ports/net/ocserv/patches/patch-doc_sample_config


no seccomp, gssapi
Index: doc/sample.config
--- doc/sample.config.orig
+++ doc/sample.config
@@ -35,15 +35,6 @@
# Acct-Interim-Interval, and Session-Timeout values.
#
# See doc/README-radius.md for the supported radius configuration attributes.
-#
-# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
-# The gssapi option allows one to use authentication methods supported by GSSAPI,
-# such as Kerberos tickets with ocserv. It should be best used as an alternative
-# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
-# tickets and without tickets to login. The default value for require-local-user-map
-# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented
-# to have been issued within the provided number of seconds. That option is used to
-# restrict logins even if the KDC provides long time TGT tickets.
#auth = "pam"
#auth = "pam[gid-min=1000]"
@@ -58,8 +49,6 @@ auth = "plain[passwd=./sample.passwd]"
# When multiple options are present, they are OR composed (any of them
# succeeding allows login).
#enable-auth = "certificate"
-#enable-auth = "gssapi"
-#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
# Accounting methods available:
# radius: can be combined with any authentication method, it provides
@@ -96,8 +85,8 @@ udp-port = 443
# The user the worker processes will be run as. This should be a dedicated
# unprivileged user (e.g., 'ocserv') and no other services should run as this
# user.
-run-as-user = nobody
-run-as-group = daemon
+run-as-user = _ocserv
+run-as-group = _ocserv
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
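Review bot: The context comment at the top of this hunk still gives `'ocserv'` as the example account while the values below now set `_ocserv`, so the example no longer matches the value it introduces; I would update it to `# unprivileged user (e.g., '_ocserv') and no other services should run as this`. Since the worker processes drop privileges to this user and group, it would also help operators to state in a comment that the `_ocserv` user and group are expected to exist before the daemon starts (presumably they are created by the package, but nothing in the hunk says so).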
@@ -106,7 +95,7 @@ run-as-group = daemon
# socket file used for server IPC (worker-main), will be appended with .PID
# It must be accessible within the chroot environment (if any), so it is best
# specified relatively to the chroot directory.
-socket-file = /var/run/ocserv-socket
+socket-file = ${LOCALSTATEDIR}/run/ocserv-socket
# The default server directory. Does not require any devices present.
#chroot-dir = /var/lib/ocserv
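Review bot: `${LOCALSTATEDIR}` on the new socket-file line is a build-time substitution token rather than something ocserv's own config parser expands, so the value is only correct if the port substitutes it when installing doc/sample.config (presumably through the port's SUBST_VARS); if the file is ever copied unsubstituted, the literal `${LOCALSTATEDIR}/run/ocserv-socket` is the path the daemon will try to use. The same applies to the pid-file line in the `@@ -434,7 +411,7 @@` hunk. A one-line comment above each value, `# ${LOCALSTATEDIR} is replaced at package build time`, would make that visible to anyone editing the installed sample.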
@@ -172,16 +161,6 @@ ca-cert = ../tests/certs/ca.pem
### failures during the reloading time.
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
-# system calls allowed to a worker process, in order to reduce damage from a
-# bug in the worker process. It is available on Linux systems at a performance cost.
-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
-# Note however, that process isolation is restricted to the specific libc versions
-# the isolation was tested at. If you get random failures on worker processes, try
-# disabling that option and report the failures you, along with system and debugging
-# information at: https://gitlab.com/ocserv/ocserv/issues
-isolate-workers = true
-
# A banner to be displayed on clients after connection
#banner = "Welcome"
@@ -345,10 +324,9 @@ min-reauth-time = 300
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
-# a KKDCP POST is 1 point, and a connection is 1 point. Note that
-# due to different processes being involved the count of points
-# will not be real-time precise. Local subnet IPs are exempt to allow
-# services that check for process health.
+# and a connection is 1 point. Note that due to different processes being
+# involved the count of points will not be real-time precise. Local subnet
+# IPs are exempt to allow services that check for process health.
#
# Set to zero to disable.
max-ban-score = 80
@@ -359,7 +337,6 @@ ban-reset-time = 1200
# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
-#ban-points-kkdcp = 1
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
@@ -434,7 +411,7 @@ rekey-method = ssl
use-occtl = true
# PID file. It can be overridden in the command line.
-pid-file = /var/run/ocserv.pid
+pid-file = ${LOCALSTATEDIR}/run/ocserv.pid
# Log Level. It can be overridden in the command line with the -d option.
# All messages at the configure level and lower will be displayed.
@@ -563,6 +540,11 @@ no-route = 192.168.5.0/255.255.255.0
# any other routes. In case of defaultroute, the no-routes are restricted.
# All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
+#
+# OpenBSD package notes:
+# to use this with PF, you will need to supply your own ocserv-fw script,
+# probably the best approach would be to add via a table or an anchor.
+#
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
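Review bot: The added OpenBSD note above `#restrict-user-to-routes` tells the reader to supply their own ocserv-fw script but does not say where ocserv looks for it, even though the context line just above names `/etc/ocserv/ocserv-fw`. I would make the path explicit: `# to use this with PF, you will need to supply your own /etc/ocserv/ocserv-fw script,`. The next line is also unfinished as written (add what via a table or an anchor?); `# probably the best approach would be to add the routes to a PF table or anchor.` reads complete. Whether the route restriction is enforced at all when no script is present is not stated on this page; if it fails open, the note should say so, because an operator enabling restrict-user-to-routes on OpenBSD may otherwise assume the per-user restriction is in effect.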
@@ -635,23 +617,6 @@ no-route = 192.168.5.0/255.255.255.0
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/
-
-# This option allows you to specify a URL location where a client can
-# post using MS-KKDCP, and the message will be forwarded to the provided
-# KDC server. That is a translation URL between HTTP and Kerberos.
-# In MIT kerberos you'll need to add in realms:
-# EXAMPLE.COM = {
-# kdc = https://ocserv.example.com/KdcProxy
-# http_anchors = FILE:/etc/ocserv-ca.pem
-# }
-# In some distributions the krb5-k5tls plugin of kinit is required.
-#
-# The following option is available in ocserv, when compiled with GSSAPI support.
-
-#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
-#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
-#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88"
-#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88"
# Client profile xml. This can be used to advertise alternative servers
# to the client. A minimal file can be: