yppasswdd(8) System Manager's Manual yppasswdd(8)
NAME
yppasswdd, rpc.yppasswdd - server daemon for modifying the Network Information Service (NIS) password file
SYNOPSIS
/usr/sbin/rpc.yppasswdd file [-m arg1 arg2...]
DESCRIPTION
The yppasswdd daemon is a server that handles password change requests from yppasswd(1). It changes a password entry in the specified file,
which is assumed to be in the same format described in passwd(4). An entry in file will be changed only if the password presented by
yppasswd(1) matches the encrypted password of that entry.
If the -m option is given, then after file is modified, a make(1) will be performed in /var/yp. Any arguments following the option will be
passed to make. The -m option should be set only at a NIS master server machine.
This server is not run by default, nor can it be started up from inetd(8). If it is desired to enable remote password updating for the
NIS, then an entry for yppasswdd should be put in the /sbin/init.d/nis file of the host serving as the master for the NIS passwd file.
SECURITY NOTE
When enhanced security is installed and NIS is used to distribute the protected password authentication database, the yppasswdd daemon
manages writes to that database. A strict C2 security policy, which is optionally configurable using enhanced security, requires each
user login or login failure to be recorded in the protected password authentication database. These updates, in combination with password
changes and system administration functions affecting user accounts, are coordinated by the daemon.
EXAMPLES
If the NIS password file is stored as /var/yp/src/passwd, then to have password changes propagated immediately, the server should be
invoked as:
/usr/sbin/rpc.yppasswdd /var/yp/src/passwd -m passwd DIR=/var/yp/src
SEE ALSO
Commands: yppasswd(1), ypmake(8)
Files: passwd(4), ypfiles(4)
RPC.YPPASSWDD(8) NIS Reference Manual RPC.YPPASSWDD(8)
NAME
rpc.yppasswdd - NIS password update daemon
SYNOPSIS
rpc.yppasswdd [-D directory] -e chsh|chfn [--port number]
rpc.yppasswdd [-s shadow] [-p passwd] -e chsh|chfn [--port number]
rpc.yppasswdd -x program | -E program -e chsh|chfn [--port number]
DESCRIPTION
rpc.yppasswdd is the RPC server that lets users change their passwords in the presence of NIS (a.k.a. YP). It must be run on the NIS master
server for that NIS domain.
When a yppasswd(1) client contacts the server, it sends the old user password along with the new one. rpc.yppasswdd will search the
system's passwd file for the specified user name, verify that the given (old) password matches, and update the entry. If the user specified
does not exist, or if the password, UID or GID doesn't match the information in the password file, the update request is rejected, and an
error returned to the client.
If this version of the server is compiled with the CHECKROOT=1 option, the password given is also checked against the system's root
password.
After updating the passwd file and returning a success notification to the client, rpc.yppasswdd executes the pwupdate script that updates
the NIS server's passwd.* and shadow.byname maps. This script assumes all NIS maps are kept in directories named /var/yp/nisdomain that
each contain a Makefile customized for that NIS domain. If no such Makefile is found, the script uses the generic one in /var/yp.
OPTIONS
The following options are available:
-D directory
The passwd and shadow files are located under the specified directory path. rpc.yppasswdd will use these files, not /etc/passwd and
/etc/shadow. This is useful if you do not want to give all users in the NIS database automatic access to your NIS server.
-E program
Instead of rpc.yppasswdd editing the passwd & shadow files, the specified program will be run to do the editing. The following
environment variables will be set for the program: YP_PASSWD_OLD, YP_PASSWD_NEW, YP_USER, YP_GECOS, YP_SHELL. The program should return
an exit status of 0 if the change completes successfully, 1 if the change completes successfully but pwupdate should not be run, and
otherwise if the change fails.
-p passwdfile
This option tells rpc.yppasswdd to use a different source file instead of /etc/passwd. This is useful if you do not want to give all
users in the NIS database automatic access to your NIS server.
-s shadowfile
This option tells rpc.yppasswdd to use a different source file instead of /etc/shadow. See below for a brief discussion of shadow
support.
-e [chsh|chfn]
By default, rpc.yppasswdd will not allow users to change the shell or GECOS field of their passwd entry. Using the -e option, you can
enable either of these. Note that when enabling support for ypchsh(1), you have to list all shells users are allowed to select in
/etc/shells.
-x program
When the -x option is used, rpc.yppasswdd will not attempt to modify any files itself, but will instead run the specified program,
passing to its stdin information about the requested operation(s). There is a defined protocol used to communicate with this external
program, which has total freedom in how it propagates the change request. See below for more details on this.
-m
Will be ignored, for compatibility with Solaris only.
--port number
rpc.yppasswdd will try to register itself to this port. This makes it possible to have a router filter packets to the NIS ports.
-v --version
Prints the version number and whether this package is compiled with the CHECKROOT option.
MISCELLANEOUS
Shadow Passwords
Using Shadow passwords alongside NIS does not make too much sense, because the supposedly inaccessible passwords now become readable through
a simple invocation of ypcat(1).
Shadow support in rpc.yppasswdd does not mean that it offers a very clever solution to this problem; it simply means that it can read and
write password entries in the system's shadow file. You have to produce a shadow.byname NIS map to distribute password information to your
NIS clients. rpc.yppasswdd will first search the /etc/passwd file for the user and password. If it finds the user, but the password
is "x" and a /etc/shadow file exists, it will update the password in the shadow map.
Use of the -x option
The program should expect to read a single line from stdin, which is formatted as follows:
<username> o:<oldpass> p:<password> s:<shell> g:<gcos>
where any of the three fields [p, s, g] may or may not be present.
This program should write "OK\n" to stdout if the operation succeeded. On any other result, rpc.yppasswdd will report failure to the
client.
Note that the program specified by the -x option is responsible for doing any NIS make and build, and for doing any necessary validation on
the shell and gcos field information supplied. The password passed to the client will be in UNIX crypt() format.
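Added example, not part of the manual page or of rpc.yppasswdd itself: a Python front end for a -x program that parses the request line described above and performs the shell and gcos validation the text leaves to that program. It assumes g: is the last field and runs to end of line and that no other value contains a space; allowed_shells, apply_change and the "FAIL" reply are hypothetical names chosen for this example.

```python
import re

# Anything that would break a colon-delimited passwd(5) record.
UNSAFE = re.compile(r"[:\x00-\x1f\x7f]")
TAGS = {"o": "oldpass", "p": "password", "s": "shell"}


def parse_request(line):
    """Parse '<username> o:<oldpass> [p:...] [s:...] [g:...]' into a dict.

    Assumptions: g: is last and runs to end of line (GECOS text may contain
    spaces); no other value contains a space. Anything else is rejected.
    """
    head, has_gcos, gcos = line.rstrip("\n").partition(" g:")
    user, *tokens = head.split(" ")
    req = {"user": user}
    if has_gcos:
        req["gcos"] = gcos
    for tok in tokens:
        tag, colon, value = tok.partition(":")
        if not colon or tag not in TAGS or TAGS[tag] in req:
            raise ValueError("malformed or repeated field")
        req[TAGS[tag]] = value
    if not user or "oldpass" not in req:
        raise ValueError("missing user name or old password")
    return req


def validate(req, allowed_shells):
    """Return a rejection reason, or None when the request is acceptable."""
    for name in ("user", "password", "shell", "gcos"):
        if UNSAFE.search(req.get(name, "")):
            return "unsafe character in " + name
    if "shell" in req and req["shell"] not in allowed_shells:
        return "shell not in allowed list"
    if not {"password", "shell", "gcos"} & req.keys():
        return "no change requested"
    return None


def handle(line, allowed_shells, apply_change):
    """Build the stdout reply; apply_change (hypothetical callback) must
    check oldpass, store the change and rebuild the maps, returning True."""
    try:
        req = parse_request(line)
    except ValueError:
        return "FAIL\n"
    if validate(req, allowed_shells) or not apply_change(req):
        return "FAIL\n"
    return "OK\n"
```

The old password is deliberately left out of the character check because it is only compared, never written to the file, and neither password value should be logged by the program.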
Logging
rpc.yppasswdd logs all password update requests to syslogd(8)'s auth facility. The logging information includes the originating host's IP
address and the user name and UID contained in the request. The user-supplied password itself is not logged.
Security
rpc.yppasswdd should be as secure or insecure as any program relying on simple password authentication. If you feel that this is not
enough, you may want to protect rpc.yppasswdd from outside access by using the `securenets' feature of the new portmap(8) version 3. Better
still, look at rpasswdd(8).
FILES
/usr/sbin/rpc.yppasswdd
/usr/lib/yp/pwupdate
/etc/passwd
/etc/shadow
SEE ALSO
passwd(5), shadow(5), passwd(1), rpasswdd(8), yppasswd(1), ypchsh(1), ypchfn(1), ypserv(8), ypcat(1)
AUTHOR
Olaf Kirch <okir@monad.swb.de> and Thorsten Kukuk <kukuk@linux-nis.org>
NIS Reference Manual 09/26/2007 RPC.YPPASSWDD(8)