13. Changing passwords with rpasswd
The standard way to change a NIS password is to call
yppasswd, on some systems this is only
an alias for passwd. This commands uses
the yppasswd protocol and needs a running
rpc.yppasswdd process on the NIS master
server. The protocol has the disadvantage, that the old
password will be send in clear text over the network.
This is not so problematic, if the password change was
successfull. In this case, the old password is replaced
with the new one. But if the password change fails, an attacker
can use the clear password to login as this user.
Even more worse: If the system administrator changes the
NIS password for another user, the root password of the NIS
master server is transfered in clear text over the network.
And this one will not be changed.
One solution is to not use yppasswd for changing the password.
Instead, a good alternative is the rpasswd
command from the pwdutils package.
Site Directory File Name
ftp.kernel.org /pub/linux/utils/net/NIS pwdutils-2.3.tar.gz
ftp.suse.com /pub/people/kukuk/pam/pam_pwcheck pam_pwcheck-2.2.tar.bz2
ftp.suse.com /pub/people/kukuk/pam/pam_unix2 pam_unix2-1.16.tar.bz2 |
rpasswd changes passwords for user accounts on
a remote server over a secure SSL connection. A normal user may
only change the password for their own account, if the user knows
the password of the administrator account (in the moment this is
the root password on the server), he may change the password for
any account if he calls rpasswd with the -a option.
13.1. Server Configuration
For the server you need at first certificate, the default filename
for this is /etc/rpasswdd.pem. The file can be
created with the following command:
openssl req -new -x509 -nodes -days 730 -out /etc/rpasswdd.pem -keyout /etc/rpasswdd.pem |
A PAM configuration file for rpasswdd is needed,
too. If the NIS accounts are stored in /etc/passwd,
the following is a good starting point for a working configuration:
#%PAM-1.0
auth required pam_unix2.so
account required pam_unix2.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
password required pam_make.so /var/yp
session required pam_unix2.so |
If sources for the NIS password maps are stored in another
location (for example in /etc/yp), the nisdir
option of pam_unix2 can be used to find the source files in another place:
#%PAM-1.0
auth required pam_unix2.so
account required pam_unix2.so
password required pam_pwcheck.so nisdir=/etc/yp
password required pam_unix2.so nisdir=/etc/yp use_first_pass use_authtok
password required pam_make.so /var/yp
session required pam_unix2.so |
Now start the rpasswdd daemon on the NIS master server.
Since the password change is done with PAM modules,
rpasswdd is also able to allow password changes
for NIS+, LDAP or other services supported by a PAM module.
13.2. Client Configuration
On every client only the configuration file
/etc/rpasswd.conf which contains the name
of the server is neded. If the server does not run on the default
port, the correct port can alse be mentioned here:
# rpasswdd runs on master.example.com
server master.example.com
# Port 774 is the default port
port 774 |