Changes between Initial Version and Version 1 of NSS


Timestamp: 01/19/11 10:03:09
Author: geofft
NSS is the "Name Service Switch"; it allows the standard C library to support pluggable sources of naming information. In the bad old days, everything was hard-coded to use `/etc/passwd` to find users. This meant that the Athena login process had to look up a user in [wiki:Hesiod] and add their passwd entry to that file when they logged in (and usually remove it when they logged out). Now all we need to do is install the libnss-hesiod package and configure `/etc/nsswitch.conf` (and `/etc/hesiod.conf`) appropriately, and everything works: all users are automatically available to the system without anyone having to touch `/etc/passwd`.

Of course this depends on applications having the foresight to use the standard C library functions for reading passwd entries, but most of them do; even in the bad old days, calling `getpwnam` was easier than parsing `/etc/passwd` by hand.

As compared with [wiki:PAM], NSS provides identity information. PAM builds on that to do authentication and then authorization. In other words, NSS is what makes accounts exist on your machine, and PAM controls who can log in to them.

=== Types of name service data ===

NSS supports the following useful types of data (nsswitch.conf(5) calls them databases), among others:
 * '''passwd''': usernames, UIDs, primary GIDs, real names, shells, and home directories, e.g.,
{{{
sipb0:*:12156:65534:Guest0 Sipb,,,,:/mit/sipb0:/bin/athena/tcsh
}}}
 * '''group''': group names, GIDs, and membership, e.g.,
{{{
fuse:x:104:pyhesiodfs
}}}
 * '''hosts''': hostnames and addresses, e.g.,
{{{
18.9.22.69      web.mit.edu
}}}
 * '''services''': service names and port numbers, e.g.,
{{{
ircd                  6667/tcp
}}}

See `nsswitch.conf`(5) for a complete list. All of these are traditionally configured by a file in /etc of the same name.

=== NSS services ===

If you just want to use /etc/''foo'' for the ''foo'' database, then you can use the "files" service, provided by `/lib/libnss_files.so.2`. There are some other backends, including "nis" for NIS/YP ("nisplus" for NIS+), and "db" if you carry around local data big enough to be worth indexing in a Berkeley DB.

The NSS backend we use most is "hesiod", which supports lookups for all of the data that you can keep in [wiki:Hesiod]. One thing it does not support is enumerating all the data; you can't read through all of Hesiod the way you can just read all of a file.

The other useful backend is "dns", which supports the "hosts" database.

One other extremely important backend is "nonlocal", which the Debathena project developed. This backend looks up a database in a less-trusted source while applying certain restrictions intended to keep your system safe from that source's data. For instance, a user in a nonlocal data source cannot claim to be in a local group. This is very important for us because DNS (which powers Hesiod) is easy to spoof; even if it weren't, you might not want to trust that there's no bug in the Athena server software that generates this data. See NssNonlocal for more information.
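
To make the nonlocal restriction concrete, here is an added example written for this page; it is not nss_nonlocal's code, and NssNonlocal documents the real rules. It parses passwd- and group-format lines as an untrusted source would hand them back and drops any that would impersonate a local account, use a local group as a primary group, or redefine a local group, checking against a constructed stand-in for the local /etc/passwd and /etc/group. The Hesiod `root` entry shown under "Looking things up in NSS" (uid 0) is exactly the sort of record it refuses, and the ID parser is strict because a spoofed DNS answer is under no obligation to contain well-formed numbers. The function and table names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for this machine's local /etc/passwd and /etc/group
 * (sample data for the example, not a real Athena host; a real filter would
 * consult the "files" backend instead). */
struct local_user  { const char *name; long uid; };
struct local_group { const char *name; long gid; };
static const struct local_user  local_users[]  = { {"root", 0}, {"daemon", 1} };
static const struct local_group local_groups[] = { {"root", 0}, {"adm", 4}, {"sudo", 27}, {"fuse", 104} };
#define NELEM(a) (sizeof (a) / sizeof (a)[0])

/* Does (name, id) collide with a local entry? name may be NULL to check the id only. */
static int local_user_conflict(const char *name, long uid) {
    for (size_t i = 0; i < NELEM(local_users); i++)
        if (local_users[i].uid == uid || (name && strcmp(local_users[i].name, name) == 0)) return 1;
    return 0;
}
static int local_group_conflict(const char *name, long gid) {
    for (size_t i = 0; i < NELEM(local_groups); i++)
        if (local_groups[i].gid == gid || (name && strcmp(local_groups[i].name, name) == 0)) return 1;
    return 0;
}

/* Split buf in place on ':' into at most max fields; returns the count found. */
static int split_colon(char *buf, char **fields, int max) {
    int n = 0;
    for (char *p = buf; p != NULL && n < max; ) {
        fields[n++] = p;
        char *colon = strchr(p, ':');
        if (colon == NULL) break;
        *colon = '\0';
        p = colon + 1;
    }
    return n;
}

/* Strict decimal ID parse: no sign, no empty string, no trailing junk.
 * A spoofed record carrying "0abc" or " 0" must not slip through as root. */
static int parse_id(const char *s, long *out) {
    if (*s < '0' || *s > '9') return -1;
    errno = 0;
    char *end;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0') return -1;
    *out = v;
    return 0;
}

/* Decide whether a passwd line from an untrusted (nonlocal) source may be
 * surfaced. Returns 1 to accept, 0 to drop: malformed, or it would
 * impersonate a local account or claim a local group as its primary group. */
int check_nonlocal_passwd(const char *line) {
    char buf[512], *f[7];
    long uid, gid;
    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);
    if (split_colon(buf, f, 7) < 7) return 0;
    if (parse_id(f[2], &uid) != 0 || parse_id(f[3], &gid) != 0) return 0;
    if (local_user_conflict(f[0], uid)) return 0;
    if (local_group_conflict(NULL, gid)) return 0;
    return 1;
}

/* Same decision for a group line: a nonlocal source may not redefine a
 * local group, by name or by GID. */
int check_nonlocal_group(const char *line) {
    char buf[512], *f[4];
    long gid;
    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);
    if (split_colon(buf, f, 4) < 4) return 0;
    if (parse_id(f[2], &gid) != 0) return 0;
    if (local_group_conflict(f[0], gid)) return 0;
    return 1;
}

int main(void) {
    /* The first two passwd lines are the ones shown on this page; the rest are constructed. */
    const char *passwd_lines[] = {
        "sipb0:*:12156:65534:Guest0 Sipb,,,,:/mit/sipb0:/bin/athena/tcsh",
        "root:*:0:101:Wizard A Root,,,,:/mit/root:/bin/csh",
        "mallory:*:0abc:101:Not Root,,,,:/mit/mallory:/bin/sh",
    };
    const char *group_lines[] = { "fuse:*:104:sipb0", "wheel:*:27:sipb0", "sipb:*:12345:sipb0" };
    for (size_t i = 0; i < NELEM(passwd_lines); i++)
        printf("passwd %-7s %s\n", check_nonlocal_passwd(passwd_lines[i]) ? "accept" : "DROP", passwd_lines[i]);
    for (size_t i = 0; i < NELEM(group_lines); i++)
        printf("group  %-7s %s\n", check_nonlocal_group(group_lines[i]) ? "accept" : "DROP", group_lines[i]);
    return 0;
}
```

A dropped record should surface to callers as "not found" rather than as a partially trusted entry; a lookup that quietly fell back to a local UID would be worse than no lookup at all.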

Another useful backend is "afspag", which is only valid for the "group" database. Since AFS PAGs (process authentication groups) are represented as normal groups in your supplementary group list, this gives them vaguely useful names so that it doesn't look like you're in nonexistent groups.

=== nsswitch.conf ===

All together, a basic nsswitch.conf for Athena would look something like
{{{
passwd:   files hesiod
group:    files hesiod afspag
hosts:    files dns
services: files
networks: files
...
}}}
Sources are tried left to right, and by default the first one that has an answer wins, so an entry in /etc/passwd always beats the Hesiod entry of the same name.

In practice, because of NssNonlocal, it looks more like
{{{
passwd: files nonlocal
passwd_nonlocal: hesiod
}}}
etc.

=== Looking things up in NSS ===

From the command line, you can use the `getent` program to perform a query, e.g.,
{{{
dr-wily:~ geofft$ getent passwd root
root:x:0:0:root:/root:/bin/bash
}}}
Note that this entry, from /etc/passwd, is overriding the slightly different entry for root in Hesiod, because "files" comes first in nsswitch.conf:
{{{
dr-wily:~ geofft$ hesinfo root passwd
root:*:0:101:Wizard A Root,,,,:/mit/root:/bin/csh
}}}
Also note that the argument order is backwards between `getent` (database, then key) and `hesinfo` (name, then type).

For the programmer, NSS is what provides most of the functions starting with "get" in the C library, e.g., `getpwnam`, `getpwuid`, `getgrnam`, `gethostbyname`, `getservbyport`, and so on, together with their reentrant `_r` variants.
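
As an added example (not from the original page), here is how a program would drive those functions through NSS, and the caveat they carry: the non-reentrant `getpwnam` returns NULL both for "no such user" and for "lookup failed", which matters once the sources after "files" include a network service such as Hesiod that can time out. The reentrant `getpwnam_r` reports the two cases separately, and this code keeps them separate. The names `nss_ids_of`, `nss_name_of` and `nss_groups_of` are this example's own; the default run assumes a host with a `root` account of uid 0.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* getgrouplist and the _r calls under strict compilers */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum lookup_result { LOOKUP_FOUND = 0, LOOKUP_NOT_FOUND = 1, LOOKUP_ERROR = -1 };

/* Classify a getpw*_r return. "Not found" is rc == 0 with result == NULL;
 * getpwnam_r(3) also lists ENOENT/ESRCH/EBADF/EPERM as "not found" codes
 * some backends use. Anything else (ERANGE: buffer too small, EIO, ENOMEM,
 * a backend that failed) is a failed lookup, which a caller must never
 * treat as "this user does not exist". */
static enum lookup_result classify(int rc, const struct passwd *result) {
    if (rc == 0) return result != NULL ? LOOKUP_FOUND : LOOKUP_NOT_FOUND;
    if (rc == ENOENT || rc == ESRCH || rc == EBADF || rc == EPERM) return LOOKUP_NOT_FOUND;
    return LOOKUP_ERROR;
}

/* Username -> (uid, primary gid) via whatever passwd sources nsswitch.conf
 * lists, using the reentrant call so another lookup in this process cannot
 * overwrite the answer underneath us. */
enum lookup_result nss_ids_of(const char *name, uid_t *uid, gid_t *gid) {
    struct passwd pw, *result = NULL;
    char buf[16384];  /* holds any sane entry; sysconf(_SC_GETPW_R_SIZE_MAX) is only a hint */
    int rc = getpwnam_r(name, &pw, buf, sizeof buf, &result);
    enum lookup_result r = classify(rc, result);
    if (r == LOOKUP_FOUND) { *uid = pw.pw_uid; *gid = pw.pw_gid; }
    return r;
}

/* uid -> username, copied out so the caller does not alias our stack buffer. */
enum lookup_result nss_name_of(uid_t uid, char *name_out, size_t name_len) {
    struct passwd pw, *result = NULL;
    char buf[16384];
    int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &result);
    enum lookup_result r = classify(rc, result);
    if (r != LOOKUP_FOUND) return r;
    if (strlen(pw.pw_name) >= name_len) return LOOKUP_ERROR;
    strcpy(name_out, pw.pw_name);
    return LOOKUP_FOUND;
}

/* The supplementary group list login computes for a user (initgroups(3)
 * does the same work internally): this is what the "group:" line, including
 * afspag or nonlocal, feeds. Returns the count, or -1 if max is too small. */
int nss_groups_of(const char *name, gid_t primary, gid_t *groups, int max) {
    int n = max;
    if (getgrouplist(name, primary, groups, &n) == -1) return -1;
    return n;
}

int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "root";
    uid_t uid = 0; gid_t gid = 0;
    switch (nss_ids_of(name, &uid, &gid)) {
    case LOOKUP_NOT_FOUND:
        printf("%s: no such user in any configured source\n", name);
        return 1;
    case LOOKUP_ERROR:
        printf("%s: lookup failed; refusing to guess\n", name);
        return 2;
    case LOOKUP_FOUND:
        break;
    }
    printf("%s -> uid %lu, primary gid %lu\n", name, (unsigned long)uid, (unsigned long)gid);

    char back[256];
    if (nss_name_of(uid, back, sizeof back) == LOOKUP_FOUND && strcmp(back, name) != 0)
        printf("note: uid %lu resolves back to %s, not %s (an earlier source wins)\n",
               (unsigned long)uid, back, name);

    gid_t groups[256];
    int n = nss_groups_of(name, gid, groups, 256);
    if (n < 0) { printf("more than 256 groups\n"); return 0; }
    printf("%d group(s):", n);
    for (int i = 0; i < n; i++) printf(" %lu", (unsigned long)groups[i]);
    printf("\n");
    return 0;
}
```

Run it as `./nsslookup sipb0` on an Athena machine to see the Hesiod (or nonlocal) entry come back through the same call that serves `root` from /etc/passwd; the reverse lookup in `main` is the programmatic form of the `getent`/`hesinfo` comparison above, where the first source listed in nsswitch.conf wins.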