pure-certd(8)                      Pure-FTPd                     pure-certd(8)



NAME

       pure-certd - TLS certificate agent for Pure-FTPd.


SYNTAX

       pure-certd [-p </path/to/pidfile>] [-u uid] [-g gid] [-B]
       <-s /path/to/socket> -r /program/to/run



DESCRIPTION

       pure-certd is a daemon that forks an authentication program, waits for
       a certificate path as a reply, and returns it to an application server.

       pure-certd listens on a local Unix socket. A client that connects to
       that socket should send pure-certd the following structure:

              sni_name:xxx
              end

       The value is passed to the authentication program as an environment
       variable:

              CERTD_SNI_NAME

       The SNI name is supplied by the remote TLS client before any
       authentication has taken place, so the program must validate it
       before using it as part of a file path or a command.

       The authentication program should take appropriate actions to select a
       TLS certificate for that name, and reply on its standard output with
       the following format:

              action:strict
              cert_file:/path/to/cert.pem
              key_file:/path/to/key.pem
              end

       cert_file:xxx
              Absolute path to the certificate in PEM format.

       key_file:xxx
              Absolute path to the private key in PEM format. This is
              optional, as a certificate and its key can be concatenated in
              the same file.

       action:xxx
              If action is "deny", no certificate was found for that name and
              access is denied. If action is "default", the default
              certificate will be used. If action is "strict", the
              certificate whose path is indicated in "cert_file" will be
              used; if that file is absent or invalid, access will be denied.
              If action is "fallback", the certificate whose path is
              indicated in "cert_file" will be used; if that file is absent
              or invalid, the default certificate will be used instead.

       uid:xxx
              The system uid to be assigned to that user. Must be > 0.

       gid:xxx
              The primary system gid. Must be > 0.

       dir:xxx
              The absolute path to the home directory. Can contain /./ for a
              chroot jail.

       Only one authentication program is forked at a time. It must return
       quickly.

62

OPTIONS

       -p </path/to/pidfile>
              Write the daemon's process id to that file.

       -u <uid>
              Have the daemon run with that uid.

       -g <gid>
              Have the daemon run with that gid.

       -B     Fork in background (daemonization).

       -s </path/to/socket>
              Set the full path to the local Unix socket.

       -r </path/to/program>
              Set the full path to the authentication program.

       -h     Output help information and exit.


EXAMPLES

       To run this program the standard way type:

       pure-certd -s /var/run/certd.sock -r /usr/bin/my-cert-program &

       pure-ftpd --extcert=/var/run/certd.sock &

       /usr/bin/my-cert-program can be as simple as:

              #! /bin/sh
              echo 'action:strict'
              echo 'cert_file:/etc/ssl/private/pure-ftpd/cert.pem'
              echo 'end'
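       The script above ignores the requested name and always returns the
       same file. The following agent actually selects a certificate per SNI
       name and refuses names that could escape the certificate directory.
       It is an added example, not code from the Pure-FTPd project; the
       layout it assumes (one PEM file per name, certificate and key
       concatenated, under CERT_DIR) is an assumption of the example, not
       something pure-certd requires.

```sh
#! /bin/sh
# Added example, not code from the Pure-FTPd project: an SNI-aware agent
# for pure-certd. It assumes (an assumption of this example) that each
# virtual host's certificate and key are concatenated in one PEM file named
# <sni_name>.pem under CERT_DIR.

CERT_DIR="${CERT_DIR:-/etc/ssl/private/pure-ftpd}"

# select_cert <sni_name> <cert_dir>
# Prints the reply pure-certd expects on stdout. The name arrives from the
# remote, still unauthenticated TLS client, so it is validated before it
# becomes part of a path: anything outside [a-z0-9.-] after lowercasing, a
# leading '.' or '-', or an embedded ".." is refused, which blocks inputs
# such as "../../etc/ssl/x.pem" or shell metacharacters.
select_cert() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # SNI names are case-insensitive
    dir=$2

    # No SNI at all (old client or connection by IP address): use the default.
    if [ -z "$name" ]; then
        printf 'action:default\nend\n'
        return 0
    fi

    case "$name" in
        *[!a-z0-9.-]* | .* | -* | *..*)
            printf 'action:deny\nend\n'
            return 0
            ;;
    esac

    if [ -f "$dir/$name.pem" ]; then
        # strict: if the file later turns out unreadable or invalid,
        # pure-ftpd denies access rather than silently serving the default.
        printf 'action:strict\ncert_file:%s/%s.pem\nend\n' "$dir" "$name"
    else
        # Unknown but well-formed name: serve the default certificate.
        printf 'action:default\nend\n'
    fi
}

# pure-certd passes the requested name in CERTD_SNI_NAME.
if [ -n "${CERTD_SNI_NAME+set}" ]; then
    select_cert "$CERTD_SNI_NAME" "$CERT_DIR"
fi
```

       Install it as the program given to -r. Because the daemon forks only
       one agent at a time, the script deliberately does nothing but a name
       check and a file test, so it returns immediately.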
95

AUTHORS

97       Frank DENIS <j at pureftpd dot org>
98

SEE ALSO

       ftp(1), pure-ftpd(8), pure-ftpwho(8), pure-mrtginfo(8),
       pure-uploadscript(8), pure-statsdecode(8), pure-pw(8),
       pure-quotacheck(8), pure-authd(8)



Frank Denis                         1.0.49                       pure-certd(8)