fwknopd man page updates for access.conf vars
parent 00a057a09d
commit eb0e8eb6a1
@ -2408,7 +2408,7 @@ usage(void)
" '$HOME/.fwknoprc' file to provide some of all\n"
" of the configuration parameters.\n"
" If more arguments are set through the command\n"
" line, the configuration is updated accordingly\n"
" line, the configuration is updated accordingly.\n"
" -A, --access Provide a list of ports/protocols to open\n"
" on the server (e.g. 'tcp/22').\n"
" -a, --allow-ip Specify IP address to allow within the SPA\n"
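Review bot: the context line `" '$HOME/.fwknoprc' file to provide some of all\n"` carries a typo this hunk leaves in place: it should read `some or all`. Since the hunk is already touching this help block to add the missing full stop on `updated accordingly.`, fix the typo in the same change rather than in a follow-up.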
@ -2454,6 +2454,7 @@ usage(void)
" -u, --user-agent Set the HTTP User-Agent for resolving the\n"
" external IP via -R, or for sending SPA\n"
" packets over HTTP.\n"
" -w, --wget-cmd Manually set the path to wget in -R mode.\n"
" -H, --http-proxy Specify an HTTP proxy host through which the\n"
" SPA packet will be sent. The port can also be\n"
" specified here by following the host/ip with\n"
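Review bot: the new `-w, --wget-cmd` usage entry has no matching man page text anywhere in this diff; the commit only touches the server pages (fwknopd.man.asciidoc and the generated fwknopd.8), so the client page should also get a `--wget-cmd` entry, stating that it applies only in `-R` mode and that the argument is the path to the wget executable that will be run. Documenting an option only in `--help` output tends to get out of sync with the man page.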
@ -2470,9 +2471,9 @@ usage(void)
" -K, --key-gen-file Write generated Rijndael + HMAC keys to a\n"
" file\n"
" --key-rijndael Specify the Rijndael key. Since the password is\n"
" visible to utilities (like 'ps' under Unix) this\n"
" form should only be used where security is not\n"
" important.\n"
" visible to utilities (like 'ps' under Unix)\n"
" this form should only be used where security is\n"
" not important.\n"
" --key-base64-rijndael Specify the base64 encoded Rijndael key. Since\n"
" the password is visible to utilities (like 'ps'\n"
" under Unix) this form should only be used where\n"

@ -229,17 +229,6 @@ See the '@sysconfdir@/fwknop/fwknopd.conf'' file for the full list and correspon
synchronization with the *fwknopd* server system (NTP is good). The
default age is 120 seconds (two minutes).

*ACCESS_EXPIRE* '<MM/DD/YYYY>'::
Defines an expiration date for the access stanza in MM/DD/YYYY format.
All SPA packets that match an expired stanza will be ignored. This
parameter is optional.

*ACCESS_EXPIRE_EPOCH* '<seconds>'::
Defines an expiration date for the access stanza as the epoch time, and is
useful if a more accurate expiration time needs to be given than the day
resolution offered by the ACCESS_EXPIRE variable above. All SPA packets
that match an expired stanza will be ignored. This parameter is optional.

*ENABLE_DIGEST_PERSISTENCE* '<Y/N>'::
Track digest sums associated with previous SPA packets processed by
*fwknopd*. This allows digest sums to remain persistent across
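Review bot: removing `ACCESS_EXPIRE` and `ACCESS_EXPIRE_EPOCH` from the fwknopd.conf section is the right call, since both descriptions speak of "the access stanza" and they are per-stanza access.conf variables. The `-229,17 +229,6` header accounts for exactly the eleven lines dropped here (two entries plus their blank separators), so nothing else is lost, provided the matching addition in the access.conf section further down lands in the same commit.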
@ -303,7 +292,7 @@ See the '@sysconfdir@/fwknop/fwknopd.conf'' file for the full list and correspon
the '$HOME/.gnupg' directory of the user running *fwknopd* (most
likely root).

GPG_EXE* '<path>'::
*GPG_EXE* '<path>'::
Specify the path to GPG, and defaults to '/usr/bin/gpg' if not set.

*LOCALE* '<locale>'::
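Review bot: the restored leading asterisk on `*GPG_EXE*` is needed for the variable name to render in bold like the neighbouring entries, and the generated fwknopd.8 hunk shows the same fix as `\fBGPG_EXE\fR`, so the two files agree. While here, the sentence `Specify the path to GPG, and defaults to '/usr/bin/gpg' if not set.` mixes an imperative with a third-person clause; `Specify the path to the gpg binary; defaults to '/usr/bin/gpg' if not set.` reads cleaner.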
@ -443,6 +432,17 @@ directive starts a new stanza.
optional field, and if not specified then *fwknopd* defaults to using
SHA256 if the access stanza requires an HMAC.

*ACCESS_EXPIRE* '<MM/DD/YYYY>'::
Defines an expiration date for the access stanza in MM/DD/YYYY format.
All SPA packets that match an expired stanza will be ignored. This
parameter is optional.

*ACCESS_EXPIRE_EPOCH* '<seconds>'::
Defines an expiration date for the access stanza as the epoch time, and is
useful if a more accurate expiration time needs to be given than the day
resolution offered by the ACCESS_EXPIRE variable above. All SPA packets
that match an expired stanza will be ignored. This parameter is optional.

*ENABLE_CMD_EXEC* '<Y/N>'::
This instructs *fwknopd* to accept complete commands that are contained
within an authorization packet. Any such command will be executed on
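Review bot: the two re-added entries never say which clock the `MM/DD/YYYY` date is interpreted against (server local time or UTC), and at day resolution that ambiguity is a full day of access in either direction; state it explicitly, and say the same for the epoch form, e.g. `as a Unix epoch time (seconds since 1970-01-01 UTC)` instead of the bare `as the epoch time`. It would also help operators to note that the two variables are alternatives and which one takes effect if both appear in a stanza.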
@ -468,6 +468,9 @@ directive starts a new stanza.
client behind a NAT) or the client must know the external IP and set it
via the *-a* argument.

*REQUIRE_SOURCE_ADDRESS* '<Y/N>'::
Synonym for ``REQUIRE_SOURCE_ADDRESS''.

*FORCE_NAT* '<IP> <PORT>'::
For any valid SPA packet, force the requested connection to be NAT'd
through to the specified (usually internal) IP and port value. This is
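Review bot: the new entry defines `REQUIRE_SOURCE_ADDRESS` as a synonym for itself (`Synonym for ``REQUIRE_SOURCE_ADDRESS''.`). It is placed directly after the entry whose text ends `via the *-a* argument`, which is the description of fwknop's `REQUIRE_SOURCE` variable, so the intended line is `Synonym for ``REQUIRE_SOURCE''.` The same self-reference is reproduced in the generated fwknopd.8 hunk below (`Synonym for \(lqREQUIRE_SOURCE_ADDRESS\(rq\&.`), which suggests the roff was regenerated from this source; fix the asciidoc and regenerate rather than patching both by hand.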
@ -522,10 +525,14 @@ directive starts a new stanza.
and/or pinentry to collect a passphrase.

*GPG_REQUIRE_SIG* '<Y/N>'::
With this setting set to 'Y', fwknopd check all GPG-encrypted SPA
With this setting set to 'Y', fwknopd check all GPG-encrypted SPA
messages for a signature (signed by the sender's key). If the incoming
message is not signed, the decryption process will fail. If not set, the
default is 'N'.
default is 'Y'.

*GPG_DISABLE_SIG* '<Y/N>'::
Disable signature verification for incoming SPA messages. This is not a
recommended setting, and the default is 'N'.

*GPG_IGNORE_SIG_VERIFY_ERROR* '<Y/N>'::
Setting this will allow fwknopd to accept incoming GPG-encrypted packets
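Review bot: the documented default for `GPG_REQUIRE_SIG` flips from `'N'` to `'Y'` in the same hunk that introduces `GPG_DISABLE_SIG`, but the text does not say what an explicit `GPG_REQUIRE_SIG N` now means, nor which setting wins when `GPG_REQUIRE_SIG Y` and `GPG_DISABLE_SIG Y` are both present; spell out the precedence, because the reworded `GPG_REMOTE_ID` entry later in this file asserts that verification "can only be disabled if GPG_DISABLE_SIG is set to 'Y'". Also, `fwknopd check all GPG-encrypted SPA messages` is rewritten here but keeps the old typo; it should be `checks`.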
@ -538,9 +545,16 @@ directive starts a new stanza.
any incoming SPA message that has been encrypted with the
*fwknopd* server key. This ensures that the verification of the
remote user is accomplished via a strong cryptographic mechanism.
This setting only applies if the ``GPG_REQUIRE_SIG'' is set to 'Y'.
Signature verification is enabled by default, and can only be disabled
if ``GPG_DISABLE_SIG'' is set to 'Y' (not a recommended setting).
Separate multiple entries with a comma.

*GPG_FINGERPRINT_ID* '<keyID,...,keyID>'::
Specify a set of full-length GnuPG key fingerprints instead of the shorter
key identifiers set with the ``GPG_REMOTE_ID'' variable. Here is an
example fingerprint for one of the fwknop test suite keys:
'00CC95F05BC146B6AC4038C9E36F443C6A3FAD56'.

*GPG_HOME_DIR* '<path>'::
Define the path to the GnuPG directory to be used by the *fwknopd*
server. If this keyword is not specified within '@sysconfdir@/fwknop/access.conf'

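Review bot: the `*GPG_FINGERPRINT_ID*` heading keeps the `'<keyID,...,keyID>'` placeholder copied from `GPG_REMOTE_ID` even though the body says it takes full-length fingerprints; use `'<fingerprint,...,fingerprint>'`. The entry should also state how it interacts with `GPG_REMOTE_ID` (whether both may be set in one stanza and whether a signer must match either list or both) and, since the full fingerprint is the stronger of the two identifiers, say that it is the preferred way to pin signers. The `GPG_REMOTE_ID` rewording that replaces "only applies if GPG_REQUIRE_SIG is set to 'Y'" with "enabled by default" is consistent with the new default documented above.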
@ -2,12 +2,12 @@
.\" Title: fwknopd
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 06/05/2014
.\" Date: 08/26/2014
.\" Manual: Fwknop Server
.\" Source: Fwknop Server
.\" Language: English
.\"
.TH "FWKNOPD" "8" "06/05/2014" "Fwknop Server" "Fwknop Server"
.TH "FWKNOPD" "8" "08/26/2014" "Fwknop Server" "Fwknop Server"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -317,16 +317,6 @@ Defines the maximum age (in seconds) that an SPA packet will be accepted\&. This
server system (NTP is good)\&. The default age is 120 seconds (two minutes)\&.
.RE
.PP
\fBACCESS_EXPIRE\fR \fI<MM/DD/YYYY>\fR
.RS 4
Defines an expiration date for the access stanza in MM/DD/YYYY format\&. All SPA packets that match an expired stanza will be ignored\&. This parameter is optional\&.
.RE
.PP
\fBACCESS_EXPIRE_EPOCH\fR \fI<seconds>\fR
.RS 4
Defines an expiration date for the access stanza as the epoch time, and is useful if a more accurate expiration time needs to be given than the day resolution offered by the ACCESS_EXPIRE variable above\&. All SPA packets that match an expired stanza will be ignored\&. This parameter is optional\&.
.RE
.PP
\fBENABLE_DIGEST_PERSISTENCE\fR \fI<Y/N>\fR
.RS 4
Track digest sums associated with previous SPA packets processed by
@ -407,7 +397,7 @@ directory of the user running
(most likely root)\&.
.RE
.PP
GPG_EXE* \fI<path>\fR
\fBGPG_EXE\fR \fI<path>\fR
.RS 4
Specify the path to GPG, and defaults to
\fI/usr/bin/gpg\fR
@ -551,6 +541,16 @@ Specify the digest algorithm for incoming SPA packet authentication\&. Must be o
defaults to using SHA256 if the access stanza requires an HMAC\&.
.RE
.PP
\fBACCESS_EXPIRE\fR \fI<MM/DD/YYYY>\fR
.RS 4
Defines an expiration date for the access stanza in MM/DD/YYYY format\&. All SPA packets that match an expired stanza will be ignored\&. This parameter is optional\&.
.RE
.PP
\fBACCESS_EXPIRE_EPOCH\fR \fI<seconds>\fR
.RS 4
Defines an expiration date for the access stanza as the epoch time, and is useful if a more accurate expiration time needs to be given than the day resolution offered by the ACCESS_EXPIRE variable above\&. All SPA packets that match an expired stanza will be ignored\&. This parameter is optional\&.
.RE
.PP
\fBENABLE_CMD_EXEC\fR \fI<Y/N>\fR
.RS 4
This instructs
@ -585,6 +585,11 @@ has to be used to automatically resolve the external address (if the client behi
argument\&.
.RE
.PP
\fBREQUIRE_SOURCE_ADDRESS\fR \fI<Y/N>\fR
.RS 4
Synonym for \(lqREQUIRE_SOURCE_ADDRESS\(rq\&.
.RE
.PP
\fBFORCE_NAT\fR \fI<IP> <PORT>\fR
.RS 4
For any valid SPA packet, force the requested connection to be NAT\(cqd through to the specified (usually internal) IP and port value\&. This is useful if there are multiple internal systems running a service such as SSHD, and you want to give transparent access to only one internal system for each stanza in the access\&.conf file\&. This way, multiple external users can each directly access only one internal system per SPA key\&.
@ -633,6 +638,12 @@ to leverage a GnuPG key pair that does not have an associated password\&. While
.RS 4
With this setting set to
\fIY\fR, fwknopd check all GPG\-encrypted SPA messages for a signature (signed by the sender\(cqs key)\&. If the incoming message is not signed, the decryption process will fail\&. If not set, the default is
\fIY\fR\&.
.RE
.PP
\fBGPG_DISABLE_SIG\fR \fI<Y/N>\fR
.RS 4
Disable signature verification for incoming SPA messages\&. This is not a recommended setting, and the default is
\fIN\fR\&.
.RE
.PP
@ -646,8 +657,15 @@ Setting this will allow fwknopd to accept incoming GPG\-encrypted packets that a
.RS 4
Define a list of gpg key ID\(cqs that are required to have signed any incoming SPA message that has been encrypted with the
\fBfwknopd\fR
server key\&. This ensures that the verification of the remote user is accomplished via a strong cryptographic mechanism\&. This setting only applies if the \(lqGPG_REQUIRE_SIG\(rq is set to
\fIY\fR\&. Separate multiple entries with a comma\&.
server key\&. This ensures that the verification of the remote user is accomplished via a strong cryptographic mechanism\&. Signature verification is enabled by default, and can only be disabled if \(lqGPG_DISABLE_SIG\(rq is set to
\fIY\fR
(not a recommended setting)\&. Separate multiple entries with a comma\&.
.RE
.PP
\fBGPG_FINGERPRINT_ID\fR \fI<keyID,\&...,keyID>\fR
.RS 4
Specify a set of full\-length GnuPG key fingerprints instead of the shorter key identifiers set with the \(lqGPG_REMOTE_ID\(rq variable\&. Here is an example fingerprint for one of the fwknop test suite keys:
\fI00CC95F05BC146B6AC4038C9E36F443C6A3FAD56\fR\&.
.RE
.PP
\fBGPG_HOME_DIR\fR \fI<path>\fR