NAME<\/a> gssproxy.conf \u2212 GssProxy Daemon Configuration file<\/p>\n Optional configuration directives for the gssproxy daemon.<\/p>\n GSS\u2212Proxy conf files are classic ini\u2212style configuration files. Each option consist of a key = value pair. Any characters behind ‘#’ will be treated as comments and will be ignored. Boolean parameters accept “1”, “true”, “yes” and “on” as positive values. All other values will be considered as negative values.<\/p>\n GSS\u2212Proxy conf files must either be named “gssproxy.conf”, or be of the form “##\u2212foo.conf” (that is, start with two numbers followed by a dash, and end in “.conf”). Files not conforming to this will be ignored unless specifically requested through command line parameters. Within a single file, any duplicate values or sections will be merged. Across multiple files, duplicates will generate a warning, and the first value encountered will take precedence (i.e., there is no merging).<\/p>\n A section in a GSS\u2212Proxy conf file is identified by the sectionname in square brackets ([sectionname]).<\/p>\n There is one special section for global gssproxy settings, called [gssproxy].<\/p>\n Services such as nfs, apache, ssh, etc. are represented by sections like [service\/nfs], [service\/apache], etc. and are identified by the “euid” setting (see below).<\/p>\n String parameters may contain substitution patterns. This allows gssproxy to deal with patterns for the storage location of keytabs or credential caches easier.<\/p>\n The supported patterns are:<\/p>\n %U<\/p>\n substitutes to the user’s numeric uid (e.g. 123)<\/p>\n %u<\/p>\n substitutes to the user’s username (e.g. john).<\/p>\n gssproxy supports the following options:<\/p>\n allow_any_uid (boolean)<\/p>\n Allow any process of any user to use this service.<\/p>\n Note that absent a custom socket option this option may cause a service definition to mask access to following services. To avoid issues change the order of services in your configuation file so that services with allow_any_uid enabled are listed last, or define a custom socket for other services.<\/p>\n Default: false<\/p>\n allow_protocol_transition (boolean)<\/p>\n Allow clients to request a ticket to self for an arbitrary user.<\/p>\n This option controls whether s4u2self requests are allowed for the requesting client. The configured keytab is used as the service identity for which a ticket is requested. The KDC still needs to allow the operation for it to succeed.<\/p>\n Default: false<\/p>\n allow_constrained_delegation (boolean)<\/p>\n Allow clients to request a ticket to another service using an evidence ticket.<\/p>\n This option controls whether s4u2proxy requests are allowed for the requesting client. The KDC still needs to allow the operation for it to succeed.<\/p>\n Default: false<\/p>\n allow_client_ccache_sync (boolean)<\/p>\n Allow clients to request credentials to be sent back for better caching.<\/p>\n This option allows the proxy, in certain circumstances, to send back an additional option in the response structure of certain calls when it determines that a new ticket may have been added to the internal ccache. Clients can then replace their (encrypted) copy with the updated ccache.<\/p>\n Default: false<\/p>\n cred_store (string)<\/p>\n This parameter allows to control in which way gssproxy should use the cred_store interface provided by GSSAPI. The parameter can be defined multiple times per service.<\/p>\n The syntax of the cred_store parameter is as follows: cred_store = Currently this interface supports the following options:<\/p>\n keytab<\/p>\n Defines the keytab the service should use. Example: cred_store = keytab:\/path\/to\/keytab<\/p>\n client_keytab<\/p>\n Defines a client keytab the service should use. Example: cred_store = client_keytab:\/path\/to\/client_keytab.<\/p>\n ccache<\/p>\n Defines a credential cache the service should use. Example: cred_store = ccache:\/path\/to\/ccache.<\/p>\n Notably the client_keytab and the ccache setting typically are used with variable substitution placeholders (see above). For example:<\/p>\n cred_store = keytab:\/etc\/krb5.keytab Default: cred_store =<\/p>\n cred_usage (string)<\/p>\n Allow to restrict the kind of operations permitted for this service.<\/p>\n The allowed options are: initiate, accept, both<\/p>\n Default: cred_usage = both<\/p>\n debug (boolean)<\/p>\n Enable debugging to syslog. Setting to true is identical to setting debug_level to 1.<\/p>\n Default: debug = false<\/p>\n debug_level (integer)<\/p>\n Detail level at which to log debugging messages. 0 corresponds to no logging, while 1 turns on basic debug logging. Level 2 increases verbosity, including more detailed credential verification.<\/p>\n At level 3 and above, KRB5_TRACE output is logged. If KRB5_TRACE was already set in the execution environment, trace output is sent to its value instead.<\/p>\n Default: 1 if debug is true, otherwise 0<\/p>\n enforce_flags (string)<\/p>\n A list of GSS Request Flags that are added unconditionally to every context initialization call. Flags can only be added to the list or removed from the list by prepending a +\/\u2212 sign to the flag name or value.<\/p>\n Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT, SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS<\/p>\n Examples:<\/p>\n enforce_flags = +REPLAY_DETECT Default: enforce_flags =<\/p>\n euid (integer or string)<\/p>\n Either the numeric (e.g., 48) or symbolic (e.g., apache) effective uid of a running process, required to identify a service.<\/p>\n The “euid” parameter is imperative, any section without it will be discarded.<\/p>\n Default: euid =<\/p>\n filter_flags (string)<\/p>\n A list of GSS Request Flags that are filtered unconditionally from every context initialization call. Flags can only be added to the list or removed from the list by prepending a +\/\u2212 sign to the flag name or value.<\/p>\n NOTE: Because often gssproxy is used to withold access to credentials the Delegate Flag is filtered by default. To allow a service to delegate credentials use the first example below.<\/p>\n Recognized flag names: DELEGATE, MUTUAL_AUTH, REPLAY_DETECT, SEQUENCE, CONFIDENTIALITY, INTEGRITY, ANONYMOUS<\/p>\n Examples:<\/p>\n filter_flags = \u2212DELEGATE Default: filter_flags = +DELEGATE<\/p>\n impersonate (boolean)<\/p>\n Use impersonation (s4u2self + s4u2proxy) to obtain credentials<\/p>\n Default: impersonate = false<\/p>\n kernel_nfsd (boolean)<\/p>\n Boolean flag that allows the Linux kernel to check if gssproxy is running (via \/proc\/net\/rpc\/use\u2212gss\u2212proxy).<\/p>\n Default: kernel_nfsd = false<\/p>\n krb5_principal (string)<\/p>\n The krb5 principal to be used preferred for this service, if one isn’t requested by the application. Note that this does not enforce use of this specific name; it only sets a default.<\/p>\n Default: krb5_principal =<\/p>\n mechs (string)<\/p>\n Currently only krb5<\/i> is supported.<\/p>\n The “mechs” parameter is imperative, any section without it will be discarded.<\/p>\n Default: mechs =<\/p>\n program (string)<\/p>\n If specified, this service will only match when the program being run is the specified string.<\/p>\n Programs are assumed to be specified as canonical paths (i.e., no relative paths, no symlinks). Additionally, the ‘|’ character is reserved for future use and therefore forbidden.<\/p>\n run_as_user (string)<\/p>\n The name of the user gssproxy will drop privileges to.<\/p>\n This option is only available in the global section.<\/p>\n Default: run_as_user =<\/p>\n selinux_context (string)<\/p>\n This option is deprecated. Use a custom socket or euid instead.<\/p>\n socket (string)<\/p>\n This parameter allows to create a per\u2212service socket file over which gssproxy client and server components communicate.<\/p>\n When this parameter is not set, gssproxy will use a compiled\u2212in default.<\/p>\n syslog_status (boolean)<\/p>\n Enable per\u2212call debugging output to the syslog. This may be useful for investigating problems in applications using gssproxy.<\/p>\n Default: syslog_status = false<\/p>\n trusted (boolean)<\/p>\n Defines whether this service is considered trusted. Use with caution, this enables impersonation.<\/p>\n Default: trusted = false<\/p>\n worker threads (integer)<\/p>\n Defines the amount of worker threads gssproxy will create at startup.<\/p>\n Default: worker threads =<\/p>\n
DESCRIPTION<\/a>
SECTIONS<\/a>
VARIABLE SUBSTITUTIONS<\/a>
OPTIONS<\/a>
SEE ALSO<\/a>
AUTHORS<\/a> <\/p>\n
\nNAME <\/a> <\/h2>\n
DESCRIPTION <\/a> <\/h2>\n
SECTIONS <\/a> <\/h2>\n
VARIABLE SUBSTITUTIONS <\/a> <\/h2>\n
OPTIONS <\/a> <\/h2>\n
cred_store = ccache:FILE:\/var\/lib\/gssproxy\/krb5cc_%U
cred_store = client_keytab:\/var\/lib\/gssproxy\/%U.keytab<\/b><\/p>\n
enforce_flags = \u22120x0001<\/b><\/p>\n
filter_flags = \u22120x0001 +ANONYMOUS<\/b><\/p>\nSEE ALSO <\/a> <\/h2>\n