1
1
.\"****************************************************************************
2
.\" $Id: munged.8.in 771 2010-03-02 23:14:07Z dun $
2
.\" $Id: munged.8.in 890 2011-01-20 01:54:21Z chris.m.dunlap $
3
3
.\"****************************************************************************
4
4
.\" Written by Chris Dunlap <cdunlap@llnl.gov>.
5
.\" Copyright (C) 2007-2010 Lawrence Livermore National Security, LLC.
5
.\" Copyright (C) 2007-2011 Lawrence Livermore National Security, LLC.
6
6
.\" Copyright (C) 2002-2007 The Regents of the University of California.
7
7
.\" UCRL-CODE-155910.
9
9
.\" This file is part of the MUNGE Uid 'N' Gid Emporium (MUNGE).
10
.\" For details, see <http://home.gna.org/munge/>.
10
.\" For details, see <http://munge.googlecode.com/>.
12
12
.\" MUNGE is free software: you can redistribute it and/or modify it under
13
13
.\" the terms of the GNU General Public License as published by the Free
52
52
When a credential is validated, \fBmunged\fR first checks the message
53
authentication code to ensure the credential has not been subsequently altered.
54
Next, it checks the embedded UID/GID restrictions to determine whether the
55
requesting client is allowed to decode it. Then, it checks the embedded
56
encode time against the current time; if this difference exceeds the embedded
57
time-to-live, the credential has expired. Finally, it checks whether this
58
credential has been previously decoded on this host; if so, the credential
59
has been replayed. If all checks pass, the credential metadata and payload
60
are returned to the client.
53
authentication code to ensure the credential has not been subsequently
54
altered. Next, it checks the embedded UID/GID restrictions to determine
55
whether the requesting client is allowed to decode it. Then, it checks
56
the embedded encode time against the current time; if this difference
57
exceeds the embedded time-to-live, the credential has expired. Finally,
58
it checks whether this credential has been previously decoded on this host;
59
if so, the credential has been replayed. If all checks pass, the credential
60
metadata and payload are returned to the client.
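Review bot: The expiry sentence (new lines 55-57) only describes a credential whose age exceeds the embedded time-to-live; it does not say what munged does when the embedded encode time is ahead of the decoding host's clock. Since the paragraph is being rewrapped anyway, add a sentence on how clock skew between the encoding and decoding hosts is treated. The phrase "previously decoded on this host" (line 58) would also benefit from stating outright that the replay check is local to each host.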
82
82
Specify the local domain socket for communicating with clients.
84
84
.BI "--auth-server-dir " directory
85
Specify an alternate directory in which the daemon will create the pipe used to
86
authenticate clients. The recommended permissions for this directory are 0711.
87
This option is only valid on platforms where client authentication is performed
88
via a file-descriptor passing mechanism.
85
Specify an alternate directory in which the daemon will create the pipe used
86
to authenticate clients. The recommended permissions for this directory
87
are 0711. This option is only valid on platforms where client authentication
88
is performed via a file-descriptor passing mechanism.
90
90
.BI "--auth-client-dir " directory
91
Specify an alternate directory in which clients will create the file used to
92
authenticate themselves to the daemon. The recommended permissions for this
93
directory are 1733. This option is only valid on platforms where client
94
authentication is performed via a file-descriptor passing mechanism.
91
Specify an alternate directory in which clients will create the file used
92
to authenticate themselves to the daemon. The recommended permissions
93
for this directory are 1733. This option is only valid on platforms where
94
client authentication is performed via a file-descriptor passing mechanism.
96
96
.BI "--group-check-mtime " boolean
97
97
Specify whether the modification time of \fI/etc/group\fR should be checked
98
before updating the supplementary group membership mapping. If this value is
99
non-zero, the check will be enabled and the mapping will not be updated unless
100
the file has been modified since the last update.
98
before updating the supplementary group membership mapping. If this value
99
is non-zero, the check will be enabled and the mapping will not be updated
100
unless the file has been modified since the last update.
102
102
.BI "--group-update-time " integer
103
103
Specify the number of seconds between updates to the supplementary group
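Review bot: The recommended modes 0711 for --auth-server-dir (lines 86-87) and 1733 for --auth-client-dir (line 93) are given without the expected owner of each directory or what each mode is meant to prevent. An administrator pointing these options at an alternate directory has no way to verify the result from this text. Suggest naming the owner and giving one clause of rationale for each mode. Separately, --group-check-mtime (line 96) takes a "boolean" argument while the description speaks of a "non-zero" value; list the accepted values.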
138
Copyright (C) 2007-2010 Lawrence Livermore National Security, LLC.
138
Copyright (C) 2007-2011 Lawrence Livermore National Security, LLC.
140
140
Copyright (C) 2002-2007 The Regents of the University of California.
142
MUNGE is free software: you can redistribute it and/or modify it under
143
the terms of the GNU General Public License as published by the Free
144
Software Foundation, either version 3 of the License, or (at your option)
145
any later version. Additionally for the MUNGE library (libmunge), you
146
can redistribute it and/or modify it under the terms of the GNU Lesser
147
General Public License as published by the Free Software Foundation,
148
either version 3 of the License, or (at your option) any later version.
142
MUNGE is free software: you can redistribute it and/or modify it under the
143
terms of the GNU General Public License as published by the Free Software
144
Foundation, either version 3 of the License, or (at your option) any later
147
Additionally for the MUNGE library (libmunge), you can redistribute it
148
and/or modify it under the terms of the GNU Lesser General Public License as
149
published by the Free Software Foundation, either version 3 of the License,
150
or (at your option) any later version.
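Review bot: On the new side the license text ends line 144 with "any later" and resumes at line 147 with "Additionally", so lines 145-146 are not visible here. Please confirm they complete the sentence with "version." and that the paragraph split leaves the notice otherwise word-for-word unchanged. Also, the year range bumped at line 138 duplicates the one in the header comment at line 5, so both have to be edited together on every update; a note in the header saying so would help the next person.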