$OpenBSD: patch-doc_sample_config,v 1.23 2020/10/04 14:36:12 bket Exp $

no seccomp, gssapi

Index: doc/sample.config
--- doc/sample.config.orig
+++ doc/sample.config
@@ -35,15 +35,6 @@
 # Acct-Interim-Interval, and Session-Timeout values.
 #
 # See doc/README-radius.md for the supported radius configuration atributes.
-#
-# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
-#  The gssapi option allows one to use authentication methods supported by GSSAPI,
-# such as Kerberos tickets with ocserv. It should be best used as an alternative
-# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
-# tickets and without tickets to login. The default value for require-local-user-map
-# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented
-# to have been issued within the provided number of seconds. That option is used to
-# restrict logins even if the KDC provides long time TGT tickets.
 
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
@@ -58,8 +49,6 @@ auth = "plain[passwd=./sample.passwd]"
 # When multiple options are present, they are OR composed (any of them
 # succeeding allows login).
 #enable-auth = "certificate"
-#enable-auth = "gssapi"
-#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
 
 # Accounting methods available:
 # radius: can be combined with any authentication method, it provides
@@ -110,8 +99,8 @@ udp-port = 443
 # The user the worker processes will be run as. This should be a dedicated
 # unprivileged user (e.g., 'ocserv') and no other services should run as this
 # user.
-run-as-user = nobody
-run-as-group = daemon
+run-as-user = _ocserv
+run-as-group = _ocserv
 
 # socket file used for IPC with occtl. You only need to set that,
 # if you use more than a single servers.
@@ -120,7 +109,7 @@ run-as-group = daemon
 # socket file used for server IPC (worker-main), will be appended with .PID
 # It must be accessible within the chroot environment (if any), so it is best
 # specified relatively to the chroot directory.
-socket-file = /var/run/ocserv-socket
+socket-file = ${LOCALSTATEDIR}/run/ocserv-socket
 
 # The default server directory. Does not require any devices present.
 #chroot-dir = /var/lib/ocserv
@@ -180,16 +169,6 @@ ca-cert = ../tests/certs/ca.pem
 ### failures during the reloading time.
 
 
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
-# system calls allowed to a worker process, in order to reduce damage from a
-# bug in the worker process. It is available on Linux systems at a performance cost.
-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
-# Note however, that process isolation is restricted to the specific libc versions
-# the isolation was tested at. If you get random failures on worker processes, try
-# disabling that option and report the failures you, along with system and debugging
-# information at: https://gitlab.com/ocserv/ocserv/issues
-isolate-workers = true
-
 # A banner to be displayed on clients after connection
 #banner = "Welcome"
 
@@ -350,9 +329,8 @@ min-reauth-time = 300
 # Banning clients in ocserv works with a point system. IP addresses
 # that get a score over that configured number are banned for
 # min-reauth-time seconds. By default a wrong password attempt is 10 points,
-# a KKDCP POST is 1 point, and a connection is 1 point. Note that
-# due to difference processes being involved the count of points
-# will not be real-time precise.
+# and a connection is 1 point. Note that due to different processes
+# being involved the count of points will not be real-time precise.
 #
 # Score banning cannot be reliably used when receiving proxied connections
 # locally from an HTTP server (i.e., when listen-clear-file is used).
@@ -366,7 +344,6 @@ ban-reset-time = 1200
 # In case you'd like to change the default points.
 #ban-points-wrong-password = 10
 #ban-points-connection = 1
-#ban-points-kkdcp = 1
 
 # Cookie timeout (in seconds)
 # Once a client is authenticated he's provided a cookie with
@@ -441,7 +418,7 @@ rekey-method = ssl
 use-occtl = true
 
 # PID file. It can be overridden in the command line.
-pid-file = /var/run/ocserv.pid
+pid-file = ${LOCALSTATEDIR}/run/ocserv.pid
 
 # Set the protocol-defined priority (SO_PRIORITY) for packets to
 # be sent. That is a number from 0 to 6 with 0 being the lowest
@@ -558,6 +535,11 @@ no-route = 192.168.5.0/255.255.255.0
 # any other routes. In case of defaultroute, the no-routes are restricted.
 # All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw
 # --removeall. This option can be set globally or in the per-user configuration.
+#
+# OpenBSD package notes:
+# to use this with PF, you will need to supply your own ocserv-fw script,
+# probably the best approach would be to add via a table or an anchor.
+#
 #restrict-user-to-routes = true
 
 # This option implies restrict-user-to-routes set to true. If set, the
@@ -630,23 +612,6 @@ no-route = 192.168.5.0/255.255.255.0
 # and '%{G}', if present will be replaced by the username and group name.
 #proxy-url = http://example.com/
 #proxy-url = http://example.com/%{U}/
-
-# This option allows you to specify a URL location where a client can
-# post using MS-KKDCP, and the message will be forwarded to the provided
-# KDC server. That is a translation URL between HTTP and Kerberos.
-# In MIT kerberos you'll need to add in realms:
-#   EXAMPLE.COM = {
-#     kdc = https://ocserv.example.com/KdcProxy
-#     http_anchors = FILE:/etc/ocserv-ca.pem
-#   }
-# In some distributions the krb5-k5tls plugin of kinit is required.
-#
-# The following option is available in ocserv, when compiled with GSSAPI support. 
-
-#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
-#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
-#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88"
-#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88"
 
 # Client profile xml. This can be used to advertise alternative servers
 # to the client. A minimal file can be:
