author    Rainer Gerhards <rgerhards@adiscon.com>  2007-11-20 16:10:35 +0000
committer Rainer Gerhards <rgerhards@adiscon.com>  2007-11-20 16:10:35 +0000
commit    96b390934051e8b0de71ccf71538e8ae3319f00d (patch)
tree      3385741c4ab7eea15642424d9003e98806836158
parent    f3b3f8cfaf6d43188d333119cbdc049231863cdb (diff)
Added user doc for gssapi patch from varmojfekoj - thanks!
-rw-r--r--  doc/rsconf1_gssforwardservicename.html  | 23
-rw-r--r--  doc/rsconf1_gsslistenservicename.html   | 22
-rw-r--r--  doc/rsconf1_gssmode.html                | 25
-rw-r--r--  doc/rsyslog_conf.html                   |  3
-rw-r--r--  rsyslog.conf.5                          |  2
-rw-r--r--  rsyslogd.8                              | 31
6 files changed, 97 insertions, 9 deletions
diff --git a/doc/rsconf1_gssforwardservicename.html b/doc/rsconf1_gssforwardservicename.html
new file mode 100644
index 00000000..63ca9c1f
--- /dev/null
+++ b/doc/rsconf1_gssforwardservicename.html
@@ -0,0 +1,23 @@
+<html>
+<head>
+<title>rsyslog.conf file</title>
+</head>
+<body>
+<h2>$GssForwardServiceName</h2>
+<p><b>Type:</b> global configuration directive</p>
+<p><b>Default:</b> host</p>
+<p><b>Description:</b></p>
+<p>Specifies the service name used by the client when forwarding GSS-API wrapped messages.</p>
+<p>The GSS-API service names are constructed by appending '@' and a hostname following "@@" in each selector.</p>
+<p><b>Sample:</b></p>
+<p><code><b>$GssForwardServiceName rsyslog</b></code></p>
+
+<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] [<a href="manual.html">manual
+index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
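Review bot: the second Description sentence of this new page, `The GSS-API service names are constructed by appending '@' and a hostname following "@@" in each selector.`, is hard to parse and never shows the result; state that the principal name is the configured service name, then `@`, then the target host taken from the `@@host` part of the selector line, and give one resulting name built from the default `host`. The `<title>` is the generic `rsyslog.conf file` on all three new pages; using the directive name, as the `<h2>` already does, would make the pages distinguishable in tabs and search results.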
diff --git a/doc/rsconf1_gsslistenservicename.html b/doc/rsconf1_gsslistenservicename.html
new file mode 100644
index 00000000..cd03dc58
--- /dev/null
+++ b/doc/rsconf1_gsslistenservicename.html
@@ -0,0 +1,22 @@
+<html>
+<head>
+<title>rsyslog.conf file</title>
+</head>
+<body>
+<h2>$GssListenServiceName</h2>
+<p><b>Type:</b> global configuration directive</p>
+<p><b>Default:</b> host</p>
+<p><b>Description:</b></p>
+<p>Specifies the service name used by the server when listening for GSS-API wrapped messages.</p>
+<p><b>Sample:</b></p>
+<p><code><b>$GssForwardServiceName rsyslog</b></code></p>
+
+<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] [<a href="manual.html">manual
+index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
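Review bot: the Sample on this page reads `$GssForwardServiceName rsyslog`, but the page documents `$GssListenServiceName`; this looks like a leftover from copying the forward-side page and should be `$GssListenServiceName rsyslog`. The Description is also thinner than its counterpart: say that this is the service name the `-g` listener authenticates against and that it has to agree with what the forwarding side builds from `$GssForwardServiceName`, otherwise an administrator has no hint how the two directives relate.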
diff --git a/doc/rsconf1_gssmode.html b/doc/rsconf1_gssmode.html
new file mode 100644
index 00000000..6981f1fe
--- /dev/null
+++ b/doc/rsconf1_gssmode.html
@@ -0,0 +1,25 @@
+<html>
+<head>
+<title>rsyslog.conf file</title>
+</head>
+<body>
+<h2>$GssMode</h2>
+<p><b>Type:</b> global configuration directive</p>
+<p><b>Default:</b> none</p>
+<p><b>Description:</b></p>
+<p>Specifies GSS-API mode to use, which can be "none" - GSS-API
+ is disabled, "integrity" - clients are authenticated and
+ messages are checked for integrity, "encryption" - same as
+ "integrity", but messages are also encrypted if both sides support it.
+<p><b>Sample:</b></p>
+<p><code><b>$GssMode Encryption</b></code></p>
+
+<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] [<a href="manual.html">manual
+index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a> project.<br>
+Copyright &copy; 2007 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL
+version 2 or higher.</font></p>
+</body>
+</html>
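Review bot: the `<p>` opened before `Specifies GSS-API mode to use` is never closed; add `</p>` after `... if both sides support it.` and before `<p><b>Sample:</b></p>`. Two content points as well: the Sample uses `$GssMode Encryption` while the value list gives lowercase `encryption`, so either state that values are case-insensitive or make the sample match; and `encryption` is described as encrypting only `if both sides support it`, which means a forwarder configured for encryption can silently fall back to integrity-only. That fallback deserves a sentence, because an administrator who picks this mode for confidentiality needs to know to verify the negotiated protection rather than assume it.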
diff --git a/doc/rsyslog_conf.html b/doc/rsyslog_conf.html
index 266a6dcb..b03bd121 100644
--- a/doc/rsyslog_conf.html
+++ b/doc/rsyslog_conf.html
@@ -40,6 +40,9 @@ a description.</p>
<li><a href="rsconf1_filecreatemode.html">$FileCreateMode</a></li>
<li><a href="rsconf1_filegroup.html">$FileGroup</a></li>
<li><a href="rsconf1_fileowner.html">$FileOwner</a></li>
+ <li><a href="rsconf1_gssforwardservicename.html">$GssForwardServiceName</a></li>
+ <li><a href="rsconf1_gsslistenservicename.html">$GssListenServiceName</a></li>
+ <li><a href="rsconf1_gssmode.html">$GssMode</a></li>
<li><a href="rsconf1_includeconfig.html">$IncludeConfig</a></li>
<li><a href="rsconf1_mainmsgqueuesize.html">$MainMsgQueueSize</a></li>
<li><a href="rsconf1_moddir.html">$ModDir</a></li>
diff --git a/rsyslog.conf.5 b/rsyslog.conf.5
index e1d3659f..7f6ca98b 100644
--- a/rsyslog.conf.5
+++ b/rsyslog.conf.5
@@ -94,6 +94,8 @@ prepend two at signs ("@@"), the messages will be transmitted via TCP.
Please note that this version of rsyslogd by default does NOT forward messages it has received
from the network to another host. Specify the "-h" option to enable this.
+Using the $GssMode directive TCP messages can be wrapped with GSS-API.
+
.B Example:
.RS
*.* @192.168.0.1
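Review bot: the added sentence needs a comma after `directive` and should set `$GssMode` in `.B` like other directive references in this file; more importantly it should say that GSS-API wrapping applies only to the TCP (`@@`) form described just above and that the receiving host must be started with the `-g` listener, otherwise a reader of this page will not learn that both ends have to be configured.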
diff --git a/rsyslogd.8 b/rsyslogd.8
index 9dbf62e3..ca6cf2f9 100644
--- a/rsyslogd.8
+++ b/rsyslogd.8
@@ -18,33 +18,36 @@ rsyslogd \- reliable and extended syslogd
.RB [ " \-f "
.I config file
]
+.RB [ " \-g "
+.I port,max-nbr-of-sessions
+]
.RB [ " \-h " ]
+.br
.RB [ " \-i "
.I pid file
]
.RB [ " \-l "
.I hostlist
]
-.br
.RB [ " \-m "
.I interval
]
.RB [ " \-n " ]
.RB [ " \-o " ]
+.br
.RB [ " \-p"
.IB socket
]
-.br
.RB [ " \-r "
.I [port]
]
.RB [ " \-s "
.I domainlist
]
+.br
.RB [ " \-t "
.I port,max-nbr-of-sessions
]
-.br
.RB [ " \-v " ]
.RB [ " \-w " ]
.RB [ " \-x " ]
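Review bot: the synopsis presents `-g`, `-r` and `-t` as independent bracketed options, but the text added further down says only one TCP listener option can be active; showing `-g` and `-t` as alternatives (`[ -g ... | -t ... ]`) would keep the synopsis from suggesting they combine. The `.br` relocations are just re-wrapping around the new option and look fine.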
@@ -153,6 +156,12 @@ Specify an alternative configuration file instead of
.IR /etc/rsyslog.conf ","
which is the default.
.TP
+.BI "\-g "
+Identical to -t except that every tcp connection is authenticated
+using gss-api (kerberos 5). Service name may be set using
+$GssListenServiceName or the default "host" will be used. Encryption
+can be used if specified by the client and supported by both sides.
+.TP
.BI "\-h "
By default rsyslogd will not forward messages it receives from remote hosts.
Specifying this switch on the command line will cause the log daemon to
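Review bot: the `-g` text says encryption `can be used if specified by the client and supported by both sides`, which reads as if the listener accepts whatever protection level the client requests and cannot demand encryption itself; if that is the behaviour, say so explicitly, since an administrator who starts the daemon with `-g` may assume it guarantees confidentiality rather than only authentication and integrity. Minor: `tcp`, `gss-api` and `kerberos 5` should be `TCP`, `GSS-API` and `Kerberos 5`, and `$GssListenServiceName` should be set in `.B` like other directive references.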
@@ -283,15 +292,18 @@ running rsyslogd to another node running rsyslogd (or a
compatible syslog implementation) where they will be
actually logged to a disk file.
-To enable this you have to specify either the
+To enable this you have to specify one of
+.B "\-g"
+,
.B "\-r"
or
.B "\-t"
-option on the command line. The default behavior is that
+options on the command line. The default behavior is that
.B rsyslogd
-won't listen to the network. You can also combine these two
+won't listen to the network. You can also combine these
options if you want rsyslogd to listen to both TCP and UDP
-messages.
+messages. Only one of the TCP listener options can be used.
+The last one specified will take effect.
The strategy is to have rsyslogd listen on a unix domain socket for
locally generated log messages. This behavior will allow rsyslogd to
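Review bot: `The last one specified will take effect.` means a `-t` placed after `-g` silently replaces the authenticated listener with an unauthenticated one (and the reverse); refusing the combination with an error, or at least warning at startup, would be safer than a silent override, and the man page should name which option wins in either order. Formatting: the bare `,` line after `.B "\-g"` renders with a space before the comma; use the `.BR "\-g" ","` form already used for `.IR /etc/rsyslog.conf ","` earlier in this file.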
@@ -478,8 +490,9 @@ If remote logging is enabled, messages can easily be spoofed and replayed.
As the messages are transmitted in clear-text, an attacker might use
the information obtained from the packets for malicious things. Also, an
attacker might reply recorded messages or spoof a sender's IP address,
-which could lead to a wrong preception of system activity. Be sure to think
-about syslog network security before enabling it.
+which could lead to a wrong perception of system activity. These can
+be prevented by using GSS-API authentication and encryption. Be sure
+to think about syslog network security before enabling it.
.LP
.SH DEBUGGING
When debugging is turned on using
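Review bot: `These can be prevented by using GSS-API authentication and encryption` claims more than the rest of the patch supports: authentication and integrity protection address spoofing, encryption addresses eavesdropping only when `$GssMode encryption` is actually negotiated by both sides, and replay is not discussed anywhere in the change; `mitigated`, with each threat mapped to the mechanism that addresses it, would be accurate. The context line `attacker might reply recorded messages` should read `replay`, and the paragraph should point to the `-g` option and `$GssMode` so readers know this covers TCP forwarding only.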