LOGIN(8) UNIX System V LOGIN(8)
NAME
login.krb5 - Kerberos-enhanced login program
SYNOPSIS
login.krb5 [-p] [-fFe username] [-r | -k | -K | -h hostname]
DESCRIPTION
login.krb5 is a modification of the BSD login program which
is used for two functions. It is the sub-process used by
krlogind and telnetd to initiate a user session and it is a
replacement for the command-line login program which, when
invoked with a password, acquires Kerberos tickets for the
user.
login.krb5 will prompt for a username, or take one on the
command line, as login.krb5 username and will then prompt
for a password. This password will be used to acquire
Kerberos Version 5 tickets and Kerberos Version 4 tickets
(if possible). It will also attempt to run aklog to get AFS
tokens for the user. The version 5 tickets will be tested
against a local krb5.keytab if it is available, in order to
verify the tickets, before letting the user in. However, if
the password matches the entry in /etc/passwd the user will
be unconditionally allowed (permitting use of the machine in
case of network failure).
OPTIONS
-p preserve the current environment
-r hostname
pass hostname to rlogind. Must be the last argument.
-h hostname
pass hostname to telnetd, etc. Must be the last
argument.
-k hostname
Use Kerberos V4 to login. Must be the last argument.
-K hostname
Use Kerberos V4 to login. Must be the last argument.
-f name
Perform pre-authenticated login, e.g., datakit, xterm,
etc.; allows preauthenticated login as root.
-F name
Perform pre-authenticated login, e.g., datakit, xterm,
etc.; allows preauthenticated login as root.
-e name
Perform pre-authenticated, encrypted login. Must do
term negotiation.
CONFIGURATION
login.krb5 is also configured via krb5.conf using the login
stanza. A collection of options dealing with initial
authentication is provided:
krb5_get_tickets
Use password to get V5 tickets. Default value true.
krb4_get_tickets
Use password to get V4 tickets. Default value false.
krb4_convert
Use Kerberos conversion daemon to get V4 tickets.
Default value false. If false, and krb4_get_tickets is
true, then login will get the V5 tickets directly using
the Kerberos V4 protocol. This does not
currently work with non MIT-V4 salt types (such as the
AFS3 salt type). Note that if this configuration parameter
is true, and the krb524d is not running, login will
hang for approximately a minute under Solaris, due to
a Solaris socket emulation bug.
krb_run_aklog
Attempt to run aklog. Default value false.
aklog_path
Where to find it [not yet implemented.] Default value
$(prefix)/bin/aklog.
accept_passwd
Don't accept plaintext passwords [not yet implemented].
Default value false.
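As an added example (not part of the original manual page or of the login.krb5 source): a small Python check that reads the login stanza from krb5.conf text, applies the defaults listed above, and reports the caveats this page documents. The sample configuration is constructed, and the accepted boolean spellings are an assumption.

```python
import re

# Defaults as listed in the CONFIGURATION section of this page.
DEFAULTS = {"krb5_get_tickets": True, "krb4_get_tickets": False,
            "krb4_convert": False, "krb_run_aklog": False,
            "accept_passwd": False}
# Options this page marks "[not yet implemented]".
UNIMPLEMENTED = {"aklog_path", "accept_passwd"}
# Assumption: spellings treated as boolean true; anything else is false.
TRUE_WORDS = {"true", "yes", "on", "1", "y", "t"}

# Constructed sample input, not taken from a real system.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
[login]
    krb4_get_tickets = true
    krb_run_aklog = yes
    aklog_path = /usr/local/bin/aklog
"""

def login_settings(conf_text):
    """Return (effective booleans, keys set explicitly) for [login]."""
    settings, seen, section = dict(DEFAULTS), set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "login" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            seen.add(key)
            if key in DEFAULTS:
                settings[key] = value.lower() in TRUE_WORDS
    return settings, seen

def review(settings, seen):
    """Return notes for the caveats this page documents."""
    notes = [f"{key}: not yet implemented" for key in sorted(seen & UNIMPLEMENTED)]
    if settings["krb4_convert"]:
        # Reads "configuration parameter" in the page's note as krb4_convert.
        notes.append("krb4_convert: needs krb524d running (Solaris hang)")
    elif settings["krb4_get_tickets"]:
        notes.append("krb4_get_tickets: fails with non MIT-V4 salt types")
    return notes

if __name__ == "__main__":
    for note in review(*login_settings(SAMPLE)):
        print(note)
```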
DIAGNOSTICS
All diagnostic messages are returned on the connection or
tty associated with stderr.
SEE ALSO
rlogind(8), rlogin(1), telnetd(8)
BUGS
Should use a config file to select use of V5, V4, and AFS,
as well as policy for startup.