gssproxy.conf man page

gssproxy.conf — GssProxy Daemon Configuration file

Description

Optional configuration directives for the gssproxy daemon.

GSS-Proxy conf files are classic ini-style configuration files. Each option consist of a key = value pair. Any characters behind '#' will be treated as comments and will be ignored. Boolean parameters accept "1", "true", "yes" and "on" as positive values. All other values will be considered as negative values.

GSS-Proxy conf files must either be named "gssproxy.conf", or be of the form "##-foo.conf" (that is, start with two numbers followed by a dash, and end in ".conf"). Files not conforming to this will be ignored unless specifically requested through command line parameters.

Sections

A section in a GSS-Proxy conf file is identified by the sectionname in square brackets ([sectionname]).

There is one special section for global gssproxy settings, called [gssproxy].

Services such as nfs, apache, ssh, etc. are represented by sections like [service/nfs], [service/apache], etc. and are identified by the "euid" setting (see below).

Variable Substitutions

String parameters may contain substitution patterns. This allows gssproxy to deal with patterns for the storage location of keytabs or credential caches easier.

The supported patterns are:

%U

substitutes to the user's numeric uid (e.g. 123)

%u

substitutes to the user's username (e.g. john).

Options

gssproxy supports the following options:

allow_any_uid (boolean)

Allow any process of any user to use this service.

Note that absent a custom socket or selinux_context option this option may cause a service definition to mask access to following services. To avoid issues change the order of services in your configuation file so that services with allow_any_uid enabled are listed last, or define a custom socket for other services.

Default: false

cred_usage (string)

Allow to restrict the kind of operations permitted for this service.

The allowed options are: initiate, accept, both

Default: cred_usage = both

cred_store (string)

This parameter allows to control in which way gssproxy should use the cred_store interface provided by GSSAPI. The parameter can be defined multiple times per service.

The syntax of the cred_store parameter is as follows: cred_store = <cred_store_option>:<cred_store_value>

Currently this interface supports the following options:

keytab
Defines the keytab the service should use. Example: cred_store = keytab:/path/to/keytab

client_keytab
Defines a client keytab the service should use. Example: cred_store = client_keytab:/path/to/client_keytab.

ccache
Defines a credential cache the service should use. Example: cred_store = ccache:/path/to/ccache.

Notably the client_keytab and the ccache setting typically are used with variable substitution placeholders (see above). For example:

cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/%U.keytab

Default: cred_store =

debug (boolean)

Enable debugging to syslog.

Default: debug = false

euid (integer or string)

Either the numeric (e.g., 48) or symbolic (e.g., apache) effective uid of a running process, required to identify a service.

The "euid" parameter is imperative, any section without it will be discarded.

Default: euid =

enforce_flags (string)

A list of GSS Request Flags that are added unconditionally to every context initialization call. Flags can only be added to the list or removed from the list by prepending a +/- sign to the flag name or value.

Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT, SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS

Examples:

enforce_flags = +REPLAY_DETECT
enforce_flags = -0x0001

Default: enforce_flags =

filter_flags (string)

A list of GSS Request Flags that are filtered unconditionally from every context initialization call. Flags can only be added to the list or removed from the list by prepending a +/- sign to the flag name or value.

NOTE: Because often gssproxy is used to withold access to credentials the Delegate Flag is filtered by default. To allow a service to delegate credentials use the first example below.

Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT, SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS

Examples:

filter_flags = -DELEGATE
filter_flags = -0x0001 +ANONYMOUS

Default: filter_flags = +DELEGATE

impersonate (boolean)

Use impersonation (s4u2self + s4u2proxy) to obtain credentials

Default: impersonate = false

kernel_nfsd (boolean)

Boolean flag that allows the Linux kernel to check if gssproxy is running (via /proc/net/rpc/use-gss-proxy).

Default: kernel_nfsd = false

krb5_principal (string)

The krb5 principal to be used by this service.

Default: krb5_principal =

mechs (string)

Currently only krb5 is supported.

The "mechs" parameter is imperative, any section without it will be discarded.

Default: mechs =

run_as_user (string)

The name of the user gssproxy will drop privileges to.

This option is only available in the global section.

Default: run_as_user =

selinux_context (string)

This parameter instructs the proxy to allow map a request to the service only if the context of the connecting client matches the one defined here.

When this parameter is not set any client will be allowed regardless of their selinux context.

Example: selinux_context = system_u:system_r:gssd_t

socket (string)

This parameter allows to create a per-service socket file over which gssproxy client and server components communicate.

When this parameter is not set, gssproxy will use a compiled-in default.

trusted (boolean)

Defines whether this service is considered trusted. Use with caution, this enables impersonation.

Default: trusted = false

worker threads (integer)

Defines the amount of worker threads gssproxy will create at startup.

Default: worker threads =

See Also

gssproxy(8) and gssproxy-mech(8).

Authors

GSS-Proxy - http://fedorahosted.org/gss-proxy

Referenced By

gssproxy(8), gssproxy-mech(8).

09/27/2016 GSS Proxy GssProxy Manual pages