krb5_auth_rules man page on SmartOS

Man page or keyword search:  
man Server   16655 pages
apropos Keyword Search (all sections)
Output format
SmartOS logo
[printable version]


       krb5_auth_rules - overview of Kerberos V5 authorization

       When  kerberized	 versions of the ftp, rdist, rcp, rlogin, rsh, telnet,
       or ssh clients are used to connect to a server,	the  identity  of  the
       originating  user  must be authenticated to the Kerberos V5 authentica‐
       tion system. Account access  can	 then  be  authorized  if  appropriate
       entries	exist  in  the	~/.k5login  file, the gsscred table, or if the
       default GSS/Kerberos authentication rules successfully map the Kerberos
       principal name to Unix login name.

       To  avoid  security  problems, the ~/.k5login file must be owned by the
       remote user on the server the client is attempting to access. The  file
       should contain a private authorization list comprised of Kerberos prin‐
       cipal names of the form principal/instance@realm. The  /instance	 vari‐
       able  is	 optional  in Kerberos principal names. For example, different
       principal      names	 such	   as	    jdb@ENG.ACME.COM	   and
       jdb/  would  each	 be  legal, though not
       equivalent, Kerberos principals. The client is granted  access  if  the
       ~/.k5login  file	 is  located in the login directory of the remote user
       account and if the originating user can be authenticated to one of  the
       principals named in the file. See gkadmin(1M) and kadm5.acl(4) for more
       information on Kerberos principal names.

       When no ~/.k5login file is found in the remote  user's  login  account,
       the  Kerberos V5 principal name associated with the originating user is
       checked against the gsscred table. If a gsscred table  exists  and  the
       principal  name	is matched in the table, access is granted if the Unix
       user ID listed in the table corresponds to the user account the	client
       is  attempting to access. If the Unix user ID does not match, access is
       denied. See gsscred(1M).

       For example, an originating user listed in the gsscred table  with  the
       principal  name jdb@ENG.ACME.COM and the uid 23154 is granted access to
       the jdb-user account if 23154 is also the uid of jdb-user listed in the
       user account database. See passwd(4).

       Finally, if there is no ~/.k5login file and the Kerberos V5 identity of
       the originating user is not in the gsscred table, or if the gsscred ta‐
       ble  does  not exist, the client is granted access to the account under
       the following conditions (default GSS/Kerberos auth rules):

	   o	  The user part of the authenticated  principal	 name  is  the
		  same as the Unix account name specified by the client.

	   o	  The realm part of the client and server are the same, unless
		  the krb5.conf(4) auth_to_local_realm parameter  is  used  to
		  create equivalence.

	   o	  The Unix account name exists on the server.

       For   example,	if   the  originating  user  has  the  principal  name
       jdb@ENG.ACME.COM and if the server  is  in  realm  SALES.ACME.COM,  the
       client  would  be  denied access even if jdb is a valid account name on
       the server. This is because the realms SALES.ACME.COM and  ENG.ACME.COM

       The  krb5.conf(4) auth_to_local_realm parameter also affects authoriza‐
       tion. Non-default realms can be equated	with  the  default  realm  for
       authenticated name-to-local name mapping.

		      Per user-account authorization file.

		      System  account  file. This information may also be in a
		      directory service. See passwd(4).

       See attributes(5) for a description of the following attributes:

       │Interface Stability │ Evolving	      │

       ftp(1), rcp(1), rdist(1), rlogin(1),  rsh(1),  telnet(1),  gkadmin(1M),
       gsscred(1M),   kadm5.acl(4),  krb5.conf(4),  passwd(4),	attributes(5),

				 Apr 07, 2006		    KRB5_AUTH_RULES(5)

List of man pages available for SmartOS

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
Vote for polarhome
Free Shell Accounts :: the biggest list on the net