Man Linux: Main Page and Category List


       rpc.yppasswdd - NIS password update daemon


       rpc.yppasswdd [-D directory] [-e chsh|chfn] [--port number]
       rpc.yppasswdd [-s shadow] [-p passwd] [-e chsh|chfn] [--port number]
       rpc.yppasswdd -x program|-E program [-e chsh|chfn] [--port number]


       rpc.yppasswdd  is the RPC server that lets users change their passwords
       in the presence of NIS (a.k.a. YP). It must be run on  the  NIS  master
       server for that NIS domain.

       When  a  yppasswd(1)  client contacts the server, it sends the old user
       password along with the new one. rpc.yppasswdd will search the system’s
       passwd  file  for  the specified user name, verify that the given (old)
       password matches, and update the entry. If the user specified does  not
       exist,  or if the password, UID or GID doesn’t match the information in
       the password file,  the  update  request  is  rejected,  and  an  error
       returned to the client.

       If  this version of the server is compiled with the CHECKROOT=1 option,
       the password given is also checked against the systems root password.

       After updating the passwd file and returning a success notification  to
       the client, rpc.yppasswdd executes the pwupdate script that updates the
       NIS server’s passwd.* and shadow.byname maps.  This script assumes  all
       NIS  maps  are  kept  in  directories named /var/yp/nisdomain that each
       contain a Makefile customized for that NIS domain. If no such  Makefile
       is found, the scripts uses the generic one in /var/yp.


       The following options are available:

       -D directory
              The  passwd  and  shadow  files  are located under the specified
              directory  path.   rpc.yppasswdd  will  use  this   files,   not
              /etc/passwd  and /etc/shadow.  This is useful if you do not want
              to give all users in the NIS database automatic access  to  your
              NIS server.

       -E program
              Instead  of rpc.yppasswdd editing the passwd & shadow files, the
              specified program will be run to do the editing.  The  following
              environment   variables   will   be   set   for   the   program:
              program  should  return  an  exit  status  of  0  if  the change
              completes successfully, 1 if the change  completes  successfully
              but  pwupdate  should  not  be  run, and otherwise if the change

       -p passwdfile
              This options tells rpc.yppasswdd to use a different source  file
              instead of /etc/passwd This is useful if you do not want to give
              all users in the NIS  database  automatic  access  to  your  NIS

       -s shadowfile
              This  options tells rpc.yppasswdd to use a different source file
              instead of /etc/passwd. See below  for  a  brief  discussion  of
              shadow support.

       -e [chsh|chfn]
              By  default,  rpc.yppasswdd  will  not allow users to change the
              shell or GECOS field of their passwd entry. Using the -e option,
              you  can enable either of these. Note that when enabling support
              for ypchsh(1), you have to list all shells users are allowed  to
              select in /etc/shells.

       -x program
              When  the  -x  option is used, rpc.yppasswdd will not attempt to
              modify any files itself, but  will  instead  run  the  specified
              program,  passing  to  its stdin information about the requested
              operation(s).  There is a defined protocol used  to  communicate
              with  this  external  program, which has total freedom in how it
              propagates the change request. See below  for  more  details  on

       -m     Will be ignored, for compatibility with Solaris only.

       --port number
              rpc.yppasswdd  will  try  to  register itself to this port. This
              makes it  possible to have a router filter packets  to  the  NIS

       -v --version
              Prints  the  version number and if this package is compiled with
              the CHECKROOT option.


   Shadow Passwords
       Using Shadow passwords alongside NIS does  not  make  too  much  sense,
       because  the  supposedly  inaccesible  passwords  now  become  readable
       through a simple invocation of ypcat(1).

       Shadow support in rpc.yppasswdd does not mean that  it  offers  a  very
       clever  solution  to this problem, it simply means that it can read and
       write password entries in  the  system’s  shadow  file.   You  have  to
       produce  a  shadow.byname NIS map to distribute password information to
       your NIS clients. rpc.yppasswdd will search at first in the /etc/passwd
       file for the user and password. If it find’s the user, but the password
       is "x" and a /etc/shadow file exists, it will update  the  password  in
       the shadow map.

   Use of the -x option
       The  program  should  expect to read a single line from stdin, which is
       formatted as follows:

       <username> o:<oldpass> p:<password> s:<shell> g:<gcos>\n

       where any of the three fields [p, s, g] may or may not be present.

       This program should write "OK\n" to stdout if the operation  succeeded.
       On any other result, rpc.yppasswdd will report failure to the client.

       Note  that  the  program  specified by the -x option is responsible for
       doing any NIS make and build, and for doing any necessary validation on
       the  shell and gcos field information supplied.  The password passed to
       the client will be in UNIX crypt() format.

       rpc.yppasswdd logs all password update requests  to  syslogd(8)’s  auth
       facility.  The  logging  information includes the originating host’s IP
       address and the user name and UID contained in the request.  The  user-
       supplied password itself is not logged.

       Unless  I’ve  screwed  up  completely  (as I did with versions prior to
       version 0.5), rpc.yppasswdd should be as  secure  or  insecure  as  any
       program  relying  on  simple password authentication.  If you feel that
       this is not enough, you may want to protect rpc.yppasswdd from  outside
       access  by  using  the  ‘securenets’  feature  of  the  new  portmap(8)
       version 3.  Better still, use Kerberos.


       rpc.yppasswdd is copyright (C) Olaf Kirch. You can use  and  distribute
       it  under  the  GNU General Public License Version 2. Note that it does
       not contain any code from the shadow password suite.




       passwd(5), shadow(5),  passwd(1),  yppasswd(1),  ypchsh(1),  ypchfn(1),
       ypserv(8), ypcat(1)

       The  Network Information Service (NIS) was formerly known as Sun Yellow
       Pages (YP).  The functionality of the two remains the  same;  only  the
       name  has  changed.  The name Yellow Pages is a registered trademark in
       the United Kingdom of British Telecommunications plc, and  may  not  be
       used without permission.


       Olaf Kirch, <>
       Thorsten Kukuk, <>