authorSimo Sorce <simo@redhat.com>2013-11-16 17:27:52 -0500
committerGünther Deschner <gdeschner@redhat.com>2013-11-20 15:26:13 +0100
commitc8386418a754211da5ddf5469a0f1c0fddf21240 (patch)
treebc5cb77905ca08f8ffb58837f684b2605f1cb4c1
parent3df6ac81f4a6d8cf6ff514e7d7f2cbe58840c393 (diff)
downloadgss-proxy-c8386418a754211da5ddf5469a0f1c0fddf21240.tar.gz
gss-proxy-c8386418a754211da5ddf5469a0f1c0fddf21240.tar.xz
gss-proxy-c8386418a754211da5ddf5469a0f1c0fddf21240.zip
man: Describe new flag filtering/enforcing options
Resolves: https://fedorahosted.org/gss-proxy/ticket/109 Reviewed-by: Günther Deschner <gdeschner@redhat.com>
-rw-r--r--proxy/man/gssproxy.conf.5.xml58
1 files changed, 58 insertions, 0 deletions
diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml
index b0012b5..b4d5add 100644
--- a/proxy/man/gssproxy.conf.5.xml
+++ b/proxy/man/gssproxy.conf.5.xml
@@ -162,6 +162,64 @@
</varlistentry>
<varlistentry>
+ <term>enforce_flags (string)</term>
+ <listitem>
+ <para>
+ A list of GSS Request Flags that are added
+ unconditionally to every context initialization
+ call.
+ Flags can only be added to the list or removed
+ from the list by prepending a +/- sign to the
+ flag name or value.
+ </para>
+ <para>
+ Recognized flag names: DELEGATE, MUTUAL_AUTH,
+ REPLAY_DETECT, SEQUENCE, CONFIDENTIALITY,
+ INTEGRITY, ANONYMOUS
+ </para>
+ <para>Examples:
+<programlisting>
+ <userinput moreinfo="none">enforce_flags = +REPLAY_DETECT</userinput>
+ <userinput moreinfo="none">enforce_flags = -0x0001</userinput>
+</programlisting>
+ </para>
+ <para>Default: enforce_flags =</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>filter_flags (string)</term>
+ <listitem>
+ <para>
+ A list of GSS Request Flags that are filtered
+ unconditionally from every context initialization
+ call.
+ Flags can only be added to the list or removed
+ from the list by prepending a +/- sign to the
+ flag name or value.
+ </para>
+ <para>
+ NOTE: Because often gssproxy is used to withold
+ access to credentials the Delegate Flag is filtered
+ by default. To allow a service to delegate
+ credentials use the first example below.
+ </para>
+ <para>
+ Recognized flag names: DELEGATE, MUTUAL_AUTH,
+ REPLAY_DETECT, SEQUENCE, CONFIDENTIALITY,
+ INTEGRITY, ANONYMOUS
+ </para>
+ <para>Examples:
+<programlisting>
+ <userinput moreinfo="none">filter_flags = -DELEGATE</userinput>
+ <userinput moreinfo="none">filter_flags = -0x0001 +ANONYMOUS</userinput>
+</programlisting>
+ </para>
+ <para>Default: filter_flags = +DELEGATE</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>impersonate (boolean)</term>
<listitem>
<para>Use impersonation (s4u2self + s4u2proxy) to obtain credentials</para>