Yuan Yijun (bbbush) wrote,

Reading the SSSD documentation

  • What is NSS?
Name Service Switch https://en.wikipedia.org/wiki/Name_Service_Switch
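  • The NSS documentation mentions nsswitch.conf and calls the various sources "databases". Where is the protocol here, and where is the data schema? Is everything hard-wired? NSS is implemented in the C library, so how can the C library support such specialized protocols, like user, host, passwd, automount and so on? What does "module" mean?
https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html This link comes from Wikipedia and points to the GNU C Library documentation.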
Various functions in the C Library need to be configured to work correctly in the local environment. Traditionally, this was done by using files (e.g., /etc/passwd), but other nameservices (like the Network Information Service (NIS) and the Domain Name Service (DNS)) became popular, and were hacked into the C library, usually with a fixed search order (see frobnicate).

The GNU C Library contains a cleaner solution of this problem. It is designed after a method used by Sun Microsystems in the C library of Solaris 2. The GNU C Library follows their name and calls this scheme Name Service Switch (NSS).

Though the interface might be similar to Sun's version there is no common code. We never saw any source code of Sun's implementation and so the internal interface is incompatible. This also manifests in the file names we use as we will see later.

https://www.gnu.org/software/libc/manual/html_node/Services-in-the-NSS-configuration.html#Services-in-the-NSS-configuration says:

28.2.1 Services in the NSS configuration File

The above example file mentions five different services: files, db, dns, nis, and nisplus. This does not mean these services are available on all sites and it does also not mean these are all the services which will ever be available.

In fact, these names are simply strings which the NSS code uses to find the implicitly addressed functions. The internal interface will be described later. Visible to the user are the modules which implement an individual service.

Assume the service name shall be used for a lookup. The code for this service is implemented in a module called libnss_name. On a system supporting shared libraries this is in fact a shared library with the name (for example) libnss_name.so.2. The number at the end is the currently used version of the interface which will not change frequently. Normally the user should not have to be cognizant of these files since they should be placed in a directory where they are found automatically. Only the names of all available services are important.
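
The naming rule quoted above, worked through as an added example (not from the glibc manual or from this post): it parses an nsswitch.conf-style file and lists the libnss_*.so.2 module each database resolves to. The sample file contents and the helper names are constructed for illustration.

```python
import re

# Constructed sample in nsswitch.conf syntax (not taken from the page).
SAMPLE_NSSWITCH = """\
# database: services, tried left to right
passwd:     files sss
group:      files sss
hosts:      files dns [NOTFOUND=return] nis   # trailing comment
automount:  files sss
"""

# The manual's example file name is libnss_name.so.2; 2 is the interface version.
NSS_INTERFACE_VERSION = 2

# Bracketed items such as [NOTFOUND=return] are lookup actions, not services.
ACTION_RE = re.compile(r"\[[^\]]*\]")


def parse_nsswitch(text):
    """Return {database: [service, ...]} preserving lookup order."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, services = line.split(":", 1)
        databases[database.strip()] = ACTION_RE.sub(" ", services).split()
    return databases


def module_for(service):
    """Map a service string to the shared library that implements it."""
    return f"libnss_{service}.so.{NSS_INTERFACE_VERSION}"


def modules_by_database(text):
    return {db: [module_for(s) for s in svcs]
            for db, svcs in parse_nsswitch(text).items()}


def distinct_modules(text):
    """Every module the file can cause to be loaded: the set worth auditing."""
    return sorted({m for mods in modules_by_database(text).values() for m in mods})


if __name__ == "__main__":
    for db, mods in modules_by_database(SAMPLE_NSSWITCH).items():
        print(f"{db:10} -> {', '.join(mods)}")
    print("audit:", distinct_modules(SAMPLE_NSSWITCH))
```

In the sample, the `sss` service resolves to libnss_sss.so.2, which is the NSS module SSSD installs.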

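  • What is SSSD?
https://fedoraproject.org/wiki/Features/SSSD Fedora wiki. Going by this description, it basically implements a Windows feature: while offline you can still log in to a laptop with a domain account, and the next time the machine is online the latest account information is updated automatically.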

System Security Services Daemon (SSSD)


This project provides a set of daemons to manage access to remote directories and authentication mechanisms, it provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA.

Detailed Description

The SSSD is intended to provide several key feature enhancements to Fedora. The first and most visible will be the addition of offline caching for network credentials. Authentication through the SSSD will potentially allow LDAP, NIS, and FreeIPA services to provide an offline mode, to ease the use of centrally managing laptop users.

The LDAP features will also add support for connection pooling. All communication to the ldap server will happen over a single persistent connection, reducing the overhead of opening a new socket for each request. The SSSD will also add support for multiple LDAP/NIS domains. It will be possible to connect to two or more LDAP/NIS servers acting as separate user namespaces.

An additional feature of the SSSD will be to provide a service on the system D-BUS called InfoPipe. This service will act as a central authority on extended user information such as face browser images, preferred language, etc. This will replace the existing system consisting predominately of hidden configuration files in the user's home directory, which may not be available if the home directory has not yet been mounted by autofs.

The SSSD is being developed alongside the FreeIPA project. Part of its purpose will be to act as an IPA client to enable features such as machine enrollment and machine policy management. SSSD will provide a back-end to the newly redesigned PolicyKit for central management of policy decisions.

Benefit to Fedora

  • Laptop users will have offline access to their network logons, eliminating the need for local laptop accounts when traveling.
  • Desktop developers will have access to the new InfoPipe, allowing them to migrate towards using a more consistent approach for storing and retrieving extended user information.
  • The SSSD will simplify enrollment into FreeIPA network domains, as it will provide the FreeIPA client software.
  • The design of the SSSD will allow other services such as LDAP, NIS and FreeIPA to take advantage of the caching and offline features.
https://fedorahosted.org/sssd/wiki/DesignDocs SSSD documentation. It started at version 0.1 at the time of Fedora 11 and is now at 1.9.x; higher versions and 2.x are also in development. The full rpm changelog can be seen in Koji.
https://plus.google.com/114204339376082660377/posts G+ posts
https://fedorahosted.org/sssd/wiki/DesignDocs/Netgroups http://directory.fedoraproject.org/wiki/Howto:Netgroups The netgroup concept
http://jhrozek.livejournal.com/2500.html Using SSSD to cache and centrally manage automount. It feels similar to setting up a network mapped drive in AD. I feel that everything is better off centrally managed, including the InfoPipe mentioned in SSSD's original design.
  • What is an identity provider?
https://en.wikipedia.org/wiki/Identity_provider Identity provider
  • What is IPA?
http://www.freeipa.org/page/IPA_Client_Design_Overview FreeIPA, Identity, Policy, and Audit
  • FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 (formerly known as Fedora Directory Server), MIT Kerberos, NTP, DNS. It consists of a web interface and command-line administration tools.
  • In IPA v2 we added DNS and Dogtag Certificate Server, enhanced administrative framework, added support for host identities, netgroups, automount per location and more.
http://www.freeipa.org/page/About What is FreeIPA

What is Free IPA?

FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.

IPA takes advantage of different technologies:

  • MIT KDC - core of the IPA's authentication.
  • 389 Directory Server - back end where IPA keeps all data.
  • Dogtag Certificate System - IPA includes CA & RA for certificate management functions.
  • SSSD - client side component that integrates IPA as an authentication and identity provider in a better way than traditional NSS & PAM.

What's Available in FreeIPA Now? What's in the Pipeline?

FreeIPA (so far) is an integrated solution combining

  • Linux (currently Fedora)
  • 389 Directory Server
  • MIT Kerberos
  • NTP
  • DNS (IPA v2)
  • Web and command line provisioning and administration tools
  • Dogtag Certificate System (IPA v2)

Why Use FreeIPA?

For efficiency, compliance and risk mitigation, organizations need to centrally manage and correlate vital security information including:

  • Identity (machine, user, virtual machines, groups, authentication credentials)
  • Policy (host based access control)
  • Audit (this component is deferred)
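  • What is 389DS?
  • What is an authentication provider?
  • Are there general steps and principles for authentication? Why authenticate at all?
https://en.wikipedia.org/wiki/Authentication Wiki on Authentication
  • What is the principle behind OpenID?
  • How are identity and trust relationships connected? What is a network of trust?
  • What is a Fedora packager cert? What is an HTTPS cert? What is the cert used for domain name registration filing?
  • What are the Red Hat Network certs? Where are the subscription cert, product cert and machine cert each used?
  • What on earth are all the files in /etc/security/pki?
  • How is a browser cert used for HTTPS? At work I sometimes need to import fiddler as a CA, and I once ran into a strange bug: the network admin blocked access to akamai (download.microsoft.com) through the bluecoat proxy, so the cert revocation list could not be downloaded, which left a .net application unable to connect to the network.
  • What is X509?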
https://en.wikipedia.org/wiki/X.509 Wiki on X.509
https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/ Red Hat Certificate System admin guide
  • What is pkcs12?
https://en.wikipedia.org/wiki/PKCS_12 Wiki on PKCS 12
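  • Why did gro.clinux.org.cn previously use its own key format? Why could filezilla be used to generate that kind of key? (unverified)
  • What is a self signing key?
http://www.microhowto.info/howto/create_a_self_signed_ssl_certificate.html Create self signed ssl key HOWTO
The Wiki on X509 also mentions that a root CA is self signed and is imported into the browser manually.
  • What is Windows AD?
  • What is LDAP, and what can it be used for?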
https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol Wiki on LDAP
  • What is Kerberos, Krb5?
http://technet.microsoft.com/en-us/library/bb742516.aspx Kerberos Explained, from MSDN
http://gost.isi.edu/publications/kerberos-neuman-tso.html Kerberos technology
http://searchsecurity.techtarget.com/definition/Kerberos Kerberos short definition (this page does not display well in Firefox)
https://en.wikipedia.org/wiki/Kerberos_%28protocol%29 Wiki on Kerberos
http://web.mit.edu/kerberos/ Kerberos the protocol
  • What is GSSAPI?
https://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface Wiki on GSSAPI
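  • Why did the NSS modules previously all have to be switched over to Mozilla's library? Why could they be swapped out so easily?
  • Why do the 0.x.y.z versions of openssl so easily bring down the whole system?
  • What is NT/LM? Which modules are involved?
  • What is PAM? Why are the various modules arranged that way?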
https://en.wikipedia.org/wiki/Linux_PAM Wiki on Linux PAM
https://en.wikipedia.org/wiki/Pluggable_authentication_module Wiki on PAM
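  • What is SSH, and what can it be used for?
  • GPG is a privacy guard; how does it relate to identity?
  • How do you use S/MIME?
  • How is encryption applied in the various processes above?
  • What policy and legal considerations are there?
  • What process did large-scale deployments, such as the design of AD, go through? What lessons were learned? Why was it designed that way?
  • How is identity caching designed? How is the timing for refreshing identity information decided? For example, how are the refresh interval and timeout interval parameters arranged?
  • How are AD and group policy related?
  • Why does Windows 802.1x for ethernet have to be configured through group policy, and only within AD?
  • What is RADIUS? What is TLS? What are LEAP, PEAP, WEP, WPA, MSCHAPv2? What is SSPI? What is SASL?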
https://en.wikipedia.org/wiki/Remote_Authentication_Dial_In_User_Service Wiki on RADIUS
https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer Wiki on SASL
https://en.wikipedia.org/wiki/Secure_Sockets_Layer Wiki on TLS
https://en.wikipedia.org/wiki/Security_Support_Provider_Interface Wiki on SSPI
https://en.wikipedia.org/wiki/MS-CHAP Wiki on MS-CHAP
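  • How do different REALMs/DOMAINs coordinate with each other? How are roaming profiles handled?
  • Is there anyone else as confused as me, as clueless, as dumb, who also failed the Network course, and who is also struggling to learn all this over again?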
Tags: fedora, reading
