So I recently set up a Kerberos server on my local network to use with a file server running NFSv4. The share is mounted upon boot using systemd and /etc/fstab. So far so good. However, because the NFS share is secured with sec=krb5, a Kerberos ticket is required to be able to actually access anything on the share.
However, it would be nice to actually acquire this ticket automatically upon logging in on my desktop computer, rather than having to run
As I use the same password for my local login as for my Kerberos principal, I felt that this should be possible. What I want is the following:
pam-krb5 to the rescue!
This can be solved by using pam-krb5. I start by installing pam-krb5. Since I use Arch Linux, I install it with pacman.
# pacman -S pam-krb5
I then proceed to configure PAM to actually use the newly installed module. I want to use the module for local logins only, thus I modify /etc/pam.d/system-local-login to this:
#%PAM-1.0
auth      include   system-login
auth      optional  pam_krb5.so minimum_uid=1000 use_first_pass
account   include   system-login
account   optional  pam_krb5.so
password  include   system-login
session   include   system-login
session   optional  pam_krb5.so
optional to avoid doing actual authorization with Kerberos. Thus, access control is still done locally with
minimum_uid option to avoid contacting the Kerberos server on root logins (good if the Kerberos server is unresponsive).
use_first_pass to use the previously entered password for pam_unix for Kerberos authentication. If the passwords do not match, login proceeds anyway, but without a Kerberos ticket of course.
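A small check for the three properties described above (optional control, minimum_uid and use_first_pass on the auth rule), useful after editing the file by hand. This is an added example, not part of the original post; the function names parse_pam and audit_krb5 are hypothetical and SAMPLE is constructed from the configuration shown above.

```python
# Constructed sample: the system-local-login stack from the text, one rule per line.
SAMPLE = """\
#%PAM-1.0
auth      include   system-login
auth      optional  pam_krb5.so minimum_uid=1000 use_first_pass
account   include   system-login
account   optional  pam_krb5.so
password  include   system-login
session   include   system-login
session   optional  pam_krb5.so
"""

def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a pam.d service file."""
    for raw in text.replace("\\\n", " ").splitlines():   # join continuation lines
        fields = raw.split("#", 1)[0].split()             # drop comments
        if len(fields) < 3:
            continue
        rtype, control, rest = fields[0].lstrip("-"), fields[1], fields[2:]
        # Bracketed controls such as [success=1 default=ignore] contain spaces.
        while control.startswith("[") and not control.endswith("]") and rest:
            control += " " + rest.pop(0)
        if rest:
            yield rtype, control, rest[0], rest[1:]

def audit_krb5(text, module="pam_krb5.so"):
    """Return findings where the pam_krb5 rules differ from the setup in the text."""
    findings = []
    # Match on the file name so a full module path is accepted as well.
    rules = [r for r in parse_pam(text) if r[2].rsplit("/", 1)[-1] == module]
    if not any(rtype == "auth" for rtype, *_ in rules):
        findings.append("auth: no pam_krb5 rule, so no ticket is requested at login")
    for rtype, control, _, args in rules:
        if control != "optional":
            findings.append(f"{rtype}: control is '{control}', so the Kerberos result can decide the login")
        if rtype == "auth":
            if not any(a.startswith("minimum_uid=") for a in args):
                findings.append("auth: minimum_uid missing, so root logins contact the Kerberos server too")
            if "use_first_pass" not in args:
                findings.append("auth: use_first_pass missing, the option the text relies on to reuse the pam_unix password")
    return findings

if __name__ == "__main__":
    for finding in audit_krb5(SAMPLE) or ["pam_krb5 rules match the intended setup"]:
        print(finding)
```

To check the real file, pass the contents of /etc/pam.d/system-local-login to audit_krb5 instead of SAMPLE.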