RPC.YPPASSWDD(8)             NIS Reference Manual             RPC.YPPASSWDD(8)

NAME

       rpc.yppasswdd - NIS password update daemon

SYNOPSIS

       rpc.yppasswdd [-D directory] -e chsh|chfn [--port number]
                     [-f|--foreground]

       rpc.yppasswdd [-s shadow] [-p passwd] -e chsh|chfn [--port number]
                     [-f|--foreground]

       rpc.yppasswdd -x program | -E program  -e chsh|chfn [--port number]
                     [-f|--foreground]

DESCRIPTION

       rpc.yppasswdd is the RPC server that lets users change their passwords
       in the presence of NIS (a.k.a. YP). It must be run on the NIS master
       server for that NIS domain.

       When a yppasswd(1) client contacts the server, it sends the old user
       password along with the new one.  rpc.yppasswdd will search the
       system's passwd file for the specified user name, verify that the given
       (old) password matches, and update the entry. If the user specified
       does not exist, or if the password, UID or GID doesn't match the
       information in the password file, the update request is rejected, and
       an error is returned to the client.

       If this version of the server is compiled with the CHECKROOT=1 option,
       the password given is also checked against the system's root password.

       After updating the passwd file and returning a success notification to
       the client, rpc.yppasswdd executes the pwupdate script that updates the
       NIS server's passwd.*  and shadow.byname maps. This script assumes all
       NIS maps are kept in directories named /var/yp/nisdomain that each
       contain a Makefile customized for that NIS domain. If no such Makefile
       is found, the script uses the generic one in /var/yp.

       It is possible to pass OPTIONS to rpc.yppasswdd using the environment
       variable YPPASSWDD_ARGS, and this variable can be set in
       /etc/sysconfig/yppasswdd.

OPTIONS

       The following options are available:

       -D directory
           The passwd and shadow files are located under the specified
           directory path.  rpc.yppasswdd will use these files, not /etc/passwd
           and /etc/shadow.  This is useful if you do not want to give all
           users in the NIS database automatic access to your NIS server.

       -E program
           Instead of rpc.yppasswdd editing the passwd & shadow files, the
           specified program will be run to do the editing. The following
           environment variables will be set for the program: YP_PASSWD_OLD,
           YP_PASSWD_NEW, YP_USER, YP_GECOS, YP_SHELL. The program should
           return an exit status of 0 if the change completes successfully, 1
           if the change completes successfully but pwupdate should not be
           run, and any other value if the change fails.

       -p passwdfile
           This option tells rpc.yppasswdd to use a different source file
           instead of /etc/passwd. This is useful if you do not want to give
           all users in the NIS database automatic access to your NIS server.

       -s shadowfile
           This option tells rpc.yppasswdd to use a different source file
           instead of /etc/passwd. See below for a brief discussion of shadow
           support.

       -e [chsh|chfn]
           By default, rpc.yppasswdd will not allow users to change the shell
           or GECOS field of their passwd entry. Using the -e option, you can
           enable either of these. Note that when enabling support for
           ypchsh(1), you have to list all shells users are allowed to select
           in /etc/shells.

       -x program
           When the -x option is used, rpc.yppasswdd will not attempt to
           modify any files itself, but will instead run the specified
           program, passing to its stdin information about the requested
           operation(s). There is a defined protocol used to communicate with
           this external program, which has total freedom in how it propagates
           the change request. See below for more details on this.

       -m
           Will be ignored, for compatibility with Solaris only.

       --port number
           rpc.yppasswdd will try to register itself to this port. This makes
           it possible to have a router filter packets to the NIS ports.

       -v --version
           Prints the version number and whether this package was compiled
           with the CHECKROOT option.

       -f, --foreground
           rpc.yppasswdd will not put itself into the background.

MISCELLANEOUS

   Shadow Passwords
       Using Shadow passwords alongside NIS does not make too much sense,
       because the supposedly inaccessible passwords now become readable
       through a simple invocation of ypcat(1).

       Shadow support in rpc.yppasswdd does not mean that it offers a very
       clever solution to this problem; it simply means that it can read and
       write password entries in the system's shadow file. You have to produce
       a shadow.byname NIS map to distribute password information to your NIS
       clients.  rpc.yppasswdd will first search the /etc/passwd file
       for the user and password. If it finds the user, but the password is
       "x" and a /etc/shadow file exists, it will update the password in the
       shadow map.

   Use of the -x option
       The program should expect to read a single line from stdin, which is
       formatted as follows:

       <username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n

       where any of the three fields [p, s, g] may or may not be present.

       This program should write "OK\n" to stdout if the operation succeeded.
       On any other result, rpc.yppasswdd will report failure to the client.

       Note that the program specified by the -x option is responsible for
       doing any NIS make and build, and for doing any necessary validation on
       the shell and gcos field information supplied. The password passed to
       the client will be in UNIX crypt() format.

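       An added example, not part of the original manual or of the ypserv
       sources: a Python sketch of the parsing and validation a -x program has
       to do on the request line before applying it. The shell allow-list, the
       username policy, the "FAIL" reply text and the apply_change callable
       (which would perform the update and the NIS make) are assumptions.

```python
import re

# Constructed allow-list; in practice this would be read from /etc/shells.
ALLOWED_SHELLS = {"/bin/sh", "/bin/bash"}

# Assumptions: fields arrive in the order shown in the manual; the old
# password and the trailing gcos field may contain spaces, the others do not.
REQUEST = re.compile(
    r"(?P<user>\S+) o:(?P<oldpass>.*?)"
    r"(?: p:(?P<password>\S+))?(?: s:(?P<shell>\S+))?(?: g:(?P<gcos>.*))?\n"
)
USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumed local naming policy
UNSAFE = re.compile(r"[:\x00-\x1f\x7f]")          # passwd(5) separator, controls


def parse_request(line):
    """Return a dict of the fields present, or None if the line is malformed."""
    m = REQUEST.fullmatch(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def validate(req, allowed_shells=ALLOWED_SHELLS):
    """Return a list of reasons to reject the request (empty means acceptable)."""
    errors = []
    if not USERNAME.fullmatch(req["user"]):
        errors.append("bad username")
    if not any(k in req for k in ("password", "shell", "gcos")):
        errors.append("nothing to change")
    if "shell" in req and req["shell"] not in allowed_shells:
        errors.append("shell not allowed")
    for field in ("password", "gcos"):
        # A ':' or newline here would corrupt the passwd entry being written.
        if field in req and UNSAFE.search(req[field]):
            errors.append(field + " contains ':' or a control character")
    return errors


def respond(line, apply_change):
    """Reply for rpc.yppasswdd: 'OK\\n' only if validated and applied."""
    req = parse_request(line)
    if req is None or validate(req) or not apply_change(req):
        return "FAIL\n"  # any reply other than "OK\n" is reported as failure
    return "OK\n"
```
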
   Logging
       rpc.yppasswdd logs all password update requests to syslogd(8)'s auth
       facility. The logging information includes the originating host's IP
       address and the user name and UID contained in the request. The
       user-supplied password itself is not logged.

   Security
       rpc.yppasswdd should be as secure or insecure as any program relying on
       simple password authentication. If you feel that this is not enough,
       you may want to protect rpc.yppasswdd from outside access by using the
       `securenets' feature of the new portmap(8) version 3. Better still,
       look at rpasswdd(8).

FILES

       /usr/sbin/rpc.yppasswdd

       /usr/lib/yp/pwupdate

       /etc/passwd

       /etc/shadow

       /etc/sysconfig/yppasswdd

SEE ALSO

       passwd(5), shadow(5), passwd(1), rpasswdd(8), yppasswd(1), ypchsh(1),
       ypchfn(1), ypserv(8), ypcat(1)

AUTHOR

       Olaf Kirch <okir@monad.swb.de> and Thorsten Kukuk <kukuk@linux-nis.org>

NIS Reference Manual              09/26/2007                  RPC.YPPASSWDD(8)