.\" .\" Copyright 1994 Olaf Kirch, .\" .\" This program is covered by the GNU General Public License, version 2. .\" It is provided in the hope that it is useful. However, the author .\" disclaims ALL WARRANTIES, expressed or implied. See the GPL for details. .\" .Dd 12 December 1994 .Dt YPPASSWDD 8 .Sh NAME .Nm yppasswdd .Nd NIS password database update server .Sh SYNOPSIS .Nm yppasswdd .Op Ar -m master password file .Op Fl s .Op Fl f .Op Fl v .Op Fl h .Sh DESCRIPTION .Nm yppasswdd is the RPC server that lets users change their passwords in the presence of NIS (a.k.a. YP). It must be run on the NIS master server for that NIS domain. .Pp When a .Xr yppasswd 1 client contacts the server, it sends the old user password along with the new one. .Nm yppasswdd will search the system's NIS password database file for the specified user name, verify that the given (old) password matches, and update the entry. If the user specified does not exist, or if the password, UID or GID doesn't match the information in the password file, the update request is rejected, and an error returned to the client. .Pp After updating the .Nm master.passwd file and returning a success notifications to the client, .Nm yppasswdd executes the .Nm yppwupdate script that updates the NIS server's .Nm master.passwd.* and .Nm passwd.* maps. This script invokes .Nm /var/yp/Makefile to rebuild the NIS password maps (and propagate them to NIS slave servers if there are any in the domain). .Sh OPTIONS .Bl -tag -width Ds The following options are available with .Nm yppasswdd: .It Fl Ar m master password file .Nm yppasswdd server needs to know the location of the master.passwd file that is to be used to generate updated NIS password maps. This file is normally kept in .Nm /var/yp (it must be owned by root and not world readable for security reasons). If you move it somewhere else you'll have to tell yppasswdd using the .Fl m option. (You'll have to change the location of master.passwd specified in .Nm /var/yp/Makefile as well.) When the server is ready to change a password database entry, it will modify master.passwd, then call the yppwupdate script, which will in turn call .Nm /var/yp/Makefile. .Pp Without the -m option, .Nm yppasswdd expects to use the local .Nm /etc/master.passwd file on the NIS master server as the source for regenerating the password maps (the server will rebuild the local password databases in this case as well). .Pp This is less secure than using a seperate password database to restrict access to the NIS master server, but the functionality is provided in the event this behavior is desired and security is not paramount (such as might be the case on a closed local network of trusted systems). Note that you will have to edit .Nm /var/yp/Makefile to use .Nm /etc/master.passwd instead of .Nm /var/yp/master.passwd if you want to use yppasswdd in this way. .It Fl s When invoked with the .Fl s flag, .Nm yppasswdd will allow users to change the shell field of their NIS password entry. Without it, .Xr yppasswd 1 will appear to succeed when a user tries to change shells, but yppasswdd will not actually alter the password database. .It Fl f This flag works just like .Fl s , except it applies to the GECOS or "fullname" field of a user's NIS password entry instead of the shell field. Some sites may wish to restrict users' ability to change their shells or full names for security or administrative reasons, which is why these two options are provided. .Sh MISCELLANEOUS .Ss Logging .Nm yppasswdd logs all password update requests to .Xr syslogd 8 auth facility. The logging information includes the originating host's IP address and the user name and UID contained in the request. The user-supplied password itself is not logged. .Ss Security Unless I've screwed up completely (as I did with versions prior to version 0.5), .Nm yppasswdd should be as secure or insecure as any program relying on simple password authentication. If you feel that this is not enough, you may want to protect .Nm yppasswdd from outside access by using the 'securenets' feature of .Xr portmap 8 version 3. Better still, use Kerberos. .Sh NOTES .Ss FreeBSD changes Unlike the original .Nm yppasswdd , the FreeBSD version has no support for John F. Haugh II's shadow password suite. It doesn't need it: 4.4BSD's password database system already implements shadow passwords. .Ss Using the yppasswdd server with non-FreeBSD clients FreeBSD's .Nm yppasswdd should work equally well with non-FreeBSD client machines provided a few small changes are made to .Nm /var/yp/Makefile. FreeBSD's passwd.byname and passwd.byuid maps do not contain actual encrypted passwords (just like FreeBSD's /etc/passwd file): the real encrypted passwords are kept in master.passwd.byname and master.passwd.byuid, which FreeBSD's NIS server will only serve to the superuser on FreeBSD NIS clients (non-privileged users are not permitted to access these maps). Non-FreeBSD clients will not function properly in this situation, since they require the password fields in the passwd.* maps to be valid. .Pp To use .Nm yppasswdd with non-FreeBSD clients, you will need to edit .Nm /var/yp/Makefile and uncomment the line that says 'UNSECURE=True' and run .Xr make 1 . This will cause .Nm /var/yp/Makefile to generate passwd.* maps with real passwords in them instead of stripping them out as it does normally. .Sh FILES .Bl -tag -width /usr/libexec/yppwupdate -compact .It Pa /usr/sbin/yppasswdd The yppasswdd daemon .It Pa /usr/libexec/yppwupdate The NIS map update script .It Pa /var/yp/master.passwd NIS password map source file .It Pa /etc/master.passwd Raw local password database (only used when .Fl m option isn't supplied) .Sh SEE ALSO .Xr passwd 5 , .Xr passwd 1 , .Xr portmap 8 , .Xr pwunconv 8 , .Xr yppasswd 1 , .Xr ypchsh 1 , .Xr ypchfn 1 , .Xr ypserv 8 , .Xr ypcat 8 . .Sh COPYRIGHT .Nm yppasswdd is copyright (C) Olaf Kirch. You can use and distribute it under the GNU General Public License Version 2. .Sh AUTHOR(S) .br Olaf Kirch, .br Charles Lopez, (shadow support) .br Bill Paul, (port to FreeBSD, various small changes)