RPC.YPPASSWDD(8)                                              RPC.YPPASSWDD(8)

       rpc.yppasswdd - NIS password update daemon

       rpc.yppasswdd [-D directory] [-e chsh|chfn] [--port number]
       rpc.yppasswdd [-s shadow] [-p passwd] [-e chsh|chfn] [--port number]
       rpc.yppasswdd -x program|-E program [-e chsh|chfn] [--port number]

       rpc.yppasswdd  is the RPC server that lets users change their passwords
       in the presence of NIS (a.k.a. YP). It must be run on  the  NIS  master
       server for that NIS domain.

       When  a  yppasswd(1)  client contacts the server, it sends the old user
       password along with the new one. rpc.yppasswdd will search the system's
       passwd  file  for  the specified user name, verify that the given (old)
       password matches, and update the entry. If the user specified does  not
       exist,  or if the password, UID or GID doesn't match the information in
       the password file,  the  update  request  is  rejected,  and  an  error
       returned to the client.

       If  this version of the server is compiled with the CHECKROOT=1 option,
       the password given is also checked against the systems root password.

       After updating the passwd file and returning a success notification  to
       the client, rpc.yppasswdd executes the pwupdate script that updates the
       NIS server's passwd.* and shadow.byname maps.  This script assumes  all
       NIS maps are kept in directories named /var/yp/nisdomain that each con-
       tain a Makefile customized for that NIS domain. If no such Makefile  is
       found, the scripts uses the generic one in /var/yp.

       The following options are available:

       -D directory
              The  passwd  and  shadow  files  are located under the specified
              directory  path.   rpc.yppasswdd  will  use  this   files,   not
              /etc/passwd  and /etc/shadow.  This is useful if you do not want
              to give all users in the NIS database automatic access  to  your
              NIS server.

       -E program
              Instead  of rpc.yppasswdd editing the passwd & shadow files, the
              specified program will be run to do the editing.  The  following
              environment   variables   will   be   set   for   the   program:
              program  should  return  an  exit status of 0 if the change com-
              pletes successfully, 1 if the change completes successfully  but
              pwupdate should not be run, and otherwise if the change fails.

       -p passwdfile
              This  options tells rpc.yppasswdd to use a different source file
              instead of /etc/passwd This is useful if you do not want to give
              all  users  in  the  NIS  database  automatic access to your NIS

       -s shadowfile
              This options tells rpc.yppasswdd to use a different source  file
              instead  of  /etc/passwd.  See  below  for a brief discussion of
              shadow support.

       -e [chsh|chfn]
              By default, rpc.yppasswdd will not allow  users  to  change  the
              shell or GECOS field of their passwd entry. Using the -e option,
              you can enable either of these. Note that when enabling  support
              for  ypchsh(1), you have to list all shells users are allowed to
              select in /etc/shells.

       -x program
              When the -x option is used, rpc.yppasswdd will  not  attempt  to
              modify any files itself, but will instead run the specified pro-
              gram, passing to its stdin information about the requested oper-
              ation(s).   There is a defined protocol used to communicate with
              this external program, which has total freedom in how it  propa-
              gates the change request. See below for more details on this.

       -m     Will be ignored, for compatibility with Solaris only.

       --port number
              rpc.yppasswdd  will  try  to  register itself to this port. This
              makes it  possible to have a router filter packets  to  the  NIS

       -v --version
              Prints  the  version number and if this package is compiled with
              the CHECKROOT option.

   Shadow Passwords
       Using Shadow passwords alongside NIS does  not  make  too  much  sense,
       because  the  supposedly  inaccesible  passwords  now  become  readable
       through a simple invocation of ypcat(1).

       Shadow support in rpc.yppasswdd does not mean that  it  offers  a  very
       clever  solution  to this problem, it simply means that it can read and
       write password entries in the system's shadow file.  You have  to  pro-
       duce a shadow.byname NIS map to distribute password information to your
       NIS clients. rpc.yppasswdd will search at first in the /etc/passwd file
       for  the  user and password. If it find's the user, but the password is
       "x" and a /etc/shadow file exists, it will update the password  in  the
       shadow map.

   Use of the -x option
       The  program  should  expect to read a single line from stdin, which is
       formatted as follows:

       <username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n

       where any of the three fields [p, s, g] may or may not be present.

       This program should write "OK\n" to stdout if the operation  succeeded.
       On any other result, rpc.yppasswdd will report failure to the client.

       Note  that  the  program  specified by the -x option is responsible for
       doing any NIS make and build, and for doing any necessary validation on
       the  shell and gcos field information supplied.  The password passed to
       the client will be in UNIX crypt() format.

       rpc.yppasswdd logs all password update requests  to  syslogd(8)'s  auth
       facility.  The  logging  information includes the originating host's IP
       address and the user name and UID contained in the request.  The  user-
       supplied password itself is not logged.

       Unless I've screwed up completely (as I did with versions prior to ver-
       sion 0.5), rpc.yppasswdd should be as secure or insecure as any program
       relying  on  simple  password authentication.  If you feel that this is
       not enough, you may want to protect rpc.yppasswdd from  outside  access
       by  using  the  `securenets'  feature  of the new portmap(8) version 3.
       Better still, use Kerberos.

       rpc.yppasswdd is copyright (C) Olaf Kirch. You can use  and  distribute
       it  under  the  GNU General Public License Version 2. Note that it does
       not contain any code from the shadow password suite.


       passwd(5), shadow(5),  passwd(1),  yppasswd(1),  ypchsh(1),  ypchfn(1),
       ypserv(8), ypcat(1)

       The  Network Information Service (NIS) was formerly known as Sun Yellow
       Pages (YP).  The functionality of the two remains the  same;  only  the
       name  has  changed.  The name Yellow Pages is a registered trademark in
       the United Kingdom of British Telecommunications plc, and  may  not  be
       used without permission.

       Olaf Kirch, <>
       Thorsten Kukuk, <>

YP Server                         August 2001                 RPC.YPPASSWDD(8)