ae77177087
several new kerberos related libraries and applications to FreeBSD:

o kgetcred(1) allows one to manually get a ticket for a particular service.
o kf(1) securely forwards a ticket to another host through an authenticated and encrypted stream.
o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1) and other user kerberos operations. klist and kswitch are just symlinks to kcc(1) now.
o kswitch(1) allows you to easily switch between kerberos credentials if you're running KCM.
o hxtool(1) is a certificate management tool to use with PKINIT.
o string2key(1) maps a password into a key.
o kdigest(8) is a userland tool to access the KDC's digest interface.
o kimpersonate(8) creates a "fake" ticket for a service.

We also now install manpages for some libraries that were not installed before, libheimntlm and libhx509.

- The new HEIMDAL version no longer supports Kerberos 4. All users are recommended to switch to Kerberos 5.
- Weak ciphers are now disabled by default. To enable DES support (used by telnet(8)), use the "allow_weak_crypto" option in krb5.conf.
- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings disabled due to the function they use (krb5_get_err_text(3)) being deprecated. I plan to work on this next.
- Heimdal's KDC now requires sqlite to operate. We use the bundled version and install it as libheimsqlite. If some other FreeBSD components will require it in the future we can rename it to libbsdsqlite and use it for these components as well.
- This is not the latest Heimdal version; the new one was released while I was working on the update. I will update it to 1.5.2 soon, as it fixes some important bugs and security issues.
253 lines
6.9 KiB
Groff
.\" $Id$
.\"
.Dd April 22, 2005
.Dt LOGIN 1
.Os HEIMDAL
.Sh NAME
.Nm login
.Nd authenticate a user and start a new session
.Sh SYNOPSIS
.Nm
.Op Fl fp
.Op Fl a Ar mode
.Op Fl h Ar hostname
.Op Ar username
.Sh DESCRIPTION
This manual page documents the
.Nm login
program distributed with the Heimdal Kerberos 5 implementation; it may
differ in important ways from your system version.
.Pp
The
.Nm login
program logs users into the system. It is intended to be run by
system daemons like
.Xr getty 8
or
.Xr telnetd 8 .
If you are already logged in, but want to change to another user, you
should use
.Xr su 1 .
.Pp
A username can be given on the command line; otherwise one will be
prompted for.
.Pp
A password is required to log in, unless the
.Fl f
option is given (indicating that the calling program has already done
proper authentication). With
.Fl f
the user will be logged in without further questions.
.Pp
For password authentication Kerberos 5, Kerberos 4 (if compiled in),
OTP (if compiled in) and local
.No ( Pa /etc/passwd )
passwords are supported. OTP will be used if the user is
registered to use it, and
.Nm login
is given the option
.Fl a Li otp .
When using OTP, a challenge is shown to the user.
.Pp
Further options are:
.Bl -tag -width Ds
.It Fl a Ar mode
Which authentication mode to use; the only supported value is
currently
.Dq otp .
.It Fl f
Indicates that the user is already authenticated. This happens, for
instance, when login is started by telnetd, and the user has proved
authentic via Kerberos. Since no password is asked for, the calling
program's own authentication is the only check that remains, so this
option is only meaningful when
.Nm login
is started by a trusted daemon.
.It Fl h Ar hostname
Indicates which host the user is logging in from. This is passed from
telnetd, and is entered into the login database.
.It Fl p
This tells
.Nm login
to preserve all environment variables. If not given, only the
.Dv TERM
and
.Dv TZ
variables are preserved. It could be a security risk to pass arbitrary
variables to
.Nm login
or the user shell, so the calling daemon should make sure it only
passes
.Dq safe
variables.
.El
.Pp
The process of logging a user in proceeds as follows.
.Pp
First a check is made that logins are allowed at all. This usually
means checking
.Pa /etc/nologin .
If it exists, and the user trying to log in is not root, its contents
are printed, and then login exits.
.Pp
Then various system parameters are set up, like changing the owner of
the tty to the user, setting up signals, setting the group list, and
user and group id. Also various machine specific tasks are performed.
.Pp
Next
.Nm login
changes to the user's home directory, or if that fails, to
.Pa / .
The environment is set up by adding some required variables (such as
.Dv PATH ) ,
and also authentication related ones (such as
.Dv KRB5CCNAME ) .
If an environment file exists
.No ( Pa /etc/environment ) ,
variables are set according to
it.
.Pp
If one or more login message files are configured, their contents are
printed to the terminal.
.Pp
If a login time command is configured, it is executed. A logout time
command can also be configured, which makes
.Nm login
fork, wait for the user shell to exit, and then run the command.
This can be used to clean up user credentials.
.Pp
Finally, the user's shell is executed. If the user logging in is root,
and root's login shell does not exist, a default shell (usually
.Pa /bin/sh )
is also tried before giving up.
.Sh ENVIRONMENT
These environment variables are set by login (not including ones set by
.Pa /etc/environment ) :
.Pp
.Bl -tag -compact -width USERXXLOGNAME
.It Dv PATH
the default system path
.It Dv HOME
the user's home directory (or possibly
.Pa / )
.It Dv USER , Dv LOGNAME
both set to the username
.It Dv SHELL
the user's shell
.It Dv TERM , Dv TZ
set to whatever is passed to
.Nm login
.It Dv KRB5CCNAME
if the password is verified via Kerberos 5, this will point to the
credentials cache file
.It Dv KRBTKFILE
if the password is verified via Kerberos 4, this will point to the
ticket file
.El
.Sh FILES
.Bl -tag -compact -width Ds
.It Pa /etc/environment
Contains a set of environment variables that should be set in addition
to the ones above. It should contain sh-style assignments like
.Dq VARIABLE=value .
Note that they are not parsed the way a shell would. No variable
expansion is performed, all strings are literal, and quotation
marks should not be used. Everything after a hash mark is considered a
comment. The following are all different (the last will set the
variable
.Dv BAR ,
not
.Dv FOO ) .
.Bd -literal -offset indent
FOO=this is a string
FOO="this is a string"
BAR= FOO='this is a string'
.Ed
.It Pa /etc/login.access
See
.Xr login.access 5 .
.It Pa /etc/login.conf
This is a termcap style configuration file that contains various
settings used by
.Nm login .
Currently only the
.Dq default
capability record is used. The possible capability strings include:
.Pp
.Bl -tag -compact -width Ds
.It Li environment
This is a comma separated list of environment files that are read in
the order specified. If this is missing, the default
.Pa /etc/environment
is used.
.It Li login_program
This program will be executed just before the user's shell is started.
It will be called without arguments.
.It Li logout_program
This program will be executed just after the user's shell has
terminated. It will be called without arguments. This program will be
the parent process of the spawned shell.
.It Li motd
A comma separated list of text files that will be printed to the
user's terminal before starting the shell. The string
.Li welcome
works similarly, but points to a single file.
.It Li limits
Points to a file containing ulimit settings for various users. The syntax
is inspired by what pam_limits uses, and the default is
.Pa /etc/security/limits.conf .
.El
.It Pa /etc/nologin
If it exists, login is denied to all but root. The contents of this
file are printed before login exits.
.El
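.Pp
The following is an added example, not Heimdal's own code, of the
environment handling described above: the
.Fl p
filtering (only
.Dv TERM
and
.Dv TZ
survive by default), the variables listed under ENVIRONMENT, and the
literal parsing rules for
.Pa /etc/environment .
The default PATH value, the treatment of whitespace after the
.Sq = ,
and the rule that a later assignment overrides an earlier one are
assumptions not stated on this page; the sample inputs are constructed.
```python
"""Added example (not Heimdal's code): build the environment login(1)
hands to the user's shell, following the rules in this manual page.

  * Without -p, only TERM and TZ from the caller's environment survive.
  * login then sets PATH, HOME, USER, LOGNAME, SHELL and, for a
    Kerberos 5 login, KRB5CCNAME.
  * /etc/environment is applied last with the literal rules from FILES:
    no expansion, no quote handling, '#' starts a comment, and the name
    is everything before the first '='.

Assumptions not stated on the page: the default PATH value, that
whitespace after the '=' is kept verbatim, and that a later assignment
overrides an earlier one.
"""
import re
from typing import Dict, Mapping, Optional

DEFAULT_PATH = "/usr/bin:/bin"        # assumed; the page only says "the default system path"
PRESERVED_BY_DEFAULT = ("TERM", "TZ")

# sh-style variable names; anything else is treated as malformed (assumed).
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_environment_file(text: str) -> Dict[str, str]:
    """Parse /etc/environment contents with the page's literal rules."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # everything after '#' is a comment
        if not line.strip() or "=" not in line:
            continue                         # blank, comment-only, or not an assignment
        name, value = line.split("=", 1)     # split on the FIRST '=' only
        name = name.strip()
        if not NAME_RE.match(name):
            continue
        env[name] = value                    # literal: quotes kept, nothing expanded
    return env


def build_login_env(caller_env: Mapping[str, str], user: str, home: str,
                    shell: str, preserve_all: bool = False,
                    krb5ccname: Optional[str] = None,
                    environment_file: Optional[str] = None) -> Dict[str, str]:
    """Return the environment the user's shell would start with."""
    if preserve_all:                          # -p: everything passes through
        env = dict(caller_env)
    else:                                     # default: only the "safe" pair
        env = {k: v for k, v in caller_env.items() if k in PRESERVED_BY_DEFAULT}
    env["PATH"] = DEFAULT_PATH
    env["HOME"] = home                        # login falls back to "/" if chdir fails
    env["USER"] = user
    env["LOGNAME"] = user
    env["SHELL"] = shell
    if krb5ccname is not None:                # only set for a Kerberos 5 login
        env["KRB5CCNAME"] = krb5ccname
    if environment_file is not None:          # /etc/environment wins over the above
        env.update(parse_environment_file(environment_file))
    return env


# Constructed sample inputs, not taken from the page.
SAMPLE_ENV_FILE = """
# comment line
FOO=this is a string
FOO="this is a string"
BAR= FOO='this is a string'
EDITOR=vi   # trailing comment
"""

SAMPLE_CALLER_ENV = {
    "TERM": "xterm",
    "TZ": "UTC",
    "LD_PRELOAD": "/tmp/untrusted.so",   # the kind of variable a daemon must not forward
}

if __name__ == "__main__":
    env = build_login_env(SAMPLE_CALLER_ENV, "alice", "/home/alice", "/bin/sh",
                          krb5ccname="FILE:/tmp/krb5cc_1000",
                          environment_file=SAMPLE_ENV_FILE)
    for name in sorted(env):
        print(f"{name}={env[name]!r}")
```
Run with the constructed inputs, the third sample line yields a variable
named BAR whose value is the literal text after the
.Sq = ,
and the caller's LD_PRELOAD is dropped unless
.Fl p
was given.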
.Pp
Other
.Nm login
programs typically print all sorts of information by default, such as
the last time you logged in, whether you have mail, and system message files.
This version of
.Nm login
does not, so there is no reason for
.Pa .hushlogin
files or similar. We feel that these tasks are best left to the user's
shell, but the
.Li login_program
facility allows for a shell independent solution, if that is desired.
.Sh EXAMPLES
A
.Pa login.conf
file could look like:
.Bd -literal -offset indent
default:\\
	:motd=/etc/motd,/etc/motd.local:\\
	:limits=/etc/limits.conf:
.Ed
.Pp
The
.Pa limits.conf
file consists of a table with four whitespace separated fields. The first
field is a username or a groupname (prefixed with
.Sq @ ) ,
or
.Sq * .
The second field is
.Sq soft ,
.Sq hard ,
or
.Sq -
(the last meaning both soft and hard).
The third field is a limit name (such as
.Sq cpu
or
.Sq core ) .
The last field is the limit value (a number or
.Sq -
for unlimited). In the case of data sizes, the value is in kilobytes,
and cputime is in minutes.
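.Pp
As an added example, not Heimdal's own code, the following resolves the
limits from such a table for one user and converts the kilobyte and
minute values into the units
.Xr setrlimit 2
takes. The precedence between
.Sq * ,
.Sq @group
and user lines, the treatment of
.Sq #
comments, and the set of names treated as data sizes are assumptions
not stated here; the sample table is constructed.
```python
"""Added example (not Heimdal's code): parse the limits.conf table
described above and resolve the soft and hard limits for one user.

Fields: who (user, @group or *), type (soft, hard or - for both), limit
name, value (a number or - for unlimited). As the page says, data sizes
are given in kilobytes and cputime in minutes; resolve_limits() converts
them to the byte and second units setrlimit(2) expects.

Assumptions not stated on the page: '#' starts a comment, an explicit
user line beats an @group line which beats a * line (modelled on
pam_limits, later line wins on a tie), which limit names count as data
sizes, and that UNLIMITED stands for RLIM_INFINITY. A malformed line
raises ValueError so a bad file fails closed instead of silently
granting a limit.
"""
from typing import Dict, Iterable, List, Optional, Tuple

UNLIMITED = -1   # stand-in for RLIM_INFINITY

KILOBYTE_LIMITS = {"core", "data", "fsize", "memlock", "rss", "stack"}  # assumed set
MINUTE_LIMITS = {"cpu"}

Row = Tuple[str, str, str, int]


def parse_limits(text: str) -> List[Row]:
    """Return (who, type, name, value) rows; value is an int or UNLIMITED."""
    rows: List[Row] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        who, kind, name, value = fields
        if kind not in ("soft", "hard", "-"):
            raise ValueError(f"line {lineno}: bad type {kind!r}")
        if value == "-":
            limit = UNLIMITED
        elif value.isdigit():
            limit = int(value)
        else:
            raise ValueError(f"line {lineno}: bad value {value!r}")
        rows.append((who, kind, name, limit))
    return rows


def to_rlimit_units(name: str, value: int) -> int:
    """Convert the file's kilobytes/minutes into bytes/seconds."""
    if value == UNLIMITED:
        return UNLIMITED
    if name in KILOBYTE_LIMITS:
        return value * 1024
    if name in MINUTE_LIMITS:
        return value * 60
    return value


def resolve_limits(rows: Iterable[Row], user: str,
                   groups: Iterable[str]) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Return {limit name: (soft, hard)}; a side is None if nothing set it."""
    groups = set(groups)
    best: Dict[Tuple[str, str], Tuple[int, int]] = {}   # (name, side) -> (specificity, value)
    for who, kind, name, value in rows:
        if who == "*":
            spec = 0
        elif who.startswith("@"):
            if who[1:] not in groups:
                continue
            spec = 1
        elif who == user:
            spec = 2
        else:
            continue
        converted = to_rlimit_units(name, value)
        sides = ("soft", "hard") if kind == "-" else (kind,)
        for side in sides:
            current = best.get((name, side))
            if current is None or spec >= current[0]:   # more specific wins; later line on a tie
                best[(name, side)] = (spec, converted)
    result: Dict[str, Tuple[Optional[int], Optional[int]]] = {}
    for (name, side), (_, converted) in best.items():
        soft, hard = result.get(name, (None, None))
        result[name] = (converted, hard) if side == "soft" else (soft, converted)
    return result


# Constructed sample file, not taken from the page.
SAMPLE_LIMITS = """
# who     type   item    value
*         soft   core    0
*         hard   core    -
@wheel    -      core    102400
alice     hard   cpu     60
*         -      nproc   200
bob       soft   core    -
"""

if __name__ == "__main__":
    rows = parse_limits(SAMPLE_LIMITS)
    for name, (soft, hard) in sorted(resolve_limits(rows, "alice", ["wheel", "users"]).items()):
        print(f"{name}: soft={soft} hard={hard}")
```
With the constructed table, a member of wheel gets a 102400 kilobyte
core limit expressed as 104857600 bytes on both sides, and a 60 minute
cputime line becomes 3600 seconds.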
.Sh SEE ALSO
.Xr su 1 ,
.Xr login.access 5 ,
.Xr getty 8 ,
.Xr telnetd 8
.Sh AUTHORS
This login program was written for the Heimdal Kerberos 5
implementation. The login.access code was written by Wietse Venema.
.\".Sh BUGS