author | Simo Sorce <simo@redhat.com> | 2013-11-16 17:27:52 -0500 |
---|---|---|
committer | Günther Deschner <gdeschner@redhat.com> | 2013-11-20 15:26:13 +0100 |
commit | c8386418a754211da5ddf5469a0f1c0fddf21240 (patch) | |
tree | bc5cb77905ca08f8ffb58837f684b2605f1cb4c1 | |
parent | 3df6ac81f4a6d8cf6ff514e7d7f2cbe58840c393 (diff) | |
man: Describe new flag filtering/enforcing options
Resolves: https://fedorahosted.org/gss-proxy/ticket/109
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
-rw-r--r-- | proxy/man/gssproxy.conf.5.xml | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml index b0012b5..b4d5add 100644 --- a/proxy/man/gssproxy.conf.5.xml +++ b/proxy/man/gssproxy.conf.5.xml 
@@ -162,6 +162,64 @@ </varlistentry> <varlistentry> + <term>enforce_flags (string)</term> + <listitem> + <para> + A list of GSS Request Flags that are added + unconditionally to every context initialization + call. + Flags can only be added to the list or removed + from the list by prepending a +/- sign to the + flag name or value. + </para> + <para> + Recognized flag names: DELEGATE, MUTUAL_AUTH, + REPLAY_DETECT, SEQUENCE, CONFIDENTIALITY, + INTEGRITY, ANONYMOUS + </para> + <para>Examples: +<programlisting> + <userinput moreinfo="none">enforce_flags = +REPLAY_DETECT</userinput> + <userinput moreinfo="none">enforce_flags = -0x0001</userinput> +</programlisting> + </para> + <para>Default: enforce_flags =</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>filter_flags (string)</term> + <listitem> + <para> + A list of GSS Request Flags that are filtered + unconditionally from every context initialization + call. + Flags can only be added to the list or removed + from the list by prepending a +/- sign to the + flag name or value. + </para> + <para> + NOTE: Because often gssproxy is used to withold + access to credentials the Delegate Flag is filtered + by default. To allow a service to delegate + credentials use the first example below. + </para> + <para> + Recognized flag names: DELEGATE, MUTUAL_AUTH, + REPLAY_DETECT, SEQUENCE, CONFIDENTIALITY, + INTEGRITY, ANONYMOUS + </para> + <para>Examples: +<programlisting> + <userinput moreinfo="none">filter_flags = -DELEGATE</userinput> + <userinput moreinfo="none">filter_flags = -0x0001 +ANONYMOUS</userinput> +</programlisting> + </para> + <para>Default: filter_flags = +DELEGATE</para> + </listitem> + </varlistentry> + + <varlistentry> <term>impersonate (boolean)</term> <listitem> <para>Use impersonation (s4u2self + s4u2proxy) to obtain credentials</para> |
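Review bot: In the filter_flags entry, the second example `filter_flags = -0x0001 +ANONYMOUS` uses a raw value that the text never maps to a flag name. In the GSS-API C bindings 0x0001 is GSS_C_DELEG_FLAG, so this line removes the default DELEGATE filter, and an administrator copying it re-enables credential delegation without the word DELEGATE ever appearing in the config. Suggest listing the numeric value next to each recognized flag name in both entries, or using names only in the examples. Related points in the same hunk: `enforce_flags = -0x0001` removes a flag from a list whose documented default is empty, so as shown it has no effect and does not illustrate anything; the sentence "Flags can only be added to the list or removed from the list by prepending a +/- sign" is ambiguous and would read better as a statement that every entry must carry a + (add) or - (remove) prefix; and neither entry says which option wins when the same flag appears in both enforce_flags and filter_flags, which should be documented. Typo in the NOTE paragraph: "withold" should be "withhold".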