GSSPROXY\-MECH

The interposer plugin allows to intercept the entire GSSAPI communication and detour to the gssproxy daemon. When the interposer plugin is installed two other conditions need to be met in order to activate it:

a) interposer configuration file

The plugin needs to be manually enabled in the /etc/gss/mech file.

b) gssproxy environment variable

The interposer plugin will not forward to the gssproxy daemon unless the environment variable named GSS_USE_PROXY=yes is set.

Furthermore, the interposer plugin can be configured to behave in different ways when called from the GSSAPI. This behavior is controlled via the GSSPROXY_BEHAVIOR environment variable. It accepts four different values:

LOCAL_ONLY

All commands received with this setting will cause to immediately reenter the GSSAPI w/o any interaction with the gssproxy daemon. When the request cannot be processed it will just fail.

LOCAL_FIRST

All commands received with this setting will cause to immediately reenter the GSSAPI. When the local GSSAPI cannot process the request, it will resend the request to the gssproxy daemon.

REMOTE_FIRST

All commands received with this setting will be forwarded to the gssproxy daemon first. If the request cannot be handled there, the request will reenter the local GSSAPI.

REMOTE_ONLY

This setting is currently not fully implemented and therefor not supported.

The default setting for GSSPROXY_BEHAVIOR is REMOTE_FIRST.

Finally the interposer may need to use a special per-service socket in order to communicate with gssproxy. The path to this socket is set via the GSSPROXY_SOCKET environment variable.  

SEE ALSO

gssproxy.conf(5) and gssproxy(8).  

AUTHORS

GSS-Proxy - http://fedorahosted.org/gss-proxy