LOGIN(8)							     LOGIN(8)



NAME
       login.krb5 - kerberos enhanced login program

SYNOPSIS
       login.krb5 [-p] [-fFe username] [-r | -k | -K | -h hostname]

DESCRIPTION
       login.krb5 is a modification of the BSD login program which is used
       for two functions.  It is the sub-process used by krlogind and telnetd
       to initiate a user session, and it is a replacement for the
       command-line login program which, when invoked with a password,
       acquires Kerberos tickets for the user.

       login.krb5 will prompt for a username, or take one on the command
       line, as login.krb5 username, and will then prompt for a password.
       This password will be used to acquire Kerberos Version 5 tickets and
       Kerberos Version 4 tickets (if possible).  It will also attempt to run
       aklog to get AFS tokens for the user.  The version 5 tickets will be
       tested against a local krb5.keytab, if it is available, in order to
       verify the tickets before letting the user in.  However, if the
       password matches the entry in /etc/passwd, the user will be
       unconditionally allowed (permitting use of the machine in case of
       network failure).

OPTIONS
       -p     preserve the current environment

       -r hostname
	      pass hostname to rlogind.	 Must be the last argument.

       -h hostname
	      pass hostname to telnetd, etc.  Must be the last argument.

       -k hostname
	      Use Kerberos V4 to login.	 Must be the last argument.

       -K hostname
	      Use Kerberos V4 to login.	 Must be the last argument.

       -f name
	      Perform  pre-authenticated  login,  e.g., datakit, xterm, etc.;
	      allows preauthenticated login as root.

       -F name
	      Perform pre-authenticated login, e.g.,  datakit,	xterm,	etc.;
	      allows preauthenticated login as root.

       -e name
              Perform pre-authenticated, encrypted login.  Must do term
              negotiation.

CONFIGURATION
       login.krb5 is also configured via krb5.conf using the login stanza.  A
       collection of options dealing with initial authentication is
       provided:

       krb5_get_tickets
	      Use password to get V5 tickets. Default value true.

       krb4_get_tickets
	      Use password to get V4 tickets. Default value false.

       krb4_convert
              Use Kerberos conversion daemon to get V4 tickets. Default value
              false.  If false, and krb4_get_tickets is true, then login will
              get the V5 tickets directly using the Kerberos V4 protocol.
              This does not currently work with non MIT-V4 salt types (such
              as the AFS3 salt type).  Note that if this configuration
              parameter is true, and the krb524d is not running, login will
              hang for approximately a minute under Solaris, due to a
              Solaris socket emulation bug.

       krb_run_aklog
	      Attempt to run aklog. Default value false.

       aklog_path
              Where to find it [not yet implemented]. Default value
              $(prefix)/bin/aklog.

       accept_passwd
	      Don't accept plaintext passwords [not yet implemented]. Default
	      value false.
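
The following is an added example, not part of the original manual page or of the login.krb5 sources. It resolves the effective login stanza settings from krb5.conf text using the defaults documented above and lists the Kerberos V4 behaviour those settings trigger. The sample file, the function names and the set of accepted boolean spellings are assumptions made for the example.

```python
import re

# Defaults as documented in the CONFIGURATION section of this page.
DEFAULTS = {"krb5_get_tickets": True, "krb4_get_tickets": False,
            "krb4_convert": False, "krb_run_aklog": False,
            "accept_passwd": False}
# Boolean spellings treated as true (assumed for this example).
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample, not taken from a real host.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[login]
    krb4_get_tickets = true
    krb_run_aklog = yes
    ; krb4_convert = true
"""

def effective_login_config(conf_text):
    """Merge the [login] stanza of krb5.conf text over the documented defaults."""
    cfg, section = dict(DEFAULTS), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "login" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in DEFAULTS:
                cfg[key] = value.lower() in TRUE_WORDS
    return cfg

def review(conf_text):
    """Return (setting, note) pairs for the behaviour this page describes."""
    cfg, notes = effective_login_config(conf_text), []
    if not cfg["krb5_get_tickets"]:
        notes.append(("krb5_get_tickets", "password is not used to get V5 tickets"))
    if cfg["krb4_get_tickets"]:
        notes.append(("krb4_get_tickets", "password is also used to get V4 tickets"))
        if not cfg["krb4_convert"]:
            notes.append(("krb4_convert", "V4 protocol used directly; "
                          "does not work with non MIT-V4 salt types (e.g. AFS3)"))
    if cfg["krb4_convert"]:
        notes.append(("krb4_convert", "krb524d must be running, or login "
                      "hangs for about a minute under Solaris"))
    return notes
```

Calling review(open("/etc/krb5.conf").read()) on a host applies the same check to its real configuration.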


DIAGNOSTICS
       All  diagnostic messages are returned on the connection or tty associ-
       ated with stderr.


SEE ALSO
       rlogind(8), rlogin(1), telnetd(8)

BUGS
       Should use a config file to select use of V5, V4, and AFS, as well  as
       policy for startup.



								     LOGIN(8)

