author: Greg Hudson <ghudson@mit.edu> 2010-10-01 15:56:30 +0000
committer: Greg Hudson <ghudson@mit.edu> 2010-10-01 15:56:30 +0000
commit: a9a153eb38d1b1f3ee2b6860de3de4eba48bbbeb
tree: d99aab650ef6f2dbb8ce5d0f7a481a0f89b1fe63 /src/config-files
parent: 7db027b67b3d9b6110f9f2dd2954507c74ab54e8
Implement k5login_directory and k5login_authoritative options
Add and document two new options for controlling k5login behavior.

ticket: 6792

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24402 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/config-files')
-rw-r--r-- src/config-files/krb5.conf.M 14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M
index 2995aa2bef..e658e8997f 100644
--- a/src/config-files/krb5.conf.M
+++ b/src/config-files/krb5.conf.M
@@ -155,6 +155,20 @@ This relation sets the maximum allowable amount of clockskew in seconds
that the library will tolerate before assuming that a Kerberos message
is invalid. The default value is 300 seconds, or five minutes.
+.IP k5login_authoritative
+If the value of this relation is true (the default), principals must
+be listed in a local user's k5login file to be granted login access,
+if a k5login file exists. If the value of this relation is false, a
+principal may still be granted login access through other mechanisms
+even if a k5login file exists but does not list the principal.
+
+.IP k5login_directory
+If set, the library will look for a local user's k5login file within
+the named directory, with a filename corresponding to the local
+username. If not set, the library will look for k5login files in the
+user's home directory, with the filename .k5login. For security
+reasons, k5login files must be owned by the local user or by root.
+
.IP kdc_timesync
If the value of this relation is non-zero (the default), the library
will compute the difference between the system clock and the time
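Review bot: In the k5login_authoritative paragraph, "other mechanisms" is never named, so an administrator who sets this relation to false cannot tell from the man page what else may grant a principal login access when the k5login file does not list it; name those mechanisms or reference the section that documents them. In the k5login_directory paragraph, the sentence "For security reasons, k5login files must be owned by the local user or by root" follows the home-directory fallback, which leaves it unclear whether the ownership check applies only when k5login_directory is set or to ~/.k5login as well; state the scope explicitly. The same paragraph says nothing about the ownership or permissions expected of the named directory itself, which is worth documenting since the file is looked up by local username inside a directory shared by all users. Neither paragraph says what happens when no k5login file exists for the user in the configured directory, and that case interacts with k5login_authoritative.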