README.hesiod

The GNU C library contains an NSS module for the Hesiod name service.
Hesiod is a general name service for a variety of applications and is
based on the Berkeley Internet Name Daemon (BIND).

Introduction
============

The Hesiod NSS module implements access to all relevant standard
Hesiod types, which means that Hesiod can be used for the `group',
`passwd' and `services' databases. There is however a restriction.
In the same way that it is impossible to use `gethostent()' to iterate
over all the data provided by DNS, it is not possible to scan the
entire Hesiod database by means of `getgrent()', `getpwent()' and
`getservent()'. Besides, Hesiod only provides support for looking up
services by name and not for looking them up by port. In essence this
means that the Hesiod name service is only consulted as a result of
one of the following function calls:

  * getgrnam(), getgrgid()
  * getpwnam(), getpwuid()
  * getservbyname()

and their reentrant counterparts.

Configuring your systems
========================

Configuring your systems to make use of the Hesiod name service requires
one or more of the following steps, depending on whether you are
already running Hesiod in your network.

Configuring NSS
---------------

First you should modify the file `/etc/nsswitch.conf' to tell
NSS for which databases you want to use the Hesiod name service. If
you want to use Hesiod for all databases it can handle, your
configuration file could look like this:

  # /etc/nsswitch.conf
  #
  # Example configuration of GNU Name Service Switch functionality.
  #
  passwd:     db files hesiod
  group:      db files hesiod
  shadow:     db files
  hosts:      files dns
  networks:   files dns
  protocols:  db files
  services:   db files hesiod
  ethers:     db files
  rpc:        db files

For more information on NSS, please refer to `The GNU C Library
Reference Manual'.

Configuring Hesiod
------------------

Next, you will have to configure Hesiod. If you are already running
Hesiod in your network, you probably already have a file named
`hesiod.conf' on your machines (probably as `/etc/hesiod.conf' or
`/usr/local/etc/hesiod.conf'). The Hesiod NSS module looks for
`/etc/hesiod.conf' by default. If there is no configuration file you
will want to create your own. It should look something like:

  rhs=.your.domain
  lhs=.ns
  classes=in,hs

The optional `classes' setting specifies which DNS classes Hesiod
should do lookups in. Possible values are IN (the preferred class)
and HS (the deprecated class, still used by some sites).
You may specify both classes separated by a comma to try one class
first and then the other if no entry is available in the first
class. The default value of the `classes' variable is `IN,HS'.

The value of `rhs' can be overridden by the environment variable
`HES_DOMAIN'.

Configuring your name servers
-----------------------------

In addition, if you are not already running Hesiod in your network,
you need to create Hesiod information on your central name servers.
You need to run `named' from BIND 4.9 or higher on these servers, and
make them authoritative for the domain `ns.your.domain' with a line in
`/etc/named.boot' reading something like:

  primary	ns.your.domain	named.hesiod

or, if you are using the newer BIND 8.1 or higher, add something to
`/etc/named.conf' like:

  zone "ns.your.domain" {
          type master;
          file "named.hesiod";
  };

Then in the BIND working directory (usually `/var/named') create the
file `named.hesiod' containing data that looks something like:

  ; SOA and NS records.
  @	IN	SOA	server1.your.domain admin-address.your.domain (
  			40000		; serial - database version number
  			1800		; refresh - secondary servers
  			300		; retry - for refresh
  			3600000		; expire - unrefreshed data
  			7200 )		; min
  	NS	server1.your.domain
  	NS	server2.your.domain
  ; Actual Hesiod data.
  libc.group	TXT	"libc:*:123:gnu,gnat"
  123.gid	CNAME	libc.group
  gnu.passwd	TXT	"gnu:*:4567:123:GNU:/home/gnu:/bin/bash"
  4567.uid	CNAME	gnu.passwd
  nss.service	TXT	"nss tcp 789 switch sw"
  nss.service	TXT	"nss udp 789 switch sw"

where `libc' is an example of a group, `gnu' an example of a user,
and `nss' an example of a service. The `123.gid' and `4567.uid'
CNAMEs are what make `getgrgid()' and `getpwuid()' lookups resolve to
the same TXT records as the lookups by name. Note that the format used
to describe services differs from the format used in `/etc/services'.

For more information on `named' refer to the `Name Server Operations
Guide for BIND' that is included in the BIND distribution.

Security
========

Note that the information stored in the Hesiod database is in principle
publicly available: anyone who can query your name servers can read it.
Care should be taken with including sensitive information such as
encrypted passwords in the Hesiod database. There are some ways to
improve security by using features provided by `named' (see the
discussion about `secure zones' in the BIND documentation), but one
should keep in mind that Hesiod was never intended to distribute
passwords. In the original design, authenticating users was the job of
the Kerberos service.
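The following is an added example (not code from this README, the glibc NSS module or the Hesiod library). It shows how the `lhs' and `rhs' values from `hesiod.conf' combine into the DNS name a Hesiod lookup asks for, parses the passwd, group and service TXT layouts used in the `named.hesiod' sample above, and audits a zone for passwd or group records that carry more than `*' in the password field, which is the exposure the Security section warns about. The configuration text, the TXT table and the `guest' record with its fake hash are constructed test data.

```python
from collections import namedtuple

# Constructed test data mirroring the README's sample zone; the "guest" record
# is a deliberately bad entry whose password field holds a fake (not real) hash.
HESIOD_CONF = "rhs=.your.domain\nlhs=.ns\nclasses=in,hs\n"
ZONE_TXT = {
    "gnu.passwd.ns.your.domain": ["gnu:*:4567:123:GNU:/home/gnu:/bin/bash"],
    "guest.passwd.ns.your.domain": ["guest:$6$fake$nothash:5000:123:Guest:/home/guest:/bin/sh"],
    "libc.group.ns.your.domain": ["libc:*:123:gnu,gnat"],
    "nss.service.ns.your.domain": ["nss tcp 789 switch sw", "nss udp 789 switch sw"],
}
Passwd = namedtuple("Passwd", "name passwd uid gid gecos home shell")
Group = namedtuple("Group", "name passwd gid members")
Service = namedtuple("Service", "name proto port aliases")

def parse_conf(text):
    """Read hesiod.conf key=value lines; classes defaults to IN,HS as the README says."""
    conf = {"lhs": "", "rhs": "", "classes": "IN,HS"}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            conf[key.strip().lower()] = value.strip()
    return conf

def query_name(name, hes_type, conf):
    """Hesiod asks DNS for <name>.<type><lhs><rhs>, e.g. gnu.passwd.ns.your.domain."""
    return f"{name}.{hes_type}{conf['lhs']}{conf['rhs']}"

def parse_txt(hes_type, txt):
    """Parse one TXT string in the passwd, group or service layout of the zone sample."""
    if hes_type == "service":  # "name proto port [alias ...]", unlike /etc/services
        f = txt.split()
        return Service(f[0], f[1], int(f[2]), f[3:])
    f = txt.split(":")
    if hes_type == "group":
        return Group(f[0], f[1], int(f[2]), [m for m in f[3].split(",") if m])
    return Passwd(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])

def lookup(name, hes_type, conf, table=ZONE_TXT):
    """Offline stand-in for the DNS TXT query the NSS module would send."""
    return [parse_txt(hes_type, t) for t in table.get(query_name(name, hes_type, conf), [])]

def exposed_secrets(table=ZONE_TXT):
    """Zone audit: passwd/group TXT records carrying more than '*' in the password field."""
    bad = []
    for qname, txts in table.items():
        hes_type = qname.split(".")[1]
        if hes_type in ("passwd", "group"):
            bad += [qname for t in txts if parse_txt(hes_type, t).passwd != "*"]
    return bad
```

Running `exposed_secrets()' against a dump of your real zone's TXT records is a quick way to confirm that nothing but `*' is being published in the password field.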

More information
================

For more information on the Hesiod name service take a look at some of
the papers in ftp://athena-dist.mit.edu:/pub/ATHENA/usenix and the
documentation that accompanies the source code for the Hesiod name
service library in ftp://athena-dist.mit.edu:/pub/ATHENA/hesiod.

There is a mailing list at MIT for Hesiod users, hesiod@mit.edu. To
get yourself on or off the list, send mail to hesiod-request@mit.edu.