mod_gss.c file for ProFTPD 1.2 or higher, and is not compiled by default. Installation instructions are discussed here.
The project is hosted at Sourceforge.net and the most current version of
mod_gss can be found at:
Please report bugs to GSS module for proftpd: Bugs
Please report feature requests to GSS module for proftpd: Feature Requests
Please send patches to GSS module for proftpd: Patches
Contact M Möller <markus_moeller at compuserve.com> with any questions, concerns, or suggestions regarding this module.
GSSEngine directive toggles the use of the GSS protocol
(mod_gss). This is usually used inside a
<VirtualHost> section to enable GSS sessions for a
particular virtual host. By default
mod_gss is disabled for both
the main server and all configured virtual hosts.
GSSLog directive is used to specify a log file for
mod_gss's reporting on a per-server basis. The file
parameter given must be the full path to the file to use for
logging. If syslog is given as the file, logging is
sent to syslog.
GSSOptions directive is used to configure various optional
AllowCCC - Allows CCC commands.
AllowFWCCC - Allows PORT and PASV only as clear commands for stateful firewalls. Needs special client patch.
AllowFWNAT - Allows No Channel Binding to support Network Address Translation. Needs special client patch.
NoChannelBinding - Allows No Channel Binding to support Network Address Translation. Needs special client patch.
RequireSequenceProtection - Require sequence protection set on GSS encrypted packets.
RequireReplayProtection - Require replay protection set on GSS encrypted packets.
GSSRequired directive is used to define a basic security
policy, one that dictates whether the control channel, or data channel, or
both, of an FTP session must occur over GSS.
The on parameter enables GSS requirements on both control and data channels; off disables the requirements on both channels. Use ctrl and data to require GSS on either channel individually.
    # Require GSS on the control channel, so that passwords are not sent
    # in the clear.
    GSSRequired ctrl

    # Require GSS on both channels.
    GSSRequired on
GSSKeytab directive is used to specify a Kerberos5 keytab file for
mod_gss's Kerberos5 service key on a per-server basis. The file
parameter given must be the full path to the file.
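
A small configuration check built on the directives above, added here as an example and not part of mod_gss or its documentation: it reads proftpd.conf-style text and reports, per server context, where GSS is disabled, not required on both channels, or relaxed through GSSOptions. The sample configuration, its path and address are constructed; passing several GSSOptions values on one line and treating each <VirtualHost> independently of the main server are assumptions.

```python
import re

# Constructed sample configuration for illustration; path and address are made up.
SAMPLE_CONF = """\
GSSEngine on
GSSRequired ctrl
GSSOptions AllowCCC NoChannelBinding
<VirtualHost 192.0.2.10>
  GSSEngine on
  GSSKeytab /etc/proftpd/ftp.keytab
  GSSRequired on
  GSSOptions RequireSequenceProtection RequireReplayProtection
</VirtualHost>
"""

# Option names are the ones listed for GSSOptions on this page.
WEAKENING = {"AllowCCC", "AllowFWCCC", "AllowFWNAT", "NoChannelBinding"}
PROTECTIVE = {"RequireSequenceProtection", "RequireReplayProtection"}

def audit_gss(conf_text):
    """Return {server context: [findings]} for the GSS* directives in conf_text."""
    servers = {"server config": {}}
    current = "server config"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        opened = re.match(r"<VirtualHost\s+(.+?)>$", line, re.I)
        if opened:
            current = "VirtualHost " + opened.group(1)
            servers[current] = {}
        elif line.lower() == "</virtualhost>":
            current = "server config"
        elif line.lower().startswith("gss"):
            name, *args = line.split()
            servers[current].setdefault(name.lower(), []).extend(args)
    report = {}
    for ctx, d in servers.items():
        engine = (d.get("gssengine") or ["off"])[-1].lower()
        required = (d.get("gssrequired") or ["unset"])[-1].lower()
        opts = set(d.get("gssoptions", []))
        findings = []
        if engine != "on":
            findings.append("GSSEngine is not on: mod_gss is disabled here")
        if required != "on":
            findings.append(f"GSSRequired is {required}, not on")
        findings += [f"GSSOptions {o} relaxes a protection" for o in sorted(opts & WEAKENING)]
        findings += [f"GSSOptions {o} is not set" for o in sorted(PROTECTIVE - opts)]
        report[ctx] = findings
    return report
```
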
The Kerberos documentation, and its FAQ, are recommended as well:
A copy of RFC2228 describing FTP Security Extensions and of RFC1509 describing Generic Security Service API : C-bindings is included with the source code for this module.
mod_gss.c, follow these instructions. After unpacking the tarball, run the
    cd mod_gss
    ./configure
configure will try to detect the supported GSS/Kerberos libraries automatically.
If you wish mod_gss to use MIT GSS/Kerberos5, you'll want to use configure's --enable-mit option (default if auto detect fails).
If you wish mod_gss to use Heimdal GSS/Kerberos5, you'll want to use configure's --enable-heimdal option.
If you wish mod_gss to use Sun SEAM GSS/Kerberos5, you'll want to use configure's --enable-seam option.
If you wish mod_gss to use IBM NAS GSS/Kerberos5, you'll want to use configure's --enable-nas option.
Now, after unpacking the latest proftpd-1.2 or higher source code, copy the
mod_gss.h file into:
Then follow the normal steps for using third-party modules in proftpd:
    ./configure --with-modules=mod_gss
    make
    make install
or starting with proftpd 1.3
    ./configure --enable-dso --with-shared=mod_gss
    make
    make install
You may need to specify the location of the GSS/Kerberos5 header and library files in your
    ./configure --with-modules=mod_gss \
      --with-includes=/usr/local/include \
      --with-libraries=/usr/local/lib
or starting with proftpd 1.3
    ./configure --enable-dso --with-shared=mod_gss \
      --with-includes=/usr/local/include \
      --with-libraries=/usr/local/lib
To be able to use GSS/Kerberos5 add the following line to the configuration file.
If the Kerberos5 credential cache is bigger than 1023 bytes (e.g. when using Active Directory as KDC), compile
proftpd with --enable-buffer-size=<max cache size>
Author: $Author: mamoeller $
Last Updated: $Date: 2005/12/23 13:35:53 $
© Copyright 2002-2006 M Möller
All Rights Reserved