###  $Id: sfsauthd_config.in,v 1.8 2002/12/10 19:57:46 kaminsky Exp $
###
###  Specify a file containing the authserver's host key.  Generate such
###  a key using the "sfskey gen" command as with sfsrwsd.  If unspecified,
###  defaults as shown.  This file MUST exist.
#Keyfile sfs_host_key

###
###     Userfile [-update] [-passwd] [-admin] [-pub=<pubfile>] \
###              [-prefix=<prefix>] [-uid | -uidmap=<min>-<max>+<offset>] \
###              [-gid | -gidmap=<min>-<max>+<offset>] <userfilename>
###
### Specify files containing public keys
###
###    -update  Databases are read-only by default; allow updates.
###    -passwd  Allow users to (re)register using their UNIX passwords
###     -admin  Allow admin modification to the database
###       -pub  Store public keys in world-readable file
###    -prefix  Prepend a prefix to all keynames (for logging)
###       -uid  Map all users in database to given UID
###    -uidmap  Map UIDs in the range [<min>,<max>] to <offset>
###       -gid  Map all groups in database to given GID
###    -gidmap  Map GIDs in the range [<min>,<max>] to <offset>
###    -create  Create sfs_users if no such file exists
###
Userfile -update -passwd -create -pub=sfs_users.pub sfs_users

###  Specify a file containing a list of users that are to be explicitly
###  denied the ability to register and update keys on the authserver.
###  If unspecified, defaults as shown.  If the default file does not
###  exist, we assume an empty list.
#denyfile sfs_deny

###  Specify a file containing the SRP parameters that this authserver
###  will hand to remote clients that request them.  Generate such a 
###  file using the "sfskey gensrp" command.  If unspecified, defaults
###  as shown.  If the default file does not exist, serving pre-generated
###  SRP parameters is disabled.
#srpfile sfs_srp_parms

###  Define the realm to which this authserver will belong.  
###  Authentication information (including SRP) can be shared amongst
###  authservers that are in the same realm.  Thus, a user that wants
###  to authenticate to a realm, can contact any authserver in that realm.
###
###  If the realm directive does NOT appear in this file, the authserver
###  will not join any realm.  This behavior is the default.
###  To specify a realm for the authserver, uncomment the following line.
###
###  NOTE: Changing an authserver's realm after users have already 
###  registered using SRP requires all users to run "sfskey update."  The
###  realm is bound into the stored SRP information.  See the SFS 
###  documentation for more details.
#realm fs.net

###  Specify a file to log server signature endorsements. This file will
###  provide users with audit information if the client half of their private
###  Schnorr key is compromised.
LogFile /var/log/sfs_sign_log

###  Specify a certification path to return to the client during an 
###  "sfskey login"; this list of directories will become the arguments
###  to a dirsearch certprog.  That is, for a certpath <dir1> <dir2>
###  the client will add a certprog "dirsearch <dir1> <dir2>" to the
###  user's agent.  The certification path will be tagged with a prefix
###  equal to the authserver's realm (see above).
###
###  NOTE: The certpath directive only makes sense if the authserver is
###  part of a realm.  The certpath will be ignored if the realm directive
###  isn't specified.
###
###  There are three ways to specify a certpath directory:
###
###    certpath //dir1 /dir2 @sfs.host.domain,HOSTID/dir2
###
###  which can also be written
###
###    certpath //dir1
###    certpath /dir2
###    certpath @sfs.host.domain,HOSTID/dir2
###
###  A directory starting with two slashes ("//") is considered relative
###  to the client machine's root ("/").  A directory starting with one
###  slash ("/") is relative to the authserver's self-certifying pathname
###  (the authserver performs the substitution before it sends the dir).
###  The third form is a fully specified directory on SFS.
###
###  The default certpath is empty.
#certpath /server
