So I recently set up a Kerberos server on my local network to use with a file server running NFSv4. The share is mounted upon boot using systemd and /etc/fstab. So far so good. However, because the NFS share is secured with sec=krb5, a Kerberos ticket is required to be able to actually access anything on the share.
However, it would be nice to actually acquire this ticket automatically upon logging in on my desktop computer, rather than having to run
As I use the same password for my local login as for my Kerberos principal, I felt that this should be possible. What I want is the following:
- Upon login I enter my local UNIX password to authenticate myself. Thus I don't want to use Kerberos authentication. This is because I still want to be able to login even if something happens to my Kerberos server. Accessing the file server is not critical, since I don't have my home directory there anyway.
- As I do the local login above, I want a Kerberos ticket, without having to enter my password twice. This should be possible, since I use the same password on my local computer and for my Kerberos principal.
pam-krb5 to the rescue!
This can be solved by using pam-krb5. I start by installing pam-krb5. Since I use Arch Linux, I install it with pacman.
# pacman -S pam-krb5
I then proceed to configure PAM to actually use the newly installed module. I want to use the module for local logins only, thus I modify /etc/pam.d/system-local-login to this:

#%PAM-1.0
auth      include   system-login
auth      optional  pam_krb5.so minimum_uid=1000 use_first_pass
account   include   system-login
account   optional  pam_krb5.so
password  include   system-login
session   include   system-login
session   optional  pam_krb5.so
- I set the control field to optional to avoid doing actual authorization with Kerberos. Thus, access control is still done locally with
- I include the minimum_uid option to avoid contacting the Kerberos server on root logins (good if the Kerberos server is unresponsive).
- I use use_first_pass to use the previously entered password for pam_unix for Kerberos authentication. If the passwords do not match, login proceeds anyway, but without a Kerberos ticket of course.