
yppasswd-0.6
------------

This is release 0.6 of my yppasswd package.

I wrote the daemon entirely from scratch as a small exercise in playing
with RPC:-) It works okay for me, but please check it out with DEBUG
enabled before you put it in a real-life situation. Losing a password file
is a nasty thing.  The client is from Theo de Raadt's NIS package for
NetBSD (ported to Linux by Swen Thuemmler).  I hacked it up to support
chsh(1) and chfn(1) functionality, fixed a bug, and added AUTH_UNIX style
authentication (for what it's worth).

Since version 0.5, there's also support for shadow passwords, thanks
to Charles Lopez <tjarls@infm.ulst.ac.uk>.

I have only tested the daemon with NYS - I don't have a working set of
old-style YP binaries at the moment.  However, people have reported
that it works flawlessly with the old NIS functions from BSD.

SECURITY NOTICE:
----------------

All versions of yppasswdd prior to 0.5 had a major security hole in them.
This has been fixed in 0.5. If you are running any older version, please
upgrade ASAP.

Also note that the old BSD-derived portmapper has a couple of gaping
security holes. If you want to keep your users from tampering with your
machine, I strongly suggest installing Wietse Venema's portmap_3. It
is available from

	ftp://ftp.win.tue.nl/pub/security

Binary distributions have been made available for Linux and can be
obtained from

	ftp://sunsite.unc.edu/pub/Linux/network/daemons


BUILDING yppasswdd
------------------

When building the yppasswd server and client, there are a couple of
compile-time options that affect the program's functionality.

  shadow support
	You can compile the yppasswdd to support J.F. Haugh's shadow
	password library. Note that this _only_ compiles in the necessary
	functions; to actually turn it on at run-time, you have to invoke
	the server with the -s switch.

	If you want shadow support, you have to enable the two make
	variables SPWDEF and SPWLIB. Note that you'll get a couple of
	warnings when enabling this, because the daemon uses some functions
	that are not declared in the public header file spw.h.  Also note
	that although there are some light-weight shadow libraries on the
	net in order to avoid the non-commercial use copyright on the
	original package, I can't vouch for them. If you find one that
	works for you, let me know. I only checked it against the
	official shadow-3.2.2 distribution.

  NYS support
	If you want to use NYS instead of the standard BSD-derived NIS
	code in the Linux libc, enable the NYSLIB and NYSDEF make
	variables. The latter is there for symmetry reasons only and 
	doesn't do anything useful.

  chsh/chfn support
	If you want to allow users to change their GECOS and shell entries
	in the server password file, enable the CHFN and/or CHSH variables.
	Note that this check happens in the server, not in the clients. 
	Thus, your users can even recompile their own ypchfn and ypchsh
	clients but still won't be able to change those passwd fields.

  testing
	To test yppasswdd, compile it with the DEBUG option. The daemon
	will then leave the passwd file in /etc alone, and use /tmp/passwd
	instead.


Updating the maps
-----------------

The server currently relies on Makefiles residing in the /var/yp/<domain>
directories to rebuild the passwd maps. After updating /etc/passwd, the
daemon returns a success notification to the client, and forks off a child
that invokes /usr/lib/yp/pwupdate. This script or program should rebuild
all NIS maps that depend on the password information in /etc/passwd. It
should certainly use a reasonable locking mechanism to prevent concurrent
update access to the NIS maps. A sample script is provided, and should
work with the Makefile that comes with NYS.
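
One way to serialize the map rebuild, as an added example (this is not the
sample script shipped with the package). The variable names, the lock
directory path and the default "make" rebuild command are assumptions.

```shell
#!/bin/sh
# Added example, not the sample script shipped with yppasswd.
# Assumed names: YPDIR, LOCKDIR, REBUILD, MAX_WAIT and the lock path.
YPDIR=${YPDIR:-/var/yp}
LOCKDIR=${LOCKDIR:-$YPDIR/.pwupdate.lock}
REBUILD=${REBUILD:-make}        # assumed: default target rebuilds passwd maps
MAX_WAIT=${MAX_WAIT:-30}        # seconds to wait for a concurrent update

# mkdir is atomic: of several concurrent callers, exactly one succeeds.
acquire_lock() {
    waited=0
    while ! mkdir "$LOCKDIR" 2>/dev/null; do
        # mkdir failed for a reason other than contention: fail at once.
        [ -d "$LOCKDIR" ] || return 1
        [ "$waited" -lt "$MAX_WAIT" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    echo "$$" > "$LOCKDIR/pid"  # for the admin's benefit only
}

release_lock() {
    rm -f "$LOCKDIR/pid"
    rmdir "$LOCKDIR"
}

# Run the rebuild command in every domain directory that has a Makefile.
rebuild_maps() {
    status=0
    for mk in "$YPDIR"/*/Makefile; do
        [ -f "$mk" ] || continue
        ( cd "${mk%/Makefile}" && $REBUILD ) || status=1
    done
    return "$status"
}

pwupdate() {
    acquire_lock || { echo "pwupdate: maps are locked, giving up" >&2; return 1; }
    trap 'release_lock; exit 1' HUP INT TERM
    rc=0
    rebuild_maps || rc=$?
    trap - HUP INT TERM
    release_lock
    return "$rc"
}

# Run only when installed under the name pwupdate; sourcing defines functions.
case "${0##*/}" in pwupdate) pwupdate ;; esac
```

A lock left behind by a run that was killed with SIGKILL has to be removed
by hand; the pid file shows which process created it.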


Copyright
---------

The yppasswdd server is covered by the GNU GPL version 2. The yppasswd
client is covered by Theo de Raadt's original license, to be found in
yppasswd.c.


Olaf Kirch, <okir@monad.swb.de>
February 1995
