Authorization
Kerberos V5 authorization is the process by which users verify that they may access remote accounts on specified servers. Authorization depends on successful user principal validation
through the Kerberos V5 authentication protocol.
For Kerberos V5 authorization to succeed, a mapping must exist on the application server that authorizes the user principal to operate as the login user. The term "login user'' refers to the user
whose account is being accessed on the remote host. This is not necessarily the same user who originally issued the kinit or dce_login command.
Assume David has already issued the kinit command. In this example, David enters the following command, in which Susan is the login user:
$ rlogin -l susan hostA
Authorization is successful if both of the following requirements are met:
· The login user must have an entry in the /etc/passwd file on the application server (remote host).
· One of the following conditions must be true:
- A $HOME/.k5login file must exist in the login user's home directory on the application server and contain an entry for the authenticated user principal. This file must be owned by the
login user, and only the login user can have write permission.
- A Kerberos V5 authorization name database file called /krb5/aname must exist on the application server and contain a mapping of the user principal to the login user. This condition
requires additional tools only available in a full Kerberos environment.
- The user name in the user principal must be the same as the login user name, and the client and server systems must be in the same realm.
|