.k5login wildcard

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Tue Oct 21 15:50:16 EDT 2003


Would you be interested in a PAM authorisation (not authentication) module that allowed you to store and manage this account name mapping information centrally in an LDAP directory (or other central repository of information)? You would not need to manage .k5login files in user home directories on 2000 machines if this was available?

I posted a question about this a few weeks ago, but had limited feedback, and clearly you have a potential need for such a module?

Thanks, Tim. 

-----Original Message-----
From: Michael Conlen [mailto:mconlen at neutelligent.com] 
Sent: 21 October 2003 20:43
To: kerberos at mit.edu
Subject: .k5login wildcard

I am trying to work out a system where a principal

*/root at REALM

has access to log in to an account (guess which one) or su to that account. I noticed a few years ago David Cross merged in a patch with alpha support for wildcards in the .k5login file, but that's the last I ever saw of it. This functionality would be hyperuseful for us as we could assign or revoke privs based on available principals as opposed to updating 2000 machines. (Consider an administrator being fired, you have to update all those machines fast, or just remove a principal in the KDC).

In any case, is this functionality around in code anymore, and if so how would one go about using it?

Thank you for your time.

Michael Conlen

Kerberos mailing list           Kerberos at mit.edu
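The wildcard entry asked about in this thread, as an added example that is not code from the thread, from the patch it mentions, or from MIT Kerberos: it assumes a hypothetical rule in which `*` stands for exactly one whole principal component and the realm must match exactly. The function names and the sample file contents are constructed for illustration; a whole-string glob is included for contrast because it lets `*` run across `/` and `@`.

```python
import fnmatch

# Constructed sample .k5login: one exact principal and the wildcard entry from the thread.
SAMPLE_K5LOGIN = "alice@REALM\n*/root@REALM\n"

def parse_principal(name):
    """Split 'comp/comp@REALM' into (components, realm), honouring backslash escapes."""
    comps, cur, in_realm, i = [], "", False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):  # escaped char stays inside the component
            cur += name[i:i + 2]
            i += 2
            continue
        if ch == "@":
            if in_realm:
                raise ValueError("second unescaped '@'")
            comps.append(cur)
            cur, in_realm = "", True
        elif ch == "/" and not in_realm:
            comps.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if not in_realm or not cur:
        raise ValueError("principal has no realm")
    return comps, cur

def entry_matches(pattern, principal):
    """Hypothetical rule: '*' matches exactly one non-empty component; realm is exact."""
    p_comps, p_realm = parse_principal(pattern)
    comps, realm = parse_principal(principal)
    if p_realm != realm or len(p_comps) != len(comps):
        return False
    return all(p == c or (p == "*" and c != "") for p, c in zip(p_comps, comps))

def authorized(k5login_text, principal):
    """True if any entry admits the principal; malformed input fails closed."""
    try:
        return any(entry_matches(line.strip(), principal)
                   for line in k5login_text.splitlines() if line.strip())
    except ValueError:
        return False

def naive_glob_match(pattern, principal):
    """Whole-string glob, shown for contrast: '*' also swallows '/' and '@'."""
    return fnmatch.fnmatchcase(principal, pattern)
```

With the component-wise rule, `jdoe/root@REALM` is admitted while `jdoe/x/root@REALM` and `jdoe@EVIL/root@REALM` are refused; the whole-string glob accepts all three.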
