diff options
Diffstat (limited to 'doc/users/user_config/k5login.rst')
-rw-r--r-- | doc/users/user_config/k5login.rst | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/doc/users/user_config/k5login.rst b/doc/users/user_config/k5login.rst new file mode 100644 index 0000000000..00f5a5a3ae --- /dev/null +++ b/doc/users/user_config/k5login.rst @@ -0,0 +1,53 @@ +.. _.k5login(5): + +.k5login +======== + +DESCRIPTION +----------- + +The .k5login file, which resides in a user's home directory, contains +a list of the Kerberos principals. Anyone with valid tickets for a +principal in the file is allowed host access with the UID of the user +in whose home directory the file resides. One common use is to place +a .k5login file in root's home directory, thereby granting system +administrators remote root access to the host via Kerberos. + + +EXAMPLES +-------- + +Suppose the user ``alice`` had a .k5login file in her home directory +containing the following line: + + :: + + bob@FOOBAR.ORG + +This would allow ``bob`` to use Kerberos network applications, such as +ssh(1), to access ``alice``'s account, using ``bob``'s Kerberos +tickets. + +Let us further suppose that ``alice`` is a system administrator. +Alice and the other system administrators would have their principals +in root's .k5login file on each host: + + :: + + alice@BLEEP.COM + + joeadmin/root@BLEEP.COM + +This would allow either system administrator to log in to these hosts +using their Kerberos tickets instead of having to type the root +password. Note that because ``bob`` retains the Kerberos tickets for +his own principal, ``bob@FOOBAR.ORG``, he would not have any of the +privileges that require ``alice``'s tickets, such as root access to +any of the site's hosts, or the ability to change ``alice``'s +password. + + +SEE ALSO +-------- + +kerberos(1) |