Address code review comments (use .Xr and .Pa macros in krb5.conf.5)
This commit is contained in:
@@ -267,38 +267,57 @@ needed. This option is provided for compatibility with MIT krb5
|
||||
configuration files.
|
||||
.It Li k5login_authoritative = Va boolean
|
||||
If true then if a principal is not found in k5login files then
|
||||
krb5_userok() will not fallback on principal to username mapping. This
|
||||
option is provided for compatibility with MIT krb5 configuration files.
|
||||
.Xr krb5_userok 3
|
||||
will not fallback on principal to username mapping. This option is
|
||||
provided for compatibility with MIT krb5 configuration files.
|
||||
.It Li kuserok = Va rule ...
|
||||
Specifies krb5_kuserok(3) behavior. If multiple values are given, then
|
||||
krb5_kuserok(3) will evaluate them in order until one succeeds or all
|
||||
fail. Rules are implemented by plugins, with three built-in plugins
|
||||
Specifies
|
||||
.Xr krb5_userok 3
|
||||
behavior. If multiple values are given, then
|
||||
.Xr krb5_userok 3
|
||||
will evaluate them in order until one succeeds or all fail. Rules are
|
||||
implemented by plugins, with three built-in plugins
|
||||
described below. Default: USER-K5LOGIN SIMPLE DENY.
|
||||
.It Li kuserok = Va DENY
|
||||
If set and evaluated then krb5_userok(3) will deny access to the given
|
||||
username no matter what the principal name might be.
|
||||
If set and evaluated then
|
||||
.Xr krb5_userok 3
|
||||
will deny access to the given username no matter what the principal name
|
||||
might be.
|
||||
.It Li kuserok = Va SIMPLE
|
||||
If set and evaluated then krb5_userok(3) will use principal to username
|
||||
mapping (see auth_to_local below). If the principal maps to the
|
||||
requested username then access is allowed.
|
||||
If set and evaluated then
|
||||
.Xr krb5_userok 3
|
||||
will use principal to username mapping (see auth_to_local below). If
|
||||
the principal maps to the requested username then access is allowed.
|
||||
.It Li kuserok = Va SYSTEM-K5LOGIN[:directory]
|
||||
If set and evaluated then krb5_userok(3) will use k5login files named
|
||||
after the
|
||||
If set and evaluated then
|
||||
.Xr krb5_userok 3
|
||||
will use k5login files named after the
|
||||
.Va luser
|
||||
argument to krb5_kuserok(3) in the given directory or in
|
||||
/etc/k5login.d/. If a directory is given then tokens will be expanded;
|
||||
the %{luser} token will be replaced with the
|
||||
argument to
|
||||
.Xr krb5_userok 3
|
||||
in the given directory or in
|
||||
.Pa /etc/k5login.d/ .
|
||||
If a directory is given
|
||||
then tokens will be expanded; the %{luser} token will be replaced with
|
||||
the
|
||||
.Va luser
|
||||
argument to krb5_kuserok(3). K5login files are text files, with each
|
||||
line containing just a principal name; principals apearing in a user's
|
||||
k5login file are permitted access to the user's account. Note: this rule
|
||||
performs no ownership nor permissions checks on k5login files; proper
|
||||
ownership and permissions/ACLs are expected due to the system k5login
|
||||
location being a system location.
|
||||
argument to
|
||||
.Xr krb5_userok 3 .
|
||||
K5login files are text files, with each line containing just a principal
|
||||
name; principals apearing in a user's k5login file are permitted access
|
||||
to the user's account. Note: this rule performs no ownership nor
|
||||
permissions checks on k5login files; proper ownership and
|
||||
permissions/ACLs are expected due to the system k5login location being a
|
||||
system location.
|
||||
.It Li kuserok = Va USER-K5LOGIN
|
||||
If set and evaluated then krb5_userok(3) will use ~luser/.k5login and
|
||||
~luser/.k5login.d/*. User k5login files and directories must be owned by
|
||||
the user and must not have world nor group write permissions.
|
||||
If set and evaluated then
|
||||
.Xr krb5_userok 3
|
||||
will use
|
||||
.Pa ~luser/.k5login
|
||||
and
|
||||
.Pa ~luser/.k5login.d/* .
|
||||
User k5login files and directories must be owned by the user and must
|
||||
not have world nor group write permissions.
|
||||
.It Li aname2lname-text-db = Va filename
|
||||
The named file must be a sorted (in increasing order) text file where
|
||||
every line consists of an unparsed principal name optionally followed by
|
||||
|
Reference in New Issue
Block a user