IPB
>  Man Pages > Unix > Solaris 10 11/06 > Section 5 > krb5_auth_rules man page

krb5_auth_rules man page

Section 5 - Solaris 10 11/06 Man Pages

Other operating system man pages available here

Advanced Search

Hopefully, this page is exactly what you are looking for, but if not, you can always find further assistance on Unix/Linux Forum!





Standards, Environments, and Macros            krb5_auth_rules(5)



NAME
     krb5_auth_rules - Overview of Kerberos V5 authorization

DESCRIPTION
     When kerberized versions of the  ftp,  rdist,  rcp,  rlogin,
     rsh, telnet, or ssh clients are used to connect to a server,
     the identity of the originating user must  be  authenticated
     to  the Kerberos V5 authentication system.Account access can
     then be authorized  if  appropriate  entries  exist  in  the
     ~/.k5login  file,  the  gsscred  table,  or  if  the default
     GSS/Kerberos authentication rules successfully map the  Ker-
     beros principal name to Unix login name.

     To avoid security problems,  the  ~/.k5login  file  must  be
     owned  by  the  remote  user  on  the  server  the client is
     attempting to access. The  file  should  contain  a  private
     authorization  list comprised of Kerberos principal names of
     the form principal/instance@realm. The /instance variable is
     optional in Kerberos principal names. For example, different
     principal    names    such    as    jdb@ENG.ACME.COM     and
     jdb/happy.eng.acme.com@ENG.ACME.COM  would  each  be  legal,
     though not equivalent, Kererbos principals.  The  client  is
     granted  access  if  the  ~/.k5login  file is located in the
     login directory of the remote user account and if  the  ori-
     ginating  user can be authenticated to one of the principals
     named in the file. See gkadmin(1M) and kadm5.acl(4) for more
     information on Kerberos principal names.

     When no ~/.k5login file is found in the remote user's  login
     account,  the Kerberos V5 principal name associated with the
     originating user is checked against the gsscred table. If  a
     gsscred  table  exists  and the principal name is matched in
     the table, access is granted if the Unix user ID  listed  in
     the  table  corresponds  to  the  user account the client is
     attempting to access. If the Unix user ID  does  not  match,
     access is denied. See gsscred(1M).

     For example, an originating user listed in the gsscred table
     with  the  principal name jdb@ENG.ACME.COM and the uid 23154
     is granted access to the jdb-user account if 23154  is  also
     the uid of jdb-user listed in the user account database. See
     passwd(4).

     Finally, if there is no ~/.k5login file and the Kerberos  V5
     identity  of  the  originating  user  is  not in the gsscred
     table, or if the gsscred table does not exist, the client is
     granted access to the account under the following conditions
     (default GSS/Kerberos auth rules):

       o  The user part of the authenticated  principal  name  is
          the  same  as  the  Unix  account name specified by the
          client.



SunOS 5.10          Last change: 07 Apr 2006                    1






Standards, Environments, and Macros            krb5_auth_rules(5)



       o  The realm part of the client and server are  the  same,
          unless  the  krb5.conf(4) auth_to_local_realm parameter
          is used to create equivalence.

       o  The Unix account name exists on the server.


     For example, if the originating user has the principal  name
     jdb@ENG.ACME.COM   and   if   the   server   is   in   realm
     SALES.ACME.COM, the client would be denied  access  even  if
     jdb  is  a valid account name on the server. This is because
     the realms SALES.ACME.COM and ENG.ACME.COM differ.

     The krb5.conf(4) auth_to_local_realm parameter also  affects
     authorization.  Non-default  realms  can be equated with the
     default realm for authenticated name-to-local name mapping.

FILES
     ~/.k5login      Per user-account authorization file.



     /etc/passwd     System account file.  This  information  may
                     also   be   in   a  directory  service.  See
                     passwd(4).



ATTRIBUTES
     See attributes(5) for a description of the following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Interface Stability         | Evolving                    |
    |_____________________________|_____________________________|


SEE ALSO
     ftp(1),  rcp(1),  rdist(1),  rlogin(1),  rsh(1),  telnet(1),
     gkadmin(1M),    gsscred(1M),   kadm5.acl(4),   krb5.conf(4),
     passwd(4), attributes(5), gss_auth_rules(5)












SunOS 5.10          Last change: 07 Apr 2006                    2

Man(1) output converted with man2html and wrapped by fishsponge

This page was generated on Wed Sep 12 11:27:50 GMT 2007

Your favourite pages:

No pages logged yet.
Trying to save cookie...

Top 10 most popular pages:

sqlite3 man page (5334 hits)
(openSUSE 10.2)

svn man page (5208 hits)
(FreeBSD 6.2)

adv_cap_autoneg man page (4870 hits)
(Solaris 10 11_06)

CPAN man page (4607 hits)
(Suse Linux 10.1)

ssh man page (4342 hits)
(Suse Linux 10.1)

ssh-socks5-proxy-connect man page (2876 hits)
(Solaris 10 11_06)

netcat man page (2717 hits)
(Suse Linux 10.1)

pprosetup man page (2487 hits)
(Solaris 10 11_06)

startproc man page (2471 hits)
(Suse Linux 10.1)

signal man page (2407 hits)
(Suse Linux 10.1)

Useful Links

Go Back

Visitor Statistics


Valid XHTML 1.0 Transitional     Valid CSS!

Partners: Cambridge Plus :: Pyrenees Golf Courses :: PIC Project Development :: <Link Available>
Unix Man Pages / Linux Man Pages :: HiFi Forum :: SIP VoIP Phone & Provider Reviews :: UNIX/Linux Forum Archives

More info on advertising on Unix/Linux Forum