.TH myproxy-server.config 5 "2005-12-2" "NCSA" "MyProxy"
.SH NAME
myproxy-server.config \- myproxy-server configuration file
.SH DESCRIPTION
The
.B myproxy-server.config
file sets the policy for the
.BR myproxy-server (8),
specifying what credentials may be stored in the server's
repository, who is authorized to retrieve credentials,
and other configurable server behaviors.
By default, the
.BR myproxy-server (8)
looks for this file in
.I /etc/myproxy-server.config
and if it is not found there, it looks in
.IR $GLOBUS_LOCATION/etc/myproxy-server.config .
A template is provided at
.IR $GLOBUS_LOCATION/share/myproxy/myproxy-server.config .
The
.B myproxy-server -c
option can be used to specify an alternative location.
.PP
The following lines in the configuration file use limited regular expressions
for matching the distinguished names (DNs) of classes of users.
The limited regular expressions support the shell-style characters '*'
and '?', where '*' matches any number of characters and '?' matches
any single character.
The DN limited regexes should be delimited with double quotes (\*(lqDN regex\*(rq).
.TP
.BI accepted_credentials " \*(lqDN regex\*(rq"
Each of these lines allows any clients whose DNs match the
given limited regex to connect to the myproxy-server and store
credentials with it for future retrieval. Any number of these
lines may appear. For backwards compatibility, these lines
can also start with
.B allowed_clients
instead of
.BR accepted_credentials .
If no
.B accepted_credentials
lines are specified, the server will not allow any clients to store
credentials.
.TP
.BI authorized_retrievers " \*(lqDN regex\*(rq"
Each of these lines allows the server administrator to set
server-wide policies for credential retrievers. If the client
DN does not match the given limited regex, the client is not
allowed to retrieve credentials from the server.
In addition to the server-wide policy, myproxy also
provides support for per-credential policy.
The user can specify the regex DN of the allowed retrievers of the
credential when uploading the credential (using
.BR myproxy-init (1)
or
.BR myproxy-store (1)).
The retrieval client DN must also match the user-specified regex.
In order to retrieve credentials the client also needs to know the name
and passphrase provided by the client when the credentials
were stored. Any number of these lines may appear. For
backwards compatibility, these lines can also start with
.B allowed_services
instead of
.BR authorized_retrievers .
If no
.B authorized_retrievers
lines are specified, the server will not allow any clients to retrieve
credentials.
.TP
.BI default_retrievers " \*(lqDN regex\*(rq"
Each of these lines allows the server administrator to set
server-wide default policies. The regex specifies the clients
who can access the credentials. The default retriever policy
is enforced if a per-credential policy is not specified on
upload (using
.BR myproxy-init (1)
or
.BR myproxy-store (1)).
In other words, the client can override this policy
for a credential on upload. The per-credential policy is
enforced in addition to the server-wide policy specified by
the authorized_retrievers line (which clients cannot
override). Any number of these lines may be present. For
backwards compatibility, if no
.B default_retrievers
line is specified, the default policy is "*", which allows any client
to pass the per-credential policy check. (The client must
still pass the
.B authorized_retrievers
check.)
.TP
.BI authorized_renewers " \*(lqDN regex\*(rq"
Each of these lines allows the server administrator to set
server-wide policies for authorized renewers. If the client DN
does not match the given limited regex, the client is not
allowed to renew the credentials previously stored by a
client. In addition to the server-wide policy, myproxy also
provides support for per-credential policy.
The user can specify the regex DN of the allowed renewers of the credential
on upload (using
.BR myproxy-init (1)).
The renewal client DN must match both this regex
and the user-specified regex. In this case, the client must
also already have a credential with a DN matching the DN of
the credentials to be retrieved, to be used in a second
authorization step (see the
.B -a
options for
.BR myproxy-logon (1)
and
.BR myproxy-retrieve (1)).
.TP
.BI default_renewers " \*(lqDN regex\*(rq"
Each of these lines allows the server administrator to set
server-wide default renewer policies. The regex specifies the
clients who can renew the credentials. The default renewer
policy is enforced if a per-credential policy is not specified
on upload (using
.BR myproxy-init (1)).
This is enforced in addition to the server-wide
policy specified by the
.B authorized_renewers
line. Any number of these lines may appear. For backwards compatibility, if no
default_renewers line is specified, the default policy is "*",
which allows any client to pass the per-credential policy
check. (The client must still pass the
.B authorized_renewers
check.)
.TP
.BI authorized_key_retrievers " \*(lqDN regex\*(rq"
This policy controls who can retrieve credentials (certificates and
keys) directly from the repository using
.BR myproxy-retrieve (1).
Clients must also match the
.B authorized_retrievers
policy.
If no
.B authorized_key_retrievers
lines are specified, the server will not allow any clients to retrieve
keys directly from the repository.
.TP
.BI default_key_retrievers " \*(lqDN regex\*(rq"
This policy applies if a per-credential policy is not specified on
upload (using
.BR myproxy-init (1)
or
.BR myproxy-store (1)).
In other words, the client can override this policy
for a credential on upload. The per-credential policy is
enforced in addition to the server-wide policy specified by
the authorized_key_retrievers line (which clients cannot
override). Any number of these lines may be present.
If no
.B default_key_retrievers
line is specified, the default policy is "*", which allows any client
to pass the per-credential policy check. (The client must
still pass the
.B authorized_key_retrievers
check.)
.TP
.BI trusted_retrievers " \*(lqDN regex\*(rq"
This policy controls who can retrieve credentials without further
authentication.
By default, clients that match
.B authorized_retrievers
must perform additional authentication (such as passphrase, PAM, or
SASL) to retrieve credentials. However, authenticated clients that
match
.B trusted_retrievers
do not need to perform additional authentication.
.TP
.BI default_trusted_retrievers " \*(lqDN regex\*(rq"
If a user doesn't set a trusted retrieval policy with the credential
on upload (via
.B 'myproxy-init
.BR -Z' ),
the
.BR myproxy-server (8)
will apply the following policy in addition to the
.B trusted_retrievers
policy. If no
.B default_trusted_retrievers
policy is set, then only the
.B trusted_retrievers
policy is applied.
.PP
The following lines in the configuration file set other server policy
options.
.TP
.BI passphrase_policy_program " full-path-to-script"
This line specifies a program to run whenever a passphrase is set or
changed, for implementing a local password policy.
The program is passed the new passphrase via stdin and is passed the
following arguments: username, distinguished name, credential name (if
any), per-credential retriever policy (if any), and per-credential
renewal policy (if any).
If the passphrase is acceptable, the program should exit with status 0.
Otherwise, it should exit with non-zero status, causing the operation
in progress (credential load, passphrase change) to fail with the error
message provided by the program's stdout.
Note: You must specify the full path to the external program.
$GLOBUS_LOCATION can't be used in the myproxy-server.config file.
A sample program is installed in
.I $GLOBUS_LOCATION/share/myproxy/myproxy-passphrase-policy
but is not enabled by default.
.TP
.BI max_proxy_lifetime " hours"
This line specifies a server-wide maximum lifetime for retrieved proxy
credentials. By default, no server-wide maximum is enforced.
However, if this option is specified, the server will limit the
lifetime of any retrieved proxy credentials to the value given.
.PP
The MyProxy server can be optionally configured for authentication
based on Pluggable Authentication Modules (PAM) and/or
the Simple Authentication and Security Layer (SASL).
Kerberos is one of the supported SASL authentication methods.
The following options control the use of PAM and SASL.
.TP
.BI pam " option"
This line governs the use of PAM to check passphrases.
MyProxy will attempt to authenticate via PAM, with the supplied
username and passphrase.
Note that PAM will need to be configured externally for the
application "myproxy" (usually in /etc/pam.d/), or for the
application named by pam_id, below.
Accepted values:
.RS
.TP
.B required
PAM password authentication is required under all conditions. If the
credential is unencrypted (that is, it has no passphrase), a PAM
password check is still required for authentication. If the
credential is encrypted, its passphrase must match the PAM password.
.TP
.B sufficient
The user's passphrase may match either the credential passphrase or,
if the credential is unencrypted, the PAM passphrase. If the
credential is encrypted, then the PAM password is not relevant.
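The retrieval checks described above (the server-wide authorized_retrievers line, the per-credential policy with its default_retrievers fallback of "*", and the trusted_retrievers exemption from extra authentication) as an added Python illustration; this is not MyProxy's own code, and the sample configuration, the DNs and the '#' comment handling are constructed assumptions.

```python
import re

# Legacy option names the man page says are still accepted.
ALIASES = {"allowed_clients": "accepted_credentials",
           "allowed_services": "authorized_retrievers"}

def dn_regex_to_re(limited):
    # Only '*' and '?' are special in a MyProxy limited regex; escape the rest.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in limited)
    return re.compile("^" + body + "$")

def dn_matches(dn, policies):
    # A DN passes a policy list if it matches at least one line.
    return any(dn_regex_to_re(p).match(dn) for p in policies)

def parse_config(text):
    # Each line is '<option> "DN regex"'; repeated options accumulate in order.
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # assumed: '#' starts a comment
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = ALIASES.get(key, key)
        cfg.setdefault(key, []).append(value.strip().strip('"'))
    return cfg

def may_retrieve(cfg, client_dn, per_credential_policy=None):
    # Returns (allowed, needs_extra_auth) for a credential retrieval.
    # Step 1: server-wide authorized_retrievers; the credential owner cannot
    # override it, and no line at all means nobody may retrieve.
    if not dn_matches(client_dn, cfg.get("authorized_retrievers", [])):
        return False, True
    # Step 2: the owner's upload-time policy, else default_retrievers, else "*".
    cred_policy = ([per_credential_policy] if per_credential_policy
                   else cfg.get("default_retrievers", ["*"]))
    if not dn_matches(client_dn, cred_policy):
        return False, True
    # Step 3: trusted_retrievers skip the passphrase/PAM/SASL step.
    trusted = dn_matches(client_dn, cfg.get("trusted_retrievers", []))
    return True, not trusted

# Constructed sample configuration (not the shipped template).
SAMPLE_CONFIG = """
accepted_credentials "/C=US/O=Example/*"
allowed_services "/C=US/O=Example/OU=Portal/CN=*"   # legacy spelling
default_retrievers "/C=US/O=Example/OU=Portal/CN=portal?"
trusted_retrievers "/C=US/O=Example/OU=Portal/CN=portal1"
"""
```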
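An added example of a passphrase_policy_program that follows the interface described above (passphrase on stdin, username and DN as the first arguments, exit 0 to accept, otherwise non-zero with the error text on stdout); it is not the myproxy-passphrase-policy script shipped with MyProxy, and the rules themselves (minimum length, character classes, no username or CN fragments) are constructed assumptions.

```python
import re
import sys

MIN_LENGTH = 12   # constructed policy value

def cn_from_dn(dn):
    # Return the last CN component of a slash-separated DN, or "".
    cns = re.findall(r"/CN=([^/]+)", dn)
    return cns[-1] if cns else ""

def check_passphrase(passphrase, username, dn=""):
    # Return (accepted, message); the message is what the server reports
    # to the client when the passphrase is rejected.
    pw = passphrase.rstrip("\r\n")
    if len(pw) < MIN_LENGTH:
        return False, "passphrase must be at least %d characters" % MIN_LENGTH
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw)]
    if sum(1 for c in classes if c) < 3:
        return False, "passphrase needs three of: lower, upper, digit, symbol"
    low = pw.lower()
    # Reject passphrases built from the username or the CN of the DN.
    for word in (username, cn_from_dn(dn)):
        for token in re.split(r"\s+", word.lower()):
            if len(token) >= 4 and token in low:
                return False, "passphrase must not contain '%s'" % token
    return True, ""

def main(argv=sys.argv):
    # Argument order per the man page: username, DN, credential name,
    # retriever policy, renewer policy (the last three may be absent).
    username = argv[1] if len(argv) > 1 else ""
    dn = argv[2] if len(argv) > 2 else ""
    ok, msg = check_passphrase(sys.stdin.read(), username, dn)
    if not ok:
        print(msg)   # becomes the error message shown by myproxy-server
    return 0 if ok else 1

if __name__ == "__main__":
    sys.exit(main())
```

Enable it with a passphrase_policy_program line giving the script's full path (a placeholder such as /usr/local/sbin/check-passphrase.py), since $GLOBUS_LOCATION cannot be used in myproxy-server.config.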