# Install krb5 with Homebrew, apk, apt, dnf, Nix, pacman, zypper

Network authentication protocol. Version 1.22.2 via Homebrew; verified 2026-05-14.

## Install

```sh
sudo av install brew:krb5
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install krb5
```

  Evidence: local Homebrew formula metadata

### Linux

- apk (92%):

```sh
sudo apk add krb5
```

  Evidence: Alpine Linux edge package indexes: krb5 from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install krb5-admin-server
```

  Evidence: Debian stable package indexes: krb5-admin-server from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install krb5-devel
```

  Evidence: Fedora Rawhide package metadata: krb5-devel from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#krb5
```

  Evidence: nixpkgs package indexes: pkgs/by-name/kr/krb5/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S krb5
```

  Evidence: Arch Linux sync databases: krb5 from https://geo.mirror.pkgbuild.com/core/os/x86_64/core.db.tar.gz

- zypper (92%):

```sh
sudo zypper install krb5
```

  Evidence: openSUSE Tumbleweed package metadata: krb5 from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:krb5
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/krb5>
- **Version:** 1.22.2
- **Source summary:** Network authentication protocol
- **Homepage:** <https://web.mit.edu/kerberos/>
- **Repository:** <https://github.com/krb5/krb5>
- **Upstream docs:** <https://web.mit.edu/kerberos/krb5-latest/doc>
- **License:** BSD-2-Clause AND BSD-2-Clause-first-lines AND BSD-3-Clause AND BSD-4-Clause AND Brian-Gladman-2-Clause AND CMU-Mach-nodoc AND FSFULLRWD AND HPND AND HPND-export2-US AND HPND-export-US AND HPND-export-US-acknowledgement AND HPND-export-US-modify AND ISC AND MIT AND MIT-CMU AND OLDAP-2.8 AND OpenVision AND (BSD-2-Clause OR GPL-2.0-or-later)
- **Source archive:** <https://kerberos.org/dist/krb5/1.22/krb5-1.22.2.tar.gz>
- **Last updated:** 2026-05-14T09:32:34-04:00
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- compile_et (cli)
- gss-client (cli)
- gss-server (cli)
- k5srvutil (cli)
- kadmin (cli)
- kadmin.local (cli)
- kadmind (cli)
- kdb5_util (cli)
- kdestroy (cli)
- kinit (cli)
- klist (cli)
- kpasswd (cli)
- kprop (cli)
- kpropd (cli)
- kproplog (cli)
- krb5-config (cli)
- krb5-send-pr (cli)
- krb5kdc (cli)
- ksu (cli)
- kswitch (cli)
- ktutil (cli)
- kvno (cli)
- sclient (cli)
- sim_client (cli)
- sim_server (cli)
- sserver (cli)
- uuclient (cli)
- uuserver (cli)
- compile_et (alias)
- gss-client (alias)
- gss-server (alias)
- k5srvutil (alias)
- kadmin (alias)
- kadmin.local (alias)
- kadmind (alias)
- kdb5_util (alias)
- kdestroy (alias)
- kinit (alias)
- klist (alias)
- kpasswd (alias)
- kprop (alias)
- kpropd (alias)
- kproplog (alias)
- krb5-config (alias)
- krb5-send-pr (alias)
- krb5kdc (alias)
- ksu (alias)
- kswitch (alias)
- ktutil (alias)
- kvno (alias)
- sclient (alias)
- sim_client (alias)
- sim_server (alias)
- sserver (alias)
- uuclient (alias)
- uuserver (alias)

## Dependencies

- openssl@3

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.22.2
- Package-manager updated: 2026-05-14
- Local data: ok
- Upstream repository: https://web.mit.edu/kerberos/
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

MIT Kerberos is the reference implementation of the Kerberos network authentication protocol. Among packages in this batch, krb5 has the deepest systems history: it is both a protocol suite and a user/admin toolchain whose commands, libraries, config files, credential caches, and keytabs became standard Unix security plumbing.

### Project history

Kerberos was designed and implemented at MIT's Project Athena to solve open-network authentication problems for distributed workstations and services. MIT's overview describes it as a network authentication protocol using secret-key cryptography so clients and servers can prove identities over insecure networks.

The historical MIT dialogue about Kerberos was originally written in February 1988 and later updated with a Kerberos V5 afterword. Kerberos V5 was standardized by RFC 1510 and then clarified and superseded by RFC 4120 in July 2005.

MIT continues to publish krb5 source releases, documentation, user tools, administrator tools, GSS-API support, protocol documentation, and release notes. The public GitHub repository is described as a mirror of the MIT krb5 repository, while MIT's own web pages remain the authoritative release and documentation surface.

### Adoption history

Kerberos spread from MIT academic infrastructure into Unix, enterprise, and vendor authentication systems because it provided single sign-on semantics without sending reusable passwords to each service. MIT's site states that Kerberos is available in many commercial products as well as free source form.

Package-manager adoption is unusually broad because krb5 is not just an end-user utility: development headers, client commands such as kinit and klist, KDC/admin daemons, GSS-API libraries, keytab utilities, and service integrations all depend on it.

### How it is used

The CLI workflow centers on acquiring tickets with kinit, inspecting credential caches with klist, destroying tickets with kdestroy, changing passwords with kpasswd, and administering principals and keytabs with kadmin and ktutil. System operation uses /etc/krb5.conf for realm and library configuration, credential caches such as /tmp/krb5cc_%{uid}, and keytabs such as /etc/krb5.keytab.

For package maintainers, krb5 is a security-sensitive dependency that touches command-line tools, libraries, daemons, PAM or GSS-API consumers, protocol compatibility, encryption-type deprecations, and CVE-driven patch releases.

### Why package nerds care

krb5 is the kind of package that reveals the difference between an executable and an infrastructure component. Installing it may provide dozens of commands, shared libraries, config-file semantics, daemon behavior, protocol wire compatibility, and ABI/API commitments used by unrelated packages.

It is also a long-lived example of protocol packaging: the package has to track IETF standards, MIT release engineering, vendor interoperability, and security defaults such as DES, Triple-DES, RC4, PKINIT, PAC, and GSS-API changes over decades.

### Timeline

- 1988: Bill Bryant wrote MIT's Kerberos design dialogue, reflecting the Project Athena authentication model.
- 1996: MIT krb5 1.0-era releases entered the historical release archive.
- 2005-07: RFC 4120 specified Kerberos V5 and obsoleted RFC 1510.
- 2012-05-12: The public GitHub mirror repository was created.
- 2026-01-29: MIT released krb5-1.22.2.

### Related projects

- Related standards and APIs include RFC 4120 Kerberos V5 and GSS-API integrations. Related implementations and deployments include vendor Kerberos products and operating-system authentication stacks that consume MIT krb5 libraries or interoperate with the protocol.

### Sources

- <https://github.com/krb5/krb5>
- <https://web.mit.edu/kerberos/>
- <https://web.mit.edu/kerberos/dialogue.html>
- <https://web.mit.edu/kerberos/historical.html>
- <https://web.mit.edu/kerberos/krb5-1.22/>
- <https://web.mit.edu/kerberos/krb5-latest/doc>
- <https://www.rfc-editor.org/rfc/rfc4120>


## Security Notes

broad file, network, media, or database tool signal.

- **Geiger risk:** blue / medium
- broad file, network, media, or database tool signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: /etc/krb5.conf

## Credential files

- Unix: /tmp/krb5cc_%{uid}, /etc/krb5.keytab
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** krb5
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** yes
- **URL Keys:** stable

## Other Package-Manager Records

- Debian apt - krb5-admin-server - 1.21.3-5: normalized package name match | Debian stable package indexes: krb5-admin-server from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | MIT Kerberos master server (kadmind) | https://web.mit.edu/kerberos/
- Debian apt - krb5-doc - 1.21.3-5: normalized package name match | Debian stable package indexes: krb5-doc from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | documentation for MIT Kerberos | https://web.mit.edu/kerberos/
- Debian apt - krb5-gss-samples - 1.21.3-5: normalized package name match | Debian stable package indexes: krb5-gss-samples from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | MIT Kerberos GSS Sample applications | https://web.mit.edu/kerberos/
- Debian apt - krb5-k5tls - 1.21.3-5: normalized package name match | Debian stable package indexes: krb5-k5tls from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | TLS plugin for MIT Kerberos | https://web.mit.edu/kerberos/
- Debian apt - krb5-kdc - 1.21.3-5: normalized package name match | Debian stable package indexes: krb5-kdc from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | MIT Kerberos key server (KDC) | https://web.mit.edu/kerberos/
- Debian apt - krb5-kdc-ldap - 1.21.3-5: normalized package name match | Debian stable package indexes: krb5-kdc-ldap from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | MIT Kerberos key server (KDC) LDAP plugin | https://web.mit.edu/kerberos/
- Debian apt - krb5-kpropd - 1.21.3-5: normalized package name match | Debian stable package indexes: krb5-kpropd from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | MIT Kerberos key server (Slave KDC Support) | https://web.mit.edu/kerberos/
- Debian apt - krb5-locales - 1.21.3-5: normalized package name match | Debian stable package indexes: krb5-locales from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | internationalization support for MIT Kerberos | https://web.mit.edu/kerberos/
- Debian apt - krb5-multidev - 1.21.3-5: normalized package name match | Debian stable package indexes: krb5-multidev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | development files for MIT Kerberos without Heimdal conflict | https://web.mit.edu/kerberos/
- Debian apt - krb5-otp - 1.21.3-5: normalized package name match | Debian stable package indexes: krb5-otp from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | OTP plugin for MIT Kerberos | https://web.mit.edu/kerberos/
- Debian apt - krb5-pkinit - 1.21.3-5: normalized package name match | Debian stable package indexes: krb5-pkinit from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | PKINIT plugin for MIT Kerberos | https://web.mit.edu/kerberos/
- Debian apt - krb5-user - 1.21.3-5: normalized package name match | Debian stable package indexes: krb5-user from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | basic programs to authenticate using MIT Kerberos | https://web.mit.edu/kerberos/
- Debian apt - libgssapi-krb5-2 - 1.21.3-5: normalized package name match | Debian stable package indexes: libgssapi-krb5-2 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | MIT Kerberos runtime libraries - krb5 GSS-API Mechanism | https://web.mit.edu/kerberos/
- Debian apt - libgssrpc4t64 - 1.21.3-5: normalized package name match | Debian stable package indexes: libgssrpc4t64 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | MIT Kerberos runtime libraries - GSS enabled ONCRPC | https://web.mit.edu/kerberos/
- Debian apt - libk5crypto3 - 1.21.3-5: normalized package name match | Debian stable package indexes: libk5crypto3 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | MIT Kerberos runtime libraries - Crypto Library | https://web.mit.edu/kerberos/
- Debian apt - libkadm5clnt-mit12 - 1.21.3-5: normalized package name match | Debian stable package indexes: libkadm5clnt-mit12 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | MIT Kerberos runtime libraries - Administration Clients | https://web.mit.edu/kerberos/


## Related links

- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [cyrus-sasl](https://www.automicvault.com/pkg/brew/cyrus-sasl/) - Popular package that depends on this formula.
- [libpq](https://www.automicvault.com/pkg/brew/libpq/) - Popular package that depends on this formula.
- [msktutil](https://www.automicvault.com/pkg/brew/msktutil/) - Popular package that depends on this formula.
- [php@8.1](https://www.automicvault.com/pkg/brew/php-8-1/) - Popular package that depends on this formula.
- [php@8.2](https://www.automicvault.com/pkg/brew/php-8-2/) - Popular package that depends on this formula.
- [heimdal](https://www.automicvault.com/pkg/brew/heimdal/) - Shares av.db curated category or tags: authentication, cli, kerberos, security.
- [kstart](https://www.automicvault.com/pkg/brew/kstart/) - Shares av.db curated category or tags: authentication, cli, kerberos, security.
- [google-authenticator-libpam](https://www.automicvault.com/pkg/brew/google-authenticator-libpam/) - Shares av.db curated category or tags: authentication, cli, security.
- [linux-pam](https://www.automicvault.com/pkg/brew/linux-pam/) - Shares av.db curated category or tags: authentication, cli, security.
- [oath-toolkit](https://www.automicvault.com/pkg/brew/oath-toolkit/) - Shares av.db curated category or tags: authentication, cli, security.
- [oauth2_proxy](https://www.automicvault.com/pkg/brew/oauth2-proxy/) - Shares av.db curated category or tags: authentication, cli, security.
- [libu2f-server](https://www.automicvault.com/pkg/brew/libu2f-server/) - Security-sensitive metadata or terminology overlaps. Shared terms: authentication, cli, openssl, openssl-3, protocol.

## Combined YAML source

View the package source record on GitHub. [combined/krb5.yml](https://github.com/automic-vault/db/blob/main/combined/krb5.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
