It seems shadow.byname is not used any more in RH 6.1, since it is effectively commented out of /var/yp/Makefile, but it was used by RH 6.0. However, since the old shadow.byname was left by the upgrade (in /var/yp/domainname), when logging in with ssh (but not telnet) on NIS clients still running RH 6.0, the NIS password was read from this file. So users who changed their passwords after the upgrade (even if they were running yppasswd from the 6.0 client) were effectively given *two* NIS passwords: one new pw for the server and telnet to clients, and one old pw for ssh to clients. (I realize it is really the ypserv version number which matters, but I do not have the version numbers at hand, so I assume they are derivable from the RH release version. Further, we do not allow telnet login, except for testing like in this case.)