• doc»

If you want kerberized logins on a server you run, you'll need a keytab from accounts. Fill out the keytab request form, which sends them an e-mail. Ask for a "keytab"; by default they'll give you a srvtab, the Kerberos 4 analogue.

Your new keytab will be in /mit/accounts/srvtabs/FOR_YOURUSERNAME, which is AFS and vaguely insecure. You probably want to install it in /etc/krb5.keytab, and then randomize the key.

# mv -f /etc/krb5.keytab /etc/krb5.keytab.old  # back up any keytab you already have
# mv /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-keytab /etc/krb5.keytab
# k5srvutil change

Then make sure your /etc/ssh/sshd_config file includes the lines

GSSAPIAuthentication yes
GSSAPIKeyExchange yes

This will let you SSH in with Kerberos.

Then create a file called .k5login in the home directory of whichever users you want to be able log into with Kerberos. List the full Kerberos principal of each user, one per line (e.g., joeuser@ATHENA.MIT.EDU)

Dealing with srvtabs

If you don't specifically mention a "keytab" in your request to Accounts, they may give you the Kerberos 4 equivalent, a srvtab.

In this case you'll want to convert the srvtab to a keytab, like so.

$ ktutil
ktutil: rst /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-srvtab
ktutil: wkt /etc/krb5.keytab
ktutil: q