Skip to content
/ nss_gate Public

NSS module for Name Service Switch for Gate SSO supporting users, groups, password and shadow functions

License

MIT license
3 stars 8 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

gate-sso/nss_gate

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
examples
examples
 
 
libnss_http
libnss_http
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

nss_gate

nss_gate is Unix/Linux Name Service Switch providing user, groups and shadow lookup over http using gate-sso server. GateSSO in turn uses Google MFA to authenticate - so you can actually allow MFA on Linux prompt using nss_gate.

This module enables you to authenticate users against any http based server so that you don't have to create new users on each box and centrally control user access.

  • Provides user lookup over http
  • Provides group lookup over http

This module was forked from opensource nss_http implementation, but this has become much more configurable. Given that it has similarities only about the way nss functions are implemented, this needs a new home, now it's here complementing our gate mfa server as a nice nss module.

Configuration & installation

  • Check out the module from this repo

  • In the libnss_http directory:

     make
 sudo make install

  • You'll need to have jansson, yaml and curl libraries and development headers installed. eg for Ubuntu

    sudo apt-get install libcurl4-openssl-dev libjansson-dev libyaml-dev

  • You may have to modify Makefile for appropriate destination

  • Once the module is compiled and installed, please place libnss_http.so.2 into /lib/x86_64*/ on ubuntu or find where other nss modules are installed and put it over there.

  • create directory /etc/gate and put nss.yml with following configuration

        		nss_http:
   			host_url: https://<gate-sso-server>/nss
   			api_key: <EXAMPLE TOKEN>

  • Now if you issue getent passwd - then you should see remote users in the list

  • You should run check_nss and it should print configuration for nss_http

Old Description

This is a simple Name Service Switch module that I wrote in order to quickly
extend nss via an HTTP server that runs on localhost. __This is seriously not
meant to be used in a production environment. Not only is it inefficient but
I'm extremely rusty with C and there are likely overflow errors and other
security problems. Use at your own enjoyment.__

The above is old description

I forked to make two changes.

  1. Include YAML support so that we can read from yaml file instead of hardcoded server
  2. Include path support so that we can get what we want over public URL but with token - so that it can be secure.

With this module, I made it generic and now it hits our own opensource mfa server to give user's appropriate access.

Installation

In the libnss_http directory:

make
sudo make install

You'll need to have libjansson and libcurl installed.

sudo apt-get install libcurl4-openssl-dev libjansson-dev libyaml-dev

Configuration

Once the module is installed on your system you just have to modify the /etc/nsswitch.conf for the appropriate service you want to utilize the http server on. The service name is http and currently supports the passwd, group, shadow databases.

e.g. /etc/nsswitch.conf

passwd:         http compat
group:          http compat
shadow:         http compat

API

By default nss_http expects a server to be listening on 127.0.0.1:9669. This is compiled in and can be modified in the nss_http.h file. I have provided an example server in the examples directory though I'll describe the API below.

Endpoints

/passwd

The /passwd endpoint should return an array of password objects as described below:

[
    {
        pw_name: "gary",
        pw_passwd: "x",
        pw_uid: 100,
        pw_gid: 100,
        pw_gecos: "User Information",
        pw_dir: "/home/gary",
        pw_shell: "/bin/bash"
    }
]

See man 3 getpwent for more information about the passwd struct.

The passwd endpoint should expect to receive 1 of 2 mutually exclusive query parameters. name, containing a username or uid containing a user id. If either of these query parameters are received, a single object should be returned for the requested username/uid.

/group

The /group endpoint should return an array of group objects as described below:

[
    {
        gr_name: "users",
        gr_passwd: "x",
        gr_gid: 101,
        gr_mem: ["gary", "carolyn"]
    }
]

See man 3 getgrent for more information about the group struct.

The group endpoint should expect to receive 1 of 2 mutually exclusive query parameters. name, containing a username or gid containing a group id. If either of these query parameters are received, a single object should be returned for the requested groupname/gid.

/shadow

The /shadow endpoint should return an array of shadow objects as described below:

[
    {
        sp_namp: "gary",
        sp_pwdp: "<encrypted password>",
        sp_lstchg: 16034,
        sp_min: 0,
        sp_max: 99999,
        sp_warn: 7,
        sp_inact: null,
        sp_expire: null,
        sp_flag: null
    }
]

See man 3 getspent for more information about the shadow struct.

The shadow endpoint should expect to receive a query parameter of name, containing a username. If this query parameter is received, a single object should be returned for the requested username.

Sources

There were a lot of sources involved with completion of this project but the major ones were the following:

About

NSS module for Name Service Switch for Gate SSO supporting users, groups, password and shadow functions

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

3 stars

Watchers

1 watching

Forks

8 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages