.SH NAME
rpc.gssd \- rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.gssd [-f] [-n] [-k keytab] [-p pipefsdir] [-v] [-r] [-d ccachedir]"
+.B rpc.gssd
+.RB [ \-fnlvr ]
+.RB [ \-k
+.IR keytab ]
+.RB [ \-p
+.IR pipefsdir ]
+.RB [ \-d
+.IR ccachedir ]
+.RB [ \-t
+.IR timeout ]
+.RB [ \-R
+.IR realm ]
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
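Review bot: the new SYNOPSIS escapes every option dash as `\-` (`.RB [ \-fnlvr ]`, `.RB [ \-k`), but the option headings added further down in this patch use a bare `-` (`.BI "-k " keytab`, `.BI "-p " path`, `.BI "-d " directory`, `.BI "-R " realm`, `.BI "-t " timeout`), so groff may render a typographic hyphen in the DESCRIPTION and a minus sign in the SYNOPSIS. Use `\-` in the `.BI` headings as well so the option names render, copy and grep identically throughout the page.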
attempting to mount an nfs filesystem requiring Kerberos
authentication.
.TP
-.B -k keytab
+.BI "-k " keytab
Tells
.B rpc.gssd
to use the keys found in
.I keytab
to obtain "machine credentials".
-The default value is "/etc/krb5.keytab".
+The default value is
+.I /etc/krb5.keytab.
.IP
Previous versions of
.B rpc.gssd
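Review bot: the trailing period in `.I /etc/krb5.keytab.` becomes part of the italic argument and renders as if the file were named `/etc/krb5.keytab.`; write it as `.IR /etc/krb5.keytab .` so the period is set in roman, exactly as the same patch does for the rpc_pipefs default (`.IR /var/lib/nfs/rpc_pipefs .`).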
If this search order does not use the correct key then provide a
keytab file that contains only correct keys.
.TP
-.B -p path
+.B -l
+Tells
+.B rpc.gssd
+to limit session keys to Single DES even if the kernel supports stronger
+encryption types. Service ticket encryption is still governed by what
+the KDC believes the target server supports. This way the client can
+access a server that has strong keys in its keytab for ticket decryption
+but whose kernel only supports Single DES.
+.IP
+The alternative is to put only Single DES keys in the server's keytab
+and limit encryption types for its principal to Single DES on the KDC
+which will cause service tickets for this server to be encrypted using
+only Single DES and (as a side-effect) contain only Single DES session
+keys.
+.IP
+This legacy behaviour is only required for older servers
+(pre nfs-utils-1.2.4). If the server has a recent kernel, Kerberos
+implementation and nfs-utils it will work just fine with stronger
+encryption.
+.IP
+.B Note:
+This option is only available with Kerberos libraries that
+support setable encryption types.
+.TP
+.BI "-p " path
Tells
.B rpc.gssd
where to look for the rpc_pipefs filesystem. The default value is
-"/var/lib/nfs/rpc_pipefs".
+.IR /var/lib/nfs/rpc_pipefs .
.TP
-.B -d directory
+.BI "-d " directory
Tells
.B rpc.gssd
-where to look for Kerberos credential files. The default value is "/tmp".
-This can also be a colon separated list of directories to be searched
-for Kerberos credential files. Note that if machine credentials are being
+where to look for Kerberos credential files. The default value is
+.IR /tmp:/run/user/%U .
+This can also be a colon separated list of directories to be searched for
+Kerberos credential files. The sequence "%U", if used, is replaced with
+the UID of the user for whom credentials are being searched.
+Note that if machine credentials are being
stored in files, then the first directory on this list is where the
machine credentials are stored.
.TP
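Review bot: the new `-l` text explains how to reach a Single DES only server but never says what the operator gives up; since this flag forces every session key negotiated by the client down to Single DES, the paragraph should state plainly that this weakens the protection of all traffic to every server the client talks to, not only the legacy one, and that the option should be removed once the pre nfs-utils-1.2.4 servers it exists for are gone (the "legacy behaviour" paragraph already implies this, but the downgrade scope deserves an explicit sentence). Two smaller points in the same hunk: "setable" in the `.B Note:` paragraph should be "settable", and the `-d` text documents the `%U` substitution but not that `/run/user/%U` is a per-user directory, which is the reason the default changed from `/tmp` and is worth one sentence.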
If the rpcsec_gss library supports setting debug level,
increases the verbosity of the output (can be specified multiple times).
.TP
-.B -R realm
+.BI "-R " realm
Kerberos tickets from this
.I realm
will be preferred when scanning available credentials cache files to be
used to create a context. By default, the default realm, as configured
in the Kerberos configuration file, is preferred.
.TP
-.B -t timeout
+.BI "-t " timeout
Timeout, in seconds, for kernel gss contexts. This option allows you to force
new kernel contexts to be negotiated after
.I timeout
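Review bot: the `-t` entry describes what happens when a timeout is given but not what happens when it is not, so a reader cannot tell whether kernel contexts are renegotiated at all by default; add a sentence stating the default behaviour when `-t` is absent. For `-R`, it would help to say that the realm preference only affects which existing credential cache is chosen and does not cause credentials for that realm to be acquired, since "will be preferred when scanning available credentials cache files" can be read either way.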