rpc.yppasswdd

 


RPC.YPPASSWDD(8)                                 RPC.YPPASSWDD(8)



NAME
       rpc.yppasswdd - NIS password update daemon

SYNOPSIS
       rpc.yppasswdd [-D directory] [-e chsh|chfn]
       rpc.yppasswdd [-s shadow] [-p passwd] [-e chsh|chfn]
       rpc.yppasswdd -x program|-E program [-e chsh|chfn]


DESCRIPTION
       rpc.yppasswdd  is  the  RPC  server that lets users change
       their passwords in the presence of  NIS  (a.k.a.  YP).  It
       must  be run on the NIS master server for that NIS domain.

       When a yppasswd(1) client contacts the  server,  it  sends
       the  old user password along with the new one. rpc.yppass­
       wdd will search the system's passwd file for the specified
       user  name,  verify that the given (old) password matches,
       and update the entry.  If  the  user  specified  does  not
       exist,  or  if  the password, UID or GID doesn't match the
       information in the password file, the  update  request  is
       rejected, and an error returned to the client.

       If  this version of the server is compiled with the CHECK­
       ROOT=1 option, the password given is also checked  against
       the systems root password.

       After  updating  the  passwd  file and returning a success
       notification to the  client,  rpc.yppasswdd  executes  the
       pwupdate script that updates the NIS server's passwd.* and
       shadow.byname maps.  This script assumes all NIS maps  are
       kept in directories named /var/yp/nisdomain that each con­
       tain a Makefile customized for that NIS domain. If no such
       Makefile  is  found,  the  scripts uses the generic one in
       /var/yp.

OPTIONS
       The following options are available:

       -D directory
              The passwd and shadow files are located  under  the
              specified  directory  path.  rpc.yppasswdd will use
              this files, not /etc/passwd and /etc/shadow.   This
              is  useful  if you do not want to give all users in
              the NIS  database  automatic  access  to  your  NIS
              server.

       -E program
              Instead  of  rpc.yppasswdd  editing  the  passwd  &
              shadow files, the specified program will be run  to
              do the editing. The following environment variables
              will  be  set  for  the   program:   YP_PASSWD_OLD,
              YP_PASSWD_NEW,  YP_USER,  YP_GECOS,  YP_SHELL.  The
              program should return an exit status of  0  if  the
              change completes successfully, 1 if the change com­
              pletes successfully but pwupdate should not be run,
              and otherwise if the change fails.

       -p passwdfile
              This options tells rpc.yppasswdd to use a different
              source file instead of /etc/passwd This  is  useful
              if  you  do  not  want to give all users in the NIS
              database automatic access to your NIS server.

       -s shadowfile
              This options tells rpc.yppasswdd to use a different
              source  file instead of /etc/passwd See below for a
              brief discussion of shadow support.

       -e [chsh|chfn]
              By default, rpc.yppasswdd will not allow  users  to
              change  the  shell  or  GECOS field of their passwd
              entry. Using the -e option, you can  enable  either
              of  these.  Note  that  when  enabling  support for
              ypchsh(1), you have to list all  shells  users  are
              allowed to select in /etc/shells.

       -x program
              When  the -x option is used, rpc.yppasswdd will not
              attempt  to  modify  any  files  itself,  but  will
              instead  run  the specified program, passing to its
              stdin information about the requested operation(s).
              There  is  a  defined  protocol used to communicate
              with this external program, which has total freedom
              in  how it propagates the change request. See below
              for more details on this.

       -m     Will be ignored,  for  compatibility  with  Solaris
              only.

       -v --version
              Prints  the  version  number and if this package is
              compiled with the CHECKROOT option.

MISCELLANEOUS
   Shadow Passwords
       Using Shadow passwords alongside NIS  does  not  make  too
       much  sense,  because the supposedly inaccesible passwords
       now  become  readable  through  a  simple  invocation   of
       ypcat(1).

       Shadow  support  in  rpc.yppasswdd  does  not mean that it
       offers a very clever solution to this problem,  it  simply
       means  that  it can read and write password entries in the
       system's shadow file.  You have to produce a shadow.byname
       NIS  map  to  distribute  password information to your NIS
       clients.  rpc.yppasswdd  will  search  at  first  in   the
       /etc/passwd  file  for the user and password. If it find's
       the user, but the password is "x" and a  /etc/shadow  file
       exists, it will update the password in the shadow map.

   Use of the -x option
       The  program  should  expect  to  read  a single line from
       stdin, which is formatted as follows:

       <username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n

       where any of the three fields [p, s, g] may or may not  be
       present.

       This  program  should write "OK\n" to stdout if the opera­
       tion succeeded.  On any other result,  rpc.yppasswdd  will
       report failure to the client.

       Note  that  the  program  specified  by  the  -x option is
       responsible for doing any NIS  make  and  build,  and  for
       doing any necessary validation on the shell and gcos field
       information supplied.  The password passed to  the  client
       will be in UNIX crypt() format.

   Logging
       rpc.yppasswdd  logs  all  password update requests to sys­
       logd(8)'s auth facility. The logging information  includes
       the  originating  host's  IP address and the user name and
       UID contained in the request. The  user-supplied  password
       itself is not logged.

   Security
       Unless  I've screwed up completely (as I did with versions
       prior to version 0.5), rpc.yppasswdd should be  as  secure
       or  insecure  as  any  program  relying on simple password
       authentication.  If you feel that this is not enough,  you
       may  want  to protect rpc.yppasswdd from outside access by
       using the `securenets' feature of the new portmap(8)  ver­
       sion 3.  Better still, use Kerberos.

COPYRIGHT
       rpc.yppasswdd is copyright (C) Olaf Kirch. You can use and
       distribute it under the GNU General Public License Version
       2.  Note that it does not contain any code from the shadow
       password suite.

FILES
       /usr/sbin/rpc.yppasswdd
       /usr/lib/yp/pwupdate
       /etc/passwd
       /etc/shadow

SEE ALSO
       passwd(5), shadow(5), passwd(1),  yppasswd(1),  ypchsh(1),
       ypchfn(1), ypserv(8), ypcat(1)

       The  Network  Information Service (NIS) was formerly known
       as Sun Yellow Pages (YP).  The functionality  of  the  two
       remains  the  same;  only  the name has changed.  The name
       Yellow Pages is a registered trademark in the United King­
       dom of British Telecommunications plc, and may not be used
       without permission.

AUTHOR
       Olaf Kirch, <okir@monad.swb.de>
       Thorsten Kukuk, <kukuk@suse.de>



                          20 April 1997          RPC.YPPASSWDD(8)