krb5_kuserok(3)

NAME

     krb5_kuserok -- checks if a principal is permitted to login as a user

LIBRARY

     Kerberos 5 Library (libkrb5, -lkrb5)

SYNOPSIS

     #include <krb5.h>

     krb5_boolean
     krb5_kuserok(krb5_context context, krb5_principal principal,
         const char *user);

DESCRIPTION

     This function takes the name of a local user and checks if principal is
     allowed to log in as that user.

     The user may have a ~/.k5login file listing principals that are allowed
     to login as that user. If that file does not exist, all principals with a
     first component identical to the username, and a realm considered local,
     are allowed access.

     The .k5login file must contain one principal per line, be owned by user,
     and not be writable by group or other (but must be readable by anyone).

     Note that if the file exists, no implicit access rights are given to
     user@<localrealm>.

     Optionally, a set of files may be put in ~/.k5login.d (a directory), in
     which case they will all be checked in the same manner as .k5login.  The
     files may be called anything, but files starting with a hash (``#''), or
     ending with a tilde (``~'') are ignored. Subdirectories are not tra-
     versed. Note that this directory may not be checked by other implementa-
     tions.

RETURN VALUES

     krb5_kuserok returns TRUE if access should be granted, FALSE otherwise.

HISTORY

     The ~/.k5login.d feature appeared in Heimdal 0.7.

SEE ALSO

     krb5_get_default_realms(3), krb5_verify_user(3),
     krb5_verify_user_lrealm(3), krb5_verify_user_opt(3), krb5.conf(5)

HEIMDAL                           May 4, 2005                          HEIMDAL