[[!meta title="Enabling Kerberos logins for your server"]] If you want kerberized logins on a server you run, you'll need a *keytab* from accounts. Fill out the [keytab request form](http://web.mit.edu/accounts/www/srvtabform.html), which sends them an e-mail. Ask for a "keytab"; by default they'll give you a srvtab, the Kerberos 4 analogue. Your new keytab will be in `/mit/accounts/srvtabs/FOR_YOURUSERNAME`, which is AFS and vaguely insecure. You probably want to install it in `/etc/krb5.keytab`, and then randomize the key. # mv -f /etc/krb5.keytab /etc/krb5.keytab.old # back up any keytab you already have # mv /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-keytab /etc/krb5.keytab # k5srvutil change Then make sure your `/etc/ssh/sshd_config` file includes the lines GSSAPIAuthentication yes GSSAPIKeyExchange yes This will let you SSH in with Kerberos. Then create a file called `.k5login` in the home directory of whichever users you want to be able log into with Kerberos. List the full Kerberos principal of each user, one per line (e.g., `joeuser@ATHENA.MIT.EDU`) ## Dealing with srvtabs If you don't specifically mention a "keytab" in your request to Accounts, they may give you the Kerberos 4 equivalent, a srvtab. In this case you'll want to convert the srvtab to a keytab, like so. $ ktutil ktutil: rst /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-srvtab ktutil: wkt /etc/krb5.keytab ktutil: q