppasswdd will not allow users to
change the shell or GECOS field of their passwd
entry. Using the -e option, you can enable either
of these. Note that when enabling support for
ypchsh(1), you have to list all shells users are
allowed to select in /etc/shells.
-m Will be ignored, for compatibility with Solaris
only.
-v --version
Prints the version number and whether this package is
compiled with the CHECKROOT option.
MISCELLANEOUS
Shadow Passwords
Using Shadow passwords alongside NIS does not make too
much sense, because the supposedly inaccessible passwords
now become readable through a simple invocation of
ypcat(1).
Shadow support in rpc.yppasswdd does not mean that it
offers a very clever solution to this problem; it simply
means that it can read and write password entries in the
system's shadow file. You have to produce a shadow.byname
NIS map to distribute password information to your NIS
clients. rpc.yppasswdd will first search the
/etc/passwd file for the user and password. If it finds
the user, but the password is "x" and an /etc/shadow file
exists, it will update the password in the shadow map.
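The exposure described under Shadow Passwords can be measured from any NIS client. The script below is an added example, not part of rpc.yppasswdd or its package: it reads a saved dump of `ypcat shadow.byname` or `ypcat passwd` and lists the accounts whose hash field is readable, with the hash scheme. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of rpc.yppasswdd: list accounts whose password
# hash is readable in a saved NIS map dump (output of `ypcat shadow.byname`
# or `ypcat passwd`). Only the account name and hash scheme are printed.

# exposed_hashes [FILE...]  (reads stdin when no file is given)
exposed_hashes() {
    awk -F: '
        NF < 2 || $1 == "" { next }      # skip malformed lines
        {
            h = $2
            sub(/^!+/, "", h)            # a locked entry can still carry a hash
            if (h == "" || h == "x" || h == "*") next
            if (h ~ /^\$[^$]+\$/) {      # modular crypt format: $id$salt$hash
                id = h
                sub(/^\$/, "", id)
                sub(/\$.*$/, "", id)
                scheme = "crypt-id-" id
            } else if (length(h) == 13) {
                scheme = "des-crypt"     # traditional 13-character crypt(3)
            } else {
                scheme = "unknown"
            }
            print $1, scheme
        }
    ' "$@"
}

# Constructed sample dump in shadow(5) layout; hash strings are placeholders.
sample_map() {
    cat <<'EOF'
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:19000:0:99999:7:::
bob:abCONSTRUCTED:19000:0:99999:7:::
carol:x:19000:0:99999:7:::
dave:!$1$CONSTRUCTED$CONSTRUCTEDHASH:19000:0:99999:7:::
erin:*:19000:0:99999:7:::
frank:!!:19000:0:99999:7:::
EOF
}

# With a file argument audit that file, otherwise run on the sample.
if [ "$#" -gt 0 ]; then
    exposed_hashes "$@"
else
    sample_map | exposed_hashes
fi
```

Any line of output is an account whose hash every NIS client can read, whether or not the master keeps it in /etc/shadow.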
Logging
rpc.yppasswdd logs all password update requests to
syslogd(8)'s auth facility. The logging information includes
the originating host's IP address and the user name and
UID contained in the request. The user-supplied password
itself is not logged.
Security
Unless I've screwed up completely (as I did with versions
prior to version 0.5), rpc.yppasswdd should be as secure
or insecure as any program relying on simple password
authentication. If you feel that this is not enough, you
may want to protect rpc.yppasswdd from outside access by
using the `securenets' feature of the new portmap(8)
version 3. Better still, use Kerberos.
COPYRIGHT
rpc.yppasswdd is copyright (C) Olaf Kirch. You can use and
distribute it under the GNU General Public License Version
2. Note that it does not contain any code from the shadow
password suite.
FILES
/usr/sbin/rpc.yppasswdd
/usr/lib/yp/pwupdate
/etc/passwd
/etc/shadow
SEE ALSO
passwd(5) shadow(5) passwd(1) yppasswd(1) ypchsh(1)
ypchfn(1) ypserv(8) ypcat(1)
The Network Information Service (NIS) was formerly known
as Sun Yellow Pages (YP). The functionality of the two
remains the same; only the name has changed. The name
Yellow Pages is a registered trademark in the United
Kingdom of British Telecommunications plc, and may not be used
without permission.
AUTHOR
Olaf Kirch, <okir@monad.swb.de>
Thorsten Kukuk, <kukuk@uni-paderborn.de>