.\" Copyright (C) 2003 J. Bruce Fields <bfields@umich.edu>
.TH rpc.gssd 8 "20 Feb 2013"
rpc.gssd \- RPCSEC_GSS daemon
The RPCSEC_GSS protocol, defined in RFC 5403, is used to provide
strong security for RPC-based protocols such as NFS.
Before exchanging RPC requests using RPCSEC_GSS, an RPC client must
.IR "security context" .
A security context is shared state on each
end of a network transport that enables GSS-API security services.
Security contexts are established using
.IR "security credentials" .
A credential grants temporary access to a secure network service,
much as a railway ticket grants temporary access to use a rail service.
A user typically obtains a credential by providing a password to the
command, or via a PAM library at login time.
A credential acquired with a
for more on principals).
For certain operations, a credential is required
which represents no user,
is otherwise unprivileged,
and is always available.
This is referred to as a
.IR "machine credential" .
Machine credentials are typically established using a
.IR "service principal" ,
whose encrypted password, called its
is stored in a file, called a
to avoid requiring a user prompt.
A machine credential effectively does not expire because the system
can renew it as needed without user intervention.
Once obtained, credentials are typically stored in local temporary files
with well-known pathnames.
To establish GSS security contexts using these credential files,
the Linux kernel RPC client depends on a userspace daemon called
daemon uses the rpc_pipefs filesystem to communicate with the kernel.
in the foreground and sends output to stderr (as opposed to syslogd)
treats accesses by the user with UID 0 specially, and uses
"machine credentials" for all accesses by that user which
require Kerberos authentication.
With the \-n option, "machine credentials" will not be used
for accesses by UID 0. Instead, credentials must be obtained
manually like all other users. Use of this option means that
"root" must manually obtain Kerberos credentials before
attempting to mount an nfs filesystem requiring Kerberos
to use the keys found in
to obtain "machine credentials".
used only "nfs/*" keys found within the keytab.
To be more consistent with other implementations, we now look for
specific keytab entries. The search order for keytab entries to be used
for "machine credentials" is now:
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>
If this search order does not select the correct key, provide a
keytab file that contains only the correct keys.
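The following is an added example, not code from nfs-utils or from this manual page. It applies the search order above to the principals listed by a constructed `klist -k` listing, so that an administrator can predict which keytab entry will be chosen before relying on it. The hostname and realm are passed in as parameters; how rpc.gssd itself determines the client's canonical hostname and the realm to search is an assumption of this example, not something the page specifies. The sample keytab listing is constructed and includes a stale root/oldbox entry to show why a keytab with only the correct keys is safer: once the exact-hostname entries are exhausted, root/<anyname> wins over host/<anyname>.

```python
import re

# Search order from the rpc.gssd manual page: entries for the exact hostname
# are tried first, then any instance name, with service names tried in the
# order root, nfs, host.
SERVICE_ORDER = ("root", "nfs", "host")

# Constructed sample of `klist -k` output; not taken from a real host.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/nfsclient.example.com@EXAMPLE.COM
   3 host/nfsclient.example.com@EXAMPLE.COM
   3 nfs/nfsclient.example.com@EXAMPLE.COM
   2 root/oldbox.example.com@EXAMPLE.COM
   5 nfs/nfsclient.example.com@OTHER.REALM
"""

# One `klist -k` entry line: a KVNO followed by the principal name.
_ENTRY = re.compile(r"^\s*\d+\s+(\S+)\s*$")


def parse_klist_keytab(text):
    """Return the distinct principals listed by `klist -k`, in keytab order.

    A keytab holds one entry per (principal, kvno, enctype), so the same
    principal is normally printed several times; duplicates are collapsed.
    """
    seen = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def select_machine_principal(principals, hostname, realm):
    """Pick the principal the documented search order would use.

    `hostname` is assumed to be the client's canonical name as gssd sees it
    and `realm` the realm being searched (assumptions of this example).
    Returns None if the keytab has no usable root/, nfs/ or host/ entry.
    """
    candidates = {}
    for p in principals:
        name, sep, p_realm = p.rpartition("@")
        if not sep or p_realm != realm or "/" not in name:
            continue
        service, instance = name.split("/", 1)
        # First occurrence wins, so ties resolve in keytab order.
        candidates.setdefault((service, instance), p)

    # Steps 1-3: root/<hostname>, nfs/<hostname>, host/<hostname>
    for service in SERVICE_ORDER:
        if (service, hostname) in candidates:
            return candidates[(service, hostname)]
    # Steps 4-6: root/<anyname>, nfs/<anyname>, host/<anyname>
    for service in SERVICE_ORDER:
        for (svc, _instance), p in candidates.items():
            if svc == service:
                return p
    return None


if __name__ == "__main__":
    principals = parse_klist_keytab(SAMPLE_KLIST)
    print(select_machine_principal(principals, "nfsclient.example.com", "EXAMPLE.COM"))
```

Run against a real host by replacing SAMPLE_KLIST with the output of `klist -k` on the keytab given to rpc.gssd; if the principal reported is not the one intended, build a dedicated keytab holding only the correct entry, as the page advises.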
to limit session keys to Single DES even if the kernel supports stronger
encryption types. Service ticket encryption is still governed by what
the KDC believes the target server supports. This way the client can
access a server that has strong keys in its keytab for ticket decryption
but whose kernel only supports Single DES.
The alternative is to put only Single DES keys in the server's keytab
and limit encryption types for its principal to Single DES on the KDC,
which will cause service tickets for this server to be encrypted using
only Single DES and (as a side-effect) contain only Single DES session
This legacy behaviour is only required for older servers
(pre nfs-utils-1.2.4). Single DES is cryptographically weak and is
disabled by default in current Kerberos libraries, so upgrading the
server is preferable to using this option. If the server has a recent
kernel, Kerberos implementation, and nfs-utils, it will work just fine with stronger
This option is only available with Kerberos libraries that
support settable encryption types.
where to look for the rpc_pipefs filesystem. The default value is
.IR /var/lib/nfs/rpc_pipefs .
.BI "-d " search-path
This option specifies a colon-separated list of directories that
searches for credential files. The default value is
.IR /tmp:/run/user/%U .
The literal sequence "%U" can be specified to substitute the UID
of the user for whom credentials are being searched.
By default, machine credentials are stored in files in the first
directory in the credential directory search path (see the
stores machine credentials in memory instead.
Increases the verbosity of the output (can be specified multiple times).
If the RPCSEC_GSS library supports setting debug level,
increases the verbosity of the output (can be specified multiple times).
Kerberos tickets from this
will be preferred when scanning available credentials cache files to be
used to create a context. By default, the default realm, as configured
in the Kerberos configuration file, is preferred.
Timeout, in seconds, for kernel GSS contexts. This option allows you to force
new kernel contexts to be negotiated after
seconds, which allows changing Kerberos tickets and identities frequently.
The default is no explicit timeout, which means the kernel context will live
the lifetime of the Kerberos service ticket used in its creation.
Dug Song <dugsong@umich.edu>
Andy Adamson <andros@umich.edu>
Marius Aamodt Eriksen <marius@umich.edu>
J. Bruce Fields <bfields@umich.edu>