.\" SUCH DAMAGE.
.\"
.\" @(#)chpass.1 8.2 (Berkeley) 12/30/93
+.\" $Id$
.\"
.Dd December 30, 1993
.Dt CHPASS 1
.Os
.Sh NAME
-.Nm chpass
+.Nm chpass, chfn, chsh, ypchpass, ypchfn, ypchsh
.Nd add or change user database information
.Sh SYNOPSIS
-chpass
+.Nm chpass
.Op Fl a Ar list
.Op Fl p Ar encpass
.Op Fl s Ar newshell
Only the information that the user is allowed to change is displayed.
.Pp
The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width flag
.It Fl a
The super-user is allowed to directly supply a user database
entry, in the format specified by
update the user database itself.
Only the user, or the super-user, may edit the information associated
with the user.
+.Sh NIS INTERACTION
+.Nm Chpass
+can also be used in conjunction with NIS, however some restrictions
+apply.
+Currently,
+.Nm chpass
+can only make changes to the NIS passwd maps through
+.Xr rpc.yppasswdd 8 ,
+which normally only permits changes to a user's password, shell and GECOS
+fields. Except when invoked by the super-user on the NIS master server,
+.Nm chpass
+(and, similarly,
+.Xr passwd 1 )
+can not use the
+.Xr rpc.yppasswdd 8
+server to change other user information or
+add new records to the NIS passwd maps.
+Furthermore,
+.Xr rpc.yppasswdd 8
+requires password authentication before it will make any
+changes. The only user allowed to submit changes without supplying
+a password is the super-user on the NIS master server; all other users,
+including those with root privileges on NIS clients (and NIS slave
+servers) must enter a password.
+(The super-user on the NIS master is allowed to bypass these restrictions
+largely for convenience: a user with root access
+to the NIS master server already has the privileges required to make
+updates to the NIS maps, but editing the map source files by hand can
+be cumbersome.
+.Pp
+Note: these exceptions only apply when the NIS master server is a
+FreeBSD system.)
+.Pp
+Consequently, except where noted, the following restrictions apply when
+.Nm chpass
+is used with NIS:
+.Bl -enum -offset indent
+.It
+.Pa Only the shell and GECOS information may be changed.
+All other
+fields are restricted, even when
+.Nm chpass
+is invoked by the super-user.
+While support for
+changing other fields could be added, this would lead to
+compatibility problems with other NIS-capable systems.
+Even though the super-user may supply data for other fields
+while editing an entry, the extra information (other than the
+password -- see below) will be silently discarded.
+.Pp
+Exception: the super-user on the NIS master server is permitted to
+change any field.
+.Pp
+.It
+.Pa Password authentication is required.
+.Nm Chpass
+will prompt for the user's NIS password before effecting
+any changes. If the password is invalid, all changes will be
+discarded.
+.Pp
+Exception: the super-user on the NIS master server is allowed to
+submit changes without supplying a password. (The super-user may
+choose to turn off this feature using the
+.Fl o
+flag, described below.)
+.It
+.Pa Adding new records to the local
+.Pa password database is discouraged.
+.Nm Chpass
+will allow the administrator to add new records to the
+local password database while NIS is enabled, but this can lead to
+some confusion since the new records are appended to the end of
+the master password file, usually after the special NIS '+' entries.
+The administrator should use
+.Xr vipw 8
+to modify the local password
+file when NIS is running.
+.Pp
+The super-user on the NIS master server is permitted to add new records
+to the NIS password maps, provided the
+.Xr rpc.yppasswdd 8
+server has been started with the
+.Fl a
+flag to permitted additions (it refuses them by default).
+.Nm Chpass
+tries to update the local password database by default; to update the
+NIS maps instead, invoke chpass with the
+.Fl y
+flag.
+.It
+.Pa Password changes are not permitted.
+Users should use
+.Xr passwd 1
+or
+.Xr yppasswd 1
+to change their NIS passwords. The super-user is allowed to specify
+a new password (even though the ``Password:'' field does not show
+up in the editor template, the super-user may add it back by hand),
+but even the super-user must supply the user's original password
+otherwise
+.Xr rpc.yppasswdd 8
+will refuse to update the NIS maps.
+.Pp
+Exception: the super-user on the NIS master server is permitted to
+change a user's NIS password with
+.Nm chpass .
+.El
+.Pp
+There are also a few extra option flags that are available when
+.Nm chpass
+is compiled with NIS support:
+.Bl -tag -width flag
+.It Fl l
+The
+.Fl l
+flag forces
+.Nm chpass
+to modify the local copy of a user's password
+information in the even that a user exists in both
+the local and NIS databases.
+.It Fl y
+This flag has the opposite effect of
+.Fl l .
+This flag is largely redundant since
+.Nm chpass
+operates on NIS entries by default if NIS is enabled.
+.It Fl d Ar domain
+Specify a particular NIS domain.
+.Nm Chpass
+uses the system domain name by default, as set by the
+.Xr domainname 1
+command. The
+.Fl d
+option can be used to override a default, or to specify a domain
+when the system domain name is not set.
+.It Fl h Ar host
+Specify the name or address of an NIS server to query. Normally,
+.Nm chpass
+will communicate with the NIS master host specified in the
+.Pa master.passwd
+or
+.Pa passwd
+maps. On hosts that have not been configured as NIS clients, there is
+no way for the program to determine this information unless the user
+provides the hostname of a server. Note that the specified hostname need
+not be that of the NIS master server; the name of any server, master or
+slave, in a given NIS domain will do.
+.Pp
+When using the
+.Fl d
+option, the hostname defaults to ``localhost.'' The
+.Fl h
+option can be used in conjunction with the
+.Fl d
+option, in which case the user-specified hostname will override
+the default.
+.Pp
+.It Fl o
+Force the use of RPC-based updates when communicating with
+.Xr rpc.yppasswdd 8
+(``old-mode'').
+When invoked by the super-user on the NIS master server,
+.Nm chpass
+allows unrestricted changes to the NIS passwd maps using dedicated,
+non-RPC-based mechanism (in this case, a UNIX domain socket). The
+.Fl o
+flag can be used to force
+.Nm chpass
+to use the standard update mechanism instead. This option is provided
+mainly for testing purposes.
+.El
+.Pp
.Sh FILES
.Bl -tag -width /etc/master.passwd -compact
.It Pa /etc/master.passwd
The list of approved shells
.El
.Sh SEE ALSO
-.Xr login 1 ,
.Xr finger 1 ,
+.Xr login 1 ,
.Xr passwd 1 ,
.Xr getusershell 3 ,
.Xr passwd 5 ,
.%A Ken Thompson
.%T "UNIX Password security"
.Re
+.Sh NOTES
+The
+.Xr chfn 1 ,
+.Xr chsh 1 ,
+.Xr ypchpass 1 ,
+.Xr ypchfn 1
+and
+.Xr ypchsh 1
+commands are really only links to
+.Nm chpass .
.Sh BUGS
User information should (and eventually will) be stored elsewhere.
.Sh HISTORY
git.ckatri.com / pw-darwin.git / blobdiff