From: John Marshall <john.marshall@riverwillow.com.au>
To: freebsd-stable@freebsd.org
Date: Fri, 2 Oct 2009 15:31:35 +1000
Subject: FreeBSD 8.0 Kerberos Login New Behaviour (.k5login)
Message-ID: <20091002053134.GJ37304@rwpc12.mby.riverwillow.net.au>
List-Id: Production branch of FreeBSD source code

Having just spent ages trying to discover why I couldn't log in to one of
my recently-upgraded FreeBSD 8.0-RC1 servers... Kerberos login processing
has changed!

I had a .k5login file on the server with a single entry:

    john/admin@MY.REALM

On FreeBSD 7.2 that meant that I could log in as john on that server with
either my john@ (default principal/account mapping) or my john/admin@ (by
virtue of .k5login) principal.

On FreeBSD 8.0 that means that ONLY john/admin@ can log in to that
account. The fact that a .k5login file is present restricts access to
principals listed in that file.

Anyone like to guess where the .k5login man page is? Try krb5_kuserok(3).

FreeBSD 7.2 Kerberos Login
--------------------------

    First krb5_kuserok check if there is a local account name username.
    If there isn't, krb5_kuserok returns FALSE. Then krb5_kuserok checks
    if principal is the same as user@realm in any of the default realms.
    If that is the case, krb5_kuserok returns TRUE. After that it reads
    the file .k5login (if it exists) in the users home directory and
    checks if principal is in the file. If it does exist, TRUE is
    returned. If neither of the above turns out to be true, is returned.

FreeBSD 8.0 Kerberos Login
--------------------------

    The user may have a ~/.k5login file listing principals that are
    allowed to login as that user. If that file does not exist, all
    principals with a first component identical to the username, and a
    realm considered local, are allowed access. Note that if the file
    exists, no implicit access rights are given to user@.

-- 
John Marshall
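The two krb5_kuserok(3) policies quoted in the post, modelled side by side so an administrator can check before upgrading which principals will keep access to an account. This is an added example, not code from the post, from FreeBSD or from Heimdal: it reproduces only the decision logic the two man page excerpts describe and never calls the real Kerberos library. The local realm set (MY.REALM), the local account list, and the audit() helper are assumptions constructed for the illustration.

```python
"""Model of the FreeBSD 7.2 and 8.0 krb5_kuserok(3) policies quoted in the post.

Added example; not the post's code and not the FreeBSD/Heimdal implementation.
It models the documented decision logic only and does not talk to libkrb5.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed value: the realm(s) this host treats as "local"/"default".
LOCAL_REALMS = frozenset({"MY.REALM"})


@dataclass(frozen=True)
class Principal:
    """A Kerberos principal split into first component, remaining components, realm."""
    name: str        # first component, e.g. "john"
    instance: str    # remaining components joined by "/", "" when there are none
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        text = text.strip()
        if "@" not in text:
            raise ValueError(f"principal without realm: {text!r}")
        components, realm = text.rsplit("@", 1)
        parts = components.split("/")
        if not parts[0] or not realm:
            raise ValueError(f"malformed principal: {text!r}")
        return cls(parts[0], "/".join(parts[1:]), realm)

    def __str__(self) -> str:
        comps = self.name if not self.instance else f"{self.name}/{self.instance}"
        return f"{comps}@{self.realm}"


def parse_k5login(contents: Optional[str]) -> Optional[frozenset[Principal]]:
    """Parse ~/.k5login text (one principal per line). None means the file is absent."""
    if contents is None:
        return None
    return frozenset(Principal.parse(line) for line in contents.splitlines() if line.strip())


def kuserok_72(principal, username, k5login, local_accounts, local_realms=LOCAL_REALMS) -> bool:
    """FreeBSD 7.2 semantics as quoted in the post, checks in the man page's order."""
    if username not in local_accounts:                # no such local account -> FALSE
        return False
    if (principal.instance == "" and principal.name == username
            and principal.realm in local_realms):     # implicit user@REALM mapping -> TRUE
        return True
    if k5login is not None and principal in k5login:  # explicitly listed -> TRUE
        return True
    return False


def kuserok_80(principal, username, k5login, local_accounts, local_realms=LOCAL_REALMS) -> bool:
    """FreeBSD 8.0 semantics as quoted in the post."""
    if username not in local_accounts:
        return False
    if k5login is not None:
        # File present: it is the complete allow-list; user@REALM gets no implicit right.
        return principal in k5login
    # File absent: any principal whose first component is the username, in a local realm.
    return principal.name == username and principal.realm in local_realms


def audit(username, k5login_text, candidates, local_accounts=frozenset({"john"})):
    """Return {principal text: (allowed on 7.2, allowed on 8.0)} for each candidate."""
    k5login = parse_k5login(k5login_text)
    result = {}
    for text in candidates:
        p = Principal.parse(text)
        result[text] = (kuserok_72(p, username, k5login, local_accounts),
                        kuserok_80(p, username, k5login, local_accounts))
    return result


if __name__ == "__main__":
    # Constructed scenario matching the post: .k5login holds only john/admin@MY.REALM.
    outcome = audit("john", "john/admin@MY.REALM\n",
                    ["john@MY.REALM", "john/admin@MY.REALM", "john@OTHER.REALM"])
    for text, (old, new) in outcome.items():
        print(f"{text:24} 7.2={old!s:5} 8.0={new!s:5}")
```

Running it with the post's single-entry .k5login shows john@MY.REALM accepted under the 7.2 rules and refused under the 8.0 rules, while john/admin@MY.REALM is accepted by both; with no .k5login at all, 8.0 additionally admits john/admin@MY.REALM, which 7.2 would not. Feeding audit() each account's real .k5login contents before an upgrade lists exactly which logins will stop working.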