These programs have been tested with the MIT Kerberos implementation. They should work with Heimdal as well, but this has not been tested. Testing would be appreciated.
There are no Makefiles included with these programs. The command used to compile is listed last in the source files.
krb5-agent is a program that sits in the background and renews your credentials cache periodically. It is called krb5-agent because its use is similar to that of ssh-agent (not that the tasks they perform are particularly similar, however). Like ssh-agent, you can give it another command on the command line; it will execute that command as a child process and terminate when the child process terminates. It is therefore recommended that you use it in your Xsession script to launch the session manager.
Described in the normal manpage synopsis syntax, krb5-agent has the following invocation scheme:

    krb5-agent [-hvqf] [-i interval] [program args...]

If program is given, krb5-agent will execute the program in a child process, and exit when that process exits (returning the same exit code as that of the child process). If the program to be called begins with a dash, precede it with -- to prevent it from being parsed as a switch. Any args given will be passed to the child process. If program is not given, krb5-agent will run until killed.

-h
-v
-q
-f
    krb5-agent will not exit because of errors, but continue running until the child process exits.
-i
    -i is not given, the tickets will be renewed after 9/10 of their lifetime. The postfixes s, m, h and d are recognized to change the unit of time – for example, use -i 5h to renew the tickets every five hours.

pam_krb5auto is a PAM module that gets a TGT non-interactively using the key stored in a keytab. It is intended for use with the auto login feature of GDM (or any other display manager that calls a PAM stack as part of its auto login procedure).
To use it, put it in the appropriate PAM stack as an auth module (like pam_env, it should have been a session module, but works better with the pam_setcred function than the session family of functions). It will then request a TGT from the KDC when opening the session, and destroy the credentials cache when closing the session.
pam_krb5auto accepts the following PAM command-line options:

realm=REALM
    REALM instead of the default realm
instance=INSTANCE
    INSTANCE to the principal name. If this option is not given, autologin will be appended. For example, if the user jpbarda is set to be logged in automatically, a TGT will be requested for the principal jpbarda/autologin.
keytab=KEYTAB
    KEYTAB. If this option is not given, the system default keytab (normally /etc/krb5.keytab) will be used.
renew=RENEWLIFE
    RENEWLIFE seconds. RENEWLIFE accepts the same postfixes as the -i option to krb5-agent, above.
forwardable
debug

To get forwardable tickets that are renewable for ten days when GDM logs in a user automatically, put this line in /etc/pam.d/gdm-autologin:

    auth required /lib/security/pam_krb5auto.so forwardable renew=10d
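
The following audit helper is an added example, not part of pam_krb5auto or its documentation. It resolves the options of a pam_krb5auto line to the principal and keytab that will be used, applying the defaults described above, and checks the keytab's file permissions. The function names, the "bare number means seconds" rule, the user/instance@REALM principal form and the root-owned, owner-only keytab policy are assumptions of this example.

```python
import os
import stat

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # postfixes named on the page

def parse_duration(text):
    """'10d' -> 864000, '5h' -> 18000; a bare number is taken as seconds (assumption)."""
    if text[-1:] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)

def effective_settings(pam_line, user):
    """Resolve the pam_krb5auto options on one PAM line for `user`.
    Assumes the simple 'type control module options...' form (no bracketed control)."""
    fields = pam_line.split()
    if len(fields) < 3 or "pam_krb5auto" not in fields[2]:
        return None
    # Defaults as stated on the page: instance "autologin", system default keytab.
    opts = {"realm": None, "instance": "autologin", "keytab": "/etc/krb5.keytab",
            "renew": None, "forwardable": False, "debug": False, "unknown": []}
    for word in fields[3:]:
        key, sep, value = word.partition("=")
        if key in ("forwardable", "debug") and not sep:
            opts[key] = True
        elif key in ("realm", "instance", "keytab") and value:
            opts[key] = value
        elif key == "renew" and value:
            opts["renew"] = parse_duration(value)
        else:
            opts["unknown"].append(word)  # likely a typo in the PAM stack
    realm = "@" + opts["realm"] if opts["realm"] else ""
    opts["principal"] = f"{user}/{opts['instance']}{realm}"
    return opts

def keytab_findings(path):
    """The keytab holds the long-term key of the autologin principal,
    so anyone who can read the file can obtain a TGT for that principal."""
    st = os.stat(path)
    findings = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keytab accessible by group or other")
    if st.st_uid != 0:
        findings.append("keytab not owned by root")
    return findings

if __name__ == "__main__":
    # Constructed sample line using the options from the page's example.
    line = "auth required pam_krb5auto.so forwardable renew=10d"
    print(effective_settings(line, "jpbarda"))
```

Run keytab_findings on the "keytab" value returned by effective_settings; an empty list means the file passed both checks.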