Diffstat (limited to 'doc/users/user_config/k5login.rst')
-rw-r--r-- doc/users/user_config/k5login.rst 53
1 files changed, 53 insertions, 0 deletions
diff --git a/doc/users/user_config/k5login.rst b/doc/users/user_config/k5login.rst
new file mode 100644
index 0000000000..00f5a5a3ae
--- /dev/null
+++ b/doc/users/user_config/k5login.rst
@@ -0,0 +1,53 @@
+.. _.k5login(5):
+
+.k5login
+========
+
+DESCRIPTION
+-----------
+
+The .k5login file, which resides in a user's home directory, contains
+a list of the Kerberos principals. Anyone with valid tickets for a
+principal in the file is allowed host access with the UID of the user
+in whose home directory the file resides. One common use is to place
+a .k5login file in root's home directory, thereby granting system
+administrators remote root access to the host via Kerberos.
+
+
+EXAMPLES
+--------
+
+Suppose the user ``alice`` had a .k5login file in her home directory
+containing the following line:
+
+ ::
+
+ bob@FOOBAR.ORG
+
+This would allow ``bob`` to use Kerberos network applications, such as
+ssh(1), to access ``alice``'s account, using ``bob``'s Kerberos
+tickets.
+
+Let us further suppose that ``alice`` is a system administrator.
+Alice and the other system administrators would have their principals
+in root's .k5login file on each host:
+
+ ::
+
+ alice@BLEEP.COM
+
+ joeadmin/root@BLEEP.COM
+
+This would allow either system administrator to log in to these hosts
+using their Kerberos tickets instead of having to type the root
+password. Note that because ``bob`` retains the Kerberos tickets for
+his own principal, ``bob@FOOBAR.ORG``, he would not have any of the
+privileges that require ``alice``'s tickets, such as root access to
+any of the site's hosts, or the ability to change ``alice``'s
+password.
+
+
+SEE ALSO
+--------
+
+kerberos(1)
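
Review bot: The DESCRIPTION paragraph never states the file's syntax or the conditions under which the file is honoured, and that gap matters because the same paragraph recommends the file for granting remote root access. Please document whether entries are one principal per line and whether blank lines are accepted (the second literal block under EXAMPLES separates alice@BLEEP.COM and joeadmin/root@BLEEP.COM with an empty line, but the prose does not say this is valid), what ownership and permissions the file is expected to have, and what access applies when the file is missing or empty. A short note that anyone able to write to a user's .k5login can grant themselves access with that user's UID would also help readers of the root example. Minor wording: "a list of the Kerberos principals" reads better as "a list of Kerberos principals".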