nsscash (0.2, 2020-01-16)

Last updated 2020-01-16

Nsscash (a pun on cache) is a simple file-based cache for NSS, similar to nsscache. The goal is to distribute users/groups/etc. to multiple systems without having to rely on a (single) stable server. Traditional systems like LDAP or NIS require a stable server, otherwise users/groups cannot be resolved. By distributing the data to all systems, temporary outages of the server cause no issues on the clients. In addition, lookups in the local storage are much faster than remote network access. The local caches are updated by polling via HTTP/HTTPS (for example every minute), downloading new data only if anything has changed.

Nsscash consists of two parts. The first is nsscash, written in Go, which downloads files via HTTP or HTTPS, parses them, creates indices and writes the result to a local file. The second is the NSS module (libnss_cash.so.2), written in C, which provides integration via /etc/nsswitch.conf. It is specifically designed to be very simple and only reads the data prepared by nsscash for lookups. To support quick lookups, in O(log n), the files carry indices.

Nsscash can also be used separately from the NSS module to deploy arbitrary files to many hosts and keep them up-to-date.


Nsscash is very careful when deploying the changes (see the README for details) and has an extensive test suite.

Nsscash is licensed under AGPL version 3 or later.

Requirements

  • Go, for nsscash

    • github.com/pkg/errors

    • github.com/BurntSushi/toml

  • C compiler, for libnss_cash.so.2

  • HTTP(S) server to provide the passwd/group/etc. files

  • The NSS module is only supported on little-endian systems (for now)

Supported Systems

Tested on Debian Buster, but should work on any GNU/Linux system. With adaptations to the NSS module it should work on any UNIX-like system which uses NSS.

Usage

An example configuration file looks like this:

statepath = "/var/lib/nsscash/state.json"
[[file]]
type = "passwd"
url = "https://example.org/passwd"
path = "/etc/passwd.nsscash"
[[file]]
type = "group"
url = "https://example.org/group"
path = "/etc/group.nsscash"
# Optional, but useful to deploy files which are not supported by the
# nsscash NSS module, but by libc's "files" NSS module. nsscash takes care
# of the atomic replacement and updates; a "netgroup: files" entry in
# "/etc/nsswitch.conf" makes the netgroups available.
[[file]]
type = "plain"
url = "https://example.org/netgroup"
path = "/etc/netgroup"

This config fetches the passwd, group and netgroup files from https://example.org/ and writes the results to /etc/.

After manually creating the target paths (nsscash won't create new files, to prevent permission issues: the operator decides owner and mode of the deployed files), run nsscash fetch /path/to/config/nsscash.toml to fetch the files.

To use the users/groups provided by nsscash configure the NSS service in /etc/nsswitch.conf:

passwd:         files cash
group:          files cash
[...]
# Optional
netgroup:       files

Support for client certificates and basic auth is available. Since the fetched files define which users and groups exist on every client, serve them over HTTPS (not plain HTTP) and restrict who can modify the copies on the server. See the README for more detailed instructions, full descriptions of all available options and background information.
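The poll-and-deploy cycle the page describes (download only if something changed, replace the local file carefully, refuse to create missing targets), shown as an added Go example that is not nsscash's own code. It assumes an ETag-based conditional GET and a temp-file-plus-fsync-plus-rename deployment; nsscash's actual state file format, HTTP options and deployment checks are documented in its README, not here. The served passwd lines and the local HTTP test server are constructed stand-ins for https://example.org/passwd.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
)

// fetchIfChanged: conditional GET; on 304 Not Modified it returns (nil, etag, false, nil).
func fetchIfChanged(c *http.Client, url, etag string) ([]byte, string, bool, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, etag, false, err
	}
	if etag != "" {
		req.Header.Set("If-None-Match", etag) // validator remembered from the previous poll
	}
	resp, err := c.Do(req)
	if err != nil {
		return nil, etag, false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusNotModified {
		return nil, etag, false, nil
	}
	if resp.StatusCode != http.StatusOK { // never deploy an error page as passwd data
		return nil, etag, false, fmt.Errorf("GET %s: unexpected status %s", url, resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	return body, resp.Header.Get("ETag"), err == nil, err
}

// deployAtomically: temp file + fsync + rename, so the NSS module never sees a partial file.
func deployAtomically(path string, data []byte) error {
	info, err := os.Stat(path)
	if err != nil { // like nsscash, refuse to create a missing target
		return fmt.Errorf("refusing to create %s: %w", path, err)
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), "."+filepath.Base(path)+".tmp-")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename below has succeeded
	defer tmp.Close()
	if _, err = tmp.Write(data); err != nil {
		return err
	}
	if err = tmp.Chmod(info.Mode().Perm()); err != nil { // CreateTemp made it 0600; restore the target's mode
		return err
	}
	if err = tmp.Sync(); err != nil { // data on disk before it becomes visible
		return err
	}
	return os.Rename(tmp.Name(), path) // the atomic switch-over
}

// runDemo polls a local stand-in for https://example.org/passwd three times into dir/passwd.nsscash.
func runDemo(dir string) (downloads int, content string, err error) {
	const passwd = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/sh\n" // constructed
	etag := fmt.Sprintf("\"%x\"", sha256.Sum256([]byte(passwd)))
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("If-None-Match") == etag {
			w.WriteHeader(http.StatusNotModified)
			return
		}
		w.Header().Set("ETag", etag)
		io.WriteString(w, passwd)
	}))
	defer srv.Close()
	target := filepath.Join(dir, "passwd.nsscash")
	if err = os.WriteFile(target, nil, 0o644); err != nil { // the operator pre-creates the target
		return 0, "", err
	}
	for i, tag := 0, ""; i < 3; i++ {
		body, newTag, changed, err := fetchIfChanged(srv.Client(), srv.URL+"/passwd", tag)
		if err == nil && changed {
			downloads++
			err = deployAtomically(target, body)
		}
		if err != nil {
			return downloads, "", err
		}
		tag = newTag
	}
	got, err := os.ReadFile(target)
	return downloads, string(got), err
}

func main() {
	dir, _ := os.MkdirTemp("", "nsscash-demo-") // a failure here surfaces through runDemo
	defer os.RemoveAll(dir)
	n, content, err := runDemo(dir)
	fmt.Printf("downloads over 3 polls: %d (err: %v)\n%s", n, err, content)
}
```

Of the three polls only the first transfers a body; the other two get 304 and leave the deployed file untouched. The Chmod step matters in practice: a temp file is created with mode 0600, and deploying it as-is would make the cache unreadable to unprivileged processes doing lookups, which is why the deployed file keeps the mode of the file the operator created.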

Download

Current development happens in the git repository (also browsable via Gitweb):

git clone https://ruderich.org/simon/nsscash/nsscash.git
