RedHat 9 (Linux i386) - man page for rpc.yppasswdd (redhat section 8)


       rpc.yppasswdd - NIS password update daemon

       rpc.yppasswdd [-D directory] [-e chsh|chfn] [--port number]
       rpc.yppasswdd [-s shadow] [-p passwd] [-e chsh|chfn] [--port number]
       rpc.yppasswdd -x program|-E program [-e chsh|chfn] [--port number]

       rpc.yppasswdd  is the RPC server that lets users change their passwords in the presence of
       NIS (a.k.a. YP). It must be run on the NIS master server for that NIS domain.

       When a yppasswd(1) client contacts the server, it sends the old user password  along  with
       the  new  one.  rpc.yppasswdd  will search the system's passwd file for the specified user
       name, verify that the given (old) password matches, and update  the  entry.  If	the  user
       specified  does not exist, or if the password, UID or GID doesn't match the information in
       the password file, the update request is rejected, and an error returned to the client.

       If this version of the server is compiled with the CHECKROOT=1 option, the password  given
       is also checked against the system's root password.

       After  updating	the  passwd  file  and	returning  a  success notification to the client,
       rpc.yppasswdd executes the pwupdate script that updates	the  NIS  server's  passwd.*  and
       shadow.byname  maps.   This  script  assumes  all  NIS  maps are kept in directories named
       /var/yp/nisdomain that each contain a Makefile customized for that NIS domain. If no  such
       Makefile is found, the script uses the generic one in /var/yp.

       The following options are available:

       -D directory
	      The  passwd  and	shadow	files  are  located  under  the specified directory path.
	      rpc.yppasswdd will use these files, not /etc/passwd and /etc/shadow.  This is useful
	      if  you  do not want to give all users in the NIS database automatic access to your
	      NIS server.

       -E program
	      Instead of rpc.yppasswdd editing the passwd & shadow files, the  specified  program
	      will  be run to do the editing. The following environment variables will be set for
	      the program: YP_PASSWD_OLD, YP_PASSWD_NEW, YP_USER, YP_GECOS, YP_SHELL. The program
	      should  return  an  exit status of 0 if the change completes successfully, 1 if the
	      change completes successfully but pwupdate should not be run, and otherwise if  the
	      change fails.

       -p passwdfile
	      This  option  tells  rpc.yppasswdd  to  use  a  different  source  file instead of
	      /etc/passwd. This is useful if you do not want to give all users in the NIS database
	      automatic access to your NIS server.

       -s shadowfile
	      This  option  tells  rpc.yppasswdd  to  use  a  different  source  file instead of
	      /etc/passwd. See below for a brief discussion of shadow support.

       -e [chsh|chfn]
	      By default, rpc.yppasswdd will not allow users to change the shell or  GECOS  field
	      of  their  passwd  entry. Using the -e option, you can enable either of these. Note
	      that when enabling support for ypchsh(1), you have to list  all  shells  users  are
	      allowed to select in /etc/shells.

       -x program
	      When  the  -x  option  is  used, rpc.yppasswdd will not attempt to modify any files
	      itself, but will instead run the specified program, passing to its stdin
	      information about the requested operation(s).  There is a defined protocol used to
	      communicate with this external program, which has total freedom in how it
	      propagates the change request. See below for more details on this.

       -m     Will be ignored, for compatibility with Solaris only.

       --port number
	      rpc.yppasswdd  will try to register itself to this port. This makes it  possible to
	      have a router filter packets to the NIS ports.

       -v --version
	      Prints the version number and if	this  package  is  compiled  with  the	CHECKROOT

   Shadow Passwords
       Using  Shadow passwords alongside NIS does not make too much sense, because the supposedly
       inaccessible passwords now become readable through a simple invocation of ypcat(1).

       Shadow support in rpc.yppasswdd does not mean that it offers a  very  clever  solution  to
       this  problem, it simply means that it can read and write password entries in the system's
       shadow file.  You have to produce a shadow.byname NIS map to distribute password
       information to your NIS clients. rpc.yppasswdd first searches the /etc/passwd file for
       the user and password. If it finds the user, but the password is "x"  and  a  /etc/shadow
       file exists, it will update the password in the shadow map.

   Use of the -x option
       The program should expect to read a single line from stdin, which is formatted as follows:

       <username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n

       where any of the three fields [p, s, g] may or may not be present.

       This  program  should  write  "OK\n"  to  stdout if the operation succeeded.  On any other
       result, rpc.yppasswdd will report failure to the client.

       Note that the program specified by the -x option is responsible for doing any NIS make and
       build, and for doing any necessary validation on the shell and gcos field information
       supplied.  The password passed to the client will be in UNIX crypt() format.
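
       An added example, not part of the original man page or the ypserv sources: a Python
       parser for the -x request line that performs the shell and gcos validation the note
       above leaves to the external program. The user-name pattern, the rule that g: runs to
       the end of the line, and the sample shells are assumptions.

```python
import re

# Field order follows the format line in the man page; p, s and g are optional.
# Assumption: g: is last and runs to end of line, so a GECOS value may hold spaces.
LINE_RE = re.compile(
    r"(?P<user>\S+) o:(?P<old>.*?)"
    r"(?: p:(?P<new>\S+))?(?: s:(?P<shell>\S+))?(?: g:(?P<gcos>.*))?"
)
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumed local naming policy
# A ':' or control character would shift or split fields in a passwd entry.
UNSAFE = re.compile(r"[:\x00-\x1f\x7f]")


def parse_request(line, allowed_shells):
    """Return the validated change request as a dict, or raise ValueError."""
    m = LINE_RE.fullmatch(line.rstrip("\n"))
    if m is None:
        raise ValueError("malformed request line")
    req = {k: v for k, v in m.groupdict().items() if v is not None}
    if not USER_RE.fullmatch(req["user"]):
        raise ValueError("bad user name")
    if "new" in req and UNSAFE.search(req["new"]):
        raise ValueError("bad character in password hash")
    if "shell" in req and req["shell"] not in allowed_shells:
        raise ValueError("shell not in allowed list")
    if "gcos" in req and UNSAFE.search(req["gcos"]):
        raise ValueError("bad character in gcos field")
    if len(req) == 2:  # only user and old password: nothing to change
        raise ValueError("no change requested")
    return req


if __name__ == "__main__":
    shells = {"/bin/sh", "/bin/bash"}  # constructed; compare with /etc/shells on a real host
    samples = (  # constructed request lines
        "alice o:old p:$1$ab$xyz s:/bin/bash g:Alice Doe\n",
        "alice o:old g:Alice:Doe\n",
    )
    for sample in samples:
        try:
            # Print field names only; never log the old or new password values.
            print("accept", sorted(parse_request(sample, shells)))
        except ValueError as exc:
            print("reject:", exc)
```

       A helper built on this would write "OK\n" to stdout only after the validated request
       has been applied and the NIS maps rebuilt.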

       rpc.yppasswdd logs all password update requests to syslogd(8)'s auth facility. The logging
       information includes the originating host's IP address and the user name and UID contained
       in the request. The user-supplied password itself is not logged.

       Unless I've screwed  up	completely  (as  I  did  with  versions  prior	to  version 0.5),
       rpc.yppasswdd  should  be  as secure or insecure as any program relying on simple password
       authentication.  If you feel that this is not enough, you may want to protect
       rpc.yppasswdd from outside access by using the `securenets' feature of the new portmap(8) version 3.
       Better still, use Kerberos.

       rpc.yppasswdd is copyright (C) Olaf Kirch. You can use and distribute  it  under  the  GNU
       General	Public	License Version 2. Note that it does not contain any code from the shadow
       password suite.


       passwd(5), shadow(5), passwd(1), yppasswd(1), ypchsh(1), ypchfn(1), ypserv(8), ypcat(1)

       The Network Information Service (NIS) was formerly known as Sun Yellow  Pages  (YP).   The
       functionality  of  the  two  remains the same; only the name has changed.  The name Yellow
       Pages is a registered trademark in the United Kingdom of British  Telecommunications  plc,
       and may not be used without permission.

       Olaf Kirch, <okir@monad.swb.de>
       Thorsten Kukuk, <kukuk@suse.de>

YP Server				   August 2001				 RPC.YPPASSWDD(8)
