no seccomp, gssapi Index: doc/sample.config --- doc/sample.config.orig +++ doc/sample.config @@ -35,15 +35,6 @@ # Acct-Interim-Interval, and Session-Timeout values. # # See doc/README-radius.md for the supported radius configuration attributes. -# -# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] -# The gssapi option allows one to use authentication methods supported by GSSAPI, -# such as Kerberos tickets with ocserv. It should be best used as an alternative -# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with -# tickets and without tickets to login. The default value for require-local-user-map -# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented -# to have been issued within the provided number of seconds. That option is used to -# restrict logins even if the KDC provides long time TGT tickets. #auth = "pam" #auth = "pam[gid-min=1000]" @@ -58,8 +49,6 @@ auth = "plain[passwd=./sample.passwd]" # When multiple options are present, they are OR composed (any of them # succeeding allows login). #enable-auth = "certificate" -#enable-auth = "gssapi" -#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" # Accounting methods available: # radius: can be combined with any authentication method, it provides @@ -96,8 +85,8 @@ udp-port = 443 # The user the worker processes will be run as. This should be a dedicated # unprivileged user (e.g., 'ocserv') and no other services should run as this # user. -run-as-user = nobody -run-as-group = daemon +run-as-user = _ocserv +run-as-group = _ocserv # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers. @@ -106,7 +95,7 @@ run-as-group = daemon # socket file used for server IPC (worker-main), will be appended with .PID # It must be accessible within the chroot environment (if any), so it is best # specified relatively to the chroot directory. -socket-file = /var/run/ocserv-socket +socket-file = ${LOCALSTATEDIR}/run/ocserv-socket # The default server directory. Does not require any devices present. #chroot-dir = /var/lib/ocserv @@ -172,16 +161,6 @@ ca-cert = ../tests/certs/ca.pem ### failures during the reloading time. -# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of -# system calls allowed to a worker process, in order to reduce damage from a -# bug in the worker process. It is available on Linux systems at a performance cost. -# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). -# Note however, that process isolation is restricted to the specific libc versions -# the isolation was tested at. If you get random failures on worker processes, try -# disabling that option and report the failures you, along with system and debugging -# information at: https://gitlab.com/ocserv/ocserv/issues -isolate-workers = true - # A banner to be displayed on clients after connection #banner = "Welcome" @@ -345,10 +324,9 @@ min-reauth-time = 300 # Banning clients in ocserv works with a point system. IP addresses # that get a score over that configured number are banned for # min-reauth-time seconds. By default a wrong password attempt is 10 points, -# a KKDCP POST is 1 point, and a connection is 1 point. Note that -# due to different processes being involved the count of points -# will not be real-time precise. Local subnet IPs are exempt to allow -# services that check for process health. +# and a connection is 1 point. Note that due to different processes being +# involved the count of points will not be real-time precise. Local subnet +# IPs are exempt to allow services that check for process health. # # Set to zero to disable. max-ban-score = 80 @@ -359,7 +337,6 @@ ban-reset-time = 1200 # In case you'd like to change the default points. #ban-points-wrong-password = 10 #ban-points-connection = 1 -#ban-points-kkdcp = 1 # Cookie timeout (in seconds) # Once a client is authenticated he's provided a cookie with @@ -434,7 +411,7 @@ rekey-method = ssl use-occtl = true # PID file. It can be overridden in the command line. -pid-file = /var/run/ocserv.pid +pid-file = ${LOCALSTATEDIR}/run/ocserv.pid # Log Level. It can be overridden in the command line with the -d option. # All messages at the configure level and lower will be displayed. @@ -563,6 +540,11 @@ no-route = 192.168.5.0/255.255.255.0 # any other routes. In case of defaultroute, the no-routes are restricted. # All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw # --removeall. This option can be set globally or in the per-user configuration. +# +# OpenBSD package notes: +# to use this with PF, you will need to supply your own ocserv-fw script, +# probably the best approach would be to add via a table or an anchor. +# #restrict-user-to-routes = true # This option implies restrict-user-to-routes set to true. If set, the @@ -635,23 +617,6 @@ no-route = 192.168.5.0/255.255.255.0 # and '%{G}', if present will be replaced by the username and group name. #proxy-url = http://example.com/ #proxy-url = http://example.com/%{U}/ - -# This option allows you to specify a URL location where a client can -# post using MS-KKDCP, and the message will be forwarded to the provided -# KDC server. That is a translation URL between HTTP and Kerberos. -# In MIT kerberos you'll need to add in realms: -# EXAMPLE.COM = { -# kdc = https://ocserv.example.com/KdcProxy -# http_anchors = FILE:/etc/ocserv-ca.pem -# } -# In some distributions the krb5-k5tls plugin of kinit is required. -# -# The following option is available in ocserv, when compiled with GSSAPI support. - -#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT" -#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88" -#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88" -#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88" # Client profile xml. This can be used to advertise alternative servers # to the client. A minimal file can be: