Andrés J. Díaz

libnss_map

A NSS library to map user credentials to existent user in the system. The idea behind libnss_map is to provide a way to authenticate users without any user database, which is usefull in large distributed environments where keep a consistent user db is not easy.

Latest stable relases:

Source:releases/libnss_map-1.0.tar.gz
Signature:releases/libnss_map-1.0.tar.gz.asc

Show all releases
Github page

Contents:


README

The libnss_map module
=====================

The libnss_map module is a NSS library to map user credentials to existent
user in the system. This module is intended to be used in high virtualized
environment like cloud computing or embedded systems which require a lot of
users.

When a new user has been authenticated by PAM or other authentication
mechanism, then the nss_map module create a virtual user when credentials
mapped to an existent user. For example, suppose here are a user virtual,
created a la standard way on /etc/passwd:

    virtual:x:15000:15000:virtual user for nss_map:/dev/null:/sbin/nologin

Then edit the /etc/nssmap.conf
file:

    virtual:x:15000:15000:virtual user for nss_map:/home/virtual:/bin/bash

Note that the user directory is really a base dir in nssmap, each new user
can search their home in ``/home/virtual/logname'', where logname is the
name used by user to login, and the /home/virtual is the prefix setted in
nssmap.conf.

What about mapped groups? nss_map support mapped roles as groups. It's
useful to maintain a list of roles in your systems, like operators,
sysadmins, dbas etc. The first try is to add the virtual user to a number of
groups in the usual way, so all users extends this groups. On the other hand
if you need a more granular group control you need to use a per user
nss_map configuration. Obviously the groups must be exists on any nss
switchable mechanism.

The file ``~/.nssmaprc'' on home dir (i.e. the base dir plus the logname) of
the user can contain a single mapping for groups. This file is a plaintext
file owner by root:root with 400 permissions which contain a list of group
names in the form of classic ``/etc/group'':

    wheel:x:10:usera


Security considerations
-----------------------
The security is not the main focus of nss_map, so bugs and exploits will be
available soon, get are some easy-to-remember rules to keep your maps
safety:

1. Don't use group maps if it's don't required.
2. If you need group maps then be sure that the ``~/.nssmaprc'' file has
   0644 permissions are it's owner is root.
3. The LOGNAME environment variable is used by nss_map to get the currently
   user name to put on file listing or process list. Also the same variable
   is used by nss_map to map group, so check that the LOGNAME variable is 
   readonly for user process.

About compilation
-----------------
If you need to enable debug support only put the following line on config.mk
file at the top path of libnss_map source code:

    $ cat > config.mk <<EOF
    CFLAGS += -DDEBUG
    EOF

Enjoy!


CONTRIBUTE

If you find any error in the code or incorrect behaviour, please do not hesitate to report me at ajdiaz+libnss_map at ajdiaz.me.

The mainstream code is keep under git control, you can clone as usual:

git clone git://git.ajdiaz.me/ajdiaz/libnss_map.git

Also you can open a issue in github mirror.


Andrés J. Díaz <ajdiaz at ajdiaz.me>.
GPG Key: 90ADF27A6AA55A789738CDB15369AA4171B5139C. GPG Key Signing Policy.
Accesible by Ghoper