1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry id='rpc.yppasswdd'>
<refmeta>
<refentrytitle>rpc.yppasswdd</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class='manual'>NIS Reference Manual</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>rpc.yppasswdd</refname>
<refpurpose>NIS password update daemon</refpurpose>
</refnamediv>
<!-- body begins here -->
<refsynopsisdiv id='synopsis'>
<cmdsynopsis>
<command>rpc.yppasswdd</command>
<arg choice='opt'>-D <replaceable>directory</replaceable></arg>
<arg choice='plain'>-e <replaceable>chsh</replaceable>|<replaceable>chfn</replaceable></arg>
<arg choice='opt'>--port <replaceable>number</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>rpc.yppasswdd</command>
<arg choice='opt'>-s <replaceable>shadow</replaceable></arg>
<arg choice='opt'>-p <replaceable>passwd</replaceable></arg>
<arg choice='plain'>-e <replaceable>chsh</replaceable>|<replaceable>chfn</replaceable></arg>
<arg choice='opt'>--port <replaceable>number</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>rpc.yppasswdd</command>
<group choice='plain'>
<arg choice='plain'>-x <replaceable>program</replaceable></arg>
<arg choice='plain'>-E <replaceable>program</replaceable></arg>
</group>
<arg choice='plain'>-e <replaceable>chsh</replaceable>|<replaceable>chfn</replaceable></arg>
<arg choice='opt'>--port <replaceable>number</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
<command>rpc.yppasswdd</command> is the RPC server that lets users
change their passwords in the presence of NIS (a.k.a. YP). It must
be run on the NIS master server for that NIS domain.
</para>
<para>When a
<citerefentry><refentrytitle>yppasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
client contacts the server, it sends the old user
password along with the new one. <command>rpc.yppasswdd</command> will search the system's
<emphasis remap='B'>passwd</emphasis>
file for the specified user name, verify that the
given (old) password matches, and update the entry. If the user
specified does not exist, or if the password, UID or GID doesn't match
the information in the password file, the update request is rejected,
and an error returned to the client.</para>
<para>If this version of the server is compiled with the CHECKROOT=1 option, the
password given is also checked against the systems root password.</para>
<para>After updating the
<emphasis remap='B'>passwd</emphasis>
file and returning a success notification
to the client, <command>rpc.yppasswdd</command> executes the <emphasis remap='B'>pwupdate</emphasis> script that
updates the NIS server's <emphasis remap='B'>passwd.*</emphasis> and <emphasis remap='B'>shadow.byname</emphasis> maps.
This script assumes all NIS maps are kept in directories named
<filename>/var/yp/</filename><emphasis remap='I'>nisdomain</emphasis>
that each contain a <emphasis remap='B'>Makefile</emphasis> customized for that NIS domain. If no
such <emphasis remap='B'>Makefile</emphasis> is found, the scripts uses the generic one in
<filename>/var/yp</filename>.</para>
</refsect1>
<refsect1 id='options'><title>OPTIONS</title>
<para>The following options are available:</para>
<variablelist remap='TP'>
<varlistentry>
<term><option>-D</option><replaceable> directory</replaceable></term>
<listitem>
<para>The
<emphasis remap='B'>passwd</emphasis>
and
<emphasis remap='B'>shadow</emphasis>
files are located under the specified directory path.
<command>rpc.yppasswdd</command>
will use this files, not
<filename>/etc/passwd</filename>
and
<filename>/etc/shadow.</filename>
This is useful if you do not want to give all users in the NIS database
automatic access to your NIS server.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-E</option><replaceable> program</replaceable></term>
<listitem>
<para>Instead of rpc.yppasswdd editing the passwd & shadow files, the
specified program will be run to do the editing. The following
environment variables will be set for the program: YP_PASSWD_OLD,
YP_PASSWD_NEW, YP_USER, YP_GECOS, YP_SHELL. The program should return
an exit status of 0 if the change completes successfully, 1 if the
change completes successfully but pwupdate should not be run, and
otherwise if the change fails.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-p</option><replaceable> passwdfile</replaceable></term>
<listitem>
<para>This options tells <command>rpc.yppasswdd</command> to use a different source file instead
of <filename>/etc/passwd</filename> This is useful if you do not want to give all users
in the NIS database automatic access to your NIS server.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-s</option><replaceable> shadowfile</replaceable></term>
<listitem>
<para>This options tells <command>rpc.yppasswdd</command> to use a different source file instead
of <filename>/etc/passwd</filename>. See below for a brief discussion of shadow support.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-e [chsh|chfn]</option></term>
<listitem>
<para>By default, <command>rpc.yppasswdd</command> will not allow users to change the shell or
GECOS field of their <emphasis remap='B'>passwd</emphasis> entry. Using the <option>-e</option> option,
you can enable either of these. Note that when enabling support for
<citerefentry><refentrytitle>ypchsh</refentrytitle><manvolnum>1</manvolnum></citerefentry>, you have to list all shells users are allowed to
select in <filename>/etc/shells</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-x program</option></term>
<listitem>
<para>When the -x option is used, rpc.yppasswdd will not attempt to modify
any files itself, but will instead run the specified program, passing
to its stdin information about the requested operation(s). There is
a defined protocol used to communicate with this external program, which
has total freedom in how it propagates the change request. See
below for more details on this.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-m</option></term>
<listitem>
<para>Will be ignored, for compatibility with Solaris only.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--port number</option></term>
<listitem>
<para>rpc.yppasswdd will try to register itself to this port. This makes
it possible to have a router filter packets to the NIS ports.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-v --version</option></term>
<listitem>
<para>Prints the version number and if this package is compiled with the
CHECKROOT option.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='miscellaneous'><title>MISCELLANEOUS</title>
<refsect2 id='shadow_passwords'><title>Shadow Passwords</title>
<para>Using Shadow passwords alongside NIS does not make too much sense, because
the supposedly inaccesible passwords now become readable through a simple
invocation of
<citerefentry><refentrytitle>ypcat</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
<para>Shadow support in <command>rpc.yppasswdd</command> does not mean that it offers a very
clever solution to this problem, it simply means that it can read and write
password entries in the system's
<emphasis remap='B'>shadow</emphasis>
file. You have to produce a
<emphasis remap='B'>shadow.byname</emphasis> NIS map to distribute password information to your NIS
clients. <command>rpc.yppasswdd</command> will search at first in the <filename>/etc/passwd</filename> file
for the user and password. If it find's the user, but the password is "x"
and a <filename>/etc/shadow</filename> file exists, it will update the password in the
shadow map.</para>
</refsect2>
<refsect2 id='use_of_the_x_option'><title>Use of the -x option</title>
<para>The program should expect to read a single line from stdin, which is
formatted as follows:</para>
<para><username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n</para>
<para>where any of the three fields [p, s, g] may or may not be present.</para>
<para>This program should write "OK\n" to stdout if the operation succeeded. On
any other result, rpc.yppasswdd will report failure to the client.</para>
<para>Note that the program specified by the -x option is responsible for doing
any NIS make and build, and for doing any necessary validation on the
shell and gcos field information supplied. The password passed to the client
will be in UNIX crypt() format.</para>
</refsect2>
<refsect2 id='logging'><title>Logging</title>
<para><command>rpc.yppasswdd</command> logs all password update requests to <emphasis remap='B'>syslogd(8)</emphasis>'s
auth facility. The logging information includes the originating host's
IP address and the user name and UID contained in the request. The
user-supplied password itself is not logged.</para>
</refsect2>
<refsect2 id='security'>
<title>Security</title>
<para>
<command>rpc.yppasswdd</command> should be as secure or insecure
as any program relying on simple password authentication. If you
feel that this is not enough, you may want to protect
<command>rpc.yppasswdd</command> from outside access by using the
`securenets' feature of the new <citerefentry>
<refentrytitle>portmap</refentrytitle><manvolnum>8</manvolnum>
</citerefentry> version 3. Better still, look at <citerefentry>
<refentrytitle>rpasswdd</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect2>
</refsect1>
<refsect1 id='files'>
<title>FILES</title>
<para>
<filename>/usr/sbin/rpc.yppasswdd</filename>
<!-- .br -->
<filename>/usr/lib/yp/pwupdate</filename>
<!-- .br -->
<filename>/etc/passwd</filename>
<!-- .br -->
<filename>/etc/shadow</filename>
</para>
</refsect1>
<refsect1 id='see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>rpasswdd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>yppasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>ypchsh</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>ypchfn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>ypserv</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>ypcat</refentrytitle><manvolnum>1</manvolnum></citerefentry></para>
</refsect1>
<refsect1 id='author'>
<title>AUTHOR</title>
<para>
Olaf Kirch <okir@monad.swb.de> and
Thorsten Kukuk <kukuk@linux-nis.org>
</para>
</refsect1>
</refentry>
|
