1RPC.YPPASSWDD(8)             NIS Reference Manual             RPC.YPPASSWDD(8)
2
3
4

NAME

6       rpc.yppasswdd - NIS password update daemon
7

SYNOPSIS

9       rpc.yppasswdd [-D directory] -e chsh|chfn [--port number]
10
11       rpc.yppasswdd [-s shadow] [-p passwd] -e chsh|chfn [--port number]
12
13       rpc.yppasswdd -x program | -E program  -e chsh|chfn [--port number]
14

DESCRIPTION

16       rpc.yppasswdd is the RPC server that lets users change their passwords
17       in the presence of NIS (a.k.a. YP). It must be run on the NIS master
18       server for that NIS domain.
19
20       When a yppasswd(1) client contacts the server, it sends the old user
21       password along with the new one.  rpc.yppasswdd will search the
22       system's passwd file for the specified user name, verify that the given
23       (old) password matches, and update the entry. If the user specified
24       does not exist, or if the password, UID or GID doesn't match the
25       information in the password file, the update request is rejected, and
26       an error returned to the client.
27
28       If this version of the server is compiled with the CHECKROOT=1 option,
29       the password given is also checked against the systems root password.
30
31       After updating the passwd file and returning a success notification to
32       the client, rpc.yppasswdd executes the pwupdate script that updates the
33       NIS server's passwd.*  and shadow.byname maps. This script assumes all
34       NIS maps are kept in directories named /var/yp/nisdomain that each
35       contain a Makefile customized for that NIS domain. If no such Makefile
36       is found, the scripts uses the generic one in /var/yp.
37

OPTIONS

39       The following options are available:
40
41       -D directory
42           The passwd and shadow files are located under the specified
43           directory path.  rpc.yppasswdd will use this files, not /etc/passwd
44           and /etc/shadow.  This is useful if you do not want to give all
45           users in the NIS database automatic access to your NIS server.
46
47       -E program
48           Instead of rpc.yppasswdd editing the passwd & shadow files, the
49           specified program will be run to do the editing. The following
50           environment variables will be set for the program: YP_PASSWD_OLD,
51           YP_PASSWD_NEW, YP_USER, YP_GECOS, YP_SHELL. The program should
52           return an exit status of 0 if the change completes successfully, 1
53           if the change completes successfully but pwupdate should not be
54           run, and otherwise if the change fails.
55
56       -p passwdfile
57           This options tells rpc.yppasswdd to use a different source file
58           instead of /etc/passwd This is useful if you do not want to give
59           all users in the NIS database automatic access to your NIS server.
60
61       -s shadowfile
62           This options tells rpc.yppasswdd to use a different source file
63           instead of /etc/passwd. See below for a brief discussion of shadow
64           support.
65
66       -e [chsh|chfn]
67           By default, rpc.yppasswdd will not allow users to change the shell
68           or GECOS field of their passwd entry. Using the -e option, you can
69           enable either of these. Note that when enabling support for
70           ypchsh(1), you have to list all shells users are allowed to select
71           in /etc/shells.
72
73       -x program
74           When the -x option is used, rpc.yppasswdd will not attempt to
75           modify any files itself, but will instead run the specified
76           program, passing to its stdin information about the requested
77           operation(s). There is a defined protocol used to communicate with
78           this external program, which has total freedom in how it propagates
79           the change request. See below for more details on this.
80
81       -m
82           Will be ignored, for compatibility with Solaris only.
83
84       --port number
85           rpc.yppasswdd will try to register itself to this port. This makes
86           it possible to have a router filter packets to the NIS ports.
87
88       -v --version
89           Prints the version number and if this package is compiled with the
90           CHECKROOT option.
91

MISCELLANEOUS

93   Shadow Passwords
94       Using Shadow passwords alongside NIS does not make too much sense,
95       because the supposedly inaccesible passwords now become readable
96       through a simple invocation of ypcat(1).
97
98       Shadow support in rpc.yppasswdd does not mean that it offers a very
99       clever solution to this problem, it simply means that it can read and
100       write password entries in the system's shadow file. You have to produce
101       a shadow.byname NIS map to distribute password information to your NIS
102       clients.  rpc.yppasswdd will search at first in the /etc/passwd file
103       for the user and password. If it find's the user, but the password is
104       "x" and a /etc/shadow file exists, it will update the password in the
105       shadow map.
106
107   Use of the -x option
108       The program should expect to read a single line from stdin, which is
109       formatted as follows:
110
111       <username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n
112
113       where any of the three fields [p, s, g] may or may not be present.
114
115       This program should write "OK\n" to stdout if the operation succeeded.
116       On any other result, rpc.yppasswdd will report failure to the client.
117
118       Note that the program specified by the -x option is responsible for
119       doing any NIS make and build, and for doing any necessary validation on
120       the shell and gcos field information supplied. The password passed to
121       the client will be in UNIX crypt() format.
122
123   Logging
124       rpc.yppasswdd logs all password update requests to syslogd(8)'s auth
125       facility. The logging information includes the originating host's IP
126       address and the user name and UID contained in the request. The
127       user-supplied password itself is not logged.
128
129   Security
130       rpc.yppasswdd should be as secure or insecure as any program relying on
131       simple password authentication. If you feel that this is not enough,
132       you may want to protect rpc.yppasswdd from outside access by using the
133       `securenets' feature of the new portmap(8) version 3. Better still,
134       look at rpasswdd(8).
135

FILES

137       /usr/sbin/rpc.yppasswdd
138
139       /usr/lib/yp/pwupdate
140
141       /etc/passwd
142
143       /etc/shadow
144

SEE ALSO

146       passwd(5), shadow(5), passwd(1), rpasswdd(8), yppasswd(1), ypchsh(1),
147       ypchfn(1), ypserv(8), ypcat(1)
148

AUTHOR

150       Olaf Kirch <okir@monad.swb.de> and Thorsten Kukuk <kukuk@linux-nis.org>
151
152
153
154NIS Reference Manual              07/22/2023                  RPC.YPPASSWDD(8)
Impressum