Provided by: gensio-bin_2.3.5-1build2_amd64 
NAME
gtlsshd - Server for shell over TLS
SYNOPSIS
gtlsshd [options]
DESCRIPTION
The gtlsshd program receives connections from gtlssh, authenticates the connections, and
connects them to a shell or a program as requested.
gtlsshd will listen on both SCTP and TCP sockets unless told otherwise.
gtlsshd uses openssl public key certificate authentication both directions. When
something connections, it uses standard SSL handling to validate itself to the user with
the given key and certificate files.
On SSL does its job, it then runs an authentication protocol for the user on top of the
SSL connection. The user sends the username, and gtlsshd will use the
$HOME/.gtlssh/allowed_certs directory to authenticate a certificate the user presents. If
the user doesn't have a certificate that matches the presented certificate, gtlsshd will
attempt a normal password login if that is enabled.
TWO-FACTOR AUTHENTICATION
gtlsshd supports two-factor authentication in a number of ways. The certauth gensio
supports sending a second authentication token, gtlsshd will pick that up and use it if
PAM asks for it. If it's not there but PAM asks for it, it will interactively prompt the
user for the token unless --nointeractive is specified.
This requires, of course, proper PAM setup. It also direclty supports second
authentication tokens with certificates. You can specify a different PAM authentication
script for logins done with certificates using --pam-cert-auth to allow a second factor to
be added for just certificate authentications.
You can request that the other end prompt for a second-factor authentication token and
send it along with the password by adding the --do-2fa option. This will cause the other
end to always ask for a second factor.
OPTIONS
-p|--port port
Use the given port instead of the default port.
-h|--keyfile file
Use the given file for the key instead of the default. Defaults to
/etc/gtlssh/gtlsshd.key.
-c|--certfile file
Set the certificate to use. Defaults to /etc/gtlssh/gtlsshd.crt.
--permit-root
Allow root logins. Otherwise root or uid=0 is denied.
--allow-password
Allow password logins. By default only certificate-based logins are allowed.
Passwords are much less secure than certificate logins, so their use is
discouraged.
--do-2fa
Enable 2-factor authentication. This means that 2-factor authentication is enabled
in PAM for gtlssh. This will cause the client end to request 2-factor data and
transmit it over along with the password. During authentication, it is expected
that PAM will request two authentication tokens and the first will be the password
(if certificate failed). Note that this is not required to do 2-factor auth, but
is useful to allow gtlssh to read the 2-factor data and transfer it as part of the
login data.
--pam-cert-auth <name>
If the connection is authorized with a certificate, still do a PAM authentication,
but use the given name as the program name for PAM to use to find the rules. This
will allow 2-factor auth to be done on a certificate login, as the given set of
rules can be written to only do the second factor authentication part.
--oneshot
Do not fork the program at the beginning or when a connection is received. This
allows easier debugging of the program.
--nodaemon
Do not daemonize (double fork) the program.
--nointeractive
Disable interactive logins. All authentication information must be passed in via
the protocol.
--nosctp
Disable SCTP support.
--notcp
Disable TCP support
--other_acc <accepter>
Enable the given accepter to receive connections for gtlsshd. This does not
disable TCP or SCTP.
-P|--pidfile file
Create a standard pidfile using the given filename.
-4 Do IPv4 only.
-6 Do IPv6 only. -d|--debug Generate debugging output. Specifying more than once
increases the output. This also causes syslog output to go to standard error.
-h|--help
Help output
SEE ALSO
gensio(5), gtlssh(1), gtlssh-keygen(1)
KNOWN PROBLEMS
None.
AUTHOR
Corey Minyard <minyard@acm.org>