Date:      Fri, 2 Oct 2009 15:31:35 +1000
From:      John Marshall <john.marshall@riverwillow.com.au>
To:        freebsd-stable@freebsd.org
Subject:   FreeBSD 8.0 Kerberos Login New Behaviour (.k5login)
Message-ID:  <20091002053134.GJ37304@rwpc12.mby.riverwillow.net.au>

Having just spent ages trying to discover why I couldn't log in to one
of my recently-upgraded FreeBSD 8.0-RC1 servers...

Kerberos login processing has changed!

I had a .k5login file on the server with a single entry:
 john/admin@MY.REALM

On FreeBSD 7.2 that meant that I could log in as john on that server
with either my john@ (default principal/account mapping) or my
john/admin@ (by virtue of .k5login) principal.

On FreeBSD 8.0 that means that ONLY john/admin@ can log in to that
account.  The fact that a .k5login file is present restricts access to
principals listed in that file.

Anyone like to guess where the .k5login man page is?
Try krb5_kuserok(3).

   FreeBSD 7.2 Kerberos Login
   --------------------------
     First krb5_kuserok check if there is a local account name
     username. If there isn't, krb5_kuserok returns FALSE.

     Then krb5_kuserok checks if principal is the same as user@realm
     in any of the default realms. If that is the case, krb5_kuserok
     returns TRUE.

     After that it reads the file .k5login (if it exists) in the user's
     home directory and checks if principal is in the file.  If it
     does exist, TRUE is returned.  If neither of the above turns out
     to be true, is returned.

   FreeBSD 8.0 Kerberos Login
   --------------------------
     The user may have a ~/.k5login file listing principals that are
     allowed to log in as that user. If that file does not exist, all
     principals with a first component identical to the username, and
     a realm considered local, are allowed access.

     Note that if the file exists, no implicit access rights are given
     to user@<localrealm>.

-- 
John Marshall
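The two krb5_kuserok(3) policies quoted above, modelled side by side so the behaviour change can be checked against a given ~/.k5login before an upgrade. This is an added illustration, not code from the e-mail or from Heimdal/FreeBSD; the local realm name, the principals and the .k5login contents are constructed sample values, and the 7.2 "local account exists" precondition is assumed to hold.

```python
"""Model of the two krb5_kuserok(3) authorization policies from the e-mail.

Added example, not Heimdal code.  Both functions take the principal asking
for access, the local username, and the parsed ~/.k5login (None if the file
is absent).  The 7.2 check that the local account exists is assumed to pass.
"""
from typing import Iterable, Optional

LOCAL_REALMS = {"MY.REALM"}  # realms "considered local" (constructed value)


def _split(principal: str):
    """Return (components, realm) for a 'name/inst@REALM' string."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def kuserok_72(principal: str, username: str, k5login: Optional[Iterable[str]]) -> bool:
    """FreeBSD 7.2: user@<localrealm> is always accepted; .k5login only adds."""
    comps, realm = _split(principal)
    if comps == [username] and realm in LOCAL_REALMS:
        return True
    return k5login is not None and principal in set(k5login)


def kuserok_80(principal: str, username: str, k5login: Optional[Iterable[str]]) -> bool:
    """FreeBSD 8.0: an existing .k5login is the whole policy (no implicit
    user@<localrealm>); without the file, any principal whose first component
    equals the username and whose realm is local is accepted."""
    if k5login is not None:
        return principal in set(k5login)
    comps, realm = _split(principal)
    return comps[0] == username and realm in LOCAL_REALMS


# Constructed sample: the single-entry .k5login described in the e-mail.
K5LOGIN = ["john/admin@MY.REALM"]

if __name__ == "__main__":
    for p in ("john@MY.REALM", "john/admin@MY.REALM", "mallory@MY.REALM"):
        print(f"{p:22} 7.2={kuserok_72(p, 'john', K5LOGIN)!s:5} "
              f"8.0={kuserok_80(p, 'john', K5LOGIN)}")
```

Note the second difference the man page excerpts imply: with no .k5login at all, 8.0 admits john/admin@MY.REALM to the john account (first component match) while 7.2 does not.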
