.\" Man page generated from reStructuredText.
.
.TH "K5LOGIN" "5" " " "1.18.2" "MIT Kerberos"
.SH NAME
k5login \- Kerberos V5 acl file for host access
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH DESCRIPTION
.sp
The .k5login file, which resides in a user\(aqs home directory, contains
a list of the Kerberos principals. Anyone with valid tickets for a
principal in the file is allowed host access with the UID of the user
in whose home directory the file resides. One common use is to place
a .k5login file in root\(aqs home directory, thereby granting system
administrators remote root access to the host via Kerberos.
.SH EXAMPLES
.sp
Suppose the user \fBalice\fP had a .k5login file in her home directory
containing just the following line:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
bob@FOOBAR.ORG
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
This would allow \fBbob\fP to use Kerberos network applications, such as
ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos
tickets. In a default configuration (with \fBk5login_authoritative\fP set
to true in krb5.conf(5)), this .k5login file would not let
\fBalice\fP use those network applications to access her account, since
she is not listed! With no .k5login file, or with \fBk5login_authoritative\fP
set to false, a default rule would permit the principal \fBalice\fP in the
machine\(aqs default realm to access the \fBalice\fP account.
.sp
Let us further suppose that \fBalice\fP is a system administrator.
Alice and the other system administrators would have their principals
in root\(aqs .k5login file on each host:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
alice@BLEEP.COM

joeadmin/root@BLEEP.COM
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
This would allow either system administrator to log in to these hosts
using their Kerberos tickets instead of having to type the root
password. Note that because \fBbob\fP retains the Kerberos tickets for
his own principal, \fBbob@FOOBAR.ORG\fP, he would not have any of the
privileges that require \fBalice\fP\(aqs tickets, such as root access to
any of the site\(aqs hosts, or the ability to change \fBalice\fP\(aqs
password.
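.sp
The access rules walked through above can be modelled as a small Python decision function, including a check for the case where a .k5login file locks the account owner out. This is an added example, not code from MIT Kerberos: the function names, the exact string comparison of principal names, the whitespace handling, and BLEEP.COM as the host default realm are assumptions, and the sample file contents are constructed from the examples above.
.sp
.nf
.ft C
```python
"""Simplified model of the .k5login access decision (added example)."""
from typing import List, Optional


def parse_k5login(text: str) -> List[str]:
    """Return the principals listed in a .k5login file, one per line."""
    # Assumption: surrounding whitespace and blank lines are ignored.
    return [line.strip() for line in text.splitlines() if line.strip()]


def access_allowed(principal: str, account: str, k5login_text: Optional[str],
                   default_realm: str, authoritative: bool = True) -> bool:
    """Decide whether a Kerberos principal may access a local account.

    k5login_text is the content of the account's .k5login file, or None
    when the file does not exist.
    """
    if k5login_text is not None:
        # Assumption: principal names are compared as exact strings.
        if principal in parse_k5login(k5login_text):
            return True
        if authoritative:
            # File exists, principal is not listed, file is authoritative.
            return False
    # No file, or k5login_authoritative is false: the default rule permits
    # the principal named after the account in the default realm.
    return principal == f"{account}@{default_realm}"


def owner_locked_out(account: str, k5login_text: Optional[str],
                     default_realm: str, authoritative: bool = True) -> bool:
    """Report whether the account's own default-realm principal is denied."""
    own = f"{account}@{default_realm}"
    return not access_allowed(own, account, k5login_text, default_realm,
                              authoritative)


# Constructed sample data mirroring the two files shown in EXAMPLES.
REALM = "BLEEP.COM"  # assumed default realm of the host
ALICE_K5LOGIN = "bob@FOOBAR.ORG"
ROOT_K5LOGIN = """alice@BLEEP.COM

joeadmin/root@BLEEP.COM
"""

if __name__ == "__main__":
    print(access_allowed("bob@FOOBAR.ORG", "alice", ALICE_K5LOGIN, REALM))
    print(owner_locked_out("alice", ALICE_K5LOGIN, REALM))
    print(owner_locked_out("alice", ALICE_K5LOGIN, REALM, authoritative=False))
```
.ft P
.fi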
.SH SEE ALSO
.sp
kerberos(1)
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2020, MIT
.\" Generated by docutils manpage writer.
.