Provided by: munge_0.5.10-1_amd64 bug

NAME

       munged - MUNGE daemon

SYNOPSIS

       munged [OPTION]...

DESCRIPTION

       The  munged  daemon  is  responsible  for authenticating local MUNGE clients and servicing
       their credential encode & decode requests.  All munged daemons  within  a  security  realm
       share a secret key.  This key is used to protect the contents of a credential.

       When a credential is created, munged embeds metadata within it including the effective UID
       and GID of the requesting client (as determined  by  munged)  and  the  current  time  (as
       determined  by  the  local  clock).   It  then  compresses  the  data,  computes a message
       authentication code, encrypts the data, and base64-encodes the result before returning the
       credential to the client.

       When  a  credential  is  validated, munged first checks the message authentication code to
       ensure the credential has not been subsequently altered.  Next,  it  checks  the  embedded
       UID/GID  restrictions  to determine whether the requesting client is allowed to decode it.
       Then, it checks the embedded encode time against the  current  time;  if  this  difference
       exceeds the embedded time-to-live, the credential has expired.  Finally, it checks whether
       this credential has been previously decoded on this host; if so, the credential  has  been
       replayed.   If  all  checks  pass, the credential metadata and payload are returned to the
       client.

OPTIONS

       -h, --help
              Display a summary of the command-line options.

       -L, --license
              Display license information.

       -V, --version
              Display version information.

       -f, --force
              Force the daemon to run if  at  all  possible.   This  overrides  warnings  for  an
              existing  local  domain  socket,  a  lack  of  entropy  for  the PRNG, and insecure
              file/directory permissions.

       -F, --foreground
              Run the daemon in the foreground.

       -S, --socket path
              Specify the local domain socket for communicating with clients.

       --auth-server-dir directory
              Specify an alternate directory in which the daemon will create  the  pipe  used  to
              authenticate  clients.   The  recommended  permissions for this directory are 0711.
              This option is only valid on platforms where client authentication is performed via
              a file-descriptor passing mechanism.

       --auth-client-dir directory
              Specify  an  alternate  directory  in  which  clients  will create the file used to
              authenticate themselves to  the  daemon.   The  recommended  permissions  for  this
              directory  are  1733.   This  option  is  only  valid  on  platforms  where  client
              authentication is performed via a file-descriptor passing mechanism.

       --group-check-mtime boolean
              Specify whether the modification  time  of  /etc/group  should  be  checked  before
              updating  the  supplementary  group membership mapping.  If this value is non-zero,
              the check will be enabled and the mapping will not be updated unless the  file  has
              been modified since the last update.

       --group-update-time integer
              Specify the number of seconds between updates to the supplementary group membership
              mapping; this mapping is used when restricting credentials by GID.  A  value  of  0
              causes  it  to  be  computed  initially  but  never  updated (unless triggered by a
              SIGHUP).  A value of -1 causes it to be disabled.

       --key-file file
              Specify an alternate secret key file.

       --num-threads integer
              Specify the number of threads to spawn for processing credential requests.

SIGNALS

       SIGHUP Immediately update the supplementary group membership mapping  instead  of  waiting
              for the next scheduled update; this mapping is used when restricting credentials by
              GID.

       SIGTERM
              Terminate the daemon.

NOTES

       All clocks within a security realm must be kept in sync within the credential time-to-live
       setting.

       While munged prevents a given credential from being decoded on a particular host more than
       once, nothing prevents a credential from  being  decoded  on  multiple  hosts  within  the
       security realm before it expires.

AUTHOR

       Chris Dunlap <cdunlap@llnl.gov>

COPYRIGHT

       Copyright (C) 2007-2011 Lawrence Livermore National Security, LLC.
       Copyright (C) 2002-2007 The Regents of the University of California.

       MUNGE  is  free  software: you can redistribute it and/or modify it under the terms of the
       GNU General Public License as published by the Free Software Foundation, either version  3
       of the License, or (at your option) any later version.

       Additionally  for  the  MUNGE library (libmunge), you can redistribute it and/or modify it
       under the terms of the GNU Lesser General Public License as published by the Free Software
       Foundation, either version 3 of the License, or (at your option) any later version.

SEE ALSO

       munge(1), remunge(1), unmunge(1), munge(3), munge_ctx(3), munge_enum(3), munge(7).

       http://munge.googlecode.com/