Krb5-auth-dialog is a tray applet for the GNOME Desktop that monitors Kerberos tickets.


  • It can alert the user via notifications when the ticket is about to expire.
  • Tickets can be acquired by clicking on the tray icon.
  • If the notification daemon supports persistence (like in GNOME 3) the tray icon can be avoided and resident notifications are used.
  • Current tickets in the credential cache can be listed.
  • It can be extended using plugins. This can be used to extend krb5-auth-dialog to e.g. handle things like kx509.
  • These plugins are currently available:
    • afs: a plugin to acquire AFS tickets
    • dummy: a sample plugin printing to the console
    • pam: a plugin invoking the pam stack
  • A DBus API for applications to acquire a Kerberos ticket and to remove the credentials cache is provided.
  • DBus signals notify applications about acquired, renewed and expired tickets.
  • It supports PKinit (e.g. via SmartCard) when built against Heimdal.

Source Code

The source code is available and browseable via GNOMEs GIT:

git clone git://


Releases are availale from The current stable release is 3.8.0.

Debian Packages

Debian packges are available from


The tray icon can be seen here and here. Below are pictures of the password and preferences dialogs:

password dialog preferences dialog

The notifications under GNOME 3 look like this:

valid ticket notification expired ticket notification


There are currently three plugins available:

  • afs - call aklog or afslog to aquire AFS tickets
  • pam - invoke PAM modules
  • dummy - example plugin

These plugins can be activated using a key in GSettings


  • There's a DBus API to acquire Kerberos ticktes. See the examples. virt-manager is using this and here's a patch for offlineimap.
  • DBus signals notify about acquired, renewed or expired tickets. This can be used to e.g. run aklog via this example.


  • Add gnome keyring support (567701)
  • Remove all wakeups, rely on our gio watch of the ticket cache
  • Add cache version, etc. to ticket dialog
  • Add fast principal switching
  • Make more applications use the DBUS API to make Kerberos a smooth experience on the desktop:
    • libsoup - used by nautilus and evolution for calendars
    • Thunderbird
    • Evolution IMAP and SMTP
    • ssh client

GNOME 3 Readiness

  • krb5-auth-dialog uses persistent notifications instead of a tray icon
  • Settings were moved from a stand alone dialog into the gnome-control-center panel


Status of current Gnome goals in krb5-auth-dialog:


krb5-auth-dialog was originally written by Christopher Aillon and is now maintained by Guido G√ľnther <>.


Please file bug reports via GNOME's bugzilla.


krb5-auth-dialog is free software and licensed under the GPL Version 2.