[[!meta title="Enabling Kerberos logins for your server"]]

If you want kerberized logins on a server you run, you'll need a
*keytab* from Accounts. Fill out the
[keytab request form](http://web.mit.edu/accounts/www/srvtabform.html),
which sends them an e-mail. Ask for a "keytab"; by default they'll
give you a srvtab, the Kerberos 4 analogue.

Your new keytab will be in
`/mit/accounts/srvtabs/FOR_YOURUSERNAME`, which is AFS and vaguely
insecure. You probably want to install it in `/etc/krb5.keytab`,
and then randomize the key.

    # mv -f /etc/krb5.keytab /etc/krb5.keytab.old # back up any keytab you already have
    # mv /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-keytab /etc/krb5.keytab

If you're using Debathena, you can install the `debathena-ssh-server-config` package to configure Kerberos authentication on the server side. If not, make sure your `/etc/ssh/sshd_config` file includes the lines

    GSSAPIAuthentication yes

This will let you SSH in with Kerberos.

Then create a file called `.k5login` in the home directory of
whichever users you want to be able to log in with Kerberos. List the
full Kerberos principal of each user, one per line (e.g.,
`joeuser@ATHENA.MIT.EDU`).
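
A quick way to confirm that the three files from the steps above are in a sane state, as an added example that is not part of the original page. The function names are made up for this example, file paths are passed as arguments, and the `sshd_config` check is a simplification that ignores `Match` blocks and the `keyword=value` form.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the keytab,
# sshd_config and .k5login described above. Function names are hypothetical.

# Succeeds only if the file exists and grants nothing to group or other.
# A keytab holds the host's long-term key, so it should be mode 0600.
no_group_other_access() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if the first global GSSAPIAuthentication line says "yes".
# sshd keeps the first value it reads for a keyword. Simplification:
# Match blocks are not evaluated, so parsing stops at the first one.
sshd_gssapi_enabled() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "gssapiauthentication" { v = tolower($2); exit }
         END { exit ((v == "yes") ? 0 : 1) }' "$1"
}

# Succeeds if every non-blank line is a full principal (name@REALM) and
# the file is not writable by group or other. Prints offending lines.
k5login_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1" | cut -c6,9)" in *w*) return 1 ;; esac
    bad=$(grep -v '^[[:space:]]*$' "$1" |
          grep -Ev '^[^@[:space:]]+@[^@[:space:]]+$' || true)
    [ -z "$bad" ] || { printf 'not a full principal: %s\n' "$bad"; return 1; }
}

# Usage: sh check.sh KEYTAB SSHD_CONFIG K5LOGIN
if [ "$#" -eq 3 ]; then
    no_group_other_access "$1" || echo "WARN: $1 missing or open to group/other"
    sshd_gssapi_enabled "$2" || echo "WARN: GSSAPIAuthentication not enabled in $2"
    k5login_ok "$3" || echo "WARN: $3 missing, loosely writable or malformed"
fi
```

On a live host, `sshd -T` prints the effective server configuration and `klist -k /etc/krb5.keytab` lists the principals stored in the keytab.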

## Dealing with srvtabs

If you don't specifically mention a "keytab" in your request to
Accounts, they may give you the Kerberos 4 equivalent, a srvtab.

In this case you'll want to convert the srvtab to a keytab, like so.

    ktutil: rst /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-srvtab
    ktutil: wkt /etc/krb5.keytab