Kerberos introduction: config for users

User config files

The following files in your home directory can be used to control the behavior of Kerberos as it applies to your account (unless they have been disabled by your host's configuration): .k5login and .k5identity.


.k5login

The .k5login file, which resides in a user's home directory, contains a list of Kerberos principals, one per line. Anyone with valid tickets for a principal listed in the file is allowed host access with the UID of the user in whose home directory the file resides. One common use is to place a .k5login file in root's home directory, thereby granting system administrators remote root access to the host via Kerberos. Because the file is an access control list for the account, it should be writable only by the account owner or root; MIT krb5 will not honor a .k5login that is not owned by the user or by root.


Suppose the user alice had a .k5login file in her home directory containing just the following line:

bob@FOOBAR.ORG

This would allow bob to use Kerberos network applications, such as ssh(1), to access alice's account, using bob's Kerberos tickets. Note the edge case: in the default configuration (k5login_authoritative = true in krb5.conf), this .k5login file would not let alice use those applications to access her own account, since she is not listed. With k5login_authoritative = false, the default rule (alice@DEFAULT_REALM maps to the local user alice) would still permit alice to access her own account. Also, because bob authenticates with tickets for his own principal, bob@FOOBAR.ORG, he gains none of the privileges that require alice's tickets, such as root access to other hosts that list alice or the ability to change alice's password.
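The access decision described above, as an added example (this is not code from the page or from MIT krb5, and the function names and sample file contents are constructed for the demo): a small model of what a Kerberized service such as sshd decides when an authenticated client principal asks for a local account, including the k5login_authoritative edge case in which the account owner is locked out of her own account.

```python
"""Model of the access decision behind .k5login (MIT krb5_kuserok).

Added example, not code from the page or from MIT krb5. The function names
and the sample file contents are constructed for the demo; the rules are
the documented ones:
  * a principal listed in ~user/.k5login may obtain `user`'s UID;
  * with k5login_authoritative = true (the default) an existing .k5login is
    the only thing consulted, so an owner who is not listed is locked out
    of her own account;
  * otherwise, and whenever the file is absent, the default auth_to_local
    rule applies: name@DEFAULT_REALM maps to the local account `name`.
"""
from typing import Iterable, List, Optional, Tuple


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'name[/instance]@REALM' into (components, realm)."""
    if "@" not in principal:
        raise ValueError(f"principal has no realm: {principal!r}")
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def default_rule_allows(client_principal: str, local_user: str,
                        default_realm: str) -> bool:
    """Default auth_to_local mapping: only a single-component principal in
    the local default realm maps to the local account of the same name.
    alice/admin@REALM or alice@OTHER.REALM get nothing from this rule."""
    components, realm = parse_principal(client_principal)
    return realm == default_realm and components == [local_user]


def k5login_allows(k5login_lines: Optional[Iterable[str]],
                   client_principal: str, local_user: str,
                   default_realm: str, authoritative: bool = True) -> bool:
    """Decide whether `client_principal` (an authenticated client, e.g. the
    ssh user's ticket) may act as the local account `local_user`.

    k5login_lines is None when ~local_user/.k5login does not exist.
    Each line holds one complete principal and is compared as an exact
    string, so 'bob@FOOBAR.ORG' does not cover 'bob/admin@FOOBAR.ORG'.
    """
    if k5login_lines is not None:
        listed = {line.strip() for line in k5login_lines if line.strip()}
        if client_principal in listed:
            return True
        if authoritative:
            return False   # file exists and is authoritative: no fallback
    return default_rule_allows(client_principal, local_user, default_realm)


if __name__ == "__main__":
    # Constructed sample: alice's ~/.k5login holding the single line from the text.
    alice_k5login = ["bob@FOOBAR.ORG\n"]
    for who, auth in [("bob@FOOBAR.ORG", True), ("alice@FOOBAR.ORG", True),
                      ("alice@FOOBAR.ORG", False), ("bob/admin@FOOBAR.ORG", True)]:
        ok = k5login_allows(alice_k5login, who, "alice", "FOOBAR.ORG", auth)
        print(f"{who:24} authoritative={auth!s:5} -> {'allow' if ok else 'deny'}")
```

The model compares whole lines as exact principal strings, which is why a `.k5login` entry for `bob@FOOBAR.ORG` says nothing about `bob/admin@FOOBAR.ORG`: instances are distinct principals and must be listed separately.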

.k5identity


The .k5identity file, which resides in a user's home directory, contains a list of rules for selecting a client principal based on the server being accessed. These rules are used to choose a credential cache within the cache collection when possible.

Blank lines and lines beginning with # are ignored. Each line has the form:

principal field=value ...

If the server principal meets all of the field constraints, then principal is chosen as the client principal. The following fields are recognized:

realm

If the realm of the server principal is known, it is matched against value, which may be a pattern using shell wildcards. For host-based server principals, the realm will generally only be known if there is a [domain_realm] section in krb5.conf with a mapping for the hostname.

service

If the server principal is a host-based principal, its service component is matched against value, which may be a pattern using shell wildcards.

host

If the server principal is a host-based principal, its hostname component is converted to lower case and matched against value, which may be a pattern using shell wildcards.

If the server principal matches the constraints of multiple lines in the .k5identity file, the principal from the first matching line is used. If no line matches, credentials will be selected some other way, such as the realm heuristic or the current primary cache.

EXAMPLE

The following example .k5identity file selects the client principal alice@KRBTEST.COM if the server principal is within that realm, the principal alice/root@EXAMPLE.COM if the server host is within a servers subdomain, and the principal alice/mail@EXAMPLE.COM when accessing the IMAP service on mail.example.com:

alice@KRBTEST.COM       realm=KRBTEST.COM
alice/root@EXAMPLE.COM  host=*.servers.example.com
alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
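The selection rules and the example above, as an added example (not code from the page or from MIT krb5): a parser for the `principal field=value ...` line format and the first-match selection logic, including the detail that a `realm=` constraint can only match when the server's realm is known, either because the server principal carried one or because a [domain_realm] mapping supplies it. The function names are invented, and the [domain_realm] mapping is modelled as a plain dict constructed for the demo.

```python
"""Model of .k5identity client-principal selection.

Added example, not MIT krb5's code. It implements the documented rules:
each non-blank line not starting with # is `principal field=value ...`,
every field on a line must match the server principal, the first matching
line wins, the hostname is lowercased before matching, and values are
shell wildcard patterns. The realm of a host-based server principal is only
known if the principal carries one or [domain_realm] maps the host; the
mapping is passed in as a dict here (a constructed sample).
"""
import fnmatch
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, Dict[str, str]]
KNOWN_FIELDS = ("realm", "service", "host")


def parse_k5identity(text: str) -> List[Rule]:
    """Parse .k5identity text into (client_principal, {field: pattern}) rules."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        principal, *fields = line.split()
        constraints: Dict[str, str] = {}
        for field in fields:
            key, sep, pattern = field.partition("=")
            # Assumption of this model: a malformed or unknown field is an error
            # rather than a silently ignored constraint.
            if not sep or key not in KNOWN_FIELDS:
                raise ValueError(f".k5identity line {lineno}: bad field {field!r}")
            constraints[key] = pattern
        rules.append((principal, constraints))
    return rules


def host_realm(host: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Minimal [domain_realm] lookup: the exact hostname first, then each
    parent domain written with a leading dot, most specific first."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


def select_client_principal(rules: List[Rule], server_principal: str,
                            domain_realm: Dict[str, str]) -> Optional[str]:
    """Return the client principal chosen for a host-based server principal
    'service/hostname[@REALM]', or None when no line matches (the library
    would then fall back to other heuristics or the primary cache)."""
    name, _, realm = server_principal.partition("@")
    service, _, host = name.partition("/")
    if not host:
        return None   # this model only handles two-component host-based names
    host = host.lower()
    known_realm = realm or host_realm(host, domain_realm)
    values = {"realm": known_realm, "service": service, "host": host}
    for principal, constraints in rules:
        if all(values[f] is not None and fnmatch.fnmatchcase(values[f], p)
               for f, p in constraints.items()):
            return principal   # first matching line wins
    return None


# Constructed sample: the documented example file plus a [domain_realm] mapping.
K5IDENTITY = """\
# pick alice's plain principal for anything in KRBTEST.COM
alice@KRBTEST.COM       realm=KRBTEST.COM
alice/root@EXAMPLE.COM  host=*.servers.example.com
alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
"""
DOMAIN_REALM = {".krbtest.com": "KRBTEST.COM", "mail.example.com": "EXAMPLE.COM"}
RULES = parse_k5identity(K5IDENTITY)

if __name__ == "__main__":
    for server in ("host/db.krbtest.com", "host/Web01.Servers.Example.Com",
                   "imap/mail.example.com", "smtp/mail.example.com",
                   "host/db.krbtest.com@OTHER.COM"):
        print(f"{server:34} -> {select_client_principal(RULES, server, DOMAIN_REALM)}")
```

Two behaviours worth noticing when running it: `smtp/mail.example.com` matches nothing, because the third line requires `service=imap` and the second line's host pattern does not cover `mail.example.com`; and `host/db.krbtest.com` only selects `alice@KRBTEST.COM` because the `.krbtest.com` mapping makes the realm known, so without a [domain_realm] entry that line would never fire.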



krb5.conf

The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms.

Normally krb5.conf is installed in /etc. You can override the default location by setting the environment variable KRB5_CONFIG.


Structure

The krb5.conf file is set up in the style of a Windows INI file. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form:
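A parser for that structure, as an added example (not code from the page and not MIT's profile library, whose behaviour it only approximates): it reads `[section]` headers, `tag = value` relations, and relations whose value is a brace-enclosed group of further relations (the form used under [realms]), keeps repeated tags such as multiple `kdc =` lines, and exposes a `lookup()` walk over the result. The function names and the sample krb5.conf are constructed for the demo.

```python
"""Parser for the krb5.conf relation syntax.

Added example, not MIT krb5's profile library. It handles the documented
structure: [section] headers, `tag = value` relations, and relations whose
value is a { ... } group of further relations, with blank lines and lines
beginning with # or ; ignored. Repeated tags (several kdc = lines) are kept
in order. The sample configuration below is constructed for the demo.
"""
from typing import Any, Dict, List

Section = Dict[str, List[Any]]   # tag -> list of str values or nested groups


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    sections: Dict[str, Section] = {}
    current: Section = {}
    have_section = False
    stack: List[Section] = []          # innermost open { } group last
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            if stack:
                raise ValueError(f"line {lineno}: section header inside a {{ }} group")
            current = sections.setdefault(line[1:-1].strip(), {})
            have_section = True
            continue
        if not have_section:
            raise ValueError(f"line {lineno}: relation before any [section]")
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unmatched }}")
            stack.pop()
            continue
        tag, sep, value = (s.strip() for s in line.partition("="))
        if not sep or not tag:
            raise ValueError(f"line {lineno}: expected 'tag = value'")
        target = stack[-1] if stack else current
        if value == "{":
            group: Section = {}
            target.setdefault(tag, []).append(group)
            stack.append(group)
        else:
            target.setdefault(tag, []).append(value)
    if stack:
        raise ValueError("unterminated { } group at end of file")
    return sections


def lookup(conf: Dict[str, Section], section: str, *tags: str) -> List[str]:
    """Return every string value reached by section/tag/.../tag, descending
    through all groups carrying the intermediate tags (like profile_get_values)."""
    nodes: List[Section] = [conf.get(section, {})]
    for tag in tags[:-1]:
        nodes = [v for node in nodes for v in node.get(tag, []) if isinstance(v, dict)]
    return [v for node in nodes for v in node.get(tags[-1], []) if isinstance(v, str)]


# Constructed sample krb5.conf: defaults, one realm with two KDCs, host-to-realm map.
KRB5_CONF = """\
# constructed sample, not a real site's configuration
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    print("default_realm:", lookup(conf, "libdefaults", "default_realm"))
    print("EXAMPLE.COM kdcs:", lookup(conf, "realms", "EXAMPLE.COM", "kdc"))
    print(".example.com ->", lookup(conf, "domain_realm", ".example.com"))
```

The [domain_realm] section at the end is the piece the .k5identity `realm=` field depends on: without such a mapping for a host, the realm of a host-based server principal is unknown and realm constraints for it cannot match.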

