1GSSPROXY.CONF(5)             GssProxy Manual pages            GSSPROXY.CONF(5)
2
3
4

NAME

6       gssproxy.conf - GssProxy Daemon Configuration file
7

DESCRIPTION

9       Optional configuration directives for the gssproxy daemon.
10
11       GSS-Proxy conf files are classic ini-style configuration files. Each
12       option consist of a key = value pair. Any characters behind '#' will be
13       treated as comments and will be ignored. Boolean parameters accept "1",
14       "true", "yes" and "on" as positive values. All other values will be
15       considered as negative values.
16
17       GSS-Proxy conf files must either be named "gssproxy.conf", or be of the
18       form "##-foo.conf" (that is, start with two numbers followed by a dash,
19       and end in ".conf"). Files not conforming to this will be ignored
20       unless specifically requested through command line parameters. Within a
21       single file, any duplicate values or sections will be merged. Across
22       multiple files, duplicates will generate a warning, and the first value
23       encountered will take precedence (i.e., there is no merging).
24

SECTIONS

26       A section in a GSS-Proxy conf file is identified by the sectionname in
27       square brackets ([sectionname]).
28
29       There is one special section for global gssproxy settings, called
30       [gssproxy].
31
32       Services such as nfs, apache, ssh, etc. are represented by sections
33       like [service/nfs], [service/apache], etc. and are identified by the
34       "euid" setting (see below).
35

VARIABLE SUBSTITUTIONS

37       String parameters may contain substitution patterns. This allows
38       gssproxy to deal with patterns for the storage location of keytabs or
39       credential caches easier.
40
41       The supported patterns are:
42
43       %U
44           substitutes to the user's numeric uid (e.g. 123)
45
46       %u
47           substitutes to the user's username (e.g. john).
48

OPTIONS

50       gssproxy supports the following options:
51
52       allow_any_uid (boolean)
53           Allow any process of any user to use this service.
54
55           Note that absent a custom socket option this option may cause a
56           service definition to mask access to following services. To avoid
57           issues change the order of services in your configuation file so
58           that services with allow_any_uid enabled are listed last, or define
59           a custom socket for other services.
60
61           Default: false
62
63       allow_protocol_transition (boolean)
64           Allow clients to request a ticket to self for an arbitrary user.
65
66           This option controls whether s4u2self requests are allowed for the
67           requesting client. The configured keytab is used as the service
68           identity for which a ticket is requested. The KDC still needs to
69           allow the operation for it to succeed.
70
71           Default: false
72
73       allow_constrained_delegation (boolean)
74           Allow clients to request a ticket to another service using an
75           evidence ticket.
76
77           This option controls whether s4u2proxy requests are allowed for the
78           requesting client. The KDC still needs to allow the operation for
79           it to succeed.
80
81           Default: false
82
83       allow_client_ccache_sync (boolean)
84           Allow clients to request credentials to be sent back for better
85           caching.
86
87           This option allows the proxy, in certain circumstances, to send
88           back an additional option in the response structure of certain
89           calls when it determines that a new ticket may have been added to
90           the internal ccache. Clients can then replace their (encrypted)
91           copy with the updated ccache.
92
93           Default: false
94
95       cred_store (string)
96           This parameter allows to control in which way gssproxy should use
97           the cred_store interface provided by GSSAPI. The parameter can be
98           defined multiple times per service.
99
100           The syntax of the cred_store parameter is as follows: cred_store =
101           <cred_store_option>:<cred_store_value>
102
103           Currently this interface supports the following options:
104
105           keytab
106               Defines the keytab the service should use. Example: cred_store
107               = keytab:/path/to/keytab
108
109           client_keytab
110               Defines a client keytab the service should use. Example:
111               cred_store = client_keytab:/path/to/client_keytab.
112
113           ccache
114               Defines a credential cache the service should use. Example:
115               cred_store = ccache:/path/to/ccache.
116
117           Notably the client_keytab and the ccache setting typically are used
118           with variable substitution placeholders (see above). For example:
119
120                   cred_store = keytab:/etc/krb5.keytab
121                   cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U
122                   cred_store = client_keytab:/var/lib/gssproxy/%U.keytab
123
124           Default: cred_store =
125
126       cred_usage (string)
127           Allow to restrict the kind of operations permitted for this
128           service.
129
130           The allowed options are: initiate, accept, both
131
132           Default: cred_usage = both
133
134       debug (boolean)
135           Enable debugging to syslog. Setting to true is identical to setting
136           debug_level to 1.
137
138           Default: debug = false
139
140       debug_level (integer)
141           Detail level at which to log debugging messages. 0 corresponds to
142           no logging, while 1 turns on basic debug logging. Level 2 increases
143           verbosity, including more detailed credential verification.
144
145           At level 3 and above, KRB5_TRACE output is logged. If KRB5_TRACE
146           was already set in the execution environment, trace output is sent
147           to its value instead.
148
149           Default: 1 if debug is true, otherwise 0
150
151       enforce_flags (string)
152           A list of GSS Request Flags that are added unconditionally to every
153           context initialization call. Flags can only be added to the list or
154           removed from the list by prepending a +/- sign to the flag name or
155           value.
156
157           Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT,
158           SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS
159
160           Examples:
161
162                   enforce_flags = +REPLAY_DETECT
163                   enforce_flags = -0x0001
164
165           Default: enforce_flags =
166
167       euid (integer or string)
168           Either the numeric (e.g., 48) or symbolic (e.g., apache) effective
169           uid of a running process, required to identify a service.
170
171           The "euid" parameter is imperative, any section without it will be
172           discarded.
173
174           Default: euid =
175
176       filter_flags (string)
177           A list of GSS Request Flags that are filtered unconditionally from
178           every context initialization call. Flags can only be added to the
179           list or removed from the list by prepending a +/- sign to the flag
180           name or value.
181
182           NOTE: Because often gssproxy is used to withold access to
183           credentials the Delegate Flag is filtered by default. To allow a
184           service to delegate credentials use the first example below.
185
186           Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT,
187           SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS
188
189           Examples:
190
191                   filter_flags = -DELEGATE
192                   filter_flags = -0x0001 +ANONYMOUS
193
194           Default: filter_flags = +DELEGATE
195
196       impersonate (boolean)
197           Use impersonation (s4u2self + s4u2proxy) to obtain credentials
198
199           Default: impersonate = false
200
201       kernel_nfsd (boolean)
202           Boolean flag that allows the Linux kernel to check if gssproxy is
203           running (via /proc/net/rpc/use-gss-proxy).
204
205           Default: kernel_nfsd = false
206
207       krb5_principal (string)
208           The krb5 principal to be used preferred for this service, if one
209           isn't requested by the application. Note that this does not enforce
210           use of this specific name; it only sets a default.
211
212           Default: krb5_principal =
213
214       mechs (string)
215           Currently only krb5 is supported.
216
217           The "mechs" parameter is imperative, any section without it will be
218           discarded.
219
220           Default: mechs =
221
222       program (string)
223           If specified, this service will only match when the program being
224           run is the specified string.
225
226           Programs are assumed to be specified as canonical paths (i.e., no
227           relative paths, no symlinks). Additionally, the '|' character is
228           reserved for future use and therefore forbidden.
229
230       run_as_user (string)
231           The name of the user gssproxy will drop privileges to.
232
233           This option is only available in the global section.
234
235           Default: run_as_user =
236
237       selinux_context (string)
238           This option is deprecated. Use a custom socket or euid instead.
239
240       socket (string)
241           This parameter allows to create a per-service socket file over
242           which gssproxy client and server components communicate.
243
244           When this parameter is not set, gssproxy will use a compiled-in
245           default.
246
247       syslog_status (boolean)
248           Enable per-call debugging output to the syslog. This may be useful
249           for investigating problems in applications using gssproxy.
250
251           Default: syslog_status = false
252
253       trusted (boolean)
254           Defines whether this service is considered trusted. Use with
255           caution, this enables impersonation.
256
257           Default: trusted = false
258
259       worker threads (integer)
260           Defines the amount of worker threads gssproxy will create at
261           startup.
262
263           Default: worker threads =
264

SEE ALSO

266       gssproxy(8) and gssproxy-mech(8).
267

AUTHORS

269       GSS-Proxy - http://fedorahosted.org/gss-proxy
270
271
272
273GSS Proxy                         01/26/2021                  GSSPROXY.CONF(5)
Impressum