Address code review comments (use .Xr and .Pa macros in krb5.conf.5)

This commit is contained in:
Nicolas Williams
2011-12-10 14:03:26 -06:00
parent e00b43a94b
commit 27ba7a5982

View File

@@ -267,38 +267,57 @@ needed. This option is provided for compatibility with MIT krb5
configuration files.
.It Li k5login_authoritative = Va boolean
If true then if a principal is not found in k5login files then
krb5_userok() will not fallback on principal to username mapping. This
option is provided for compatibility with MIT krb5 configuration files.
.Xr krb5_userok 3
will not fallback on principal to username mapping. This option is
provided for compatibility with MIT krb5 configuration files.
.It Li kuserok = Va rule ...
Specifies krb5_kuserok(3) behavior. If multiple values are given, then
krb5_kuserok(3) will evaluate them in order until one succeeds or all
fail. Rules are implemented by plugins, with three built-in plugins
Specifies
.Xr krb5_userok 3
behavior. If multiple values are given, then
.Xr krb5_userok 3
will evaluate them in order until one succeeds or all fail. Rules are
implemented by plugins, with three built-in plugins
described below. Default: USER-K5LOGIN SIMPLE DENY.
.It Li kuserok = Va DENY
If set and evaluated then krb5_userok(3) will deny access to the given
username no matter what the principal name might be.
If set and evaluated then
.Xr krb5_userok 3
will deny access to the given username no matter what the principal name
might be.
.It Li kuserok = Va SIMPLE
If set and evaluated then krb5_userok(3) will use principal to username
mapping (see auth_to_local below). If the principal maps to the
requested username then access is allowed.
If set and evaluated then
.Xr krb5_userok 3
will use principal to username mapping (see auth_to_local below). If
the principal maps to the requested username then access is allowed.
.It Li kuserok = Va SYSTEM-K5LOGIN[:directory]
If set and evaluated then krb5_userok(3) will use k5login files named
after the
If set and evaluated then
.Xr krb5_userok 3
will use k5login files named after the
.Va luser
argument to krb5_kuserok(3) in the given directory or in
/etc/k5login.d/. If a directory is given then tokens will be expanded;
the %{luser} token will be replaced with the
argument to
.Xr krb5_userok 3
in the given directory or in
.Pa /etc/k5login.d/ .
If a directory is given
then tokens will be expanded; the %{luser} token will be replaced with
the
.Va luser
argument to krb5_kuserok(3). K5login files are text files, with each
line containing just a principal name; principals apearing in a user's
k5login file are permitted access to the user's account. Note: this rule
performs no ownership nor permissions checks on k5login files; proper
ownership and permissions/ACLs are expected due to the system k5login
location being a system location.
argument to
.Xr krb5_userok 3 .
K5login files are text files, with each line containing just a principal
name; principals apearing in a user's k5login file are permitted access
to the user's account. Note: this rule performs no ownership nor
permissions checks on k5login files; proper ownership and
permissions/ACLs are expected due to the system k5login location being a
system location.
.It Li kuserok = Va USER-K5LOGIN
If set and evaluated then krb5_userok(3) will use ~luser/.k5login and
~luser/.k5login.d/*. User k5login files and directories must be owned by
the user and must not have world nor group write permissions.
If set and evaluated then
.Xr krb5_userok 3
will use
.Pa ~luser/.k5login
and
.Pa ~luser/.k5login.d/* .
User k5login files and directories must be owned by the user and must
not have world nor group write permissions.
.It Li aname2lname-text-db = Va filename
The named file must be a sorted (in increasing order) text file where
every line consists of an unparsed principal name optionally followed by