So I recently set up a Kerberos server on my local network to use with a file server running NFSv4. The share is mounted at boot using systemd and /etc/fstab. So far so good. However, because the NFS share is secured with sec=krb5, a Kerberos ticket is required before anything on the share can actually be accessed.

However, it would be nice to acquire this ticket automatically when logging in on my desktop computer, rather than having to run kinit manually.

As I use the same password for my local login as for my Kerberos principal, I felt that this should be possible. What I want is the following:

  • Upon login I enter my local UNIX password to authenticate myself; I do not want to use Kerberos for the authentication itself. This is because I still want to be able to log in even if something happens to my Kerberos server. Access to the file server is not critical, since I don't keep my home directory there anyway.
  • As part of that local login I want a Kerberos ticket, without having to enter my password twice. This should be possible, since I use the same password on my local computer and for my Kerberos principal.

pam-krb5 to the rescue!

This can be solved with pam-krb5 [1]. I start by installing pam-krb5; since I use Arch Linux, I install it with pacman.

# pacman -S pam-krb5

I then configure PAM to actually use the newly installed module. I want the module for local logins only, so I change /etc/pam.d/system-local-login to this:

#%PAM-1.0

auth      include   system-login
auth      optional  pam_krb5.so    minimum_uid=1000 use_first_pass
account   include   system-login
account   optional  pam_krb5.so
password  include   system-login
session   include   system-login
session   optional  pam_krb5.so

  • I set the control field to optional so that no actual authorization is done with Kerberos: a failed Kerberos step does not fail the login, and access control is still done locally by pam_unix.
  • I add the minimum_uid option so that the Kerberos server is not contacted for root logins (useful if the Kerberos server is unresponsive).
  • I use use_first_pass so that the password already entered for pam_unix is reused for Kerberos authentication. If the passwords do not match, the login proceeds anyway, just without a Kerberos ticket.
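To confirm that a stack file is wired this way (and stays that way after a package update rewrites it), here is a small check. It is an added example, not part of the original post or of pam-krb5, and it assumes the plain one-line-per-module PAM syntax shown above (not the bracketed [value=action] control form).

```shell
#!/bin/sh
# Added sanity check, not part of the original post. It inspects a PAM stack
# file (e.g. /etc/pam.d/system-local-login) and complains unless pam_krb5 is
# wired the way described above: every pam_krb5.so line is "optional", so a
# failed or unreachable KDC can never block a local login, and the auth line
# carries minimum_uid=N (no KDC traffic for root) and use_first_pass.
#
# Usage: check_pam_krb5_stack /etc/pam.d/system-local-login
#        (reads standard input when no file is given)
# Returns 0 and prints nothing when the stack is fine; otherwise prints one
# line per finding and returns 1.
check_pam_krb5_stack() {
    findings=$(awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blank lines
        $3 != "pam_krb5.so" { next }                 # only pam_krb5 lines matter here
        $2 != "optional" {
            printf "line %d: %s pam_krb5.so is \"%s\", must be \"optional\"\n", NR, $1, $2
        }
        $1 == "auth" {
            seen_auth = 1
            has_uid = 0; has_first = 0
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^minimum_uid=[0-9]+$/) has_uid = 1
                if ($i == "use_first_pass")      has_first = 1
            }
            if (!has_uid)   printf "line %d: auth pam_krb5.so lacks minimum_uid=N\n", NR
            if (!has_first) printf "line %d: auth pam_krb5.so lacks use_first_pass\n", NR
        }
        END { if (!seen_auth) print "no auth pam_krb5.so line: no ticket will be obtained" }
    ' "$@")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

A non-zero exit means either that a Kerberos outage could block local logins or that no ticket would be obtained at login, so it is worth running after every edit of the stack file.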

References

[1] http://www.eyrie.org/~eagle/software/pam-krb5/