PAM Kerberos

The pam_krb5 module

© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later


    1. Introduction
    2. PAM configuration
    3. Test


Introduction

First we are going to enable PAM. This has nothing to do with single sign-on; it just tells the system to look in the Kerberos database to find passwords. So this is "normal" authentication, only against a different database. We use the pam_krb5 module to integrate Kerberos with PAM. For now we assume that you still keep passwords in your LDAP tree, which means we also need to support pam_ldap. The following configuration makes it possible to set a Kerberos password and simultaneously keep supporting the LDAP password. If that is not what you want, remove the userPassword attribute from LDAP or remove the pam_ldap lines from the PAM configuration.

After installing the pam_krb5 module (libpam-krb5 on Debian based systems), add the following lines to the /etc/krb5.conf file:

    [appdefaults]
    pam = {
        debug = false
        minimum_uid = 500
        ignore_k5login = true
    }
This section configures the pam_krb5 module; the pam = { } block belongs in the [appdefaults] section of krb5.conf. On Debian based systems replace 500 with 1000.

PAM configuration

Red Hat based systems before version 6 had a single global configuration file in the /etc/pam.d directory called system-auth; since version 6 there is also a password-auth file. Both files have a corresponding -ac file (system-auth-ac and password-auth-ac).

Debian uses separate files for the auth, session, account, and password sections, each named with the common- prefix (common-auth, common-session, common-account, common-password).

You have to figure out what is needed for your distribution, but the end result should look more or less like the following snippets. I skipped all other modules and only concentrated on, and

NOTE: On Debian based systems replace 500 with 1000.

auth        sufficient  nullok
auth        sufficient  use_first_pass
auth        sufficient  use_first_pass pam_min_uid=500
account     required    broken_shadow
account     sufficient
account     [default=bad success=ok user_unknown=ignore]
session     required
session     optional
session     optional    pam_min_uid=500
password    sufficient  md5 shadow nullok try_first_pass use_authtok
password    sufficient  use_authtok
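The control flags in the snippet above decide which database gets the final word. The following Python script is an added example, not part of the original page: it implements Linux-PAM's stacking rules (the keyword controls expanded to their bracketed form as documented in pam.conf(5)) and walks the auth and account stacks with hand-fed module results. The module name on each line of the embedded stack is my assumption (pam_unix.so for the local-password lines, pam_krb5.so and pam_ldap.so for the others); the page only lists the options. The last scenario swaps the bracketed control on the pam_ldap account line for plain `sufficient`, to show that a `sufficient` module can never deny, whereas `default=bad` lets LDAP veto an expired account while `user_unknown=ignore` still lets purely local users through.

```python
"""Simulate Linux-PAM control-flag evaluation for the auth and account stacks above.

Constructed example: module names per line are an assumption, and the module
return codes are fed in by hand rather than produced by real PAM modules.
"""
from dataclasses import dataclass

# PAM return codes, reduced to the ones this simulation needs
SUCCESS, AUTH_ERR, USER_UNKNOWN, ACCT_EXPIRED, PERM_DENIED = (
    "success", "auth_err", "user_unknown", "acct_expired", "perm_denied")

# The keyword controls as Linux-PAM defines them in bracket form (pam.conf(5))
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Assumed reconstruction of the snippet: which module sits on which line is a guess
STACK = """
auth     sufficient pam_unix.so nullok
auth     sufficient pam_krb5.so use_first_pass
auth     sufficient pam_ldap.so use_first_pass pam_min_uid=500
account  required   pam_unix.so broken_shadow
account  sufficient pam_krb5.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
"""


@dataclass
class Entry:
    mtype: str      # auth, account, session or password
    control: dict   # return code -> action
    module: str
    args: list


def parse_stack(text):
    """Parse pam.d-style lines, accepting both keyword and [value=action ...] controls."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, rest = line.split(None, 1)
        if rest.startswith("["):
            close = rest.index("]")
            control = dict(tok.split("=", 1) for tok in rest[1:close].split())
            rest = rest[close + 1:]
        else:
            keyword, rest = rest.split(None, 1)
            control = KEYWORDS[keyword]
        module, *args = rest.split()
        entries.append(Entry(mtype, control, module, args))
    return entries


def evaluate(entries, mtype, returns):
    """Walk one stack type the way Linux-PAM does; `returns` maps module -> return code."""
    impression, status = None, None      # None: no module has had an opinion yet
    for e in (x for x in entries if x.mtype == mtype):
        retval = returns.get(e.module, USER_UNKNOWN)
        action = e.control.get(retval, e.control.get("default", "bad"))
        if action in ("ok", "done"):
            # ok/done only count while nothing before has failed
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression = "positive" if retval == SUCCESS else "negative"
                status = retval
            if impression == "positive" and action == "done":
                break                    # 'sufficient' short-circuits only on a clean success
        elif action == "bad":
            if impression != "negative":
                impression, status = "negative", retval
        elif action == "die":
            impression, status = "negative", retval
            break
        elif action == "reset":
            impression, status = None, None
        elif action != "ignore":
            raise ValueError(f"unsupported action {action!r}")
    return PERM_DENIED if impression is None else status


def scenarios():
    entries = parse_stack(STACK)
    expired = {"pam_unix.so": SUCCESS, "pam_krb5.so": USER_UNKNOWN, "pam_ldap.so": ACCT_EXPIRED}
    weaker = parse_stack(STACK.replace("[default=bad success=ok user_unknown=ignore]", "sufficient"))
    return {
        # Kerberos-only password: pam_unix fails, pam_krb5 says yes
        "krb5 password": evaluate(entries, "auth",
            {"pam_unix.so": AUTH_ERR, "pam_krb5.so": SUCCESS, "pam_ldap.so": AUTH_ERR}),
        # Wrong password in every database: nobody says yes, so PAM denies
        "wrong everywhere": evaluate(entries, "auth",
            {"pam_unix.so": AUTH_ERR, "pam_krb5.so": AUTH_ERR, "pam_ldap.so": AUTH_ERR}),
        # Local-only account: user_unknown=ignore stops LDAP from denying it
        "local account": evaluate(entries, "account",
            {"pam_unix.so": SUCCESS, "pam_krb5.so": USER_UNKNOWN, "pam_ldap.so": USER_UNKNOWN}),
        # Account expired in LDAP: default=bad lets pam_ldap veto
        "ldap expired": evaluate(entries, "account", expired),
        # Same expiry with pam_ldap downgraded to 'sufficient': the veto is lost
        "ldap expired, sufficient": evaluate(weaker, "account", expired),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26} -> {result}")
```

Run it directly to see the five outcomes; the only difference between the last two scenarios is the control flag on the pam_ldap account line, which is why that line is written in bracket form rather than as `sufficient`.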


Test

If you created a principal in the previous section, you should now be able to log in (through login or ssh) on one of the KDC servers with the username and the password you set in Kerberos.