'\" t
.\" Title: rpc.yppasswdd
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.79.1
.\" Date: 12/31/2020
.\" Manual: NIS Reference Manual
.\" Source: NIS Reference Manual
.\" Language: English
.\"
.TH "RPC\&.YPPASSWDD" "8" "12/31/2020" "NIS Reference Manual" "NIS Reference Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
rpc.yppasswdd \- NIS password update daemon
.SH "SYNOPSIS"
.HP \w'\fBrpc\&.yppasswdd\fR\ 'u
\fBrpc\&.yppasswdd\fR [\-D\ \fIdirectory\fR] \-e\ \fIchsh\fR|\fIchfn\fR [\-\-port\ \fInumber\fR]
.HP \w'\fBrpc\&.yppasswdd\fR\ 'u
\fBrpc\&.yppasswdd\fR [\-s\ \fIshadow\fR] [\-p\ \fIpasswd\fR] \-e\ \fIchsh\fR|\fIchfn\fR [\-\-port\ \fInumber\fR]
.HP \w'\fBrpc\&.yppasswdd\fR\ 'u
\fBrpc\&.yppasswdd\fR \-x\ \fIprogram\fR | \-E\ \fIprogram\fR \-e\ \fIchsh\fR|\fIchfn\fR [\-\-port\ \fInumber\fR]
.SH "DESCRIPTION"
.PP
\fBrpc\&.yppasswdd\fR
is the RPC server that lets users change their passwords in the presence of NIS (a\&.k\&.a\&. YP)\&. It must be run on the NIS master server for that NIS domain\&.
.PP
When a
\fByppasswd\fR(1)
client contacts the server, it sends the old user password along with the new one\&.
\fBrpc\&.yppasswdd\fR
will search the system\*(Aqs
\fBpasswd\fR
file for the specified user name, verify that the given (old) password matches, and update the entry\&. If the user specified does not exist, or if the password, UID or GID doesn\*(Aqt match the information in the password file, the update request is rejected, and an error returned to the client\&.
.PP
If this version of the server is compiled with the CHECKROOT=1 option, the password given is also checked against the systems root password\&.
.PP
After updating the
\fBpasswd\fR
file and returning a success notification to the client,
\fBrpc\&.yppasswdd\fR
executes the
\fBpwupdate\fR
script that updates the NIS server\*(Aqs
\fBpasswd\&.*\fR
and
\fBshadow\&.byname\fR
maps\&. This script assumes all NIS maps are kept in directories named
/var/yp/\fInisdomain\fR
that each contain a
\fBMakefile\fR
customized for that NIS domain\&. If no such
\fBMakefile\fR
is found, the scripts uses the generic one in
/var/yp\&.
.SH "OPTIONS"
.PP
The following options are available:
.PP
\fB\-D\fR\fI directory\fR
.RS 4
The
\fBpasswd\fR
and
\fBshadow\fR
files are located under the specified directory path\&.
\fBrpc\&.yppasswdd\fR
will use this files, not
/etc/passwd
and
/etc/shadow\&.
This is useful if you do not want to give all users in the NIS database automatic access to your NIS server\&.
.RE
.PP
\fB\-E\fR\fI program\fR
.RS 4
Instead of rpc\&.yppasswdd editing the passwd & shadow files, the specified program will be run to do the editing\&. The following environment variables will be set for the program: YP_PASSWD_OLD, YP_PASSWD_NEW, YP_USER, YP_GECOS, YP_SHELL\&. The program should return an exit status of 0 if the change completes successfully, 1 if the change completes successfully but pwupdate should not be run, and otherwise if the change fails\&.
.RE
.PP
\fB\-p\fR\fI passwdfile\fR
.RS 4
This options tells
\fBrpc\&.yppasswdd\fR
to use a different source file instead of
/etc/passwd
This is useful if you do not want to give all users in the NIS database automatic access to your NIS server\&.
.RE
.PP
\fB\-s\fR\fI shadowfile\fR
.RS 4
This options tells
\fBrpc\&.yppasswdd\fR
to use a different source file instead of
/etc/passwd\&. See below for a brief discussion of shadow support\&.
.RE
.PP
\fB\-e [chsh|chfn]\fR
.RS 4
By default,
\fBrpc\&.yppasswdd\fR
will not allow users to change the shell or GECOS field of their
\fBpasswd\fR
entry\&. Using the
\fB\-e\fR
option, you can enable either of these\&. Note that when enabling support for
\fBypchsh\fR(1), you have to list all shells users are allowed to select in
/etc/shells\&.
.RE
.PP
\fB\-x program\fR
.RS 4
When the \-x option is used, rpc\&.yppasswdd will not attempt to modify any files itself, but will instead run the specified program, passing to its stdin information about the requested operation(s)\&. There is a defined protocol used to communicate with this external program, which has total freedom in how it propagates the change request\&. See below for more details on this\&.
.RE
.PP
\fB\-m\fR
.RS 4
Will be ignored, for compatibility with Solaris only\&.
.RE
.PP
\fB\-\-port number\fR
.RS 4
rpc\&.yppasswdd will try to register itself to this port\&. This makes it possible to have a router filter packets to the NIS ports\&.
.RE
.PP
\fB\-v \-\-version\fR
.RS 4
Prints the version number and if this package is compiled with the CHECKROOT option\&.
.RE
.SH "MISCELLANEOUS"
.SS "Shadow Passwords"
.PP
Using Shadow passwords alongside NIS does not make too much sense, because the supposedly inaccesible passwords now become readable through a simple invocation of
\fBypcat\fR(1)\&.
.PP
Shadow support in
\fBrpc\&.yppasswdd\fR
does not mean that it offers a very clever solution to this problem, it simply means that it can read and write password entries in the system\*(Aqs
\fBshadow\fR
file\&. You have to produce a
\fBshadow\&.byname\fR
NIS map to distribute password information to your NIS clients\&.
\fBrpc\&.yppasswdd\fR
will search at first in the
/etc/passwd
file for the user and password\&. If it find\*(Aqs the user, but the password is "x" and a
/etc/shadow
file exists, it will update the password in the shadow map\&.
.SS "Use of the \-x option"
.PP
The program should expect to read a single line from stdin, which is formatted as follows:
.PP
o: p: s: g:\en
.PP
where any of the three fields [p, s, g] may or may not be present\&.
.PP
This program should write "OK\en" to stdout if the operation succeeded\&. On any other result, rpc\&.yppasswdd will report failure to the client\&.
.PP
Note that the program specified by the \-x option is responsible for doing any NIS make and build, and for doing any necessary validation on the shell and gcos field information supplied\&. The password passed to the client will be in UNIX crypt() format\&.
.SS "Logging"
.PP
\fBrpc\&.yppasswdd\fR
logs all password update requests to
\fBsyslogd(8)\fR\*(Aqs auth facility\&. The logging information includes the originating host\*(Aqs IP address and the user name and UID contained in the request\&. The user\-supplied password itself is not logged\&.
.SS "Security"
.PP
\fBrpc\&.yppasswdd\fR
should be as secure or insecure as any program relying on simple password authentication\&. If you feel that this is not enough, you may want to protect
\fBrpc\&.yppasswdd\fR
from outside access by using the `securenets\*(Aq feature of the new
\fBportmap\fR(8)
version\ \&3\&. Better still, look at
\fBrpasswdd\fR(8)\&.
.SH "FILES"
.PP
/usr/sbin/rpc\&.yppasswdd
/usr/lib/yp/pwupdate
/etc/passwd
/etc/shadow
.SH "SEE ALSO"
.PP
\fBpasswd\fR(5),
\fBshadow\fR(5),
\fBpasswd\fR(1),
\fBrpasswdd\fR(8),
\fByppasswd\fR(1),
\fBypchsh\fR(1),
\fBypchfn\fR(1),
\fBypserv\fR(8),
\fBypcat\fR(1)
.SH "AUTHOR"
.PP
Olaf Kirch and Thorsten Kukuk