Kerberos Client Version D.1.3.5.06 Release Notes
What Is New in This Version
Kerberos Client D.1.3.5.06 supports the following new features:
• Administrators can now patch the core Kerberos Client even if the
Web upgrade is installed on the system. Patch PHSS_34991 patches
the core Kerberos Client. This patch is a part of the KRB5CLIENT
bundle, and is a prerequisite for installing Kerberos Client
D.1.3.5.06.
• Administrators can now control the behavior of Kerberized login
applications that call the krb5_kuserok() API provided by the
libkrb5.so library. In earlier versions of Kerberos Client,
krb5_kuserok() checked the .k5login file in the user’s home
directory for access permissions. This enabled users to modify the
.k5login file and allow access to others.
Administrators can now create files with the name
.k5login.<username> in the /etc/krb5 directory. Administrators
can also create symbolic links pointing to the .k5login file in the
user’s home directory. If the /etc/krb5 directory does not exist,
krb5_kuserok() continues to check the .k5login file in the user’s
home directory. If the /etc/krb5 directory exists, the
krb5_kuserok() API ignores any corresponding .k5login files in
the user’s home directory while making authorization decisions. The
format of the entries in the new files in /etc/krb5 continues to be
the same as that of the .k5login file in the user’s home directory.
The following examples depict various scenarios:
Example 1-1 If the /etc/krb5 directory does not exist
If user1 attempts to log in, the krb5_kuserok() API processes the
.k5login file in the user’s home directory only if this file is owned by
the user or root. Only superusers must have permissions to write to this
file.
Example 1-2 The /etc/krb5/.k5login.user1 file exists
If user1 attempts to log in, the krb5_kuserok() API processes this file
only if it is owned by root. Only superusers must have permissions to
write to this file.
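The lookup and ownership rules above can be checked before rollout with a small audit script. This is an added example, not part of the release notes or of the Kerberos Client: the function names, output format and sample path /home/user1 are hypothetical, and it assumes an administrator-created symbolic link is checked at its target.

```shell
#!/bin/sh
# Added example: audits the file krb5_kuserok() consults under the rules in
# these release notes. Function names and output format are hypothetical.

# k5login_source ETC_DIR HOME_DIR USER
# Prints the path that decides access for USER.
k5login_source() {
    if [ -d "$1" ]; then
        # /etc/krb5 exists: the home-directory .k5login is ignored.
        printf '%s\n' "$1/.k5login.$3"
    else
        printf '%s\n' "$2/.k5login"
    fi
}

# k5login_audit ETC_DIR HOME_DIR USER USER_UID
# Prints OK, FAIL or MISSING plus the path; exit status 0, 1 or 2.
k5login_audit() (
    set -f                      # no globbing while splitting ls output
    etc_dir=$1 user_uid=$4
    f=$(k5login_source "$1" "$2" "$3")
    if [ ! -f "$f" ]; then
        # The notes do not describe this case, so it is only reported.
        echo "MISSING $f"; exit 2
    fi
    # -n: numeric owner; -L: follow an administrator-created symlink
    # (checking the link target is an assumption of this example).
    set -- $(ls -ldnL "$f")
    mode=$1 owner=$3
    if [ -d "$etc_dir" ]; then
        allowed="0"             # Example 1-2: must be owned by root
    else
        allowed="0 $user_uid"   # Example 1-1: owned by the user or root
    fi
    case " $allowed " in
        *" $owner "*) ;;
        *) echo "FAIL $f: owner uid $owner not permitted"; exit 1 ;;
    esac
    # Group- or world-writable modes let non-superusers edit the list.
    case $mode in
        ?????w*|????????w*) echo "FAIL $f: mode $mode is group/world writable"; exit 1 ;;
    esac
    echo "OK $f"
)

# Run as: sh audit.sh /etc/krb5 /home/user1 user1 "$(id -u user1)"
if [ $# -eq 4 ]; then k5login_audit "$@"; fi
```
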