KRB5 Client Version 1.3.5.03 Release Notes

What Is New in This Version
The following new feature is included in Kerberos Client 1.3.5.03:

Administrators can now control the behavior of Kerberized login applications that call the krb5_kuserok() API provided by the libkrb5.sl library. In earlier versions of Kerberos Client, krb5_kuserok() checked the .k5login file in the user’s home directory for access permissions. This enabled users to modify the .k5login file and allow access to others.

Administrators can now create files with the name .k5login.<username> in the /etc/krb5 directory. Administrators can also create symbolic links pointing to the .k5login file in the user’s home directory. If the /etc/krb5 directory does not exist, krb5_kuserok() continues to check the .k5login file in the user’s home directory. If the /etc/krb5 directory exists, the krb5_kuserok() API ignores any corresponding .k5login files in the user’s home directory while making authorization decisions. The format of the entries in the new files in /etc/krb5 continues to be the same as that of the .k5login file in the user’s home directory.

The following examples depict various scenarios:
Example 1-1 If the /etc/krb5 directory does not exist

If user1 attempts to log in, the krb5_kuserok() API processes the .k5login file in the user’s home directory only if this file is owned by the user or root. Only superusers must have permissions to write to this file.

Example 1-2 The /etc/krb5/.k5login.user1 file exists

If user1 attempts to log in, the krb5_kuserok() API processes this file only if it is owned by the user or root. Only superusers must have permissions to write to this file.

Example 1-3 If /etc/krb5/.k5login.user1 exists as a symbolic link to the .k5login file in the user’s home directory

If user1 attempts to log in, the krb5_kuserok() API processes /etc/krb5/.k5login.user1 only if it is owned by root, and if the .k5login file in the user’s home directory is owned by root or the user. Only superusers must have permissions to write to this file.
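As an added illustration (not code from these release notes or from libkrb5), the following Python models the lookup order and ownership rules of the three examples above, with the /etc/krb5 location made a parameter so the scenarios can be replayed in a temporary directory; kuserok_model and demo are hypothetical names, and the principals and files are constructed sample values.

```python
import os
import tempfile
ROOT_UID = 0

def _principals(path):
    # .k5login format: one Kerberos principal name per line
    with open(path) as fh:
        return {line.strip() for line in fh if line.strip()}

def kuserok_model(principal, username, uid, home, krb5_dir="/etc/krb5"):
    """Return (allowed, reason) following the 1.3.5.03 lookup order (model, not libkrb5)."""
    if not os.path.isdir(krb5_dir):                       # Example 1-1
        path = os.path.join(home, ".k5login")
        if not os.path.isfile(path):
            return False, "no .k5login in home directory"
        if os.stat(path).st_uid not in (uid, ROOT_UID):
            return False, "home .k5login not owned by user or root"
        return principal in _principals(path), path
    path = os.path.join(krb5_dir, ".k5login." + username)
    if not os.path.lexists(path):                         # home .k5login is ignored
        return False, path + " missing; home .k5login ignored"
    if os.path.islink(path) and os.lstat(path).st_uid != ROOT_UID:   # Example 1-3
        return False, path + " is a symlink not owned by root"
    if not os.path.isfile(path) or os.stat(path).st_uid not in (uid, ROOT_UID):
        return False, path + " not owned by user or root"   # Example 1-2
    return principal in _principals(path), path

def demo():
    """Constructed scenarios in a temp dir; every file is owned by the caller."""
    uid = os.getuid()
    res = {"is_root": uid == ROOT_UID}
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home", "user1")
        os.makedirs(home)
        with open(os.path.join(home, ".k5login"), "w") as fh:
            fh.write("user1@EXAMPLE.COM\nadmin@EXAMPLE.COM\n")   # user-edited grant
        krb5_dir = os.path.join(tmp, "etc", "krb5")
        admin_file = os.path.join(krb5_dir, ".k5login.user1")
        check = lambda p: kuserok_model(p, "user1", uid, home, krb5_dir)[0]
        res["no_dir"] = check("admin@EXAMPLE.COM")            # 1-1: home file honoured
        os.makedirs(krb5_dir)
        res["dir_no_file"] = check("admin@EXAMPLE.COM")       # home grant now ignored
        with open(admin_file, "w") as fh:
            fh.write("user1@EXAMPLE.COM\n")                    # 1-2: admin-managed list
        res["admin_file_user"] = check("user1@EXAMPLE.COM")
        res["admin_file_admin"] = check("admin@EXAMPLE.COM")
        os.remove(admin_file)
        os.symlink(os.path.join(home, ".k5login"), admin_file) # 1-3: symlink by caller
        res["user_symlink"] = check("admin@EXAMPLE.COM")       # allowed only if caller is root
    return res
```

The root-owned symlink case of Example 1-3 can only be shown failing here, because files created by an unprivileged caller are not owned by root; demo() reports is_root so the result can be read either way.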