-n target_principal_name Specify a Kerberos target principal name. Used in the authentication and authorization phases of ksu.
If ksu is invoked without -n, a default principal name is assigned via the following heuristic:
Case 1: source user is non-root.
If the target user is the source user the default principal name is set to the default principal of the source cache. If the cache does not exist then the default principal name is set to target_user@local_realm. If the source and target users are different and neither ~target_user/.k5users nor ~target_user/.k5login exist then the default principal name is target_user_login_name@local_realm. Otherwise, starting with the first principal listed below, ksu checks if the principal is authorized to access the target account and whether there is a legitimate ticket for that principal in the source cache. If both conditions are met that principal becomes the default target principal, otherwise go to the next principal.
a. default principal of the source cache
If a-c fails try any principal for which there is a ticket in the source cache and that is authorized to access the target account. If that fails select the first principal that is authorized to access the target account from the above list. If none are authorized and ksu is configured with PRINC_LOOK_AHEAD turned on, select the default principal as follows:
For each candidate in the above list, select an authorized principal that has the same realm name and first part of the principal name equal to the prefix of the candidate. For example if candidate a) is jqpublic@ISI.EDU and jqpublic/secure@ISI.EDU is authorized to access the target account then the default principal is set to jqpublic/secure@ISI.EDU.
Case 2: source user is root.
If the target user is non-root then the default principal name is target_user@local_realm. Else, if the source cache exists, the default principal name is set to the default principal of the source cache. If the source cache does not exist, the default principal name is set to root@local_realm.
-c source_cache_name Specify source cache name (e.g., -c FILE:/tmp/my_cache). If -c option is not used then the name is obtained from KRB5CCNAME environment variable. If KRB5CCNAME is not defined the source cache name is set to krb5cc_<source uid>. The target cache name is automatically set to krb5cc_<target uid>.(gen_sym()), where gen_sym generates a new number such that the resulting cache does not already exist. For example:
-k Do not delete the target cache upon termination of the target shell or a command (-e command). Without -k, ksu deletes the target cache.
-z Restrict the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. Use the -n option if you want the tickets for a principal other than the default principal. Note that the -z option is mutually exclusive with the -Z option.
-Z Don't copy any tickets from the source cache to the target cache. Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name. Note that the -Z option is mutually exclusive with the -z option.
-q Suppress the printing of status messages.
Ticket granting ticket options:
-l lifetime -r time -pf
The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate the source user. In this case, if ksu is configured to prompt users for a Kerberos password (GET_TGT_VIA_PASSWD is defined), the ticket granting ticket options that are specified will be used when getting a ticket granting ticket from the Kerberos server.
-l lifetime (duration string.) Specifies the lifetime to be requested for the ticket; if this option is not specified, the default ticket lifetime (12 hours) is used instead.
-r time (duration string.) Specifies that the renewable option should be requested for the ticket, and specifies the desired total lifetime of the ticket.
-p Specifies that the proxiable option should be requested for the ticket.
-f Specifies that the forwardable option should be requested for the ticket.
|-e command [args ...]|
ksu proceeds exactly the same as if it was invoked without the
-e option, except instead of executing the target shell, ksu
executes the specified command. Example of usage:
ksu bob -e ls -lag
The authorization algorithm for -e is as follows:
If the source user is root or source user == target user, no authorization takes place and the command is executed. If source user id != 0, and ~target_user/.k5users file does not exist, authorization fails. Otherwise, ~target_user/.k5users file must have an appropriate entry for target principal to get authorized.
The .k5users file format:
A single principal entry on each line that may be followed by a list of commands that the principal is authorized to execute. A principal name followed by a * means that the user is authorized to execute any command. Thus, in the following example:
jqpublic@USC.EDU ls mail /local/kerberos/klist
jqpublic/secure@USC.EDU *
jqpublic/admin@USC.EDU
jqpublic@USC.EDU is only authorized to execute the ls, mail and klist commands. jqpublic/secure@USC.EDU is authorized to execute any command. jqpublic/admin@USC.EDU is not authorized to execute any command. Note that jqpublic/admin@USC.EDU is authorized to execute the target shell (regular ksu, without the -e option) but jqpublic@USC.EDU is not.
The commands listed after the principal name must be either full path names or just the program name. In the second case, CMD_PATH, specifying the location of authorized programs, must be defined at compile time of ksu.
Which command gets executed?
If the source user is root, or the target user is the source user, or the user is authorized to execute any command (* entry), then the command can be either a full or a relative path leading to the target program. Otherwise, the user must specify either a full path or just the program name.
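The .k5users format and the -e authorization rule above, together with the PRINC_LOOK_AHEAD matching described under the -n option, in a small Python model. This is an added example, not ksu's own source: the CMD_PATH list is taken from the KSU_OPTS example on this page, while FAKE_FS and the exists parameter are constructed so the check runs offline; the sample .k5users contents are the ones shown above.

```python
"""Model of two ksu rules: the .k5users check behind -e, and PRINC_LOOK_AHEAD.
Added illustration, not ksu's source. CMD_PATH and FAKE_FS are constructed."""
import os

# Sample .k5users contents from the man page example, one entry per line.
SAMPLE_K5USERS = """\
jqpublic@USC.EDU ls mail /local/kerberos/klist
jqpublic/secure@USC.EDU *
jqpublic/admin@USC.EDU
"""

# Stand-in for the compile-time CMD_PATH (values from the KSU_OPTS example).
CMD_PATH = ["/bin", "/usr/ucb", "/local/bin"]

# Constructed set of "existing" programs so resolution works offline.
FAKE_FS = {"/bin/ls", "/bin/mail", "/bin/rm", "/local/kerberos/klist"}
fake_exists = FAKE_FS.__contains__


def parse_k5users(text):
    """Parse .k5users text into {principal: [allowed commands]}.

    No commands -> [] (shell only); a single '*' -> any command.
    """
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            entries[fields[0]] = fields[1:]
    return entries


def resolve_command(command, exists=os.path.exists):
    """Turn a command spec into a full path, or None if unacceptable.

    Full paths pass through. A bare program name is searched in CMD_PATH
    (first directory where it exists). A relative path such as './ls' is
    neither form, so it is rejected.
    """
    if command.startswith("/"):
        return command
    if "/" in command:
        return None
    for directory in CMD_PATH:
        path = os.path.join(directory, command)
        if exists(path):
            return path
    return None


def authorized_for_shell(entries, principal):
    """Plain ksu (no -e): any principal listed in .k5users gets the shell."""
    return entries is not None and principal in entries


def authorized_for_command(entries, principal, command, source_uid=1000,
                           same_user=False, exists=os.path.exists):
    """The -e rule: root or self needs no check; otherwise the principal's
    .k5users entry must list the command (or '*'). entries is None when
    ~target_user/.k5users does not exist, which fails authorization."""
    if source_uid == 0 or same_user:
        return True
    if entries is None or principal not in entries:
        return False
    allowed = entries[principal]
    if "*" in allowed:
        return True
    wanted = resolve_command(command, exists)
    if wanted is None:
        return False
    return any(resolve_command(spec, exists) == wanted for spec in allowed)


def split_principal(principal):
    """'jqpublic/secure@ISI.EDU' -> ('jqpublic', 'ISI.EDU')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/")[0], realm


def look_ahead(candidate, entries):
    """PRINC_LOOK_AHEAD: first authorized principal in the same realm whose
    first name component equals the candidate's, e.g. jqpublic@ISI.EDU ->
    jqpublic/secure@ISI.EDU. Returns None if nothing matches."""
    first, realm = split_principal(candidate)
    for principal in entries or ():
        if split_principal(principal) == (first, realm):
            return principal
    return None


if __name__ == "__main__":
    k5 = parse_k5users(SAMPLE_K5USERS)
    for princ, cmd in [("jqpublic@USC.EDU", "ls"),
                       ("jqpublic@USC.EDU", "/usr/ucb/ls"),
                       ("jqpublic@USC.EDU", "rm"),
                       ("jqpublic/secure@USC.EDU", "rm"),
                       ("jqpublic/admin@USC.EDU", "ls")]:
        ok = authorized_for_command(k5, princ, cmd, exists=fake_exists)
        print(f"{princ:26} -e {cmd:12} -> {'allowed' if ok else 'denied'}")
    print(look_ahead("jqpublic@ISI.EDU", {"jqpublic/secure@ISI.EDU": ["*"]}))
```

The resolution step is what makes the CMD_PATH requirement meaningful: a bare name in the file is only ever honoured as the program found under one of the compiled-in directories, so a full path to the same name elsewhere (/usr/ucb/ls when ls resolves to /bin/ls) is denied, as is a program that exists but is not listed.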
-a Specify arguments to be passed to the target shell. Note that all flags and parameters following -a will be passed to the shell, thus all options intended for ksu must precede -a.
The -a option can be used to simulate the -e option if used as follows:
-a -c [command [arguments]].
-c is interpreted by the c-shell to execute the command.
ksu can be compiled with the following four flags:
GET_TGT_VIA_PASSWD In case no appropriate tickets are found in the source cache, the user will be prompted for a Kerberos password. The password is then used to get a ticket granting ticket from the Kerberos server. The danger of configuring ksu with this macro is that if the source user is logged in remotely and does not have a secure channel, the password may get exposed.
PRINC_LOOK_AHEAD During the resolution of the default principal name, PRINC_LOOK_AHEAD enables ksu to find principal names in the .k5users file as described in the OPTIONS section (see the -n option).
CMD_PATH Specifies a list of directories containing programs that users are authorized to execute (via the .k5users file).
HAVE_GETUSERSHELL If the source user is non-root, ksu insists that the target user's shell to be invoked is a "legal shell". getusershell(3) is called to obtain the names of "legal shells". Note that the target user's shell is obtained from the passwd file.
KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH="/bin /usr/ucb /local/bin"
ksu should be owned by root and have the set user id bit turned on.
ksu attempts to get a ticket for the end server just as Kerberized
telnet and rlogin. Thus, there must be an entry for the server in the
Kerberos database (e.g., host/nii.isi.edu@ISI.EDU). The keytab
file must be in an appropriate location.
ksu deletes all expired tickets from the source cache.
GENNADY (ARI) MEDVINSKY