[server] update access.conf comments to conform to no trailing semicolon or colon within the variable name
parent
3bc28305c3
commit
9a21bc11ba
@ -22,7 +22,7 @@
##############################################################################
#
# SOURCE: <IP,..,IP/NET,..,NET/ANY>;
# SOURCE <IP,..,IP/NET,..,NET/ANY>
#
# This defines the source address from which a SPA packet will be accepted.
# Every authorization stanza in this file must start with the SOURCE
@ -36,7 +36,7 @@
# be honored from any source IP.
#
# OPEN_PORTS: <proto/port>, ..., <proto/port>;
# OPEN_PORTS <proto/port>, ..., <proto/port
#
# Define a set of ports and protocols (tcp or udp) that are allowed to be
# opened if a valid SPA packet is received and its access request matches
@ -46,20 +46,20 @@
# specified in the SPA data.
#
# RESTRICT_PORTS: <proto/port>, ..., <proto/port>;
# RESTRICT_PORTS <proto/port>, ..., <proto/port>
#
# Define a set of ports and protocols (tcp or udp) that are *NOT* allowed
# to be opened even if a valid SPA packet is received.
#
# KEY: <password>;
# KEY <password>
#
# Define the key used for decrypting an incoming SPA packet that is using
# its built-in encryption (e.g. not GPG). This variable is required for
# all non-GPG-encrypted SPA packets.
#
# FW_ACCESS_TIMEOUT: <seconds>;
# FW_ACCESS_TIMEOUT <seconds>
#
# Define the length of time access will be granted by fwknop through the
# firewall after a valid SPA packet is received from the source IP address
@ -69,7 +69,7 @@
# seconds will automatically be set.
#
# ENABLE_CMD_EXEC: <Y/N>;
# ENABLE_CMD_EXEC <Y/N>
#
# This specifies whether or not fwknopd will accept complete commands that
# are contained within a SPA packet. Any such command will be executed as
@ -77,7 +77,7 @@
# If not set here, the default is "N".
#
# CMD_EXEC_USER: <username>;
# CMD_EXEC_USER <username>
#
# This specifies the user that will execute commands contained within a SPA
# packet. If not specified, fwknopd will execute it as the user it is
@ -85,14 +85,14 @@
# recommended.
#
# REQUIRE_USERNAME: <username>;
# REQUIRE_USERNAME <username>
#
# Require a specific username from the client system as encoded in the SPA
# data. This variable is optional and if not specified, the username data
# in the SPA data is ignored.
#
# REQUIRE_SOURCE_ADDRESS: <Y/N>;
# REQUIRE_SOURCE_ADDRESS <Y/N>
#
# Force all SPA packets to contain a real IP address within the encrypted
# data. This makes it impossible to use the "-s" command line argument
@ -102,14 +102,14 @@
# default is "N".
#
# GPG_HOME_DIR: <path>;
# GPG_HOME_DIR <path>
#
# Define the path to the GnuPG directory to be used by fwknopd. If this
# keyword is not specified here, then fwknopd will default to using the
# "/root/.gnupg" directory for the server key(s).
#
# GPG_DECRYPT_ID: <keyID>;
# GPG_DECRYPT_ID <keyID>
#
# Define a GnuPG key ID to use for decrypting SPA messages that have been
# encrypted by an fwknop client using GPG. This keyword is required for
@ -127,28 +127,28 @@
# link: http://www.cipherdyne.org/fwknop/docs/gpghowto.html
#
# GPG DECRYPT_PW: <decrypt password>;
# GPG DECRYPT_PW <decrypt password>
#
# Specify the decryption password for the gpg key defined by the
# GPG_DECRYPT_ID above. This is a required field for gpg-based
# authentication.
#
# GPG_REQUIRE_SIG: <Y/N>;
# GPG_REQUIRE_SIG <Y/N>
#
# With this setting set to 'Y', fwknopd check all GPG-encrypted SPA
# messages for a signature (signed by the sender's key). If the incoming
# message is not signed, the decryption process will fail. If not set, the
# default is 'N'.
# GPG_IGNORE_SIG_VERIFY_ERROR: <Y/N>;
# GPG_IGNORE_SIG_VERIFY_ERROR <Y/N>
#
# Setting this will allow fwknopd to accept incoming GPG-encrypted packets
# that are signed, but the signature did not pass verification (i.e. the
# signer key was expired, etc.). This setting only applies if the
# GPG_REQUIRE_SIG is also set to 'Y'.
# GPG_REMOTE_ID: <keyID,...,keyID>;
# GPG_REMOTE_ID <keyID,...,keyID>
#
# Define a list of gpg key ID’s that are required to have signed any
# incoming SPA messages that have been encrypted with the fwknopd server
@ -159,16 +159,17 @@
#### fwknopd access.conf stanzas ###
SOURCE: ANY;
KEY: __CHANGEME__;
SOURCE ANY
KEY_BASE64 __CHANGEME__
HMAC_KEY_BASE64 __CHANGEME__
# If you want to use GnuPG keys (recommended) then define the following
# variables
# If you want to use GnuPG keys then define the following variables
#
#GPG_HOME_DIR: /root/.gnupg;
#GPG_DECRYPT_ID: ABCD1234;
#GPG_DECRYPT_PW: __CHANGEME__;
#GPG_HOME_DIR /homedir/path/.gnupg
#GPG_DECRYPT_ID ABCD1234
#GPG_DECRYPT_PW __CHANGEME__
# If you want to require GPG signatures:
#GPG_REQUIRE_SIG: N;
#GPG_IGNORE_SIG_VERIFY_ERROR: N;
#GPG_REMOTE_ID: 1234ABCD;
#GPG_REQUIRE_SIG Y
#GPG_IGNORE_SIG_VERIFY_ERROR N
#GPG_REMOTE_ID 1234ABCD
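Review bot: The rewritten `OPEN_PORTS` usage line in the second hunk drops the closing angle bracket: `# OPEN_PORTS <proto/port>, ..., <proto/port` should read `# OPEN_PORTS <proto/port>, ..., <proto/port>`. The same rewrite also carries over the missing underscore in `# GPG DECRYPT_PW <decrypt password>`; the directive is spelled `GPG_DECRYPT_PW` in the example stanza and referenced as such next to `GPG_DECRYPT_ID`, so the usage line should be `# GPG_DECRYPT_PW <decrypt password>`. The default stanza in the last hunk now uses `KEY_BASE64` and `HMAC_KEY_BASE64`, while the only key-related usage line touched here is `# KEY <password>`; unless those two directives are described elsewhere in the file, adding a usage line for each (e.g. `# KEY_BASE64 <base64 encoded key>` and `# HMAC_KEY_BASE64 <base64 encoded HMAC key>`) would keep the header comments in step with the stanza an operator is expected to edit.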