On 08/21/2013 01:28 PM, Ben H wrote:
> So how exactly is krb5_kuserok determining luser ?

It's not.  krb5_kuserok receives the local username as input.  The
application is deciding which value to pass.

> Also - I'm not sure about your reference to k5login_directory?  Did you mean
> to recommend it as an alternative to homedir stored .k5login files?
> If so - thanks for the pointer.  While there are some situations that a
> .k5login is necessary for, I feel that in general they are
> an unnecessary risk and burden to utilize.
> E.g. - a user can grant another user access to his account without any
> administrative intervention (KerberosUseKuserok in ssh can prevent).

With k5login_directory, you can store .k5login files in a directory
owned by root, thus preventing users from granting access to their own
accounts.

It may still be burdensome to have to create the .k5login files, but if
they are the only option, k5login_directory may make it a little easier,
depending on the details of your situation.

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
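
Added example, not part of the original message or of MIT Kerberos: an audit of a k5login_directory tree for the property described above, namely that neither the directory nor the per-user files in it (named after the local username) can be modified by anyone but root. The function name, the sample tree and the principals are constructed for illustration, and the demo substitutes the current uid for root so it runs unprivileged.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group and other


def audit_k5login_dir(path, trusted_uid=0):
    """Return (path, problem) findings for a k5login_directory tree."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [(path, "not a directory")]
    findings = []
    if st.st_uid != trusted_uid:
        findings.append((path, "directory not owned by trusted uid"))
    if st.st_mode & LOOSE:
        findings.append((path, "directory writable by group/other"))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        fst = os.lstat(full)  # lstat: do not follow symlinks
        if not stat.S_ISREG(fst.st_mode):
            # A symlink could point back into a user-writable home directory.
            findings.append((full, "not a regular file"))
            continue
        if fst.st_uid != trusted_uid:
            findings.append((full, "file not owned by trusted uid"))
        if fst.st_mode & LOOSE:
            findings.append((full, "file writable by group/other"))
    return findings


def demo():
    """Build a constructed sample tree and audit it twice."""
    uid = os.getuid()  # stands in for root so the demo runs unprivileged
    root = tempfile.mkdtemp()
    for name, mode in (("alice", 0o644), ("bob", 0o666)):
        p = os.path.join(root, name)
        with open(p, "w") as f:
            f.write(name + "@EXAMPLE.COM\n")  # constructed principal
        os.chmod(p, mode)
    os.symlink("/home/carol/.k5login", os.path.join(root, "carol"))
    os.chmod(root, 0o755)
    tight = audit_k5login_dir(root, uid)
    os.chmod(root, 0o777)
    loose = audit_k5login_dir(root, uid)
    return tight, loose


if __name__ == "__main__":
    for label, result in zip(("0755", "0777"), demo()):
        print(label, [(os.path.basename(p), why) for p, why in result])
```

On a real host, call `audit_k5login_dir` with the directory named by `k5login_directory` in krb5.conf and the default `trusted_uid=0`; an empty list means only root can change who may log in to each account.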
