1REQUEST-KEY.CONF(5) Linux Key Management Utilities REQUEST-KEY.CONF(5)
2
6 request-key.conf - Instantiation handler configuration file
7
9 This file and its associated key-type specific variants are used by the
10 /sbin/request-key program to determine which program it should run to
11 instantiate a key.
12 request-key looks first in /etc/request-key.d/ for a file of the key
14 type name plus ".conf" that it can use. If that is not found, it will
15 fall back to /etc/request-key.conf.
16 request-key works scans through the chosen file one line at a time
18 until it finds a match, which it will then use. If it doesn't find a
19 match, it'll return an error and the kernel will automatically negate
20 the key.
21 Any blank line or line beginning with a hash mark '#' is considered to
23 be a comment and ignored.
24 All other lines are assumed to be command lines with a number of white
26 space separated fields:
27 <op> <type> <description> <callout-info> <prog> <arg1> <arg2> ...
29 The first four fields are used to match the parameters passed to
31 request-key by the kernel. op is the operation type; currently the only
32 supported operation is "create".
33 type, description and callout-info match the three parameters passed to
35 keyctl request2 or the request_key() system call. Each of these may
36 contain one or more asterisk '*' characters as wildcards anywhere
37 within the string.
38 Should a match be made, the program specified by <prog> will be exec'd.
40 This must have a fully qualified path name. argv[0] will be set from
41 the part of the program name that follows the last slash '/' character.
42 If the program name is prefixed with a pipe bar character '|', then the
44 program will be forked and exec'd attached to three pipes. The callout
45 information will be piped to it on it's stdin and the intended payload
46 data will be retrieved from its stdout. Anything sent to stderr will be
47 posted in syslog. If the program exits 0, then /sbin/request-key will
48 attempt to instantiate the key with the data read from stdout. If it
49 fails in any other way, then request-key will attempt to execute the
50 appropriate 'negate' operation command.
51 The program arguments can be substituted with various macros. Only com‐
53 plete argument substitution is supported - macro substitutions can't be
54 embedded. All macros begin with a percent character '%'. An argument
55 beginning with two percent characters will have one of them discarded.
56 The following macros are supported:
58 %o Operation type
60 %k Key ID
61 %t Key type
62 %d Key description
63 %c Callout information
64 %u Key UID
65 %g Key GID
66 %T Requestor's thread keyring
67 %P Requestor's process keyring
68 %S Requestor's session keyring
69 There's another macro substitution too that permits the interpolation
71 of the contents of a key:
72 %{<type>:<description>}
74 This performs a lookup for a key of the given type and description on
76 the requestor's keyrings, and if found, substitutes the contents for
77 the macro. If not found an error will be logged and the key under con‐
78 struction will be negated.
79
81 A basic file will be installed in the /etc. This will contain two
82 debugging lines that can be used to test the installation:
83 create user debug:* negate /bin/keyctl negate %k 30 %S
85 create user debug:loop:* * |/bin/cat
86 create user debug:* * /usr/share/keyutils/request-key-debug.sh
87 %k %d %c %S
88 negate * * * /bin/keyctl negate %k 30 %S
89 This is set up so that something like:
91 keyctl request2 user debug:xxxx negate
93 will create a negative user-defined key, something like:
95 keyctl request2 user debug:yyyy spoon
97 will create an instantiated user-defined key with "Debug spoon" as the
99 payload, and something like:
100 keyctl request2 user debug:loop:zzzz abcdefghijkl
102 will create an instantiated user-defined key with the callout informa‐
104 tion as the payload.
105
107 /etc/request-key.conf
108 /etc/request-key.d/<keytype>.conf
109
111 keyctl(1), request-key.conf(5)
112Linux 15 November 2011 REQUEST-KEY.CONF(5)