-If you want kerberized logins on a server you run, you'll need a '''keytab''' from accounts. Send them an e-mail like "I want a host keytab for [some server you own]" or fill out the [http://web.mit.edu/accounts/www/srvtabform.html keytab request form] which sends them an e-mail.
+If you want kerberized logins on a server you run, you'll need a '''keytab''' from accounts. Fill out the [http://web.mit.edu/accounts/www/srvtabform.html keytab request form], which sends them an e-mail.
They'll probably give you a srvtab, unless you specifically ask for a keytab. A srvtab is Kerberos 4 and a keytab is Kerberos 5; you probably have no use for a srvtab. It will be in {{{/mit/accounts/srvtabs/FOR_YOURUSERNAME}}}, which is AFS and vaguely insecure, so you should randomize the key before you use it.
$ k5srvutil change
}}}
-Then make sure your {{{/etc/ssh/sshd_config}}} file includes the line {{{GSSAPIAuthentication yes}}}. This will let you SSH in with Kerberos.
+Then make sure your {{{/etc/ssh/sshd_config}}} file includes the lines
+
+{{{
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+}}}
+
+This will let you SSH in with Kerberos.
Then create a file called {{{.k5login}}} in the home directory of whichever users you want to be able log into with Kerberos. List the full KerberosPrincipal of each user, one per line (e.g., {{{joeuser@ATHENA.MIT.EDU}}})
\ No newline at end of file