author: Greg Hudson <ghudson@mit.edu> 2019-09-16 14:36:32 -0400
committer: Greg Hudson <ghudson@mit.edu> 2019-09-19 16:11:42 -0400
commit: 2977b8e88002fc928a0ff3757098b34ca83645ef (patch)
tree: 2b1dd2ec2d9a55a0f010fad2101937538dbf88b3 /doc
parent: 7ae4e8882458336fbe50d0e722ec9d5e3e338c63 (diff)
Add environment variable for GSS mech config
If the environment variable GSS_MECH_CONFIG is set (and the process is not privileged), read it instead of /etc/gss/mech or files within /etc/gss/mech.d. Set GSS_MECH_CONFIG in test frameworks so that system configuration does not interfere with tests. Fix documentation to indicate that the default mech config file is in sysconfdir, not necessarily /etc.

ticket: 8833 (new)
Diffstat (limited to 'doc')
-rw-r--r-- doc/admin/host_config.rst | 10
-rw-r--r-- doc/mitK5defaults.rst | 1
-rw-r--r-- doc/plugindev/gssapi.rst | 11
-rw-r--r-- doc/user/user_config/kerberos.rst | 6
4 files changed, 18 insertions, 10 deletions
diff --git a/doc/admin/host_config.rst b/doc/admin/host_config.rst
index 6df2504..e186dd4 100644
--- a/doc/admin/host_config.rst
+++ b/doc/admin/host_config.rst
@@ -199,10 +199,9 @@ GSSAPI mechanism modules
~~~~~~~~~~~~~~~~~~~~~~~~
GSSAPI mechanism modules are registered using the file
-``/etc/gss/mech`` or configuration files in the ``/etc/gss/mech.d/``
-directory. Only files with a ``.conf`` suffix will be read from the
-``/etc/gss/mech.d/`` directory. Each line in these files has the
-form::
+|sysconfdir|\ ``/gss/mech`` or configuration files in the
+|sysconfdir|\ ``/gss/mech.d`` directory with a ``.conf``
+suffix. Each line in these files has the form::
oid pathname [options] <type>
@@ -214,6 +213,9 @@ options provided to the plugin module, surrounded in square brackets.
Currently the only special module type is "interposer", for a module
designed to intercept calls to other mechanisms.
+If the environment variable **GSS_MECH_CONFIG** is set, its value is
+used as the sole mechanism configuration filename.
+
.. _profile_plugin_config:
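Review bot: the added paragraph says GSS_MECH_CONFIG is used as the sole mechanism configuration filename, but the commit message states the variable is only read when the process is not privileged, and the admin page gives no hint of that. An administrator reading host_config.rst would otherwise assume a setuid or otherwise privileged GSSAPI consumer follows the variable too. Suggest appending a sentence such as "The variable is ignored in privileged processes." and cross-referencing the environment-variable list in the user documentation.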
diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
index 65d904e..58f4f16 100644
--- a/doc/mitK5defaults.rst
+++ b/doc/mitK5defaults.rst
@@ -14,6 +14,7 @@ Client :ref:`keytab_definition` file |ckeytab| **KRB
Kerberos config file :ref:`krb5.conf(5)` |krb5conf|\ ``:``\ **KRB5_CONFIG**
|sysconfdir|\ ``/krb5.conf``
KDC config file :ref:`kdc.conf(5)` |kdcdir|\ ``/kdc.conf`` **KRB5_KDC_PROFILE**
+GSS mechanism config file |sysconfdir|\ ``/gss.mech`` **GSS_MECH_CONFIG**
KDC database path (DB2) |kdcdir|\ ``/principal``
Master key :ref:`stash_definition` |kdcdir|\ ``/.k5.``\ *realm*
Admin server ACL file :ref:`kadm5.acl(5)` |kdcdir|\ ``/kadm5.acl``
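Review bot: the path in the new defaults-table row is wrong: `|sysconfdir|\ ``/gss.mech``` should be `|sysconfdir|\ ``/gss/mech```, matching the file documented in the host_config.rst and kerberos.rst hunks of this same patch. While editing the row, consider also listing the ``/gss/mech.d`` directory as part of the default, since the kerberos.rst entry describes both sources and this table would otherwise disagree with it.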
diff --git a/doc/plugindev/gssapi.rst b/doc/plugindev/gssapi.rst
index 34fc9e4..28e62ae 100644
--- a/doc/plugindev/gssapi.rst
+++ b/doc/plugindev/gssapi.rst
@@ -9,8 +9,7 @@ the set of built-in mechanisms.
A mechanism module is a Unix shared object or Windows DLL, built
separately from the krb5 tree. Modules are loaded according to the
-``/etc/gss/mech`` or ``/etc/gss/mech.d/*.conf`` config files, as
-described in :ref:`gssapi_plugin_config`.
+GSS mechanism config files described in :ref:`gssapi_plugin_config`.
For the most part, a GSSAPI mechanism module exports the same
functions as would a GSSAPI implementation itself, with the same
@@ -45,10 +44,10 @@ with the following signature::
gss_OID_set gss_mech_interposer(gss_OID mech_type);
This function is invoked with the OID of the interposer mechanism as
-specified in ``/etc/gss/mech`` or in a ``/etc/gss/mech.d/*.conf``
-file, and returns a set of mechanism OIDs to be interposed. The
-returned OID set must have been created using the mechglue's
-gss_create_empty_oid_set and gss_add_oid_set_member functions.
+specified in the mechanism config file, and returns a set of mechanism
+OIDs to be interposed. The returned OID set must have been created
+using the mechglue's gss_create_empty_oid_set and
+gss_add_oid_set_member functions.
An interposer module must use the prefix ``gssi_`` for the GSSAPI
functions it exports, instead of the prefix ``gss_``.
diff --git a/doc/user/user_config/kerberos.rst b/doc/user/user_config/kerberos.rst
index bcb79d9..1830447 100644
--- a/doc/user/user_config/kerberos.rst
+++ b/doc/user/user_config/kerberos.rst
@@ -142,6 +142,12 @@ programs. These include:
**KPROP_PORT**
:ref:`kprop(8)` port to use. Defaults to 754.
+**GSS_MECH_CONFIG**
+ Specifies a filename containing GSSAPI mechanism module
+ configuration. The default is to read |sysconfdir|\ ``/gss/mech``
+ and files with a ``.conf`` suffix within the directory
+ |sysconfdir|\ ``/gss/mech.d``.
+
Most environment variables are disabled for certain programs, such as
login system programs and setuid programs, which are designed to be
secure when run within an untrusted process environment.