author | Will Fiveash <will.fiveash@oracle.com> |
Wed, 24 Feb 2016 10:43:57 -0600 | |
changeset 5490 | 9bf0bc57423a |
child 6621 | 08009c15e349 |
permissions | -rw-r--r-- |
5490
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
1 |
'\" te |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
2 |
.\" Copyright (c) 2004, Sun Microsystems, Inc. All Rights Reserved |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
3 |
.TH gss_auth_rules 5 "13 Apr 2004" "SunOS 5.12" "Standards, Environments, and Macros" |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
4 |
.SH NAME |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
5 |
gss_auth_rules \- overview of GSS authorization |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
6 |
.SH DESCRIPTION |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
7 |
.sp |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
8 |
.LP |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
9 |
The establishment of the veracity of a user's credentials requires both authentication (Is this an authentic user?) and authorization (Is this authentic user, in fact, authorized?). |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
10 |
.sp |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
11 |
.LP |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
12 |
When a user makes use of Generic Security Services (GSS) versions of the \fBftp\fR or \fBssh\fR clients to connect to a server, the user is not necessarily authorized, even if his claimed GSS identity is authenticated, Authentication merely establishes that the user is who he says he is to the GSS mechanism's authentication system. Authorization is then required: it determines whether the GSS identity is permitted to access the specified Solaris user account. |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
13 |
.sp |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
14 |
.LP |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
15 |
The GSS authorization rules are as follows: |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
16 |
.RS +4 |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
17 |
.TP |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
18 |
.ie t \(bu |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
19 |
.el o |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
20 |
If the mechanism of the connection has a set of authorization rules, then use those rules. For example, if the mechanism is Kerberos, then use the \fBkrb5_auth_rules\fR(5), so that authorization is consistent between raw Kerberos applications and GSS/Kerberos applications. |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
21 |
.RE |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
22 |
.RS +4 |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
23 |
.TP |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
24 |
.ie t \(bu |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
25 |
.el o |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
26 |
If the mechanism of the connection does not have a set of authorization rules, then authorization is successful if the remote user's \fBgssname\fR matches the local user's \fBgssname\fR exactly, as compared by \fBgss_compare_name\fR(3GSS). |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
27 |
.RE |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
28 |
.SH FILES |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
29 |
.sp |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
30 |
.ne 2 |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
31 |
.mk |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
32 |
.na |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
33 |
\fB\fB/etc/passwd\fR\fR |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
34 |
.ad |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
35 |
.RS 15n |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
36 |
.rt |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
37 |
System account file. This information may also be in a directory service. See \fBpasswd\fR(4). |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
38 |
.RE |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
39 |
|
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
40 |
.SH ATTRIBUTES |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
41 |
.sp |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
42 |
.LP |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
43 |
See \fBattributes\fR(5) for a description of the following attributes: |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
44 |
.sp |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
45 |
|
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
46 |
.sp |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
47 |
.TS |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
48 |
tab() box; |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
49 |
cw(2.75i) |cw(2.75i) |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
50 |
lw(2.75i) |lw(2.75i) |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
51 |
. |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
52 |
ATTRIBUTE TYPEATTRIBUTE VALUE |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
53 |
_ |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
54 |
Interface StabilityCommitted |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
55 |
.TE |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
56 |
|
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
57 |
.SH SEE ALSO |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
58 |
.sp |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
59 |
.LP |
9bf0bc57423a
PSARC/2015/144 Kerberos 1.13 Delivery to Userland
Will Fiveash <will.fiveash@oracle.com>
parents:
diff
changeset
|
60 |
\fBftp\fR(1), \fBssh\fR(1), \fBgsscred\fR(1M), \fBgss_compare_name\fR(3GSS), \fBpasswd\fR(4), \fBattributes\fR(5), \fBkrb5_auth_rules\fR(5) |