man pages section 7: Standards, Environments, Macros, Character Sets, and Miscellany

Updated: Wednesday, July 27, 2022

krb5_auth_rules (7)

Standards, Environments, and Macros                         krb5_auth_rules(7)

NAME
       krb5_auth_rules - overview of Kerberos V5 authorization

DESCRIPTION
       When kerberized versions of the ftp, rcp, rlogin, rsh, ssh, or telnet
       clients are used to connect to a server, the identity of the
       originating user must be authenticated to the Kerberos V5
       authentication system. Account access can then be authorized if
       appropriate entries exist in the ~/.k5login file or the gsscred table,
       or if the default GSS/Kerberos authentication rules successfully map
       the Kerberos principal name to a Unix login name.

       To avoid security problems, the ~/.k5login file must be owned by the
       remote user on the server the client is attempting to access. The
       file should contain a private authorization list comprised of
       Kerberos principal names of the form principal/instance@realm. The
       /instance part is optional in Kerberos principal names. For example,
       the principal names jdb@ENG.EXAMPLE.COM and
       jdb/happy.eng.example.com@ENG.EXAMPLE.COM would each be legal, though
       not equivalent, Kerberos principals. The client is granted access if
       the ~/.k5login file is located in the login directory of the remote
       user account and if the originating user can be authenticated as one
       of the principals named in the file. See kadm5.acl(5) for more
       information on Kerberos principal names.

       When no ~/.k5login file is found in the remote user's login account,
       the Kerberos V5 principal name associated with the originating user
       is checked against the gsscred table. If a gsscred table exists and
       the principal name is matched in the table, access is granted if the
       Unix user ID listed in the table corresponds to the user account the
       client is attempting to access. If the Unix user ID does not match,
       access is denied. See gsscred(8).

       For example, an originating user listed in the gsscred table with the
       principal name jdb@ENG.EXAMPLE.COM and the uid 23154 is granted
       access to the jdb-user account if 23154 is also the uid of jdb-user
       listed in the user account database. See passwd(5).

       Finally, if there is no ~/.k5login file and the Kerberos V5 identity
       of the originating user is not in the gsscred table, or if the
       gsscred table does not exist, the client is granted access to the
       account under the following conditions (default GSS/Kerberos auth
       rules):

           o      The user part of the authenticated principal name is the
                  same as the Unix account name specified by the client.

           o      The realm part of the client principal is the same as the
                  server's realm, unless the krb5.conf(5) auth_to_local_realm
                  parameter is used to create equivalence.

           o      The Unix account name exists on the server.

       For example, if the originating user has the principal name
       jdb@ENG.EXAMPLE.COM and the server is in realm SALES.EXAMPLE.COM, the
       client would be denied access even if jdb is a valid account name on
       the server, because the realms SALES.EXAMPLE.COM and ENG.EXAMPLE.COM
       differ.

       The krb5.conf(5) auth_to_local_realm parameter also affects
       authorization: non-default realms can be equated with the default
       realm for authenticated-name-to-local-name mapping.
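       The three-step decision described above (~/.k5login, then the gsscred
       table, then the default GSS/Kerberos auth rules) is modelled below as
       an added example. It is not Solaris or MIT Kerberos code: the
       Principal, Account and Server classes and the authorize() function
       are this example's own names, and the ~/.k5login contents, gsscred
       entries and passwd records are constructed in-memory stand-ins. The
       model consults gsscred only when no ~/.k5login exists, falls through
       to the default rules only when the principal is absent from gsscred,
       and, as its own assumption, refuses a ~/.k5login that is not owned by
       the remote user instead of trusting it.

```python
"""Model of the krb5_auth_rules(7) authorization sequence.

Added illustration only; this is not Solaris or MIT Kerberos code. The
~/.k5login contents, gsscred table and passwd database are constructed
in-memory stand-ins, so nothing is read from the real system.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Principal:
    """A Kerberos principal name of the form user[/instance]@realm."""
    user: str
    instance: Optional[str]
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        name, sep, realm = text.rpartition("@")
        if not sep or not name or not realm:
            raise ValueError(f"malformed principal: {text!r}")
        user, _, instance = name.partition("/")  # /instance is optional
        return cls(user, instance or None, realm)


@dataclass
class Account:
    name: str
    uid: int


@dataclass
class Server:
    realm: str                               # the server's default realm
    passwd: Dict[str, Account]               # stand-in for passwd(5)
    gsscred: Dict[str, int] = field(default_factory=dict)  # principal -> uid
    # ~/.k5login per account: (uid owning the file, principals listed in it)
    k5login: Dict[str, Tuple[int, List[str]]] = field(default_factory=dict)
    # realms equated with the default realm via krb5.conf auth_to_local_realm
    equivalent_realms: FrozenSet[str] = frozenset()


def authorize(server: Server, principal_text: str, account_name: str) -> Tuple[bool, str]:
    """Return (granted, reason) for a client authenticated as principal_text
    asking for account_name, following the three steps of krb5_auth_rules(7)."""
    principal = Principal.parse(principal_text)
    account = server.passwd.get(account_name)

    # Step 1: a ~/.k5login in the target account's login directory decides.
    if account_name in server.k5login:
        owner_uid, entries = server.k5login[account_name]
        # Assumption of this model: a file not owned by the remote user is
        # refused outright rather than trusted (the page requires ownership).
        if account is None or owner_uid != account.uid:
            return False, "~/.k5login is not owned by the remote user"
        if principal_text in entries:
            return True, "principal is listed in ~/.k5login"
        return False, "~/.k5login exists but does not list the principal"

    # Step 2: gsscred maps principal -> uid; the uid must be the account's.
    mapped_uid = server.gsscred.get(principal_text)
    if mapped_uid is not None:
        if account is not None and mapped_uid == account.uid:
            return True, f"gsscred maps principal to uid {mapped_uid}"
        return False, f"gsscred uid {mapped_uid} does not match the requested account"

    # Step 3: default GSS/Kerberos auth rules.
    if principal.user != account_name:
        return False, "user part of the principal differs from the account name"
    if principal.realm != server.realm and principal.realm not in server.equivalent_realms:
        return False, f"realm {principal.realm} differs from server realm {server.realm}"
    if account is None:
        return False, "account does not exist on the server"
    return True, "default rules: user part, realm and account all match"


def demo_server() -> Server:
    """Constructed sample data; names and uids follow the man page's examples."""
    return Server(
        realm="SALES.EXAMPLE.COM",
        passwd={
            "jdb": Account("jdb", 1001),
            "jdb-user": Account("jdb-user", 23154),
            "ops": Account("ops", 2000),
        },
        gsscred={"jdb@ENG.EXAMPLE.COM": 23154},
        k5login={"ops": (2000, ["jdb/happy.eng.example.com@ENG.EXAMPLE.COM"])},
    )


if __name__ == "__main__":
    srv = demo_server()
    for who, acct in [("jdb@ENG.EXAMPLE.COM", "jdb-user"),
                      ("jdb@ENG.EXAMPLE.COM", "jdb"),
                      ("jdb@SALES.EXAMPLE.COM", "jdb"),
                      ("jdb/happy.eng.example.com@ENG.EXAMPLE.COM", "ops")]:
        print(who, "->", acct, authorize(srv, who, acct))
```

       With the constructed data, jdb@ENG.EXAMPLE.COM reaches jdb-user via
       the gsscred uid 23154 but is refused the jdb account (uid 1001)
       because the mapped uid differs, and jdb@ENG.EXAMPLE.COM is refused a
       server in realm SALES.EXAMPLE.COM unless ENG.EXAMPLE.COM is listed in
       equivalent_realms, which is the effect the page attributes to
       auth_to_local_realm.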

FILES
       ~/.k5login     Per-user-account authorization file.

       /etc/passwd    System account file. This information may also be in
                      a directory service. See passwd(5).

ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:

       |ATTRIBUTE TYPE | ATTRIBUTE VALUE        |
       |Availability   | security/kerberos-5    |
       |Stability      | Pass-through committed |

SEE ALSO
       ftp(1), rcp(1), rsh(1), telnet(1), kadm5.acl(5), krb5.conf(5),
       passwd(5), attributes(7), gss_auth_rules(7), gsscred(8)

NOTES
       Source code for open source software components in Oracle Solaris can
       be found at https://www.oracle.com/downloads/opensource/solaris-source-

       This software was built from source available at
       https://github.com/oracle/solaris-userland. The original community
       source was downloaded from http://web.mit.edu/ker-

       Further information about this software can be found on the open
       source community website at http://web.mit.edu/kerberos/.

Solaris 11.4                      21 Jun 2021               krb5_auth_rules(7)