The GNU C library contains an NSS module for the Hesiod name service.
Hesiod is a general name service for a variety of applications and is
based on the Berkeley Internet Name Daemon (BIND).


Introduction
============

The Hesiod NSS module implements access to all relevant standard
Hesiod types, which means that Hesiod can be used for the `group',
`passwd' and `services' databases.  There is however a restriction.
In the same way that it is impossible to use `gethostent()' to iterate
over all the data provided by DNS, it is not possible to scan the
entire Hesiod database by means of `getgrent()', `getpwent()' and
`getservent()'.  Besides, Hesiod only provides support for looking up
services by name and not for looking them up by port, so
`getservbyport()' never consults it either.  In essence this means
that the Hesiod name service is only consulted as a result of one of
the following function calls:

  * getgrnam(), getgrgid()
  * getpwnam(), getpwuid()
  * getservbyname()

and their reentrant counterparts.


Configuring your systems
========================

Configuring your systems to make use of the Hesiod name service
requires one or more of the following steps, depending on whether you
are already running Hesiod in your network.

Configuring NSS
---------------

First you should modify the file `/etc/nsswitch.conf' to tell NSS for
which databases you want to use the Hesiod name service.  If you want
to use Hesiod for all databases it can handle, your configuration file
could look like this:

  # /etc/nsswitch.conf
  #
  # Example configuration of GNU Name Service Switch functionality.
  #

  passwd:         db files hesiod
  group:          db files hesiod
  shadow:         db files

  hosts:          files dns
  networks:       files dns

  protocols:      db files
  services:       db files hesiod
  ethers:         db files
  rpc:            db files

Note that `shadow' is deliberately left without `hesiod': the module
serves only the `passwd', `group' and `services' databases, and, as
the Security section below explains, password hashes do not belong in
Hesiod anyway.

For more information on NSS, please refer to the `The GNU C Library
Reference Manual'.


Configuring Hesiod
------------------

Next, you will have to configure Hesiod.  If you are already running
Hesiod in your network, you probably already have a file named
`hesiod.conf' on your machines (probably as `/etc/hesiod.conf' or
`/usr/local/etc/hesiod.conf').  The Hesiod NSS module looks for
`/etc/hesiod.conf' by default.  If there is no configuration file you
will want to create your own.  It should look something like:

  rhs=.your.domain
  lhs=.ns
  classes=in,hs

The optional `classes' setting specifies which DNS classes Hesiod
should do lookups in.  Possible values are IN (the preferred class)
and HS (the deprecated class, still used by some sites).  You may
specify both classes separated by a comma to try one class first and
then the other if no entry is available in the first class.  The
default value of the `classes' variable is `IN,HS'.

The value of `rhs' can be overridden by the environment variable
`HES_DOMAIN'.  Since that redirects every Hesiod lookup, `passwd' and
`group' included, to another domain, treat it like any other
environment variable that influences name resolution and do not let
untrusted callers set it for privileged processes.
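The following C program is an added example and is not part of glibc or
the Hesiod library.  It reads the three settings shown above from an
in-memory copy of `hesiod.conf', applies the `HES_DOMAIN' override, and
prints the DNS names and class order the NSS module would query for a
few lookups, so a configuration can be checked before `nsswitch.conf'
is pointed at it.  The `<name>.<type><lhs><rhs>' layout, the defaults
and the override are as this README describes; the function names and
the sample configuration text are the example's own.

```c
/* Added example, not glibc's or Hesiod's own code: derive the DNS name
   and class order the Hesiod NSS module will query for one lookup from
   the rhs/lhs/classes settings above and the HES_DOMAIN override.  The
   layout and defaults follow the README; names and sample config are ours. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* classes holds "IN" and/or "HS" in the order they are tried. */
struct hes_config { char rhs[128], lhs[128]; char classes[2][3]; int nclasses; };

static char *strip(char *s)   /* drop leading/trailing blanks in place */
{
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* Set the class list from "in,hs" style text; only IN and HS are legal. */
static int set_classes(struct hes_config *cfg, const char *val)
{
    char tmp[32];
    snprintf(tmp, sizeof tmp, "%s", val);
    cfg->nclasses = 0;
    for (char *tok = strtok(tmp, ","); tok; tok = strtok(NULL, ",")) {
        tok = strip(tok);
        for (char *c = tok; *c; c++) *c = (char)toupper((unsigned char)*c);
        if (cfg->nclasses == 2 || (strcmp(tok, "IN") != 0 && strcmp(tok, "HS") != 0))
            return -1;
        strcpy(cfg->classes[cfg->nclasses++], tok);
    }
    return cfg->nclasses ? 0 : -1;
}

/* Parse hesiod.conf text (key=value lines, `#' starts a comment).
   classes defaults to IN,HS; lhs and rhs default to empty.  Returns 0,
   or -1 on an unknown key, a bad class or a malformed line. */
static int hes_parse_config(const char *text, struct hes_config *cfg)
{
    memset(cfg, 0, sizeof *cfg);
    set_classes(cfg, "IN,HS");
    for (const char *p = text; *p;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256], *c, *body, *eq;
        if (len >= sizeof line) return -1;
        memcpy(line, p, len), line[len] = '\0';
        p += nl ? len + 1 : len;
        if ((c = strchr(line, '#'))) *c = '\0';
        if (*(body = strip(line)) == '\0') continue;
        if (!(eq = strchr(body, '='))) return -1;
        *eq = '\0';
        const char *key = strip(body), *val = strip(eq + 1);
        if (strcmp(key, "rhs") == 0) snprintf(cfg->rhs, sizeof cfg->rhs, "%s", val);
        else if (strcmp(key, "lhs") == 0) snprintf(cfg->lhs, sizeof cfg->lhs, "%s", val);
        else if (strcmp(key, "classes") != 0 || set_classes(cfg, val) < 0) return -1;
    }
    return 0;
}

/* HES_DOMAIN, when set, replaces rhs.  A leading dot is added when the
   value lacks one so that the pieces still join into a valid name. */
static void hes_apply_env(struct hes_config *cfg, const char *hes_domain)
{
    if (!hes_domain || !*hes_domain) return;
    snprintf(cfg->rhs, sizeof cfg->rhs, "%s%s", hes_domain[0] == '.' ? "" : ".", hes_domain);
}

/* Build <name>.<type><lhs><rhs>, e.g. gnu.passwd.ns.your.domain; a uid
   or gid lookup uses the number as name and "uid"/"gid" as type.
   Returns the length written, or -1 if it would not fit in out. */
static int hes_query_name(const struct hes_config *cfg, const char *name,
                          const char *type, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s.%s%s%s", name, type, cfg->lhs, cfg->rhs);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Constructed hesiod.conf matching the README's sample. */
static const char sample_conf[] =
    "# constructed for this example\nrhs=.your.domain\nlhs=.ns\nclasses=in,hs\n";

int main(void)
{
    static const char *lookups[][2] = {
        {"gnu", "passwd"}, {"4567", "uid"}, {"libc", "group"}, {"nss", "service"}};
    struct hes_config cfg; char q[512];
    if (hes_parse_config(sample_conf, &cfg) < 0) return 1;
    hes_apply_env(&cfg, getenv("HES_DOMAIN"));   /* same override the module honours */
    for (size_t i = 0; i < sizeof lookups / sizeof lookups[0]; i++) {
        if (hes_query_name(&cfg, lookups[i][0], lookups[i][1], q, sizeof q) < 0) return 1;
        for (int c = 0; c < cfg.nclasses; c++)
            printf("%s TXT %s\n", cfg.classes[c], q);
    }
    return 0;
}
```

Run it with `HES_DOMAIN=other.example ./a.out' to watch the override take
effect.  Under the sample configuration a `passwd' lookup for `gnu'
queries `gnu.passwd.ns.your.domain' in class IN and then HS, and a
`getpwuid(4567)' call becomes a query for `4567.uid.ns.your.domain',
which the name server answers through the `uid' CNAME that points at
the `passwd' record.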

Configuring your name servers
-----------------------------

In addition, if you are not already running Hesiod in your network,
you need to create Hesiod information on your central name servers.
You need to run `named' from BIND 4.9 or higher on these servers, and
make them authoritative for the domain `ns.your.domain' with a line in
`/etc/named.boot' reading something like:

  primary ns.your.domain named.hesiod

or if you are using the new BIND 8.1 or higher add something to
`/etc/named.conf' like:

  zone "ns.your.domain" {
          type master;
          file "named.hesiod";
  };

Then in the BIND working directory (usually `/var/named') create the
file `named.hesiod' containing data that looks something like:

  ; SOA and NS records.
  @       IN      SOA     server1.your.domain admin-address.your.domain (
                          40000           ; serial - database version number
                          1800            ; refresh - sec servers
                          300             ; retry - for refresh
                          3600000         ; expire - unrefreshed data
                          7200 )          ; min
          NS      server1.your.domain
          NS      server2.your.domain

  ; Actual Hesiod data.
  libc.group      TXT     "libc:*:123:gnu,gnat"
  123.gid         CNAME   libc.group
  gnu.passwd      TXT     "gnu:*:4567:123:GNU:/home/gnu:/bin/bash"
  4567.uid        CNAME   gnu.passwd
  nss.service     TXT     "nss tcp 789 switch sw"
  nss.service     TXT     "nss udp 789 switch sw"

where `libc' is an example of a group, `gnu' an example of a user,
and `nss' an example of a service.  The domain `ns.your.domain' is
simply `lhs' followed by `rhs' from `hesiod.conf', and the `passwd'
and `group' records carry the same colon-separated fields as
`/etc/passwd' and `/etc/group'.  The `uid' and `gid' CNAMEs are what
answer `getpwuid()' and `getgrgid()': a lookup by number asks for
`4567.uid' or `123.gid', so every `passwd' and `group' record needs a
matching CNAME or the by-id lookup will fail.  Note that the format
used to describe services differs from the format used in
`/etc/services': the fields are name, protocol, port and aliases,
separated by blanks, with one record per protocol.  For more
information on `named' refer to the `Name Server Operations Guide for
BIND' that is included in the BIND distribution.


Security
========

Note that the information stored in the Hesiod database in principle
is publicly available.  Care should be taken with including vulnerable
information like encrypted passwords in the Hesiod database; keep the
password field of `passwd' and `group' records set to `*'.  There are
some ways to improve security by using features provided by `named'
(see the discussion about `secure zones' in the BIND documentation),
but one should keep in mind that Hesiod was never intended to
distribute passwords.  In the original design authenticating users was
the job of the Kerberos service.

Keep in mind as well that Hesiod answers travel over ordinary DNS and
the NSS module uses whatever TXT record the resolver hands back, so
whoever can answer (or spoof) the query for `gnu.passwd.ns.your.domain'
decides that user's uid, gid, home directory and shell.  Run the module
only behind a resolver path you trust, or behind a validating resolver
for a signed zone.
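The following C program is an added example and is not part of glibc,
Hesiod or BIND.  It parses the `named.hesiod' record layouts shown in
the previous section (the colon-separated `passwd' and `group'
payloads and the blank-separated `service' payload, which differs from
`/etc/services') and then applies the check this section asks for:
every `passwd' and `group' record whose password field is not a
placeholder is reported, since that field is readable by anyone who
can query the zone.  The record layouts are taken from this README;
the function names and the sample zone text (the records from the
example zone plus one deliberately bad record carrying a made-up hash)
are the example's own.

```c
/* Added example, not glibc's or Hesiod's own code: parse the TXT record
   layouts shown above (passwd/group: the colon layout of /etc/passwd and
   /etc/group; service: "name proto port aliases...", unlike /etc/services)
   and flag any passwd or group record whose password field is a hash.
   Layouts are from the README; the names and the sample zone are ours. */
#include <stdio.h>
#include <string.h>

enum hes_kind { HES_OTHER, HES_PASSWD, HES_GROUP, HES_SERVICE };

struct hes_record {
    enum hes_kind kind;
    char owner[64];       /* zone owner name, e.g. "gnu.passwd" */
    char fields[8][64];   /* TXT payload split into fields */
    int nfields;
};

/* Split s on sep; empty fields are dropped only when collapse is set
   (service records are blank-separated and may carry stray blanks).
   Returns the field count, or -1 on too many or too long fields. */
static int split(const char *s, char sep, int collapse, char out[][64], int max)
{
    int n = 0;
    for (;;) {
        const char *e = strchr(s, sep);
        size_t len = e ? (size_t)(e - s) : strlen(s);
        if (len > 0 || !collapse) {
            if (n == max || len >= 64) return -1;
            memcpy(out[n], s, len), out[n++][len] = '\0';
        }
        if (!e) return n;
        s = e + 1;
    }
}

/* Parse one zone-file line of the shape  owner [IN] TXT "payload".  Returns 1
   for a TXT record, 0 for anything else (SOA, NS, CNAME, comments, blank
   lines) and -1 for a malformed TXT line. */
static int hes_parse_zone_line(const char *line, struct hes_record *r)
{
    char buf[512], txt[256] = "", *q1, *q2, *tok; int is_txt = 0;
    memset(r, 0, sizeof *r);
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    if ((q1 = strchr(buf, '"')) != NULL) {     /* cut the quoted payload out first */
        if (!(q2 = strchr(q1 + 1, '"'))) return -1;
        *q2 = '\0';
        snprintf(txt, sizeof txt, "%s", q1 + 1);
        *q1 = '\0';
    }
    if (!(tok = strtok(buf, " \t")) || *tok == ';' || *tok == '@') return 0;
    snprintf(r->owner, sizeof r->owner, "%s", tok);
    while ((tok = strtok(NULL, " \t")))
        is_txt |= strcmp(tok, "TXT") == 0;
    if (!is_txt) return 0;
    if (!q1) return -1;
    const char *dot = strrchr(r->owner, '.'), *type = dot ? dot + 1 : "";
    r->kind = strcmp(type, "passwd") == 0 ? HES_PASSWD : strcmp(type, "group") == 0 ? HES_GROUP
            : strcmp(type, "service") == 0 ? HES_SERVICE : HES_OTHER;   /* type = last label */
    if (r->kind == HES_SERVICE) r->nfields = split(txt, ' ', 1, r->fields, 8);
    else if (r->kind != HES_OTHER) r->nfields = split(txt, ':', 0, r->fields, 8);
    return r->nfields < 0 ? -1 : 1;
}

/* NULL if the record is acceptable, else what is wrong.  "*" is the placeholder
   the README uses; "x" (defer to the local shadow file) is equally harmless. */
static const char *hes_audit(const struct hes_record *r)
{
    const char *f1 = r->nfields > 1 ? r->fields[1] : "";
    if (r->kind == HES_PASSWD && r->nfields != 7) return "passwd record needs 7 fields";
    if (r->kind == HES_GROUP && r->nfields != 4) return "group record needs 4 fields";
    if ((r->kind == HES_PASSWD || r->kind == HES_GROUP) && strcmp(f1, "*") && strcmp(f1, "x"))
        return "password field publishes a hash instead of a placeholder";
    if (r->kind == HES_SERVICE && (r->nfields < 3 || (strcmp(f1, "tcp") && strcmp(f1, "udp"))))
        return "service record needs name, tcp|udp and port";
    return NULL;
}

/* Scan zone text line by line, report each problem, return the count. */
static int hes_count_problems(const char *zone)
{
    int problems = 0;
    for (const char *p = zone; *p;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512]; struct hes_record r;
        if (len >= sizeof line) return -1;
        memcpy(line, p, len), line[len] = '\0';
        p += nl ? len + 1 : len;
        int rc = hes_parse_zone_line(line, &r);
        const char *why = rc == 1 ? hes_audit(&r) : rc < 0 ? "malformed TXT line" : NULL;
        if (why) printf("%s: %s\n", r.owner, why), problems++;
    }
    return problems;
}

/* Constructed zone data: README records plus one bad record with a made-up hash. */
static const char sample_zone[] =
    "libc.group      TXT     \"libc:*:123:gnu,gnat\"\n"
    "123.gid         CNAME   libc.group\n"
    "gnu.passwd      TXT     \"gnu:*:4567:123:GNU:/home/gnu:/bin/bash\"\n"
    "gnat.passwd     TXT     \"gnat:$1$notreal$fakehash:4568:123:GNAT:/home/gnat:/bin/sh\"\n"
    "nss.service     TXT     \"nss tcp 789 switch sw \"\n";

int main(void)
{
    int n = hes_count_problems(sample_zone);
    printf("%d problem record(s)\n", n);
    return n == 0 ? 0 : 2;
}
```

To check a real zone, pass the contents of `named.hesiod' to
`hes_count_problems'; a non-zero exit status means a record needs fixing
before the zone is served.  The check treats `*' (what this README
uses) and `x' as placeholders; anything else in the second field of a
`passwd' or `group' record is reported as a hash.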


More information
================

For more information on the Hesiod name service take a look at some of
the papers in ftp://athena-dist.mit.edu:/pub/ATHENA/usenix and the
documentation that accompanies the source code for the Hesiod name
service library in ftp://athena-dist.mit.edu:/pub/ATHENA/hesiod.

There is a mailing list at MIT for Hesiod users, hesiod@mit.edu.  To
get yourself on or off the list, send mail to hesiod-request@mit.edu.