Provided by: nis_3.17.1-1build1_amd64

NAME

       rpc.yppasswdd - NIS password update daemon

SYNOPSIS

       rpc.yppasswdd [-D directory] [-e chsh|chfn] [--port number]
       rpc.yppasswdd [-s shadow] [-p passwd] [-e chsh|chfn] [--port number]
       rpc.yppasswdd -x program|-E program [-e chsh|chfn] [--port number]

DESCRIPTION

       rpc.yppasswdd  is  the  RPC  server that lets users change their passwords in the presence of NIS (a.k.a.
       YP). It must be run on the NIS master server for that NIS domain.

       When a yppasswd(1) client contacts the server, it sends the old user password along  with  the  new  one.
       rpc.yppasswdd  will  search  the  system's passwd file for the specified user name, verify that the given
       (old) password matches, and update the entry. If the user specified does not exist, or if  the  password,
       UID  or  GID  doesn't  match the information in the password file, the update request is rejected, and an
       error returned to the client.

       If this version of the server is compiled with the CHECKROOT=1 option, the password given is also checked
       against the system's root password.

       After updating the passwd file and returning a success notification to the client, rpc.yppasswdd executes
       the pwupdate script that updates the NIS server's passwd.* and shadow.byname maps.  This  script  assumes
       all  NIS maps are kept in directories named /var/yp/nisdomain that each contain a Makefile customized for
       that NIS domain. If no such Makefile is found, the script uses the generic one in /var/yp.

OPTIONS

       The following options are available:

       -D directory
              The passwd and shadow files are located under the specified directory  path.   rpc.yppasswdd  will
              use these files, not /etc/passwd and /etc/shadow.  This is useful if you do not want to give all
              users in the NIS database automatic access to your NIS server.

       -E program
              Instead of rpc.yppasswdd editing the passwd & shadow files, the specified program will be  run  to
              do  the  editing.  The following environment variables will be set for the program: YP_PASSWD_OLD,
              YP_PASSWD_NEW, YP_USER, YP_GECOS, YP_SHELL. The program should return an exit status of 0  if  the
              change  completes  successfully, 1 if the change completes successfully but pwupdate should not be
              run, and otherwise if the change fails.

       -p passwdfile
              This option tells rpc.yppasswdd to use a different source file instead of /etc/passwd.  This is
              useful  if  you  do  not  want  to give all users in the NIS database automatic access to your NIS
              server.

       -s shadowfile
              This option tells rpc.yppasswdd to use a different source file instead of /etc/passwd. See  below
              for a brief discussion of shadow support.

       -e [chsh|chfn]
              By  default, rpc.yppasswdd will not allow users to change the shell or GECOS field of their passwd
              entry. Using the -e option, you can enable either of these. Note that when  enabling  support  for
              ypchsh(1), you have to list all shells users are allowed to select in /etc/shells.

       -x program
              When  the  -x  option is used, rpc.yppasswdd will not attempt to modify any files itself, but will
              instead run  the  specified  program,  passing  to  its  stdin  information  about  the  requested
              operation(s).   There  is a defined protocol used to communicate with this external program, which
              has total freedom in how it propagates the change request. See below for more details on this.

       -m     Will be ignored, for compatibility with Solaris only.

       --port number
              rpc.yppasswdd will try to register itself to this port. This makes it  possible to have  a  router
              filter packets to the NIS ports.

       -v --version
              Prints the version number and whether this package is compiled with the CHECKROOT option.

MISCELLANEOUS

   Shadow Passwords
       Using  Shadow  passwords  alongside  NIS does not make too much sense, because the supposedly inaccessible
       passwords now become readable through a simple invocation of ypcat(1).

       Shadow support in rpc.yppasswdd does not mean that it offers a very clever solution to this  problem;  it
       simply  means  that  it  can  read  and  write password entries in the system's shadow file.  You have to
       produce a shadow.byname NIS map to distribute password information to  your  NIS  clients.  rpc.yppasswdd
       will  first search the /etc/passwd file for the user and password. If it finds the user, but the
       password is "x" and a /etc/shadow file exists, it will update the password in the shadow map.

   Use of the -x option
       The program should expect to read a single line from stdin, which is formatted as follows:

       <username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n

       where any of the three fields [p, s, g] may or may not be present.

       This program  should  write  "OK\n"  to  stdout  if  the  operation  succeeded.   On  any  other  result,
       rpc.yppasswdd will report failure to the client.

       Note that the program specified by the -x option is responsible for doing any NIS make and build, and for
       doing any necessary validation on the shell and gcos field information supplied.  The password passed  to
       the client will be in UNIX crypt() format.
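
       The following is an added example, not code from the nis package: a sketch of the parsing and
       validation a -x helper has to do on the request line described above. The names parse_request and
       validate, the username policy and the allowed-shell set are assumptions made for illustration.

```python
import re

# Request line per the man page; the p, s and g fields are optional:
#   <username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n
# Assumption: the old password contains no " p:", " s:" or " g:" sequence
# (the format has no escaping, so such a password would be ambiguous).
LINE_RE = re.compile(
    r"^(?P<user>\S+) o:(?P<old>.*?)"
    r"(?: p:(?P<password>\S+))?"
    r"(?: s:(?P<shell>\S+))?"
    r"(?: g:(?P<gecos>.*))?$"
)
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # assumed site policy
BAD_FIELD = re.compile(r"[:\x00-\x1f\x7f]")  # would corrupt a passwd entry


def parse_request(line):
    """Split one request line into fields; absent fields are None."""
    if not line.endswith("\n") or line.count("\n") != 1:
        raise ValueError("expected exactly one newline-terminated line")
    m = LINE_RE.match(line[:-1])
    if m is None:
        raise ValueError("malformed request")
    return m.groupdict()


def validate(req, allowed_shells):
    """Return a list of problems; empty means the request may be applied."""
    problems = []
    if not USER_RE.match(req["user"]):
        problems.append("bad username")
    if req["password"] is not None and BAD_FIELD.search(req["password"]):
        problems.append("bad password hash")
    if req["shell"] is not None and req["shell"] not in allowed_shells:
        problems.append("shell not allowed")
    if req["gecos"] is not None and BAD_FIELD.search(req["gecos"]):
        problems.append("bad gecos")
    return problems


if __name__ == "__main__":
    shells = {"/bin/sh", "/bin/bash"}  # in practice, the entries of /etc/shells
    # Constructed sample lines, not captured traffic.
    for sample in ("alice o:old pw p:$6$salt$hash s:/bin/bash g:Alice Example\n",
                   "carol o:x g:Carol:0:0:root\n"):
        problems = validate(parse_request(sample), shells)
        # A real helper writes "OK\n" only after applying the change.
        print("reject: " + ", ".join(problems) if problems else "accept")
```

       The request line carries the user's old password, so a helper built on this should keep the raw
       line out of its own logs and error messages.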

   Logging
       rpc.yppasswdd  logs  all  password update requests to syslogd(8)'s auth facility. The logging information
       includes the originating host's IP address and the user name and UID contained in the request. The  user-
       supplied password itself is not logged.

   Security
       Unless  I've screwed up completely (as I did with versions prior to version 0.5), rpc.yppasswdd should be
       as secure or insecure as any program relying on simple password authentication.  If you feel that this is
       not  enough,  you may want to protect rpc.yppasswdd from outside access by using the `securenets' feature
       of the new portmap(8) version 3.  Better still, use Kerberos.

COPYRIGHT

       rpc.yppasswdd is copyright (C) Olaf Kirch. You can use and distribute it under  the  GNU  General  Public
       License Version 2. Note that it does not contain any code from the shadow password suite.

FILES

       /usr/sbin/rpc.yppasswdd
       /usr/lib/yp/pwupdate
       /etc/passwd
       /etc/shadow

SEE ALSO

       passwd(5), shadow(5), passwd(1), yppasswd(1), ypchsh(1), ypchfn(1), ypserv(8), ypcat(1)

       The  Network Information Service (NIS) was formerly known as Sun Yellow Pages (YP).  The functionality of
       the two remains the same; only the name has changed.  The name Yellow Pages is a registered trademark  in
       the United Kingdom of British Telecommunications plc, and may not be used without permission.

AUTHOR

       Olaf Kirch, <okir@monad.swb.de>
       Thorsten Kukuk, <kukuk@suse.de>