From e52cd0c4da8586bed7325b56d50a1f0adf0130d9 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 12 Jun 2006 18:19:26 +0000 Subject: [PATCH] Document the authorization logic used in the absence of .k5login files. Remove all remaining references to .rhosts authentication; the code to implement this was already removed. Ticket: 2577 Version_Reported: 1.3.3 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18112 dc483132-0cff-0310-8789-dd5450dbe970 --- src/appl/bsd/klogind.M | 20 +++++++++----------- src/appl/bsd/kshd.M | 16 +++++++++------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/src/appl/bsd/klogind.M b/src/appl/bsd/klogind.M index a05406a74..de4cd342e 100644 --- a/src/appl/bsd/klogind.M +++ b/src/appl/bsd/klogind.M @@ -34,22 +34,26 @@ When a service request is received, the following protocol is initiated: .IP 1) Check authentication. .IP 2) -Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP -and \fI.rhosts\fP in the user's home directory. +Check authorization via the access-control files \fI.k5login\fP and +\fI.klogin\fP in the user's home directory. .IP 3) Prompt for password if any checks fail and the \fI-p\fP option was supplied. .PP If the authentication succeeds, login the user by calling the accompanying login.krb5 or /bin/login, according to the definition of -DO_NOT_USE_K_LOGIN. +DO_NOT_USE_K_LOGIN. .PP The configuration of \fIklogind\fP is done by command line arguments passed by inetd. The options are: .IP \fB\-5\fP 10 Allow Kerberos V5 authentication with the \fI.k5login\fP access control file to be trusted. If this authentication system is used by the client -and the authorization check is passed, then the user is allowed to log -in. +and the authorization check is passed, then the user is allowed to log in. +If the user has no \fI.k5login\fP file, the login will be authorized if +the results of krb5_aname_to_localname conversion matches the account +name. Unless special rules are configured, this will be true if and only +if the Kerberos principal of the connecting user is in the default local +realm and the principal portion matches the account name. .IP \fB\-4\fP Allow Kerberos V4 authentication with the \fI.klogin\fP access control @@ -107,12 +111,6 @@ clients--particularly clients predating the release of Kerberos V5 Beta5 (May 1995)--present bogus checksums that prevent Kerberos authentication from succeeding in the default mode. - -.PP -If the -~/.rhosts check is to be used, then the program verifies that the -client is connecting from a privileged port, before allowing login. - .PP The parent of the login process manipulates the master side of the pseduo terminal, operating as an intermediary between the login diff --git a/src/appl/bsd/kshd.M b/src/appl/bsd/kshd.M index 049660ee1..b6d50390a 100644 --- a/src/appl/bsd/kshd.M +++ b/src/appl/bsd/kshd.M @@ -37,8 +37,8 @@ When a service request is received, the following protocol is initiated: .IP 1) Authentication is checked .IP 2) -Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP -and \fI.rhosts\fP in the user's home directory. +Check authorization via the access-control files \fI.k5login\fP and +\fI.klogin\fP in the user's home directory. .IP 3) A null byte is returned on the initial socket and the command line is passed to the normal login @@ -53,8 +53,13 @@ by \fIinetd(8)\fP. .IP \fB\-5\fP 10 Allow Kerberos5 authentication with the \fI.k5login\fP access control file -to be trusted. If this authentication system is used by the client and the -authorization check is passed, then the user is allowed to log in. +to be trusted. If this authentication system is used by the client and +the authorization check is passed, then the user is allowed to log in. If +the user has no \fI.k5login\fP file, the login will be authorized if the +results of krb5_aname_to_localname conversion matches the account name. +Unless special rules are configured, this will be true if and only if the +Kerberos principal of the connecting user is in the default local realm +and the principal portion matches the account name. .IP \fB\-4\fP Allow Kerberos4 authentication with the \fI.klogin\fP access control file @@ -107,9 +112,6 @@ Beta5 (May 1995)--present bogus checksums that prevent Kerberos authentication from succeeding in the default mode. -.PP -If the \fB\-r\fP or \fB\-R\fP options are used, the client must -connect from a privileged port. .PP \fIKrshd\fP supports six options which may be used for testing: -- 2.26.2