diff options
author | Ben Kaduk <kaduk@mit.edu> | 2014-03-13 15:11:49 -0400 |
---|---|---|
committer | Ben Kaduk <kaduk@mit.edu> | 2014-03-13 15:11:49 -0400 |
commit | 8cdc21ef051f43ea8dcabf42540d5cff13b5adeb (patch) | |
tree | e764a8de664309f6a770cbc456a5b335b1e8c898 | |
parent | 27b136d2e3181e787b2d4a03ee712d5d5137f5cd (diff) | |
download | krb5-8cdc21ef051f43ea8dcabf42540d5cff13b5adeb.tar.gz krb5-8cdc21ef051f43ea8dcabf42540d5cff13b5adeb.tar.xz krb5-8cdc21ef051f43ea8dcabf42540d5cff13b5adeb.zip |
Mention k5login_authoritative in k5login docs
In particular, it is set by default. This can lead to confusing
behavior wherein adding a k5login file removes a user's remote
access.
Make an example more concrete to account for this case.
ticket: 7876 (new)
target_version: 1.12.2
tags: pullup
-rw-r--r-- | doc/user/user_config/k5login.rst | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/doc/user/user_config/k5login.rst b/doc/user/user_config/k5login.rst index 00f5a5a3a..90e486593 100644 --- a/doc/user/user_config/k5login.rst +++ b/doc/user/user_config/k5login.rst @@ -18,7 +18,7 @@ EXAMPLES -------- Suppose the user ``alice`` had a .k5login file in her home directory -containing the following line: +containing just the following line: :: @@ -26,7 +26,12 @@ containing the following line: This would allow ``bob`` to use Kerberos network applications, such as ssh(1), to access ``alice``'s account, using ``bob``'s Kerberos -tickets. +tickets. In a default configuration (with **k5login_authoritative** set +to true in :ref:`krb5.conf(5)`), this .k5login file would not let +``alice`` use those network applications to access her account, since +she is not listed! With no .k5login file, or with **k5login_authoritative** +set to false, a default rule would permit the principal ``alice`` in the +machine's default realm to access the ``alice`` account. Let us further suppose that ``alice`` is a system administrator. Alice and the other system administrators would have their principals |