Dennis Davis wrote:

>As has been pointed out, it's kerberos-related. It's put there as
>part of the initial install. Installed when you install etc40.tgz
>from your set of OpenBSD CDs.

>However note the form of the kerberos principals:

>user1.root@your.realm.wherever

>These are kerberosIV principals. OpenBSD now comes with kerberosV;
>kerberosIV support was withdrawn many releases ago. An equivalent
>kerberosV principal would look like:

>user1/root@your.realm.wherever

>This, together with the date on the file (2002/06/09), almost
>certainly means it's no longer used or required. Won't do
>any harm to leave it there.

>You're probably better off using the sudo command to provide
>fine-grained control of who can run commands as root.

>(I'm not even sure if the kerberosV (Heimdal) that comes with
> OpenBSD supports an equivalent to the .klogin file. MIT's
> kerberosV does, they use a .k5login file.)
> --
>Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
>D.H.Davis@bath.ac.uk




Thanks for the information Dennis , that explains why there
appears to be no mention of the file via man or apropos. If
it does serve no purpose , hopefully it will be removed from
the default install.


I've already deleted the file , I kept it in place until I
could find out exactly what it was and where it came from.
It made /root appear too untidy for my liking , if it had
been in /etc it would probably still be there.


Eventually i'll probably sort through /etc and probably sort
through all executable-files on the system as well. I tend
towards minimalism. It might be nicer if there were finer
control available at install , to be able to select or
de-select individual programs to be installed. As it is i'll
probably write a script to delete things I do not need and that
are not interrelated with things I do need. I'll probably add
things to the script slowly over time.


As i'm using OpenBSD as a desktop OS , I don't have any need to
give anyone else root's privileges , but I only use su for my own
needs. In the past i've read too many examples of sudo's controls
being bypassed. It has been my understanding that it can be very
difficult to offer sudo in a way that prevents users escalating *intended*
privileges (one way or another). Out of curiosity do you prefer
sudo over su for your personal use and have you had no problems with
users finding ways to bypass sudo if you've seen it used on large
multiuser systems? I haven't read that sudo can't be controlled ,
only that it can be a very difficult , complex , and time-consuming
task to achieve.


An Odd User.