
Stanford Kerberos Authentication with Ubuntu

Kerberos Authentication with Ubuntu

This howto is for Stanford System Administrators. It allows users with SUnet IDs as well as local user accounts to log into Stanford University hosted Ubuntu servers.

  • Tested with Ubuntu Server 9.04. This does not work for 9.10 due to the package libkrb53 becoming obsolete.
  • Instructions from
  • If you skip those instructions, do the following.
  • Create the file /etc/krb5.conf. I pasted the file below, but it can also be found on the Leland servers.

# /etc/krb5.conf -- Kerberos V5 general configuration.
# $Id: krb5.conf 12503 2009-01-10 13:55:13Z rra $
# This is the standard Kerberos v5 configuration file for all of our
# servers. It is based on the Stanford-wide configuration, the canonical
# version of which is in /usr/pubsw/etc/krb5.conf.
# This configuration allows any enctypes. Some systems with really old
# Kerberos software may have to limit to triple-DES and DES.

default_lifetime = 25hrs
krb4_get_tickets = false
krb4_convert = false
krb4_convert_524 = false
krb5_get_tickets = true
krb5_get_forwardable = true

.... "removed for security reasons. Log into a Leland server and look for the file listed under /etc/krb5.conf"

admin_server = SYSLOG:NOTICE

  • sudo apt-get install krb5-user krb5-clients
  • If it asks you to configure it, click cancel.
  • Now it is time to test Kerberos.
    • Type kinit SUnetID. Enter your SUnet password when prompted.
    • Type klist and check that your ticket is listed.
  • Creating a keytab
    • If there is an error with wallet-client: Depends: libremctl1 (>= 2.10)
    • Use aptitude and not apt-get
    • After you create the keytab, type wallet -f get keytab host/, then move it and rename it to /etc/krb5.keytab. It should only have 600 permissions.
    • Type chmod 600 /etc/krb5.keytab
  • Test that Kerberos is working again before moving to the PAM configurations


Edit /etc/ssh/sshd_config and add

GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes

  • Also check if the line UsePAM yes is listed under /etc/ssh/sshd_config
  • Edit these files under /etc/pam.d/


account sufficient
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]
account required


auth sufficient try_first_pass nullok_secure
auth [success=ok default=die] use_first_pass forwardable


auth sufficient /lib/security/ use_first_pass


password required nullok obscure min=4 max=8 md5


session optional
session required


  • Check /var/log/auth.log for errors
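A quick way to confirm the sshd_config lines and the keytab permissions from the steps above before testing logins. This is an added example, not part of the original howto: the function names are made up here, only the global section of sshd_config (before any Match block) is read, and a keyword missing from the file is reported as a failure even if sshd would default it.

```shell
#!/bin/sh
# Added example: verify the sshd_config and keytab steps of this howto.

# Print the effective global value of an sshd_config keyword (lower-cased).
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and "Keyword value" and "Keyword=value" are both accepted.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -F'[ \t=]+' -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, "") }              # drop leading whitespace
        /^#/ || NF == 0 { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Check the four settings this howto relies on; returns the number that fail.
check_sshd() {  # usage: check_sshd FILE
    fails=0
    for kw in GSSAPIAuthentication GSSAPIKeyExchange \
              GSSAPICleanupCredentials UsePAM; do
        val=$(sshd_value "$1" "$kw")
        if [ "$val" = yes ]; then
            echo "ok    $kw yes"
        else
            echo "FAIL  $kw is '${val:-unset}', expected yes"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Succeeds only if FILE exists and its mode is exactly 600.
check_keytab() {  # usage: check_keytab FILE
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 600)" ]
}

# Run when given both paths, e.g.:
#   sh check.sh /etc/ssh/sshd_config /etc/krb5.keytab
if [ "$#" -eq 2 ]; then
    check_sshd "$1"
    if check_keytab "$2"; then
        echo "ok    $2 mode 600"
    else
        echo "FAIL  $2 missing or not mode 600"
    fi
fi
```

A setting that appears only inside a Match block, or after an earlier conflicting line, shows up as a failure because sshd would not apply it globally.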