ypserv(8) NIS server

SYNOPSIS

/usr/sbin/ypserv [ -d [ path ] ] [ -p port ]

OPTIONS

-d --debug [path]
Causes the server to run in debugging mode. Normally, ypserv reports only errors (access violations, dbm failures) using the syslog(3) facility. In debug mode, the server does not background itself and prints extra status messages to stderr for each request that it revceives. path is an optionally parameter. ypserv is using this directory instead of /var/yp
-p --port port
ypserv will bind itself to this port. This makes it possible to have a router filter packets to the NIS ports, so that access to the NIS server from hosts on the Internet can be restricted.
-v --version
Prints the version number

SECURITY

In general, any remote user can issue an RPC to ypserv and retrieve the contents of your NIS maps, if he knows your domain name. To prevent such unauthorized transactions, ypserv supports a feature called securenets which can be used to restrict access to a given set of hosts. At startup or when arriving the SIGHUP Signal, ypserv will attempt to load the securenets information from a file called /etc/ypserv.securenets . This file contains entries that consist of a netmask and a network pair separated by white spaces. Lines starting with ``#'' are considered to be comments.
A sample securenets file might look like this:

# allow connections from local host -- necessary
host 127.0.0.1
# same as 255.255.255.255 127.0.0.1
#
# allow connections from any host
# on the 131.234.223.0 network
255.255.255.0 131.234.223.0
# allow connections from any host
# between 131.234.214.0 and 131.234.215.255
255.255.254.0 131.234.214.0

If ypserv receives a request from an address that fails to match a rule, the request will be ignored and a warning message will be logged. If the /etc/ypserv.securenets file does not exist, ypserv will allow connections from any host.

In the /etc/ypserv.conf you could specify some access rules for special maps and hosts. But it is not very secure, it makes the life only a little bit harder for a potential hacker. If a mapname doesn't match a rule, ypserv will look for the YP_SECURE key in the map. If it exists, ypserv will only allow requests on a reserved port.

For security reasons, ypserv will only accept ypproc_xfr requests for updating maps from the same master server as the old one. This means, you have to reinstall the slave servers if you change the master server for a map.

FILES

/etc/ypserv.conf /etc/ypserv.securenets

AUTHOR

ypserv was written by Peter Eriksson <[email protected]>. Thorsten Kukuk <[email protected]> added support for master/slave server and is the new Maintainer.