Re: .klogin file when K components are not installed? - BSD

This is a discussion on Re: .klogin file when K components are not installed? - BSD ; Dennis Davis wrote: >As has been pointed out, it's kerberos-related. It's put there as >part of the initial install. Installed when you install etc40.tgz >from your set of OpenBSD CDs. >However note the form of the kerberos principals: >user1.root@your.realm.wherever >These ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Re: .klogin file when K components are not installed?

  1. Re: .klogin file when K components are not installed?

    Dennis Davis wrote:

    >As has been pointed out, it's kerberos-related. It's put there as
    >part of the initial install. Installed when you install etc40.tgz
    >from your set of OpenBSD CDs.


    >However note the form of the kerberos principals:


    >user1.root@your.realm.wherever


    >These are kerberosIV principals. OpenBSD now comes with kerberosV;
    >kerberosIV support was withdrawn many releases ago. An equivalent
    >kerberosV principal would look like:


    >user1/root@your.realm.wherever


    >This, together with the date on the file (2002/06/09), almost
    >certainly means it's no longer used or required. Won't do
    >any harm to leave it there.


    >You're probably better off using the sudo command to provide
    >fine-grained control of who can run commands as root.


    >(I'm not even sure if the kerberosV (Heimdal) that comes with
    > OpenBSD supports an equivalent to the .klogin file. MIT's
    > kerberosV does, they use a .k5login file.)
    > --
    >Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
    >D.H.Davis@bath.ac.uk





    Thanks for the information Dennis , that explains why there
    appears to be no mention of the file via man or apropos. If
    it does serve no purpose , hopefully it will be removed from
    the default install.


    I've already deleted the file , I kept it in place until I
    could find out exactly what it was and where it came from.
    It made /root appear too untidy for my liking , if it had
    been in /etc it would probably still be there.


    Eventually i'll probably sort through /etc and probably sort
    through all executable-files on the system as well. I tend
    towards minimalism. It might be nicer if there were finer
    control available at install , to be able to select or
    de-select individual programs to be installed. As it is i'll
    probably write a script to delete things I do not need and that
    are not interrelated with things I do need. I'll probably add
    things to the script slowly over time.


    As i'm using OpenBSD as a desktop OS , I don't have any need to
    give anyone else root's privileges , but I only use su for my own
    needs. In the past i've read too many examples of sudo's controls
    being bypassed. It has been my understanding that it can be very
    difficult to offer sudo in a way that prevents users escalating *intended*
    privileges (one way or another). Out of curiosity do you prefer
    sudo over su for your personal use and have you had no problems with
    users finding ways to bypass sudo if you've seen it used on large
    multiuser systems? I haven't read that sudo can't be controlled ,
    only that it can be a very difficult , complex , and time-consuming
    task to achieve.


    An Odd User.





  2. Re: .klogin file when K components are not installed?

    Borked Pseudo Mailed wrote:
    > Dennis Davis wrote:

    [...]
    >>This, together with the date on the file (2002/06/09), almost
    >>certainly means it's no longer used or required. Won't do
    >>any harm to leave it there.

    [...]
    > Thanks for the information Dennis , that explains why there
    > appears to be no mention of the file via man or apropos. If
    > it does serve no purpose , hopefully it will be removed from
    > the default install.


    Hi Noman, Dennis and Borked!

    I am now looking at Ch. 25 of "Secure Architectures with OpenBSD";
    indeed, it seems that usage of principals and instances in realms
    has changed on KerberosV (yes, I do not use Kerberos...). A very
    good point!

    If this file needs to be updated/removed, why not opening a PR?
    It seems that it needs to be fixed (or removed...) but remains
    unchanged since june 2002, when todd removed a trailing whitespace.

    Perhaps starting a thread on misc@ is a good way to know if
    opening a problem report on this matter makes sense.

    Best regards,
    Igor.

+ Reply to Thread