NAME
rpc.yppasswdd - NIS password update daemon
SYNOPSIS
rpc.yppasswdd [-D directory] [-e chsh|chfn] [--port number]
rpc.yppasswdd [-s shadow] [-p passwd] [-e chsh|chfn] [--port number]
rpc.yppasswdd -x program|-E program [-e chsh|chfn] [--port number]
DESCRIPTION
rpc.yppasswdd is the RPC server that lets users change their passwords in
the presence of NIS (a.k.a. YP). It must be run on the NIS master server for
that NIS domain.

When a yppasswd(1) client contacts the server, it sends the old user
password along with the new one. rpc.yppasswdd will search the system's
passwd file for the specified user name, verify that the given (old)
password matches, and update the entry. If the specified user does not exist,
or if the password, UID or GID doesn't match the information in the password
file, the update request is rejected and an error is returned to the client.
If this version of the server is compiled with the CHECKROOT=1 option, the
password given is also checked against the system's root password.

After updating the passwd file and returning a success notification to
the client, rpc.yppasswdd executes the pwupdate script that updates the NIS
server's passwd.* and shadow.byname maps. This script assumes all NIS maps
are kept in directories named /var/yp/nisdomain that each contain a Makefile
customized for that NIS domain. If no such Makefile is found, the script uses
the generic one in /var/yp.
OPTIONS
The following options are available:
- -D directory
  The passwd and shadow files are located under the specified directory
  path. rpc.yppasswdd will use these files, not /etc/passwd and
  /etc/shadow. This is useful if you do not want to give all users in the
  NIS database automatic access to your NIS server.
- -E program
  Instead of rpc.yppasswdd editing the passwd & shadow files, the specified
  program will be run to do the editing. The following environment variables
  will be set for the program: YP_PASSWD_OLD, YP_PASSWD_NEW, YP_USER,
  YP_GECOS, YP_SHELL. The program should return an exit status of 0 if the
  change completes successfully, 1 if the change completes successfully but
  pwupdate should not be run, and any other value if the change fails.
- -p passwdfile
  This option tells rpc.yppasswdd to use a different source file instead of
  /etc/passwd. This is useful if you do not want to give all users in the
  NIS database automatic access to your NIS server.
- -s shadowfile
  This option tells rpc.yppasswdd to use a different source file instead of
  /etc/shadow. See below for a brief discussion of shadow support.
- -e [chsh|chfn]
  By default, rpc.yppasswdd will not allow users to change the shell or
  GECOS field of their passwd entry. Using the -e option, you can enable
  either of these. Note that when enabling support for ypchsh(1), you have
  to list all shells users are allowed to select in /etc/shells.
- -x program
  When the -x option is used, rpc.yppasswdd will not attempt to modify any
  files itself, but will instead run the specified program, passing to its
  stdin information about the requested operation(s). There is a defined
  protocol used to communicate with this external program, which has total
  freedom in how it propagates the change request. See below for more
  details on this.
- -m
  Will be ignored, for compatibility with Solaris only.
- --port number
  rpc.yppasswdd will try to register itself to this port. This makes it
  possible to have a router filter packets to the NIS ports.
- -v, --version
  Prints the version number and whether this package is compiled with the
  CHECKROOT option.
MISCELLANEOUS
Shadow Passwords
Using shadow passwords alongside NIS does not make too much sense, because the
supposedly inaccessible passwords now become readable through a simple
invocation of ypcat(1).

Shadow support in rpc.yppasswdd does not mean that it offers a very clever
solution to this problem; it simply means that it can read and write password
entries in the system's shadow file. You have to produce a shadow.byname NIS
map to distribute password information to your NIS clients.

rpc.yppasswdd will search first in the /etc/passwd file for the user and
password. If it finds the user, but the password is "x" and a /etc/shadow
file exists, it will update the password in the shadow map.
Use of the -x option
The program should expect to read a single line from stdin, which is formatted
as follows:

    <username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n

where any of the three fields [p, s, g] may or may not be present.
This program should write "OK\n" to stdout if the operation succeeded.
On any other result, rpc.yppasswdd will report failure to the client.
Note that the program specified by the -x option is responsible for doing any
NIS make and build, and for doing any necessary validation on the shell and
gcos field information supplied. The password passed to the client will be in
UNIX crypt() format.
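The skeleton of an -x program that parses the line above and performs the validation the text leaves to it (shell listed in /etc/shells, no passwd(5) field separators in the new values, old password always present). This is an added example, not code shipped with ypserv; the allowed-shell set and the function names are assumptions, and the step that actually applies the change is left as a comment.

```python
"""Parse one rpc.yppasswdd -x request line and decide whether to answer OK.
Added example; the helper names and ALLOWED_SHELLS are assumptions."""
import re
import sys

# Constructed stand-in for /etc/shells; a real -x program would read that file.
ALLOWED_SHELLS = frozenset({"/bin/sh", "/bin/bash"})

# A field marker is a tag letter plus ':' at the start or after a space.
_MARK = re.compile(r"(?:^| )([opsg]):")


def parse_request(line):
    """Split '<user> o:<old> p:<new> s:<shell> g:<gecos>' into (user, fields).
    A value runs up to the next ' <tag>:' marker, so GECOS may contain
    spaces. Raises ValueError when the line is malformed."""
    line = line.rstrip("\n")
    user, sep, rest = line.partition(" ")
    if not user or ":" in user or not sep:
        raise ValueError("missing or malformed username")
    marks = list(_MARK.finditer(rest))
    if not marks or marks[0].start() != 0:
        raise ValueError("first field must be tagged")
    fields = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(rest)
        tag = m.group(1)
        if tag in fields:
            raise ValueError("duplicate field %s" % tag)
        fields[tag] = rest[m.end():end]
    if "o" not in fields:
        raise ValueError("old password (o:) is mandatory")
    return user, fields


def validate(fields, allowed_shells=ALLOWED_SHELLS):
    """Return None if the optional p/s/g fields are acceptable, else a reason."""
    for tag in ("p", "s", "g"):
        # ':' or a newline inside a value would corrupt the passwd(5) record.
        if tag in fields and (":" in fields[tag] or "\n" in fields[tag]):
            return "field %s contains a passwd separator" % tag
    if "p" in fields and not fields["p"]:
        return "empty password hash"
    if "s" in fields and fields["s"] not in allowed_shells:
        return "shell not listed in /etc/shells"
    return None


def handle(line, allowed_shells=ALLOWED_SHELLS):
    """Process one request line and return the reply to write to stdout.
    Only 'OK\\n' counts as success for rpc.yppasswdd; anything else fails."""
    try:
        user, fields = parse_request(line)
    except ValueError as exc:
        return "FAIL: %s\n" % exc
    problem = validate(fields, allowed_shells)
    if problem:
        return "FAIL: %s\n" % problem
    # A real program would now check o: against the stored hash for `user`,
    # apply the change and rebuild the NIS maps (the -x program's job).
    return "OK\n"


if __name__ == "__main__":
    sys.stdout.write(handle(sys.stdin.readline()))
```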
Logging
rpc.yppasswdd logs all password update requests to syslogd(8)'s auth
facility. The logging information includes the originating host's IP address
and the user name and UID contained in the request. The user-supplied password
itself is not logged.
Security
Unless I've screwed up completely (as I did with versions prior to
version 0.5), rpc.yppasswdd should be as secure or insecure as any program
relying on simple password authentication. If you feel that this is not
enough, you may want to protect rpc.yppasswdd from outside access by using the
`securenets' feature of the new portmap(8) version 3. Better still, use
Kerberos.
COPYRIGHT
rpc.yppasswdd is copyright (C) Olaf Kirch. You can use and distribute it
under the GNU General Public License Version 2. Note that it does not
contain any code from the shadow password suite.
FILES
/usr/sbin/rpc.yppasswdd
/usr/lib/yp/pwupdate
/etc/passwd
/etc/shadow
SEE ALSO
passwd(5), shadow(5), passwd(1), yppasswd(1), ypchsh(1), ypchfn(1),
ypserv(8), ypcat(1)

The Network Information Service (NIS) was formerly known as Sun Yellow Pages
(YP). The functionality of the two remains the same; only the name has
changed. The name Yellow Pages is a registered trademark in the United Kingdom
of British Telecommunications plc, and may not be used without permission.
AUTHOR
Olaf Kirch, <okir@monad.swb.de>
Thorsten Kukuk, <kukuk@suse.de>