mod_gss

This module is contained in the mod_gss.c file for ProFTPD 1.2 or higher,
and is not compiled by default. Installation instructions are discussed below.

The project is hosted at Sourceforge.net and the most current version of mod_gss
can be found at:

    http://prdownloads.sourceforge.net/gssmod/

Please report bugs to GSS module for proftpd: Bugs
Please report feature requests to GSS module for proftpd: Feature Requests
Please send patches to GSS module for proftpd: Patches

Contact M Möller <markus_moeller at compuserve.com> with any questions, concerns, or suggestions regarding this module.
GSSEngine
Context: <VirtualHost>, <Global>

The GSSEngine directive toggles the use of the GSS protocol engine (e.g. mod_gss).
This is usually used inside a <VirtualHost> section to enable GSS sessions for a
particular virtual host. By default mod_gss is disabled for both the main server
and all configured virtual hosts.
GSSLog
Context: <VirtualHost>, <Global>

The GSSLog directive is used to specify a log file for mod_gss's reporting on a
per-server basis. The file parameter given must be the full path to the file to
use for logging. If syslog is given as the file parameter, logging is sent to
syslog instead.
GSSOptions
Context: <VirtualHost>, <Global>

The GSSOptions directive is used to configure various optional behavior of
mod_gss. The available options are:

  - AllowCCC - Allows CCC commands.
  - AllowFWCCC - Allows PORT and PASV only as clear commands for stateful
    firewalls. Needs special client patch.
  - AllowFWNAT - Allows No Channel Binding to support Network Address
    Translation. Needs special client patch.
  - NoChannelBinding - Allows No Channel Binding to support Network Address
    Translation. Needs special client patch.
  - RequireSequenceProtection - Require sequence protection set on GSS
    encrypted packets.
  - RequireReplayProtection - Require replay protection set on GSS encrypted
    packets.
GSSRequired
Context: <VirtualHost>, <Global>

The GSSRequired directive is used to define a basic security policy, one that
dictates whether the control channel, or data channel, or both, of an FTP
session must occur over GSS.

The on parameter enables GSS requirements on both control and data channels;
off disables the requirements on both channels. Use ctrl and data to require
GSS on either channel individually.

Example:

    # Require GSS on the control channel, so that passwords are not sent
    # in the clear.
    GSSRequired ctrl

    # Require GSS on both channels.
    GSSRequired on
GSSKeytab
Context: <VirtualHost>, <Global>

The GSSKeytab directive is used to specify a Kerberos5 keytab file for
mod_gss's Kerberos5 service key on a per-server basis. The file parameter
given must be the full path to the file.
http://docs-pdf.sun.com/816-1331/816-1331.pdf
The Kerberos documentation, and its FAQ, are recommended as well:
http://web.mit.edu/kerberos/www/
A copy of RFC2228 (FTP Security Extensions) and of RFC1509 (Generic Security Service API: C-bindings) is included with the source code for this module.
Installation

To install mod_gss.c, follow these instructions. After unpacking the tarball,
run the configure script:

    cd mod_gss
    ./configure

configure will try to detect the supported GSS/Kerberos libraries automatically.

  - If you wish mod_gss to use MIT GSS/Kerberos5, use configure's --enable-mit
    option (the default if auto-detection fails).
  - If you wish mod_gss to use Heimdal GSS/Kerberos5, use configure's
    --enable-heimdal option.
  - If you wish mod_gss to use Sun SEAM GSS/Kerberos5, use configure's
    --enable-seam option.
  - If you wish mod_gss to use IBM NAS GSS/Kerberos5, use configure's
    --enable-nas option.

Now, after unpacking the latest proftpd-1.2 or higher source code, copy the
mod_gss.h file into:

    proftpd-dir/include/

and the mod_gss.c file into:

    proftpd-dir/contrib/

Then follow the normal steps for using third-party modules in proftpd:

    ./configure --with-modules=mod_gss
    make
    make install

or, starting with proftpd 1.3:

    ./configure --enable-dso --with-shared=mod_gss
    make
    make install

You may need to specify the location of the GSS/Kerberos5 header and library
files in your configure command, e.g.:

    ./configure --with-modules=mod_gss \
        --with-includes=/usr/local/include \
        --with-libraries=/usr/local/lib

or, starting with proftpd 1.3:

    ./configure --enable-dso --with-shared=mod_gss \
        --with-includes=/usr/local/include \
        --with-libraries=/usr/local/lib

To be able to use GSS/Kerberos5, add the following line to the configuration
file:

    CommandBufferSize 1023

If the Kerberos5 credential cache is bigger than 1023 bytes (e.g. when using
Active Directory as KDC), compile proftpd with --enable-buffer-size=<max cache size>.
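Putting the directives above together, here is an added example of a proftpd.conf virtual host that turns mod_gss on and requires GSS on the control channel; it is not from the mod_gss distribution, and the host name, keytab path and log path are placeholders you must replace.

```apacheconf
# Added example configuration (not shipped with mod_gss). Host name, keytab
# and log paths are placeholders.

# Needed for GSS/Kerberos5 (see the installation notes above): the GSS
# authentication tokens exchanged on the control channel are long.
CommandBufferSize 1023

<VirtualHost ftp.example.com>
    GSSEngine   on
    GSSLog      /var/log/proftpd/gss.log
    GSSKeytab   /etc/proftpd/ftp.keytab

    # Weak (the default if GSSRequired is omitted): a client may log in
    # with USER/PASS over an unprotected control channel.
    #GSSRequired off

    # Hardened: GSS is mandatory before credentials cross the wire.
    # Use "on" instead of "ctrl" to also force GSS on data transfers.
    GSSRequired ctrl

    # Allowing CCC lets a client drop protection of the control channel
    # after authentication; leave it off unless a firewall setup needs it.
    #GSSOptions  AllowCCC
    GSSOptions  RequireReplayProtection
</VirtualHost>
```

Verify the result by watching the GSSLog file for the ADAT exchange on a test login and confirming a plain USER/PASS attempt is refused when GSSRequired is set.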
Author: $Author: mamoeller $
Last Updated: $Date: 2005/12/23 13:35:53 $
© Copyright 2002-2006 M Möller
All Rights Reserved