[[!meta title="Enabling Kerberos logins for your server"]] If you want kerberized logins on a server you run, you'll need a *keytab* from accounts. Fill out the [keytab request form](http://web.mit.edu/accounts/www/srvtabform.html), which sends them an e-mail. Your new keytab will be in `/mit/accounts/srvtabs/FOR_YOURUSERNAME`, which is AFS and vaguely insecure. You probably want to install it in `/etc/krb5.keytab`, and then set a new (random) key. # mv -f /etc/krb5.keytab /etc/krb5.keytab.old # back up any keytab you already have # mv /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-keytab /etc/krb5.keytab # k5srvutil change # k5srvutil delold If you're using Debathena, you can install the `debathena-ssh-server-config` package to configure Kerberos authentication on the server side. If not, make sure your `/etc/ssh/sshd_config` file includes the lines GSSAPIAuthentication yes GSSAPIKeyExchange yes This will let you SSH in with Kerberos. Then create a file called `.k5login` in the home directory of whichever users you want to be able to log into with Kerberos. List the full Kerberos principal of each user, one per line (e.g., `joeuser@ATHENA.MIT.EDU`) If you don't want it to be possible to log in to a user account via Kerberos, create an empty `.k5login` file in their home directory. Otherwise, by default, you can log in to a user account with a Kerberos principal from the default realm (ATHENA, presumably) whose username matches; that is to say, an Athena user whose username matches a local username can log in to that local account. (One option to avoid this is to create a `.k5login` file in `/etc/skel` so that new accounts you later add get this file by default.)