<!-- $Id: mod_gss.html,v 1.12 2005/12/23 13:35:53 mamoeller Exp $ --> <!-- $Source: /cvsroot/gssmod/mod_gss/mod_gss/mod_gss.html,v $ --> <html> <head> <title>ProFTPD module mod_gss</title> </head> <body bgcolor=white> <hr><br> <center> <h2><b>ProFTPD module <code>mod_gss</code></b></h2> </center> <hr><br> This module is contained in the <code>mod_gss.c</code> file for ProFTPD 1.2 or higher, and is not compiled by default. Installation instructions are discussed <a href="#Installation">here</a>. <p> The project is hosted at <a href="http://sourceforge.net/projects/gssmod/"> Sourceforge.net </a> and the most current version of <code>mod_gss</code> can be found at: <pre> <a href="http://prdownloads.sourceforge.net/gssmod/">http://prdownloads.sourceforge.net/gssmod/</a> </pre> <p> <p> Please report bugs to <a href="http://sourceforge.net/tracker/?atid=529593&group_id=70951&func=browse"> GSS module for proftpd: Bugs </a> <br> Please report feature requests to <a href="http://sourceforge.net/tracker/?atid=529596&group_id=70951&func=browse"> GSS module for proftpd: Feature Requests</a> <br> Please send patches to <a href="http://sourceforge.net/tracker/?atid=529595&group_id=70951&func=browse"> GSS module for proftpd: Patches</a> <br> <h2>Author</h2> <p> Contact M Möller <markus_moeller <i>at</i> compuserve.com> with any questions, concerns, or suggestions regarding this module. <p> <h2>Directives</h2> <ul> <li><a href="#GSSEngine">GSSEngine</a> <li><a href="#GSSLog">GSSLog</a> <li><a href="#GSSOptions">GSSOptions</a> <li><a href="#GSSRequired">GSSRequired</a> <li><a href="#GSSKeytab">GSSKeytab</a> </ul> <p> <hr> <h2><a name="GSSEngine">GSSEngine</a></h2> <strong>Syntax:</strong> GSSEngine <em>on|off</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_gss<br> <strong>Compatibility:</strong> 1.2.8 and later <p> The <code>GSSEngine</code> directive toggles the use of the GSS protocol engine (<i>e.g.</i> <code>mod_gss</code>). This is usually used inside a <code><VirtualHost></code> section to enable GSS sessions for a particular virtual host. By default <code>mod_gss</code> is disabled for both the main server and all configured virtual hosts. <p> <hr> <h2><a name="GSSLog">GSSLog</a></h2> <strong>Syntax:</strong> GSSLog <em>file</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_gss<br> <strong>Compatibility:</strong> 1.2.8 and later <p> The <code>GSSLog</code> directive is used to specify a log file for <code>mod_gss</code>'s reporting on a per-server basis. The <em>file</em> parameter given must be the full path to the file to use for logging. If <em>syslog</em> is used as <em>file</em> then logging is send to syslog. <p> <hr> <h2><a name="GSSOptions">GSSOptions</a></h2> <strong>Syntax:</strong> GSSOptions <em>opt1 ...</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_gss<br> <strong>Compatibility:</strong> 1.2.8 and later <p> The <code>GSSOptions</code> directive is used to configure various optional behavior of <code>mod_gss</code>. <p> Example: <pre> AllowCCC - Allows CCC commands. AllowFWCCC - Allows PORT and PASV only as clear commands for stateful firewalls. Needs special client patch. AllowFWNAT - Allows No Channel Binding to support Network Address Translation. Needs special client patch. NoChannelBinding - Allows No Channel Binding to support Network Address Translation. Needs special client patch. RequireSequenceProtection - Require sequence protection set on GSS encrypted packets RequireReplayProtection - Require replay protection set on GSS encrypted packets </pre> <p> <hr> <h2><a name="GSSRequired">GSSRequired</a></h2> <strong>Syntax:</strong> GSSRequired <em>on|off|ctrl|data</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_gss<br> <strong>Compatibility:</strong> 1.2.8 and later <p> The <code>GSSRequired</code> directive is used to define a basic security policy, one that dictates whether the control channel, or data channel, or both, of an FTP session must occur over GSS. <p> The <em>on</em> parameter enables GSS requirements on both control and data channels; <em>off</em> disables the requirements on both channels. Use <em>ctrl</em> and <em>data</em> to require GSS on either channel individually. <p> Example: <pre> # Require GSS on the control channel, so that passwords are not sent # in the clear. GSSRequired ctrl # Require GSS on both channels. GSSRequired on </pre> <p> <hr> <h2><a name="GSSKeytab">GSSKeytab</a></h2> <strong>Syntax:</strong> GSSKeytab <em>file</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_gss<br> <strong>Compatibility:</strong> 1.2.8 and later <p> The <code>GSSKeytab</code> directive is used to specify a Kerberos5 keytab file for <code>mod_gss</code>'s Kerberos5 service key on a per-server basis. The <em>file</em> parameter given must be the full path to the file. <p> <hr><br> <h2><a name="Usage">Usage</a></h2> Much of the documentation for the GSSAPI applies to this module: <pre> <a href="http://docs-pdf.sun.com/816-1331/816-1331.pdf">http://docs-pdf.sun.com/816-1331/816-1331.pdf </a> </pre> <p> The Kerberos documentation, and its <a href="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">FAQ</a>, are recommended as well: <pre> <a href="http://web.mit.edu/kerberos/www/">http://web.mit.edu/kerberos/www/</a> </pre> <p> A copy of RFC2228 describing <em>FTP Security Extensions</em> and of RFC1509 describing <em>Generic Security Service API : C-bindings</em> is included with the source code for this module. <p> <hr><br> <h2><a name="Installation">Installation</a></h2> To install <code>mod_gss.c</code>, follow these instructions. After unpacking the tarball, run the <code>configure</code> script: <pre> cd mod_gss ./configure </pre> <code>configure</code> will try to detect the supported GSS/Kerberos libraries automatically. <p> <pre> If you wish <code>mod_gss</code> to use MIT GSS/Kerberos5, you'll want to use configure's --enable-mit option. (default if auto detect fails) If you wish <code>mod_gss</code> to use Heimdal GSS/Kerberos5, you'll want to use configure's --enable-heimdal option. If you wish <code>mod_gss</code> to use Sun SEAM GSS/Kerberos5, you'll want to use configure's --enable-seam option. If you wish <code>mod_gss</code> to use IBM NAS GSS/Kerberos5, you'll want to use configure's --enable-nas option. </pre> <p> Now, copy after unpacking the latest proftpd-1.2 or higher source code the <code>mod_gss.h</code> file into: <pre> <i>proftpd-dir</i>/include/ </pre> and the <code>mod_gss.c</code> file into: <pre> <i>proftpd-dir</i>/contrib/ </pre> <p> Then follow the normal steps for using third-party modules in proftpd: <pre> ./configure --with-modules=mod_gss make make install </pre>or starting with proftpd 1.3 <pre> ./configure --enable-dso --with-shared=mod_gss make make install </pre> You may need to specify the location of the GSS/Kerberos5 header and library files in your <code>configure</code> command, <i>e.g.</i>: <pre> ./configure --with-modules=mod_gss \ --with-includes=/usr/local/include \ --with-libraries=/usr/local/lib </pre>or starting with proftpd 1.3 <pre> ./configure --enable-dso --with-shared=mod_gss \ --with-includes=/usr/local/include \ --with-libraries=/usr/local/lib </pre> <p> To be able to use GSS/Kerberos5 add the following line to the configuration file. <pre> CommandBufferSize 1023 </pre> <p> If the Kerberos5 credential cache is bigger than 1023 bytes compile proftpd with --enable-buffer-size=<em>max cache size<em> <p> <hr><br> Author: <i>$Author: mamoeller $</i><br> Last Updated: <i>$Date: 2005/12/23 13:35:53 $</i><br> <br><hr> <font size=2><b><i> © Copyright 2002-2006 M Möller<br> All Rights Reserved<br> </i></b></font> <hr><br> <center> <A href="http://sourceforge.net"> <IMG src="http://sourceforge.net/sflogo.php?group_id=70951&type=5" width="210" height="62" border="0" alt="SourceForge.net Logo"></A> <!-- Begin Nedstat Basic code --> <!-- Title: ProFTPD module mod_gss --> <!-- URL: http://gssmod.sourceforge.net --> <script language="JavaScript" src="http://m1.nedstatbasic.net/basic.js"> </script> <script language="JavaScript"> <!-- nedstatbasic("ACDUGwzeL2vzniAMJdUmtnbmaNlw", 0); // --> </script> <noscript> <a target="_blank" href="http://v1.nedstatbasic.net/stats?ACDUGwzeL2vzniAMJdUmtnbmaNlw"><img src="http://m1.nedstatbasic.net/n?id=ACDUGwzeL2vzniAMJdUmtnbmaNlw" border="0" nosave width="18" height="18"></a> </noscript> <!-- End Nedstat Basic code --> </center> </body> </html>