Obtained from: The NYS project

This is the first round of changes to incorporate YP server functionality
into FreeBSD. This particular change allows passwd to change either the
local or NIS password, as well as the NIS GECOS and shell information.

Essentially, I've taken passwd(1) and yppasswd from the yppasswd-0.5
distribution (which is part of the NYS project -- a project to provide
a GNU GPL'ed suite of NIS tools) and rammed them into each other
at high speed. I've tried my best to make this co-exist with the
Kerberos stuff, but since I don't run Kerberos I don't have an easy
way to verify that it all works. If you choose any Kerberos flags
then the YP checks should be bypassed, but that may not be enough.
I'll modify it some more if it turns out I broke something. For now,
support for localand NIS passwords is pretty solid:

- If you simply type 'passwd,' the program checks to see if you exist
  in the local pwd.db database. If not, you get bounced to YP.

- If you try to force local functionality with the -l flag and you
  don't exist locally, you get an error.

The -y flag can be used to force YP functionality. -f and -s let you
change your full name and shell (respectively). -f *and* -s let you
change all of your 'account information.'

ypchfn, ypchsh, yppasswd and ypchpass are all links to passwd.

usr.bin/passwd/Makefile

@@ -1,13 +1,20 @@
 # From:	@(#)Makefile	8.3 (Berkeley) 4/2/94
-# $Id: Makefile,v 1.5 1994/11/20 23:21:06 wollman Exp $
+# $Id: Makefile,v 1.6 1995/01/19 21:03:48 wollman Exp $
 
 PROG=	passwd
-SRCS=	local_passwd.c passwd.c pw_copy.c pw_util.c
+SRCS=	local_passwd.c yp_passwd.c yppasswd_xdr.c passwd.c pw_copy.c pw_util.c
 LDADD=	-lcrypt
 .PATH:  ${.CURDIR}/../../usr.bin/chpass ${.CURDIR}/../../usr.sbin/vipw \
-	${.CURDIR}/../rlogin
-CFLAGS+=-DCRYPT -I${.CURDIR} -I${.CURDIR}/../../usr.sbin/vipw \
-	-I${.CURDIR}/../../usr.bin/chpass
+	${.CURDIR}/../rlogin ${.CURDIR}/../../gnu/usr.sbin/yppasswdd
+
+CFLAGS+=-DCRYPT -DYP -I${.CURDIR} -I${.CURDIR}/../../usr.sbin/vipw \
+	-I${.CURDIR}/../../usr.bin/chpass \
+	-I${.CURDIR}/../../gnu/usr.sbin/yppasswdd
+
+LINKS= ${BINDIR}/passwd ${BINDIR}/yppasswd
+LINKS+= ${BINDIR}/passwd ${BINDIR}/ypchfn
+LINKS+= ${BINDIR}/passwd ${BINDIR}/ypchsh
+LINKS+= ${BINDIR}/passwd ${BINDIR}/ypchpass
 
 BINOWN=	root
 BINMODE=4555

usr.bin/passwd/passwd.c

@@ -40,7 +40,7 @@ static char copyright[] =
 #ifndef lint
 static char sccsid[] = "From: @(#)passwd.c	8.3 (Berkeley) 4/2/94";
 static const char rcsid[] =
-	"$Id$";
+	"$Id: passwd.c,v 1.2 1995/01/20 22:03:36 wollman Exp $";
 #endif /* not lint */
 
 #include <err.h>
@@ -49,6 +49,17 @@ static const char rcsid[] =
 #include <stdlib.h>
 #include <unistd.h>
 
+#ifdef YP
+#include <pwd.h>
+#include <limits.h>
+#include <db.h>
+#include <fcntl.h>
+#include <utmp.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/param.h>
+#endif
+
 #ifdef KERBEROS
 #include "krb.h"
 #endif
@@ -59,6 +70,20 @@ void	usage __P((void));
 
 int use_local_passwd = 0;
 
+#ifdef YP
+#define PERM_SECURE (S_IRUSR|S_IWUSR)
+int use_yp_passwd = 0, opt_shell = 0, opt_fullname = 0;
+char *prog_name;
+HASHINFO openinfo = {
+        4096,           /* bsize */
+        32,             /* ffactor */
+        256,            /* nelem */
+        2048 * 1024,    /* cachesize */
+        NULL,           /* hash */
+        0,              /* lorder */
+};
+#endif
+
 int
 main(argc, argv)
 	int argc;
@@ -68,12 +93,34 @@ main(argc, argv)
 	char *uname;
 	char *iflag = 0, *rflag = 0, *uflag = 0;
 
+#ifdef YP
+#ifdef KERBEROS
+	char realm[REALM_SZ];
+#define OPTIONS "lysfi:r:u:"
+#else
+#define OPTIONS "lysf"
+#endif
+#else
 #ifdef KERBEROS
 	char realm[REALM_SZ];
 #define OPTIONS "li:r:u:"
 #else
 #define OPTIONS "l"
 #endif
+#endif
+
+#ifdef YP
+	DB *dbp;
+	DBT key,data;
+	char bf[UT_NAMESIZE + 2];
+
+	if (strstr(argv[0], (prog_name = "ypchpass")))
+		use_yp_passwd = opt_shell = opt_fullname = 1;
+	if (strstr(argv[0], (prog_name = "ypchsh"))) opt_shell = 1;
+	if (strstr(argv[0], (prog_name = "ypchfn"))) opt_fullname = 1;
+	if (strstr(argv[0], (prog_name = "yppasswd"))) use_yp_passwd = 1;
+#endif
+
 	while ((ch = getopt(argc, argv, OPTIONS)) != EOF) {
 		switch (ch) {
 		case 'l':		/* change local password file */
@@ -90,7 +137,17 @@ main(argc, argv)
 			uflag = optarg;
 			break;
 #endif /* KERBEROS */
-
+#ifdef	YP
+		case 'y':			/* Change NIS password */
+			use_yp_passwd = 1;
+			break;
+		case 's':			/* Change NIS shell field */
+			opt_shell = 1;
+			break;
+		case 'f':			/* Change NIS GECOS field */
+			opt_fullname = 1;
+			break;
+#endif
 		default:
 		case '?':
 			usage();
@@ -113,6 +170,34 @@ main(argc, argv)
 		usage();
 	}
 
+#ifdef YP
+	/*
+	 * If the user isn't in the local database file, he must
+	 * be in the NIS database.
+	 */
+#ifdef KERBEROS
+	if (!use_yp_passwd && !opt_shell && !opt_fullname &&
+		iflag == NULL && rflag == NULL && uflag == NULL) {
+#else
+	if (!use_yp_passwd && !opt_shell && !opt_fullname) {
+#endif
+		if ((dbp = dbopen(_PATH_MP_DB, O_RDONLY, PERM_SECURE,
+				DB_HASH, &openinfo)) == NULL)
+			errx(1, "error opening database: %s.", _PATH_MP_DB);
+
+		bf[0] = _PW_KEYBYNAME;
+		bcopy(uname, bf + 1, MIN(strlen(uname), UT_NAMESIZE));
+		key.data = (u_char *)bf;
+		key.size = strlen(uname) + 1;
+		if ((dbp->get)(dbp,&key,&data,0))
+			use_yp_passwd = 1;
+		(dbp->close)(dbp);
+	}
+
+	if (!use_local_passwd && (use_yp_passwd || opt_shell || opt_fullname))
+		exit(yp_passwd(uname));
+#endif
+
 	if (!use_local_passwd) {
 #ifdef	KERBEROS
 		if(krb_get_lrealm(realm, 0) == KSUCCESS) {
@@ -121,6 +206,10 @@ main(argc, argv)
 		}
 #endif
 	}
+#ifdef YP
+	if (use_local_passwd && use_yp_passwd)
+		errx(1,"unknown local user: %s.",uname);
+#endif
 	exit(local_passwd(uname));
 }
 
@@ -128,11 +217,22 @@ void
 usage()
 {
 
+#ifdef	YP
+#ifdef	KERBEROS
+	fprintf(stderr,
+	 "usage: passwd [-l] [-i instance] [-r realm] [-u fullname]\n");
+	fprintf(stderr,
+	"        [-l] [-y] [-f] [-s] [user]\n");
+#else
+	(void)fprintf(stderr, "usage: passwd [-y] [-f] [-s] [user] \n");
+#endif
+#else
 #ifdef	KERBEROS
 	fprintf(stderr,
 	 "usage: passwd [-l] [-i instance] [-r realm] [-u fullname] [user]\n");
 #else
 	(void)fprintf(stderr, "usage: passwd user\n");
+#endif
 #endif
 	exit(1);
 }

usr.bin/passwd/yp_passwd.c

@@ -0,0 +1,359 @@
+/*
+ * Copyright (c) 1992/3 Theo de Raadt <deraadt@fsa.ca>
+ * Copyright (c) 1994 Olaf Kirch <okir@monad.swb.de>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+#include <time.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <errno.h>
+#include <unistd.h>
+#include <limits.h>
+#include <rpc/rpc.h>
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+#include <rpcsvc/yppasswd.h>
+
+extern int    use_yp_passwd, opt_fullname, opt_shell;
+extern char *prog_name;
+uid_t	uid;
+
+static unsigned char itoa64[] =		/* 0 ... 63 => ascii - 64 */
+"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+void to64(char *, long int, int);
+char *getnewyppasswd(struct passwd *);
+
+void
+to64(char *s, long int v, int n)
+{
+  while (--n >= 0)
+    {
+      *s++ = itoa64[v&0x3f];
+      v >>= 6;
+    }
+}
+
+char *
+getnewyppasswd(register struct passwd *pw)
+{
+  char *buf;
+  char salt[9], *p=NULL;
+  int tries = 0;
+  
+  buf = (char *) malloc(30);
+  
+  printf("Changing YP password for %s.\n", pw->pw_name);
+  
+  buf[0] = '\0';
+  while(1) {
+    p = getpass("Please enter new password:");
+    if(*p == '\0') {
+        printf("Password unchanged.\n");
+        return NULL;
+    }
+#ifndef DEBUG
+    if (strlen(p) <= 5 && (uid != 0 || ++tries < 2)) {
+        printf("Please enter a longer password.\n");
+        continue;
+    }
+#endif
+    strcpy(buf, p);
+    p = getpass("Please retype new password:");
+    if( strcmp(buf, p) == 0) {
+        break;
+    } else {
+        printf("Mismatch - password unchanged.\n");
+        return NULL;
+    }
+  }
+  
+  /* grab a random printable character that isn't a colon */
+  srandom((int)time((time_t *)NULL));
+  to64(&salt[0], random(), 2);
+  return strdup(crypt(buf, salt));
+}
+
+char *
+getfield(char *gecos, char *field, int size)
+{
+    char *sp;
+
+    for (sp = gecos; *sp != '\0' && *sp != ','; sp++);
+    if (*sp != '\0') {
+    	*sp++ = '\0';
+    }
+    strncpy (field, gecos, size-1);
+    field[size-1] = '\0';
+    return sp;
+}
+
+int
+newfield(char *prompt, char *deflt, char *field, int size)
+{
+    char	*sp;
+
+    if (deflt == NULL) {
+        deflt = "none";
+    }
+
+    printf("%s [%s]: ", prompt, deflt);
+    fflush(stdout);
+    if (fgets(field, size, stdin) == NULL) {
+    	return 1;
+    }
+
+    if ((sp = strchr(field, '\n')) != NULL) {
+    	*sp = '\0';
+    }
+
+    if (!strcmp(field, "")) {
+    	strcpy(field, deflt);
+    }
+    if (!strcmp(field, "none")) {
+    	strcpy(field, "");
+    }
+
+    if (strchr(field, ':') != NULL) {
+    	fprintf(stderr, "%s: no colons allowed in GECOS field... sorry.\n",
+    				prog_name);
+    	return 1;
+    }
+    return 0;
+}
+
+char *
+getnewfullname(struct passwd *pw)
+{
+    char	gecos[1024], *sp, new_gecos[1024];
+    char	name[254], location[254], office[254], phone[254];
+
+    printf ("\nChanging full name for %s.\n"
+    	    "To accept the default, simply press return. To enter an empty\n"
+    	    "field, type the word \"none\".\n",
+    	    pw->pw_name);
+
+    strncpy (gecos, pw->pw_gecos, sizeof(gecos));
+    sp = getfield(gecos, name, sizeof(name));
+    if (newfield("Name", strtok(gecos, ","), name, sizeof(name))) {
+    	return NULL;
+    }
+    sp = getfield(sp, location, sizeof(location));
+    if (newfield("Location", location, location, sizeof(location))) {
+    	return NULL;
+    }
+    sp = getfield(sp, office, sizeof(office));
+    if (newfield("Office Phone", office, office, sizeof(office))) {
+    	return NULL;
+    }
+    sp = getfield(sp, phone, sizeof(phone));
+    if (newfield("Home Phone", phone, phone, sizeof(phone))) {
+    	return NULL;
+    }
+    sprintf (new_gecos, "%s,%s,%s,%s", name, location, office, phone);
+
+    sp = new_gecos + strlen(new_gecos);
+    while (*--sp == ',') *sp = '\0';
+
+    return strdup(new_gecos);
+}
+
+char *
+getnewshell(struct passwd *pw)
+{
+    char    new_shell[PATH_MAX];
+
+    printf ("\nChanging login shell for %s.\n"
+    	    "To accept the default, simply press return. To use the\n"
+    	    "system's default shell, type the word \"none\".\n",
+    	    pw->pw_name);
+
+    if (newfield("Login shell", pw->pw_shell, new_shell, sizeof(new_shell))) {
+        return NULL;
+    }
+    return strdup(new_shell);
+}
+
+char *
+getserver( void )
+{
+  char  *domainname, *master;
+  int 	port, err;
+  int getrpcport();
+
+  if ((err = yp_get_default_domain(&domainname)) != 0) {
+      fprintf(stderr, "%s: can't get local yp domain: %s\n",
+              				prog_name, yperr_string(err));
+      return NULL;
+  }
+  
+  if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) {
+      fprintf(stderr, "%s: can't find the master ypserver: %s\n",
+              				prog_name, yperr_string(err));
+      return NULL;
+  }
+  port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP);
+  if (port==0) {
+      fprintf (stderr, "%s: yppasswdd not running on NIS master host\n",
+					prog_name);
+      return NULL;
+  }
+  if (port >= IPPORT_RESERVED) {
+      fprintf (stderr, "%s: yppasswd daemon running on illegal port.\n",
+					prog_name);
+      return NULL;
+  }
+  return master;
+}
+
+int
+yp_passwd(char *user)
+{
+  struct timeval timeout;
+  struct yppasswd yppasswd;
+  struct passwd *pw;
+  CLIENT *clnt;
+  char   *master;
+  char   *what;
+  int    c, err, status;
+  char   *s;
+
+  if (use_yp_passwd + opt_fullname + opt_shell == 0)
+      use_yp_passwd = 1;	/* default to yppasswd behavior */
+
+  if ((master = getserver()) == NULL) {
+      exit(1);
+  }
+  
+  /* Obtain the passwd struct for the user whose password is to be changed.
+   */
+  uid = getuid();
+  if (user == NULL) {
+      if ((pw = getpwuid(uid)) == NULL) {
+          fprintf ( stderr, "%s: unknown user (uid=%d).\n",
+		prog_name, (int)uid );
+          exit(1);
+      }
+  } else {
+      if ((pw = getpwnam(user)) == NULL) {
+          fprintf ( stderr, "%s: unknown user: %s.\n", prog_name, user );
+          exit(1);
+      }
+      if (pw->pw_uid != uid && uid != 0) {
+          fprintf ( stderr, "%s: Only root may change account information "
+          		    "for others\n", prog_name );
+          exit(1);
+      }
+  }
+
+  /* Initialize password information */
+  yppasswd.newpw.pw_passwd = pw->pw_passwd;
+  yppasswd.newpw.pw_name = pw->pw_name;
+  yppasswd.newpw.pw_uid = pw->pw_uid;
+  yppasswd.newpw.pw_gid = pw->pw_gid;
+  yppasswd.newpw.pw_gecos = pw->pw_gecos;
+  yppasswd.newpw.pw_dir = pw->pw_dir;
+  yppasswd.newpw.pw_shell = pw->pw_shell;
+  yppasswd.oldpass = NULL;
+  
+  switch (use_yp_passwd + (opt_fullname << 1) + (opt_shell << 2)) {
+  case 1:
+      what = "YP password";
+      break;
+  case 2:
+      what = "fullname";
+      break;
+  case 4:
+      what = "login shell";
+      break;
+  default:
+      what = "account information";
+  }
+  printf("Changing %s for %s on %s.\n",  what, pw->pw_name, master);
+
+  /* Get old password */
+  if(pw->pw_passwd) {
+    char prompt[40];
+
+    sprintf (prompt, "Please enter %spassword:", use_yp_passwd? "old " : "");
+    s = getpass (prompt);
+    if( strcmp(crypt(s, pw->pw_passwd), pw->pw_passwd)) {
+        fprintf(stderr, "Sorry.\n");
+        exit (1);
+    }
+    yppasswd.oldpass = strdup(s);
+  }
+
+  if (use_yp_passwd) {
+      if ((s = getnewyppasswd(pw)) == NULL) 
+      	  exit (1);
+      yppasswd.newpw.pw_passwd = s;
+  }
+  if (opt_fullname) {
+      if ((s = getnewfullname(pw)) == NULL) 
+      	  exit (1);
+      yppasswd.newpw.pw_gecos = s;
+  }
+  if (opt_shell) {
+      if ((s = getnewshell(pw)) == NULL) 
+      	  exit (1);
+      yppasswd.newpw.pw_shell = s;
+  }
+  
+  /* The yppasswd.x file said `unix authentication required',
+   * so I added it. This is the only reason it is in here.
+   * My yppasswdd doesn't use it, but maybe some others out there
+   * do. 					--okir
+   */
+  clnt = clnt_create( master, YPPASSWDPROG, YPPASSWDVERS, "udp" );
+  clnt->cl_auth = authunix_create_default();
+  bzero( (char*)&status, sizeof(status) );
+  timeout.tv_sec = 25; timeout.tv_usec = 0;
+  err = clnt_call( clnt, YPPASSWDPROC_UPDATE,
+  		 xdr_yppasswd, (char*)&yppasswd,
+  		 xdr_int,      (char*)&status,
+  		 &timeout );
+
+  if (err) {
+      clnt_perrno(err);
+      fprintf( stderr, "\n" );
+  } else if (status) {
+      fprintf( stderr, "Error while changing %s.\n", what );
+  }
+
+  printf("\nThe %s has%s been changed on %s.\n", 
+  		what, (err || status)? " not" : "", master);
+
+  auth_destroy( clnt->cl_auth );
+  clnt_destroy( clnt );
+  exit ((err || status) != 0);
+}

usr.bin/passwd/yppasswd.1

@@ -0,0 +1,128 @@
+.\"
+.\" Manpage Copyright 1994 Olaf Kirch, <okir@monad.swb.de>
+.\"
+.TH YPPASSWD 1 "18 December 1994" "" ""
+.SH NAME
+yppasswd, ypchfn, ypchsh \- NIS password update clients
+.SH SYNOPSIS
+.B "yppasswd [-l] [-f] [-p] [user]"
+.br
+.B "ypchfn [-l] [-f] [-p] [user]"
+.br
+.B "ypchsh [-l] [-f] [-p] [user]"
+.SH DESCRIPTION
+When distributing your users' passwords over NIS (a.k.a. YP), the standard
+\fBpasswd\fP, \fBchfn\fP and \fBchsh\fP utilities cannot be used anymore to
+let a user change her password, because they only modify the password file
+on the local host.  They are usually replaced by their YP counterparts,
+\fByppasswd\fP, \fBypchfn\fP and \fBypchsh\fP.
+.P
+These commands are in fact the very same program, linked to different names.
+Using the command line switches, you can choose whether to update your
+password (\fB-p\fP), your login shell (\fB-l\fP), or your GECOS field
+information (\fB-f\fP), or a combination of them. \fByppasswd\fP implies
+the \fB-p\fP option, \fBypchfn\fP the \fB-f\fP option, and so on.
+.P
+When invoked without the \fIuser\fP argument, the account information for
+the invoking user will be updated, otherwise that of \fIuser\fP will be
+updated.  This option is only available to the superuser.
+.P
+All tools will first prompt the user for the current NIS password needed
+for authentication with the \fByppasswdd\fP daemon. Subsequently, the
+program prompts for the updated information:
+.\"
+.\"
+.IP "\fByppasswd\fP or \fB-p\fP
+Change the user's NIS password. The user is prompted for the new password.
+While typing the password, echoing is turned off, so the password does not
+appear on the screen. An empty password is rejected, as are passwords shorter
+than six characters. The user will then be requested to retype the
+password to make sure it wasn't misspelled the first time.
+.\"
+.\"
+.IP "\fBypchsh\fP or \fB-l\fP
+Change the user's login shell. The user is prompted for a new shell,
+offering the old one as default:
+.IP
+.in +2n
+.ft B
+.nf
+Login shell [/bin/bash]: _
+.fi
+.ft
+.in
+.IP
+To accept the default, simply press return. To clear the shell field in
+your \fBpasswd\fP file entry (so that the system's default shell is selected),
+enter the string \fInone\fP.
+.\"
+.\"
+.IP "\fBypchfn\fP or \fB-f\fP
+Change the user's full name and related information. Traditionally, some
+applications expect the GECOS field (field 4) of the \fBpasswd\fP file to
+contain the user's real name (as opposed to the login name) plus some
+additional information like the office phone number. This information is
+displayed by \fBfinger(1)\fP and probably some other tools, too.
+.IP
+When setting the full name, \fBypchfn\fP displays the following prompts,
+with the defaults in brackets:
+.IP
+.in +2n
+.ft B
+.nf
+Name [Joe Doe]: 
+Location [2nd floor, bldg 34]:
+Office Phone [12345]:
+Home Phone []:
+.fi
+.ft
+.in
+.IP
+To accept a default, simply press return. To clear a field, enter the string
+\fInone\fP.
+.SH INSTALLATION
+\fByppasswd\fP and friends are usually installed over the existing, non-NIS
+versions of these programs by renaming the old programs, and linking the new
+ones to the `normal' names. In this way, users can continue to use
+\fBpasswd\fP without having to meditate on the nature of NIS. For instance,
+\fByppasswd\fP could be substituted for \fBpasswd\fP with the following
+sequence of commands:
+.P
+.in +2n
+.ft B
+.nf
+# cd /bin
+# mv passwd passwd.old
+# chmod go-rwx passwd.old
+# ln yppasswd passwd
+.fi
+.ft R 
+.in
+.P
+In this way, the superuser can still use \fBpasswd.old\fP to update the
+local passwords of users not in the NIS \fBpasswd.*\fP maps. Usually, the
+user information for critical accounts such as \fBroot\fP are kept
+in the local \fBpasswd\fP file.
+.SH LICENSE
+This program is a heavily beefed-up version of Theo de Raadt's \fByppasswd\fP
+client, which is covered by the BSD license.  Therefore, the BSD license
+applies to this program as well.
+.SH FILES
+\fB/bin/yppasswd\fP
+.br
+\fB/bin/passwd\fP
+.br
+\fB/bin/ypchfn\fP
+.br
+\fB/bin/ypchsh\fP
+.SH SEE ALSO
+.BR finger(1) ,
+.BR passwd(5) ,
+.BR passwd(1) ,
+.BR ypchfn(1) ,
+.BR ypchsh(1) ,
+.BR yppasswdd(8) .
+.SH AUTHOR
+Theo de Raadt <deraadt@fsa.ca> (original client)
+.br
+Olaf Kirch <okir@monad.swb.de> (heavy modifications and manpages)