From a9a153eb38d1b1f3ee2b6860de3de4eba48bbbeb Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 1 Oct 2010 15:56:30 +0000 Subject: Implement k5login_directory and k5login_authoritative options Add and document two new options for controlling k5login behavior. ticket: 6792 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24402 dc483132-0cff-0310-8789-dd5450dbe970 --- src/config-files/krb5.conf.M | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'src/config-files') diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M index 2995aa2bef..e658e8997f 100644 --- a/src/config-files/krb5.conf.M +++ b/src/config-files/krb5.conf.M @@ -155,6 +155,20 @@ This relation sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes. +.IP k5login_authoritative +If the value of this relation is true (the default), principals must +be listed in a local user's k5login file to be granted login access, +if a k5login file exists. If the value of this relation is false, a +principal may still be granted login access through other mechanisms +even if a k5login file exists but does not list the principal. + +.IP k5login_directory +If set, the library will look for a local user's k5login file within +the named directory, with a filename corresponding to the local +username. If not set, the library will look for k5login files in the +user's home directory, with the filename .k5login. For security +reasons, k5login files must be owned by the local user or by root. + .IP kdc_timesync If the value of this relation is non-zero (the default), the library will compute the difference between the system clock and the time -- cgit
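Review bot: In the k5login_directory paragraph, the sentence "k5login files must be owned by the local user or by root" does not say what the library does when that ownership check fails, and this interacts with k5login_authoritative, whose wording depends on "if a k5login file exists". Suggest stating whether a wrongly owned file is treated as absent (so that, with k5login_authoritative false, other mechanisms may still grant access) or as a denial. Because the ownership sentence sits only under k5login_directory, it reads as if it applies only to files in the named directory; if it also covers the home-directory .k5login, say so or move it to a place that covers both. Since files in the named directory are looked up by local username, the text should also say what ownership and write permissions the directory itself is expected to have. In the k5login_authoritative paragraph, "other mechanisms" is left unnamed; name them or point to the section that documents them.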