Configuring Ssh For Kerberos Authentication - Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006 Installation Manual

The pam_unix2 module also supports Kerberos authentication and password update.
To enable Kerberos support in pam_unix2, edit the file /etc/security/pam_unix2.conf
so it contains the following lines:
auth:     use_krb5 nullok
account:  use_krb5
password: use_krb5 nullok
session:  none
After that, all programs evaluating the entries in this file use Kerberos for user
authentication. For a user that does not have a Kerberos principal, pam_unix2 falls back on
the normal password authentication mechanism. For those users who have a principal,
it should now be possible to change their Kerberos passwords transparently using the
passwd command.
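
An added example, not part of the Novell manual: a shell check that reads a pam_unix2.conf-style file, reports any of auth, account or password that lacks use_krb5, and lists where nullok (which relaxes the handling of accounts with an empty password) is set so it can be reviewed. The function names and the sample file are constructed for illustration; treating a repeated type as last-one-wins is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the manual): audit a pam_unix2.conf-style file.

# Print the options set for one module type (auth, account, password,
# session). Comments and blank lines are ignored; whitespace is normalised.
pam_unix2_opts() {   # usage: pam_unix2_opts FILE TYPE
    awk -v want="$2" '
        { sub(/#.*/, "") }                        # strip comments
        { i = index($0, ":"); if (i == 0) next }  # need "type: options"
        {
            key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
            if (key != want) next
            val = substr($0, i + 1)
            gsub(/[ \t]+/, " ", val); gsub(/^ | $/, "", val)
            found = val   # assumption: a repeated type is reported last-wins
        }
        END { print found }
    ' "$1"
}

# Report types lacking use_krb5 and types that set nullok.
# Returns 0 when auth, account and password all use Kerberos, else 1.
audit_pam_unix2() {  # usage: audit_pam_unix2 FILE
    rc=0
    for t in auth account password; do
        opts=" $(pam_unix2_opts "$1" "$t") "
        case "$opts" in
            *" use_krb5 "*) ;;
            *) echo "MISSING use_krb5: $t"; rc=1 ;;
        esac
        case "$opts" in
            *" nullok "*) echo "REVIEW nullok: $t" ;;
        esac
    done
    return "$rc"
}

# Constructed sample: "account" was left without Kerberos support.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed test input
auth:     use_krb5 nullok
account:
password: use_krb5 nullok   # trailing comment is ignored
session:  none
EOF
audit_pam_unix2 "$sample" || echo "result: not fully Kerberos-enabled"
rm -f "$sample"
```
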
To make fine adjustments to the way in which pam_krb5 is used, edit the file
/etc/krb5.conf and add default applications to pam. For details, refer to the manual page
with man 5 pam_krb5.
The pam_krb5 module was specifically not designed for network services that accept
Kerberos tickets as part of user authentication. This is an entirely different matter, which
is discussed below.
47.10 Configuring SSH for Kerberos Authentication
OpenSSH supports Kerberos authentication in both protocol version 1 and 2. In
version 1, there are special protocol messages to transmit Kerberos tickets. Version 2 does
not use Kerberos directly anymore, but relies on GSSAPI, the General Security Services
API. This is a programming interface that is not specific to Kerberos—it was designed
to hide the peculiarities of the underlying authentication system, be it Kerberos, a
public-key authentication system like SPKM, or others. The GSSAPI library included supports
only Kerberos, however.
To use sshd with Kerberos authentication, edit /etc/ssh/sshd_config and set
the following options:
# These are for protocol version 1
#
# KerberosAuthentication yes