
Re: Newbie



On Thu, Aug 07, 2003 at 03:24:42PM +0300, Ozgur C. Demir wrote:
> Hello People,
> I have set up a realm; the thing I want to do is allow or deny some people to
> login on some hosts. That's why I have installed Heimdal, but how can I do
> it? For example, I want to allow user1 on my 10 different hosts, but when
> I need, I need to deny him all of them (or maybe one of them) to log in.

Kerberos covers authentication, not authorization. In other words,
Kerberos can confirm that JoeUser really *is* JoeUser (authentication),
but it doesn't say what JoeUser is allowed to do (authorization).

Generally, the contents of /etc/passwd determine who is authorized to do
what on an individual server. The server may believe, through Kerberos,
that you are who you say you are, but if you don't have an account
you aren't logging in.

Individual daemons often have extra controls. For example, ftpd
typically checks /etc/ftpusers for banned users (IMO, that's the
opposite of what the file name implies, but that's a whole *other*
rant).

If you want to centralize authorization, you might be interested in
looking at combining Kerberos with NIS (especially with netgroups) or
LDAP. This gives you the secure authentication of Kerberos with
distributed authorization. Kinda the best of both worlds.

-T


-- 
Draw bamboos for ten years, become a bamboo, then forget all about bamboos
when you are drawing.
	Georges Duthuit
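The separation -T describes, as an added example that is not part of the original thread: once Kerberos has authenticated a principal, the host still decides authorization from local and distributed data. The passwd, ftpusers and netgroup contents here are constructed sample data, and the principal-to-local-user mapping (user1@REALM -> user1) is an assumption.

```python
# Added example, not from the original post: the authorization checks a host
# applies AFTER Kerberos has authenticated a principal. All data is constructed.
# /etc/passwd-style data: the user must have a local account (constructed)
PASSWD = "root:x:0:0:root:/root:/bin/sh\nuser1:x:1001:1001::/home/user1:/bin/sh\nuser2:x:1002:1002::/home/user2:/bin/sh\n"
# /etc/ftpusers-style per-daemon deny list (constructed)
FTPUSERS = "root\nuser2\n"
# /etc/netgroup-style centralized policy: (host,user,domain) triples and
# nested groups; an empty field is a wildcard (constructed)
NETGROUP = """shell-hosts-a (host1,user1,) (host2,user1,) (host3,user1,)
shell-hosts-b (host4,user1,) (host5,user1,) shell-hosts-a
login-allowed shell-hosts-b (host9,user2,)
"""

def local_accounts(passwd_text):
    """Usernames with a local account: first field of each passwd line."""
    return {ln.split(":")[0] for ln in passwd_text.splitlines() if ln.strip()}

def parse_netgroup(text):
    """Map netgroup name -> its members (triples or nested group names)."""
    groups = {}
    for ln in text.splitlines():
        if ln.strip():
            name, *members = ln.split()
            groups[name] = members
    return groups

def netgroup_triples(groups, name, seen=None):
    """Recursively expand a netgroup into a set of (host, user, domain)."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()  # unknown or already-visited group contributes nothing
    seen.add(name)
    out = set()
    for m in groups[name]:
        if m.startswith("("):
            out.add(tuple(m.strip("()").split(",")))
        else:
            out |= netgroup_triples(groups, m, seen)
    return out

def may_login(principal, host, service="login"):
    """Decide whether an authenticated principal may use `service` on `host`."""
    user = principal.split("@")[0]  # assumed mapping: user1@REALM -> local user1
    if user not in local_accounts(PASSWD):
        return False, "no local account on this host (/etc/passwd)"
    if service == "ftp" and user in FTPUSERS.split():
        return False, "banned by /etc/ftpusers"
    allowed = netgroup_triples(parse_netgroup(NETGROUP), "login-allowed")
    if not any(h in (host, "") and u in (user, "") for h, u, _ in allowed):
        return False, "host/user pair not in the login-allowed netgroup"
    return True, "authorized"
```

Removing one (host,user1,) triple from the netgroup denies user1 on that host alone; removing user1's passwd entry denies every service on that host regardless of what the KDC says.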