svn rev #25767: trunk/doc/rst_source/krb_users/ user_commands/ user_config/

ghudson@MIT.EDU ghudson at MIT.EDU
Wed Mar 14 15:55:50 EDT 2012


http://src.mit.edu/fisheye/changelog/krb5/?cs=25767
Commit By: ghudson
Log Message:
Add config file section in RST user guide

Move the .k5identity and .k5login man pages to a separate section from
user commands.  Also, kadmin.local and k5srvutil are not user-oriented
commands, so don't link to them in the user_commands index.


Changed Files:
U   trunk/doc/rst_source/krb_users/index.rst
U   trunk/doc/rst_source/krb_users/user_commands/index.rst
D   trunk/doc/rst_source/krb_users/user_commands/k5identity.rst
D   trunk/doc/rst_source/krb_users/user_commands/k5login.rst
A   trunk/doc/rst_source/krb_users/user_config/
A   trunk/doc/rst_source/krb_users/user_config/index.rst
A   trunk/doc/rst_source/krb_users/user_config/k5identity.rst
A   trunk/doc/rst_source/krb_users/user_config/k5login.rst
Modified: trunk/doc/rst_source/krb_users/index.rst
===================================================================
--- trunk/doc/rst_source/krb_users/index.rst	2012-03-14 19:55:44 UTC (rev 25766)
+++ trunk/doc/rst_source/krb_users/index.rst	2012-03-14 19:55:49 UTC (rev 25767)
@@ -17,4 +17,5 @@
 
    pwd_mgmt.rst
    tkt_mgmt.rst
+   user_config/index.rst
    user_commands/index.rst

Modified: trunk/doc/rst_source/krb_users/user_commands/index.rst
===================================================================
--- trunk/doc/rst_source/krb_users/user_commands/index.rst	2012-03-14 19:55:44 UTC (rev 25766)
+++ trunk/doc/rst_source/krb_users/user_commands/index.rst	2012-03-14 19:55:49 UTC (rev 25767)
@@ -18,9 +18,5 @@
    kpasswd.rst
    kvno.rst
    ksu.rst
-   k5login.rst
-   k5identity.rst
-   ../../krb_admins/admin_commands/kadmin_local.rst
-   ../../krb_admins/admin_commands/k5srvutil.rst
    sclient.rst
    send-pr.rst
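
Review bot: the two removed cross-directory entries, ``../../krb_admins/admin_commands/kadmin_local.rst`` and ``../../krb_admins/admin_commands/k5srvutil.rst``, need a check that both pages are still listed in a toctree under krb_admins/admin_commands. If this index was their only parent, Sphinx will warn that the documents are not included in any toctree and they will disappear from navigation. The k5login.rst and k5identity.rst removals are covered by the new user_config index in the same commit.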

Added: trunk/doc/rst_source/krb_users/user_config/index.rst
===================================================================
--- trunk/doc/rst_source/krb_users/user_config/index.rst	                        (rev 0)
+++ trunk/doc/rst_source/krb_users/user_config/index.rst	2012-03-14 19:55:49 UTC (rev 25767)
@@ -0,0 +1,12 @@
+User config files
+=================
+
+The following files in your home directory can be used to control the
+behavior of Kerberos as it applies to your account (unless they have
+been disabled by your host's configuration):
+
+.. toctree::
+   :maxdepth: 1
+
+   k5login.rst
+   k5identity.rst
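
Review bot: the parenthetical "unless they have been disabled by your host's configuration" in the intro paragraph does not say which configuration controls this or how a user can tell whether the files are honored on a given host. Since .k5login decides who may log in to the account, add a cross-reference such as the ``:ref:`krb5.conf(5)``` link that k5identity.rst already uses, so the reader can find the relevant setting.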

Copied: trunk/doc/rst_source/krb_users/user_config/k5identity.rst (from rev 25766, trunk/doc/rst_source/krb_users/user_commands/k5identity.rst)
===================================================================
--- trunk/doc/rst_source/krb_users/user_config/k5identity.rst	                        (rev 0)
+++ trunk/doc/rst_source/krb_users/user_config/k5identity.rst	2012-03-14 19:55:49 UTC (rev 25767)
@@ -0,0 +1,71 @@
+.. _.k5identity(5):
+
+.k5identity
+===========
+
+SYNOPSIS
+--------
+
+**~/.k5identity**
+
+DESCRIPTION
+-----------
+
+The .k5identity file, which resides in a user's home directory,
+contains a list of rules for selecting a client principals based on
+the server being accessed.  These rules are used to choose a
+credential cache within the cache collection when possible.
+
+Blank lines and lines beginning with ``#`` are ignored.  Each line has
+the form:
+
+    *principal* *field*\=\ *value* ...
+
+If the server principal meets all of the field constraints, then
+principal is chosen as the client principal.  The following fields are
+recognized:
+
+**realm**
+    If the realm of the server principal is known, it is matched
+    against *value*, which may be a pattern using shell wildcards.
+    For host-based server principals, the realm will generally only be
+    known if there is a :ref:`domain_realm` section in
+    :ref:`krb5.conf(5)` with a mapping for the hostname.
+
+**service**
+    If the server principal is a host-based principal, its service
+    component is matched against *value*, which may be a pattern using
+    shell wildcards.
+
+**host**
+    If the server principal is a host-based principal, its hostname
+    component is converted to lower case and matched against *value*,
+    which may be a pattern using shell wildcards.
+
+    If the server principal matches the constraints of multiple lines
+    in the .k5identity file, the principal from the first matching
+    line is used.  If no line matches, credentials will be selected
+    some other way, such as the realm heuristic or the current primary
+    cache.
+
+
+EXAMPLE
+-------
+
+The following example .k5identity file selects the client principal
+``alice at KRBTEST.COM`` if the server principal is within that realm,
+the principal ``alice/root at EXAMPLE.COM`` if the server host is within
+a servers subdomain, and the principal ``alice/mail at EXAMPLE.COM`` when
+accessing the IMAP service on ``mail.example.com``:
+
+ ::
+
+    alice at KRBTEST.COM       realm=KRBTEST.COM
+    alice/root at EXAMPLE.COM  host=*.servers.example.com
+    alice/mail at EXAMPLE.COM  host=mail.example.com service=imap
+
+
+SEE ALSO
+--------
+
+kerberos(1), :ref:`krb5.conf(5)`
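
Review bot: the paragraph beginning "If the server principal matches the constraints of multiple lines" is indented to the same level as the **host** definition body, so it renders as part of the host field description even though the first-match rule applies to the whole file. Dedent it to column 0 so that the ordering rule, which decides which client identity is presented to a server, reads as a general statement. Also in DESCRIPTION, "selecting a client principals" should be "selecting a client principal". These lines were copied unchanged from user_commands/k5identity.rst, so a follow-up commit is fine.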

Copied: trunk/doc/rst_source/krb_users/user_config/k5login.rst (from rev 25766, trunk/doc/rst_source/krb_users/user_commands/k5login.rst)
===================================================================
--- trunk/doc/rst_source/krb_users/user_config/k5login.rst	                        (rev 0)
+++ trunk/doc/rst_source/krb_users/user_config/k5login.rst	2012-03-14 19:55:49 UTC (rev 25767)
@@ -0,0 +1,58 @@
+.. _.k5login(5):
+
+.k5login
+========
+
+SYNOPSIS
+--------
+**~/.k5login**
+
+
+DESCRIPTION
+-----------
+
+The .k5login file, which resides in a user's home directory, contains
+a list of the Kerberos principals.  Anyone with valid tickets for a
+principal in the file is allowed host access with the UID of the user
+in whose home directory the file resides.  One common use is to place
+a .k5login file in root's home directory, thereby granting system
+administrators remote root access to the host via Kerberos.
+
+
+EXAMPLES
+--------
+
+Suppose the user ``alice`` had a .k5login file in her home directory
+containing the following line:
+
+ ::
+
+    bob at FOOBAR.ORG
+
+This would allow ``bob`` to use any of the Kerberos network
+applications, such as telnet(1), rlogin(1), rsh(1), and rcp(1), to
+access ``alice``'s account, using ``bob``'s Kerberos tickets.
+
+Let us further suppose that ``alice`` is a system administrator.
+Alice and the other system administrators would have their principals
+in root's .k5login file on each host:
+
+ ::
+
+    alice at BLEEP.COM
+
+    joeadmin/root at BLEEP.COM
+
+This would allow either system administrator to log in to these hosts
+using their Kerberos tickets instead of having to type the root
+password.  Note that because ``bob`` retains the Kerberos tickets for
+his own principal, ``bob at FOOBAR.ORG``, he would not have any of the
+privileges that require ``alice``'s tickets, such as root access to
+any of the site's hosts, or the ability to change ``alice``'s
+password.
+
+
+SEE ALSO
+--------
+
+telnet(1), rlogin(1), rsh(1), rcp(1), ksu(1), telnetd(8), klogind(8)
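
Review bot: DESCRIPTION never states the file format, and the second literal block in EXAMPLES puts an empty line between the ``alice`` and ``joeadmin/root`` entries, which leaves the reader unsure whether blank lines are required, allowed, or a typo. State the format explicitly (k5identity.rst does this with "Blank lines and lines beginning with ``#`` are ignored") and drop the stray empty line, since every entry in this file grants login as the file's owner and the root example grants root. Minor points: "a list of the Kerberos principals" should read "a list of Kerberos principals", and SYNOPSIS lacks the blank line after the heading underline that k5identity.rst has.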


