On Tue, Mar 05, 2002 at 09:10:48AM -0800, Brian Thomas wrote:
> I'm inclined to agree with the lurker. :)
Thanks. ;-) It's nice to feel supported.
> Isn't this what nscd is designed to do anyway? Wouldn't it make more sense to
> recommend the use of nscd-or-equivalent if using hostname lookups?
Yes. nscd is a GNU libc-specific daemon that works in conjunction with the Name Service Switch to cache passwd, group, and host lookups. These C library function calls (getpwent(3), getgrent(3), and gethostbyname(3)) are configured via the /etc/nsswitch.conf file to query different sources for the requested information. nscd caches these queries.

As with any caching scheme, there are inherent security risks to consider. nscd does not run as a network daemon, so you do not need to worry about open network sockets. Unsynchronized passwords could be a problem, but if you shut off or reduce the TTL for passwd caching, you minimize that potential problem. In the case of NIS workstations, we turn down the TTL to 1 minute. passwd file lookups for a uid then don't have to hit the NIS server for each call, but passwords are sync'd relatively quickly. In the case of servers, we shut it off completely. One can always force the dumping of cache tables at any time through the nscd command-line interface.

We do use the host name caching and default it to about 6 minutes, but we're also doing some network rearranging. I think it'd be reasonable to cache a host name for fifteen minutes to an hour. It's quite interesting to see the statistics on the number of hits to each table in cache: 'nscd -g'.

-- 
Chad Walstrom <chewie@wookimus.net>                | a.k.a. ^chewie
http://www.wookimus.net/                          | s.k.a. gunnarr
Get my public key, ICQ#, etc. $(mailx -s 'get info' chewie@wookimus.net)
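The two passwd policies Chad describes (a 1-minute TTL on NIS workstations, caching disabled on servers) and the roughly 6-minute host TTL, written out as an /etc/nscd.conf fragment. This is an added illustration, not configuration from the original post or from glibc's shipped sample; the directive names are glibc nscd's own, but the negative-TTL and suggested-size values, the logfile path, and the group-table settings are assumptions.

```conf
# Illustrative /etc/nscd.conf fragment (added example, not from the post).
# Directive names are glibc nscd's; the negative TTLs, suggested-size and
# logfile values below are assumptions, not values the post gives.

	logfile			/var/log/nscd.log
	debug-level		0

# NIS workstation: cache passwd, but only for 1 minute (60 s), so a
# password changed on the NIS master is picked up within a minute.
	enable-cache		passwd		yes
	positive-time-to-live	passwd		60
# Negative answers ("no such user") are cached too; keep that short
# so a newly created account becomes visible promptly (assumed value).
	negative-time-to-live	passwd		20
	suggested-size		passwd		211
# check-files re-reads the local /etc/passwd when its mtime changes.
# It does not notice NIS map updates; that is what the TTL is for.
	check-files		passwd		yes

# Server: the post shuts passwd caching off completely. Use this line
# instead of the "enable-cache passwd yes" block above on such hosts.
#	enable-cache		passwd		no

# group table (assumed to follow the passwd policy)
	enable-cache		group		yes
	positive-time-to-live	group		60
	negative-time-to-live	group		20
	suggested-size		group		211
	check-files		group		yes

# hosts: the post's ~6 minutes (360 s); the post suggests 900-3600 s
# would also be reasonable once the network settles down.
	enable-cache		hosts		yes
	positive-time-to-live	hosts		360
	negative-time-to-live	hosts		20
	suggested-size		hosts		211
	check-files		hosts		yes
```

nscd reads this file at startup, so restart the daemon after editing it. `nscd -i passwd` invalidates the passwd table immediately (the "dumping of cache tables" the post mentions), which is the right move after an out-of-band password change, and `nscd -g` prints the per-table hit and miss counters the post refers to. Note that check-files only watches the local flat files, so on an NIS or LDAP client the positive TTL is the upper bound on how long a revoked or changed credential stays answerable from cache.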