Kerberos Authentication with Ubuntu
This howto is for Stanford System Administrators. It allows users with SUnet IDs as well as local user accounts to log into Stanford University hosted Ubuntu servers.
# /etc/krb5.conf -- Kerberos V5 general configuration.
# $Id: krb5.conf 12503 2009-01-10 13:55:13Z rra $
# This is the standard Kerberos v5 configuration file for all of our
# servers. It is based on the Stanford-wide configuration, the canonical
# version of which is in /usr/pubsw/etc/krb5.conf.
# This configuration allows any enctypes. Some systems with really old
# Kerberos software may have to limit to triple-DES and DES.
# NOTE(review): single-DES, triple-DES and RC4 enctypes have since been
# deprecated for Kerberos (RFC 6649, RFC 8429). "Allows any enctypes" means
# the effective set is whatever the installed Kerberos library and the KDC
# agree on; on a current system, check that weak enctypes are not re-enabled
# (for example via permitted_enctypes or allow_weak_crypto in [libdefaults]).
#
# NOTE(review): no [section] headers are visible in this excerpt. krb5.conf
# needs them, so the keys below cannot be pasted as-is. Take the section
# layout from the canonical file named above.

# Default ticket lifetime requested for users (25 hours).
default_lifetime = 25hrs
# Kerberos v4 ticket acquisition and v5-to-v4 conversion are switched off.
krb4_get_tickets = false
krb4_convert = false
krb4_convert_524 = false
# Obtain Kerberos v5 tickets.
krb5_get_tickets = true
# Tickets are requested as forwardable. A forwardable ticket can be passed on
# to hosts the user later connects to and stays usable there until it expires,
# so every host that accepts forwarded tickets must be trusted for that time.
krb5_get_forwardable = true
# NOTE(review): the next line is the page author's placeholder for settings
# that were deliberately left out (presumably the site's realm and KDC
# definitions -- confirm against the canonical file). It is not valid
# krb5.conf syntax and must be replaced before this file is used.
.... "removed for security reasons. Log into a Leland server and look for the file listed under /etc/krb5.conf"
# Logging destinations: each entry sends messages to syslog at NOTICE
# severity. These keys normally sit under a [logging] header, which is not
# shown here.
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
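Edit /etc/ssh/sshd_config and add the required settings (the sshd_config lines themselves appear to be missing from this copy of the page). The lines that follow are PAM stack entries (account, auth, password, session), not sshd_config directives; PAM reads them from the files under /etc/pam.d/, and sshd will not accept them in sshd_config.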
# PAM stack entries for combined local + Kerberos logins.
# NOTE(review): the page does not say which file each group goes in. On
# Ubuntu the four module types are usually split across
# /etc/pam.d/common-account, common-auth, common-password and common-session;
# confirm before editing. Order within each type matters: PAM evaluates the
# entries top to bottom. Keep a root shell open while testing changes so a
# mistake cannot lock you out.

# --- account ---
# Local accounts: if pam_unix accepts the account, the account check ends
# here with success and the modules below are not consulted.
account sufficient pam_unix.so
# LDAP account lookup: success continues; an unknown user or an LDAP
# service/system error is ignored; any other result marks the stack failed.
# NOTE(review): pam_ldap is not mentioned anywhere else on this page --
# confirm it is installed and configured, or this entry has no effect.
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
# Non-local accounts must pass the Kerberos account check.
account required pam_krb5.so

# --- auth ---
# Local password first; success ends authentication immediately.
# nullok_secure (Debian/Ubuntu pam_unix option) lets an account with an EMPTY
# password log in on terminals listed in /etc/securetty. Make sure no local
# account has an empty password, or drop the option if it is not needed.
auth sufficient pam_unix.so try_first_pass nullok_secure
# Kerberos with the password already typed (use_first_pass), requesting a
# forwardable ticket. default=die: any result other than success aborts the
# stack with failure at once.
auth [success=ok default=die] pam_krb5.so use_first_pass forwardable
# Second pam_krb5 call, by absolute path, reached only when the entry above
# succeeded. NOTE(review): this looks redundant and may come from a different
# variant of the configuration -- confirm whether both lines are intended.
auth sufficient /lib/security/pam_krb5.so use_first_pass

# --- password ---
# Applies to LOCAL password changes only (no pam_krb5 entry is shown for this
# type). NOTE(review): these settings are weak by current standards: md5
# selects MD5-based password hashes, min=4 accepts four-character passwords,
# and nullok permits accounts whose password is empty. Where the installed
# pam_unix supports it, prefer a stronger hash (e.g. sha512) and a longer
# minimum length, and remove nullok unless empty passwords are required.
password required pam_unix.so nullok obscure min=4 max=8 md5

# --- session ---
# Kerberos session handling is optional, so a failure here does not block
# the login; the standard Unix session module is mandatory.
session optional pam_krb5.so
session required pam_unix.so