[28283] in CVS-changelog-for-Kerberos-V5
krb5 commit: Mention k5login_authoritative in k5login docs
daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Thu Mar 13 15:11:59 2014
Date: Thu, 13 Mar 2014 15:11:55 -0400
From: Benjamin Kaduk <kaduk@mit.edu>
Message-Id: <201403131911.s2DJBtlm023990@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
https://github.com/krb5/krb5/commit/8cdc21ef051f43ea8dcabf42540d5cff13b5adeb
commit 8cdc21ef051f43ea8dcabf42540d5cff13b5adeb
Author: Ben Kaduk <kaduk@mit.edu>
Date: Thu Mar 13 15:11:49 2014 -0400
Mention k5login_authoritative in k5login docs
In particular, it is set by default. This can lead to confusing
behavior wherein adding a k5login file removes a user's remote
access.
Make an example more concrete to account for this case.
ticket: 7876 (new)
target_version: 1.12.2
tags: pullup
doc/user/user_config/k5login.rst | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/doc/user/user_config/k5login.rst b/doc/user/user_config/k5login.rst
index 00f5a5a..90e4865 100644
--- a/doc/user/user_config/k5login.rst
+++ b/doc/user/user_config/k5login.rst
@@ -18,7 +18,7 @@ EXAMPLES
--------
Suppose the user ``alice`` had a .k5login file in her home directory
-containing the following line:
+containing just the following line:
::
@@ -26,7 +26,12 @@ containing the following line:
This would allow ``bob`` to use Kerberos network applications, such as
ssh(1), to access ``alice``'s account, using ``bob``'s Kerberos
-tickets.
+tickets. In a default configuration (with **k5login_authoritative** set
+to true in :ref:`krb5.conf(5)`), this .k5login file would not let
+``alice`` use those network applications to access her account, since
+she is not listed! With no .k5login file, or with **k5login_authoritative**
+set to false, a default rule would permit the principal ``alice`` in the
+machine's default realm to access the ``alice`` account.
Let us further suppose that ``alice`` is a system administrator.
Alice and the other system administrators would have their principals
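Review bot: The added sentence ending "since she is not listed!" explains why ``alice`` loses access but stops short of the remedy. Since the commit message describes this as confusing behavior that removes a user's remote access, I would add one sentence after it saying that ``alice`` needs to list her own principal in the .k5login file if she wants to keep using those applications while **k5login_authoritative** is true. The exclamation mark is also out of register for reference documentation; a period reads better. Finally, "a default rule would permit the principal ``alice`` in the machine's default realm" could state that this is the principal whose name matches the account name, so readers do not take it as specific to this one example.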