.\"
.\" Copyright 1994 Olaf Kirch, <okir@monad.swb.de>
.\"
.\" This program is covered by the GNU General Public License, version 2.
.\" It is provided in the hope that it is useful. However, the author
.\" disclaims ALL WARRANTIES, expressed or implied. See the GPL for details.
.\"
.Dd 12 December 1994
.Dt YPPASSWDD 8
.Sh NAME
.Nm yppasswdd
.Nd NIS password database update server
.Sh SYNOPSIS
.Nm yppasswdd
.Op Fl m Ar master password file
.Op Fl s
.Op Fl f
.Op Fl v
.Op Fl h
.Sh DESCRIPTION
.Nm yppasswdd
is the RPC server that lets users change their passwords
in the presence of NIS (a.k.a. YP). It must be run on the NIS master
server for that NIS domain.
.Pp
When a
.Xr yppasswd 1
client contacts the server, it sends the old user
password along with the new one.
.Nm yppasswdd
will search the system's
NIS password database file for the specified user name, verify that the
given (old) password matches, and update the entry. If the user
specified does not exist, or if the password, UID or GID doesn't match
the information in the password file, the update request is rejected,
and an error returned to the client.
.Pp
After updating the
.Nm master.passwd
file and returning a success
notification to the client,
.Nm yppasswdd
executes the
.Nm yppwupdate
script that updates the NIS server's
.Nm master.passwd.*
and
.Nm passwd.*
maps. This script invokes 
.Nm /var/yp/Makefile
to rebuild the NIS password maps (and propagate them to NIS slave
servers if there are any in the domain).
.Sh OPTIONS
The following options are available with
.Nm yppasswdd :
.Bl -tag -width Ds
.It Fl m Ar master password file
The
.Nm yppasswdd
server needs to know the location of the
master.passwd file that is to be used to generate updated NIS
password maps. This file is normally kept in
.Nm /var/yp
(it must be owned by root and not world readable for security reasons). 
If you move it somewhere else you'll have to tell yppasswdd using the
.Fl m
option. The location of this file is also passed to
.Nm /var/yp/Makefile
when the time comes to rebuild the NIS password maps. It is recommended,
however, that you edit
.Nm /var/yp/Makefile
to reflect the new location as well.
When the server is ready to change
a password database entry, it will modify master.passwd, then
call the yppwupdate script, which will in turn call
.Nm /var/yp/Makefile .
.Pp
Without the
.Fl m
option,
.Nm yppasswdd
expects to use the local
.Nm /etc/master.passwd
file on the NIS master server as the source for 
regenerating the password maps (the server will rebuild the local 
password databases in this case as well).
.Pp
This is less secure than
using a separate password database to restrict access to the NIS
master server, but the functionality is provided in the event this 
behavior is desired and security is not paramount (such as might be
the case on a closed local network of trusted systems).
Note that you will have to edit
.Nm /var/yp/Makefile
to use
.Nm /etc/master.passwd
instead of
.Nm /var/yp/master.passwd
if you want to use yppasswdd in this way.
.It Fl s
When invoked with the
.Fl s
flag,
.Nm yppasswdd
will allow users to change
the shell field of their NIS password entry. Without it,
.Xr yppasswd 1
will
appear to succeed when a user tries to change shells, but yppasswdd
will not actually alter the password database.
.It Fl f
This flag works just like
.Fl s ,
except it applies to the GECOS or
"fullname" field of a user's NIS password entry instead of the shell field. 
Some sites may wish to restrict users' ability to change their shells or 
full names for security or administrative reasons, which is why these two 
options are provided.
.El
.Sh MISCELLANEOUS
.Ss Logging
.Nm yppasswdd
logs all password update requests to the
.Xr syslogd 8
auth facility. The logging information includes the originating host's
IP address and the user name and UID contained in the request. The
user-supplied password itself is not logged.
.Ss Security
Unless I've screwed up completely (as I did with versions prior to
version 0.7),
.Nm yppasswdd
should be as secure or insecure as any
program relying on simple password authentication.  If you feel that
this is not enough, you may want to protect
.Nm yppasswdd
from outside
access by using the 'securenets' feature of
.Xr portmap 8
version 3.  Better still, use Kerberos.
.Sh NOTES
.Ss FreeBSD changes
Unlike the original
.Nm yppasswdd ,
the FreeBSD version has no support for 
John F. Haugh II's shadow password suite. It doesn't need it: 4.4BSD's
password database system already implements shadow passwords.
.Ss Using the yppasswdd server with non-FreeBSD clients
FreeBSD's
.Nm yppasswdd
should work equally well with non-FreeBSD client machines provided a
few small changes are made to
.Nm /var/yp/Makefile .
FreeBSD's passwd.byname and passwd.byuid maps do not contain actual
encrypted passwords (just like FreeBSD's /etc/passwd file): the real
encrypted passwords are kept in master.passwd.byname and
master.passwd.byuid, which FreeBSD's NIS server will only serve to
the superuser on FreeBSD NIS clients (non-privileged users are not
permitted to access these maps). Non-FreeBSD clients will not function
properly in this situation, since they require the password fields in
the passwd.* maps to be valid.
.Pp
To use
.Nm yppasswdd
with non-FreeBSD clients, you will need to edit
.Nm /var/yp/Makefile
and uncomment the line that says 'UNSECURE=True' and run
.Xr make 1 .
This will cause
.Nm /var/yp/Makefile
to generate passwd.* maps with real passwords in them instead of
stripping them out as it does normally.
.Sh FILES
.Bl -tag -width /usr/libexec/yppwupdate -compact
.It Pa /usr/sbin/yppasswdd
The yppasswdd daemon
.It Pa /usr/libexec/yppwupdate
The NIS map update script
.It Pa /var/yp/master.passwd
NIS password map source file
.It Pa /etc/master.passwd
Raw local password database (only used when
.Fl m
option isn't supplied)
.El
.Sh SEE ALSO
.Xr passwd 5 ,
.Xr passwd 1 ,
.Xr portmap 8 ,
.Xr yppasswd 1 ,
.Xr ypchsh 1 ,
.Xr ypchfn 1 ,
.Xr ypserv 8 ,
.Xr ypcat 8 .
.Sh COPYRIGHT
.Nm yppasswdd
is copyright (C) Olaf Kirch. You can use and distribute it
under the GNU General Public License Version 2.
.Sh AUTHOR(S)
.br
Olaf Kirch, <okir@monad.swb.de>
.br
Charles Lopez, <tjarls@infm.ulst.ac.uk> (shadow support)
.br
Bill Paul, <wpaul@ctr.columbia.edu> (port to FreeBSD, various small changes)
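
Added example (not part of the original manual page or the yppasswdd sources): a POSIX sh audit of the two settings this page ties to password exposure, the ownership and mode of the master.passwd file described under OPTIONS and the UNSECURE=True line in /var/yp/Makefile described under NOTES. The function names and the tolerance for whitespace or a quote around the Makefile value are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of yppasswdd. Function names are hypothetical.

# check_master_passwd FILE
# OPTIONS: the file "must be owned by root and not world readable".
# Prints one finding per problem, nothing when both conditions hold.
check_master_passwd() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 0; }
    # POSIX ls -ln: field 1 is the mode string, field 3 the numeric owner.
    mode_uid=$(ls -lnL "$f" | awk 'NR == 1 { print $1, $3 }')
    mode=${mode_uid% *}
    uid=${mode_uid#* }
    [ "$uid" = "0" ] || echo "owner: $f is owned by uid $uid, not root"
    case $mode in
        ???????r*) echo "mode: $f is world readable ($mode)" ;;
    esac
    return 0
}

# check_yp_makefile FILE
# NOTES: an uncommented UNSECURE=True makes the passwd.* maps carry the real
# encrypted passwords. Whitespace and a quote around the value are tolerated
# (assumption about how the line may be written).
check_yp_makefile() {
    if grep -Eq '^[[:space:]]*UNSECURE[[:space:]]*=[[:space:]]*"?True' "$1"; then
        echo "unsecure: $1 puts real encrypted passwords in passwd.* maps"
    fi
    return 0
}

# Constructed sample input: a mode-644 master.passwd copy and a Makefile with
# the UNSECURE line uncommented. On a real master, pass the path given to -m
# (or /var/yp/master.passwd) and /var/yp/Makefile instead.
demo() {
    d=$(mktemp -d) || return 1
    echo 'alice:CONSTRUCTED-HASH:1001:1001::0:0:Alice:/home/alice:/bin/sh' \
        > "$d/master.passwd"
    chmod 644 "$d/master.passwd"
    printf '# constructed Makefile fragment\nUNSECURE=True\n' > "$d/Makefile"
    check_master_passwd "$d/master.passwd"
    check_yp_makefile "$d/Makefile"
    rm -rf "$d"
}
demo
```

An empty result from both functions means the file meets the ownership and mode requirement and the passwd.* maps are built with the passwords stripped out.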