cf7979fba5
changes and new options. (more new man pages and an NIS tutorial to follow)
196 lines
6.1 KiB
Groff
.\"
.\" Copyright 1994 Olaf Kirch, <okir@monad.swb.de>
.\"
.\" This program is covered by the GNU General Public License, version 2.
.\" It is provided in the hope that it is useful. However, the author
.\" disclaims ALL WARRANTIES, expressed or implied. See the GPL for details.
.\"
.Dd 12 December 1994
.Dt YPPASSWDD 8
.Sh NAME
.Nm yppasswdd
.Nd NIS password database update server
.Sh SYNOPSIS
.Nm yppasswdd
.Op Fl m Ar master password file
.Op Fl s
.Op Fl f
.Op Fl v
.Op Fl h
.Sh DESCRIPTION
.Nm yppasswdd
is the RPC server that lets users change their passwords
in the presence of NIS (a.k.a. YP). It must be run on the NIS master
server for that NIS domain.
.Pp
When a
.Xr yppasswd 1
client contacts the server, it sends the old user
password along with the new one.
.Nm yppasswdd
will search the system's
NIS password database file for the specified user name, verify that the
given (old) password matches, and update the entry. If the user
specified does not exist, or if the password, UID or GID doesn't match
the information in the password file, the update request is rejected,
and an error is returned to the client.
.Pp
After updating the
.Nm master.passwd
file and returning a success
notification to the client,
.Nm yppasswdd
executes the
.Nm yppwupdate
script that updates the NIS server's
.Nm master.passwd.*
and
.Nm passwd.*
maps. This script invokes
.Nm /var/yp/Makefile
to rebuild the NIS password maps (and propagate them to NIS slave
servers if there are any in the domain).
.Sh OPTIONS
The following options are available with
.Nm yppasswdd :
.Bl -tag -width Ds
.It Fl m Ar master password file
The
.Nm yppasswdd
server needs to know the location of the
master.passwd file that is to be used to generate updated NIS
password maps. This file is normally kept in
.Nm /var/yp
(it must be owned by root and not world readable for security reasons).
If you move it somewhere else you'll have to tell yppasswdd using the
.Fl m
option. (You'll have to change the location of master.passwd specified in
.Nm /var/yp/Makefile
as well.) When the server is ready to change
a password database entry, it will modify master.passwd, then
call the yppwupdate script, which will in turn call
.Nm /var/yp/Makefile .
.Pp
Without the
.Fl m
option,
.Nm yppasswdd
expects to use the local
.Nm /etc/master.passwd
file on the NIS master server as the source for
regenerating the password maps (the server will rebuild the local
password databases in this case as well).
.Pp
This is less secure than
using a separate password database to restrict access to the NIS
master server, but the functionality is provided in the event this
behavior is desired and security is not paramount (such as might be
the case on a closed local network of trusted systems).
Note that you will have to edit
.Nm /var/yp/Makefile
to use
.Nm /etc/master.passwd
instead of
.Nm /var/yp/master.passwd
if you want to use yppasswdd in this way.
.It Fl s
When invoked with the
.Fl s
flag,
.Nm yppasswdd
will allow users to change
the shell field of their NIS password entry. Without it,
.Xr yppasswd 1
will
appear to succeed when a user tries to change shells, but yppasswdd
will not actually alter the password database.
.It Fl f
This flag works just like
.Fl s ,
except it applies to the GECOS or
"fullname" field of a user's NIS password entry instead of the shell field.
Some sites may wish to restrict users' ability to change their shells or
full names for security or administrative reasons, which is why these two
options are provided.
.El
.Sh MISCELLANEOUS
.Ss Logging
.Nm yppasswdd
logs all password update requests to the
.Xr syslogd 8
auth facility. The logging information includes the originating host's
IP address and the user name and UID contained in the request. The
user-supplied password itself is not logged.
.Ss Security
Unless I've screwed up completely (as I did with versions prior to
version 0.5),
.Nm yppasswdd
should be as secure or insecure as any
program relying on simple password authentication. If you feel that
this is not enough, you may want to protect
.Nm yppasswdd
from outside
access by using the 'securenets' feature of
.Xr portmap 8
version 3. Better still, use Kerberos.
.Sh NOTES
.Ss FreeBSD changes
Unlike the original
.Nm yppasswdd ,
the FreeBSD version has no support for
John F. Haugh II's shadow password suite. It doesn't need it: 4.4BSD's
password database system already implements shadow passwords.
.Ss Using the yppasswdd server with non-FreeBSD clients
FreeBSD's
.Nm yppasswdd
should work equally well with non-FreeBSD client machines provided a
few small changes are made to
.Nm /var/yp/Makefile .
FreeBSD's passwd.byname and passwd.byuid maps do not contain actual
encrypted passwords (just like FreeBSD's /etc/passwd file): the real
encrypted passwords are kept in master.passwd.byname and
master.passwd.byuid, which FreeBSD's NIS server will only serve to
the superuser on FreeBSD NIS clients (non-privileged users are not
permitted to access these maps). Non-FreeBSD clients will not function
properly in this situation, since they require the password fields in
the passwd.* maps to be valid.
.Pp
To use
.Nm yppasswdd
with non-FreeBSD clients, you will need to edit
.Nm /var/yp/Makefile
and uncomment the line that says 'UNSECURE=True' and run
.Xr make 1 .
This will cause
.Nm /var/yp/Makefile
to generate passwd.* maps with real passwords in them instead of
stripping them out as it does normally.
.Sh FILES
.Bl -tag -width /usr/libexec/yppwupdate -compact
.It Pa /usr/sbin/yppasswdd
The yppasswdd daemon
.It Pa /usr/libexec/yppwupdate
The NIS map update script
.It Pa /var/yp/master.passwd
NIS password map source file
.It Pa /etc/master.passwd
Raw local password database (only used when the
.Fl m
option isn't supplied)
.El
.Sh SEE ALSO
.Xr passwd 5 ,
.Xr passwd 1 ,
.Xr portmap 8 ,
.Xr pwunconv 8 ,
.Xr yppasswd 1 ,
.Xr ypchsh 1 ,
.Xr ypchfn 1 ,
.Xr ypserv 8 ,
.Xr ypcat 8 .
.Sh COPYRIGHT
.Nm yppasswdd
is copyright (C) Olaf Kirch. You can use and distribute it
under the GNU General Public License Version 2.
.Sh AUTHOR(S)
.br
Olaf Kirch, <okir@monad.swb.de>
.br
Charles Lopez, <tjarls@infm.ulst.ac.uk> (shadow support)
.br
Bill Paul, <wpaul@ctr.columbia.edu> (port to FreeBSD, various small changes)
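Added example (not part of the original man page or of yppasswdd): a shell audit of the two settings this page flags, namely that the master.passwd file given to -m is owned by root and not world readable, and whether the 'UNSECURE=True' line in /var/yp/Makefile has been uncommented. The function names and the exact spelling of the Makefile line matched by the regex are assumptions.

```sh
#!/bin/sh
# Added example, not part of yppasswdd. Function names are hypothetical.

# audit_master_passwd FILE [UID]: 0 if FILE is owned by UID (default 0,
# root) and not world readable, 1 on a finding, 2 if FILE is missing.
audit_master_passwd() {
    file=$1
    want_uid=${2:-0}
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }
    # ls -ln prints the mode string and the numeric owner (BSD and GNU).
    set -- $(ls -lnd "$file")
    mode=$1
    uid=$3
    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $file: owner uid $uid, expected $want_uid"
        rc=1
    fi
    case $mode in
        # Eighth character of the mode string is the "other" read bit.
        ???????r*) echo "FAIL $file: world readable ($mode)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK $file: uid $uid, mode $mode"
    return "$rc"
}

# audit_unsecure MAKEFILE: 0 if no uncommented UNSECURE=True line exists,
# 1 if one does (passwd.* maps then carry real passwords), 2 if missing.
# Assumption: the line is spelled as the man page quotes it, give or take
# whitespace and optional double quotes.
audit_unsecure() {
    mk=$1
    [ -f "$mk" ] || { echo "MISSING $mk"; return 2; }
    if grep -Eq '^[[:space:]]*UNSECURE[[:space:]]*=[[:space:]]*"?True' "$mk"; then
        echo "WARN $mk: UNSECURE=True is active"
        return 1
    fi
    echo "OK $mk: UNSECURE not enabled"
}

# Usage: sh audit.sh /var/yp/master.passwd /var/yp/Makefile
if [ "$#" -eq 2 ]; then
    status=0
    audit_master_passwd "$1" || status=1
    audit_unsecure "$2" || status=1
    exit "$status"
fi
```

A WARN from the second check is expected on a master that serves non-FreeBSD clients as described under NOTES; on any other master it means the passwd.* maps are exposing password fields to unprivileged users.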