| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 |
- .TH "pure-certd" "8" "@VERSION@" "Frank Denis" "Pure-FTPd"
- .SH "NAME"
- .LP
- pure\-certd \- TLS certificate agent for Pure\-FTPd.
- .SH "SYNTAX"
- .LP
- pure\-certd [\fI\-p\fP <\fI/path/to/pidfile\fP>] [\fI\-u\fP uid] [\fI\-g\fP gid] [\fI\-B\fP] <\fI\-s\fP /path/to/socket> \fI\-r\fP /program/to/run
- .SH "DESCRIPTION"
- .LP
- pure\-certd is a daemon that forks an authentication program, waits for a certificate path as a reply, and returns it to an application server.
- .LP
- pure\-certd listens to a local Unix socket. A new connection to that socket should send pure\-authd the following structure:
- .IP
- sni_name:xxx
- end
- .LP
- These content is passed to the authentication program, as an environment variable:
- .IP
- CERTD_SNI_NAME
- .LP
- The authentication program should take appropriate actions to select a TLS certificate, and reply to the standard output with the following format:
- .IP
- action:strict
- cert_file:/path/to/cert.pem
- key_file:/path/to/cert.pem
- end
- .TP
- \fBcert_file:\fRxxx
- Absolute path to the certificate in PEM format.
- .TP
- \fBkey_file:\fRxxx
- This is optional, as a certificate and its key can be concatenated in the same file.
- .TP
- \fBaction:\fRxxx
- If action is "deny", a certificate for that name was not found and access is denied.
- If xxx is "default", the default certificate will be used.
- If xxx is "strict", the certificate whose path is indicated in "cert_path" will be used. If absent or invalid, access will be denied.
- If xxx is "fallback", the certificate whose path is indicated in "cert_path" will be used. If absent or invalid, the default certificate will be used instead.
- .TP
- \fBuid:\fRxxx
- The system uid to be assigned to that user. Must be > 0.
- .TP
- \fBgid:\fRxxx
- The primary system gid. Must be > 0.
- .TP
- \fBdir:\fRxxx
- The absolute path to the home directory. Can contain /./ for a chroot jail.
- .LP
- \fIOnly one authentication program is forked at a time. It must return quickly.\fR
- .SH "OPTIONS"
- .TP
- \fB\-u\fR <\fIuid\fP>
- Have the daemon run with that uid.
- .TP
- \fB\-g\fR <\fIgid\fP>
- Have the daemon run with that gid.
- .TP
- \fB\-B\fR
- Fork in background (daemonization).
- .TP
- \fB\-s\fR <\fI/path/to/socket\fP>
- Set the full path to the local Unix socket.
- .TP
- \fB\-r\fR <\fI/path/to/program\fP>
- Set the full path to the authentication program.
- .TP
- \fB\-h\fR
- Output help information and exit.
- .SH "EXAMPLES"
- .LP
- To run this program the standard way type:
- .LP
- pure\-certd \-s @LOCALSTATEDIR@/run/certd.sock \-r /usr/bin/my\-cert\-program &
- .LP
- pure\-ftpd \-lextauth:@LOCALSTATEDIR@/run/certd.sock &
- .TP
- /usr/bin/my\-cert\-program can be as simple as:
- #! /bin/sh
- echo 'action:strict'
- echo 'cert_file:/etc/ssl/private/pure-ftpd/cert.pem'
- echo 'end'
- .SH "AUTHORS"
- .LP
- Frank DENIS <j at pureftpd dot org>
- .SH "SEE ALSO"
- .BR "ftp(1)" ,
- .BR "pure-ftpd(8)"
- .BR "pure-ftpwho(8)"
- .BR "pure-mrtginfo(8)"
- .BR "pure-uploadscript(8)"
- .BR "pure-statsdecode(8)"
- .BR "pure-pw(8)"
- .BR "pure-quotacheck(8)"
- .BR "pure-authd(8)"
|
