summaryrefslogtreecommitdiffstats
path: root/source/configuration/modules/gssapi.rst
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 16:27:18 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 16:27:18 +0000
commitf7f20c3f5e0be02585741f5f54d198689ccd7866 (patch)
tree190d5e080f6cbcc40560b0ceaccfd883cb3faa01 /source/configuration/modules/gssapi.rst
parentInitial commit. (diff)
downloadrsyslog-doc-f7f20c3f5e0be02585741f5f54d198689ccd7866.tar.xz
rsyslog-doc-f7f20c3f5e0be02585741f5f54d198689ccd7866.zip
Adding upstream version 8.2402.0+dfsg.upstream/8.2402.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--source/configuration/modules/gssapi.rst73
1 files changed, 73 insertions, 0 deletions
diff --git a/source/configuration/modules/gssapi.rst b/source/configuration/modules/gssapi.rst
new file mode 100644
index 0000000..157f5a3
--- /dev/null
+++ b/source/configuration/modules/gssapi.rst
@@ -0,0 +1,73 @@
+GSSAPI module support in rsyslog v3
+===================================
+
+What is it good for.
+
+- client-serverauthentication
+- Log messages encryption
+
+Requirements.
+
+- Kerberos infrastructure
+- rsyslog, rsyslog-gssapi
+
+Configuration.
+
+Let's assume there are 3 machines in Kerberos Realm:
+
+- the first is running KDC (Kerberos Authentication Service and Key
+ Distribution Center),
+- the second is a client sending its logs to the server,
+- the third is receiver, gathering all logs.
+
+1. KDC:
+
+- Kerberos database must be properly set-up on KDC machine first. Use
+ kadmin/kadmin.local to do that. Two principals need to be add in our
+ case:
+
+#. sender@REALM.ORG
+
+- client must have ticket for principal sender
+- REALM.ORG is kerberos Realm
+
+#. host/receiver.mydomain.com@REALM.ORG - service principal
+
+- Use ktadd to export service principal and transfer it to
+ /etc/krb5.keytab on receiver
+
+2. CLIENT:
+
+- set-up rsyslog, in /etc/rsyslog.conf
+- $ModLoad omgssapi - load output gss module
+- $GSSForwardServiceName otherThanHost - set the name of service
+ principal, "host" is the default one
+- \*.\* :omgssapi:receiver.mydomain.com - action line, forward logs to
+ receiver
+- kinit root - get the TGT ticket
+- service rsyslog start
+
+3. SERVER:
+
+- set-up rsyslog, in /etc/rsyslog.conf
+
+- $ModLoad `imgssapi <imgssapi.html>`_ - load input gss module
+
+- $InputGSSServerServiceName otherThanHost - set the name of service
+ principal, "host" is the default one
+
+- $InputGSSServerPermitPlainTCP on - accept GSS and TCP connections
+ (not authenticated senders), off by default
+
+- $InputGSSServerRun 514 - run server on port
+
+- service rsyslog start
+
+The picture demonstrate how things work.
+
+.. figure:: gssapi.png
+ :align: center
+ :alt: rsyslog gssapi support
+
+ rsyslog gssapi support
+