Provided by: krb5-doc_1.13.2+dfsg-5_all bug

NAME

       k5identity - Kerberos V5 client principal selection rules

DESCRIPTION

       The  .k5identity  file, which resides in a user's home directory, contains a list of rules
       for selecting a client principals based on the server being  accessed.   These  rules  are
       used to choose a credential cache within the cache collection when possible.

       Blank lines and lines beginning with # are ignored.  Each line has the form:
          principal field=value ...

       If  the  server  principal meets all of the field constraints, then principal is chosen as
       the client principal.  The following fields are recognized:

       realm  If the realm of the server principal is known, it is matched against  value,  which
              may  be  a  pattern  using  shell wildcards.  For host-based server principals, the
              realm will  generally  only  be  known  if  there  is  a  domain_realm  section  in
              krb5.conf(5) with a mapping for the hostname.

       service
              If the server principal is a host-based principal, its service component is matched
              against value, which may be a pattern using shell wildcards.

       host   If the server principal is  a  host-based  principal,  its  hostname  component  is
              converted  to  lower  case  and matched against value, which may be a pattern using
              shell wildcards.

              If  the  server  principal  matches  the  constraints  of  multiple  lines  in  the
              .k5identity  file,  the principal from the first matching line is used.  If no line
              matches, credentials will be selected some other way, such as the  realm  heuristic
              or the current primary cache.

EXAMPLE

       The  following  example .k5identity file selects the client principal alice@KRBTEST.COM if
       the server principal is within that realm, the  principal  alice/root@EXAMPLE.COM  if  the
       server  host  is within a servers subdomain, and the principal alice/mail@EXAMPLE.COM when
       accessing the IMAP service on mail.example.com:

          alice@KRBTEST.COM       realm=KRBTEST.COM
          alice/root@EXAMPLE.COM  host=*.servers.example.com
          alice/mail@EXAMPLE.COM  host=mail.example.com service=imap

SEE ALSO

       kerberos(1), krb5.conf(5)

AUTHOR

       MIT

COPYRIGHT

       1985-2015, MIT