ProFTPD module mod_gss



This module is contained in the mod_gss.c file for ProFTPD 1.2 or higher, and is not compiled by default. Installation instructions are discussed in the Installation section below.

The project is hosted at Sourceforge.net and the most current version of mod_gss can be found at:

  http://prdownloads.sourceforge.net/gssmod/

Please report bugs to GSS module for proftpd: Bugs
Please report feature requests to GSS module for proftpd: Feature Requests
Please send patches to GSS module for proftpd: Patches

Author

Contact M Möller <markus_moeller at compuserve.com> with any questions, concerns, or suggestions regarding this module.

Directives


GSSEngine

Syntax: GSSEngine on|off
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_gss
Compatibility: 1.2.8 and later

The GSSEngine directive toggles the use of the GSS protocol engine (i.e. mod_gss). It is usually used inside a <VirtualHost> section to enable GSS sessions for a particular virtual host. By default mod_gss is disabled for both the main server and all configured virtual hosts.


GSSLog

Syntax: GSSLog file
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_gss
Compatibility: 1.2.8 and later

The GSSLog directive is used to specify a log file for mod_gss's reporting on a per-server basis. The file parameter given must be the full path to the file to use for logging. If syslog is given as file, then logging is sent to syslog instead.


GSSOptions

Syntax: GSSOptions opt1 ...
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_gss
Compatibility: 1.2.8 and later

The GSSOptions directive is used to configure various optional behaviors of mod_gss. The available options are:

  AllowCCC - Allows CCC (Clear Command Channel) commands.

  AllowFWCCC - Allows PORT and PASV only as clear commands, for stateful firewalls. Needs a special client patch.

  AllowFWNAT - Allows no channel binding, to support Network Address Translation. Needs a special client patch.

  NoChannelBinding - Allows no channel binding, to support Network Address Translation. Needs a special client patch.

  RequireSequenceProtection - Require sequence protection to be set on GSS encrypted packets.

  RequireReplayProtection - Require replay protection to be set on GSS encrypted packets.


GSSRequired

Syntax: GSSRequired on|off|ctrl|data
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_gss
Compatibility: 1.2.8 and later

The GSSRequired directive is used to define a basic security policy, one that dictates whether the control channel, or data channel, or both, of an FTP session must occur over GSS.

The on parameter enables GSS requirements on both control and data channels; off disables the requirements on both channels. Use ctrl and data to require GSS on either channel individually.

Example:

  # Require GSS on the control channel, so that passwords are not sent
  # in the clear.
  GSSRequired ctrl

  # Require GSS on both channels.
  GSSRequired on


GSSKeytab

Syntax: GSSKeytab file
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_gss
Compatibility: 1.2.8 and later

The GSSKeytab directive is used to specify a Kerberos5 keytab file for mod_gss's Kerberos5 service key on a per-server basis. The file parameter given must be the full path to the file.
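The following proftpd.conf fragment brings the directives above together. It is an added example written for this page, not configuration shipped with mod_gss or ProFTPD; the host name, port, keytab path and log path are assumed placeholders, and the CommandBufferSize line comes from the Installation section below.

```apacheconf
# Added example proftpd.conf fragment (not from the mod_gss distribution).
# Host name, port, keytab path and log path are assumed placeholders.

# Needed so that GSS/Kerberos5 authentication tokens fit in the command
# buffer (see the Installation section).
CommandBufferSize    1023

<VirtualHost ftp.example.org>
  ServerName "Kerberized FTP (example)"
  Port 21

  # Enable the GSS protocol engine for this virtual host only;
  # mod_gss stays disabled for the main server and other hosts.
  GSSEngine on

  # Kerberos5 service key for this server; assumed keytab path.
  GSSKeytab /etc/proftpd/ftp.keytab

  # Module log file; give "syslog" instead of a path to log via syslog.
  GSSLog /var/log/proftpd/gss.log

  # Require GSS on the control channel so that passwords are not sent in
  # the clear. Use "on" to require GSS on the data channel as well.
  GSSRequired ctrl

  # Insist on replay and sequence protection for GSS encrypted packets.
  # AllowCCC is deliberately not listed, so the control channel cannot be
  # dropped back to clear text after authentication.
  GSSOptions RequireReplayProtection RequireSequenceProtection
</VirtualHost>
```

The main server keeps the default (GSSEngine off), so only connections to the virtual host are subject to the GSS policy. GSSRequired ctrl protects credentials but still permits clear data transfers; switch it to on when file contents must be protected too.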



Usage

Much of the documentation for the GSSAPI applies to this module:
  http://docs-pdf.sun.com/816-1331/816-1331.pdf 

The Kerberos documentation, and its FAQ, are recommended as well:

  http://web.mit.edu/kerberos/www/

A copy of RFC2228 (FTP Security Extensions) and of RFC1509 (Generic Security Service API: C-bindings) is included with the source code for this module.



Installation

To install mod_gss.c, follow these instructions. After unpacking the tarball, run the configure script:

  cd mod_gss
  ./configure

configure will try to detect the supported GSS/Kerberos libraries automatically. To select an implementation explicitly, pass one of the following configure options:

  --enable-mit      use MIT GSS/Kerberos5 (the default if auto-detection fails)
  --enable-heimdal  use Heimdal GSS/Kerberos5
  --enable-seam     use Sun SEAM GSS/Kerberos5
  --enable-nas      use IBM NAS GSS/Kerberos5

Now, after unpacking the latest proftpd 1.2 (or higher) source code, copy the mod_gss.h file into:

  proftpd-dir/include/

and the mod_gss.c file into:

  proftpd-dir/contrib/

Then follow the normal steps for using third-party modules in proftpd:

  ./configure --with-modules=mod_gss
  make
  make install

or, starting with proftpd 1.3:

  ./configure --enable-dso --with-shared=mod_gss
  make
  make install

You may need to specify the location of the GSS/Kerberos5 header and library files in your configure command, e.g.:

  ./configure --with-modules=mod_gss \
    --with-includes=/usr/local/include \
    --with-libraries=/usr/local/lib

or, starting with proftpd 1.3:

  ./configure --enable-dso --with-shared=mod_gss \
    --with-includes=/usr/local/include \
    --with-libraries=/usr/local/lib

To be able to use GSS/Kerberos5, add the following line to the proftpd configuration file:

  CommandBufferSize    1023

If the Kerberos5 credential cache is bigger than 1023 bytes (e.g. when using Active Directory as the KDC), compile proftpd with --enable-buffer-size=<max cache size>.



Author: mamoeller
Last Updated: 2005/12/23 13:35:53


© Copyright 2002-2006 M Möller
All Rights Reserved

