Processing .k5login (another patch)
Roland C. Dowdeswell
elric at imrryr.org
Thu Sep 2 19:17:40 EDT 2010
On Thu, Sep 02, 2010 at 11:53:13AM -0400, Greg Hudson wrote:
>
> On Wed, 2010-09-01 at 18:08 -0400, Russ Allbery wrote:
> > Nicolas Williams <Nicolas.Williams at oracle.com> writes:
> >
> > > I'd rather have an option for specifying the location of the k5login
> > > file, so it can be moved into a location where the user cannot control
> > > it.
> >
> > That would be very nice.
>
> Perhaps something like:
>
> [libdefaults]
> k5login = $HOME/.k5login # Default
> k5login = /var/lib/k5login/$USER # Centrally managed
> k5login = # Disable altogether
>
> I'm not fixated on that substitution syntax, but I imagine there'd need
> to be some way to substitute in the homedir and username. Python's
> ConfigParser supports a %() substitution syntax, but using that seems
> like it would be a mistake since it substitutes variables within the
> same section.
>
> I can't promise to implement this for 1.9, but I can write it up as an
> early project and perhaps do it on the margin later.
How about a syntax that's more like the krb5_aname_to_localname(), a
la:
    k5login = <TYPE>[:<arg>]
where arg includes interpolation of %h for home dir and %u for user.
So, you could do something like:
    k5login = FILE:%h/.k5login
or
    k5login = KDB:/var/kerberos/k5login.db
    k5login = FILE:%h/.k5login
Defining types to be:
    NONE         nothing.
    FILE         simple file from argument
    ANAME2LNAME  use krb5_aname_to_lname() to see if it matches
    KDB          use a KDB looking for an entry of the form
                     principal\0luser
                 with a key of ``1'' indicating yes
With this, the current behaviour would be defined to be:
    k5login = FILE:%h/.k5login
    k5login = ANAME2LNAME
(roughly, because currently it looks like if ~/.k5login exists but is
not owned by the right people the ANAME2LNAME is short-circuited.)
--
Roland Dowdeswell http://Imrryr.ORG/~elric/
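The following sketch, added here and not code from krb5 or from anyone in the thread, models the proposed `k5login = TYPE[:arg]` syntax end to end: parsing the entry, expanding %h and %u, and walking an ordered list of entries until one of them decides. The %h/%u names, the four types and the two example lists come from the message above; everything else is an assumption of this example: the ALLOW/DENY/CONTINUE outcome per type (a missing FILE falls through, a FILE owned by someone other than the user or root denies and short-circuits, ANAME2LNAME decides when it produces a mapping, a KDB miss falls through, NONE contributes nothing), the rule that the file owner must be the target user or root, the in-memory stand-ins for the filesystem, the aname-to-lname mapping and the KDB, and all sample principals and users.

```python
"""Sketch of the proposed k5login = TYPE[:arg] evaluation (added example, not krb5 code).

Everything below that is not the TYPE[:arg] shape, the %h/%u substitutions or the
four type names is this example's assumption: the per-type outcomes, the ownership
rule, and the constructed filesystem / mapper / KDB stand-ins.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Sequence, Tuple


class Decision(Enum):
    ALLOW = "allow"        # this entry authorizes the principal: stop, succeed
    DENY = "deny"          # this entry refuses the principal: stop, fail (short-circuit)
    CONTINUE = "continue"  # this entry had nothing to say: consult the next one


@dataclass(frozen=True)
class FakeFile:
    """Constructed stand-in for a .k5login file: owner uid plus one principal per line."""
    owner_uid: int
    lines: Tuple[str, ...]


ROOT_UID = 0  # assumption: a k5login file may be owned by the target user or by root


def parse_spec(spec: str) -> Tuple[str, Optional[str]]:
    """Split 'TYPE[:arg]' into (TYPE, arg); the type keyword is case-insensitive."""
    if not spec.strip():
        raise ValueError("empty k5login spec")
    kind, sep, arg = spec.strip().partition(":")
    return kind.upper(), (arg if sep else None)


def interpolate(arg: str, user: str, home: str) -> str:
    """Expand %u -> user and %h -> home dir; %% yields a literal '%', other %x stay as-is."""
    subst = {"u": user, "h": home, "%": "%"}
    out: List[str] = []
    i = 0
    while i < len(arg):
        if arg[i] == "%" and i + 1 < len(arg) and arg[i + 1] in subst:
            out.append(subst[arg[i + 1]])
            i += 2
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)


def check_file(path: str, principal: str, uid: int, fs: Dict[str, FakeFile]) -> Decision:
    """FILE: missing file falls through; wrong owner denies; otherwise the listing decides."""
    f = fs.get(path)
    if f is None:
        return Decision.CONTINUE
    if f.owner_uid not in (uid, ROOT_UID):
        return Decision.DENY  # user-controlled or foreign-owned file: refuse, do not fall through
    names = {ln.strip() for ln in f.lines if ln.strip() and not ln.lstrip().startswith("#")}
    return Decision.ALLOW if principal in names else Decision.DENY


def check_aname2lname(principal: str, user: str, mapper: Callable[[str], Optional[str]]) -> Decision:
    """ANAME2LNAME: if the principal maps to a local name, that name must equal the user."""
    mapped = mapper(principal)
    if mapped is None:
        return Decision.CONTINUE
    return Decision.ALLOW if mapped == user else Decision.DENY


def check_kdb(path: str, principal: str, user: str, kdbs: Dict[str, Dict[bytes, bytes]]) -> Decision:
    """KDB: look up principal\\0luser; a value of b'1' allows, anything else falls through."""
    db = kdbs.get(path)
    if db is None:
        return Decision.CONTINUE
    key = f"{principal}\0{user}".encode()
    return Decision.ALLOW if db.get(key) == b"1" else Decision.CONTINUE


# Constructed sample environment: bob's uid is 1002, so his .k5login has the wrong owner.
FS: Dict[str, FakeFile] = {
    "/home/alice/.k5login": FakeFile(1000, ("alice@EXAMPLE.ORG", "admin/alice@EXAMPLE.ORG")),
    "/home/bob/.k5login": FakeFile(1001, ("mallory@EXAMPLE.ORG",)),
}
KDBS: Dict[str, Dict[bytes, bytes]] = {
    "/var/kerberos/k5login.db": {b"ops@EXAMPLE.ORG\x00carol": b"1"},
}


def default_mapper(principal: str) -> Optional[str]:
    """Toy aname->lname: single-component principals in EXAMPLE.ORG map to their first component."""
    name, _, realm = principal.partition("@")
    return name if realm == "EXAMPLE.ORG" and "/" not in name else None


CURRENT_BEHAVIOUR = ["FILE:%h/.k5login", "ANAME2LNAME"]            # as stated in the message
CENTRAL = ["KDB:/var/kerberos/k5login.db", "FILE:%h/.k5login"]     # the centrally managed variant


def k5login_authorized(specs: Sequence[str], principal: str, user: str, uid: int, home: str,
                       fs=FS, mapper=default_mapper, kdbs=KDBS) -> bool:
    """Evaluate the k5login entries in order; the first ALLOW/DENY wins, nothing matching denies."""
    for spec in specs:
        kind, arg = parse_spec(spec)
        if kind == "NONE":
            d = Decision.CONTINUE
        elif kind == "FILE":
            d = check_file(interpolate(arg or "", user, home), principal, uid, fs)
        elif kind == "ANAME2LNAME":
            d = check_aname2lname(principal, user, mapper)
        elif kind == "KDB":
            d = check_kdb(interpolate(arg or "", user, home), principal, user, kdbs)
        else:
            raise ValueError(f"unknown k5login type {kind!r}")
        if d is not Decision.CONTINUE:
            return d is Decision.ALLOW
    return False
```

The bob case is the one worth noticing: with the current-behaviour list his mis-owned ~/.k5login denies outright and ANAME2LNAME is never reached, which is the short-circuit the message describes, while carol is only authorized once the KDB entry sits ahead of the per-user file.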