How to use Kerberos for single sign-on in a NetBSD client

Your organization has a Kerberos realm EXAMPLE.COM. You have a login password for the principal jruser@EXAMPLE.COM. How do you log in and authenticate to services?

  1. Create a directory ~/.krb5 and a file ~/.krb5/config with the following content to enable Kerberos on the client side:

            name_canon_rules = as-is:
  2. Get a ticket:

    $ kinit jruser@EXAMPLE.COM
    jruser@EXAMPLE.COM's Password: 

Now any kerberized applications such as ssh and Firefox can authenticate as jruser@EXAMPLE.COM on your behalf to services!

  1. ssh
  2. Firefox
  3. Kerberos for local login


To enable ssh(1) to use Kerberos authentication when logging into any host under *, add the following stanza to the end of ~/.ssh/config (ssh_config(5)):

Match host *
        GSSAPIAuthentication yes

Now log in to without a password!

If you trust the remote host to act on your behalf, and you need to authenticate to kerberized applications on the remote host, you can also forward your Kerberos tickets with:

Match host *
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes

Now run kerberized applications on through ssh without a password!


To log into kerberized web sites at https://*

  1. Go to about:config.
  2. Search for negotiate-auth.
  3. Set network.negotiate-auth.trusted-uris to the string (Note: Not network.negotiate-auth.delegation-uris.)
  4. If you need more sites like https://* too, set it to a comma-separated string like,

Now go to a page that requires kerberized login!


Kerberos for local login

To use Kerberos for local logins, e.g. at the console or in a display manager such as xdm(8), when your local login name matches your Kerberos principal name in the realm:

  1. Get a keytab from your realm administrator at /etc/krb5.keytab.

  2. Create a system-wide /etc/krb5.conf file (krb5.conf(5)) with the following content:

            default_realm = EXAMPLE.COM
            name_canon_rules = as-is:
  3. Uncomment the lines (pam_krb5(8)) in /etc/pam.d/display_manager.

Now log out and log back in again as jruser@EXAMPLE.COM, and see with klist(1) that you automatically got tickets!