1KSU(1) General Commands Manual KSU(1)
2
3
4
6 ksu - Kerberized super-user
7
9 ksu [ target_user ] [ -n target_principal_name ] [ -c source_cache_name
10 ] [ -k ] [ -D ] [ -r time ] [ -pf ] [ -l lifetime ] [ -zZ ] [ -q ] [ -e
11 command [ args ... ] ] [ -a [ args ... ] ]
12
14 Must have Kerberos version 5 installed to compile ksu. Must have a
15 Kerberos version 5 server running to use ksu.
16
18 ksu is a Kerberized version of the su program that has two missions:
19 one is to securely change the real and effective user ID to that of the
20 target user, and the other is to create a new security context. For
21 the sake of clarity, all references to and attributes of the user
22 invoking the program will start with 'source' (e.g. source user,
23 source cache, etc.). Likewise, all references to and attributes of the
24 target account will start with 'target'.
25
27 To fulfill the first mission, ksu operates in two phases: authentica‐
28 tion and authorization. Resolving the target principal name is the
29 first step in authentication. The user can either specify his princi‐
30 pal name with the -n option (e.g. -n jqpublic@USC.EDU) or a default
31 principal name will be assigned using a heuristic described in the
32 OPTIONS section (see -n option). The target user name must be the
33 first argument to ksu; if not specified root is the default. If '.' is
34 specified then the target user will be the source user (e.g. ksu .).
35 If the source user is root or the target user is the source user, no
36 authentication or authorization takes place. Otherwise, ksu looks for
37 an appropriate Kerberos ticket in the source cache.
38
39 The ticket can either be for the end-server or a ticket granting ticket
40 (TGT) for the target principal's realm. If the ticket for the end-
41 server is already in the cache, it's decrypted and verified. If it's
42 not in the cache but the TGT is, the TGT is used to obtain the ticket
43 for the end-server. The end-server ticket is then verified. If nei‐
44 ther ticket is in the cache, but ksu is compiled with the
45 GET_TGT_VIA_PASSWD define, the user will be prompted for a Kerberos
46 password which will then be used to get a TGT. If the user is logged
47 in remotely and does not have a secure channel, the password may be
48 exposed. If neither ticket is in the cache and GET_TGT_VIA_PASSWD is
49 not defined, authentication fails.
50
52 This section describes authorization of the source user when ksu is
53 invoked without the -e option. For a description of the -e option, see
54 the OPTIONS section.
55
56 Upon successful authentication, ksu checks whether the target principal
57 is authorized to access the target account. In the target user's home
58 directory, ksu attempts to access two authorization files: .k5login and
59 .k5users. In the .k5login file each line contains the name of a prin‐
60 cipal that is authorized to access the account.
61
62 For example:
63 jqpublic@USC.EDU
64 jqpublic/secure@USC.EDU
65 jqpublic/admin@USC.EDU
66
67 The format of .k5users is the same, except the principal name may be
68 followed by a list of commands that the principal is authorized to exe‐
69 cute. (see the -e option in the OPTIONS section for details).
70
71 Thus if the target principal name is found in the .k5login file the
72 source user is authorized to access the target account. Otherwise ksu
73 looks in the .k5users file. If the target principal name is found
74 without any trailing commands or followed only by '*' then the source
75 user is authorized. If either .k5login or .k5users exist but an appro‐
76 priate entry for the target principal does not exist then access is
77 denied. If neither file exists then the principal will be granted
78 access to the account according to the aname->lname mapping rules (see
79 krb5_anadd(8) for more details). Otherwise, authorization fails.
80
82 Upon successful authentication and authorization, ksu proceeds in a
83 similar fashion to su. The environment is unmodified with the excep‐
84 tion of USER, HOME and SHELL variables. If the target user is not
85 root, USER gets set to the target user name. Otherwise USER remains
86 unchanged. Both HOME and SHELL are set to the target login's default
87 values. In addition, the environment variable KRB5CCNAME gets set to
88 the name of the target cache. The real and effective user ID are
89 changed to that of the target user. The target user's shell is then
90 invoked (the shell name is specified in the password file). Upon ter‐
91 mination of the shell, ksu deletes the target cache (unless ksu is
92 invoked with the -k option). This is implemented by first doing a fork
93 and then an exec, instead of just exec, as done by su.
94
96 Ksu can be used to create a new security context for the target program
97 (either the target shell, or command specified via the -e option). The
98 target program inherits a set of credentials from the source user. By
99 default, this set includes all of the credentials in the source cache
100 plus any additional credentials obtained during authentication. The
101 source user is able to limit the credentials in this set by using -z or
102 -Z option. -z restricts the copy of tickets from the source cache to
103 the target cache to only the tickets where client == the target princi‐
104 pal name. The -Z option provides the target user with a fresh target
105 cache (no creds in the cache). Note that for security reasons, when the
106 source user is root and target user is non-root, -z option is the
107 default mode of operation.
108
109 While no authentication takes place if the source user is root or is
110 the same as the target user, additional tickets can still be obtained
111 for the target cache. If -n is specified and no credentials can be
112 copied to the target cache, the source user is prompted for a Ker‐
113 beros password (unless -Z specified or GET_TGT_VIA_PASSWD is unde‐
114 fined). If successful, a TGT is obtained from the Kerberos server and
115 stored in the target cache. Otherwise, if a password is not provided
116 (user hit return) ksu continues in a normal mode of operation (the
117 target cache will not contain the desired TGT). If the wrong password
118 is typed in, ksu fails.
119
120 Side Note: during authentication, only the tickets that could be
121 obtained without providing a password are cached in in the source
122 cache.
123
125 -n target_principal_name
126 Specify a Kerberos target principal name. Used in authenti‐
127 cation and authorization phases of ksu.
128
129 If ksu is invoked without -n, a default principal name is
130 assigned via the following heuristic:
131
132 Case 1: source user is non-root.
133 If the target user is the source user the default principal
134 name is set to the default principal of the source cache. If
135 the cache does not exist then the default principal name is
136 set to target_user@local_realm. If the source and target
137 users are different and neither ~target_user/.k5users nor
138 ~target_user/.k5login exist then the default principal name
139 is target_user_login_name@local_realm. Otherwise, starting
140 with the first principal listed below, ksu checks if the
141 principal is authorized to access the target account and
142 whether there is a legitimate ticket for that principal in
143 the source cache. If both conditions are met that principal
144 becomes the default target principal, otherwise go to the
145 next principal.
146
147 a) default principal of the source cache
148 b) target_user@local_realm
149 c) source_user@local_realm
150
151 If a-c fails try any principal for which there is a ticket in
152 the source cache and that is authorized to access the target
153 account. If that fails select the first principal that is
154 authorized to access the target account from the above list.
155 If none are authorized and ksu is configured with
156 PRINC_LOOK_AHEAD turned on, select the default principal as
157 follows:
158
159 For each candidate in the above list, select an authorized
160 principal that has the same realm name and first part of the
161 principal name equal to the prefix of the candidate. For
162 example if candidate a) is jqpublic@ISI.EDU and jqpub‐
163 lic/secure@ISI.EDU is authorized to access the target account
164 then the default principal is set to jqpublic/secure@ISI.EDU.
165
166 Case 2: source user is root.
167 If the target user is non-root then the default principal
168 name is target_user@local_realm. Else, if the source cache
169 exists the default principal name is set to the default prin‐
170 cipal of the source cache. If the source cache does not
171 exist, default principal name is set to root@local_realm.
172
173 -c source_cache_name
174 Specify source cache name (e.g. -c FILE:/tmp/my_cache). If
175 -c option is not used then the name is obtained from
176 KRB5CCNAME environment variable. If KRB5CCNAME is not
177 defined the source cache name is set to krb5cc_<source uid>.
178 The target cache name is automatically set to krb5cc_<target
179 uid>.(gen_sym()), where gen_sym generates a new number such
180 that the resulting cache does not already exist.
181 For example: krb5cc_1984.2
182
183 -k Do not delete the target cache upon termination of the target
184 shell or a command ( -e command). Without -k, ksu deletes
185 the target cache.
186
187 -D turn on debug mode.
188
189 Ticket granting ticket options: -l lifetime -r time -pf
190 The ticket granting ticket options only apply to the case
191 where there are no appropriate tickets in the cache to
192 authenticate the source user. In this case if ksu is config‐
193 ured to prompt users for a Kerberos password
194 (GET_TGT_VIA_PASSWD is defined), the ticket granting ticket
195 options that are specified will be used when getting a ticket
196 granting ticket from the Kerberos server.
197
198 -l lifetime
199 option specifies the lifetime to be requested for the ticket;
200 if this option is not specified, the default ticket lifetime
201 (configured by each site) is used instead.
202
203 -r time option specifies that the RENEWABLE option should be
204 requested for the ticket, and specifies the desired total
205 lifetime of the ticket.
206
207 -p option specifies that the PROXIABLE option should be
208 requested for the ticket.
209
210 -f option specifies that the FORWARDABLE option should be
211 requested for the ticket.
212
213 -z restrict the copy of tickets from the source cache to the
214 target cache to only the tickets where client == the target
215 principal name. Use the -n option if you want the tickets for
216 other then the default principal. Note that the -z option is
217 mutually exclusive with the -Z option.
218
219 -Z Don't copy any tickets from the source cache to the target
220 cache. Just create a fresh target cache, where the default
221 principal name of the cache is initialized to the target
222 principal name. Note that -Z option is mutually exclusive
223 with the -z option.
224
225 -q suppress the printing of status messages.
226
227 -e command [args ...]
228 ksu proceeds exactly the same as if it was invoked without
229 the -e option, except instead of executing the target shell,
230 ksu executes the specified command (Example of usage: ksu bob
231 -e ls -lag).
232
233 The authorization algorithm for -e is as follows:
234
235 If the source user is root or source user == target user, no
236 authorization takes place and the command is executed. If
237 source user id != 0, and ~target_user/.k5users file does not
238 exist, authorization fails. Otherwise, ~target_user/.k5users
239 file must have an appropriate entry for target principal to
240 get authorized.
241
242 The .k5users file format:
243
244 A single principal entry on each line that may be followed by
245 a list of commands that the principal is authorized to exe‐
246 cute. A principal name followed by a '*' means that the user
247 is authorized to execute any command. Thus, in the following
248 example:
249
250 jqpublic@USC.EDU ls mail /local/kerberos/klist
251 jqpublic/secure@USC.EDU *
252 jqpublic/admin@USC.EDU
253
254 jqpublic@USC.EDU is only authorized to execute ls, mail and
255 klist commands. jqpublic/secure@USC.EDU is authorized to exe‐
256 cute any command. jqpublic/admin@USC.EDU is not authorized to
257 execute any command. Note, that jqpublic/admin@USC.EDU is
258 authorized to execute the target shell (regular ksu, without
259 the -e option) but jqpublic@USC.EDU is not.
260
261 The commands listed after the principal name must be either a
262 full path names or just the program name. In the second
263 case, CMD_PATH specifying the location of authorized programs
264 must be defined at the compilation time of ksu.
265
266 Which command gets executed ?
267
268 If the source user is root or the target user is the source
269 user or the user is authorized to execute any command ('*'
270 entry) then command can be either a full or a relative path
271 leading to the target program. Otherwise, the user must
272 specify either a full path or just the program name.
273
274 -a args specify arguments to be passed to the target shell. Note:
275 that all flags and parameters following -a will be passed to
276 the shell, thus all options intended for ksu must precede -a.
277 The -a option can be used to simulate the -e option if used
278 as follows: -a -c [command [arguments]]. -c is interpreted
279 by the c-shell to execute the command.
280
282 ksu can be compiled with the following 4 flags (see the Imakefile):
283
284 GET_TGT_VIA_PASSWD
285 in case no appropriate tickets are found in the source cache,
286 the user will be prompted for a Kerberos password. The pass‐
287 word is then used to get a ticket granting ticket from the
288 Kerberos server. The danger of configuring ksu with this
289 macro is if the source user is logged in remotely and does
290 not have a secure channel, the password may get exposed.
291
292 PRINC_LOOK_AHEAD
293 during the resolution of the default principal name,
294 PRINC_LOOK_AHEAD enables ksu to find principal names in the
295 .k5users file as described in the OPTIONS section (see -n
296 option).
297
298 CMD_PATH specifies a list of directories containing programs that
299 users are authorized to execute (via .k5users file).
300
301 HAS_GETUSERSHELL
302 If the source user is non-root, ksu insists that the target
303 user's shell to be invoked is a "legal shell". getuser‐
304 shell(3) is called to obtain the names of "legal shells".
305 Note that the target user's shell is obtained from the passwd
306 file.
307
308 SAMPLE CONFIGURATION:
309 KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD
310 -DCMD_PATH='"/bin /usr/ucb /local/bin"
311
312 PERMISSIONS FOR KSU
313 ksu should be owned by root and have the set user id bit
314 turned on.
315
316 END-SERVER ENTRY
317
318 ksu attempts to get a ticket for the end server just as Ker‐
319 berized telnet and rlogin. Thus, there must be an entry for
320 the server in the Kerberos database (e.g.
321 host/nii.isi.edu@ISI.EDU). The keytab file must be in an
322 appropriate location.
323
324
326 ksu deletes all expired tickets from the source cache.
327
329 KSU(1)