
Kerberos Authentication with Ubuntu
This howto is for Stanford system administrators. It describes how to configure Stanford-hosted Ubuntu servers so that users with SUNet IDs, as well as users with local accounts, can log in.
# /etc/krb5.conf -- Kerberos V5 general configuration.
# $Id: krb5.conf 12503 2009-01-10 13:55:13Z rra $
#
# This is the standard Kerberos v5 configuration file for all of our
# servers. It is based on the Stanford-wide configuration, the canonical
# version of which is in /usr/pubsw/etc/krb5.conf.
#
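# This configuration allows any enctypes. Some systems with really old
# Kerberos software may have to limit to triple-DES and DES.
# NOTE(review): DES and triple-DES are deprecated for Kerberos (RFC 6649,
# RFC 8429). Where the Kerberos software is current, prefer restricting
# enctypes to AES rather than allowing any, and limit to triple-DES/DES only
# on hosts that cannot be upgraded.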
# Defaults read by Kerberos-aware applications. Which applications honour
# each key is not shown on this page -- confirm against the consuming
# application's documentation.
[appdefaults]
# Ticket lifetime applications request (25 hours). The KDC may issue a
# shorter lifetime than the one requested.
default_lifetime = 25hrs
# Kerberos 4 is switched off: no K4 tickets are obtained and K5 tickets are
# not converted to K4 (including via the 524 service).
krb4_get_tickets = false
krb4_convert = false
krb4_convert_524 = false
# Obtain Kerberos 5 tickets at login.
krb5_get_tickets = true
# Request forwardable tickets. NOTE(review): a forwardable TGT can be passed
# on to other hosts and is usable there for its whole lifetime, so forward
# credentials only to hosts whose administrators are trusted.
krb5_get_forwardable = true
# ... The rest of this file has been removed for security reasons. Log into a Leland server and look at /etc/krb5.conf there for the full file.
# Log destinations, all sent to syslog at severity NOTICE.
[logging]
# The kdc and admin_server entries apply to the KDC and the admin server
# daemons; they have no effect on a host that runs neither.
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
# Everything not covered by a more specific entry.
default = SYSLOG:NOTICE
PAM
Edit /etc/ssh/sshd_config and add the following lines:
# Accept GSSAPI (Kerberos) user authentication, so a client that already
# holds a valid ticket can log in without typing a password. The server
# needs a host keytab for this; that step is not shown on this page.
GSSAPIAuthentication yes
# Allow GSSAPI key exchange. This directive comes from the GSSAPI
# key-exchange patch carried in Debian/Ubuntu's OpenSSH; an sshd built
# from unpatched upstream sources does not recognise it.
GSSAPIKeyExchange yes
# Destroy the user's credential cache at logout so that forwarded tickets
# do not linger on the server.
GSSAPICleanupCredentials yes
common-account
# Account stack: decides whether an already-authenticated user may log in.
# NOTE(review): "sufficient" ends the stack as soon as pam_unix succeeds, so
# pam_ldap and pam_krb5 below are not consulted for accounts that pass the
# local check. Confirm that is intended for accounts known both locally and
# to Kerberos.
account sufficient pam_unix.so
# Bracketed control: success counts as ok; an unknown user or a
# service/system error is ignored (e.g. LDAP unreachable); any other result
# marks the stack as failed.
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
# Must not fail for any account that falls through to this point.
account required pam_krb5.so
common-auth
# Auth stack: the local password database is tried first; a match ends the
# stack without contacting the KDC.
# nullok_secure (Debian/Ubuntu pam_unix) accepts an empty password, but only
# on terminals listed in /etc/securetty.
# NOTE(review): verify that no local account has an empty password.
auth sufficient pam_unix.so try_first_pass nullok_secure
# Kerberos check using the password already typed (use_first_pass, so the
# user is not prompted again). Any result other than success aborts the
# stack immediately (default=die). "forwardable" requests forwardable
# tickets.
auth [success=ok default=die] pam_krb5.so use_first_pass forwardable
common-krb5
# Kerberos-only auth line: success is enough to authenticate, reusing the
# password already typed. The page does not show which service file
# includes common-krb5.
# NOTE(review): this line hard-codes /lib/security/, while the other
# snippets name the module without a path; on systems that install PAM
# modules elsewhere the absolute path will not resolve.
auth sufficient /lib/security/pam_krb5.so use_first_pass
common-password
# Password-change stack for local accounts only; no pam_krb5 line is shown
# here, so changing a Kerberos password is not handled by this stack.
# NOTE(review): this is a weak local password policy.
#   md5    - new passwords are stored as MD5-crypt hashes; current pam_unix
#            supports stronger schemes such as sha512.
#   min=4  - four-character passwords are accepted.
#   max=8  - presumably caps the password length at eight characters on the
#            pam_unix of this era; confirm how your version treats it.
#   nullok - accounts with an empty password may set a new one.
# Review these options before reusing this line on a current system.
password required pam_unix.so nullok obscure min=4 max=8 md5
common-session
# Session stack. "optional" means a pam_krb5 session failure does not block
# the login. Presumably this is where the ticket cache is cleaned up at
# logout; confirm against your pam_krb5 version.
session optional pam_krb5.so
# Standard Unix session handling; must succeed.
session required pam_unix.so
Troubleshoot