Processing .k5login (another patch)

Russ Allbery rra at stanford.edu
Wed Sep 1 17:34:37 EDT 2010


Greg Hudson <ghudson at MIT.EDU> writes:
> On Wed, 2010-09-01 at 16:07 -0400, Roland C. Dowdeswell wrote:

>> It is not always appropriate for users to be able to decide who is
>> allowed to login to their accounts.  I propose a krb5.conf setting to
>> disable this called ``use-k5login'' which defaults to the current
>> behaviour.

> I'd be interested in feedback from others on whether this knob is
> desirable.

We maintained a somewhat related patch against MIT Kerberos 1.4 for years.
Our patch allowed us to require a .k5login to exist and remove the
fallback to krb5_aname_to_lname and username comparison.  I think both
features are desirable.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the krbdev mailing list