NAME

       munged - MUNGE daemon

SYNOPSIS

       munged [OPTION]...

DESCRIPTION

       The munged daemon is responsible for authenticating local MUNGE clients
       and servicing their credential encode & decode  requests.   All  munged
       daemons  within  a security realm share a secret key.  This key is used
       to protect the contents of a credential.

       When  a  credential  is  created,  munged  embeds  metadata  within  it
       including  the  effective  UID  and  GID  of  the requesting client (as
       determined by munged) and the current time (as determined by the  local
       clock).  It then compresses the data, computes a message authentication
       code, encrypts the data, and base64-encodes the result before returning
       the credential to the client.

       When  a  credential  is  validated,  munged  first  checks  the message
       authentication code to ensure the credential has not been  subsequently
       altered.    Next,  it  checks  the  embedded  UID/GID  restrictions  to
       determine whether the requesting client is allowed to decode it.  Then,
       it  checks  the  embedded encode time against the current time; if this
       difference  exceeds  the  embedded  time-to-live,  the  credential  has
       expired.    Finally,   it  checks  whether  this  credential  has  been
       previously decoded on  this  host;  if  so,  the  credential  has  been
       replayed.   If all checks pass, the credential metadata and payload are
       returned to the client.

OPTIONS

       -h, --help
              Display a summary of the command-line options.

       -L, --license
              Display license information.

       -V, --version
              Display version information.

       -f, --force
              Force the daemon to run if  at  all  possible.   This  overrides
              warnings  for an existing local domain socket, a lack of entropy
              for the PRNG, and insecure file/directory permissions.

       -F, --foreground
              Run the daemon in the foreground.

       -S, --socket path
              Specify the local domain socket for communicating with  clients.

       --auth-server-dir directory
              Specify  an  alternate directory in which the daemon will create
              the  pipe  used  to  authenticate  clients.    The   recommended
              permissions  for  this  directory are 0711.  This option is only
              valid on platforms where client authentication is performed  via
              a file-descriptor passing mechanism.

       --auth-client-dir directory
              Specify  an alternate directory in which clients will create the
              file  used  to  authenticate  themselves  to  the  daemon.   The
              recommended  permissions  for  this  directory  are  1733.  This
              option is only valid on platforms where client authentication is
              performed via a file-descriptor passing mechanism.

       --group-check-mtime boolean
              Specify  whether  the  modification time of /etc/group should be
              checked  before  updating  the  supplementary  group  membership
              mapping.   If  this value is non-zero, the check will be enabled
              and the mapping will not be updated unless  the  file  has  been
              modified since the last update.

       --group-update-time integer
              Specify   the   number   of   seconds  between  updates  to  the
              supplementary group membership mapping;  this  mapping  is  used
              when  restricting credentials by GID.  A value of 0 causes it to
              be computed initially but never updated (unless triggered  by  a
              SIGHUP).  A value of -1 causes it to be disabled.

       --key-file file
              Specify an alternate secret key file.

       --num-threads integer
              Specify the number of threads to spawn for processing credential
              requests.

SIGNALS

       SIGHUP Immediately update the supplementary  group  membership  mapping
              instead  of  waiting for the next scheduled update; this mapping
              is used when restricting credentials by GID.

       SIGTERM
              Terminate the daemon.

NOTES

       All clocks within a security realm must be  kept  in  sync  within  the
       credential time-to-live setting.

       While  munged  prevents  a  given  credential  from  being decoded on a
       particular host more than once,  nothing  prevents  a  credential  from
       being  decoded  on  multiple  hosts within the security realm before it
       expires.
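
       The encode and validation sequence described under DESCRIPTION, together
       with the two caveats above (clocks must agree to within the TTL, and
       replay detection is per host), as an added illustration that is not
       MUNGE's own code, credential layout, cipher or MAC.  The realm key, the
       hosts, the clock values and the toy keystream cipher below are
       constructed for the example; only the order of the checks follows the
       man page.

```python
"""Model of the munged encode/decode sequence from the man page.

Added illustration only: MUNGE's real credential format, cipher, MAC and
compression differ.  Key, hosts, clocks and payloads are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib

# Constructed shared secret for the security realm (stands in for the key file).
REALM_KEY = b"constructed-realm-key-not-a-real-secret"

# Outcomes in the order the man page lists the validation checks.
OK, BAD_MAC, BAD_UID, BAD_GID, EXPIRED, REPLAYED = (
    "ok", "bad_mac", "bad_uid", "bad_gid", "expired", "replayed")


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric keystream so the example has an encrypt/decrypt step.
    Hypothetical stand-in; MUNGE uses a real cipher."""
    out = bytearray()
    block = b""
    for i, b in enumerate(data):
        if i % 32 == 0:  # new 32-byte keystream block = SHA-256(key || counter)
            block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


def encode(uid, gid, payload: bytes, ttl, dec_uid=None, dec_gid=None,
           now=None, key=REALM_KEY) -> str:
    """Embed metadata, compress, MAC, encrypt, base64 (page's stated order)."""
    now = time.time() if now is None else now
    meta = {"uid": uid, "gid": gid, "time": int(now), "ttl": ttl,
            "dec_uid": dec_uid, "dec_gid": dec_gid}
    compressed = zlib.compress(json.dumps(meta).encode() + b"\0" + payload)
    mac = hmac.new(key, compressed, hashlib.sha256).digest()
    return base64.b64encode(mac + _xor_stream(key, compressed)).decode("ascii")


class Host:
    """One munged instance: shares the realm key but has its own clock
    and its own replay cache, as the NOTES section describes."""

    def __init__(self, name, key=REALM_KEY, clock_skew=0.0):
        self.name, self.key, self.clock_skew = name, key, clock_skew
        self.seen = set()  # MACs of credentials already decoded on this host

    def now(self):
        return time.time() + self.clock_skew

    def decode(self, cred: str, client_uid, client_gid, now=None):
        now = self.now() if now is None else now
        raw = base64.b64decode(cred)
        mac, ciphertext = raw[:32], raw[32:]
        compressed = _xor_stream(self.key, ciphertext)
        # 1. MAC: reject anything altered after encoding (constant-time compare).
        expected = hmac.new(self.key, compressed, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return BAD_MAC, None
        meta_bytes, _, payload = zlib.decompress(compressed).partition(b"\0")
        meta = json.loads(meta_bytes)
        # 2. Embedded UID/GID restrictions on who may decode.
        if meta["dec_uid"] is not None and meta["dec_uid"] != client_uid:
            return BAD_UID, None
        if meta["dec_gid"] is not None and meta["dec_gid"] != client_gid:
            return BAD_GID, None
        # 3. Encode time vs. local clock; difference beyond TTL means expired.
        if now - meta["time"] > meta["ttl"]:
            return EXPIRED, None
        # 4. Per-host replay cache: a second decode on this host is rejected.
        if mac in self.seen:
            return REPLAYED, None
        self.seen.add(mac)
        return OK, (meta, payload)


def tamper(cred: str) -> str:
    """Flip one ciphertext byte to show the MAC check catching alteration."""
    raw = bytearray(base64.b64decode(cred))
    raw[-1] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    cred = encode(1000, 100, b"job-42", ttl=300, now=1_000_000)
    a, b = Host("node-a"), Host("node-b")
    print("node-a first decode :", a.decode(cred, 1000, 100, now=1_000_010)[0])
    print("node-a second decode:", a.decode(cred, 1000, 100, now=1_000_020)[0])
    print("node-b first decode :", b.decode(cred, 1000, 100, now=1_000_020)[0])
    print("clock 5 min ahead   :", Host("late").decode(cred, 1000, 100, now=1_000_301)[0])
    print("tampered            :", Host("x").decode(tamper(cred), 1000, 100, now=1_000_010)[0])
```

       Running the script shows the second decode on node-a rejected as a
       replay while node-b still accepts the same credential, and a host whose
       clock is more than the TTL ahead rejecting a fresh credential as
       expired, which is why the clocks in a realm must agree to within the
       time-to-live.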

AUTHOR

       Chris Dunlap <cdunlap@llnl.gov>

COPYRIGHT

       Copyright (C) 2007-2010 Lawrence Livermore National Security, LLC.
       Copyright (C) 2002-2007 The Regents of the University of California.

       MUNGE is free software: you can redistribute it and/or modify it  under
       the  terms  of  the GNU General Public License as published by the Free
       Software Foundation, either version 3  of  the  License,  or  (at  your
       option)   any  later  version.   Additionally  for  the  MUNGE  library
       (libmunge), you can redistribute it and/or modify it under the terms of
       the GNU Lesser General Public License as published by the Free Software
       Foundation, either version 3 of the License, or (at  your  option)  any
       later version.

SEE ALSO

       munge(1),     remunge(1),     unmunge(1),    munge(3),    munge_ctx(3),
       munge_enum(3), munge(7).

       http://home.gna.org/munge/