su privileges

In an earlier example, we created a principal called jane with an instance root. This was based on a user with the same name as the principal, and this is a Kerberos default: a <principal>.<instance> of the form <username>.root will allow that <username> to su to root if the necessary entries are in the .klogin file in root's home directory:
grunt# cat /root/.klogin
jane.root@GRONDAR.ZA
Likewise, a user may have lines of the following form in the .klogin file in their own home directory:
[jane@grunt 10543] cat ~/.klogin
jane@GRONDAR.ZA
jack@GRONDAR.ZA
This allows anyone in the GRONDAR.ZA realm who has authenticated as jane or jack (via kinit, see above) to access jane's account or files on this system (grunt) via rlogin, rsh or rcp.
For example, Jane now logs into another system, using Kerberos:
[jane@grumble 573] kinit
MIT Project Athena (grunt.grondar.za)
Password:
[jane@grumble 574] rlogin grunt
Last login: Mon May 1 21:14:47 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995
[jane@grunt 10567]
Or Jack logs into Jane's account on the same machine (Jane having set up the .klogin file as above, and the person in charge of Kerberos having set up principal jack with a null instance):
[jack@grumble 573] kinit
[jack@grumble 574] rlogin grunt -l jane
MIT Project Athena (grunt.grondar.za)
Password:
Last login: Mon May 1 21:16:55 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995
[jane@grunt 10578]
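
An added example, not part of the original page or of Kerberos itself: a small Python audit of .klogin contents that lists every entry an administrator should review before leaving it in place. The function name, the review rules and the EXAMPLE.ORG entries are assumptions made for illustration; only the principal[.instance]@REALM syntax shown above is handled.

```python
import re

# Kerberos IV principal syntax as written on this page: name[.instance]@REALM
PRINCIPAL = re.compile(r"^([^.@\s]+)(?:\.([^.@\s]+))?@(\S+)$")

def audit_klogin(account, text, local_realm):
    """Return (entry, finding) pairs for the .klogin text of one account."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        match = PRINCIPAL.match(line)
        if match is None:
            findings.append((line, "not a principal[.instance]@REALM entry"))
            continue
        name, instance, realm = match.group(1), match.group(2) or "", match.group(3)
        if realm != local_realm:
            findings.append((line, "principal from another realm"))
        elif account == "root" and instance != "root":
            # Policy assumption: only <username>.root principals belong here.
            findings.append((line, "grants root without a root instance"))
        elif account != "root" and (name != account or instance):
            findings.append((line, f"another principal may log in as {account}"))
    return findings

# The two files shown on this page, plus one constructed file for contrast.
ROOT_KLOGIN = "jane.root@GRONDAR.ZA\n"
JANE_KLOGIN = "jane@GRONDAR.ZA\njack@GRONDAR.ZA\n"
CONSTRUCTED_ROOT_KLOGIN = (
    "jane.root@GRONDAR.ZA\njack@GRONDAR.ZA\njane.root@EXAMPLE.ORG\nnot an entry\n"
)

if __name__ == "__main__":
    for account, text in (("root", ROOT_KLOGIN), ("jane", JANE_KLOGIN),
                          ("root", CONSTRUCTED_ROOT_KLOGIN)):
        for entry, finding in audit_klogin(account, text, "GRONDAR.ZA"):
            print(f"~{account}/.klogin: {entry}: {finding}")
```

Run against the files on this page, root's .klogin produces no findings, while jane's reports the jack entry, which is exactly the delegation Jane intended and the kind of line worth confirming with the account owner.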