GSSPROXY.CONF(5) GssProxy Manual pages GSSPROXY.CONF(5)



gssproxy.conf - GssProxy Daemon Configuration file

Optional configuration directives for the gssproxy daemon.

GSS-Proxy conf files are classic ini-style configuration files. Each
option consists of a key = value pair. Any characters after '#' are
treated as a comment and ignored. Boolean parameters accept "1",
"true", "yes" and "on" as positive values. All other values are
considered negative.

GSS-Proxy conf files must either be named "gssproxy.conf", or be of the
form "##-foo.conf" (that is, start with two digits followed by a dash,
and end in ".conf"). Files not conforming to this will be ignored
unless specifically requested through command line parameters. Within a
single file, any duplicate values or sections will be merged. Across
multiple files, duplicates will generate a warning, and the first value
encountered will take precedence (i.e., there is no merging).

A section in a GSS-Proxy conf file is identified by the section name in
square brackets ([sectionname]).

There is one special section for global gssproxy settings, called
[gssproxy].

Services such as nfs, apache, ssh, etc. are represented by sections
like [service/nfs], [service/apache], etc. and are identified by their
"euid" setting (see below).

String parameters may contain substitution patterns. This allows
gssproxy to handle per-user storage locations for keytabs or
credential caches more easily.

The supported patterns are:

%U
substitutes to the user's numeric uid (e.g. 123)

%u
substitutes to the user's username (e.g. john).
gssproxy supports the following options:

allow_any_uid (boolean)
Allow any process of any user to use this service.

Note that, absent a custom socket option, this option may cause a
service definition to mask access to the services listed after it. To
avoid this, change the order of services in your configuration file so
that services with allow_any_uid enabled are listed last, or define
a custom socket for the other services.

Default: false

allow_protocol_transition (boolean)
Allow clients to request a ticket to self for an arbitrary user.

This option controls whether s4u2self requests are allowed for the
requesting client. The configured keytab is used as the service
identity for which a ticket is requested. The KDC still needs to
allow the operation for it to succeed.

Default: false

allow_constrained_delegation (boolean)
Allow clients to request a ticket to another service using an
evidence ticket.

This option controls whether s4u2proxy requests are allowed for the
requesting client. The KDC still needs to allow the operation for
it to succeed.

Default: false

allow_client_ccache_sync (boolean)
Allow clients to request credentials to be sent back for better
caching.

This option allows the proxy, in certain circumstances, to send
back an additional option in the response structure of certain
calls when it determines that a new ticket may have been added to
the internal ccache. Clients can then replace their (encrypted)
copy with the updated ccache.

Default: false

cred_store (string)
This parameter controls how gssproxy uses the cred_store interface
provided by GSSAPI. The parameter can be defined multiple times per
service.

The syntax of the cred_store parameter is as follows: cred_store =
<cred_store_option>:<cred_store_value>

Currently this interface supports the following options:

keytab
Defines the keytab the service should use. Example: cred_store
= keytab:/path/to/keytab

client_keytab
Defines a client keytab the service should use. Example:
cred_store = client_keytab:/path/to/client_keytab.

ccache
Defines a credential cache the service should use. Example:
cred_store = ccache:/path/to/ccache.

Notably, the client_keytab and ccache settings are typically used
with variable substitution placeholders (see above). For example:

cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/%U.keytab

Default: cred_store =

cred_usage (string)
Restricts the kind of operations permitted for this service.

The allowed options are: initiate, accept, both

Default: cred_usage = both

debug (boolean)
Enable debugging to syslog. Setting to true is identical to setting
debug_level to 1.

Default: debug = false

debug_level (integer)
Detail level at which to log debugging messages. 0 corresponds to
no logging, while 1 turns on basic debug logging. Level 2 increases
verbosity, including more detailed credential verification.

At level 3 and above, KRB5_TRACE output is logged. If KRB5_TRACE
was already set in the execution environment, trace output is sent
to its value instead. Refer to docs/KRB5_TRACE.md for more
information.

Default: 1 if debug is true, otherwise 0

enforce_flags (string)
A list of GSS Request Flags that are added unconditionally to every
context initialization call. Flags can only be added to the list or
removed from the list by prepending a +/- sign to the flag name or
value.

Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT,
SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS

Examples:

enforce_flags = +REPLAY_DETECT
enforce_flags = -0x0001

Default: enforce_flags =

euid (integer or string)
Either the numeric (e.g., 48) or symbolic (e.g., apache) effective
uid of a running process, required to identify a service.

The "euid" parameter is mandatory; any section without it will be
discarded.

Default: euid =

filter_flags (string)
A list of GSS Request Flags that are filtered unconditionally from
every context initialization call. Flags can only be added to the
list or removed from the list by prepending a +/- sign to the flag
name or value.

NOTE: Because gssproxy is often used to withhold access to
credentials, the Delegate Flag is filtered by default. To allow a
service to delegate credentials, use the first example below.

Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT,
SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS

Examples:

filter_flags = -DELEGATE
filter_flags = -0x0001 +ANONYMOUS

Default: filter_flags = +DELEGATE
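As an added example (not gssproxy's own code), the following Python resolves enforce_flags and filter_flags lists, starting from the defaults given above, into bit masks and applies them to a requested flag set. The numeric bit values are the standard GSS-API request flag bits; applying enforce_flags with OR and filter_flags with AND-NOT is my reading of "added unconditionally" and "filtered unconditionally".

```python
# GSS request flag bits, keyed by the names gssproxy recognizes. The values
# are the standard GSS-API request flag bits (GSS_C_DELEG_FLAG = 1, ...).
GSS_FLAGS = {
    "DELEGATE": 0x0001, "MUTUAL_AUTH": 0x0002, "REPLAY_DETECT": 0x0004,
    "SEQUENCE": 0x0008, "CONFIDENTIALITY": 0x0010, "INTEGRITY": 0x0020,
    "ANONYMOUS": 0x0040,
}

def parse_flag_list(spec, default=0):
    # Apply a "+NAME -0x0001 ..." list on top of the default mask. Each item is
    # a flag name or numeric value and must carry a leading + or -.
    mask = default
    for item in spec.split():
        sign, name = item[0], item[1:]
        if sign not in "+-":
            raise ValueError(f"flag {item!r} needs a leading + or -")
        bit = GSS_FLAGS.get(name.upper())
        if bit is None:
            bit = int(name, 0)  # numeric form, e.g. 0x0001
        mask = mask | bit if sign == "+" else mask & ~bit
    return mask

def effective_flags(requested, enforce_spec="", filter_spec=""):
    # Assumed semantics: enforce_flags are OR'ed into every context
    # initialization and filter_flags are masked out, starting from the
    # defaults given in this man page (enforce empty, filter +DELEGATE).
    enforce = parse_flag_list(enforce_spec, 0)
    filt = parse_flag_list(filter_spec, GSS_FLAGS["DELEGATE"])
    return (requested | enforce) & ~filt

# With the defaults, a client asking for DELEGATE|MUTUAL_AUTH has the
# delegation bit stripped and only MUTUAL_AUTH survives.
DEFAULT_RESULT = effective_flags(GSS_FLAGS["DELEGATE"] | GSS_FLAGS["MUTUAL_AUTH"])
```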

impersonate (boolean)
Use impersonation (s4u2self + s4u2proxy) to obtain credentials.

Default: impersonate = false

kernel_nfsd (boolean)
Boolean flag that allows the Linux kernel to check if gssproxy is
running (via /proc/net/rpc/use-gss-proxy).

Default: kernel_nfsd = false

krb5_principal (string)
The krb5 principal preferred for this service, if one isn't
requested by the application. Note that this does not enforce
use of this specific name; it only sets a default.

Default: krb5_principal =

mechs (string)
Currently only krb5 is supported.

The "mechs" parameter is mandatory; any section without it will be
discarded.

Default: mechs =
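As an added example that is not part of gssproxy, this Python snippet turns the file-format, substitution, allow_any_uid, euid and mechs rules described above into a small configuration checker: it parses a constructed gssproxy.conf, expands %U, and reports service sections that gssproxy would discard or that would be masked by an earlier allow_any_uid service.

```python
import re
# Constructed sample: allow_any_uid listed first (no custom socket); nfs-server lacks euid.
SAMPLE_CONF = """
[service/anyone]
mechs = krb5
euid = 0   # trailing comments are stripped
allow_any_uid = yes
cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U
[service/nfs-server]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
"""

def conf_filename_ok(name):
    # Only "gssproxy.conf" or "##-foo.conf" are read unless requested explicitly.
    return re.fullmatch(r"gssproxy\.conf|[0-9]{2}-.+\.conf", name) is not None

def as_bool(value):
    # Only 1/true/yes/on count as positive; any other value is negative.
    return value.strip().lower() in {"1", "true", "yes", "on"}

def substitute(value, uid, user):
    # Expand the %U (numeric uid) and %u (username) patterns.
    return value.replace("%U", str(uid)).replace("%u", user)

def parse_conf(text):
    # {section: {key: [values]}}; '#' starts a comment, duplicate keys/sections in one file merge.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return sections

def check_services(sections):
    # Sections gssproxy discards (no euid/mechs) and an allow_any_uid service masking later ones.
    services = [(n, s) for n, s in sections.items() if n.startswith("service/")]
    warnings = []
    for i, (name, opts) in enumerate(services):
        for required in ("euid", "mechs"):
            if required not in opts:
                warnings.append(f"{name}: no '{required}', section will be discarded")
        if (as_bool(opts.get("allow_any_uid", [""])[-1]) and "socket" not in opts
                and i < len(services) - 1):
            warnings.append(f"{name}: allow_any_uid without a custom socket masks "
                            "the services listed after it; move it last")
    return warnings
```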

min_lifetime (integer)
Minimum lifetime of a cached credential, in seconds.

If non-zero, when gssproxy is deciding whether to use a cached
credential, it will compare the remaining lifetime of the cached
credential to this value. If the lifetime of the cached credential is
lower, gssproxy will treat the cached credential as expired and will
attempt to obtain a new credential.

Default: min_lifetime = 15

program (string)
If specified, this service will only match when the program being
run is the specified string.

Programs are assumed to be specified as canonical paths (i.e., no
relative paths, no symlinks). Additionally, the '|' character is
reserved for future use and therefore forbidden.

run_as_user (string)
The name of the user gssproxy will drop privileges to.

This option is only available in the global section.

Default: run_as_user =

selinux_context (string)
This option is deprecated. Use a custom socket or euid instead.

socket (string)
This parameter creates a per-service socket file over which the
gssproxy client and server components communicate.

When this parameter is not set, gssproxy will use a compiled-in
default.

syslog_status (boolean)
Enable per-call debugging output to the syslog. This may be useful
for investigating problems in applications using gssproxy.

Default: syslog_status = false

trusted (boolean)
Defines whether this service is considered trusted. Use with
caution: this enables impersonation.

Default: trusted = false

worker threads (integer)
Defines the number of worker threads gssproxy will create at
startup.

Default: worker threads =

gssproxy(8) and gssproxy-mech(8).

GSS-Proxy - http://fedorahosted.org/gss-proxy



GSS Proxy 07/21/2022 GSSPROXY.CONF(5)