Respond to Name Service Switch lookups with the output of custom commands. Both JSON and the typical colon-separated *nix format are supported.
libnss_shim
is an adapter to make integration with NSS easier. It is an NSS/nsswitch service that runs commands
defined per-function in /etc/libnss_shim/config.json
.
- Commands can output responses to queries either in the colon-delimited Unix format, or in JSON
- The output of each command execution is parsed from
stdout
and validated before being passed back to NSS- See Commands in the docs for details
- The
group
,passwd
, andshadow
NSS databases/services are supported- See Configuration in the docs for details
- See the documentation for additional information
A more complex example implementation with config, scripts and Dockerfile
can be found at
samples/advanced
.
Custom PAM modules alone are not enough to create a custom Linux authentication process - integration with NSS is
also required to inject custom user data to group
/passwd
/shadow
lookups earlier in the login flow.
In other words: NSS determines if an account exists, and PAM determines how an account can be accessed.
For example, SSSD leverages both NSS and PAM to enable seamless LDAP authentication. Integrating directly with
NSS can be difficult, so libnss_shim
was created to allow any command that can print to stdout
in a supported format
to be used with NSS.
- Tested on:
- Debian 11
- Debian 12
- Ubuntu 20.04
- Ubuntu 22.04
- Ubuntu 24.04
- CentOS 7
- AlmaLinux 8
- AlmaLinux 9
- Builds for
amd64
andaarch64
architectures- See Development in the docs for information about building for other architectures
- Packaged in
.deb
and.rpm
formats- If those formats are not supported by a target platform,
libnss_shim
might be usable if theassets
are installed as described inCargo.toml
prior to running thedebian/postinst
script, but this has not been tested extensively
- If those formats are not supported by a target platform,
- To request support for a different configuration, please create an issue
-
Prepare the commands/software that will be triggered by
libnss_shim
. See Commands in the docs for details. -
Download the latest release produced by GitHub Actions.
AMD64 deb:
curl -sLo libnss_shim.deb https://github.com/xenago/libnss_shim/releases/download/1.2.1/libnss_shim_1.2.1-1_amd64.deb
AMD64 RPM:
curl -sLo libnss_shim.rpm https://github.com/xenago/libnss_shim/releases/download/1.2.1/libnss_shim-1.2.1-1.x86_64.rpm
Full table:
Architecture Package Link amd64
deb
libnss_shim_1.2.1-1_amd64.deb
amd64
RPM
libnss_shim-1.2.1-1.x86_64.rpm
aarch64
deb
libnss_shim_1.2.1-1_arm64.deb
aarch64
RPM
libnss_shim-1.2.1-1.aarch64.rpm
See Downloading and Attestations in the docs for more details.
-
Install or upgrade it directly with
dpkg
orrpm
.deb:
sudo dpkg -i libnss_shim.deb
RPM:
sudo rpm -Uv libnss_shim.rpm
-
Configure the shim by importing a custom
config.json
.e.g.
sudo cp custom_config.json /etc/libnss_shim/config.json
Using the default
config.json
,libnss_shim
should have no effect, as the default configuration has commands defined that output nothing. Updates to the config take effect immediately and can be performed at any time afterlibnss_shim
has been installed and used, without restarting.See Configuration and Commands in the docs for details.
-
When installed,
libnss_shim
is mapped asshim
in/etc/nsswitch.conf
as the last source for all supported databases. In that file, the access order for each database's sources can be changed,shim
can be removed from specific locations if not required, etc.Because
nsswitch.conf
is read only once per-process, any software actively using it will need to be restarted to accesslibnss_shim
when it is installed. Rebooting the system is often the safest/easiest way to do this:sudo reboot
See Interaction with
/etc/nsswitch.conf
in the docs for details. -
Perform NSS queries to validate the installation, for example using the built-in
getent
tool.Some sample commands to test your implementation:
getent group getent passwd getent shadow getent group <groupname>
A very basic test config is available that will respond to
getent group
calls with a fake group (like in the demo GIF):curl -sLo /etc/libnss_shim/config.json https://raw.githubusercontent.com/xenago/libnss_shim/main/samples/basic/custom_config.json getent group | tail -1
If the installation worked, the output should look like:
test-shim-group::1008:fake-username,another-user
-
To remove
libnss_shim
, run the same package manager used for installation.deb:
sudo dpkg -r libnss_shim
RPM:
sudo rpm -e libnss_shim
-
As mentioned above,
nsswitch.conf
is read only once per-process so restarting affected applications is required to apply the change. A system reboot is an effective way to do this:sudo reboot
The libnss_shim
NSS plugin runs commands defined in /etc/libnss_shim/config.json
, which only root
can edit by
default. Ensure that this file, the commands defined inside it, and any other related resources remain read-only to
other users, or the system may be vulnerable to privilege escalation attacks. Do not store secrets in config.json
or
any other file which can be read by non-root
users.
To enable non-root users to access resources defined by libnss_shim
, they must be able to access the commands defined
in config.json
. For example, if a file group-script.py
is being used to resolve group
queries, it will need to be
readable (along with the Python interpreter used to run it):
sudo chown root:root /path/to/custom/group-script.py
sudo chmod 644 /path/to/custom/group-script.py
However, as the shadow
database is generally only accessed via su
/setuid
etc., programs used to resolve shadow
queries can be left as 640
:
sudo chown root:root /path/to/custom/shadow-script.py
sudo chmod 640 /path/to/custom/shadow-script.py
It is recommended to pass data (like <$name>
) using environment variables rather than arguments, except for
testing purposes. Environment variables are generally private, whereas commands/launch args are not.
Commands are not passed through a shell for execution. Although it is possible to run software like bash
with libnss_shim
, using a shell is not recommended as this comes with additional risks such as command injection.
See Attestations in the docs for information about validating official
libnss_shim
release artifacts.
See SECURITY.md for information about reporting security problems.