X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fgssd.man;h=1df75c57e1f6f09fb5a2891a4554751583b5cf1c;hp=1d6fb4c66b71340770c1a4392e673ae319325e1e;hb=fb06ed9fc1fa11a95544fb2d89adb6c51ef5d946;hpb=6888d305d8683d178239170794ce8debdaaaacd8 diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man index 1d6fb4c..1df75c5 100644 --- a/utils/gssd/gssd.man +++ b/utils/gssd/gssd.man @@ -8,7 +8,7 @@ rpc.gssd \- RPCSEC_GSS daemon .SH SYNOPSIS .B rpc.gssd -.RB [ \-fMnlvr ] +.RB [ \-DfMnlvr ] .RB [ \-k .IR keytab ] .RB [ \-p @@ -172,8 +172,35 @@ If .B rpc.gssd cannot obtain a machine credential (say, the local system has no keytab), NFSv4 operations that require machine credentials will fail. +.SS Encryption types +A realm administrator can choose to add keys encoded in a number of different +encryption types to the local system's keytab. +For instance, a host/ principal might have keys for the +.BR aes256-cts-hmac-sha1-96 , +.BR aes128-cts-hmac-sha1-96 , +.BR des3-cbc-sha1 ", and" +.BR arcfour-hmac " encryption types." +This permits +.B rpc.gssd +to choose an appropriate encryption type that the target NFS server +supports. +.P +These encryption types are stronger than legacy single-DES encryption types. +To interoperate in environments where servers support +only weak encryption types, +you can restrict your client to use only single-DES encryption types +by specifying the +.B -l +option when starting +.BR rpc.gssd . .SH OPTIONS .TP +.B -D +DNS Reverse lookups are not used for determining the +server names pass to GSSAPI. This option will reverses that and forces +the use of DNS Reverse resolution of the server's IP address to +retrieve the server name to use in GSAPI authentication. +.TP .B -f Runs .B rpc.gssd @@ -193,28 +220,12 @@ The default value is .IR /etc/krb5.keytab . .TP .B -l -Tells +When specified, restricts .B rpc.gssd -to limit session keys to Single DES even if the kernel supports stronger -encryption types. Service ticket encryption is still governed by what -the KDC believes the target server supports. This way the client can -access a server that has strong keys in its keytab for ticket decryption -but whose kernel only supports Single DES. -.IP -The alternative is to put only Single DES keys in the server's keytab -and limit encryption types for its principal to Single DES on the KDC -which will cause service tickets for this server to be encrypted using -only Single DES and (as a side-effect) contain only Single DES session -keys. -.IP -This legacy behaviour is only required for older servers -(pre nfs-utils-1.2.4). If the server has a recent kernel, Kerberos -implementation and nfs-utils it will work just fine with stronger -encryption. -.IP -.B Note: -This option is only available with Kerberos libraries that -support setable encryption types. +to sessions to weak encryption types such as +.BR des-cbc-crc . +This option is available only when the local system's Kerberos library +supports settable encryption types. .TP .BI "-p " path Tells