2 .\" Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
3 .\" Written by David Howells (dhowells@redhat.com)
5 .\" This program is free software; you can redistribute it and/or
6 .\" modify it under the terms of the GNU General Public License
7 .\" as published by the Free Software Foundation; either version
8 .\" 2 of the License, or (at your option) any later version.
10 .TH REQUEST-KEY.CONF 5 "11 July 2005" Linux "Linux Key Management Utilities"
12 request-key.conf - Instantiation handler configuration file
15 This file is used by the /sbin/request-key program to determine which program
16 it should run to instantiate a key.
18 request-key works scans through the file a line at a time until it finds a
19 match, which it will then use. If it doesn't find a match, it'll return an
20 error and the kernel will automatically negate the key.
22 Any blank line or line beginning with a hash mark '#' is considered to be a
25 All other lines are assumed to be command lines with a number of white space
28 <op> <type> <description> <callout-info> <prog> <arg1> <arg2> ...
30 The first four fields are used to match the parameters passed to request-key by
31 the kernel. \fIop\fR is the operation type; currently the only supported
32 operation is "create".
34 \fItype\fR, \fIdescription\fR and \fIcallout-info\fR match the three parameters
35 passed to \fBkeyctl request2\fR or the \fBrequest_key()\fR system call. Each of
36 these may contain one or more asterisk '*' characters as wildcards anywhere
39 Should a match be made, the program specified by <prog> will be exec'd. This
40 must have a fully qualified path name. argv[0] will be set from the part of the
41 program name that follows the last slash '/' character.
43 If the program name is prefixed with a pipe bar character '|', then the program
44 will be forked and exec'd attached to three pipes. The callout information will
45 be piped to it on it's stdin and the intended payload data will be retrieved
46 from its stdout. Anything sent to stderr will be posted in syslog. If the
47 program exits 0, then /sbin/request-key will attempt to instantiate the key
48 with the data read from stdout. If it fails in any other way, then request-key
49 will attempt to execute the appropriate 'negate' operation command.
51 The program arguments can be substituted with various macros. Only complete
52 argument substitution is supported - macro substitutions can't be embedded. All
53 macros begin with a percent character '%'. An argument beginning with two
54 percent characters will have one of them discarded.
56 The following macros are supported:
67 %c Callout information
73 %T Requestor's thread keyring
75 %P Requestor's process keyring
77 %S Requestor's session keyring
80 There's another macro substitution too that permits the interpolation of the
84 %{<type>:<description>}
87 This performs a lookup for a key of the given type and description on the
88 requestor's keyrings, and if found, substitutes the contents for the macro. If
89 not found an error will be logged and the key under construction will be
93 A basic file will be installed in the /etc. This will contain two debugging
94 lines that can be used to test the installation:
97 create user debug:* negate /bin/keyctl negate %k 30 %S
99 create user debug:loop:* * |/bin/cat
101 create user debug:* * /usr/share/keyutils/request-key-debug.sh %k %d %c %S
103 negate * * * /bin/keyctl negate %k 30 %S
106 This is set up so that something like:
109 keyctl request2 user debug:xxxx negate
112 will create a negative user-defined key, something like:
115 keyctl request2 user debug:yyyy spoon
118 will create an instantiated user-defined key with "Debug spoon" as the payload,
122 keyctl request2 user debug:loop:zzzz abcdefghijkl
125 will create an instantiated user-defined key with the callout information as
129 /etc/request-key.conf
132 \fBkeyctl\fR(1), \fBrequest-key.conf\fR(5)