Kerberos Account Access by Multiple Users

2.0 - Updated on 2021-02-23 by Carlos Salazar (Inactive)

1.0 - Authored on 2017-06-15 by Jacob Spangler (Inactive)


Intended for:

Kerberos users and system administrators.

 


Scenario/Use case:

Kerberos provides a way to grant login access to one account to multiple users, each authenticating with his or her own principal, so that no password is ever shared. This article explains how to grant that access with a .k5login file and how to restrict it to specific commands with a .k5users file.

 


Instructions:

Account Access by Multiple Users

Kerberos provides a way to grant account login access to multiple users, each with his/her own principal. There must be a .k5login file in the target account's home directory listing those principals, and each user must obtain Kerberos credentials (kinit) for his or her own principal before logging into the target account.

Important: Kerberos requires that the .k5login and .k5users files be owned by the target account, be writable only by that account, and be located in the home directory of that account.

The .k5login File

The .k5login file is a text file that may exist in an account's home directory on a UNIX-like (Linux or macOS) machine. It contains a list of the principals who have permission to log into the account. Authenticated principals that are listed in the file can log in and use the account without limitations. A .k5login file is valid only on the individual strengthened host on which it resides.

Make sure that every principal that requires login access is listed in it, including your own FNAL.GOV principal! Put each principal on its own line, with no trailing blanks. Each principal must be complete and include the Kerberos realm (usually FNAL.GOV, but it could also be FERMI.WIN.FNAL.GOV); an entry without a realm never matches anyone.

Note that the .k5login file must be owned by the target account and writable only by that account (mode 600 or 644, for example).

On some systems you may also need to run restorecon -F ~/.k5login ~/.k5users to set the SELinux file context. If your home area is not in the traditional location (for example /home1 instead of /home), you may first need to run sudo semanage fcontext -a -e /home /home1, which tells SELinux to label /home1 like /home, before running restorecon.

If a .k5login file exists, it overrides all other rules for granting login access: only the principals listed in it can log in, and that includes the account owner.

Do you need a .k5login file?

As long as the only principal to log into your account is your own FNAL.GOV principal, and your principal matches your login id, you don't need a .k5login file. If other principals need login access to the account, and/or if your login id doesn't match your principal, you need one. And it must include your own principal!

If you want to be able to log in to your account from a Windows system in the FERMI domain, create a .k5login file with your FNAL.GOV principal (e.g. nagy@FNAL.GOV) and add a second entry with your username in the FERMI.WIN.FNAL.GOV realm (e.g. nagy@FERMI.WIN.FNAL.GOV).

If you want a cron job of your own running on another system to access your account, add the cron principal from that remote system (of the form user/cron/host@FNAL.GOV, as in the second sample below) to the local .k5login file.

Important rule to remember: if you are using a .k5login file in your account you must include your own FNAL.GOV principal or you will not be able to log into your own account!

Sample .k5login files (two separate files: the first for an account shared by several people, the second for a single user who logs in from several realms and from a cron job on flxi01.fnal.gov)

xsmith@FNAL.GOV
qjones@FNAL.GOV
jenniferp@FNAL.GOV
jpedersen@MYUNIV.EDU

nagy@FNAL.GOV
nagy@PILOT.FNAL.GOV
nagy@FERMI.WIN.FNAL.GOV
nagy/cron/flxi01.fnal.gov@FNAL.GOV

 
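The following script, added here as an example (it is not a Fermilab tool and not part of Kerberos), checks a .k5login file against the rules above: ownership by the target account, no group or world write permission, one complete principal with a realm per line, no trailing blanks, and the owner's own principal present. The function name check_k5login, its argument order and the messages are this example's own; it does not run restorecon or touch SELinux.

```bash
#!/bin/bash
# check_k5login: sanity-check a .k5login file against the rules in this
# article. Added example, not a Fermilab tool; the function name and the
# argument order are this example's own.
#
#   check_k5login FILE OWNER OWN_PRINCIPAL
#
# Checks made:
#   1. FILE is owned by OWNER (the target account) and is not writable
#      by group or others
#   2. every non-empty line is one complete principal with a realm and
#      has no trailing blanks
#   3. OWN_PRINCIPAL (the owner's own principal) is listed, otherwise the
#      owner is locked out once the file exists
# Exit status 0 when everything passes, 1 otherwise; reasons go to stderr.

check_k5login() {
    file=$1
    owner=$2
    own_princ=$3
    rc=0
    tab=$(printf '\t')

    if [ ! -f "$file" ]; then
        echo "$file: no such file" >&2
        return 1
    fi

    # 1. ownership: POSIX find -user prints the path only when the owner matches
    if [ -z "$(find "$file" -user "$owner" -print 2>/dev/null)" ]; then
        echo "$file: not owned by $owner" >&2
        rc=1
    fi

    # 1. permissions: in the ls -l mode string, column 6 is the group write
    #    bit and column 9 the other write bit
    mode=$(ls -ld "$file" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*)
            echo "$file: writable by group or others ($mode)" >&2
            rc=1 ;;
    esac

    # 2. and 3. walk the file line by line
    lineno=0
    found_self=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            '') continue ;;                        # blank line, ignore
            *' '|*"$tab")                          # trailing blank never matches
                echo "$file:$lineno: trailing blank after '$line'" >&2
                rc=1
                continue ;;
        esac
        case "$line" in
            *@?*) ;;                               # has a realm
            *)
                echo "$file:$lineno: no realm in '$line'" >&2
                rc=1
                continue ;;
        esac
        [ "$line" = "$own_princ" ] && found_self=1
    done < "$file"

    if [ "$found_self" -eq 0 ]; then
        echo "$file: owner's own principal $own_princ is missing" >&2
        rc=1
    fi
    return "$rc"
}
```

Run it as the account owner, for example check_k5login ~/.k5login "$(id -un)" "$(id -un)@FNAL.GOV"; a non-zero exit together with the printed reasons means the file breaks one of the rules above, most importantly that it would lock you out of your own account.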

About Group or Shared Accounts

Sharing of any Kerberos password is a violation of Fermilab policy. Therefore, a multiple-user account must have a .k5login file in its home directory containing an entry for each user that needs to log into the account. The account may have but does not need a corresponding principal.

Users log in to the multiple-user account as follows:

  1. Authenticate to Kerberos (kinit) under your own principal.
  2. Log in to the multiple-user account, naming it on the connection program's command line, and forward your ticket. With OpenSSH, ticket forwarding is requested with -K (or GSSAPIDelegateCredentials yes in ssh_config); note that OpenSSH's -f only sends the session to the background after authentication and does not forward anything, e.g.,

    % ssh -K -l <group-account-name> <host>

  3. Once the ticket has been forwarded, you're logged on under the group account name, but your Kerberos credentials (check with klist) are still those of your own principal, so the session remains attributable to you.

The .k5users File

If you want to give another principal restricted access to your account (access only via ksu; see section Kerberized su (ksu)), create a .k5users file. The .k5users file has the same format as the .k5login file, except that each principal may be followed by a list of commands, which restricts that principal to those commands, and the file is consulted only by the ksu command.

Here is a sample .k5users file:

firstuser@MYUNIV.EDU /bin/ls /usr/bin/more
seconduser@MYUNIV.EDU /bin/ls
jenniferp@FNAL.GOV
jpedersen@MYUNIV.EDU

This restricts the first two principals to the commands shown (seconduser@MYUNIV.EDU to /bin/ls only) and, because their lines list no commands, prohibits jenniferp@FNAL.GOV and jpedersen@MYUNIV.EDU from executing any command through ksu.
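To make the .k5users rules concrete, here is an added example (it is not ksu itself and not Fermilab code) of the lookup described above: it reads a .k5users file and decides whether a principal may run a given command, treating an entry with no command list as allowing nothing, as stated above. It also models the rule that a principal listed in .k5login has unrestricted access. Assumptions: commands are compared as literal strings against the listed entries (ksu's own command matching is not reproduced), the function names k5users_allows and ksu_allowed are this example's own, and the ownership and permission checks are left out.

```bash
#!/bin/bash
# Model of the authorization lookup the article describes for ksu.
# Added example: this is not ksu and not Fermilab code. It assumes the
# .k5users format shown above, "principal [command ...]", treats a principal
# listed with no commands as allowed nothing (the article's reading), and
# compares commands as literal strings against the listed entries (ksu's
# own command matching is not reproduced). File ownership and permission
# checks are left out here.

# k5users_allows FILE PRINCIPAL COMMAND
# Exit status 0 if PRINCIPAL may run COMMAND according to FILE, 1 otherwise.
k5users_allows() {
    file=$1 princ=$2 cmd=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        # split the line on blanks; -f stops globbing of the pieces
        set -f
        set -- $line
        set +f
        [ "$#" -eq 0 ] && continue         # blank line
        [ "$1" = "$princ" ] || continue    # some other principal
        shift                              # what remains is the command list
        for allowed in "$@"; do
            [ "$allowed" = "$cmd" ] && return 0
        done
        return 1   # listed, but the command is not in the (possibly empty) list
    done < "$file"
    return 1       # principal not listed at all
}

# ksu_allowed K5LOGIN K5USERS PRINCIPAL COMMAND
# A principal listed in .k5login has unrestricted access, so any command is
# allowed; otherwise fall back to the .k5users command list.
ksu_allowed() {
    k5login=$1 k5users=$2 princ=$3 cmd=$4
    if [ -f "$k5login" ] && grep -qxF -- "$princ" "$k5login"; then
        return 0
    fi
    k5users_allows "$k5users" "$princ" "$cmd"
}
```

With the sample file above, k5users_allows FILE firstuser@MYUNIV.EDU /usr/bin/more succeeds, the same call for seconduser@MYUNIV.EDU fails because only /bin/ls is listed for that principal, and any call for jenniferp@FNAL.GOV fails because her line lists no commands.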
