yppasswd-0.8
-------------

This is release 0.8 of my yppasswd package. I wrote the daemon entirely
from scratch as a small exercise in playing with RPC :-) It works okay
for me, but please check it out with DEBUG enabled before you put it in
a real-life situation. Losing a password file is a nasty thing.

The client is from Theo de Raadt's NIS package for NetBSD (ported to
Linux by Swen Thuemmler). I hacked it up to support chsh(1) and chfn(1)
functionality, fixed a bug, and added AUTH_UNIX style authentication
(for what it's worth). Since version 0.5, there's also support for
shadow passwords, thanks to Charles Lopez.

The client works with both NYS and the old-style NIS functions from BSD.

SECURITY NOTICE:
----------------

All versions of yppasswdd prior to 0.7 had a major security hole in
them. This has been fixed in 0.7. If you are running any older version,
please upgrade ASAP.

Also note that the old BSD-derived portmapper has a couple of gaping
security holes. If you want to keep your users from tampering with your
machine, I strongly suggest installing Wietse Venema's portmap_3. It is
available from

    ftp://ftp.win.tue.nl/pub/security

Binary distributions have been made available for Linux and can be
obtained from

    ftp://sunsite.unc.edu/pub/Linux/network/daemons

BUILDING yppasswdd
------------------

When building the yppasswd server and client, there are a couple of
compile-time options that affect the program's functionality.

shadow support

    You can compile yppasswdd to support J.F. Haugh's shadow password
    library. Note that this _only_ compiles in the necessary functions;
    to actually turn it on at run-time, you have to invoke the server
    with the -s switch.

    If you want shadow support, you have to enable the two make
    variables SPWDEF and SPWLIB. Note that you'll get a couple of
    warnings when enabling this, because the daemon uses some functions
    that are not declared in the public header file spw.h.

    Also note that although there are some light-weight shadow libraries
    on the net that exist to avoid the non-commercial-use copyright on
    the original package, I can't vouch for them. If you find one that
    works for you, let me know. I only checked it against the official
    shadow-3.2.2 distribution.

NYS support

    If you want to use NYS instead of the standard BSD-derived NIS code
    in the Linux libc, enable the NYSLIB and NYSDEF make variables. The
    latter is there for symmetry reasons only and doesn't do anything
    useful at the moment.

chsh/chfn support

    Starting from release 0.7b, user access to the GECOS and shell
    fields can be configured at run time. yppasswdd now takes switches
    `-e chfn' and `-e chsh' which make it honor requests from ypchsh and
    ypchfn. Otherwise, these requests are ignored.

testing

    To test yppasswdd, compile it with the DEBUG option. The daemon will
    then leave the passwd file in /etc alone, and use /tmp/passwd
    instead.

Updating the maps
-----------------

After updating /etc/passwd, the daemon returns a success notification to
the client, and forks off a child that invokes /usr/lib/yp/pwupdate.
This script or program should rebuild all NIS maps that depend on the
password information in /etc/passwd. It should certainly use a
reasonable locking mechanism to prevent concurrent update access to the
NIS maps.

A sample script is provided, and should work with the Makefile that
comes with NYS.

The pwupdate script currently relies on a global Makefile residing in
/var/yp, which is referenced with -f ../Makefile from within the
/var/yp/ directories. This seems to be in accordance with the current
practice in ypserv and various Linux distributions.

Copyright
---------

The yppasswdd server is covered by the GNU GPL version 2. The yppasswd
client is covered by Theo de Raadt's original license, to be found in
yppasswd.c.

Olaf Kirch, 1 November 1995
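
The locking that "Updating the maps" asks of pwupdate can be done with an
atomic mkdir lock. The script below is an added example, not the sample
script shipped with this package; the lock path, the use of domainname(1)
to find the domain directory, the default make target and all function
names are assumptions.

```shell
#!/bin/sh
# Added example, not the pwupdate script shipped with yppasswd.
# Serialises map rebuilds with an atomic mkdir lock, so two children
# forked by yppasswdd never rebuild the NIS maps at the same time.

YPDIR=${YPDIR:-/var/yp}                     # directory named in the README
# Assumed lock path. Keeping it in a root-owned directory (not /tmp)
# stops unprivileged users from pre-creating it and blocking updates.
LOCKDIR=${LOCKDIR:-$YPDIR/.pwupdate.lock}

# acquire_lock DIR TRIES: 0 once we created DIR, 1 after TRIES attempts.
acquire_lock() {
    _dir=$1 _tries=$2
    while ! mkdir "$_dir" 2>/dev/null; do   # mkdir is atomic: one winner
        _tries=$((_tries - 1))
        if [ "$_tries" -le 0 ]; then return 1; fi
        sleep 1
    done
    echo "$$" > "$_dir/pid"                 # diagnostic aid for stale locks
}

# run_locked DIR TRIES CMD...: run CMD while holding the lock.
# Returns CMD's exit status, or 75 if the lock could not be obtained.
run_locked() {
    _lock=$1 _max=$2
    shift 2
    acquire_lock "$_lock" "$_max" || return 75
    trap 'rm -rf "$_lock"; exit 1' HUP INT TERM
    _rc=0
    "$@" || _rc=$?
    rm -rf "$_lock"
    trap - HUP INT TERM
    return "$_rc"
}

# rebuild_maps: assumes the domain directory is $YPDIR/$(domainname) and
# that the default target of ../Makefile rebuilds the passwd maps.
rebuild_maps() {
    cd "$YPDIR/$(domainname)" && make -f ../Makefile
}

# Only act when installed under the name the daemon invokes.
if [ "${0##*/}" = pwupdate ]; then
    run_locked "$LOCKDIR" 30 rebuild_maps
    exit $?
fi
```

A lock left behind by a killed rebuild makes later runs time out with
status 75 until it is removed; the pid file shows which process created it.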