|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
Packit |
fd8b60 |
<head>
|
|
Packit |
fd8b60 |
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
Packit |
fd8b60 |
<title>ksu — MIT Kerberos Documentation</title>
|
|
Packit |
fd8b60 |
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
|
|
Packit |
fd8b60 |
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
|
|
Packit |
fd8b60 |
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
|
|
Packit |
fd8b60 |
<script type="text/javascript">
|
|
Packit |
fd8b60 |
var DOCUMENTATION_OPTIONS = {
|
|
Packit |
fd8b60 |
URL_ROOT: '../../',
|
|
Packit |
fd8b60 |
VERSION: '1.18.2',
|
|
Packit |
fd8b60 |
COLLAPSE_INDEX: false,
|
|
Packit |
fd8b60 |
FILE_SUFFIX: '.html',
|
|
Packit |
fd8b60 |
HAS_SOURCE: true,
|
|
Packit |
fd8b60 |
SOURCELINK_SUFFIX: '.txt'
|
|
Packit |
fd8b60 |
};
|
|
Packit |
fd8b60 |
</script>
|
|
Packit |
fd8b60 |
<script type="text/javascript" src="../../_static/jquery.js"></script>
|
|
Packit |
fd8b60 |
<script type="text/javascript" src="../../_static/underscore.js"></script>
|
|
Packit |
fd8b60 |
<script type="text/javascript" src="../../_static/doctools.js"></script>
|
|
Packit |
fd8b60 |
<link rel="author" title="About these documents" href="../../about.html" />
|
|
Packit |
fd8b60 |
<link rel="index" title="Index" href="../../genindex.html" />
|
|
Packit |
fd8b60 |
<link rel="search" title="Search" href="../../search.html" />
|
|
Packit |
fd8b60 |
<link rel="copyright" title="Copyright" href="../../copyright.html" />
|
|
Packit |
fd8b60 |
<link rel="next" title="kswitch" href="kswitch.html" />
|
|
Packit |
fd8b60 |
<link rel="prev" title="krb5-config" href="krb5-config.html" />
|
|
Packit |
fd8b60 |
</head>
|
|
Packit |
fd8b60 |
<body>
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
accesskey="C">Contents |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
accesskey="P">previous |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
accesskey="N">next |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
accesskey="I">index |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
accesskey="S">Search |
|
|
Packit |
fd8b60 |
feedback
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
ksu¶
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
SYNOPSIS¶
|
|
Packit |
fd8b60 |
ksu
|
|
Packit |
fd8b60 |
[ target_user ]
|
|
Packit |
fd8b60 |
[ -n target_principal_name ]
|
|
Packit |
fd8b60 |
[ -c source_cache_name ]
|
|
Packit |
fd8b60 |
[ -k ]
|
|
Packit |
fd8b60 |
[ -r time ]
|
|
Packit |
fd8b60 |
[ -p | -P]
|
|
Packit |
fd8b60 |
[ -f | -F]
|
|
Packit |
fd8b60 |
[ -l lifetime ]
|
|
Packit |
fd8b60 |
[ -z | Z ]
|
|
Packit |
fd8b60 |
[ -q ]
|
|
Packit |
fd8b60 |
[ -e command [ args … ] ] [ -a [ args … ] ]
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
REQUIREMENTS¶
|
|
Packit |
fd8b60 |
Must have Kerberos version 5 installed to compile ksu. Must have a
|
|
Packit |
fd8b60 |
Kerberos version 5 server running to use ksu.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
DESCRIPTION¶
|
|
Packit |
fd8b60 |
ksu is a Kerberized version of the su program that has two missions:
|
|
Packit |
fd8b60 |
one is to securely change the real and effective user ID to that of
|
|
Packit |
fd8b60 |
the target user, and the other is to create a new security context.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Note
|
|
Packit |
fd8b60 |
For the sake of clarity, all references to and attributes of
|
|
Packit |
fd8b60 |
the user invoking the program will start with “source”
|
|
Packit |
fd8b60 |
(e.g., “source user”, “source cache”, etc.).
|
|
Packit |
fd8b60 |
Likewise, all references to and attributes of the target
|
|
Packit |
fd8b60 |
account will start with “target”.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
AUTHENTICATION¶
|
|
Packit |
fd8b60 |
To fulfill the first mission, ksu operates in two phases:
|
|
Packit |
fd8b60 |
authentication and authorization. Resolving the target principal name
|
|
Packit |
fd8b60 |
is the first step in authentication. The user can either specify his
|
|
Packit |
fd8b60 |
principal name with the -n option (e.g., -n jqpublic@USC.EDU)
|
|
Packit |
fd8b60 |
or a default principal name will be assigned using a heuristic
|
|
Packit |
fd8b60 |
described in the OPTIONS section (see -n option). The target user
|
|
Packit |
fd8b60 |
name must be the first argument to ksu; if not specified root is the
|
|
Packit |
fd8b60 |
default. If . is specified then the target user will be the
|
|
Packit |
fd8b60 |
source user (e.g., ksu .). If the source user is root or the
|
|
Packit |
fd8b60 |
target user is the source user, no authentication or authorization
|
|
Packit |
fd8b60 |
takes place. Otherwise, ksu looks for an appropriate Kerberos ticket
|
|
Packit |
fd8b60 |
in the source cache.
|
|
Packit |
fd8b60 |
The ticket can either be for the end-server or a ticket granting
|
|
Packit |
fd8b60 |
ticket (TGT) for the target principal’s realm. If the ticket for the
|
|
Packit |
fd8b60 |
end-server is already in the cache, it’s decrypted and verified. If
|
|
Packit |
fd8b60 |
it’s not in the cache but the TGT is, the TGT is used to obtain the
|
|
Packit |
fd8b60 |
ticket for the end-server. The end-server ticket is then verified.
|
|
Packit |
fd8b60 |
If neither ticket is in the cache, but ksu is compiled with the
|
|
Packit |
fd8b60 |
GET_TGT_VIA_PASSWD define, the user will be prompted for a
|
|
Packit |
fd8b60 |
Kerberos password which will then be used to get a TGT. If the user
|
|
Packit |
fd8b60 |
is logged in remotely and does not have a secure channel, the password
|
|
Packit |
fd8b60 |
may be exposed. If neither ticket is in the cache and
|
|
Packit |
fd8b60 |
GET_TGT_VIA_PASSWD is not defined, authentication fails.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
AUTHORIZATION¶
|
|
Packit |
fd8b60 |
This section describes authorization of the source user when ksu is
|
|
Packit |
fd8b60 |
invoked without the -e option. For a description of the -e
|
|
Packit |
fd8b60 |
option, see the OPTIONS section.
|
|
Packit |
fd8b60 |
Upon successful authentication, ksu checks whether the target
|
|
Packit |
fd8b60 |
principal is authorized to access the target account. In the target
|
|
Packit |
fd8b60 |
user’s home directory, ksu attempts to access two authorization files:
|
|
Packit |
fd8b60 |
.k5login and .k5users. In the .k5login file each line
|
|
Packit |
fd8b60 |
contains the name of a principal that is authorized to access the
|
|
Packit |
fd8b60 |
account.
|
|
Packit |
fd8b60 |
For example:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
jqpublic/secure@USC.EDU
|
|
Packit |
fd8b60 |
jqpublic/admin@USC.EDU
|