]>
Commit | Line | Data |
---|---|---|
2604afb1 UD |
1 | The GNU C library contains an NSS module for the Hesiod name service. |
2 | Hesiod is a general name service for a variety of applications and is | |
3 | based on the Berkeley Internet Name Daemon (BIND). | |
4 | ||
5 | Introduction | |
6 | ============ | |
7 | ||
8 | The Hesiod NSS module implements access to all relevant standard | |
9 | Hesiod types, which means that Hesiod can be used for the `group', | |
10 | `passwd' and `services' databases. There is however a restriction. | |
11 | In the same way that it is impossible to use `gethostent()' to iterate | |
12 | over all the data provided by DNS, it is not possible to scan the | |
13 | entire Hesiod database by means of `getgrent()', `getpwent()' and | |
14 | `getservent()'. Besides, Hesiod only provides support for looking up | |
15 | services by name and not for looking them up by port. In essence this | |
16 | means that the Hesiod name service is only consulted as a result of | |
17 | one of the following function calls: | |
18 | ||
19 | * getgrname(), getgrgid() | |
20 | * getpwname(), getpwuid() | |
21 | * getservbyname() | |
22 | ||
23 | and their reentrant counterparts. | |
24 | ||
25 | ||
26 | Configuring your systems | |
27 | ======================== | |
28 | ||
fed8f7f7 UD |
29 | Configuring your systems to make use the Hesiod name service requires |
30 | one or more of the following steps, depending on whether you are | |
31 | already running Hesiod in your network. | |
2604afb1 UD |
32 | |
33 | Configuring NSS | |
34 | --------------- | |
35 | ||
36 | First you should modify the file `/etc/nsswitch.conf' to tell | |
37 | NSS for which database you want to use the Hesiod name service. If | |
38 | you want to use Hesiod for all databases it can handle your | |
39 | configuration file could look like this: | |
40 | ||
41 | # /etc/nsswitch.conf | |
42 | # | |
43 | # Example configuration of GNU Name Service Switch functionality. | |
44 | # | |
45 | ||
46 | passwd: db files hesiod | |
47 | group: db files hesiod | |
48 | shadow: db files | |
49 | ||
50 | hosts: files dns | |
51 | networks: files dns | |
52 | ||
53 | protocols: db files | |
54 | services: db files hesiod | |
55 | ethers: db files | |
56 | rpc: db files | |
57 | ||
58 | For more information on NSS, please refer to the `The GNU C Library | |
59 | Reference Manual'. | |
60 | ||
61 | ||
62 | Configuring Hesiod | |
63 | ------------------ | |
64 | ||
65 | Next, you will have to configure Hesiod. If you are already running | |
66 | Hesiod in your network, you probably already have a file named | |
67 | `hesiod.conf' on your machines (probably as `/etc/hesiod.conf' or | |
2f54c82d UD |
68 | `/usr/local/etc/hesiod.conf'). The Hesiod NSS module looks for |
69 | `/etc/hesiod.conf' by default. If there is no configuration file you | |
70 | will want to create your own. It should look something like: | |
2604afb1 UD |
71 | |
72 | rhs=.your.domain | |
73 | lhs=.ns | |
b399a0c2 UD |
74 | classes=in,hs |
75 | ||
76 | The optional classes settings specifies which DNS classes Hesiod | |
77 | should do lookups in. Possible values are IN (the preferred class) | |
78 | and HS (the deprecated class, still used by some sites). | |
79 | You may specify both classes separated by a comma to try one class | |
80 | first and then the other if no entry is available in the first | |
81 | class. The default value of the classes variable is `IN,HS'. | |
2604afb1 UD |
82 | |
83 | The value of rhs can be overridden by the environment variable | |
2f54c82d | 84 | `HES_DOMAIN'. |
2604afb1 UD |
85 | |
86 | Configuring your name servers | |
87 | ----------------------------- | |
88 | ||
89 | In addition, if you are not already running Hesiod in your network, | |
90 | you need to create Hesiod information on your central name servers. | |
91 | You need to run `named' from BIND 4.9 or higher on these servers, and | |
92 | make them authoritative for the domain `ns.your.domain' with a line in | |
93 | `/etc/named.boot' reading something like: | |
94 | ||
95 | primary ns.your.domain named.hesiod | |
96 | ||
97 | or if you are using the new BIND 8.1 or higher add something to | |
98 | `/etc/named.conf' like: | |
99 | ||
100 | zone "ns.your.domain" { | |
101 | type master; | |
102 | file "named.hesiod"; | |
103 | }; | |
104 | ||
105 | Then in the BIND working directory (usually `/var/named') create the | |
106 | file `named.hesiod' containing data that looks something like: | |
107 | ||
108 | ; SOA and NS records. | |
109 | @ IN SOA server1.your.domain admin-address.your.domain ( | |
110 | 40000 ; serial - database version number | |
111 | 1800 ; refresh - sec servers | |
112 | 300 ; retry - for refresh | |
113 | 3600000 ; expire - unrefreshed data | |
114 | 7200 ) ; min | |
115 | NS server1.your.domain | |
116 | NS server2.your.domain | |
117 | ||
118 | ; Actual Hesiod data. | |
119 | libc.group TXT "libc:*:123:gnu,gnat" | |
120 | 123.gid CNAME libc.group | |
121 | gnu.passwd TXT "gnu:*:4567:123:GNU:/home/gnu:/bin/bash" | |
122 | 456.uid CNAME mark.passwd | |
2f54c82d UD |
123 | nss.service TXT "nss tcp 789 switch sw " |
124 | nss.service TXT "nss udp 789 switch sw" | |
2604afb1 UD |
125 | |
126 | where `libc' is an example of a group, `gnu' an example of an user, | |
127 | and `nss' an example of a service. Note that the format used to | |
128 | describe services differs from the format used in `/etc/services'. | |
129 | For more information on `named' refer to the `Name Server Operations | |
130 | Guide for BIND' that is included in the BIND distribution. | |
131 | ||
132 | ||
133 | Security | |
134 | ======== | |
135 | ||
136 | Note that the information stored in the Hesiod database in principle | |
137 | is publicly available. Care should be taken with including vulnerable | |
138 | information like encrypted passwords in the Hesiod database. There | |
139 | are some ways to improve security by using features provided by | |
140 | `named' (see the discussion about `secure zones' in the BIND | |
141 | documentation), but one should keep in mind that Hesiod was never | |
142 | intended to distribute passwords. In the origional design | |
143 | authenticating users was the job of the Kerberos service. | |
144 | ||
145 | ||
146 | More information | |
147 | ================ | |
148 | ||
149 | For more information on the Hesiod name service take a look at some of | |
150 | the papers in ftp://athena-dist.mit.edu:/pub/ATHENA/usenix and the | |
151 | documentation that accompanies the source code for the Hesiod name | |
152 | service library in ftp://athena-dist.mit.edu:/pub/ATHENA/hesiod. | |
153 | ||
154 | There is a mailing list at MIT for Hesiod users, hesiod@mit.edu. To | |
155 | get yourself on or off the list, send mail to hesiod-request@mit.edu. |