auth_to_local method for local user matching

Greg Hudson ghudson at MIT.EDU
Wed Aug 21 14:12:09 EDT 2013


On 08/21/2013 01:28 PM, Ben H wrote:
> So how exactly is krb5_kuserok determining luser ?

It's not.  krb5_kuserok receives the local username as input.  The
application is deciding which value to pass.

> Also - I'm not sure about your reference to k5login_directory?  Did you mean
> to recommend it as an alternative to homedir stored .k5login files?
> If so - thanks for the pointer.  While there are some situations that a
> .k5login is necessary for, I feel that in general they are
> an unnecessary risk and burden to utilize.
> E.g. - a user can grant another user access to his account without any
> administrative intervention (KerberosUseKuserok in ssh can prevent this).

With k5login_directory, you can store .k5login files in a directory
owned by root, thus preventing users from granting access to their own
accounts.

It may still be burdensome to have to create the .k5login files, but if
they are the only option, k5login_directory may make it a little easier,
depending on the details of your situation.
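
One way to check the property described above, that the k5login_directory and the files in it are owned by root and not writable by ordinary users. This is an added example, not part of the original message; the function name `audit_k5login_dir` and the sample path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message).
# Assumed krb5.conf setting being audited (the path is a constructed sample):
#   [libdefaults]
#       k5login_directory = /etc/krb5/k5login.d
# With this setting each file in the directory is named after a local user.
#
# Usage: audit_k5login_dir DIR [OWNER]   OWNER defaults to root (name or uid)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_k5login_dir() {
    dir=$1
    owner=${2:-root}

    # A symlinked or missing directory cannot be trusted at all.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL not a real directory: $dir"
        return 1
    fi

    findings=$(
        # Whoever can write to the directory can replace any file in it.
        find "$dir" -maxdepth 0 ! -user "$owner" \
            -exec echo "FAIL directory not owned by $owner:" {} \;
        find "$dir" -maxdepth 0 \( -perm -020 -o -perm -002 \) \
            -exec echo "FAIL directory is group/world writable:" {} \;
        # Entries must be plain files; a symlink could point at user-owned data.
        find "$dir" -mindepth 1 -maxdepth 1 ! -type f \
            -exec echo "FAIL not a regular file:" {} \;
        # A file the user owns or can write to lets them grant access themselves.
        find "$dir" -mindepth 1 -maxdepth 1 -type f ! -user "$owner" \
            -exec echo "FAIL file not owned by $owner:" {} \;
        find "$dir" -mindepth 1 -maxdepth 1 -type f \
            \( -perm -020 -o -perm -002 \) \
            -exec echo "FAIL file is group/world writable:" {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```
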


