[thirdparty/glibc.git] / hesiod / README.hesiod

The GNU C library contains an NSS module for the Hesiod name service.
Hesiod is a general name service for a variety of applications and is
based on the Berkeley Internet Name Daemon (BIND).

Introduction
============

The Hesiod NSS module implements access to all relevant standard
Hesiod types, which means that Hesiod can be used for the `group',
`passwd' and `services' databases.  There is however a restriction.
In the same way that it is impossible to use `gethostent()' to iterate
over all the data provided by DNS, it is not possible to scan the
entire Hesiod database by means of `getgrent()', `getpwent()' and
`getservent()'.  Besides, Hesiod only provides support for looking up
services by name and not for looking them up by port.  In essence this
means that the Hesiod name service is only consulted as a result of
one of the following function calls:

  * getgrname(), getgrgid()
  * getpwname(), getpwuid()
  * getservbyname()

and their reentrant counterparts.


Configuring your systems
========================

Configuring your systems to make use the Hesiod name service requires
one or more of the following steps, depending on whether you are
already running Hesiod in your network.

Configuring NSS
---------------

First you should modify the file `/etc/nsswitch.conf' to tell
NSS for which database you want to use the Hesiod name service.  If
you want to use Hesiod for all databases it can handle your
configuration file could look like this:

  # /etc/nsswitch.conf
  #
  # Example configuration of GNU Name Service Switch functionality.
  #

  passwd:	  db files hesiod
  group:	  db files hesiod
  shadow:	  db files

  hosts:	  files dns
  networks:	  files dns

  protocols:	  db files
  services:	  db files hesiod
  ethers:	  db files
  rpc:		  db files

For more information on NSS, please refer to the `The GNU C Library
Reference Manual'.


Configuring Hesiod
------------------

Next, you will have to configure Hesiod.  If you are already running
Hesiod in your network, you probably already have a file named
`hesiod.conf' on your machines (probably as `/etc/hesiod.conf' or
`/usr/local/etc/hesiod.conf').  The Hesiod NSS module looks for
`/etc/hesiod.conf' by default.  If there is no configuration file you
will want to create your own.  It should look something like:

  rhs=.your.domain
  lhs=.ns
  classes=in,hs

The optional classes settings specifies which DNS classes Hesiod
should do lookups in.  Possible values are IN (the preferred class)
and  HS (the deprecated class, still used by some sites).
You may specify both classes separated by a comma to try one class
first and then the other if no entry is available in the first
class.  The default value of the classes variable is `IN,HS'.

The value of rhs can be overridden by the environment variable
`HES_DOMAIN'.

Configuring your name servers
-----------------------------

In addition, if you are not already running Hesiod in your network,
you need to create Hesiod information on your central name servers.
You need to run `named' from BIND 4.9 or higher on these servers, and
make them authoritative for the domain `ns.your.domain' with a line in
`/etc/named.boot' reading something like:

  primary         ns.your.domain          named.hesiod

or if you are using the new BIND 8.1 or higher add something to
`/etc/named.conf' like:

  zone "ns.your.domain" {
          type master;
          file "named.hesiod";
  };

Then in the BIND working directory (usually `/var/named') create the
file `named.hesiod' containing data that looks something like:

  ; SOA and NS records.
  @       IN      SOA     server1.your.domain admin-address.your.domain (
                  40000           ; serial - database version number
                  1800            ; refresh - sec servers
                  300             ; retry - for refresh
                  3600000         ; expire - unrefreshed data
                  7200 )          ; min
                  NS      server1.your.domain
                  NS      server2.your.domain

  ; Actual Hesiod data.
  libc.group      TXT     "libc:*:123:gnu,gnat"
  123.gid         CNAME   libc.group
  gnu.passwd      TXT     "gnu:*:4567:123:GNU:/home/gnu:/bin/bash"
  456.uid         CNAME   mark.passwd
  nss.service     TXT     "nss tcp 789 switch sw "
  nss.service     TXT     "nss udp 789 switch sw"

where `libc' is an example of a group, `gnu' an example of an user,
and `nss' an example of a service.  Note that the format used to
describe services differs from the format used in `/etc/services'.
For more information on `named' refer to the `Name Server Operations
Guide for BIND' that is included in the BIND distribution.


Security
========

Note that the information stored in the Hesiod database in principle
is publicly available.  Care should be taken with including vulnerable
information like encrypted passwords in the Hesiod database.  There
are some ways to improve security by using features provided by
`named' (see the discussion about `secure zones' in the BIND
documentation), but one should keep in mind that Hesiod was never
intended to distribute passwords.  In the origional design
authenticating users was the job of the Kerberos service.


More information
================

For more information on the Hesiod name service take a look at some of
the papers in ftp://athena-dist.mit.edu:/pub/ATHENA/usenix and the
documentation that accompanies the source code for the Hesiod name
service library in ftp://athena-dist.mit.edu:/pub/ATHENA/hesiod.

There is a mailing list at MIT for Hesiod users, hesiod@mit.edu.  To
get yourself on or off the list, send mail to hesiod-request@mit.edu.
Commit	Line	Data
2604afb1 UD	1	The GNU C library contains an NSS module for the Hesiod name service.
	2	Hesiod is a general name service for a variety of applications and is
	3	based on the Berkeley Internet Name Daemon (BIND).
	4
	5	Introduction
	6	============
	7
	8	The Hesiod NSS module implements access to all relevant standard
	9	Hesiod types, which means that Hesiod can be used for the `group',
	10	`passwd' and `services' databases. There is however a restriction.
	11	In the same way that it is impossible to use `gethostent()' to iterate
	12	over all the data provided by DNS, it is not possible to scan the
	13	entire Hesiod database by means of `getgrent()', `getpwent()' and
	14	`getservent()'. Besides, Hesiod only provides support for looking up
	15	services by name and not for looking them up by port. In essence this
	16	means that the Hesiod name service is only consulted as a result of
	17	one of the following function calls:
	18
	19	* getgrname(), getgrgid()
	20	* getpwname(), getpwuid()
	21	* getservbyname()
	22
	23	and their reentrant counterparts.
	24
	25
	26	Configuring your systems
	27	========================
	28
fed8f7f7 UD	29	Configuring your systems to make use the Hesiod name service requires
	30	one or more of the following steps, depending on whether you are
	31	already running Hesiod in your network.
2604afb1 UD	32
	33	Configuring NSS
	34	---------------
	35
	36	First you should modify the file `/etc/nsswitch.conf' to tell
	37	NSS for which database you want to use the Hesiod name service. If
	38	you want to use Hesiod for all databases it can handle your
	39	configuration file could look like this:
	40
	41	# /etc/nsswitch.conf
	42	#
	43	# Example configuration of GNU Name Service Switch functionality.
	44	#
	45
	46	passwd: db files hesiod
	47	group: db files hesiod
	48	shadow: db files
	49
	50	hosts: files dns
	51	networks: files dns
	52
	53	protocols: db files
	54	services: db files hesiod
	55	ethers: db files
	56	rpc: db files
	57
	58	For more information on NSS, please refer to the `The GNU C Library
	59	Reference Manual'.
	60
	61
	62	Configuring Hesiod
	63	------------------
	64
	65	Next, you will have to configure Hesiod. If you are already running
	66	Hesiod in your network, you probably already have a file named
	67	`hesiod.conf' on your machines (probably as `/etc/hesiod.conf' or
2f54c82d UD	68	`/usr/local/etc/hesiod.conf'). The Hesiod NSS module looks for
	69	`/etc/hesiod.conf' by default. If there is no configuration file you
	70	will want to create your own. It should look something like:
2604afb1 UD	71
	72	rhs=.your.domain
	73	lhs=.ns
b399a0c2 UD	74	classes=in,hs
	75
	76	The optional classes settings specifies which DNS classes Hesiod
	77	should do lookups in. Possible values are IN (the preferred class)
	78	and HS (the deprecated class, still used by some sites).
	79	You may specify both classes separated by a comma to try one class
	80	first and then the other if no entry is available in the first
	81	class. The default value of the classes variable is `IN,HS'.
2604afb1 UD	82
2604afb1 UD	83	The value of rhs can be overridden by the environment variable
2f54c82d	84	`HES_DOMAIN'.
2604afb1 UD	85
	86	Configuring your name servers
	87	-----------------------------
	88
	89	In addition, if you are not already running Hesiod in your network,
	90	you need to create Hesiod information on your central name servers.
	91	You need to run `named' from BIND 4.9 or higher on these servers, and
	92	make them authoritative for the domain `ns.your.domain' with a line in
	93	`/etc/named.boot' reading something like:
	94
	95	primary ns.your.domain named.hesiod
	96
	97	or if you are using the new BIND 8.1 or higher add something to
	98	`/etc/named.conf' like:
	99
	100	zone "ns.your.domain" {
	101	type master;
	102	file "named.hesiod";
	103	};
	104
	105	Then in the BIND working directory (usually `/var/named') create the
	106	file `named.hesiod' containing data that looks something like:
	107
	108	; SOA and NS records.
	109	@ IN SOA server1.your.domain admin-address.your.domain (
	110	40000 ; serial - database version number
	111	1800 ; refresh - sec servers
	112	300 ; retry - for refresh
	113	3600000 ; expire - unrefreshed data
	114	7200 ) ; min
	115	NS server1.your.domain
	116	NS server2.your.domain
	117
	118	; Actual Hesiod data.
	119	libc.group TXT "libc:*:123:gnu,gnat"
	120	123.gid CNAME libc.group
	121	gnu.passwd TXT "gnu:*:4567:123:GNU:/home/gnu:/bin/bash"
	122	456.uid CNAME mark.passwd
2f54c82d UD	123	nss.service TXT "nss tcp 789 switch sw "
2f54c82d UD	124	nss.service TXT "nss udp 789 switch sw"
2604afb1 UD	125
	126	where `libc' is an example of a group, `gnu' an example of an user,
	127	and `nss' an example of a service. Note that the format used to
	128	describe services differs from the format used in `/etc/services'.
	129	For more information on `named' refer to the `Name Server Operations
	130	Guide for BIND' that is included in the BIND distribution.
	131
	132
	133	Security
	134	========
	135
	136	Note that the information stored in the Hesiod database in principle
	137	is publicly available. Care should be taken with including vulnerable
	138	information like encrypted passwords in the Hesiod database. There
	139	are some ways to improve security by using features provided by
	140	`named' (see the discussion about `secure zones' in the BIND
	141	documentation), but one should keep in mind that Hesiod was never
	142	intended to distribute passwords. In the origional design
	143	authenticating users was the job of the Kerberos service.
	144
	145
	146	More information
	147	================
	148
	149	For more information on the Hesiod name service take a look at some of
	150	the papers in ftp://athena-dist.mit.edu:/pub/ATHENA/usenix and the
	151	documentation that accompanies the source code for the Hesiod name
	152	service library in ftp://athena-dist.mit.edu:/pub/ATHENA/hesiod.
	153
	154	There is a mailing list at MIT for Hesiod users, hesiod@mit.edu. To
	155	get yourself on or off the list, send mail to hesiod-request@mit.edu.