X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fgssd.man;h=0cc7bf4edb9814e195da42c513bcf8c25be0e064;hp=073379d37597103e7d416307e90061d5a043c5c8;hb=7a9d278e9aef620847087bb9a0e67961f92a9925;hpb=45e4597bd570ed40221f51887cde7d7f096f55e7 diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man index 073379d..0cc7bf4 100644 --- a/utils/gssd/gssd.man +++ b/utils/gssd/gssd.man @@ -6,7 +6,18 @@ .SH NAME rpc.gssd \- rpcsec_gss daemon .SH SYNOPSIS -.B "rpc.gssd [-f] [-n] [-k keytab] [-p pipefsdir] [-v] [-r] [-d ccachedir]" +.B rpc.gssd +.RB [ \-fnlvr ] +.RB [ \-k +.IR keytab ] +.RB [ \-p +.IR pipefsdir ] +.RB [ \-d +.IR ccachedir ] +.RB [ \-t +.IR timeout ] +.RB [ \-R +.IR realm ] .SH DESCRIPTION The rpcsec_gss protocol gives a means of using the gss-api generic security api to provide security for protocols using rpc (in particular, nfs). Before @@ -38,13 +49,14 @@ manually like all other users. Use of this option means that attempting to mount an nfs filesystem requiring Kerberos authentication. .TP -.B -k keytab +.BI "-k " keytab Tells .B rpc.gssd to use the keys found in .I keytab to obtain "machine credentials". -The default value is "/etc/krb5.keytab". +The default value is +.I /etc/krb5.keytab. .IP Previous versions of .B rpc.gssd 
@@ -70,18 +82,45 @@ for "machine credentials" is now: If this search order does not use the correct key then provide a keytab file that contains only correct keys. .TP -.B -p path +.B -l +Tells +.B rpc.gssd +to limit session keys to Single DES even if the kernel supports stronger +encryption types. Service ticket encryption is still governed by what +the KDC believes the target server supports. This way the client can +access a server that has strong keys in its keytab for ticket decryption +but whose kernel only supports Single DES. +.IP +The alternative is to put only Single DES keys in the server's keytab +and limit encryption types for its principal to Single DES on the KDC +which will cause service tickets for this server to be encrypted using +only Single DES and (as a side-effect) contain only Single DES session +keys. +.IP +This legacy behaviour is only required for older servers +(pre nfs-utils-1.2.4). If the server has a recent kernel, Kerberos +implementation and nfs-utils it will work just fine with stronger +encryption. +.IP +.B Note: +This option is only available with Kerberos libraries that +support setable encryption types. +.TP +.BI "-p " path Tells .B rpc.gssd where to look for the rpc_pipefs filesystem. The default value is -"/var/lib/nfs/rpc_pipefs". +.IR /var/lib/nfs/rpc_pipefs . .TP -.B -d directory +.BI "-d " directory Tells .B rpc.gssd -where to look for Kerberos credential files. The default value is "/tmp". -This can also be a colon separated list of directories to be searched -for Kerberos credential files. Note that if machine credentials are being +where to look for Kerberos credential files. The default value is +.IR /tmp:/run/user/%U . +This can also be a colon separated list of directories to be searched for +Kerberos credential files. The sequence "%U", if used, is replaced with +the UID of the user for whom credentials are being searched. 
+Note that if machine credentials are being stored in files, then the first directory on this list is where the machine credentials are stored. .TP @@ -92,14 +131,14 @@ Increases the verbosity of the output (can be specified multiple times). If the rpcsec_gss library supports setting debug level, increases the verbosity of the output (can be specified multiple times). .TP -.B -R realm +.BI "-R " realm Kerberos tickets from this .I realm will be preferred when scanning available credentials cache files to be used to create a context. By default, the default realm, as configured in the Kerberos configuration file, is preferred. .TP -.B -t timeout +.BI "-t " timeout Timeout, in seconds, for kernel gss contexts. This option allows you to force new kernel contexts to be negotiated after .I timeout
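Review bot: in the SYNOPSIS hunk the argument names do not match the ones the option descriptions use, which makes the page harder to cross-reference: the synopsis says `.IR pipefsdir ]` and `.IR ccachedir ]` while the descriptions below are headed `.BI "-p " path` and `.BI "-d " directory`. Pick one name per option (the synopsis names are the more descriptive) and use it in both places. Adding `-l`, `-t timeout` and `-R realm` to the synopsis is the right fix, since `-t` and `-R` were already described in the body but absent from the old one-line synopsis.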
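Review bot: in the `-k keytab` hunk the new default-value line `.I /etc/krb5.keytab.` puts the sentence-ending period inside the italic argument, so it renders as part of the path. The later hunks handle this correctly with the `.IR` alternating macro, e.g. `.IR /var/lib/nfs/rpc_pipefs .`; change this line to `.IR /etc/krb5.keytab .` for the same effect and for consistency across the page.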
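Review bot: the new `-l` description should say up front that forcing Single DES session keys weakens protection of the session relative to the "stronger encryption types" the kernel would otherwise negotiate, and that it is meant only for the pre nfs-utils-1.2.4 servers it names; as written, that caveat is buried in the third paragraph ("This legacy behaviour is only required for older servers"), after two paragraphs that read as a how-to. The `.B Note:` paragraph also has a typo: "setable" should be "settable". The `-d` change is fine as documented, but since "%U" is now expanded from the UID being searched, one sentence noting that a literal "%U" in a directory name can no longer be used would save a reader a surprise.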
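Review bot: in the `-R realm` and `-t timeout` hunk the option headers are written as `.BI "-R " realm` and `.BI "-t " timeout` with a plain hyphen, while the synopsis added in the first hunk escapes them (`.RB [ \-R`, `.RB [ \-t`); groff renders `-` as a hyphen and `\-` as a minus sign, so the synopsis and the option list will not match in typeset output. Use `.BI "\-R " realm` and `.BI "\-t " timeout` here, and the same `\-` form for the `-k`, `-p` and `-d` headers changed in the earlier hunks.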