[16229] in Kerberos_V5_Development
Re: Processing .k5login (another patch)
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Sep 1 18:50:01 2010
From: Russ Allbery <rra@stanford.edu>
To: "krbdev@mit.edu" <krbdev@mit.edu>
In-Reply-To: <20100901224053.GD20547@mournblade.imrryr.org> (Roland
C. Dowdeswell's message of "Wed, 1 Sep 2010 23:40:53 +0100")
Date: Wed, 01 Sep 2010 15:49:57 -0700
Message-ID: <87eiddt6y2.fsf@windlord.stanford.edu>

"Roland C. Dowdeswell" <elric@imrryr.org> writes:
> On Wed, Sep 01, 2010 at 03:35:41PM -0700, Russ Allbery wrote:

>> Can that support the case where multiple principals are authorized to
>> log on to the local account? The use case I have in mind is for
>> things like the oracle account.

> Yes. The BDB is a hash of principal to local name. Local name
> can be the same for multiple principals.

The common scenario here is for all the DBAs to have their own individual
accounts on the system with their individual .k5login files, plus all have
access to the oracle account via .k5login. Maybe it's a failure of the
imagination, but I don't see how any hash of one value to one other value
would work for that. I think multiple values would have to be allowed.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
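
Added example, not part of the original message or of the patch under discussion: a Python sketch of the data-model point raised above, assuming the proposed database behaves like a plain key/value hash with unique principal keys. The principals, realm and .k5login contents are constructed sample data, and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: local account -> contents of its .k5login
# (one principal per line). Principals and realm are made up.
K5LOGIN_FILES = {
    "alice": "alice@EXAMPLE.ORG\n",
    "bob": "bob@EXAMPLE.ORG\n",
    "oracle": "alice@EXAMPLE.ORG\nbob@EXAMPLE.ORG\n",
}

def grants_from_k5login(files):
    """Flatten .k5login contents into (principal, local_account) grants."""
    grants = []
    for account, text in files.items():
        for line in text.splitlines():
            principal = line.strip()
            if principal:
                grants.append((principal, account))
    return grants

def build_single_valued(grants):
    """Assumed model: principal -> one local name, unique keys.
    A later grant for the same principal overwrites the earlier one."""
    table = {}
    for principal, account in grants:
        table[principal] = account
    return table

def build_multi_valued(grants):
    """principal -> set of local names, so no grant is dropped."""
    table = defaultdict(set)
    for principal, account in grants:
        table[principal].add(account)
    return dict(table)

def lost_grants(grants, single):
    """Grants the single-valued table can no longer answer 'yes' to."""
    return [(p, a) for p, a in grants if single.get(p) != a]

def may_login_single(table, principal, account):
    return table.get(principal) == account

def may_login_multi(table, principal, account):
    return account in table.get(principal, set())

if __name__ == "__main__":
    grants = grants_from_k5login(K5LOGIN_FILES)
    print("dropped:", lost_grants(grants, build_single_valued(grants)))
```

Running `lost_grants` over the real set of .k5login files before a migration lists every authorization that a one-value-per-principal table would silently drop.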