/ Linux Reviews / System administration / The Linux NIS(YP) / NYS / NIS+ HOWTO - en

13. Changing passwords with rpasswd

The standard way to change a NIS password is to call yppasswd, on some systems this is only an alias for passwd. This commands uses the yppasswd protocol and needs a running rpc.yppasswdd process on the NIS master server. The protocol has the disadvantage, that the old password will be send in clear text over the network. This is not so problematic, if the password change was successfull. In this case, the old password is replaced with the new one. But if the password change fails, an attacker can use the clear password to login as this user. Even more worse: If the system administrator changes the NIS password for another user, the root password of the NIS master server is transfered in clear text over the network. And this one will not be changed.

One solution is to not use yppasswd for changing the password. Instead, a good alternative is the rpasswd command from the pwdutils package.

  Site            Directory                          File Name

  ftp.kernel.org  /pub/linux/utils/net/NIS           pwdutils-2.3.tar.gz
  ftp.suse.com    /pub/people/kukuk/pam/pam_pwcheck  pam_pwcheck-2.2.tar.bz2
  ftp.suse.com    /pub/people/kukuk/pam/pam_unix2    pam_unix2-1.16.tar.bz2

rpasswd changes passwords for user accounts on a remote server over a secure SSL connection. A normal user may only change the password for their own account, if the user knows the password of the administrator account (in the moment this is the root password on the server), he may change the password for any account if he calls rpasswd with the -a option.

13.1. Server Configuration

For the server you need at first certificate, the default filename for this is /etc/rpasswdd.pem. The file can be created with the following command:

openssl req -new -x509 -nodes -days 730 -out /etc/rpasswdd.pem -keyout /etc/rpasswdd.pem

A PAM configuration file for rpasswdd is needed, too. If the NIS accounts are stored in /etc/passwd, the following is a good starting point for a working configuration:

auth     required       pam_unix2.so
account  required       pam_unix2.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
password required       pam_make.so     /var/yp
session  required       pam_unix2.so

If sources for the NIS password maps are stored in another location (for example in /etc/yp), the nisdir option of pam_unix2 can be used to find the source files in another place:

auth     required       pam_unix2.so
account  required       pam_unix2.so
password required       pam_pwcheck.so  nisdir=/etc/yp
password required       pam_unix2.so    nisdir=/etc/yp use_first_pass use_authtok
password required       pam_make.so     /var/yp
session  required       pam_unix2.so

Now start the rpasswdd daemon on the NIS master server.

Since the password change is done with PAM modules, rpasswdd is also able to allow password changes for NIS+, LDAP or other services supported by a PAM module.

13.1. Client Configuration

On every client only the configuration file /etc/rpasswd.conf which contains the name of the server is neded. If the server does not run on the default port, the correct port can alse be mentioned here:

# rpasswdd runs on master.example.com
server master.example.com
# Port 774 is the default port
port 774

1. Common Problems and Troubleshooting NIS

Here are some common problems reported by various users:

  1. The libraries for 4.5.19 are broken. NIS won't work with it.

  2. If you upgrade the libraries from 4.5.19 to 4.5.24 then the su command breaks. You need to get the su command from the slackware 1.2.0 distribution. Incidentally that's where you can get the updated libraries.

  3. When a NIS server goes down and comes up again ypbind starts complaining with messages like:

        yp_match: clnt_call:
        RPC: Unable to receive; errno = Connection refused
    and logins are refused for those who are registered in the NIS database. Try to login as root and kill ypbind and start it up again. An update to ypbind 3.3 or higher should also help.

  4. After upgrading the libc to a version greater then 5.4.20, the YP tools will not work any longer. You need yp-tools 1.2 or later for libc >= 5.4.21 and glibc 2.x. For earlier libc version you need yp-clients 2.2. yp-tools 2.x should work for all libraries.

  5. In libc 5.4.21 - 5.4.35 yp_maplist is broken, you need 5.4.36 or later, or some YP programs like ypwhich will segfault.

  6. libc 5 with traditional NIS doesn't support shadow passwords over NIS. You need libc5 + NYS or glibc 2.x.

  7. ypcat shadow doesn't show the shadow map. This is correct, the name of the shadow map is shadow.byname, not shadow.

  8. Solaris doesn't use always privileged ports. So don't use password mangling if you have a Solaris client.

/ Linux Reviews / System administration / The Linux NIS(YP) / NYS / NIS+ HOWTO

Meet new people

Adult Dating