SYNOPSIS

       ksu [ target_user ] [ -n target_principal_name ] [ -c source_cache_name
       ] [ -k ] [ -D ] [ -r time ] [ -pf ] [ -l lifetime ] [ -zZ ] [ -q ] [ -e
       command [ args ...  ] ] [ -a [ args ...  ] ]


REQUIREMENTS

       Must  have  Kerberos  version  5 installed to compile ksu.  Must have a
       Kerberos version 5 server running to use ksu.


DESCRIPTION

       ksu is a Kerberized version of the su program that  has  two  missions:
       one is to securely change the real and effective user ID to that of the
       target user, and the other is to create a new  security  context.   For
       the  sake  of  clarity,  all  references  to and attributes of the user
       invoking the program will  start  with  'source'  (e.g.   source  user,
       source cache, etc.).  Likewise, all references to and attributes of the
       target account will start with 'target'.


AUTHENTICATION

       To fulfill the first mission, ksu operates in two  phases:  authentica‐
       tion  and  authorization.   Resolving  the target principal name is the
       first step in authentication.  The user can either specify his  princi‐
       pal  name  with  the -n option (e.g.  -n jqpublic@USC.EDU) or a default
       principal name will be assigned using  a  heuristic  described  in  the
       OPTIONS  section  (see  -n  option).   The target user name must be the
       first argument to ksu; if not specified root is the default.  If '.' is
       specified  then  the  target user will be the source user (e.g. ksu .).
       If the source user is root or the target user is the  source  user,  no
       authentication  or authorization takes place.  Otherwise, ksu looks for
       an appropriate Kerberos ticket in the source cache.

       The ticket can either be for the end-server or a ticket granting ticket
       (TGT)  for  the  target  principal's realm.  If the ticket for the end-
       server is already in the cache, it's decrypted and verified.   If  it's
       not  in  the cache but the TGT is, the TGT is used to obtain the ticket
       for the end-server.   The end-server ticket is then verified.  If  nei‐
       ther   ticket   is   in  the  cache,  but  ksu  is  compiled  with  the
       GET_TGT_VIA_PASSWD define, the user will be  prompted  for  a  Kerberos
       password  which  will then be used to get a TGT.  If the user is logged
       in remotely and does not have a secure channel,  the  password  may  be
       exposed.   If  neither ticket is in the cache and GET_TGT_VIA_PASSWD is
       not defined, authentication fails.


AUTHORIZATION

       This section describes authorization of the source  user  when  ksu  is
       invoked without the -e option.  For a description of the -e option, see
       the OPTIONS section.

       Upon successful authentication, ksu checks whether the target principal
       is  authorized to access the target account.  In the target user's home
       directory, ksu attempts to access two authorization files: .k5login and
       .k5users.   In the .k5login file each line contains the name of a prin‐
       without  any  trailing commands or followed only by '*' then the source
       user is authorized.  If either .k5login or .k5users exist but an appro‐
       priate  entry  for  the  target principal does not exist then access is
       denied. If neither file exists  then  the  principal  will  be  granted
       access  to the account according to the aname->lname mapping rules (see
       krb5_anadd(8) for more details).  Otherwise, authorization fails.


EXECUTION OF THE TARGET SHELL

       Upon successful authentication and authorization,  ksu  proceeds  in  a
       similar  fashion  to su.  The environment is unmodified with the excep‐
       tion of USER, HOME and SHELL variables.  If  the  target  user  is  not
       root,  USER  gets  set  to the target user name. Otherwise USER remains
       unchanged. Both HOME and SHELL are set to the  target  login's  default
       values.   In  addition, the environment variable KRB5CCNAME gets set to
       the name of the target cache.  The  real  and  effective  user  ID  are
       changed  to  that  of the target user.  The target user's shell is then
       invoked (the shell name is specified in the password file).  Upon  ter‐
       mination  of  the  shell,  ksu  deletes the target cache (unless ksu is
       invoked with the -k option).  This is implemented by first doing a fork
       and then an exec, instead of just exec, as done by su.


CREATING A NEW SECURITY CONTEXT

       Ksu can be used to create a new security context for the target program
       (either the target shell, or command specified via the -e option).  The
       target  program inherits a set of credentials from the source user.  By
       default, this set includes all of the credentials in the  source  cache
       plus  any  additional  credentials obtained during authentication.  The
       source user is able to limit the credentials in this set by using -z or
       -Z  option.   -z restricts the copy of tickets from the source cache to
       the target cache to only the tickets where client == the target princi‐
       pal  name.   The -Z option provides the target user with a fresh target
       cache (no creds in the cache). Note that for security reasons, when the
       source  user  is  root  and  target  user is non-root, -z option is the
       default mode of operation.

       While no authentication takes place if the source user is  root  or  is
       the  same  as the target user, additional tickets can still be obtained
       for the target cache.  If -n is specified and  no  credentials  can  be
       copied  to  the  target cache,  the  source user is prompted for a Ker‐
       beros password (unless -Z  specified  or  GET_TGT_VIA_PASSWD  is  unde‐
       fined). If successful,  a  TGT is obtained from the Kerberos server and
       stored in the target cache.  Otherwise, if a password is  not  provided
       (user hit return) ksu continues  in  a normal  mode  of  operation (the
       target cache will not contain the desired TGT).  If the wrong  password
       is typed in, ksu fails.

       Side  Note:  during  authentication,  only  the  tickets  that could be
       obtained without providing a password  are  cached  in  in  the  source
       cache.


OPTIONS

       -n target_principal_name
                 with the first principal listed  below,  ksu  checks  if  the
                 principal  is  authorized  to   access the target account and
                 whether there is a legitimate ticket for  that  principal  in
                 the  source  cache. If both conditions are met that principal
                 becomes the default target principal,  otherwise  go  to  the
                 next principal.

                 a) default principal of the source cache
                 b) target_user@local_realm
                 c) source_user@local_realm

                 If a-c fails try any principal for which there is a ticket in
                 the source cache and that is authorized to access the  target
                 account.   If  that  fails select the first principal that is
                 authorized to access the target account from the above  list.
                 If   none   are   authorized   and  ksu  is  configured  with
                 PRINC_LOOK_AHEAD turned on, select the default  principal  as
                 follows:

                 For  each  candidate  in the above list, select an authorized
                 principal that has the same realm name and first part of  the
                 principal  name  equal  to  the prefix of the candidate.  For
                 example  if  candidate  a)  is  jqpublic@ISI.EDU  and  jqpub‐
                 lic/secure@ISI.EDU is authorized to access the target account
                 then the default principal is set to jqpublic/secure@ISI.EDU.

                 Case 2: source user is root.
                 If the target user is non-root  then  the  default  principal
                 name  is  target_user@local_realm.  Else, if the source cache
                 exists the default principal name is set to the default prin‐
                 cipal  of  the  source  cache.  If  the source cache does not
                 exist, default principal name is set to root@local_realm.

       -c source_cache_name
                 Specify source cache name (e.g.  -c FILE:/tmp/my_cache).   If
                 -c  option  is  not  used  then  the  name  is  obtained from
                 KRB5CCNAME  environment  variable.   If  KRB5CCNAME  is   not
                 defined  the source cache name is set to krb5cc_<source uid>.
                 The target cache name is automatically set to  krb5cc_<target
                 uid>.(gen_sym()),  where  gen_sym generates a new number such
                 that the resulting cache does not already exist.
                 For example: krb5cc_1984.2

       -k        Do not delete the target cache upon termination of the target
                 shell  or  a  command ( -e command).  Without -k, ksu deletes
                 the target cache.

       -D        turn on debug mode.

       Ticket granting ticket options: -l lifetime -r time -pf
                 The ticket granting ticket options only  apply  to  the  case
                 where  there  are  no  appropriate  tickets  in  the cache to

       -p        option  specifies  that  the  PROXIABLE  option  should    be
                 requested for the ticket.

       -f        option  specifies  that  the  FORWARDABLE   option  should be
                 requested for the ticket.

       -z        restrict the copy of tickets from the  source  cache  to  the
                 target  cache  to only the tickets where client == the target
                 principal name. Use the -n option if you want the tickets for
                 other  then the default principal. Note that the -z option is
                 mutually exclusive with the -Z option.

       -Z        Don't copy any tickets from the source cache  to  the  target
                 cache.  Just  create  a fresh target cache, where the default
                 principal name of the cache  is  initialized  to  the  target
                 principal  name.   Note  that -Z option is mutually exclusive
                 with the -z option.

       -q        suppress the printing of status messages.

       -e command [args ...]
                 ksu proceeds exactly the same as if it  was  invoked  without
                 the  -e option, except instead of executing the target shell,
                 ksu executes the specified command (Example of usage: ksu bob
                 -e ls -lag).

                 The authorization algorithm for -e is as follows:

                 If  the source user is root or source user == target user, no
                 authorization takes place and the command  is  executed.   If
                 source  user id != 0, and ~target_user/.k5users file does not
                 exist, authorization fails.  Otherwise, ~target_user/.k5users
                 file  must  have an appropriate entry for target principal to
                 get authorized.

                 The .k5users file format:

                 A single principal entry on each line that may be followed by
                 a  list  of commands that the principal is authorized to exe‐
                 cute.  A principal name followed by a '*' means that the user
                 is  authorized to execute any command. Thus, in the following
                 example:

                 jqpublic@USC.EDU ls mail /local/kerberos/klist
                 jqpublic/secure@USC.EDU *
                 jqpublic/admin@USC.EDU

                 jqpublic@USC.EDU is only authorized to execute ls,  mail  and
                 klist commands. jqpublic/secure@USC.EDU is authorized to exe‐
                 cute any command. jqpublic/admin@USC.EDU is not authorized to
                 execute  any  command.   Note, that jqpublic/admin@USC.EDU is
                 specify either a full path or just the program name.

       -a args   specify arguments to be passed to the  target  shell.   Note:
                 that  all flags and parameters following -a will be passed to
                 the shell, thus all options intended for ksu must precede -a.
                 The  -a  option can be used to simulate the -e option if used
                 as follows: -a -c [command [arguments]].  -c  is  interpreted
                 by the c-shell to execute the command.


INSTALLATION INSTRUCTIONS

       ksu can be compiled with the following 4 flags (see the Imakefile):

       GET_TGT_VIA_PASSWD
                 in case no appropriate tickets are found in the source cache,
                 the user will be prompted for a Kerberos password.  The pass‐
                 word  is  then  used to get a ticket granting ticket from the
                 Kerberos server.  The danger of  configuring  ksu  with  this
                 macro  is  if  the source user is logged in remotely and does
                 not have a secure channel, the password may get exposed.

       PRINC_LOOK_AHEAD
                 during  the  resolution  of  the  default   principal   name,
                 PRINC_LOOK_AHEAD  enables  ksu to find principal names in the
                 .k5users file as described in the  OPTIONS  section  (see  -n
                 option).

       CMD_PATH  specifies  a  list  of  directories  containing programs that
                 users are authorized to execute (via .k5users file).

       HAS_GETUSERSHELL
                 If the source user is non-root, ksu insists that  the  target
                 user's  shell  to  be  invoked  is  a "legal shell". getuser‐
                 shell(3) is called to obtain the  names  of  "legal  shells".
                 Note that the target user's shell is obtained from the passwd
                 file.

       SAMPLE CONFIGURATION:
                 KSU_OPTS    =     -DGET_TGT_VIA_PASSWD     -DPRINC_LOOK_AHEAD
                 -DCMD_PATH='"/bin /usr/ucb /local/bin"

       PERMISSIONS FOR KSU
                 ksu  should  be  owned  by root and have the set user id  bit
                 turned on.

       END-SERVER ENTRY

                 ksu attempts to get a ticket for the end server just as  Ker‐
                 berized  telnet and rlogin.  Thus, there must be an entry for
                 the    server    in    the    Kerberos     database     (e.g.
                 host/nii.isi.edu@ISI.EDU).   The  keytab  file  must be in an
                 appropriate location.


Man(1) output converted with man2html