RPC.YPPASSWDD(8) | NIS Reference Manual | RPC.YPPASSWDD(8) |
rpc.yppasswdd - NIS password update daemon
rpc.yppasswdd [-D directory] -e chsh|chfn [--port number]
rpc.yppasswdd [-s shadow] [-p passwd] -e chsh|chfn [--port number]
rpc.yppasswdd -x program | -E program -e chsh|chfn [--port number]
rpc.yppasswdd is the RPC server that lets users change their passwords in the presence of NIS (a.k.a. YP). It must be run on the NIS master server for that NIS domain.
When a yppasswd(1) client contacts the server, it sends the old user password along with the new one. rpc.yppasswdd will search the system's passwd file for the specified user name, verify that the given (old) password matches, and update the entry. If the user specified does not exist, or if the password, UID or GID doesn't match the information in the password file, the update request is rejected, and an error returned to the client.
If this version of the server is compiled with the CHECKROOT=1 option, the password given is also checked against the systems root password.
After updating the passwd file and returning a success notification to the client, rpc.yppasswdd executes the pwupdate script that updates the NIS server's passwd.* and shadow.byname maps. This script assumes all NIS maps are kept in directories named /var/yp/nisdomain that each contain a Makefile customized for that NIS domain. If no such Makefile is found, the scripts uses the generic one in /var/yp.
The following options are available:
-D directory
-E program
-p passwdfile
-s shadowfile
-e [chsh|chfn]
-x program
-m
--port number
-v --version
Using Shadow passwords alongside NIS does not make too much sense, because the supposedly inaccesible passwords now become readable through a simple invocation of ypcat(1).
Shadow support in rpc.yppasswdd does not mean that it offers a very clever solution to this problem, it simply means that it can read and write password entries in the system's shadow file. You have to produce a shadow.byname NIS map to distribute password information to your NIS clients. rpc.yppasswdd will search at first in the /etc/passwd file for the user and password. If it find's the user, but the password is "x" and a /etc/shadow file exists, it will update the password in the shadow map.
The program should expect to read a single line from stdin, which is formatted as follows:
<username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n
where any of the three fields [p, s, g] may or may not be present.
This program should write "OK\n" to stdout if the operation succeeded. On any other result, rpc.yppasswdd will report failure to the client.
Note that the program specified by the -x option is responsible for doing any NIS make and build, and for doing any necessary validation on the shell and gcos field information supplied. The password passed to the client will be in UNIX crypt() format.
rpc.yppasswdd logs all password update requests to syslogd(8)'s auth facility. The logging information includes the originating host's IP address and the user name and UID contained in the request. The user-supplied password itself is not logged.
rpc.yppasswdd should be as secure or insecure as any program relying on simple password authentication. If you feel that this is not enough, you may want to protect rpc.yppasswdd from outside access by using the `securenets' feature of the new portmap(8) version 3. Better still, look at rpasswdd(8).
/usr/sbin/rpc.yppasswdd
/usr/lib/yp/pwupdate
/etc/passwd
/etc/shadow
passwd(5), shadow(5), passwd(1), rpasswdd(8), yppasswd(1), ypchsh(1), ypchfn(1), ypserv(8), ypcat(1)
Olaf Kirch <okir@monad.swb.de> and Thorsten Kukuk <kukuk@linux-nis.org>
12/31/2020 | NIS Reference Manual |