.\"
.\" This software may now be redistributed outside the US.
.\"
.\"Copyright (C) 1989 by the Massachusetts Institute of Technology
.\"
.\"Export of this software from the United States of America is assumed
.\"to require a specific license from the United States Government.
.\"It is the responsibility of any person or organization contemplating
.\"export to obtain such a license before exporting.
.\"
.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
.\"distribute this software and its documentation for any purpose and
.\"without fee is hereby granted, provided that the above copyright
.\"notice appear in all copies and that both that copyright notice and
.\"this permission notice appear in supporting documentation, and that
.\"the name of M.I.T. not be used in advertising or publicity pertaining
.\"to distribution of the software without specific, written prior
.\"permission. M.I.T. makes no representations about the suitability of
.\"this software for any purpose. It is provided "as is" without express
.\"or implied warranty.
.\"
.\" $OpenBSD: kuserok.3,v 1.3 1998/02/18 11:54:04 art Exp $
.TH KUSEROK 3 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kuserok \- Kerberos version of ruserok
.SH SYNOPSIS
.nf
.nj
.ft B
#include <kerberosIV/krb.h>
.PP
.ft B
kuserok(auth_data, localuser)
AUTH_DAT *auth_data;
char *localuser;
.fi
.ft R
.SH DESCRIPTION
.I kuserok
determines whether a Kerberos principal described by the structure
.I auth_data
is authorized to log in as user
.I localuser
according to the authorization file
("~\fIlocaluser\fR/etc/kerberosIV/master_keylogin" by default). It returns 0 (zero) if authorized,
1 (one) if not authorized.
.PP
If there is no account for
.I localuser
on the local machine, authorization is not granted.
If there is no authorization file, and the Kerberos principal described
by
.I auth_data
translates to
.I localuser
(using
.IR krb_kntoln (3)),
authorization is granted.
If the authorization file
can't be accessed, or the file is not owned by
.IR localuser ,
authorization is denied. Otherwise, the file is searched for
a matching principal name, instance, and realm. If a match is found,
authorization is granted, else authorization is denied.
.PP
The file entries are in the format:
.nf
.in +5n
name.instance@realm
.in -5n
.fi
with one entry per line.
.SH SEE ALSO
kerberos(3), ruserok(3), krb_kntoln(3)
.SH FILES
.TP 20n
~\fIlocaluser\fR/etc/kerberosIV/master_keylogin
authorization list