author | Simo Sorce <simo@redhat.com> | 2013-10-14 16:41:13 -0400 |
---|---|---|
committer | Günther Deschner <gdeschner@redhat.com> | 2013-10-18 15:46:24 +0200 |
commit | 3f587569f2fdd9ec4db05748c5ed5ebbfc1ab5c9 (patch) | |
tree | c0d10556b81aa7b585138c1a4641643fafdda220 /proxy/examples | |
parent | a324853818fd75d7ec11c68de9d499f37228b26a (diff) | |
Add option to specify allowed usage.
Credentials can often be used both to accept and to initiate contexts.
With this option admins can allow a specific usage only.
This is to avoid allowing an unprivileged process to fool a remote
client by allowing it to impersonate a server, when we only want to
allow this service to use credentials to initiate contexts.
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Diffstat (limited to 'proxy/examples')
-rw-r--r-- | proxy/examples/gssproxy.conf.in | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/proxy/examples/gssproxy.conf.in b/proxy/examples/gssproxy.conf.in index 262125a..f121199 100644 --- a/proxy/examples/gssproxy.conf.in +++ b/proxy/examples/gssproxy.conf.in @@ -13,6 +13,7 @@ cred_store = keytab:/etc/krb5.keytab cred_store = ccache:FILE:@gpstatedir@/clients/krb5cc_%U cred_store = client_keytab:@gpstatedir@/clients/%U.keytab + cred_usage = initiate allow_any_uid = yes trusted = yes euid = 0 |
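Review bot: the added `cred_usage = initiate` line has no comment in the example file saying what it restricts, which other values the option accepts, or what applies when it is omitted. An admin copying this section will not see why it matters. The surrounding context keeps `cred_store = keytab:/etc/krb5.keytab` together with `allow_any_uid = yes` and `trusted = yes`, so in this section the new line is the only thing that keeps an arbitrary uid from using those credentials to accept contexts, which is the server impersonation case the commit message describes. Suggest a short comment directly above the line stating that, so the setting is not dropped when the section is adapted. The diffstat shown here is limited to proxy/examples, so it is not visible whether the option is documented elsewhere in the commit; if it is not, that should be added alongside this change.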