authorSimo Sorce <simo@redhat.com>2013-10-14 16:41:13 -0400
committerGünther Deschner <gdeschner@redhat.com>2013-10-18 15:46:24 +0200
commit3f587569f2fdd9ec4db05748c5ed5ebbfc1ab5c9 (patch)
treec0d10556b81aa7b585138c1a4641643fafdda220 /proxy/examples
parenta324853818fd75d7ec11c68de9d499f37228b26a (diff)
Add option to specify allowed usage.
Credentials can often be used both to accept and to initiate contexts. With this option admins can allow a specific usage only. This avoids letting an unprivileged process fool a remote client by impersonating a server when we only want this service to use credentials to initiate contexts.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Diffstat (limited to 'proxy/examples')
-rw-r--r--proxy/examples/gssproxy.conf.in1
1 files changed, 1 insertions, 0 deletions
diff --git a/proxy/examples/gssproxy.conf.in b/proxy/examples/gssproxy.conf.in
index 262125a..f121199 100644
--- a/proxy/examples/gssproxy.conf.in
+++ b/proxy/examples/gssproxy.conf.in
@@ -13,6 +13,7 @@
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:@gpstatedir@/clients/krb5cc_%U
cred_store = client_keytab:@gpstatedir@/clients/%U.keytab
+ cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
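Review bot: The added `cred_usage = initiate` line has no comment saying why this section is restricted, so an admin adapting the example could drop it without seeing the consequence. The same section sets `allow_any_uid = yes` and lists `keytab:/etc/krb5.keytab` in its credential store, which is presumably the combination the commit message is guarding against. I would put a comment directly above the new line, for example `# initiate only: with allow_any_uid, accepting contexts would let any local user act as a server using the host keytab`. The section header lies outside the hunk, so which service this is cannot be confirmed from here; it is worth checking that any other example section with `allow_any_uid = yes` carries the same setting.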