|
RPC.YPPASSWDD(8)
Contents
|
rpc.yppasswdd - NIS password update daemon
rpc.yppasswdd [-D directory] [-e chsh|chfn]
rpc.yppasswdd [-s shadow] [-p passwd] [-e chsh|chfn]
rpc.yppasswdd -x program|-E program [-e chsh|chfn]
rpc.yppasswdd is the RPC server that lets users change their passwords
in the presence of NIS (a.k.a. YP). It must be run on the NIS master
server for that NIS domain.
When a yppasswd(1) client contacts the server, it sends the old user
password along with the new one. rpc.yppasswdd will search the system's
passwd file for the specified user name, verify that the given (old)
password matches, and update the entry. If the user specified does not
exist, or if the password, UID or GID doesn't match the information in
the password file, the update request is rejected, and an error
returned to the client.
If this version of the server is compiled with the CHECKROOT=1 option,
the password given is also checked against the systems root password.
After updating the passwd file and returning a success notification to
the client, rpc.yppasswdd executes the pwupdate script that updates the
NIS server's passwd.* and shadow.byname maps. This script assumes all
NIS maps are kept in directories named /var/yp/nisdomain that each contain
a Makefile customized for that NIS domain. If no such Makefile is
found, the scripts uses the generic one in /var/yp.
The following options are available:
-D directory
The passwd and shadow files are located under the specified
directory path. rpc.yppasswdd will use this files, not
/etc/passwd and /etc/shadow. This is useful if you do not want
to give all users in the NIS database automatic access to your
NIS server.
-E program
Instead of rpc.yppasswdd editing the passwd & shadow files, the
specified program will be run to do the editing. The following
environment variables will be set for the program:
YP_PASSWD_OLD, YP_PASSWD_NEW, YP_USER, YP_GECOS, YP_SHELL. The
program should return an exit status of 0 if the change completes
successfully, 1 if the change completes successfully but
pwupdate should not be run, and otherwise if the change fails.
-p passwdfile
This options tells rpc.yppasswdd to use a different source file
instead of /etc/passwd This is useful if you do not want to give
all users in the NIS database automatic access to your NIS
server.
-s shadowfile
This options tells rpc.yppasswdd to use a different source file
instead of /etc/passwd See below for a brief discussion of
shadow support.
-e [chsh|chfn]
By default, rpc.yppasswdd will not allow users to change the
shell or GECOS field of their passwd entry. Using the -e option,
you can enable either of these. Note that when enabling support
for ypchsh(1), you have to list all shells users are allowed to
select in /etc/shells.
-x program
When the -x option is used, rpc.yppasswdd will not attempt to
modify any files itself, but will instead run the specified program,
passing to its stdin information about the requested operation(s).
There is a defined protocol used to communicate with
this external program, which has total freedom in how it propagates
the change request. See below for more details on this.
-m Will be ignored, for compatibility with Solaris only.
-v --version
Prints the version number and if this package is compiled with
the CHECKROOT option.
Shadow Passwords
Using Shadow passwords alongside NIS does not make too much sense,
because the supposedly inaccesible passwords now become readable
through a simple invocation of ypcat(1).
Shadow support in rpc.yppasswdd does not mean that it offers a very
clever solution to this problem, it simply means that it can read and
write password entries in the system's shadow file. You have to produce
a shadow.byname NIS map to distribute password information to your
NIS clients. rpc.yppasswdd will search at first in the /etc/passwd file
for the user and password. If it find's the user, but the password is
"x" and a /etc/shadow file exists, it will update the password in the
shadow map.
Use of the -x option [Toc] [Back]
The program should expect to read a single line from stdin, which is
formatted as follows:
<username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n
where any of the three fields [p, s, g] may or may not be present.
This program should write "OK\n" to stdout if the operation succeeded.
On any other result, rpc.yppasswdd will report failure to the client.
Note that the program specified by the -x option is responsible for
doing any NIS make and build, and for doing any necessary validation on
the shell and gcos field information supplied. The password passed to
the client will be in UNIX crypt() format.
Logging [Toc] [Back]
rpc.yppasswdd logs all password update requests to syslogd(8)'s auth
facility. The logging information includes the originating host's IP
address and the user name and UID contained in the request. The usersupplied
password itself is not logged.
Security [Toc] [Back]
Unless I've screwed up completely (as I did with versions prior to version
0.5), rpc.yppasswdd should be as secure or insecure as any program
relying on simple password authentication. If you feel that this is
not enough, you may want to protect rpc.yppasswdd from outside access
by using the `securenets' feature of the new portmap(8) version 3.
Better still, use Kerberos.
rpc.yppasswdd is copyright (C) Olaf Kirch. You can use and distribute
it under the GNU General Public License Version 2. Note that it does
not contain any code from the shadow password suite.
/usr/sbin/rpc.yppasswdd
/usr/lib/yp/pwupdate
/etc/passwd
/etc/shadow
passwd(5), shadow(5), passwd(1), yppasswd(1), ypchsh(1), ypchfn(1),
ypserv(8), ypcat(1)
The Network Information Service (NIS) was formerly known as Sun Yellow
Pages (YP). The functionality of the two remains the same; only the
name has changed. The name Yellow Pages is a registered trademark in
the United Kingdom of British Telecommunications plc, and may not be
used without permission.
Olaf Kirch, <[email protected]>
Thorsten Kukuk, <[email protected]>
20 April 1997 RPC.YPPASSWDD(8)
[ Back ] |