"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<reference>
<title>GssProxy GSSAPI mechanism manual page</title>
<refentry>
<refentryinfo>
<productname>GSS Proxy</productname>
<orgname>GSS-Proxy - http://fedorahosted.org/gss-proxy</orgname>
</refentryinfo>

<refmeta>
<refentrytitle>gssproxy-mech</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>

<refnamediv id='name'>
<refname>gssproxy-mech</refname>
<refpurpose>GssProxy GSSAPI mechanism plugin</refpurpose>
</refnamediv>

<refsynopsisdiv id='synopsis'>
<cmdsynopsis>
<command>proxymech_v1 2.16.840.1.113730.3.8.15.1 /usr/lib64/gssproxy/proxymech.so </command>
<arg choice='opt'>
<replaceable>options</replaceable>
</arg>
</cmdsynopsis>
</refsynopsisdiv>

<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
The gssproxy proxymech module is an interposer plugin that is
loaded by GSSAPI. It is enabled through the
<filename>/etc/gss/mech</filename> configuration file.
</para>
<para>
The interposer plugin intercepts the entire GSSAPI
communication and detours it to the <command>gssproxy</command>
daemon. Once the interposer plugin is installed, two other
conditions need to be met in order to activate it:
</para>
<variablelist>
<varlistentry>
<term>a) interposer configuration file</term>
<listitem>
<para>The plugin needs to be manually enabled in the
<filename>/etc/gss/mech</filename> file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>b) gssproxy environment variable</term>
<listitem>
<para>
The interposer plugin will not forward to the
gssproxy daemon unless the environment variable
named <emphasis>GSS_USE_PROXY=yes</emphasis> is set.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
Furthermore, the interposer plugin can be configured to behave in
different ways when called from the GSSAPI. This behavior is
controlled via the <emphasis>GSSPROXY_BEHAVIOR</emphasis>
environment variable. It accepts four different values:
</para>
<variablelist>
<varlistentry>
<term>LOCAL_ONLY</term>
<listitem>
<para>All commands received with this setting
immediately reenter the GSSAPI without any interaction
with the gssproxy daemon. If the request cannot be
processed, it simply fails.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>LOCAL_FIRST</term>
<listitem>
<para>All commands received with this setting
immediately reenter the GSSAPI. If the local
GSSAPI cannot process the request, the request is
resent to the gssproxy daemon.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>REMOTE_FIRST</term>
<listitem>
<para>All commands received with this setting will be
forwarded to the gssproxy daemon first. If the request
cannot be handled there, the request will reenter the
local GSSAPI.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>REMOTE_ONLY</term>
<listitem>
<para>This setting is currently not fully implemented and
therefore not supported.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
The default setting for <emphasis>GSSPROXY_BEHAVIOR</emphasis>
is LOCAL_FIRST.
</para>
<para>
Finally, the interposer may need to use a special per-service
socket in order to communicate with gssproxy. The path to this
socket is set via the <emphasis>GSSPROXY_SOCKET</emphasis>
environment variable.
</para>
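The two activation conditions and the GSSPROXY_BEHAVIOR values described above can be audited for a service environment with a small shell function. This is an added example, not part of the gssproxy project: the function names, output strings and sample mech-file text are constructed, and it assumes that only the documented value yes enables GSS_USE_PROXY and that an empty GSSPROXY_BEHAVIOR means the default.

```shell
#!/bin/sh
# Added example (not gssproxy code): report how the interposer is configured
# for the current environment, using only the rules stated on this page.

PROXYMECH_OID="2.16.840.1.113730.3.8.15.1"   # OID from the synopsis

# Constructed sample /etc/gss/mech text: a commented-out entry and a live one.
SAMPLE_MECH="#proxymech_v1 2.16.840.1.113730.3.8.15.1 /tmp/old.so
proxymech_v1 2.16.840.1.113730.3.8.15.1 /usr/lib64/gssproxy/proxymech.so"

# mech_has_proxymech TEXT: succeed if a non-comment line registers the OID.
mech_has_proxymech() {
    printf '%s\n' "$1" | awk -v oid="$PROXYMECH_OID" '
        /^[ \t]*#/ { next }
        $2 == oid { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# gssproxy_mode TEXT: print the state for mech-file TEXT and this environment.
gssproxy_mode() {
    # Condition a): the plugin must be listed in the mech file.
    if ! mech_has_proxymech "$1"; then
        echo "inactive: no proxymech entry"
        return 0
    fi
    # Condition b): only the documented value "yes" is accepted here.
    if [ "${GSS_USE_PROXY:-}" != "yes" ]; then
        echo "inactive: GSS_USE_PROXY is not yes"
        return 0
    fi
    # Unset (or, by assumption, empty) falls back to the documented default.
    case "${GSSPROXY_BEHAVIOR:-LOCAL_FIRST}" in
        LOCAL_ONLY)   echo "LOCAL_ONLY: daemon never contacted" ;;
        LOCAL_FIRST)  echo "LOCAL_FIRST: daemon is the fallback" ;;
        REMOTE_FIRST) echo "REMOTE_FIRST: local GSSAPI is the fallback" ;;
        REMOTE_ONLY)  echo "REMOTE_ONLY: not fully implemented, unsupported" ;;
        *)            echo "unknown GSSPROXY_BEHAVIOR value" ;;
    esac
}
```

Run it as gssproxy_mode "$(cat /etc/gss/mech)" from the same environment the service starts in, so the variables it reads are the ones the interposer will see.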
</refsect1>
<refsect1 id='see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>gssproxy.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry> and
<citerefentry>
<refentrytitle>gssproxy</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refentry>
</reference>