The rpc.yppasswdd has an option to not allow shell changes (-s), but is always passed a shell by the remote yppasswd. If an NIS client overrides the shell provided by the ypserv, then yppasswd (pam_unix, actually, afaict) will pass this new shell to the yppasswdd. If this shell has been set on the client to a shell which is invalid on the server, a user will never be able to change their password on the client.

It seems that the following thread on freebsd-questions is evidence of this problem:
http://www.freebsd.org/cgi/getmsg.cgi?fetch=1145286+1148268+/usr/local/www/db/text/2004/freebsd-questions/20040425.freebsd-questions

Fix:
The following patch causes invalid shells not to be rejected if the shell is not going to be changed anyway:

How-To-Repeat:
With the client passwd file containing something like

  +:*:::::/sbin/nologin

and "/sbin/nologin" not in the server's /etc/shells, an attempt to use passwd(1) causes the following error, as shown in the system logs:

  May 24 14:53:39 shell rpc.yppasswdd[62598]: /sbin/nologin is not a valid shell
  May 24 14:53:39 shell rpc.yppasswdd[62598]: rejecting change attempt: bad arguments
  May 24 14:53:39 shell rpc.yppasswdd[62598]: client address: 10.0.0.2 username: russell

On the NIS client side, error output might look something like

  passwd: pam_chauthtok(): error in service module

and something like the following in the syslog:

  May 25 00:05:19 server passwd: in pam_sm_chauthtok(): yppasswd_remote(): NIS password update failed: shell.rucus.ru.ac.za: RPC: Server can't decode arguments

("server" is our NIS client)
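The following is an added illustration, not the reporter's patch and not FreeBSD's rpc.yppasswdd source. It models the shell check described above in two forms: the behaviour the report complains about (the shell sent with every yppasswd request is validated against /etc/shells unconditionally, so a client-side "+:*:::::/sbin/nologin" override blocks password changes even when the server runs with -s and would never store that shell) and the behaviour the Fix line describes (only a shell that is actually going to be written is validated). The function names check_before/check_after, the server_shells list, the ACCEPT/REJECT_BAD_SHELL verdicts and the sample entries (/bin/tcsh as the server's stored shell) are all constructed for this example; how the real daemon applies -s after validation is assumed here, since the page does not show the patch.

```c
/*
 * Added example, not FreeBSD's rpc.yppasswdd code: a model of the shell
 * check in yppasswdd_server.c as PR 67142 describes it, before and after
 * the fix. All names and sample data below are constructed.
 */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the NIS server's /etc/shells; /sbin/nologin is
 * deliberately absent, as in the report. */
static const char *const server_shells[] = { "/bin/sh", "/bin/csh", "/bin/tcsh", NULL };

enum verdict { ACCEPT = 0, REJECT_BAD_SHELL = 1 };

/* Stand-in for ok_shell(): is the shell listed in /etc/shells? */
static int ok_shell(const char *shell)
{
	for (const char *const *s = server_shells; *s != NULL; s++)
		if (strcmp(*s, shell) == 0)
			return 1;
	return 0;
}

/*
 * Behaviour the report describes: the shell carried by every request is
 * validated before anything else, so the client's override fails with
 * "is not a valid shell" even when -s means it would never be stored.
 *
 * cur_shell: shell in the server's passwd entry
 * req_shell: shell sent by the client's pam_unix
 * no_chsh:   server started with -s (assumed here to keep cur_shell)
 * applied:   on ACCEPT, the shell that ends up in the server's entry
 */
static enum verdict
check_before(const char *cur_shell, const char *req_shell, int no_chsh,
    const char **applied)
{
	if (!ok_shell(req_shell))
		return REJECT_BAD_SHELL;	/* "/sbin/nologin is not a valid shell" */
	*applied = no_chsh ? cur_shell : req_shell;
	return ACCEPT;
}

/*
 * Behaviour after the fix as the report states it: validate the shell only
 * when it is actually going to change, i.e. -s is off and the requested
 * shell differs from the stored one. A shell that really would be written
 * is still checked against /etc/shells, so -s off does not weaken anything.
 */
static enum verdict
check_after(const char *cur_shell, const char *req_shell, int no_chsh,
    const char **applied)
{
	int changing = !no_chsh && strcmp(cur_shell, req_shell) != 0;

	if (changing && !ok_shell(req_shell))
		return REJECT_BAD_SHELL;
	*applied = changing ? req_shell : cur_shell;
	return ACCEPT;
}

int main(void)
{
	const char *applied = NULL;
	enum verdict v;

	/* The report's case: client overrides the shell to /sbin/nologin,
	 * server runs with -s, server entry holds /bin/tcsh (constructed). */
	v = check_before("/bin/tcsh", "/sbin/nologin", 1, &applied);
	printf("before fix, -s on:  %s\n", v == ACCEPT ? "accept" : "reject");

	v = check_after("/bin/tcsh", "/sbin/nologin", 1, &applied);
	printf("after fix,  -s on:  %s (shell stays %s)\n",
	    v == ACCEPT ? "accept" : "reject", applied);

	/* Without -s, a real change to an unlisted shell is still refused. */
	v = check_after("/bin/tcsh", "/sbin/nologin", 0, &applied);
	printf("after fix,  -s off: %s\n", v == ACCEPT ? "accept" : "reject");
	return 0;
}
```

The point worth checking in any real fix is the third case: skipping validation must be tied to "the shell will not be written", not to "the client sent a shell", otherwise a client could push an unlisted shell into the map whenever -s is off.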
Committed revision 288482. Thank you for the patch.
A commit references this bug:

Author: araujo
Date: Fri Oct 2 08:58:51 UTC 2015
New revision: 288482
URL: https://svnweb.freebsd.org/changeset/base/288482

Log:
  The rpc.yppasswdd has an option to not allow shell changes (-s), but is always passed a shell by the remote yppasswd. If an NIS client overrides the shell provided by the ypserv, then yppasswd (pam_unix, actually, afaict) will pass this new shell to the yppasswdd. If this shell has been set on the client to a shell which is invalid on the server, a user will never be able to change their password on the client.

  PR:		67142
  Submitted by:	russell@rucus.ru.ac.za
  Approved by:	bapt (mentor)
  Sponsored by:	EuroBSDCon Sweden.

Changes:
  head/usr.sbin/rpc.yppasswdd/yppasswdd_server.c