| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596 |
- .\" Man page generated from reStructuredText.
- .
- .TH "K5LOGIN" "5" " " "1.20.1" "MIT Kerberos"
- .SH NAME
- k5login \- Kerberos V5 acl file for host access
- .
- .nr rst2man-indent-level 0
- .
- .de1 rstReportMargin
- \\$1 \\n[an-margin]
- level \\n[rst2man-indent-level]
- level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
- -
- \\n[rst2man-indent0]
- \\n[rst2man-indent1]
- \\n[rst2man-indent2]
- ..
- .de1 INDENT
- .\" .rstReportMargin pre:
- . RS \\$1
- . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
- . nr rst2man-indent-level +1
- .\" .rstReportMargin post:
- ..
- .de UNINDENT
- . RE
- .\" indent \\n[an-margin]
- .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
- .nr rst2man-indent-level -1
- .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
- .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
- ..
- .SH DESCRIPTION
- .sp
- The .k5login file, which resides in a user\(aqs home directory, contains
- a list of the Kerberos principals. Anyone with valid tickets for a
- principal in the file is allowed host access with the UID of the user
- in whose home directory the file resides. One common use is to place
- a .k5login file in root\(aqs home directory, thereby granting system
- administrators remote root access to the host via Kerberos.
- .SH EXAMPLES
- .sp
- Suppose the user \fBalice\fP had a .k5login file in her home directory
- containing just the following line:
- .INDENT 0.0
- .INDENT 3.5
- .sp
- .nf
- .ft C
- bob@FOOBAR.ORG
- .ft P
- .fi
- .UNINDENT
- .UNINDENT
- .sp
- This would allow \fBbob\fP to use Kerberos network applications, such as
- ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos
- tickets. In a default configuration (with \fBk5login_authoritative\fP set
- to true in krb5.conf(5)), this .k5login file would not let
- \fBalice\fP use those network applications to access her account, since
- she is not listed! With no .k5login file, or with \fBk5login_authoritative\fP
- set to false, a default rule would permit the principal \fBalice\fP in the
- machine\(aqs default realm to access the \fBalice\fP account.
- .sp
- Let us further suppose that \fBalice\fP is a system administrator.
- Alice and the other system administrators would have their principals
- in root\(aqs .k5login file on each host:
- .INDENT 0.0
- .INDENT 3.5
- .sp
- .nf
- .ft C
- alice@BLEEP.COM
- joeadmin/root@BLEEP.COM
- .ft P
- .fi
- .UNINDENT
- .UNINDENT
- .sp
- This would allow either system administrator to log in to these hosts
- using their Kerberos tickets instead of having to type the root
- password. Note that because \fBbob\fP retains the Kerberos tickets for
- his own principal, \fBbob@FOOBAR.ORG\fP, he would not have any of the
- privileges that require \fBalice\fP\(aqs tickets, such as root access to
- any of the site\(aqs hosts, or the ability to change \fBalice\fP\(aqs
- password.
- .SH SEE ALSO
- .sp
- kerberos(1)
- .SH AUTHOR
- MIT
- .SH COPYRIGHT
- 1985-2022, MIT
- .\" Generated by docutils manpage writer.
- .
|
