'\" t
.\" Title: gssproxy.conf
.\" Author: GSS-Proxy - http://fedorahosted.org/gss-proxy
.\" Generator: DocBook XSL Stylesheets v1.79.1
.\" Date: 12/27/2016
.\" Manual: GssProxy Manual pages
.\" Source: GSS Proxy
.\" Language: English
.\"
.TH "GSSPROXY\&.CONF" "5" "12/27/2016" "GSS Proxy" "GssProxy Manual pages"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
gssproxy.conf \- GssProxy Daemon Configuration file
.SH "DESCRIPTION"
.PP
Optional configuration directives for the gssproxy daemon\&.
.PP
GSS\-Proxy conf files are classic ini\-style configuration files\&. Each option consist of a key = value pair\&. Any characters behind \*(Aq#\*(Aq will be treated as comments and will be ignored\&. Boolean parameters accept "1", "true", "yes" and "on" as positive values\&. All other values will be considered as negative values\&.
.PP
GSS\-Proxy conf files must either be named "gssproxy\&.conf", or be of the form "##\-foo\&.conf" (that is, start with two numbers followed by a dash, and end in "\&.conf")\&. Files not conforming to this will be ignored unless specifically requested through command line parameters\&.
.SH "SECTIONS"
.PP
A section in a GSS\-Proxy conf file is identified by the sectionname in square brackets ([sectionname])\&.
.PP
There is one special section for global gssproxy settings, called [gssproxy]\&.
.PP
Services such as nfs, apache, ssh, etc\&. are represented by sections like [service/nfs], [service/apache], etc\&. and are identified by the "euid" setting (see below)\&.
.SH "VARIABLE SUBSTITUTIONS"
.PP
String parameters may contain substitution patterns\&. This allows gssproxy to deal with patterns for the storage location of keytabs or credential caches easier\&.
.PP
The supported patterns are:
.PP
%U
.RS 4
substitutes to the user\*(Aqs numeric uid (e\&.g\&. 123)
.RE
.PP
%u
.RS 4
substitutes to the user\*(Aqs username (e\&.g\&. john)\&.
.RE
.SH "OPTIONS"
.PP
gssproxy supports the following options:
.PP
allow_any_uid (boolean)
.RS 4
Allow any process of any user to use this service\&.
.sp
Note that absent a custom socket or selinux_context option this option may cause a service definition to mask access to following services\&. To avoid issues change the order of services in your configuation file so that services with allow_any_uid enabled are listed last, or define a custom socket for other services\&.
.sp
Default: false
.RE
.PP
cred_usage (string)
.RS 4
Allow to restrict the kind of operations permitted for this service\&.
.sp
The allowed options are: initiate, accept, both
.sp
Default: cred_usage = both
.RE
.PP
cred_store (string)
.RS 4
This parameter allows to control in which way gssproxy should use the cred_store interface provided by GSSAPI\&. The parameter can be defined multiple times per service\&.
.sp
The syntax of the cred_store parameter is as follows: cred_store = :
.sp
Currently this interface supports the following options:
.PP
keytab
.RS 4
Defines the keytab the service should use\&. Example: cred_store = keytab:/path/to/keytab
.RE
.PP
client_keytab
.RS 4
Defines a client keytab the service should use\&. Example: cred_store = client_keytab:/path/to/client_keytab\&.
.RE
.PP
ccache
.RS 4
Defines a credential cache the service should use\&. Example: cred_store = ccache:/path/to/ccache\&.
.RE
.sp
Notably the client_keytab and the ccache setting typically are used with variable substitution placeholders (see above)\&. For example:
.sp
.if n \{\
.RS 4
.\}
.nf
\fBcred_store = keytab:/etc/krb5\&.keytab\fR
\fBcred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U\fR
\fBcred_store = client_keytab:/var/lib/gssproxy/%U\&.keytab\fR
.fi
.if n \{\
.RE
.\}
.sp
Default: cred_store =
.RE
.PP
debug (boolean)
.RS 4
Enable debugging to syslog\&.
.sp
Default: debug = false
.RE
.PP
euid (integer or string)
.RS 4
Either the numeric (e\&.g\&., 48) or symbolic (e\&.g\&., apache) effective uid of a running process, required to identify a service\&.
.sp
The "euid" parameter is imperative, any section without it will be discarded\&.
.sp
Default: euid =
.RE
.PP
enforce_flags (string)
.RS 4
A list of GSS Request Flags that are added unconditionally to every context initialization call\&. Flags can only be added to the list or removed from the list by prepending a +/\- sign to the flag name or value\&.
.sp
Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT, SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS
.sp
Examples:
.sp
.if n \{\
.RS 4
.\}
.nf
\fBenforce_flags = +REPLAY_DETECT\fR
\fBenforce_flags = \-0x0001\fR
.fi
.if n \{\
.RE
.\}
.sp
Default: enforce_flags =
.RE
.PP
filter_flags (string)
.RS 4
A list of GSS Request Flags that are filtered unconditionally from every context initialization call\&. Flags can only be added to the list or removed from the list by prepending a +/\- sign to the flag name or value\&.
.sp
NOTE: Because often gssproxy is used to withold access to credentials the Delegate Flag is filtered by default\&. To allow a service to delegate credentials use the first example below\&.
.sp
Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT, SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS
.sp
Examples:
.sp
.if n \{\
.RS 4
.\}
.nf
\fBfilter_flags = \-DELEGATE\fR
\fBfilter_flags = \-0x0001 +ANONYMOUS\fR
.fi
.if n \{\
.RE
.\}
.sp
Default: filter_flags = +DELEGATE
.RE
.PP
impersonate (boolean)
.RS 4
Use impersonation (s4u2self + s4u2proxy) to obtain credentials
.sp
Default: impersonate = false
.RE
.PP
kernel_nfsd (boolean)
.RS 4
Boolean flag that allows the Linux kernel to check if gssproxy is running (via
/proc/net/rpc/use\-gss\-proxy)\&.
.sp
Default: kernel_nfsd = false
.RE
.PP
krb5_principal (string)
.RS 4
The krb5 principal to be used by this service\&.
.sp
Default: krb5_principal =
.RE
.PP
mechs (string)
.RS 4
Currently only
\fIkrb5\fR
is supported\&.
.sp
The "mechs" parameter is imperative, any section without it will be discarded\&.
.sp
Default: mechs =
.RE
.PP
run_as_user (string)
.RS 4
The name of the user gssproxy will drop privileges to\&.
.sp
This option is only available in the global section\&.
.sp
Default: run_as_user =
.RE
.PP
selinux_context (string)
.RS 4
This parameter instructs the proxy to allow map a request to the service only if the context of the connecting client matches the one defined here\&.
.sp
When this parameter is not set any client will be allowed regardless of their selinux context\&.
.sp
Example: selinux_context = system_u:system_r:gssd_t
.RE
.PP
socket (string)
.RS 4
This parameter allows to create a per\-service socket file over which gssproxy client and server components communicate\&.
.sp
When this parameter is not set, gssproxy will use a compiled\-in default\&.
.RE
.PP
trusted (boolean)
.RS 4
Defines whether this service is considered trusted\&. Use with caution, this enables impersonation\&.
.sp
Default: trusted = false
.RE
.PP
worker threads (integer)
.RS 4
Defines the amount of worker threads gssproxy will create at startup\&.
.sp
Default: worker threads =
.RE
.SH "SEE ALSO"
.PP
\fBgssproxy\fR(8)
and
\fBgssproxy-mech\fR(8)\&.
.SH "AUTHORS"
.PP
\fBGSS\-Proxy \- http://fedorahosted\&.org/gss\-proxy\fR