check the user's ~/.k5login.d directory for access files, all of which

is handled like the regular ~/.k5login


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15083 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/krb5/krb5_kuserok.3

@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003-2004 Kungliga Tekniska H<>gskolan
+.\" Copyright (c) 2003-2005 Kungliga Tekniska H<>gskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden).
 .\" All rights reserved.
 .\"
@@ -31,12 +31,12 @@
 .\"
 .\" $Id$
 .\"
-.Dd August 19, 2004
+.Dd May 4, 2005
 .Dt KRB5_KUSEROK 3
 .Os HEIMDAL
 .Sh NAME
 .Nm krb5_kuserok
-.Nd "verifies if a principal can log in as a user"
+.Nd "checks if a principal is permitted to login as a user"
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
@@ -67,10 +67,23 @@ The
 .Pa .k5login
 file must contain one principal per line, be owned by
 .Fa user ,
-and not be writable by group or other.
+and not be writable by group or other (but must be readable by
+anyone).
 .Pp
 Note that if the file exists, no implicit access rights are given to
 .Fa user Ns @ Ns Aq localrealm .
+.Pp
+Optionally, a set of files may be put in 
+.Pa ~/.k5login.d ( Ns
+a directory), in which case they will all be checked in the same
+manner as
+.Pa .k5login .
+The files may be called anything, but files starting with a hash
+.Dq ( # ) ,
+or ending with a tilde
+.Dq ( ~ )
+are ignored. Subdirectories are not traversed. Note that this
+directory may not be checked by other implementations.
 .Sh RETURN VALUES
 .Nm
 returns
@@ -78,6 +91,10 @@ returns
 if access should be granted,
 .Dv FALSE
 otherwise.
+.Sh HISTORY
+The
+.Pa ~/.k5login.d
+feature appeared in Heimdal 0.7.
 .Sh SEE ALSO
 .Xr krb5_get_default_realms 3 ,
 .Xr krb5_verify_user 3 ,