| author | Russ Allbery <rra@stanford.edu> | 2006-06-12 18:19:26 +0000 |
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2006-06-12 18:19:26 +0000 |
| commit | e52cd0c4da8586bed7325b56d50a1f0adf0130d9 (patch) | |
| tree | e9ffae33e5ff3950f3dfe33ee0b202bcf3377354 /src/appl/bsd | |
| parent | d838a541588b4235eea323b8894c96205641329f (diff) | |
| download | krb5-e52cd0c4da8586bed7325b56d50a1f0adf0130d9.tar.gz krb5-e52cd0c4da8586bed7325b56d50a1f0adf0130d9.tar.xz krb5-e52cd0c4da8586bed7325b56d50a1f0adf0130d9.zip | |
Document the authorization logic used in the absence of .k5login files.
Remove all remaining references to .rhosts authentication; the code to
implement this was already removed.
Ticket: 2577
Version_Reported: 1.3.3
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18112 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/appl/bsd')
| -rw-r--r-- | src/appl/bsd/klogind.M | 20 |
|---|---|---|
| -rw-r--r-- | src/appl/bsd/kshd.M | 16 |
2 files changed, 18 insertions, 18 deletions
diff --git a/src/appl/bsd/klogind.M b/src/appl/bsd/klogind.M index a05406a747..de4cd342e9 100644 --- a/src/appl/bsd/klogind.M +++ b/src/appl/bsd/klogind.M @@ -34,22 +34,26 @@ When a service request is received, the following protocol is initiated: .IP 1) Check authentication. .IP 2) -Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP -and \fI.rhosts\fP in the user's home directory. +Check authorization via the access-control files \fI.k5login\fP and +\fI.klogin\fP in the user's home directory. .IP 3) Prompt for password if any checks fail and the \fI-p\fP option was supplied. .PP If the authentication succeeds, login the user by calling the accompanying login.krb5 or /bin/login, according to the definition of -DO_NOT_USE_K_LOGIN. +DO_NOT_USE_K_LOGIN. .PP The configuration of \fIklogind\fP is done by command line arguments passed by inetd. The options are: .IP \fB\-5\fP 10 Allow Kerberos V5 authentication with the \fI.k5login\fP access control file to be trusted. If this authentication system is used by the client -and the authorization check is passed, then the user is allowed to log -in. +and the authorization check is passed, then the user is allowed to log in. +If the user has no \fI.k5login\fP file, the login will be authorized if +the results of krb5_aname_to_localname conversion matches the account +name. Unless special rules are configured, this will be true if and only +if the Kerberos principal of the connecting user is in the default local +realm and the principal portion matches the account name. .IP \fB\-4\fP Allow Kerberos V4 authentication with the \fI.klogin\fP access control 
@@ -107,12 +111,6 @@ clients--particularly clients predating the release of Kerberos V5 Beta5 (May 1995)--present bogus checksums that prevent Kerberos authentication from succeeding in the default mode. - -.PP -If the -~/.rhosts check is to be used, then the program verifies that the -client is connecting from a privileged port, before allowing login. - .PP The parent of the login process manipulates the master side of the pseduo terminal, operating as an intermediary between the login diff --git a/src/appl/bsd/kshd.M b/src/appl/bsd/kshd.M index 049660ee1f..b6d50390a7 100644 --- a/src/appl/bsd/kshd.M +++ b/src/appl/bsd/kshd.M @@ -37,8 +37,8 @@ When a service request is received, the following protocol is initiated: .IP 1) Authentication is checked .IP 2) -Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP -and \fI.rhosts\fP in the user's home directory. +Check authorization via the access-control files \fI.k5login\fP and +\fI.klogin\fP in the user's home directory. .IP 3) A null byte is returned on the initial socket and the command line is passed to the normal login @@ -53,8 +53,13 @@ by \fIinetd(8)\fP. .IP \fB\-5\fP 10 Allow Kerberos5 authentication with the \fI.k5login\fP access control file -to be trusted. If this authentication system is used by the client and the -authorization check is passed, then the user is allowed to log in. +to be trusted. If this authentication system is used by the client and +the authorization check is passed, then the user is allowed to log in. If +the user has no \fI.k5login\fP file, the login will be authorized if the +results of krb5_aname_to_localname conversion matches the account name. +Unless special rules are configured, this will be true if and only if the +Kerberos principal of the connecting user is in the default local realm +and the principal portion matches the account name. .IP \fB\-4\fP Allow Kerberos4 authentication with the \fI.klogin\fP access control file 
@@ -108,9 +113,6 @@ authentication from succeeding in the default mode. .PP -If the \fB\-r\fP or \fB\-R\fP options are used, the client must -connect from a privileged port. -.PP \fIKrshd\fP supports six options which may be used for testing: .IP \fB\-S\ keytab\fP 10 |
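Review bot: in the klogind.M hunk at `@@ -34,22 +34,26 @@`, the new sentence under `\fB\-5\fP`, "the results of krb5_aname_to_localname conversion matches the account name", has a number disagreement; suggest "the result of the krb5_aname_to_localname conversion matches the account name". Since this is a man page, the function name should also get the page's own emphasis style (e.g. `\fBkrb5_aname_to_localname\fP`), and "Unless special rules are configured" would be more useful to an administrator if it said where those rules are configured (the auth_to_local setting in krb5.conf), because when no `.k5login` exists those rules alone decide which principals may log in to the account. The `-DO_NOT_USE_K_LOGIN.` / `+DO_NOT_USE_K_LOGIN.` pair looks like a whitespace-only change; fine if intentional.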
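Review bot: in the klogind.M hunk at `@@ -107,12 +111,6 @@`, the unchanged context line directly after the removed `~/.rhosts` paragraph contains the typo "pseduo terminal"; it would be worth correcting in the same pass. The removal itself matches the commit message (the `.rhosts` code is already gone), so the man page no longer claims a privileged-port check that the daemon does not perform; suggest a quick grep of the rest of klogind.M to confirm no other reference to `.rhosts` or the port check survives.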
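Review bot: in the kshd.M hunk at `@@ -53,8 +53,13 @@`, the added paragraph is a verbatim copy of the klogind.M text and carries the same "results ... matches" agreement error; whichever wording is chosen, apply it to both pages so the two descriptions of the no-`.k5login` authorization rule stay in sync. It would also help to state explicitly that `.k5login`, when present, is consulted instead of (not in addition to) the krb5_aname_to_localname mapping, since the new sentence only covers the case where the file is absent.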
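Review bot: in the kshd.M hunk at `@@ -108,9 +113,6 @@`, the removed sentence was the only visible mention of the `\fB\-r\fP` and `\fB\-R\fP` options; given that the commit message says the `.rhosts` code has already been removed, confirm that the OPTIONS list in kshd.M no longer documents `-r` and `-R` (and that krshd rejects or ignores them), otherwise the page would still describe options with no remaining behaviour. The following context line, "\fIKrshd\fP supports six options which may be used for testing", should also still count six after this change.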
