diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2017-07-07 17:03:42 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2017-07-07 17:03:42 +0000 |
| commit | 33a9b234e7087f573ef08cd7318c6497ba08b439 (patch) | |
| tree | d0ea40ad3bf5463a3c55795977c71bcb7d781b4b /doc/html/_sources/user/user_config/k5login.txt | |
Notes
Diffstat (limited to 'doc/html/_sources/user/user_config/k5login.txt')
| -rw-r--r-- | doc/html/_sources/user/user_config/k5login.txt | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/doc/html/_sources/user/user_config/k5login.txt b/doc/html/_sources/user/user_config/k5login.txt new file mode 100644 index 000000000000..8a9753da336e --- /dev/null +++ b/doc/html/_sources/user/user_config/k5login.txt @@ -0,0 +1,54 @@ +.. _.k5login(5): + +.k5login +======== + +DESCRIPTION +----------- + +The .k5login file, which resides in a user's home directory, contains +a list of the Kerberos principals. Anyone with valid tickets for a +principal in the file is allowed host access with the UID of the user +in whose home directory the file resides. One common use is to place +a .k5login file in root's home directory, thereby granting system +administrators remote root access to the host via Kerberos. + + +EXAMPLES +-------- + +Suppose the user ``alice`` had a .k5login file in her home directory +containing just the following line:: + + bob@FOOBAR.ORG + +This would allow ``bob`` to use Kerberos network applications, such as +ssh(1), to access ``alice``'s account, using ``bob``'s Kerberos +tickets. In a default configuration (with **k5login_authoritative** set +to true in :ref:`krb5.conf(5)`), this .k5login file would not let +``alice`` use those network applications to access her account, since +she is not listed! With no .k5login file, or with **k5login_authoritative** +set to false, a default rule would permit the principal ``alice`` in the +machine's default realm to access the ``alice`` account. + +Let us further suppose that ``alice`` is a system administrator. +Alice and the other system administrators would have their principals +in root's .k5login file on each host:: + + alice@BLEEP.COM + + joeadmin/root@BLEEP.COM + +This would allow either system administrator to log in to these hosts +using their Kerberos tickets instead of having to type the root +password. Note that because ``bob`` retains the Kerberos tickets for +his own principal, ``bob@FOOBAR.ORG``, he would not have any of the +privileges that require ``alice``'s tickets, such as root access to +any of the site's hosts, or the ability to change ``alice``'s +password. + + +SEE ALSO +-------- + +kerberos(1) |