RPC.YPPASSWDD(8)                                              RPC.YPPASSWDD(8)

NAME

       rpc.yppasswdd - NIS password update daemon

SYNOPSIS

       rpc.yppasswdd [-D directory] [-e chsh|chfn] [--port number]
       rpc.yppasswdd [-s shadow] [-p passwd] [-e chsh|chfn] [--port number]
       rpc.yppasswdd -x program|-E program [-e chsh|chfn] [--port number]

DESCRIPTION

       rpc.yppasswdd is the RPC server that lets users change their passwords
       in the presence of NIS (a.k.a. YP). It must be run on the NIS master
       server for that NIS domain.

       When a yppasswd(1) client contacts the server, it sends the old user
       password along with the new one. rpc.yppasswdd will search the system's
       passwd file for the specified user name, verify that the given (old)
       password matches, and update the entry. If the user specified does not
       exist, or if the password, UID or GID doesn't match the information in
       the password file, the update request is rejected, and an error is
       returned to the client.

       If this version of the server is compiled with the CHECKROOT=1 option,
       the password given is also checked against the system's root password.

       After updating the passwd file and returning a success notification to
       the client, rpc.yppasswdd executes the pwupdate script that updates the
       NIS server's passwd.* and shadow.byname maps. This script assumes all
       NIS maps are kept in directories named /var/yp/nisdomain that each
       contain a Makefile customized for that NIS domain. If no such Makefile
       is found, the script uses the generic one in /var/yp.

OPTIONS

       The following options are available:

       -D directory
              The passwd and shadow files are located under the specified
              directory path. rpc.yppasswdd will use these files, not
              /etc/passwd and /etc/shadow. This is useful if you do not want
              to give all users in the NIS database automatic access to your
              NIS server.

       -E program
              Instead of rpc.yppasswdd editing the passwd & shadow files, the
              specified program will be run to do the editing. The following
              environment variables will be set for the program:
              YP_PASSWD_OLD, YP_PASSWD_NEW, YP_USER, YP_GECOS, YP_SHELL. The
              program should return an exit status of 0 if the change
              completes successfully, 1 if the change completes successfully
              but pwupdate should not be run, and any other value if the
              change fails.

       -p passwdfile
              This option tells rpc.yppasswdd to use a different source file
              instead of /etc/passwd. This is useful if you do not want to
              give all users in the NIS database automatic access to your NIS
              server.

       -s shadowfile
              This option tells rpc.yppasswdd to use a different source file
              instead of /etc/shadow. See below for a brief discussion of
              shadow support.

       -e [chsh|chfn]
              By default, rpc.yppasswdd will not allow users to change the
              shell or GECOS field of their passwd entry. Using the -e option,
              you can enable either of these. Note that when enabling support
              for ypchsh(1), you have to list all shells users are allowed to
              select in /etc/shells.

       -x program
              When the -x option is used, rpc.yppasswdd will not attempt to
              modify any files itself, but will instead run the specified
              program, passing to its stdin information about the requested
              operation(s). There is a defined protocol used to communicate
              with this external program, which has total freedom in how it
              propagates the change request. See below for more details on
              this.

       -m     Will be ignored, for compatibility with Solaris only.

       --port number
              rpc.yppasswdd will try to register itself to this port. This
              makes it possible to have a router filter packets to the NIS
              ports.

       -v --version
              Prints the version number and whether this package is compiled
              with the CHECKROOT option.

MISCELLANEOUS

   Shadow Passwords
       Using shadow passwords alongside NIS does not make too much sense,
       because the supposedly inaccessible passwords now become readable
       through a simple invocation of ypcat(1).

       Shadow support in rpc.yppasswdd does not mean that it offers a very
       clever solution to this problem; it simply means that it can read and
       write password entries in the system's shadow file. You have to
       produce a shadow.byname NIS map to distribute password information to
       your NIS clients. rpc.yppasswdd will first search the /etc/passwd file
       for the user and password. If it finds the user, but the password is
       "x" and an /etc/shadow file exists, it will update the password in the
       shadow map.

   Use of the -x option
       The program should expect to read a single line from stdin, which is
       formatted as follows:

       <username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n

       where any of the three fields [p, s, g] may or may not be present.

       This program should write "OK\n" to stdout if the operation succeeded.
       On any other result, rpc.yppasswdd will report failure to the client.

       Note that the program specified by the -x option is responsible for
       doing any NIS make and build, and for doing any necessary validation on
       the shell and gcos field information supplied. The password passed to
       the client will be in UNIX crypt() format.
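
       The validation duty that -x places on the external program can be met
       as in the following added example, which is not part of rpc.yppasswdd
       or of the original page. The names parse_request, respond, load_shells
       and apply, the "ERR" reply, the user name pattern and the assumption
       that only the trailing g: field may contain spaces are all hypothetical.

```python
import re

# Documented -x line: <username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n
# Assumption: fields are space-separated in this order and only the trailing
# g: field may contain spaces; any line that does not fit is rejected.
LINE = re.compile(
    r"(?P<user>\S+) o:(?P<old>\S*)"
    r"(?: p:(?P<new>\S+))?(?: s:(?P<shell>\S+))?(?: g:(?P<gecos>.*))?\n"
)
# A ':' or control character in any field would corrupt a passwd(5) entry.
UNSAFE = re.compile(r"[:\x00-\x1f\x7f]")
USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumed site policy


def load_shells(path="/etc/shells"):
    """Return the set of shells listed in an /etc/shells style file."""
    with open(path) as fh:
        return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}


def parse_request(line, allowed_shells):
    """Parse and validate one request line; raise ValueError if unacceptable."""
    m = LINE.fullmatch(line)
    if m is None:
        raise ValueError("malformed request line")
    req = m.groupdict()
    if not USERNAME.fullmatch(req["user"]):
        raise ValueError("bad user name")
    for key in ("new", "shell", "gecos"):
        if req[key] is not None and UNSAFE.search(req[key]):
            raise ValueError("unsafe character in " + key)
    if req["shell"] is not None and req["shell"] not in allowed_shells:
        raise ValueError("shell not permitted")
    if all(req[k] is None for k in ("new", "shell", "gecos")):
        raise ValueError("nothing to change")
    return req


def respond(line, allowed_shells, apply):
    """Return the reply to print: OK only if validation and apply succeed."""
    try:
        apply(parse_request(line, allowed_shells))
    except Exception:
        return "ERR\n"  # any reply other than "OK\n" is reported as failure
    return "OK\n"
```

       A -x program built on this would write the result of
       respond(sys.stdin.readline(), load_shells(), apply) to stdout, where
       apply is the site's own routine that propagates the change.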

   Logging
       rpc.yppasswdd logs all password update requests to syslogd(8)'s auth
       facility. The logging information includes the originating host's IP
       address and the user name and UID contained in the request. The
       user-supplied password itself is not logged.

   Security
       Unless I've screwed up completely (as I did with versions prior to
       version 0.5), rpc.yppasswdd should be as secure or insecure as any
       program relying on simple password authentication. If you feel that
       this is not enough, you may want to protect rpc.yppasswdd from outside
       access by using the `securenets' feature of the new portmap(8) version
       3. Better still, use Kerberos.

       rpc.yppasswdd is copyright (C) Olaf Kirch. You can use and distribute
       it under the GNU General Public License Version 2. Note that it does
       not contain any code from the shadow password suite.

FILES

       /usr/sbin/rpc.yppasswdd
       /usr/lib64/yp/pwupdate
       /etc/passwd
       /etc/shadow

SEE ALSO

       passwd(5), shadow(5), passwd(1), yppasswd(1), ypchsh(1), ypchfn(1),
       ypserv(8), ypcat(1)

       The Network Information Service (NIS) was formerly known as Sun Yellow
       Pages (YP). The functionality of the two remains the same; only the
       name has changed. The name Yellow Pages is a registered trademark in
       the United Kingdom of British Telecommunications plc, and may not be
       used without permission.

AUTHOR

       Olaf Kirch, <okir@monad.swb.de>
       Thorsten Kukuk, <kukuk@suse.de>

YP Server                         August 2001                 RPC.YPPASSWDD(8)