--- /dev/null
+If you want kerberized logins on a server you run, you'll need a '''keytab''' from accounts. Send them an e-mail like "I want a host keytab for [some server you own]" or fill out the [http://web.mit.edu/accounts/www/srvtabform.html keytab request form] which sends them an e-mail.
+
+They'll probably give you a srvtab, unless you specifically ask for a keytab. A srvtab is Kerberos 4 and a keytab is Kerberos 5; you probably have no use for a srvtab. It will be in {{{/mit/accounts/srvtabs/FOR_YOURUSERNAME}}}, which is AFS and vaguely insecure, so you should randomize the key before you use it.
+
+You probably want to install it in {{{/etc/krb5.keytab}}}. (back up this file before proceeding if you already have one)
+
+First, read the srvtab and write it out as a keytab:
+{{{
+$ ktutil
+ktutil: rst /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-srvtab
+ktutil: wkt /etc/krb5.keytab
+ktutil: q
+}}}
+
+Then randomize the key:
+{{{
+$ k5srvutil change
+}}}
+
+Then make sure your {{{/etc/ssh/sshd_config}}} file includes the line {{{GSSAPIAuthentication yes}}}. This will let you SSH in with Kerberos.
+
+Then create a file called {{{.k5login}}} in the home directory of whichever users you want to be able log into with Kerberos. List the full KerberosPrincipal of each user, one per line (e.g., {{{joeuser@ATHENA.MIT.EDU}}})
\ No newline at end of file