| blob | 0407c9c51b018ebfd0b573a2390a2d0e2bb59af1 |
1 # Example PWMD configuration file. Edit and save to ~/.pwmd/config or
2 # specify with the -f command line option. See the pwmd(1) manual page or the
3 # pwmd.info documentation for complete details of the options.
4 #
5 # The global section is for non-file related settings and defaults for data
6 # files without a file section of their own.
7 [global]
9 # Location of the pinentry binary.
10 #pinentry_path=/usr/bin/pinentry
12 # The number of seconds to wait for a pinentry before giving up.
13 #pinentry_timeout=30
15 # Location of the listening socket.
16 #socket_path=~/.pwmd/socket
18 # Socket permissions. This will override any umask setting.
19 #socket_perms=0600
21 # Usernames or groups obtained via SO_PEERCRED which are allowed to
22 # connect to the socket. Groups should be prefixed with a '@'. When not
23 # specified only the invoking user is allowed. You can also specify an SHA256
24 # TLS fingerprint by prefixing it with a '#'.
25 #allowed = username,another_user,@group,!not_this_user,#TLS-FINGERPRINT
27 # Same syntax as the 'allowed' parameter with one entry per line.
28 #allowed_file=~/path/to/file
30 # Username to use as the default in an element ACL. The default is the
31 # user that starts pwmd.
32 #invoking_user=nobody,@group,!notme,#TLSFINGERPRINT
34 # Same syntax as the 'invoking_user' parameter with one entry per line.
35 #invoking_file=~/path/to/file
37 # When false, disable keeping backups for data files.
38 #backup=true
40 # Log file location.
41 #log_path=~/.pwmd/log
43 # Set to true to enable logging to log_path.
44 #enable_logging=false
46 # Disable to close the logging file descriptor (log_path) after writing each
47 # line.
48 #log_keepopen=true
50 # Set to true to enable logging to syslog.
51 #syslog=false
53 # The logging level: 0=connections and errors, 1=client commands.
54 #log_level=0
56 # Enable gpg-agent support.
57 #use_agent=false
59 # The location of the gpg-agent socket.
60 #gpg_agent_socket=~/.gnupg/S.gpg-agent
62 # Kill the smartcard daemon after each OPEN or SAVE.
63 #kill_scd=false
65 # Require the passphrase needed for a data file before each SAVE.
66 #require_save_key=true
68 # Set to false to call mlockall(2) after a client connects. Uses more memory
69 # but is also more secure. Most will probably find it overkill since the
70 # contents of all memory is cleared before being freed.
71 #disable_mlockall=true
73 # Disable the XPATH, LIST and DUMP commands. When "true" and a client sends
74 # these commands the error GPG_ERR_NOT_IMPLEMENTED will be returned.
75 #disable_list_and_dump=false
77 # When sending data to the client an XFER status message will be sent after
78 # N bytes. N is rounded to ASSUAN_LINELENGTH (1002) bytes.
79 #xfer_progress=8196
81 # A comma separated list of filenames to add to the file cache upon startup.
82 # You will be prompted for the passphrasefor each file if required. The files
83 # are looked for in ~/.pwmd/data. This also affects rcfile reloading via
84 # SIGHUP.
85 #cache_push=somefile,anotherfile
87 # The number of seconds to keep a file in the cache. If -1, the file will be
88 # kept forever. If 0 then every OPEN will require a passphrase.
89 #cache_timeout=600
91 # The maximum recursion depth when resolving elements that contain a "target"
92 # attribute. When this value is exceeded an error will be returned.
93 #recursion_depth=100
95 # The priority or nice value of the server process. The default is inherited
96 # from the parent process.
97 #priority=10
99 # The cipher to use for newly created files.
100 #cipher=aes256
102 # The number of cipher encryption iterations of the data. This differs from
103 # the s2k_count option (see below) that determines the hash iterations of the
104 # passphrase.
105 #cipher_iterations=0
107 # Send a status message to the client after this many encryption/decryption
108 # iterations.
109 #cipher_progress=2000
111 # The default key parameters to use when generating a new keypair
112 # (RSA 2048 bit).
113 #keyparam=(genkey (rsa (nbits 4:2048)))
115 # The number of passphrase hashing iterations for new files and when changing
116 # the passphrase of a secret key. The default is the calibrated value of the
117 # machine, or 0.
118 #s2k_count=0
120 # In tenths of a second, the amount of time to wait for a file lock before
121 # returning an error to the client.
122 #lock_timeout=50
124 # Whether to enable TCP/TLS server support. If enabled, both TCP and the local
125 # unix domain socket will listen for connections.
126 #enable_tcp=false
128 # If TCP is enabled, the port to listen on.
129 #tcp_port=6466
131 # The network interface to listen on.
132 #tcp_interface=eth1
134 # The number of seconds to wait for a network read and write to complete
135 # for TLS connections.
136 #tls_timeout=300
138 # Require the client to provide the key to open a file even if the file is
139 # cached.
140 #tcp_require_key=false
142 # The time in tenths of a second to wait for a new TCP connection. Setting to
143 # 0 will disable waiting.
144 #tcp_wait=3
146 # Accept TCP connections from the specified protocol. One of: ipv4, ipv6 or
147 # any. The default is "any".
148 #tcp_bind=any
150 # The GnuTLS cipher suite and protocol to use.
151 #tls_cipher_suite=SECURE256
153 # TLS key exchange security level: low, medium or high.
154 #tls_dh_level=medium
156 # The interval in seconds to send the KEEPALIVE status message when
157 # not in a command.
158 #keepalive_interval=60
160 # Send client state information to all connected clients. 0=disable, 1=all,
161 # 2=invoking user clients only.
162 #send_state=2
164 # END GLOBAL SETTINGS
166 # File specific settings are allowed by placing the filename in braces. Each
167 # file can have it's own configuration settings from those listed below.
168 #[somefile]
169 #allowed=@group,!not_this_user,!#DENIEDFINGERPRINT
170 #cache_timeout=300
171 #passphrase=password
172 #passphrase_file=/path/to/file.key
173 #backup=true
174 #xfer_progress=1024
175 #recursion_depth=200