Provided by: krb5-rsh-server_1.0.1-1_amd64
login.krb5 - kerberos enhanced login program
login.krb5 [-p] [-fFe username] [-r | -k | -K | -h hostname]
login.krb5 is a modification of the BSD login program which is used for two functions. It is the sub-process used by krlogind and telnetd to initiate a user session and it is a replacement for the command-line login program which, when invoked with a password, acquires Kerberos tickets for the user. login.krb5 will prompt for a username, or take one on the command line, as login.krb5 username and will then prompt for a password. This password will be used to acquire Kerberos Version 5 tickets (if possible.) It will also attempt to run aklog to get AFS tokens for the user. The version 5 tickets will be tested against a local krb5.keytab if it is available, in order to verify the tickets, before letting the user in. However, if the password matches the entry in /etc/passwd the user will be unconditionally allowed (permitting use of the machine in case of network failure.)
-p preserve the current environment -r hostname pass hostname to rlogind. Must be the last argument. -h hostname pass hostname to telnetd, etc. Must be the last argument. -f name Perform pre-authenticated login, e.g., datakit, xterm, etc.; allows preauthenticated login as root. -F name Perform pre-authenticated login, e.g., datakit, xterm, etc.; allows preauthenticated login as root. -e name Perform pre-authenticated, encrypted login. Must do term negotiation.
login.krb5 is also configured via krb5.conf using the login stanza. A collection of options dealing with initial authentication are provided: krb5_get_tickets Use password to get V5 tickets. Default value true. krb_run_aklog Attempt to run aklog. Default value false. aklog_path Where to find it [not yet implemented.] Default value $(prefix)/bin/aklog. accept_passwd Don't accept plaintext passwords [not yet implemented]. Default value false.
All diagnostic messages are returned on the connection or tty associated with stderr.