Skip to content Skip to site navigation Skip to service navigation

Installing Kerberos on Debian

Debian GNU/Linux and Ubuntu are very similar and share almost all of their packages. Installation of Kerberos on either system is therefore essentially the same. Both Linux distributions come with a complete set of Kerberos packages and with configuration for Stanford's Kerberos realm which is sufficient for most uses.

Clients and basic configuration

For a basic Kerberos install on Debian or Ubuntu, run:

    aptitude install krb5-user

This will install the basic kinit, klist, kdestroy, and kpasswd clients. It will also automatically install a Kerberos configuration. When prompted for your local realm, enter "" (without the quotes) in all lowercase. You should not have to enter any additional information about the Stanford realm, since our realm information is already present in the configuration files that ship with Debian and Ubuntu. However, you may still want to download the sitewide version of /etc/krb5.conf and replace the system version with it since it contains some additional realm mappings that are sometimes helpful.

If you are using AFS on this system, also run:

    aptitude install openafs-krb5

When prompted for your local cell, enter to install the aklog program, which obtains AFS tokens from Kerberos tickets. For more information about installing AFS on Debian or Ubuntu, install the openafs-client package and look in /usr/share/doc/openafs-client/README.Debian.gz.

The SSH client in Debian or Ubuntu (in the openssh-client package) supports and enables GSSAPI authentication without any special configuration.

Remote logins

First, before enabling remote logins with Kerberos, you should make sure that all accounts on your system with logins enabled either match the SUNet IDs of those users or contain a .k5login file (which should be empty if Kerberos logins aren't permitted for that account). By default, the servers that accept Kerberos logins will allow a user to log in to an account if their Kerberos principal matches the account name. The presence of a .k5login file overrides this logic and only principals listed in that file will be permitted to log in to that account.

See UNIX Kerberos Commands in the user guide for more information on creating a .k5login file. If the account names on your system generally do not match SUNet IDs, you may wish to create an empty /etc/skel/.k5login file, which will be copied to the home directory of any new account you create.

To authenticate connections to your system using Kerberos, the system needs its own Kerberos service principal and a keytab for that principal. The service principal is an account in Kerberos, similar to a SUNet ID but for a service instead of a person. The keytab is, in essence, the password for that account stored in a file on your system. For information on how to obtain a service principal, see Downloading Keytabs with Wallet.

The SSH server in Debian or Ubuntu (in the openssh-server package) includes GSSAPI support, but that support is disabled by default. To enable it, add:

    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPICleanupCredentials yes

to /etc/ssh/sshd_config. You can ignore the Kerberos* options; those are for an older version of Kerberos support that's not recommended or particularly useful. After modifying this file, restart sshd with /etc/init.d/sshd restart.

This only adds Kerberos support for users who have a Kerberos-aware SSH client. To allow users to log in with a username and password but check that password against Kerberos and use it to acquire Kerberos tickets, enable PAM support in sshd (UsePAM in /etc/ssh/sshd_config) and see the next section.

If you want to allow Kerberos rlogin, rsh, and rcp connections, run:

    aptitude install krb5-rsh-server

This will install the necessary programs and add the Kerberos rlogin and rsh services to /etc/inetd.conf.

Local logins

Logins with a username and password, which includes console logins, login managers such as gdm or kdm, SSH with a username and password, and screen lock programs, use PAM to verify that password and to obtain user credentials such as Kerberos tickets. Therefore, enabling use of Kerberos passwords for local login means adding a Kerberos PAM module to your PAM configuration.

First, install the Kerberos PAM module with:

    aptitude install libpam-krb5

Then, read /usr/share/doc/libpam-krb5/README.Debian, which explains how to configure your system to use this module. You may also want to read the pam_krb5 man page.

Last modified April 12, 2023