NOTE: This setup was tested only in Ubuntu 18.04 x64


The objective is to perform an SSH login and authenticate against a local Microsoft AD. There are many ways to do this, but most of them involve joining the domain, which I did not want. The best options were:

  • Kerberos
  • SAML with shibboleth

In the past I have used PBIS Open to join the domain and then perform the remote authentication; the big issue is that PBIS does not encrypt traffic and works only with the regular LDAP port 389.

I ended up following an official Ubuntu documentation page that describes a very, very dangerous setup!

Somewhere it tells us to run 'auth-client-config -a -p kerberos_example'. Oops: after that, any user was able to log in without entering a password, and the same held for 'su -'. Luckily I found a great post about the problem (linked at the end of this post).

After a few weeks of testing and retesting I was able to make it work using:
SSH → PAM → Kerberos (port 88) → Active Directory

Important things to consider:

  • Users must be pre-created locally with the same name as in AD.
  • You must be able to reach the Domain Controller on port 88 (TCP/UDP).

The setup involves quite a lot of configuration steps. I am working on a simple script to configure it all, but I think it is very important to document and understand it first, so let's go through it one step at a time...


apt install -y libpam-krb5 libpam-ccreds auth-client-config krb5-user


Let's use a group called ict; it is important to keep the UIDs above 5000 (this is used as a filter in the PAM configuration later on).
IMPORTANT: USERNAME must be exactly the name of a valid AD user account!

groupadd -g 5000 ict
useradd -u 5001 -g ict -G sudo -s /bin/bash -m -c "AD Login via Kerberos" -d /home/USERNAME -p '!!' USERNAME

Also add the users of group ict to sudoers. There are two options, one that asks for the password on sudo and one that does not; pick whichever is best for you. Both lines write the same file with '>', so run only one of them.

echo "%ict ALL=(ALL:ALL) ALL" > /etc/sudoers.d/domain_kerberos
echo "%ict ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/domain_kerberos
chmod 0440 /etc/sudoers.d/domain_kerberos
visudo -c

2) SSH

These are very standard settings. If at any point of the setup you think you have done something wrong, just disable PAM with 'UsePAM no'. There is also a nice setup where you can require both a key and the AD password!

Very simple, just change the line to 'AuthenticationMethods publickey,password' (comma-separated means both methods are required; separated by a space they would be alternatives).


UsePAM yes
KbdInteractiveAuthentication yes
Match Group ict
AuthenticationMethods password

PAM stands for Pluggable Authentication Modules. When a program needs to authenticate a user, PAM provides a library containing the functions for the proper authentication scheme.
Because this library is loaded dynamically, the authentication scheme can be changed by simply editing a configuration file.
The config files are located in /etc/pam.d/; take a look at them. Since PAM is not as well known as SSH, here is a short intro to how it is configured:
PAM configuration tokens

3) PAM

Now that we understand the basics of PAM, let's configure it! I chose to keep everything for ssh in one single file; it will be used only for ssh, but we must also configure common-auth, which is used by sudo and su. Please back up your original config before editing.


auth required
auth sufficient nullok try_first_pass
auth sufficient try_first_pass
auth required
account required broken_shadow
account sufficient uid < 5000 quiet
account [default=bad success=ok user_unknown=ignore]
account required

password sufficient md5 shadow nullok try_first_pass use_authtok
password sufficient use_authtok minimum_uid=5000 try_first_pass
password required

session optional revoke
session required
session required umask=0022 skel=/etc/skel
session optional debug
session required debug

For sudo and su we must add only this line to common-auth:

auth [success=1 default=ignore] try_first_pass


Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

The Keytab File – All Kerberos server machines need a keytab file, called /etc/krb5.keytab, to authenticate to the KDC. The keytab file is an encrypted, local, on-disk copy of the host's key. A Kerberos client therefore has no need for it.


For Kerberos to work we require a valid ticket (used for pre-authentication), so we set the Kerberos ticket cache location and create a renewable ticket (10 hours lifetime, renewable for 7 days):

echo "export KRB5CCNAME=/tmp/my_krbtkt" >> /etc/profile
source /etc/profile
kinit -r7d -l10h


Add to crontab to auto-renew the ticket (kinit -R renews within the 7-day renewable window set above; after that a fresh kinit is needed):

echo "0 */6 * * * kinit -R -c /tmp/my_krbtkt" >> /var/spool/cron/crontabs/root


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# realm names are case-sensitive; an AD realm is normally the UPPERCASE form of the DNS domain
default_realm = example.local
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
# DES-CBC-MD5 and DES-CBC-CRC are obsolete and disabled by default in AD and in current MIT krb5;
# an AD DC will normally negotiate AES256-CTS or AES128-CTS
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
forwardable = yes

[realms]
example.local = {
  kdc = example.local:88
  default_domain = example.local
}

[domain_realm]
.example.local = example.local
example.local = example.local

[appdefaults]
pam = {
  debug = true
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}


The first place to look is /var/log/auth.log.

kinit: krb5_get_init_creds: unable to reach any KDC in realm

UDP and TCP port 88 must be reachable for Kerberos to work correctly. Test it with:

nc -vz -t 88
nc -vz -u 88

I found a problem where kinit over UDP would not work, so changing the parameter to 'kdc = tcp/' made the kinit command work, but then it would not work for SSH! Going back to 'kdc =' made it work.
TIP: tcpdump is a good help.

parse_name failed: Configuration file does not specify default realm

Add default_realm in libdefaults.

krb5_get_init_creds_password: Preauthentication failed

Did you create a Kerberos account for your machine? Did you add it to your local keytab? Either the password for the relevant account in Active Directory has changed since the keytab file was created, or the system clock is off by about 5 minutes from that of Active Directory.
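As an added example (not part of the original post), a small POSIX sh pre-flight script that checks the conditions behind the three errors above plus the local-user requirement from the start of the post. The KDC host name, the user name, the krb5.conf path and the KDC's clock (epoch seconds) are assumed inputs passed to preflight.

```shell
#!/bin/sh
# Example pre-flight check for the SSH -> PAM -> Kerberos setup (added here,
# not from the original post). Arguments to preflight are assumptions:
# KDC host, local user name, krb5.conf path and the KDC's clock as epoch seconds.

# Both 88/tcp and 88/udp must be reachable (same test as the nc lines above).
kdc_reachable() {
  nc -z -w 3 "$1" 88 >/dev/null 2>&1 && nc -z -u -w 3 "$1" 88 >/dev/null 2>&1
}

# "parse_name failed": libdefaults must carry a non-empty default_realm.
has_default_realm() {
  grep -Eq '^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# The PAM account rule treats UIDs below 5000 as local-only accounts,
# so an AD-backed user must have been created with a UID of 5000 or more.
uid_is_ad_range() {
  [ "$1" -ge 5000 ] 2>/dev/null
}

# "Preauthentication failed": Kerberos rejects clocks that differ from the
# KDC by more than 300 seconds. $1 = local epoch, $2 = KDC epoch.
clock_skew_ok() {
  d=$(( $1 - $2 ))
  if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
  [ "$d" -le 300 ]
}

# Run all checks; prints the first failure and returns 1, else 0.
# Usage: preflight dc1.example.local alice /etc/krb5.conf "$(date +%s)"
preflight() {
  kdc_reachable "$1"     || { echo "cannot reach $1 on 88/tcp and 88/udp"; return 1; }
  has_default_realm "$3" || { echo "no default_realm in $3"; return 1; }
  uid=$(id -u "$2" 2>/dev/null) || { echo "user $2 does not exist locally"; return 1; }
  uid_is_ad_range "$uid" || { echo "uid $uid of $2 is below 5000"; return 1; }
  clock_skew_ok "$(date +%s)" "$4" || { echo "clock skew vs KDC exceeds 300s"; return 1; }
  # A valid ticket must already be in the cache (see kinit/crontab above).
  klist -s 2>/dev/null   || { echo "no valid ticket in cache: run kinit"; return 1; }
  echo "all checks passed"
}
```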


Links referenced above:

  • Problem as described here: "EVIL kerberos-example"
  • Good simple how-to
  • About Kerberos
  • Keytab (not needed)
  • Troubleshooting help


2 thoughts on "Configure Kerberos for SSH"

  1. PowerBroker binding is not in clear text (or plain password) but uses SASL/GSSAPI for AD over LDAP as transport security.

  2. Well done.
    You should not need to join the domain if you configure NSS with NSS_LDAP.
    As AD is, basically, an LDAP server, you can use it as your reference repository to manage accounts.
