.\" rpc.gssd(8)
.\"
.\" Copyright (C) 2003 J. Bruce Fields <bfields@umich.edu>
-.TH rpc.gssd 8 "17 Mar 2003"
+.TH rpc.gssd 8 "14 Mar 2007"
.SH NAME
rpc.gssd \- rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.gssd [-f] [-k keytab] [-p pipefsdir] [-v] [-r]"
+.B "rpc.gssd [-f] [-n] [-k keytab] [-l] [-p pipefsdir] [-v] [-r] [-d ccachedir]"
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
.B rpc.gssd
in the foreground and sends output to stderr (as opposed to syslogd)
.TP
+.B -n
+By default,
+.B rpc.gssd
+treats accesses by the user with UID 0 specially, and uses
+"machine credentials" for all accesses by that user which
+require Kerberos authentication.
+With the \-n option, "machine credentials" will not be used
+for accesses by UID 0. Instead, credentials must be obtained
+manually like all other users. Use of this option means that
+"root" must manually obtain Kerberos credentials before
+attempting to mount an nfs filesystem requiring Kerberos
+authentication.
+.TP
.B -k keytab
Tells
.B rpc.gssd
-to use the keys for principals nfs/hostname in
+to use the keys found in
.I keytab
-to obtain machine credentials.
+to obtain "machine credentials".
The default value is "/etc/krb5.keytab".
-.\".TP
-.\".B -m
-.\"Ordinarily,
-.\".B rpc.gssd
-.\"looks for a cached ticket for user $UID in /tmp/krb5cc_$UID.
-.\"With the -m option, the user with uid 0 will be treated specially, and will
-.\"be mapped instead to the credentials for the principal nfs/hostname found in
-.\"the keytab file.
-.\"(This option is now the default and is ignored if specified.)
+.IP
+Previous versions of
+.B rpc.gssd
+used only "nfs/*" keys found within the keytab.
+To be more consistent with other implementations, we now look for
+specific keytab entries. The search order for keytabs to be used
+for "machine credentials" is now:
+.br
+ <HOSTNAME>$@<REALM>
+.br
+ root/<hostname>@<REALM>
+.br
+ nfs/<hostname>@<REALM>
+.br
+ host/<hostname>@<REALM>
+.br
+ root/<anyname>@<REALM>
+.br
+ nfs/<anyname>@<REALM>
+.br
+ host/<anyname>@<REALM>
+.IP
+If this search order does not use the correct key then provide a
+keytab file that contains only correct keys.
+.TP
+.B -l
+Tells
+.B rpc.gssd
+to limit session keys to Single DES even if the kernel supports stronger
+encryption types. Service ticket encryption is still governed by what
+the KDC believes the target server supports. This way the client can
+access a server that has strong keys in its keytab for ticket decryption
+but whose kernel only supports Single DES.
+.IP
+The alternative is to put only Single DES keys in the server's keytab
+and limit encryption types for its principal to Single DES on the KDC
+which will cause service tickets for this server to be encrypted using
+only Single DES and (as a side-effect) contain only Single DES session
+keys.
+.IP
+This legacy behaviour is only required for older servers
+(pre nfs-utils-1.2.4). If the server has a recent kernel, Kerberos
+implementation and nfs-utils it will work just fine with stronger
+encryption.
+.IP
+.B Note:
+This option is only available with Kerberos libraries that
+support setable encryption types.
.TP
.B -p path
Tells
where to look for the rpc_pipefs filesystem. The default value is
"/var/lib/nfs/rpc_pipefs".
.TP
+.B -d directory
+Tells
+.B rpc.gssd
+where to look for Kerberos credential files. The default value is "/tmp".
+This can also be a colon separated list of directories to be searched
+for Kerberos credential files. Note that if machine credentials are being
+stored in files, then the first directory on this list is where the
+machine credentials are stored.
+.TP
.B -v
Increases the verbosity of the output (can be specified multiple times).
.TP
.B -r
If the rpcsec_gss library supports setting debug level,
increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -R realm
+Kerberos tickets from this
+.I realm
+will be preferred when scanning available credentials cache files to be
+used to create a context. By default, the default realm, as configured
+in the Kerberos configuration file, is preferred.
+.TP
+.B -t timeout
+Timeout, in seconds, for kernel gss contexts. This option allows you to force
+new kernel contexts to be negotiated after
+.I timeout
+seconds, which allows changing Kerberos tickets and identities frequently.
+The default is no explicit timeout, which means the kernel context will live
+the lifetime of the Kerberos service ticket used in its creation.
.SH SEE ALSO
.BR rpc.svcgssd(8)
.SH AUTHORS
projects / nfs-utils.git / blobdiff