NAME
ksu - Kerberized super-user

SYNOPSIS
ksu [ targetuser ] [ -n targetprincipalname ] [ -c sourcecachename ] [ -k ] [ -r time ] [ -pf ] [ -l lifetime ] [ -z | Z ] [ -q ] [ -e command [ args ... ] ] [ -a [ args ... ] ]

REQUIREMENTS
Must have Kerberos version 5 installed to compile ksu. Must have a Kerberos version 5 server running to use ksu.

DESCRIPTION
ksu is a Kerberized version of the su program that has two missions: one is to securely change the real and effective user ID to that of the target user, and the other is to create a new security context.

NOTE: For the sake of clarity, all references to and attributes of the user invoking the program will start with "source" (e.g., "source user", "source cache", etc.). Likewise, all references to and attributes of the target account will start with "target".

AUTHENTICATION
To fulfill the first mission, ksu operates in two phases: authentication and authorization. Resolving the target principal name is the first step in authentication. The user can either specify his principal name with the -n option (e.g., -n jqpublic@USC.EDU) or a default principal name will be assigned using a heuristic described in the OPTIONS section (see -n option). The target user name must be the first argument to ksu; if not specified, root is the default. If . is specified then the target user will be the source user (e.g., ksu .). If the source user is root or the target user is the source user, no authentication or authorization takes place. Otherwise, ksu looks for an appropriate Kerberos ticket in the source cache.

The ticket can either be for the end-server or a ticket granting ticket (TGT) for the target principal's realm. If the ticket for the end-server is already in the cache, it's decrypted and verified. If it's not in the cache but the TGT is, the TGT is used to obtain the ticket for the end-server. The end-server ticket is then verified. If neither ticket is in the cache, but ksu is compiled with the GETTGTVIAPASSWD define, the user will be prompted for a Kerberos password which will then be used to get a TGT. If the user is logged in remotely and does not have a secure channel, the password may be exposed. If neither ticket is in the cache and GETTGTVIAPASSWD is not defined, authentication fails.

AUTHORIZATION
This section describes authorization of the source user when ksu is invoked without the -e option. For a description of the -e option, see the OPTIONS section. Upon successful authentication, ksu checks whether the target principal is authorized to access the target account. In the target user's home directory, ksu attempts to access two authorization files: .k5login(5) and .k5users. In the .k5login file each line contains the name of a principal that is authorized to access the account. For example:

jqpublic@USC.EDU
jqpublic/secure@USC.EDU
jqpublic/admin@USC.EDU

The format of .k5users is the same, except the principal name may be followed by a list of commands that the principal is authorized to execute (see the -e option in the OPTIONS section for details). Thus, if the target principal name is found in the .k5login file, the source user is authorized to access the target account. Otherwise ksu looks in the .k5users file. If the target principal name is found without any trailing commands, or followed only by *, then the source user is authorized. If either .k5login or .k5users exists but an appropriate entry for the target principal does not exist, then access is denied. If neither file exists then the principal will be granted access to the account according to the aname->lname mapping rules. Otherwise, authorization fails.

EXECUTION OF THE TARGET SHELL
Upon successful authentication and authorization, ksu proceeds in a similar fashion to su. The environment is unmodified with the exception of the USER, HOME and SHELL variables. If the target user is not root, USER gets set to the target user name. Otherwise USER remains unchanged. Both HOME and SHELL are set to the target login's default values. In addition, the environment variable KRB5CCNAME gets set to the name of the target cache. The real and effective user ID are changed to that of the target user. The target user's shell is then invoked (the shell name is specified in the password file). Upon termination of the shell, ksu deletes the target cache (unless ksu is invoked with the -k option). This is implemented by first doing a fork and then an exec, instead of just exec, as done by su.

CREATING A NEW SECURITY CONTEXT
ksu can be used to create a new security context for the target program (either the target shell, or the command specified via the -e option). The target program inherits a set of credentials from the source user. By default, this set includes all of the credentials in the source cache plus any additional credentials obtained during authentication. The source user is able to limit the credentials in this set by using the -z or -Z option. -z restricts the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. The -Z option provides the target user with a fresh target cache (no creds in the cache). Note that for security reasons, when the source user is root and the target user is non-root, the -z option is the default mode of operation.

While no authentication takes place if the source user is root or is the same as the target user, additional tickets can still be obtained for the target cache. If -n is specified and no credentials can be copied to the target cache, the source user is prompted for a Kerberos password (unless -Z is specified or GETTGTVIAPASSWD is undefined). If successful, a TGT is obtained from the Kerberos server and stored in the target cache. Otherwise, if a password is not provided (user hit return), ksu continues in a normal mode of operation (the target cache will not contain the desired TGT). If the wrong password is typed in, ksu fails.

NOTE: During authentication, only the tickets that could be obtained without providing a password are cached in the source cache.

OPTIONS
-n targetprincipalname
Specify a Kerberos target principal name. Used in the authentication and authorization phases of ksu.

If ksu is invoked without -n, a default principal name is assigned via the following heuristic:

· Case 1: source user is non-root.
If the target user is the source user, the default principal name is set to the default principal of the source cache. If the cache does not exist then the default principal name is set to targetuser@localrealm. If the source and target users are different and neither ~targetuser/.k5users nor ~targetuser/.k5login exist, then the default principal name is targetuserloginname@localrealm. Otherwise, starting with the first principal listed below, ksu checks if the principal is authorized to access the target account and whether there is a legitimate ticket for that principal in the source cache. If both conditions are met that principal becomes the default target principal; otherwise go to the next principal.

a. default principal of the source cache
b. targetuser@localrealm
c. sourceuser@localrealm

If a-c fail, try any principal for which there is a ticket in the source cache and that is authorized to access the target account. If that fails, select the first principal that is authorized to access the target account from the above list. If none are authorized and ksu is configured with PRINCLOOKAHEAD turned on, select the default principal as follows: for each candidate in the above list, select an authorized principal that has the same realm name and whose first part of the principal name equals the prefix of the candidate. For example, if candidate a) is jqpublic@ISI.EDU and jqpublic/secure@ISI.EDU is authorized to access the target account, then the default principal is set to jqpublic/secure@ISI.EDU.

· Case 2: source user is root.
If the target user is non-root then the default principal name is targetuser@localrealm. Else, if the source cache exists, the default principal name is set to the default principal of the source cache. If the source cache does not exist, the default principal name is set to root@localrealm.
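The following Python model is an added illustration of the AUTHORIZATION rules (.k5login and .k5users) and of Case 1 of the -n default-principal heuristic exactly as the text above lays them out; it is not ksu's own code and is not part of this manual page. Assumptions it makes: the local realm is EXAMPLE.COM, .k5users fields are whitespace-separated, the aname->lname mapping is simplified to "a single-component principal in the local realm maps to the login name of that component", and the policy files, source cache default principal and ticket list are constructed sample data.

```python
"""Model of ksu's .k5login/.k5users authorization decision and of the
default-principal heuristic used when -n is omitted (Case 1, non-root
source user).  Added illustration, not MIT Kerberos code.  The local
realm, the policy files and the ticket lists are constructed samples."""

LOCAL_REALM = "EXAMPLE.COM"  # assumption: the local Kerberos realm


def parse_k5login(text):
    """.k5login: one authorized principal per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_k5users(text):
    """.k5users: principal, optionally followed by the commands it may run
    (assumption: fields are whitespace-separated)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            entries[fields[0]] = fields[1:]
    return entries


def aname_to_lname(principal, local_realm=LOCAL_REALM):
    """Simplified aname->lname mapping (assumption): a single-component
    principal in the local realm maps to the login name of that component."""
    name, _, realm = principal.partition("@")
    return name if realm == local_realm and "/" not in name else None


def shell_authorized(principal, target_user, k5login, k5users):
    """Decide shell access for principal to target_user's account.
    k5login is a set or None (file absent); k5users a dict or None."""
    if k5login is not None and principal in k5login:
        return True
    if k5users is not None and principal in k5users:
        # Only an entry with no commands, or just '*', grants the shell.
        return k5users[principal] in ([], ["*"])
    if k5login is None and k5users is None:
        return aname_to_lname(principal) == target_user
    return False  # a policy file exists but carries no matching entry


def default_principal(source_user, target_user, cache_default, cache_tickets,
                      k5login, k5users, princ_lookahead=False):
    """Case 1 of the -n heuristic (source user is not root).
    cache_default: default principal of the source cache, None if no cache.
    cache_tickets: client principals holding a ticket in the source cache."""
    if target_user == source_user:
        return cache_default or f"{target_user}@{LOCAL_REALM}"
    if k5login is None and k5users is None:
        return f"{target_user}@{LOCAL_REALM}"

    def authorized(p):
        return shell_authorized(p, target_user, k5login, k5users)

    candidates = []  # (a) cache default, (b) target user, (c) source user
    for p in (cache_default, f"{target_user}@{LOCAL_REALM}",
              f"{source_user}@{LOCAL_REALM}"):
        if p and p not in candidates:
            candidates.append(p)
    # (a)-(c): authorized and backed by a ticket in the source cache
    for p in candidates:
        if authorized(p) and p in cache_tickets:
            return p
    # any ticketed principal that is authorized
    for p in cache_tickets:
        if authorized(p):
            return p
    # first authorized candidate, even without a ticket
    for p in candidates:
        if authorized(p):
            return p
    if princ_lookahead:  # PRINCLOOKAHEAD: same realm, same first component
        listed = set(k5login or ()) | set(k5users or {})
        for cand in candidates:
            cname, _, crealm = cand.partition("@")
            for p in sorted(listed):
                pname, _, prealm = p.partition("@")
                if (prealm == crealm and pname.split("/")[0] == cname.split("/")[0]
                        and authorized(p)):
                    return p
    return None


# Constructed sample policy for the account "ops", source user "alice".
OPS_K5LOGIN = parse_k5login("alice/admin@EXAMPLE.COM\n")
OPS_K5USERS = parse_k5users(
    "bob@EXAMPLE.COM *\n"
    "carol@EXAMPLE.COM /usr/bin/ls\n"  # command-restricted: no shell
)

if __name__ == "__main__":
    tickets = ["alice@EXAMPLE.COM", "alice/admin@EXAMPLE.COM"]
    print(default_principal("alice", "ops", "alice@EXAMPLE.COM", tickets,
                            OPS_K5LOGIN, OPS_K5USERS))
```

Run as a script it picks alice/admin@EXAMPLE.COM for "ksu ops" because alice@EXAMPLE.COM (candidate a) is not listed in either file, while the ticketed alice/admin principal is in .k5login; the carol entry shows that a command-restricted .k5users line never yields a shell, and the no-files branch shows why the aname->lname fallback only admits the principal that maps onto the target login itself.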
-c sourcecachename
Specify the source cache name (e.g., -c FILE:/tmp/mycache). If the -c option is not used then the name is obtained from the KRB5CCNAME environment variable. If KRB5CCNAME is not defined the source cache name is set to krb5cc