| lh | 9ed821d | 2023-04-07 01:36:19 -0700 | [diff] [blame] | 1 | The GNU C library contains an NSS module for the Hesiod name service. |
| 2 | Hesiod is a general name service for a variety of applications and is |
| 3 | based on the Berkeley Internet Name Daemon (BIND). |
| 4 | |
| 5 | Introduction |
| 6 | ============ |
| 7 | |
| 8 | The Hesiod NSS module implements access to all relevant standard |
| 9 | Hesiod types, which means that Hesiod can be used for the `group', |
| 10 | `passwd' and `services' databases. There is however a restriction. |
| 11 | In the same way that it is impossible to use `gethostent()' to iterate |
| 12 | over all the data provided by DNS, it is not possible to scan the |
| 13 | entire Hesiod database by means of `getgrent()', `getpwent()' and |
| 14 | `getservent()'. Besides, Hesiod only provides support for looking up |
| 15 | services by name and not for looking them up by port. In essence this |
| 16 | means that the Hesiod name service is only consulted as a result of |
| 17 | one of the following function calls: |
| 18 | |
| 19 | * getgrname(), getgrgid() |
| 20 | * getpwname(), getpwuid() |
| 21 | * getservbyname() |
| 22 | |
| 23 | and their reentrant counterparts. |
| 24 | |
| 25 | |
| 26 | Configuring your systems |
| 27 | ======================== |
| 28 | |
| 29 | Configuring your systems to make use the Hesiod name service requires |
| 30 | one or more of the following steps, depending on whether you are |
| 31 | already running Hesiod in your network. |
| 32 | |
| 33 | Configuring NSS |
| 34 | --------------- |
| 35 | |
| 36 | First you should modify the file `/etc/nsswitch.conf' to tell |
| 37 | NSS for which database you want to use the Hesiod name service. If |
| 38 | you want to use Hesiod for all databases it can handle your |
| 39 | configuration file could look like this: |
| 40 | |
| 41 | # /etc/nsswitch.conf |
| 42 | # |
| 43 | # Example configuration of GNU Name Service Switch functionality. |
| 44 | # |
| 45 | |
| 46 | passwd: db files hesiod |
| 47 | group: db files hesiod |
| 48 | shadow: db files |
| 49 | |
| 50 | hosts: files dns |
| 51 | networks: files dns |
| 52 | |
| 53 | protocols: db files |
| 54 | services: db files hesiod |
| 55 | ethers: db files |
| 56 | rpc: db files |
| 57 | |
| 58 | For more information on NSS, please refer to the `The GNU C Library |
| 59 | Reference Manual'. |
| 60 | |
| 61 | |
| 62 | Configuring Hesiod |
| 63 | ------------------ |
| 64 | |
| 65 | Next, you will have to configure Hesiod. If you are already running |
| 66 | Hesiod in your network, you probably already have a file named |
| 67 | `hesiod.conf' on your machines (probably as `/etc/hesiod.conf' or |
| 68 | `/usr/local/etc/hesiod.conf'). The Hesiod NSS module looks for |
| 69 | `/etc/hesiod.conf' by default. If there is no configuration file you |
| 70 | will want to create your own. It should look something like: |
| 71 | |
| 72 | rhs=.your.domain |
| 73 | lhs=.ns |
| 74 | classes=in,hs |
| 75 | |
| 76 | The optional classes settings specifies which DNS classes Hesiod |
| 77 | should do lookups in. Possible values are IN (the preferred class) |
| 78 | and HS (the deprecated class, still used by some sites). |
| 79 | You may specify both classes separated by a comma to try one class |
| 80 | first and then the other if no entry is available in the first |
| 81 | class. The default value of the classes variable is `IN,HS'. |
| 82 | |
| 83 | The value of rhs can be overridden by the environment variable |
| 84 | `HES_DOMAIN'. |
| 85 | |
| 86 | Configuring your name servers |
| 87 | ----------------------------- |
| 88 | |
| 89 | In addition, if you are not already running Hesiod in your network, |
| 90 | you need to create Hesiod information on your central name servers. |
| 91 | You need to run `named' from BIND 4.9 or higher on these servers, and |
| 92 | make them authoritative for the domain `ns.your.domain' with a line in |
| 93 | `/etc/named.boot' reading something like: |
| 94 | |
| 95 | primary ns.your.domain named.hesiod |
| 96 | |
| 97 | or if you are using the new BIND 8.1 or higher add something to |
| 98 | `/etc/named.conf' like: |
| 99 | |
| 100 | zone "ns.your.domain" { |
| 101 | type master; |
| 102 | file "named.hesiod"; |
| 103 | }; |
| 104 | |
| 105 | Then in the BIND working directory (usually `/var/named') create the |
| 106 | file `named.hesiod' containing data that looks something like: |
| 107 | |
| 108 | ; SOA and NS records. |
| 109 | @ IN SOA server1.your.domain admin-address.your.domain ( |
| 110 | 40000 ; serial - database version number |
| 111 | 1800 ; refresh - sec servers |
| 112 | 300 ; retry - for refresh |
| 113 | 3600000 ; expire - unrefreshed data |
| 114 | 7200 ) ; min |
| 115 | NS server1.your.domain |
| 116 | NS server2.your.domain |
| 117 | |
| 118 | ; Actual Hesiod data. |
| 119 | libc.group TXT "libc:*:123:gnu,gnat" |
| 120 | 123.gid CNAME libc.group |
| 121 | gnu.passwd TXT "gnu:*:4567:123:GNU:/home/gnu:/bin/bash" |
| 122 | 456.uid CNAME mark.passwd |
| 123 | nss.service TXT "nss tcp 789 switch sw " |
| 124 | nss.service TXT "nss udp 789 switch sw" |
| 125 | |
| 126 | where `libc' is an example of a group, `gnu' an example of an user, |
| 127 | and `nss' an example of a service. Note that the format used to |
| 128 | describe services differs from the format used in `/etc/services'. |
| 129 | For more information on `named' refer to the `Name Server Operations |
| 130 | Guide for BIND' that is included in the BIND distribution. |
| 131 | |
| 132 | |
| 133 | Security |
| 134 | ======== |
| 135 | |
| 136 | Note that the information stored in the Hesiod database in principle |
| 137 | is publicly available. Care should be taken with including vulnerable |
| 138 | information like encrypted passwords in the Hesiod database. There |
| 139 | are some ways to improve security by using features provided by |
| 140 | `named' (see the discussion about `secure zones' in the BIND |
| 141 | documentation), but one should keep in mind that Hesiod was never |
| 142 | intended to distribute passwords. In the origional design |
| 143 | authenticating users was the job of the Kerberos service. |
| 144 | |
| 145 | |
| 146 | More information |
| 147 | ================ |
| 148 | |
| 149 | For more information on the Hesiod name service take a look at some of |
| 150 | the papers in ftp://athena-dist.mit.edu:/pub/ATHENA/usenix and the |
| 151 | documentation that accompanies the source code for the Hesiod name |
| 152 | service library in ftp://athena-dist.mit.edu:/pub/ATHENA/hesiod. |
| 153 | |
| 154 | There is a mailing list at MIT for Hesiod users, hesiod@mit.edu. To |
| 155 | get yourself on or off the list, send mail to hesiod-request@mit.edu. |