Provided by: krb5-rsh-server_1.6.dfsg.3~beta1-2ubuntu1_i386 bug

NAME

       login.krb5 - kerberos enhanced login program

SYNOPSIS

       login.krb5 [-p] [-fFe username] [-r | -k | -K | -h hostname]

DESCRIPTION

       login.krb5 is a modification of the BSD login program which is used for
       two functions.  It is the sub-process used by krlogind and  telnetd  to
       initiate  a  user  session and it is a replacement for the command-line
       login program which, when invoked with a  password,  acquires  Kerberos
       tickets for the user.

       login.krb5 will prompt for a username, or take one on the command line,
       as login.krb5 username and  will  then  prompt  for  a  password.  This
       password  will  be  used  to  acquire  Kerberos  Version  5 tickets and
       Kerberos Version 4 tickets (if possible.) It will also attempt  to  run
       aklog  to  get  AFS  tokens for the user. The version 5 tickets will be
       tested against a local krb5.keytab if it  is  available,  in  order  to
       verify  the  tickets,  before  letting  the  user  in.  However, if the
       password  matches  the  entry  in  /etc/passwd   the   user   will   be
       unconditionally  allowed  (permitting  use  of  the  machine in case of
       network failure.)

OPTIONS

       -p     preserve the current environment

       -r hostname
              pass hostname to rlogind.  Must be the last argument.

       -h hostname
              pass hostname to telnetd, etc.  Must be the last argument.

       -k hostname
              Use Kerberos V4 to login.  Must be the last argument.

       -K hostname
              Use Kerberos V4 to login.  Must be the last argument.

       -f name
              Perform pre-authenticated login,  e.g.,  datakit,  xterm,  etc.;
              allows preauthenticated login as root.

       -F name
              Perform  pre-authenticated  login,  e.g.,  datakit, xterm, etc.;
              allows preauthenticated login as root.

       -e name
              Perform  pre-authenticated,  encrypted  login.   Must  do   term
              negotiation.

CONFIGURATION

       login.krb5  is  also configured via krb5.conf using the login stanza. A
       collection of options dealing with initial authentication are provided:

       krb5_get_tickets
              Use password to get V5 tickets. Default value true.

       krb4_get_tickets
              Use password to get V4 tickets. Default value false.

       krb4_convert
              Use  Kerberos conversion daemon to get V4 tickets. Default value
              false. If false, and krb4_get_tickets is true, then  login  will
              get  the  V5  tickets  directly  using  the Kerberos V4 protocol
              directly.  This does not currently work  with  non  MIT-V4  salt
              types  (such as the AFS3 salt type.)  Note that if configuration
              parameter is true, and the krb524d is not  running,  login  will
              hang for approximately a minute  under Solaris, due to a Solaris
              socket emulation bug.

       krb_run_aklog
              Attempt to run aklog. Default value false.

       aklog_path
              Where  to  find  it  [not  yet   implemented.]   Default   value
              $(prefix)/bin/aklog.

       accept_passwd
              Don’t  accept plaintext passwords [not yet implemented]. Default
              value false.

DIAGNOSTICS

       All  diagnostic  messages  are  returned  on  the  connection  or   tty
       associated with stderr.

SEE ALSO

       rlogind(8), rlogin(1), telnetd(8)

BUGS

       Should  use  a config file to select use of V5, V4, and AFS, as well as
       policy for startup.

                                                                      LOGIN(8)