FreeBSD 8.0 Kerberos Login New Behaviour (.k5login)

[John Marshall]

Having just spent ages trying to discover why I couldn't log in to one
of my recently-upgraded FreeBSD 8.0-RC1 servers...

Kerberos login processing has changed!

I had a .k5login file on the server with a single entry:
 john/admin at MY.REALM

On FreeBSD 7.2 that meant that I could log in as john on that server
with either my john@ (default principal/account mapping) or my
john/admin@ (by virtue of .k5login) principal.

On FreeBSD 8.0 that means that ONLY john/admin@ can login to that
account.  The fact that a .k5login file is present restricts access to
principals listed in that file.

Anyone like to guess where the .k5login man page is?
Try krb5_kuserok(3).

   FreeBSD 7.2 Kerberos Login
   --------------------------
     First krb5_kuserok check if there is a local account name
     username. If there isn't, krb5_kuserok returns FALSE.

     Then krb5_kuserok checks if principal is the same as user at realm
     in any of the default realms. If that is the case, krb5_kuserok
     returns TRUE.

     After that it reads the file .k5login (if it exists) in the users
     home directory and checks if principal is in the file.  If it
     does exists, TRUE is returned.  If neither of the above turns out
     to be true, is returned.

  FreeBSD 8.0 Kerberos Login
  --------------------------
     The user may have a ~/.k5login file listing principals that are
     allowed to login as that user. If that file does not exist, all
     principals with a first component identical to the username, and
     a realm considered local, are allowed access.

     Note that if the file exists, no implicit access rights are given
     to user@<localrealm>.

-- 
John Marshall
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20091002/43d69808/attachment.pgp