1GSSPROXY.CONF(5) GssProxy Manual pages GSSPROXY.CONF(5)
2
3
4
6 gssproxy.conf - GssProxy Daemon Configuration file
7
9 Optional configuration directives for the gssproxy daemon.
10
11 GSS-Proxy conf files are classic ini-style configuration files. Each
12 option consist of a key = value pair. Any characters behind '#' will be
13 treated as comments and will be ignored. Boolean parameters accept "1",
14 "true", "yes" and "on" as positive values. All other values will be
15 considered as negative values.
16
17 GSS-Proxy conf files must either be named "gssproxy.conf", or be of the
18 form "##-foo.conf" (that is, start with two numbers followed by a dash,
19 and end in ".conf"). Files not conforming to this will be ignored
20 unless specifically requested through command line parameters.
21
23 A section in a GSS-Proxy conf file is identified by the sectionname in
24 square brackets ([sectionname]).
25
26 There is one special section for global gssproxy settings, called
27 [gssproxy].
28
29 Services such as nfs, apache, ssh, etc. are represented by sections
30 like [service/nfs], [service/apache], etc. and are identified by the
31 "euid" setting (see below).
32
34 String parameters may contain substitution patterns. This allows
35 gssproxy to deal with patterns for the storage location of keytabs or
36 credential caches easier.
37
38 The supported patterns are:
39
40 %U
41 substitutes to the user's numeric uid (e.g. 123)
42
43 %u
44 substitutes to the user's username (e.g. john).
45
47 gssproxy supports the following options:
48
49 allow_any_uid (boolean)
50 Allow any process of any user to use this service.
51
52 Note that absent a custom socket or selinux_context option this
53 option may cause a service definition to mask access to following
54 services. To avoid issues change the order of services in your
55 configuation file so that services with allow_any_uid enabled are
56 listed last, or define a custom socket for other services.
57
58 Default: false
59
60 allow_protocol_transition (boolean)
61 Allow clients to request a ticket to self for an arbitrary user.
62
63 This option controls whether s4u2self requests are allowed for the
64 requesting client. The configured keytab is used as the service
65 identity for which a ticket is requested. The KDC still needs to
66 allow the operation for it to succeed.
67
68 Default: false
69
70 allow_constrained_delegation (boolean)
71 Allow clients to request a ticket to another service using an
72 evidence ticket.
73
74 This option controls whether s4u2proxy requests are allowed for the
75 requesting client. The KDC still needs to allow the operation for
76 it to succeed.
77
78 Default: false
79
80 allow_client_ccache_sync (boolean)
81 Allow clients to request credentials to be sent back for better
82 caching.
83
84 This option allows the proxy, in certain circumstances, to send
85 back an additional option in the response structure of certain
86 calls when it determines that a new ticket may have been added to
87 the internal ccache. Clients can then replace their (encrypted)
88 copy with the updated ccache.
89
90 Default: false
91
92 cred_usage (string)
93 Allow to restrict the kind of operations permitted for this
94 service.
95
96 The allowed options are: initiate, accept, both
97
98 Default: cred_usage = both
99
100 cred_store (string)
101 This parameter allows to control in which way gssproxy should use
102 the cred_store interface provided by GSSAPI. The parameter can be
103 defined multiple times per service.
104
105 The syntax of the cred_store parameter is as follows: cred_store =
106 <cred_store_option>:<cred_store_value>
107
108 Currently this interface supports the following options:
109
110 keytab
111 Defines the keytab the service should use. Example: cred_store
112 = keytab:/path/to/keytab
113
114 client_keytab
115 Defines a client keytab the service should use. Example:
116 cred_store = client_keytab:/path/to/client_keytab.
117
118 ccache
119 Defines a credential cache the service should use. Example:
120 cred_store = ccache:/path/to/ccache.
121
122 Notably the client_keytab and the ccache setting typically are used
123 with variable substitution placeholders (see above). For example:
124
125 cred_store = keytab:/etc/krb5.keytab
126 cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U
127 cred_store = client_keytab:/var/lib/gssproxy/%U.keytab
128
129 Default: cred_store =
130
131 debug (boolean)
132 Enable debugging to syslog. Setting to true is identical to setting
133 debug_level to 1.
134
135 Default: debug = false
136
137 debug_level (integer)
138 Detail level at which to log debugging messages. 0 corresponds to
139 no logging, while 1 turns on basic debug logging. Level 2 increases
140 verbosity, including more detailed credential verification.
141
142 At level 3 and above, KRB5_TRACE output is logged. If KRB5_TRACE
143 was already set in the execution environment, trace output is sent
144 to its value instead.
145
146 Default: 1 if debug is true, otherwise 0
147
148 euid (integer or string)
149 Either the numeric (e.g., 48) or symbolic (e.g., apache) effective
150 uid of a running process, required to identify a service.
151
152 The "euid" parameter is imperative, any section without it will be
153 discarded.
154
155 Default: euid =
156
157 enforce_flags (string)
158 A list of GSS Request Flags that are added unconditionally to every
159 context initialization call. Flags can only be added to the list or
160 removed from the list by prepending a +/- sign to the flag name or
161 value.
162
163 Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT,
164 SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS
165
166 Examples:
167
168 enforce_flags = +REPLAY_DETECT
169 enforce_flags = -0x0001
170
171 Default: enforce_flags =
172
173 filter_flags (string)
174 A list of GSS Request Flags that are filtered unconditionally from
175 every context initialization call. Flags can only be added to the
176 list or removed from the list by prepending a +/- sign to the flag
177 name or value.
178
179 NOTE: Because often gssproxy is used to withold access to
180 credentials the Delegate Flag is filtered by default. To allow a
181 service to delegate credentials use the first example below.
182
183 Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT,
184 SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS
185
186 Examples:
187
188 filter_flags = -DELEGATE
189 filter_flags = -0x0001 +ANONYMOUS
190
191 Default: filter_flags = +DELEGATE
192
193 impersonate (boolean)
194 Use impersonation (s4u2self + s4u2proxy) to obtain credentials
195
196 Default: impersonate = false
197
198 kernel_nfsd (boolean)
199 Boolean flag that allows the Linux kernel to check if gssproxy is
200 running (via /proc/net/rpc/use-gss-proxy).
201
202 Default: kernel_nfsd = false
203
204 krb5_principal (string)
205 The krb5 principal to be used by this service.
206
207 Default: krb5_principal =
208
209 mechs (string)
210 Currently only krb5 is supported.
211
212 The "mechs" parameter is imperative, any section without it will be
213 discarded.
214
215 Default: mechs =
216
217 run_as_user (string)
218 The name of the user gssproxy will drop privileges to.
219
220 This option is only available in the global section.
221
222 Default: run_as_user =
223
224 selinux_context (string)
225 This parameter instructs the proxy to allow map a request to the
226 service only if the context of the connecting client matches the
227 one defined here.
228
229 When this parameter is not set any client will be allowed
230 regardless of their selinux context.
231
232 Example: selinux_context = system_u:system_r:gssd_t
233
234 socket (string)
235 This parameter allows to create a per-service socket file over
236 which gssproxy client and server components communicate.
237
238 When this parameter is not set, gssproxy will use a compiled-in
239 default.
240
241 trusted (boolean)
242 Defines whether this service is considered trusted. Use with
243 caution, this enables impersonation.
244
245 Default: trusted = false
246
247 worker threads (integer)
248 Defines the amount of worker threads gssproxy will create at
249 startup.
250
251 Default: worker threads =
252
254 gssproxy(8) and gssproxy-mech(8).
255
257 GSS-Proxy - http://fedorahosted.org/gss-proxy
258
259
260
261GSS Proxy 10/30/2018 GSSPROXY.CONF(5)