1GSSPROXY.CONF(5)             GssProxy Manual pages            GSSPROXY.CONF(5)
2
3
4

NAME

6       gssproxy.conf - GssProxy Daemon Configuration file
7

DESCRIPTION

9       Optional configuration directives for the gssproxy daemon.
10
11       GSS-Proxy conf files are classic ini-style configuration files. Each
12       option consist of a key = value pair. Any characters behind '#' will be
13       treated as comments and will be ignored. Boolean parameters accept "1",
14       "true", "yes" and "on" as positive values. All other values will be
15       considered as negative values.
16
17       GSS-Proxy conf files must either be named "gssproxy.conf", or be of the
18       form "##-foo.conf" (that is, start with two numbers followed by a dash,
19       and end in ".conf"). Files not conforming to this will be ignored
20       unless specifically requested through command line parameters.
21

SECTIONS

23       A section in a GSS-Proxy conf file is identified by the sectionname in
24       square brackets ([sectionname]).
25
26       There is one special section for global gssproxy settings, called
27       [gssproxy].
28
29       Services such as nfs, apache, ssh, etc. are represented by sections
30       like [service/nfs], [service/apache], etc. and are identified by the
31       "euid" setting (see below).
32

VARIABLE SUBSTITUTIONS

34       String parameters may contain substitution patterns. This allows
35       gssproxy to deal with patterns for the storage location of keytabs or
36       credential caches easier.
37
38       The supported patterns are:
39
40       %U
41           substitutes to the user's numeric uid (e.g. 123)
42
43       %u
44           substitutes to the user's username (e.g. john).
45

OPTIONS

47       gssproxy supports the following options:
48
49       allow_any_uid (boolean)
50           Allow any process of any user to use this service.
51
52           Note that absent a custom socket option this option may cause a
53           service definition to mask access to following services. To avoid
54           issues change the order of services in your configuation file so
55           that services with allow_any_uid enabled are listed last, or define
56           a custom socket for other services.
57
58           Default: false
59
60       allow_protocol_transition (boolean)
61           Allow clients to request a ticket to self for an arbitrary user.
62
63           This option controls whether s4u2self requests are allowed for the
64           requesting client. The configured keytab is used as the service
65           identity for which a ticket is requested. The KDC still needs to
66           allow the operation for it to succeed.
67
68           Default: false
69
70       allow_constrained_delegation (boolean)
71           Allow clients to request a ticket to another service using an
72           evidence ticket.
73
74           This option controls whether s4u2proxy requests are allowed for the
75           requesting client. The KDC still needs to allow the operation for
76           it to succeed.
77
78           Default: false
79
80       allow_client_ccache_sync (boolean)
81           Allow clients to request credentials to be sent back for better
82           caching.
83
84           This option allows the proxy, in certain circumstances, to send
85           back an additional option in the response structure of certain
86           calls when it determines that a new ticket may have been added to
87           the internal ccache. Clients can then replace their (encrypted)
88           copy with the updated ccache.
89
90           Default: false
91
92       cred_usage (string)
93           Allow to restrict the kind of operations permitted for this
94           service.
95
96           The allowed options are: initiate, accept, both
97
98           Default: cred_usage = both
99
100       cred_store (string)
101           This parameter allows to control in which way gssproxy should use
102           the cred_store interface provided by GSSAPI. The parameter can be
103           defined multiple times per service.
104
105           The syntax of the cred_store parameter is as follows: cred_store =
106           <cred_store_option>:<cred_store_value>
107
108           Currently this interface supports the following options:
109
110           keytab
111               Defines the keytab the service should use. Example: cred_store
112               = keytab:/path/to/keytab
113
114           client_keytab
115               Defines a client keytab the service should use. Example:
116               cred_store = client_keytab:/path/to/client_keytab.
117
118           ccache
119               Defines a credential cache the service should use. Example:
120               cred_store = ccache:/path/to/ccache.
121
122           Notably the client_keytab and the ccache setting typically are used
123           with variable substitution placeholders (see above). For example:
124
125                   cred_store = keytab:/etc/krb5.keytab
126                   cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U
127                   cred_store = client_keytab:/var/lib/gssproxy/%U.keytab
128
129           Default: cred_store =
130
131       debug (boolean)
132           Enable debugging to syslog. Setting to true is identical to setting
133           debug_level to 1.
134
135           Default: debug = false
136
137       debug_level (integer)
138           Detail level at which to log debugging messages. 0 corresponds to
139           no logging, while 1 turns on basic debug logging. Level 2 increases
140           verbosity, including more detailed credential verification.
141
142           At level 3 and above, KRB5_TRACE output is logged. If KRB5_TRACE
143           was already set in the execution environment, trace output is sent
144           to its value instead.
145
146           Default: 1 if debug is true, otherwise 0
147
148       euid (integer or string)
149           Either the numeric (e.g., 48) or symbolic (e.g., apache) effective
150           uid of a running process, required to identify a service.
151
152           The "euid" parameter is imperative, any section without it will be
153           discarded.
154
155           Default: euid =
156
157       enforce_flags (string)
158           A list of GSS Request Flags that are added unconditionally to every
159           context initialization call. Flags can only be added to the list or
160           removed from the list by prepending a +/- sign to the flag name or
161           value.
162
163           Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT,
164           SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS
165
166           Examples:
167
168                   enforce_flags = +REPLAY_DETECT
169                   enforce_flags = -0x0001
170
171           Default: enforce_flags =
172
173       filter_flags (string)
174           A list of GSS Request Flags that are filtered unconditionally from
175           every context initialization call. Flags can only be added to the
176           list or removed from the list by prepending a +/- sign to the flag
177           name or value.
178
179           NOTE: Because often gssproxy is used to withold access to
180           credentials the Delegate Flag is filtered by default. To allow a
181           service to delegate credentials use the first example below.
182
183           Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT,
184           SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS
185
186           Examples:
187
188                   filter_flags = -DELEGATE
189                   filter_flags = -0x0001 +ANONYMOUS
190
191           Default: filter_flags = +DELEGATE
192
193       impersonate (boolean)
194           Use impersonation (s4u2self + s4u2proxy) to obtain credentials
195
196           Default: impersonate = false
197
198       kernel_nfsd (boolean)
199           Boolean flag that allows the Linux kernel to check if gssproxy is
200           running (via /proc/net/rpc/use-gss-proxy).
201
202           Default: kernel_nfsd = false
203
204       krb5_principal (string)
205           The krb5 principal to be used preferred for this service, if one
206           isn't requested by the application. Note that this does not enforce
207           use of this specific name; it only sets a default.
208
209           Default: krb5_principal =
210
211       mechs (string)
212           Currently only krb5 is supported.
213
214           The "mechs" parameter is imperative, any section without it will be
215           discarded.
216
217           Default: mechs =
218
219       run_as_user (string)
220           The name of the user gssproxy will drop privileges to.
221
222           This option is only available in the global section.
223
224           Default: run_as_user =
225
226       selinux_context (string)
227           This option is deprecated. Use a custom socket or euid instead.
228
229       socket (string)
230           This parameter allows to create a per-service socket file over
231           which gssproxy client and server components communicate.
232
233           When this parameter is not set, gssproxy will use a compiled-in
234           default.
235
236       program (string)
237           If specified, this service will only match when the program being
238           run is the specified string.
239
240           Programs are assumed to be specified as canonical paths (i.e., no
241           relative paths, no symlinks). Additionally, the '|' character is
242           reserved for future use and therefore forbidden.
243
244       trusted (boolean)
245           Defines whether this service is considered trusted. Use with
246           caution, this enables impersonation.
247
248           Default: trusted = false
249
250       worker threads (integer)
251           Defines the amount of worker threads gssproxy will create at
252           startup.
253
254           Default: worker threads =
255

SEE ALSO

257       gssproxy(8) and gssproxy-mech(8).
258

AUTHORS

260       GSS-Proxy - http://fedorahosted.org/gss-proxy
261
262
263
264GSS Proxy                         02/01/2019                  GSSPROXY.CONF(5)
Impressum