Implement k5login_directory and k5login_authoritative options

Add and document two new options for controlling k5login behavior.

ticket: 6792

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24402 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 14 insertions, 0 deletions

diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 8603b93ae..2a811de96 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -468,6 +468,20 @@ Sets the maximum allowable amount of clockskew in seconds that the
 library  will tolerate before assuming that a Kerberos message is
 invalid.  The default value is @value{DefaultClockskew}.
 
+@itemx k5login_authoritative
+If the value of this relation is true (the default), principals must
+be listed in a local user's k5login file to be granted login access,
+if a k5login file exists.  If the value of this relation is false, a
+principal may still be granted login access through other mechanisms
+even if a k5login file exists but does not list the principal.
+
+@itemx k5login_directory
+If set, the library will look for a local user's k5login file within the
+named directory, with a filename corresponding to the local username.
+If not set, the library will look for k5login files in the user's home
+directory, with the filename @code{.k5login}.  For security reasons,
+k5login files must be owned by the local user or by root.
+
 @itemx kdc_timesync
 If this is set to 1 (for true), then client machines will compute the
 difference between their time and the time returned by the KDC in the