X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fgssd.man;h=0cc7bf4edb9814e195da42c513bcf8c25be0e064;hp=01404d1bf7e61b6e8d25d3462e10317785d89381;hb=7a9d278e9aef620847087bb9a0e67961f92a9925;hpb=651b5d3cf5428cbf1d2cd3ae572453af249bef1e diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man index 01404d1..0cc7bf4 100644 --- a/utils/gssd/gssd.man +++ b/utils/gssd/gssd.man @@ -2,11 +2,22 @@ .\" rpc.gssd(8) .\" .\" Copyright (C) 2003 J. Bruce Fields -.TH rpc.gssd 8 "17 Mar 2003" +.TH rpc.gssd 8 "14 Mar 2007" .SH NAME rpc.gssd \- rpcsec_gss daemon .SH SYNOPSIS -.B "rpc.gssd [-f] [-k keytab] [-p pipefsdir] [-v] [-r]" +.B rpc.gssd +.RB [ \-fnlvr ] +.RB [ \-k +.IR keytab ] +.RB [ \-p +.IR pipefsdir ] +.RB [ \-d +.IR ccachedir ] +.RB [ \-t +.IR timeout ] +.RB [ \-R +.IR realm ] .SH DESCRIPTION The rpcsec_gss protocol gives a means of using the gss-api generic security api to provide security for protocols using rpc (in particular, nfs). Before 
@@ -25,28 +36,93 @@ Runs .B rpc.gssd in the foreground and sends output to stderr (as opposed to syslogd) .TP -.B -k keytab +.B -n +By default, +.B rpc.gssd +treats accesses by the user with UID 0 specially, and uses +"machine credentials" for all accesses by that user which +require Kerberos authentication. +With the \-n option, "machine credentials" will not be used +for accesses by UID 0. Instead, credentials must be obtained +manually like all other users. Use of this option means that +"root" must manually obtain Kerberos credentials before +attempting to mount an nfs filesystem requiring Kerberos +authentication. +.TP +.BI "-k " keytab Tells .B rpc.gssd -to use the keys for principals nfs/hostname in +to use the keys found in .I keytab -to obtain machine credentials. -The default value is "/etc/krb5.keytab". -.\".TP -.\".B -m -.\"Ordinarily, -.\".B rpc.gssd -.\"looks for a cached ticket for user $UID in /tmp/krb5cc_$UID. -.\"With the -m option, the user with uid 0 will be treated specially, and will -.\"be mapped instead to the credentials for the principal nfs/hostname found in -.\"the keytab file. -.\"(This option is now the default and is ignored if specified.) +to obtain "machine credentials". +The default value is +.I /etc/krb5.keytab. +.IP +Previous versions of +.B rpc.gssd +used only "nfs/*" keys found within the keytab. +To be more consistent with other implementations, we now look for +specific keytab entries. The search order for keytabs to be used +for "machine credentials" is now: +.br + $@ +.br + root/@ +.br + nfs/@ +.br + host/@ +.br + root/@ +.br + nfs/@ +.br + host/@ +.IP +If this search order does not use the correct key then provide a +keytab file that contains only correct keys. .TP -.B -p path +.B -l +Tells +.B rpc.gssd +to limit session keys to Single DES even if the kernel supports stronger +encryption types. Service ticket encryption is still governed by what +the KDC believes the target server supports. 
This way the client can +access a server that has strong keys in its keytab for ticket decryption +but whose kernel only supports Single DES. +.IP +The alternative is to put only Single DES keys in the server's keytab +and limit encryption types for its principal to Single DES on the KDC +which will cause service tickets for this server to be encrypted using +only Single DES and (as a side-effect) contain only Single DES session +keys. +.IP +This legacy behaviour is only required for older servers +(pre nfs-utils-1.2.4). If the server has a recent kernel, Kerberos +implementation and nfs-utils it will work just fine with stronger +encryption. +.IP +.B Note: +This option is only available with Kerberos libraries that +support setable encryption types. +.TP +.BI "-p " path Tells .B rpc.gssd where to look for the rpc_pipefs filesystem. The default value is -"/var/lib/nfs/rpc_pipefs". +.IR /var/lib/nfs/rpc_pipefs . +.TP +.BI "-d " directory +Tells +.B rpc.gssd +where to look for Kerberos credential files. The default value is +.IR /tmp:/run/user/%U . +This can also be a colon separated list of directories to be searched for +Kerberos credential files. The sequence "%U", if used, is replaced with +the UID of the user for whom credentials are being searched. +Note that if machine credentials are being +stored in files, then the first directory on this list is where the +machine credentials are stored. .TP .B -v Increases the verbosity of the output (can be specified multiple times). 
@@ -54,6 +130,21 @@ Increases the verbosity of the output (can be specified multiple times). .B -r If the rpcsec_gss library supports setting debug level, increases the verbosity of the output (can be specified multiple times). +.TP +.BI "-R " realm +Kerberos tickets from this +.I realm +will be preferred when scanning available credentials cache files to be +used to create a context. By default, the default realm, as configured +in the Kerberos configuration file, is preferred. +.TP +.BI "-t " timeout +Timeout, in seconds, for kernel gss contexts. This option allows you to force +new kernel contexts to be negotiated after +.I timeout +seconds, which allows changing Kerberos tickets and identities frequently. +The default is no explicit timeout, which means the kernel context will live +the lifetime of the Kerberos service ticket used in its creation. .SH SEE ALSO .BR rpc.svcgssd(8) .SH AUTHORS
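Review bot: In the first hunk (SYNOPSIS), the argument name for `-d` is given as `ccachedir` (`.RB [ \-d` / `.IR ccachedir ]`) but the DESCRIPTION entry in the second hunk heads it `.BI "-d " directory`; pick one name and use it in both places so readers can match the synopsis to the option text. The same applies to `-t`, which the SYNOPSIS calls `timeout` and the DESCRIPTION also calls `timeout`, which is fine, and to `-R realm`, which is consistent; only `-d` differs.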
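Review bot: In the second hunk, the keytab search-order list under `-k` is unreadable as rendered: the seven `.br` entries show `$@`, `root/@`, `nfs/@`, `host/@`, `root/@`, `nfs/@`, `host/@`, so the host and realm parts of each principal are empty and three entries appear twice, which makes the stated order meaningless; write out the host and realm placeholders in each line (and say which lines match the local hostname versus any name) so the ordering the text promises is actually visible. Under `-l`, the text explains the mechanism but not the consequence: forcing Single DES session keys weakens the protection of the NFS traffic for that mount, so state that plainly next to "This legacy behaviour is only required for older servers" so an administrator does not leave it enabled by default. Minor: "setable" should be "settable", and "colon separated list" should be "colon-separated list".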
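Review bot: In the third hunk, the new `.TP` headings use a plain hyphen (`.BI "-R " realm`, `.BI "-t " timeout`) while the SYNOPSIS in the first hunk escapes them (`\-R`, `\-t`); groff renders these differently, so use `\-` consistently in the option headings (this also applies to the `-n`, `-k`, `-l`, `-p` and `-d` headings added in the second hunk). For `-t`, "This option allows you to force" reads better in man-page voice as "Forces new kernel contexts to be negotiated after timeout seconds"; it would also help to state the flip side of the default, namely that without `-t` an established context keeps the identity it was created with until the service ticket expires, which is exactly what the "changing Kerberos tickets and identities frequently" sentence is about.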