FreeBSD 8.0 Kerberos Login New Behaviour (.k5login)
John Marshall
john.marshall at riverwillow.com.au
Fri Oct 2 05:31:42 UTC 2009
Having just spent ages trying to discover why I couldn't log in to one
of my recently-upgraded FreeBSD 8.0-RC1 servers...
Kerberos login processing has changed!
I had a .k5login file on the server with a single entry:
john/admin at MY.REALM
On FreeBSD 7.2 that meant that I could log in as john on that server
with either my john@ (default principal/account mapping) or my
john/admin@ (by virtue of .k5login) principal.
On FreeBSD 8.0 that means that ONLY john/admin@ can login to that
account. The fact that a .k5login file is present restricts access to
principals listed in that file.
Anyone like to guess where the .k5login man page is?
Try krb5_kuserok(3).
FreeBSD 7.2 Kerberos Login
--------------------------
First krb5_kuserok check if there is a local account name
username. If there isn't, krb5_kuserok returns FALSE.
Then krb5_kuserok checks if principal is the same as user at realm
in any of the default realms. If that is the case, krb5_kuserok
returns TRUE.
After that it reads the file .k5login (if it exists) in the users
home directory and checks if principal is in the file. If it
does exists, TRUE is returned. If neither of the above turns out
to be true, is returned.
FreeBSD 8.0 Kerberos Login
--------------------------
The user may have a ~/.k5login file listing principals that are
allowed to login as that user. If that file does not exist, all
principals with a first component identical to the username, and
a realm considered local, are allowed access.
Note that if the file exists, no implicit access rights are given
to user@<localrealm>.
--
John Marshall
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20091002/43d69808/attachment.pgp
More information about the freebsd-stable
mailing list