<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>.k5login — MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
VERSION: '1.18.2',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
<link rel="next" title=".k5identity" href="k5identity.html" />
<link rel="prev" title="kerberos" href="kerberos.html" />
</head>
<body>
<div class="header-wrapper">
<div class="header">
<h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
<div class="rel">
<a href="../../index.html" title="Full Table of Contents"
accesskey="C">Contents</a> |
<a href="kerberos.html" title="kerberos"
accesskey="P">previous</a> |
<a href="k5identity.html" title=".k5identity"
accesskey="N">next</a> |
<a href="../../genindex.html" title="General Index"
accesskey="I">index</a> |
<a href="../../search.html" title="Enter search criteria"
accesskey="S">Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__.k5login">feedback</a>
</div>
</div>
</div>
<div class="content-wrapper">
<div class="content">
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="k5login">
<span id="k5login-5"></span><h1>.k5login<a class="headerlink" href="#k5login" title="Permalink to this headline">¶</a></h1>
<div class="section" id="description">
<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
<p>The .k5login file, which resides in a user’s home directory, contains
a list of the Kerberos principals. Anyone with valid tickets for a
principal in the file is allowed host access with the UID of the user
in whose home directory the file resides. One common use is to place
a .k5login file in root’s home directory, thereby granting system
administrators remote root access to the host via Kerberos.</p>
</div>
<div class="section" id="examples">
<h2>EXAMPLES<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h2>
<p>Suppose the user <code class="docutils literal"><span class="pre">alice</span></code> had a .k5login file in her home directory
containing just the following line:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">bob</span><span class="nd">@FOOBAR</span><span class="o">.</span><span class="n">ORG</span>
</pre></div>
</div>
<p>This would allow <code class="docutils literal"><span class="pre">bob</span></code> to use Kerberos network applications, such as
ssh(1), to access <code class="docutils literal"><span class="pre">alice</span></code>’s account, using <code class="docutils literal"><span class="pre">bob</span></code>’s Kerberos
tickets. In a default configuration (with <strong>k5login_authoritative</strong> set
to true in <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>), this .k5login file would not let
<code class="docutils literal"><span class="pre">alice</span></code> use those network applications to access her account, since
she is not listed! With no .k5login file, or with <strong>k5login_authoritative</strong>
set to false, a default rule would permit the principal <code class="docutils literal"><span class="pre">alice</span></code> in the
machine’s default realm to access the <code class="docutils literal"><span class="pre">alice</span></code> account.</p>
<p>Let us further suppose that <code class="docutils literal"><span class="pre">alice</span></code> is a system administrator.
Alice and the other system administrators would have their principals
in root’s .k5login file on each host:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span>
<span class="n">joeadmin</span><span class="o">/</span><span class="n">root</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span>
</pre></div>
</div>
<p>This would allow either system administrator to log in to these hosts
using their Kerberos tickets instead of having to type the root
password. Note that because <code class="docutils literal"><span class="pre">bob</span></code> retains the Kerberos tickets for
his own principal, <code class="docutils literal"><span class="pre">bob@FOOBAR.ORG</span></code>, he would not have any of the
privileges that require <code class="docutils literal"><span class="pre">alice</span></code>’s tickets, such as root access to
any of the site’s hosts, or the ability to change <code class="docutils literal"><span class="pre">alice</span></code>’s
password.</p>
</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
<p>kerberos(1)</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sidebar">
<h2>On this page</h2>
<ul>
<li><a class="reference internal" href="#">.k5login</a><ul>
<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
<li><a class="reference internal" href="#examples">EXAMPLES</a></li>
<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
</ul>
</li>
</ul>
<br/>
<h2>Table of contents</h2>
<ul class="current">
<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For users</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../pwd_mgmt.html">Password management</a></li>
<li class="toctree-l2"><a class="reference internal" href="../tkt_mgmt.html">Ticket management</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="index.html">User config files</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="kerberos.html">kerberos</a></li>
<li class="toctree-l3 current"><a class="current reference internal" href="#">.k5login</a></li>
<li class="toctree-l3"><a class="reference internal" href="k5identity.html">.k5identity</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../user_commands/index.html">User commands</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../admin/index.html">For administrators</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
</ul>
<br/>
<h4><a href="../../index.html">Full Table of Contents</a></h4>
<h4>Search</h4>
<form class="search" action="../../search.html" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<div class="clearer"></div>
</div>
</div>
<div class="footer-wrapper">
<div class="footer" >
<div class="right" ><i>Release: 1.18.2</i><br />
© <a href="../../copyright.html">Copyright</a> 1985-2020, MIT.
</div>
<div class="left">
<a href="../../index.html" title="Full Table of Contents"
>Contents</a> |
<a href="kerberos.html" title="kerberos"
>previous</a> |
<a href="k5identity.html" title=".k5identity"
>next</a> |
<a href="../../genindex.html" title="General Index"
>index</a> |
<a href="../../search.html" title="Enter search criteria"
>Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__.k5login">feedback</a>
</div>
</div>
</div>
</body>
</html>