klogin, ktelnet

(Kerberos rlogin or telnet with v4 ticket forwarding)


klogin [-AfhTVvx] [-l username] [rlogin options] host [port]

ktelnet [-AfhVvx] [-l username] [telnet options] host [port]


klogin forwards your Kerberos ticket-granting ticket to the machine host using kftgt(1) and then connects to that machine using Kerberos rlogin. If invoked with the -T option or as ktelnet, it uses Kerberos telnet instead, and also takes an optional port argument to connect to a non-standard port. If kftgt fails with an error indicating that the remote system isn't running kftgtd, the user has no Kerberos v4 ticket cache, or the user has no .klogin file on the remote system, klogin continues anyway (in case Kerberos v5 will work fine). Otherwise, klogin fails if kftgt fails.

By default, klogin always uses encryption (the -x option to rlogin or telnet) and always forwards forwardable Kerberos v5 tickets (the -F option). When invoking telnet, klogin always passes the -a flag to tell telnet to automatically log on to the remote system.

You can also give klogin any options supported by either telnet or rlogin, and they will be passed to telnet or rlogin as appropriate. Note, however, that the -a option to telnet isn't recognized because klogin always uses -a when using telnet, and the meanings of the -f, -F, and -x flags are reversed (see below).

The host given to klogin is put through a forward and then reverse DNS lookup before being used, to resolve any CNAMEs to their canonical hosts and to handle load-balanced hosts or hosts with multiple A records.
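The forward-then-reverse lookup described above, as an added Python example (not klogin's own code). It goes beyond the page by also requiring that the PTR name resolve back to the same address; the record tables and the function names are constructed for illustration.

```python
import socket

def system_forward(name):
    """All IPv4 addresses for name, via the system resolver."""
    return socket.gethostbyname_ex(name)[2]

def system_reverse(addr):
    """Primary PTR name for addr, via the system resolver."""
    return socket.gethostbyaddr(addr)[0]

def canonicalize(host, forward=system_forward, reverse=system_reverse):
    """Forward then reverse lookup, as the page describes for klogin.

    Added check (not described on the page): the PTR name must resolve
    back to the same address, otherwise ValueError is raised.
    """
    addrs = forward(host)
    if not addrs:
        raise ValueError(f"{host}: no address records")
    addr = addrs[0]                      # one member of a load-balanced pool
    canonical = reverse(addr).rstrip(".").lower()
    if addr not in forward(canonical):
        raise ValueError(f"{addr}: PTR {canonical} is not forward-confirmed")
    return canonical

# Constructed records (documentation address space), so the demo runs offline.
A = {
    "login.example.org": ["192.0.2.10", "192.0.2.11"],  # alias for a pool
    "node1.example.org": ["192.0.2.10"],
    "node2.example.org": ["192.0.2.11"],
    "stale.example.org": ["192.0.2.20"],
}
PTR = {
    "192.0.2.10": "node1.example.org.",
    "192.0.2.11": "node2.example.org.",
    "192.0.2.20": "other.example.net.",  # PTR with no matching A record
}

def demo_forward(name):
    return A.get(name, [])

def demo_reverse(addr):
    return PTR[addr]

if __name__ == "__main__":
    print(canonicalize("login.example.org", demo_forward, demo_reverse))
```

Called with only a host name, `canonicalize` uses the system resolver instead of the constructed tables.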



Don't forward tickets to the remote host. This both tells klogin not to run kftgt(1) and tells it not to pass either -f or -F to rlogin or telnet so that Kerberos v5 tickets won't be forwarded.


Don't forward forwardable Kerberos v5 tickets. This tells klogin to pass the -f option to telnet or rlogin rather than -F. Kerberos v4 tickets will still be forwarded, as will Kerberos v5 tickets, but the forwarded Kerberos v5 tickets cannot be forwarded to another host.

--help, -h

Print a summary of options and exit.

--login=username, -l username

Set the username on the remote system to username. This is the user to log in as, as well as the user to which to forward tickets. If this option is not given, the default will be the username on the local host. This option will often be necessary if the local username differs from the Kerberos principal name, since kftgt and rlogin differ on the default otherwise.

--telnet, -T

Use telnet rather than rlogin. Using this option has the same effect as invoking klogin as ktelnet.

--verbose, -V

Print out each command and the arguments used before it's executed.

--version, -v

Print the version number of klogin and exit.


Don't use encryption. Use of this option is not recommended, as anything sent through the resulting connection can be read by a potential attacker.

--xauth, -A

Try to forward the .Xauthority file to the remote host. This is done using rcp and the .Xauthority file on the remote system will be overwritten, not merged. Note that if the remote system uses AFS as its file system, your dotfiles must be set up so that rcp to that system after a ticket has been forwarded will acquire a token and be able to write to your home directory.

In addition, klogin tries to recognize rlogin and telnet options and pass them along to rlogin or telnet as appropriate.
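The reversed -f, -F, and -x meanings are easy to misread, so here is an added Python model (not klogin's own code) of which flags reach rlogin or telnet and whether kftgt runs, followed by a check of what the resulting command line means for the session. The parameter names, the argument order, and the host name are assumptions of this sketch.

```python
def child_command(invoked_as="klogin", telnet=False, no_forward=False,
                  no_forwardable=False, no_encrypt=False,
                  user=None, host="host.example.org", port=None):
    """Return (run_kftgt, argv) for one invocation, per the man page text.

    Parameter names and the order of argv are assumptions of this sketch.
    """
    use_telnet = telnet or invoked_as == "ktelnet"
    argv = ["telnet", "-a"] if use_telnet else ["rlogin"]
    if not no_encrypt:            # klogin -x removes the child's -x
        argv.append("-x")
    if not no_forward:            # klogin -f: pass neither -f nor -F
        # klogin -F downgrades the child's -F to -f
        argv.append("-f" if no_forwardable else "-F")
    if user:
        argv += ["-l", user]
    argv.append(host)
    if use_telnet and port is not None:
        argv.append(str(port))
    run_kftgt = not no_forward    # v4 forwarding is skipped only by klogin -f
    return run_kftgt, argv


def review(argv):
    """Flag what a given child command line means for the session."""
    notes = []
    if "-x" not in argv:
        notes.append("session is not encrypted")
    if "-F" in argv:
        notes.append("v5 tickets forwarded and re-forwardable")
    elif "-f" in argv:
        notes.append("v5 tickets forwarded, not re-forwardable")
    else:
        notes.append("no v5 tickets forwarded")
    return notes


if __name__ == "__main__":
    for opts in ({}, {"no_forwardable": True}, {"no_forward": True, "no_encrypt": True}):
        kftgt, argv = child_command(**opts)
        print(opts, "kftgt" if kftgt else "no kftgt", argv, review(argv))
```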


See kftgt(1) for some additional details about Kerberos v4 ticket forwarding and some of the peculiarities thereof.


klogin was originally written by Roland Schemers <schemers@stanford.edu> and updated and maintained by Larry Schwimmer <opusl@stanford.edu>. It was rewritten completely by Russ Allbery <rra@stanford.edu>.

Questions and bug reports may be sent to Russ Allbery <rra@stanford.edu>, but please be aware that we only support Stanford affiliates and may not be able to help with problems at other sites.


Copyright 1994, 1996, 1997, 1999, 2001, 2002, 2003, 2005, 2007 Board of Trustees, Leland Stanford Jr. University

All rights reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.



kftgt(1), rlogin(1), telnet(1)

Last spun 2014-07-26 from POD modified 2007-06-06