Hesiod (name service)

From Wikipedia, The Free Encyclopedia

In computing, the Hesiod name service originated in Project Athena (1983–1991).[1] It uses the DNS to distribute databases of information that change infrequently. In Unix environments it often serves to distribute the information kept in the /etc/passwd, /etc/group, and /etc/printcap files, among others. An LDAP server is frequently used to distribute the same kind of information that Hesiod does; however, because Hesiod can leverage existing DNS servers, deploying it on a network is fairly easy.


In a Unix-like system users usually have a line in the /etc/passwd file for each local user like:

foo:x:100:10:Foo Bar:/home/foo:/bin/sh

This line is composed of seven colon-separated fields which hold the following data:

  1. user login name (string);
  2. password hash or "x" if shadow password file is in use (string);
  3. user id (unsigned integer);
  4. user's primary group id (unsigned integer);
  5. Gecos field (four comma separated fields, string);
  6. user home directory (string);
  7. user login shell (string).

This system works fine for a small number of users on a small number of machines. But when more users start using more machines, having this information managed in one location becomes critical. This is where Hesiod enters.

Instead of having this information stored on every machine, Hesiod stores it in records on your DNS server. Then each client can query the DNS server for this information instead of looking for it locally. In BIND the records for the above user might look something like:

foo.passwd.ns.example.net  HS  TXT  "foo:x:100:10:Foo Bar:/home/foo:/bin/sh"
100.passwd.ns.example.net  HS  TXT  "foo:x:100:10:Foo Bar:/home/foo:/bin/sh"
100.uid.ns.example.net     HS  TXT  "foo:x:100:10:Foo Bar:/home/foo:/bin/sh"

There are three records because the system needs to be able to access the information in different ways. The first record supports looking up the user by login name; the second two allow a lookup by the user's uid. Note the use of the HS class instead of the usual IN: the Domain Name System reserves a class (HS, class value 4 in RFC 1035) specifically for Hesiod's purpose.

On the client side some configuration also needs to happen. The /etc/hesiod.conf file for this setup might look something like:

rhs=.example.net
lhs=.ns
classes=HS, IN

The /etc/resolv.conf file must point at the name servers that carry the Hesiod records. Then:

$ hesinfo foo passwd
foo:x:100:10:Foo Bar:/home/foo:/bin/sh

What happens here is that the name foo and the type passwd are combined with the lhs and rhs values from /etc/hesiod.conf to form the fully qualified name foo.passwd.ns.example.net. The DNS server is then queried for that name in the configured classes and returns the value of the TXT record. Because the answer arrives over ordinary DNS, it carries no authentication beyond whatever the resolver itself provides, which is why the password field of a Hesiod passwd record is "x" and authentication is left to a separate mechanism.
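The round trip described above, from a passwd line to the three HS TXT records and back through the client-side name construction, as an added example that is not part of the original article, of the Hesiod distribution, or of glibc's nss_hesiod module. The .ns/.example.net names and the user foo are the article's; the in-memory ZONE dictionary is a constructed stand-in for the DNS server so the script runs offline, and the check in hesinfo() that the returned entry actually describes the name or uid that was asked for is this example's own addition, not something the page describes.

```python
"""Hesiod passwd plumbing, end to end: parse a passwd(5) line, emit the three
HS TXT records shown in the article, and reproduce the owner-name construction
that hesinfo performs from /etc/hesiod.conf.

Added illustration; not code from the Hesiod distribution or from glibc.
The ZONE dictionary below is a constructed stand-in for a real DNS server.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str     # "x": the hash lives elsewhere (or, with Hesiod, nowhere in DNS)
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @classmethod
    def parse(cls, line: str) -> "PasswdEntry":
        """Split one passwd(5) line into its seven colon-separated fields."""
        parts = line.rstrip("\n").split(":")
        if len(parts) != 7:
            raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
        name, passwd, uid, gid, gecos, home, shell = parts
        return cls(name, passwd, int(uid), int(gid), gecos, home, shell)

    def line(self) -> str:
        return ":".join((self.name, self.passwd, str(self.uid), str(self.gid),
                         self.gecos, self.home, self.shell))


def parse_hesiod_conf(text: str) -> Dict[str, object]:
    """Read the lhs, rhs and classes settings from /etc/hesiod.conf text."""
    conf: Dict[str, object] = {"lhs": "", "rhs": "", "classes": ["HS", "IN"]}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "classes":
            conf[key] = [c.strip().upper() for c in value.split(",") if c.strip()]
        elif key in ("lhs", "rhs"):
            conf[key] = value
    return conf


def hesiod_name(conf: Dict[str, object], name: str, hes_type: str) -> str:
    """<name>.<type><lhs><rhs>, e.g. foo.passwd.ns.example.net."""
    return f"{name}.{hes_type}{conf['lhs']}{conf['rhs']}"


def txt_rdata(value: str) -> str:
    """Quote a string for a BIND TXT record, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def zone_records(entry: PasswdEntry, conf: Dict[str, object]) -> List[str]:
    """The three HS TXT records: by login under passwd, by uid under passwd
    and under uid, so the client can resolve in either direction."""
    rdata = txt_rdata(entry.line())
    owners = [hesiod_name(conf, entry.name, "passwd"),
              hesiod_name(conf, str(entry.uid), "passwd"),
              hesiod_name(conf, str(entry.uid), "uid")]
    return [f"{owner:<26} HS  TXT  {rdata}" for owner in owners]


HESIOD_CONF = "rhs=.example.net\nlhs=.ns\nclasses=HS, IN\n"   # the article's config
CONF = parse_hesiod_conf(HESIOD_CONF)
FOO = PasswdEntry.parse("foo:x:100:10:Foo Bar:/home/foo:/bin/sh")

# Constructed stand-in for the HS-class TXT data the DNS server would return
# (owner name -> unquoted TXT string).
ZONE: Dict[str, str] = {rec.split()[0]: FOO.line() for rec in zone_records(FOO, CONF)}


def hesinfo(name: str, hes_type: str, conf=CONF, zone=ZONE) -> Optional[PasswdEntry]:
    """What `hesinfo <name> <type>` does: build the owner name and fetch its
    TXT record.  The consistency check is this example's own: an answer that
    names a different principal (a stale or spoofed record) is rejected."""
    fqdn = hesiod_name(conf, name, hes_type)
    txt = zone.get(fqdn)
    if txt is None:
        return None
    entry = PasswdEntry.parse(txt)
    if hes_type == "uid" or name.isdigit():
        ok = str(entry.uid) == name
    else:
        ok = entry.name == name
    if not ok:
        raise ValueError(f"{fqdn} answered with entry for {entry.name!r} uid {entry.uid}")
    return entry


if __name__ == "__main__":
    print("\n".join(zone_records(FOO, CONF)))
    print(hesiod_name(CONF, "foo", "passwd"))
    print(hesinfo("foo", "passwd").line())
```

Run stand-alone, the script prints the three zone lines from the article, the composed name foo.passwd.ns.example.net, and the passwd line that `hesinfo foo passwd` would print. Replacing the ZONE lookup with a real HS-class TXT query is the only change needed to talk to a live server; the uid/name consistency check is worth keeping there, since nothing in plain DNS stops a 100.uid record from answering with some other account's line.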


References

  1. Jennifer G. Steiner; Daniel E. Geer, Jr. (21 July 1988). "Network Services in the Athena Environment". Proceedings of the Winter 1988 Usenix Conference. CiteSeerX 10.1.1.31.8727.