GSSPROXY.CONF(5) GssProxy Manual pages GSSPROXY.CONF(5)
NAME
gssproxy.conf - GssProxy Daemon Configuration file
DESCRIPTION
Optional configuration directives for the gssproxy daemon.
The gssproxy.conf file is a classic ini-style configuration file. Each
option consists of a key = value pair. Any characters after '#' are
treated as a comment and are ignored. Boolean parameters accept "1",
"true", "yes" and "on" as positive values. All other values are
considered negative values.
SECTIONS
A section in the gssproxy.conf file is identified by the sectionname in
square brackets ([sectionname]).
There is one special section for global gssproxy settings, called
[gssproxy].
Services such as nfs, apache, ssh, etc. are represented by sections
like [service/nfs], [service/apache], etc. and are identified by the
"euid" setting (see below).
VARIABLE SUBSTITUTIONS
String parameters may contain substitution patterns. This makes it
easier for gssproxy to express the storage location of keytabs or
credential caches as a pattern.
The supported patterns are:
%U
substitutes to the user's numeric uid (e.g. 123).
%u
substitutes to the user's username (e.g. john).
OPTIONS
gssproxy supports the following options:
allow_any_uid (boolean)
Allow any process of any user to use this service.
Note that, absent a custom socket or selinux_context option, this
option may cause a service definition to mask access to the services
that follow it. To avoid issues, change the order of services in your
configuration file so that services with allow_any_uid enabled are
listed last, or define a custom socket for the other services.
Default: false
cred_usage (string)
Restricts the kind of operations permitted for this service.
The allowed options are: initiate, accept, both
Default: cred_usage = both
cred_store (string)
This parameter controls how gssproxy uses the cred_store interface
provided by GSSAPI. The parameter can be defined multiple times per
service.
The syntax of the cred_store parameter is as follows: cred_store =
<cred_store_option>:<cred_store_value>
Currently this interface supports the following options:
keytab
Defines the keytab the service should use. Example: cred_store
= keytab:/path/to/keytab
client_keytab
Defines a client keytab the service should use. Example:
cred_store = client_keytab:/path/to/client_keytab.
ccache
Defines a credential cache the service should use. Example:
cred_store = ccache:/path/to/ccache.
Notably, the client_keytab and ccache settings are typically used
with variable substitution placeholders (see above). For example:
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/%U.keytab
Default: cred_store =
debug (boolean)
Enable debugging to syslog.
Default: debug = false
euid (integer)
The numeric effective uid of a running process, required to
identify a service.
The "euid" parameter is mandatory; any section without it will be
discarded.
Default: euid =
impersonate (boolean)
Use impersonation (s4u2self + s4u2proxy) to obtain credentials.
Default: impersonate = false
kernel_nfsd (boolean)
Boolean flag that allows the Linux kernel to check if gssproxy is
running (via /proc/net/rpc/use-gss-proxy).
Default: kernel_nfsd = false
krb5_principal (string)
The krb5 principal to be used by this service.
Default: krb5_principal =
mechs (string)
Currently only krb5 is supported.
The "mechs" parameter is mandatory; any section without it will be
discarded.
Default: mechs =
selinux_context (string)
This parameter instructs the proxy to map a request to this service
only if the SELinux context of the connecting client matches the one
defined here.
When this parameter is not set, any client will be allowed regardless
of its SELinux context.
Example: selinux_context = system_u:system_r:gssd_t
socket (string)
This parameter specifies a per-service socket file over which the
gssproxy client and server components communicate.
When this parameter is not set, gssproxy will use a compiled-in
default.
trusted (boolean)
Defines whether this service is considered trusted. Use with
caution: this enables impersonation.
Default: trusted = false
worker threads (integer)
Defines the number of worker threads gssproxy will create at
startup.
Default: worker threads =
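As an added example (not part of this manual page or of the gssproxy project), a small Python linter for two pitfalls described above: service sections that will be discarded for lacking euid or mechs, and an allow_any_uid service without a custom socket or selinux_context that masks the services listed after it. The sample configuration embedded in it is constructed, and the function names are the example's own.

```python
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
TRUE_VALUES = {"1", "true", "yes", "on"}   # positive booleans per gssproxy.conf(5)
# Constructed sample: nfs-server masks the services after it, ssh lacks "mechs".
SAMPLE_CONF = """\
[service/nfs-server]
mechs = krb5
euid = 0
allow_any_uid = yes   # no socket/selinux_context, so it masks later services

[service/apache]
mechs = krb5
euid = 48
cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/%U.keytab

[service/ssh]
euid = 0
"""

def parse_gssproxy_conf(text):
    # Ordered list of (section, [(key, value), ...]); repeated keys are kept.
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # anything after '#' is a comment
        if m := SECTION_RE.match(line):
            current = (m.group(1), [])
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[1].append((key, value))
    return sections

def lint_gssproxy_conf(text):
    # Findings for discarded sections and allow_any_uid masking; [] when clean.
    findings, masker = [], None
    for name, opts in parse_gssproxy_conf(text):
        if not name.startswith("service/"):
            continue
        keys, vals = {k for k, _ in opts}, dict(opts)
        for req in ("euid", "mechs"):   # mandatory: section discarded without them
            if req not in keys:
                findings.append(f"[{name}] has no {req}; section will be discarded")
        if masker and "socket" not in keys:   # a custom socket avoids the masking
            findings.append(f"[{name}] follows [{masker}] (allow_any_uid) and may be masked")
        if vals.get("allow_any_uid", "").lower() in TRUE_VALUES and not keys & {"socket", "selinux_context"}:
            masker = name
    return findings
```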
SEE ALSO
gssproxy(8) and gssproxy-mech(8).
AUTHORS
GSS-Proxy - http://fedorahosted.org/gss-proxy
GSS Proxy 10/28/2013 GSSPROXY.CONF(5)