Kerberos 5 Utilities

These programs have been tested with the MIT Kerberos implementation. They should work with Heimdal as well, but this has not been tested. Testing would be appreciated.

There are no Makefiles included with these programs. The command used to compile is listed last in the source files.


krb5-agent is a program that sits in the background and renews your credentials cache periodically. The reason it is called krb5-agent is because of how its use is similar to that of ssh-agent (not that the tasks they perform are particularly similar, however). Like ssh-agent, you can give it another command on the command line, which it will execute as a child process and then terminate when that child process terminates. It is therefore recommended that you use it in your Xsession script to launch the session manager.


Described in the normal manpage synopsis syntax, krb5-agent has the following invocation scheme:

krb5-agent [-hvqf] [-i interval] [program args...]

If program is given, krb5-agent will execute the program in a child process, and exit when that process exits (returning the same exit code as that of the child process). If the program to be called begins with a dash, prepend it with -- to prevent it from being parsed as a switch. Any args given will be passed to the child process. If program is not given, krb5-agent will run until killed.


Print a short usage message to the terminal and exit.
Increase verbosity.
Be completely silent.
Run in "failsafe" mode, meaning that krb5-agent will not exit because of errors, but continue running until the child process exits.
Specify the interval in seconds at which to renew the tickets. If -i is not given, the tickets will be renewed after 9/10 of their lifetime. The postfixes s, m, h and d are recognized to change the unit of time – for example, use -i 5h to renew the tickets every five hours.



pam_krb5auto is a PAM module that gets a TGT non-interactively using the key stored in a keytab. Its purpose is for using along with the auto login feature of GDM (or any other display manager that calls a PAM stack as part of its auto login procedure).

To use, put it in the appropriate PAM stack as an auth module (like pam_env, it should have been a session module, but works better with the pam_setcred function than the session family of functions). It will then request a TGT from the KDC when opening the session, and destroy the credentials cache when closing the session.

pam_krb5auto accepts the following PAM command-line options:

Use REALM instead of the default realm
Append INSTANCE to the principal name. If this option is not given, autologin will be appended. For example, if the user jpbarda is set to be logged in automatically, a TGT will be requested for the principal jpbarda/autologin.
Get the principal key from the keytab KEYTAB. If this option is not given, the system default keytab (normally /etc/krb5.keytab) will be used.
Make the TGT renewable for RENEWLIFE seconds. RENEWLIFE accepts the same postfixes as the -i option to krb5-agent, above.
Make the TGT forwardable.
Log debug messages to syslog.


To get forwardable tickets that are renewable for ten days when GDM logs in a user automatically, put this line in /etc/pam.d/gdm-autologin:

auth required /lib/security/pam_krb5auto.c forwardable renew=10d


Valid XHTML 1.1! Valid CSS! This site attempts not to be broken.
Author: Fredrik Tolf <>
Last changed: Sun Jun 11 03:17:08 2006