Go to main content

man pages section 7: Standards, Environments, Macros, Character Sets, and Miscellany

Exit Print View

Updated: Thursday, June 13, 2019

krb5_auth_rules (7)


krb5_auth_rules - overview of Kerberos V5 authorization


Please see following description for synopsis


Standards, Environments, and Macros                         krb5_auth_rules(7)

       krb5_auth_rules - overview of Kerberos V5 authorization

       When  kerberized versions of the ftp, rcp, rlogin, rsh, ssh, telnet, or
       ssh clients are used to connect to a server, the identity of the origi-
       nating  user  must  be  authenticated to the Kerberos V5 authentication
       system. Account access can then be authorized  if  appropriate  entries
       exist  in  the  ~/.k5login  file,  the gsscred table, or if the default
       GSS/Kerberos authentication rules successfully map the Kerberos princi-
       pal name to Unix login name.

       To  avoid  security  problems, the ~/.k5login file must be owned by the
       remote user on the server the client is attempting to access. The  file
       should contain a private authorization list comprised of Kerberos prin-
       cipal names of the form principal/instance@ realm. The /instance  vari-
       able  is  optional  in Kerberos principal names. For example, different
       principal      names      such      as       jdb@ENG.ACME.COM       and
       jdb/happy.eng.acme.com@ENG.ACME.COM  would  each  be  legal, though not
       equivalent, Kerberos principals. The client is granted  access  if  the
       ~/.k5login  file  is  located in the login directory of the remote user
       account and if the originating user can be authenticated to one of  the
       principals  named in the file. See kadm5.acl(4) for more information on
       Kerberos principal names.

       When no ~/.k5login file is found in the remote  user's  login  account,
       the  Kerberos V5 principal name associated with the originating user is
       checked against the gsscred table. If a gsscred table  exists  and  the
       principal  name  is matched in the table, access is granted if the Unix
       user ID listed in the table corresponds to the user account the  client
       is  attempting to access. If the Unix user ID does not match, access is
       denied. See gsscred(1M).

       For example, an originating user listed in the gsscred table  with  the
       principal name jdb@ENG.ACME.COM and the uid  23154 is granted access to
       the jdb-user account if 23154 is also the uid of jdb-user listed in the
       user account database. See passwd(5).

       Finally, if there is no ~/.k5login file and the Kerberos V5 identity of
       the originating user is not in the gsscred table, or if the gsscred ta-
       ble  does  not exist, the client is granted access to the account under
       the following conditions (default GSS/Kerberos auth rules):

           o      The user part of the authenticated  principal  name  is  the
                  same as the Unix account name specified by the client.

           o      The realm part of the client and server are the same, unless
                  the krb5.conf(4)  auth_to_local_realm parameter is  used  to
                  create equivalence.

           o      The Unix account name exists on the server.

       For   example,   if   the  originating  user  has  the  principal  name
       jdb@ENG.ACME.COM and if the server  is  in  realm  SALES.ACME.COM,  the
       client  would  be  denied access even if jdb is a valid account name on
       the server. This is because the realms SALES.ACME.COM and  ENG.ACME.COM

       The krb5.conf(4)  auth_to_local_realm parameter also affects authoriza-
       tion. Non-default realms can be equated  with  the  default  realm  for
       authenticated name-to-local name mapping.

       ~/.k5login     Per user-account authorization file.

       /etc/passwd    System  account  file. This information may also be in a
                      directory service. See passwd(5).

       See attributes(7) for descriptions of the following attributes:

       |Availability   | security/kerberos-5    |
       |Stability      | Pass-through committed |
       ftp(1),   rcp(1),   rsh(1),   telnet(1),   gsscred(1M),   kadm5.acl(4),
       krb5.conf(4), passwd(5), attributes(7), gss_auth_rules(5)

       This     software     was    built    from    source    available    at
       https://github.com/oracle/solaris-userland.   The  original   community
       source      was      downloaded      from      https://web.mit.edu/ker-

       Further information about this software can be found on the open source
       community website at https://web.mit.edu/kerberos/.

Solaris 11.4                      5 Jun 2012                krb5_auth_rules(7)