NAME
login.krb5 - Kerberos enhanced login program
SYNOPSIS
login.krb5 [-p] [-fFe username] [-r | -k | -K | -h hostname]
DESCRIPTION
login.krb5 is a modification of the BSD login program which is used for
two functions. It is the sub-process used by krlogind and telnetd to
initiate a user session and it is a replacement for the command-line
login program which, when invoked with a password, acquires Kerberos
tickets for the user.
login.krb5 will prompt for a username, or take one on the command line
(as login.krb5 username), and will then prompt for a password. This
password will be used to acquire Kerberos Version 5 tickets (if
possible). It will also attempt to run aklog to get AFS tokens for the
user. The Version 5 tickets will be tested against a local krb5.keytab,
if one is available, in order to verify the tickets before letting the
user in. However, if the password matches the entry in /etc/passwd, the
user will be unconditionally allowed in (permitting use of the machine
in case of network failure).
OPTIONS
-p
Preserve the current environment.
-r hostname
Pass hostname to rlogind. Must be the last argument.
-h hostname
Pass hostname to telnetd, etc. Must be the last argument.
-f name
Perform pre-authenticated login, e.g., datakit, xterm, etc.;
allows preauthenticated login as root.
-F name
Perform pre-authenticated login, e.g., datakit, xterm, etc.;
allows preauthenticated login as root.
-e name
Perform pre-authenticated, encrypted login. Must do term
negotiation.
CONFIGURATION
login.krb5 is also configured via krb5.conf using the login stanza. A
collection of options dealing with initial authentication is provided:
krb5_get_tickets
Use password to get V5 tickets. Default value true.
krb_run_aklog
Attempt to run aklog. Default value false.
aklog_path
Where to find aklog [not yet implemented]. Default value
$(prefix)/bin/aklog.
accept_passwd
Don’t accept plaintext passwords [not yet implemented]. Default
value false.
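The following is an added example, not part of the original manual page or of the login.krb5 distribution: a small Python check that reads the login stanza from a krb5.conf, fills in the defaults documented above, and flags keys that are misspelled or that the page marks as not yet implemented. It assumes the stanza is written as a [login] section of key = value lines; the function names and the sample file are constructed for illustration.

```python
import re

DEFAULTS = {  # defaults as listed under CONFIGURATION in this manual page
    "krb5_get_tickets": "true",
    "krb_run_aklog": "false",
    "aklog_path": "$(prefix)/bin/aklog",
    "accept_passwd": "false",
}
NOT_IMPLEMENTED = {"aklog_path", "accept_passwd"}  # marked "[not yet implemented]"

# Constructed sample krb5.conf (assumed [login] section syntax), not from a real host.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[login]
    krb5_get_tickets = true
    krb_run_aklog = true
    accept_passwd = false
    krb5_run_aklog = true
"""

def login_stanza(conf_text):
    """Return the key/value relations found in the [login] section."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "login" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found[key] = value
    return found

def audit(conf_text):
    """Merge the stanza with the documented defaults; list questionable keys."""
    found = login_stanza(conf_text)
    settings = {**DEFAULTS, **{k: v for k, v in found.items() if k in DEFAULTS}}
    warnings = []
    for key in found:
        if key not in DEFAULTS:
            warnings.append(f"{key}: not a documented login option")
        elif key in NOT_IMPLEMENTED:
            warnings.append(f"{key}: documented as not yet implemented")
    return settings, warnings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The documented option names mix the krb5_ and krb_ prefixes, so a key such as krb5_run_aklog in the sample is reported as undocumented rather than silently merged.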
DIAGNOSTICS
All diagnostic messages are returned on the connection or tty
associated with stderr.
SEE ALSO
rlogind(8), rlogin(1), telnetd(8)
LOGIN(8)