MIT Kerberos on FreeBSD


The environment I am targeting is a bit different than most. It needs to have a bunch of client laptops that do not have any Kerberos configuration done on them. Kerberos only comes into play when the user connects via ssh to one of any FreeBSD machines. Basically I need to have central auth with enforced password changes every 90 days. It is pretty easy to configure the machine to auth against Kerberos for ssh using pam_krb5. The problem comes down to when you need to have password changes work properly when they expire. This document will outline how the configuration works.


With an MIT KDC with -pwexpire set on a principal. The client will need the following:


After installing them, disable the normal sshd and enable sshd from ports:


Configure the /usr/local/etc/ssh/sshd_config with the following two options:

UsePAM yes
ChallengeResponseAuthentication yes

Securely copy over the keytab from the KDC for the new machine and place the file in /etc/krb5.keytab

Configure the realm in /etc/krb5.conf, in this case my test env is LAB.COM:

        default_realm = LAB.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
	default_ccache_name = FILE:/home/%{username}/.krb5cc

        LAB.COM = {
                kdc =
                admin_server =

Configure the /etc/pam.d/ssh file for Kerberos auth:

# $FreeBSD: release/10.0.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
# PAM configuration for the "sshd" service

# auth
auth		sufficient		no_warn no_fake_prompts
auth		requisite	no_warn allow_local
#auth		sufficient		no_warn try_first_pass
#auth		sufficient		no_warn try_first_pass
auth		sufficient	/usr/local/lib/security/ minimum_uid=1000 debug
auth		required		no_warn try_first_pass

# account
account		required
#account	required
account		required
account		required	/usr/local/lib/security/ minimum_uid=1000 debug
account		required

# session
#session	optional		want_agent
session		required
session		optional	/usr/local/lib/security/ minimum_uid=1000 debug

# password
#password	sufficient		no_warn try_first_pass
password	sufficient	/usr/local/lib/security/ minimum_uid=1000 debug
#password	required		no_warn try_first_pass

Once this is all complete, everything should work including password change via ssh:

> ssh foo01
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
Warning: Your password will expire in 24 hours on Wed Jun  4 16:11:03 2014
Last login: Mon Jun  2 16:03:09 2014 from
FreeBSD 10.0-RELEASE-p3 (GENERIC) #0: Tue May 13 18:31:10 UTC 2014

Welcome to FreeBSD!

brd@foo01:~ %


Powered by FreeBSD! r4l domain registration