Kerberizing Slackware without PAM

27 Jan 2011

This document guides the configuration of Slackware to use Kerberos for authentication. Slackware is (in)famous for not using PAM, so this effort follows that philosophy. Below are the steps required to configure a KDC, a Kerberos client station which can obtain tickets from the KDC and allow console logins with Kerberos credentials, and network applications which accept Kerberos credentials. Tested releases are Slackware 13.0 and 13.1 on i386 and Slackware 13.37 on x86_64. Please send all comments, corrections, or questions to Tom Canich.


Use this information at your own risk. No warranty is expressed or implied.
Slackware is a registered trademark of Slackware Linux, Inc.



This procedure will result in a new Kerberos realm. If you already have access to a Kerberos KDC, you can skip to the client and application server parts. Also, the procedure below is very abbreviated and is not a substitute for reading the documentation supplied in the package or on the MIT Kerberos website.

  1. Install krb5 package.
  2. Configure /etc/krb5.conf, /var/krb5kdc/kdc.conf and /var/krb5kdc/kadm5.acl. These files are examples which you should adjust after reading the Kerberos documentation. Note the option names: in krb5.conf they are dns_lookup_kdc and dns_lookup_realm, and in kdc.conf the enctype list is supported_enctypes.
    /etc/krb5.conf:
            [libdefaults]
            default_realm = EXAMPLE.COM
            dns_lookup_kdc = true
            dns_lookup_realm = true
            forwardable = true
            renewable = true
            [realms]
            EXAMPLE.COM = {
    			kdc =
    			kdc =
    			admin_server =
            }
    /var/krb5kdc/kdc.conf:
            [kdcdefaults]
            kdc_ports = 749,88
            [realms]
            EXAMPLE.COM = {
                    database_name = /var/krb5kdc/principal
                    admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
                    acl_file = /var/krb5kdc/kadm5.acl
                    key_stash_file = /var/krb5kdc/.k5.EXAMPLE.COM
                    kdc_ports = 749,88
                    max_life = 10h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    supported_enctypes = aes256-cts:normal des-cbc-crc:normal des-cbc-md5:normal
            }
    /var/krb5kdc/kadm5.acl:
    krb5adminprinc/admin   *
    Three things to weigh before copying these settings. dns_lookup_realm = true lets the library pick a realm for a hostname from DNS TXT records, which are unauthenticated; an explicit [domain_realm] mapping is safer. The single-DES enctypes are ignored by MIT krb5 1.8 and later unless allow_weak_crypto = true, and DES should only be listed if you still have clients that need it. forwardable = true only marks tickets as forwardable; whether a TGT is actually handed to a server is decided per application (for OpenSSH, by GSSAPIDelegateCredentials). The stash file named by key_stash_file and the admin keytab contain long-term keys and must stay root-owned with mode 0600.
  3. Create the database.
    /usr/kerberos/sbin/kdb5_util create -r EXAMPLE.COM -s
  4. Extract the admin server keys to /var/krb5kdc/kadm5.keytab.
    kadmin.local: xst -k /var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
  5. Create host and other principals; extract to /etc/krb5.keytab
    kadmin.local: ank -randkey host/
    kadmin.local: xst -k /etc/krb5.keytab host/
  6. Create admin, user principals
    kadmin.local: ank krb5adminprinc/admin
    kadmin.local: ank krb5userprinc
    kadmin.local: quit
  7. Create startup script /etc/rc.d/rc.krb5
    rc.krb5 - shamelessly ripped off from rc.samba from Slackware 13.0
    #!/bin/sh
    # /etc/rc.d/rc.krb5
    # Start/stop/restart the MIT Kerberos V KDC
    # To make Kerberos start automatically at boot, make this
    # file executable:  chmod 755 /etc/rc.d/rc.krb5
    krb5_start() {
      if [ -x /usr/kerberos/sbin/krb5kdc -a -x /usr/kerberos/sbin/kadmind -a -r /etc/krb5.conf -a -r /var/krb5kdc/kdc.conf ]; then
        echo "Starting Kerberos:  /usr/kerberos/sbin/krb5kdc"
        echo "                 /usr/kerberos/sbin/kadmind"
        /usr/kerberos/sbin/krb5kdc
        /usr/kerberos/sbin/kadmind
      fi
    }
    krb5_stop() {
      killall krb5kdc kadmind
    }
    krb5_restart() {
      krb5_stop
      sleep 2
      krb5_start
    }
    case "$1" in
      'start') krb5_start ;;
      'stop') krb5_stop ;;
      'restart') krb5_restart ;;
      # Default is "start", for backwards compatibility with previous
      # Slackware versions.  This may change to a 'usage' error someday.
      *) krb5_start ;;
    esac
  8. Start KDC daemons:
    # sh /etc/rc.d/rc.krb5 start
    Remember to make the rc.krb5 script executable if you want the KDC to start automatically at boot.
  9. Verify connectivity to KDC with kadmin, kinit:
    $ kinit krb5userprinc
    $ klist
    $ kadmin -p krb5adminprinc/admin
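Before the KDC goes live it is worth checking the configuration files for the settings called out above. The script below is an added example written for this page, not part of MIT krb5, Slackware or the author's packages; the function names (krb5_settings, audit_krb5_conf, check_secret_file) and the embedded sample configuration are constructed for illustration. It flattens a krb5.conf or kdc.conf into key = value lines, warns about dns_lookup_realm, single-DES enctypes and allow_weak_crypto, and checks that a stash file or keytab is not readable by other users.

```shell
#!/bin/sh
# audit_krb5.sh - check a krb5.conf or kdc.conf for the weak settings
# discussed above.  Hypothetical helper written for this page, not part of
# MIT krb5 or Slackware.
# Usage: sh audit_krb5.sh [FILE ...]   (no arguments: audit a built-in sample)

# Normalise a krb5-style config into "key = value" lines: comments, section
# headers, braces and indentation are dropped.  Good enough for the flat
# settings checked here; it does not track which section a key sits in.
krb5_settings() {
  sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | grep '=' | grep -v '{' | sed -e 's/[[:space:]]*=[[:space:]]*/ = /'
}

# audit_krb5_conf FILE: print one "WARN:" line per finding, return 1 if any.
audit_krb5_conf() {
  [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 1; }
  settings=$(krb5_settings "$1")
  rc=0
  # dns_lookup_realm derives the realm for a hostname from DNS TXT records.
  # DNS is unauthenticated, so a spoofed answer can point clients at an
  # attacker-controlled realm.  Map hosts explicitly in [domain_realm].
  if printf '%s\n' "$settings" | grep -qi '^dns_lookup_realm = true'; then
    echo "WARN: dns_lookup_realm = true; realm mapping trusts unsigned DNS"
    rc=1
  fi
  # Single DES is broken.  Since krb5 1.8 the library ignores these enctypes
  # unless allow_weak_crypto = true, so listing them either does nothing or,
  # with that switch on, lets a client negotiate DES-keyed tickets.
  if printf '%s\n' "$settings" | grep -qiE 'des-cbc-(crc|md5|md4)'; then
    echo "WARN: single-DES enctypes listed (des-cbc-*)"
    rc=1
  fi
  if printf '%s\n' "$settings" | grep -qi '^allow_weak_crypto = true'; then
    echo "WARN: allow_weak_crypto = true re-enables DES"
    rc=1
  fi
  return $rc
}

# check_secret_file FILE: the stash file, kadm5.keytab and krb5.keytab hold
# long-term keys; anything beyond owner read/write leaks them to local users.
check_secret_file() {
  mode=$(stat -c %a "$1") || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) echo "WARN: $1 has mode $mode, expected 600"; return 1 ;;
  esac
}

if [ $# -gt 0 ]; then
  for f in "$@"; do
    echo "== $f"; audit_krb5_conf "$f" || :
  done
else
  # Constructed sample: the kdc.conf realm stanza from this page plus the
  # krb5.conf DNS setting, i.e. input the checks above should complain about.
  sample=$(mktemp)
  cat > "$sample" <<'EOF'
[realms]
    EXAMPLE.COM = {
        key_stash_file = /var/krb5kdc/.k5.EXAMPLE.COM
        supported_enctypes = aes256-cts:normal des-cbc-crc:normal des-cbc-md5:normal
    }
[libdefaults]
    dns_lookup_realm = true
EOF
  echo "== sample"; audit_krb5_conf "$sample" || :
  rm -f "$sample"
fi
```

Run it as `sh audit_krb5.sh /etc/krb5.conf /var/krb5kdc/kdc.conf` on the KDC, and add `check_secret_file /var/krb5kdc/.k5.EXAMPLE.COM` and the two keytabs to whatever host check you already run; the exit codes are meant to be consumed by a script, the WARN lines by a human.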

The Client

This procedure will result in a client capable of retrieving Kerberos tickets from a KDC and allowing Kerberos principals to log in at the console. A successful console login by a principal will generate tickets in the user's credential cache. A failed login by a principal (because the principal doesn't exist, or the wrong password was supplied) should fall through to local authentication (/etc/shadow). Note: the principal must be associated with an account on the system, either in the local passwd database or via a network system such as NIS or LDAP. The host/ key extracted to /etc/krb5.keytab in step 4 is not optional: login.krb5 uses it to verify that the TGT it just obtained was issued by the real KDC (krb5_verify_init_creds). Without a host key that check is skipped, and a machine that can answer the client's AS-REQ on the network could impersonate the KDC and log in with a password of its choosing; set verify_ap_req_nofail = true in [libdefaults] if you want a missing keytab to be a hard failure instead. Keep /etc/krb5.keytab owned by root with mode 0600.

  1. Install krb5 package and krb5-appl package.
  2. Setup /etc/krb5.conf (the same file, with the same caveats, as on the KDC):
            [libdefaults]
            default_realm = EXAMPLE.COM
            dns_lookup_kdc = true
            dns_lookup_realm = true
            forwardable = true
            renewable = true
            [realms]
            EXAMPLE.COM = {
    			kdc =
    			kdc =
    			admin_server =
            }
  3. Verify kadmin, kinit working
    $ kinit krb5userprinc
    $ klist
    $ kadmin -p krb5adminprinc/admin
  4. Add host principal, and extract host principal to /etc/krb5.keytab using kadmin and admin principal:
    # kadmin -p krb5adminprinc/admin
    kadmin: ank -randkey host/
    kadmin: xst -k /etc/krb5.keytab host/
    kadmin: quit
  5. Patch /etc/inittab to use login.krb5 (Patch).
  6. Optional: if /usr is a separate filesystem, copy libraries from /usr/kerberos/lib to /lib (so you can still login if /usr isn't mounted):
    # cp /usr/kerberos/lib/{,,,} /lib

The Application Server

This procedure will result in network listening services which accept Kerberos tickets, or which will verify a password against the Kerberos database via the Kerberos libraries.

  1. Setup following Client steps.
  2. Unpack the OpenSSH source archive from the Slackware distribution. Patch openssh.SlackBuild (Patch). Build and install the new package.
    $ cd openssh
    $ patch -p0 < openssh_SlackBuild-13.1-SK5.patch
    # sh openssh.SlackBuild
    # removepkg openssh
    # installpkg /tmp/openssh-5.5p1-i486-1_SK5.txz
  3. Extract a service principal for sshd to /etc/krb5.keytab. Note that OpenSSH's GSSAPI support on both sides works with the host/<fqdn> principal that the Client procedure already placed in the keytab: the client asks for host@<fqdn> and sshd acquires credentials for that name, so the ssh/ entry created here is harmless but is not what sshd uses.
    # kadmin -p krb5adminprinc/admin
    kadmin: ank -randkey ssh/
    kadmin: xst -k /etc/krb5.keytab ssh/
  4. Patch /etc/ssh/sshd_config for GSSAPI support (Patch). Restart sshd
    # /etc/rc.d/rc.sshd restart
  5. Patch /etc/ssh/ssh_config to support GSSAPI (Patch). Do this on every client where you will use Kerberos tickets to authenticate to the server. Be deliberate about GSSAPIDelegateCredentials: with forwardable = true in krb5.conf, a client configured to delegate hands a copy of the user's TGT to every server it connects to, and that server can then act as the user for the remaining ticket lifetime. Enable delegation only inside a Host block for servers you trust; ssh takes the first value it finds for each keyword, so put the specific Host blocks before any "Host *" block.
  6. Alternative to previous step: set up a per-user ~/.ssh/config file to specify GSSAPI authentication.
  7. Alternative #2: invoke SSH with
    -o GSSAPIAuthentication=yes -o PreferredAuthentications=gssapi-with-mic
    The SSH authentication method is named gssapi-with-mic; a bare "gssapi" is not a method name in OpenSSH 5.x, and PreferredAuthentications only orders the methods the client already has enabled, hence the explicit GSSAPIAuthentication=yes.
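Because ssh(1) keeps the first value it obtains for each keyword, it is easy to turn delegation on for every host by accident when a "Host *" block comes first. The helper below is an added example for this page, not part of OpenSSH, Slackware or the author's patches; the function names ssh_effective, check_delegation and sshd_accepts_gssapi and the sample ssh_config are constructed. It resolves the value ssh will actually use for a keyword and a host, following the first-match rule and Host globbing, and warns when a forwarded TGT would be handed to that host.

```shell
#!/bin/sh
# ssh_gssapi_check.sh - what will ssh(1)/sshd(8) actually do with GSSAPI?
# Hypothetical helper written for this page; not part of OpenSSH or Slackware.
# Usage: sh ssh_gssapi_check.sh [SSH_CONFIG HOST]   (no arguments: built-in sample)

# ssh_effective FILE HOST KEYWORD
# Print the value ssh would use for KEYWORD when connecting to HOST.  Rules
# mirrored from ssh_config(5): the first obtained value wins; a directive in
# a "Host" block counts only if HOST matches one of its patterns.
# Assumptions: "keyword value" form (no "="), no "!" negation, and a Match
# block ends the search (sshd_config has no Host blocks, so this also yields
# the global value from sshd_config).
ssh_effective() {
  awk -v host="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
      -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
    # Turn an ssh_config glob into an anchored regex: "." literal, "*" any
    # string, "?" any single character.
    function glob_re(p,  r) {
      r = tolower(p)
      gsub(/\./, "\\\\.", r)
      gsub(/\*/, ".*", r)
      gsub(/\?/, ".", r)
      return "^" r "$"
    }
    BEGIN { active = 1 }
    /^[ \t]*#/ { next }
    NF == 0 { next }
    { k = tolower($1) }
    k == "host" {
      active = 0
      for (i = 2; i <= NF; i++) if (host ~ glob_re($i)) active = 1
      next
    }
    k == "match" { exit }
    active && k == key { print $2; exit }
  ' "$1"
}

# check_delegation FILE HOST: with "forwardable = true" in krb5.conf, a host
# for which GSSAPIDelegateCredentials is "yes" receives a copy of the user TGT
# and can act as the user anywhere in the realm until it expires.  Warn when
# that is the case for HOST.
check_delegation() {
  v=$(ssh_effective "$1" "$2" GSSAPIDelegateCredentials | tr 'A-Z' 'a-z')
  if [ "$v" = yes ]; then
    echo "WARN: $2 will be handed a forwarded TGT (GSSAPIDelegateCredentials yes)"
    return 1
  fi
  return 0
}

# sshd_accepts_gssapi FILE: is GSSAPIAuthentication on globally in sshd_config?
sshd_accepts_gssapi() {
  v=$(ssh_effective "$1" - GSSAPIAuthentication | tr 'A-Z' 'a-z')
  [ "$v" = yes ]
}

if [ $# -eq 2 ]; then
  printf 'GSSAPIAuthentication: %s\n' "$(ssh_effective "$1" "$2" GSSAPIAuthentication)"
  check_delegation "$1" "$2" || :
else
  # Constructed sample ssh_config: delegate only to the bastion, use GSSAPI
  # for the whole realm, and nowhere else.
  sample=$(mktemp)
  cat > "$sample" <<'EOF'
Host bastion.example.com
    GSSAPIDelegateCredentials yes
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
Host *
    GSSAPIAuthentication no
EOF
  for h in bastion.example.com db.example.com www.other.org; do
    printf '%s: GSSAPIAuthentication=%s\n' "$h" "$(ssh_effective "$sample" "$h" GSSAPIAuthentication)"
    check_delegation "$sample" "$h" || :
  done
  rm -f "$sample"
fi
```

`sh ssh_gssapi_check.sh /etc/ssh/ssh_config some.host.example.com` answers the question for one host; `sshd_accepts_gssapi /etc/ssh/sshd_config` is the server-side counterpart after applying the sshd_config patch. Where the real client configuration uses Match blocks or the "keyword=value" spelling, `ssh -G host` (available in newer OpenSSH releases, not in 5.5p1) is the authoritative way to dump the effective settings.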

Repeat this general procedure for all programs which will use Kerberos authentication. Kerberized alternatives for the telnet, rlogin, rsh, rcp, and ftp clients are installed in /usr/kerberos/bin, and the corresponding daemons in /usr/kerberos/sbin. Modify /etc/inetd.conf or create symbolic links to use these daemons in place of the stock daemons. Bear in mind that Kerberos only authenticates these sessions; the MIT telnet and rlogin clients still send the session in the clear unless encryption is requested (their -x option), so prefer the Kerberized OpenSSH above where you can.

Patches to several Slackware package build scripts are available on this page: nfs-utils cyrus-sasl. Rebuilt packages are tagged with the suffix "_SK5" to avoid confusion with the stock Slackware packages. Refer to the software documentation, HOWTOs, or other documents for configuration and usage details of these packages.

The SK5 nfs-utils package, along with the required support libraries, allows NFSv4 GSSAPI mounts. This is poorly tested; consider it experimental.

The SK5 cyrus-sasl adds the SASL GSSAPI mechanism to the available mechanisms for any SASL-aware program.

If you use slackpkg(8), be sure to blacklist any packages which are rebuilt with Kerberos support. Updates to these packages will have to be rebuilt from source, after patching the build scripts as above, or upgraded with binary packages from this page.

Note: Kerberos is only for authentication. LDAP, YP, or flat files should be used to control authorization of kerberos principals. nss_ldap is available from

Table of patches, packages, and build scripts

Below is a complete listing of patches and packages referenced above. Packages which I have produced are available on this site as SlackBuild (from source) packages and binary packages. Additionally, I am providing binary "rebuilt" packages for the various Slackware packages which are rebuilt to be Kerberos-aware. I don't have access to an x86_64 build machine; Slack64 folks will have to patch the SlackBuild scripts and rebuild from source. The MD5 checksums detect a corrupted download; they are not signatures and will not detect a file altered in transit.

SlackBuild patches (name; description; downloads; MD5 checksum)

  cyrus-sasl   Patch to the Slackware source cyrus-sasl.SlackBuild script. Requires: krb5.
               Downloads: cyrus-sasl SlackBuild patch (13.0); (13.1); (13.37)
  openssh      Patch to the Slackware source openssh.SlackBuild script. Requires: krb5.
               Downloads: openssh SlackBuild patch (13.0); (13.1); (13.37)
  nfs-utils    Patch to the Slackware source nfs-utils.SlackBuild script. Allows AUTH_GSS and NFSv4. Requires: krb5, libgssglue, libtirpc, libnfsidmap, librpcsecgss, libevent.
               Downloads: nfs-utils SlackBuild patch (13.0); (13.1); (13.37)
  mailx        Patch to the Slackware source mailx.SlackBuild script. Allows GSSAPI connections to IMAP servers. Requires: krb5.
               Downloads: mailx SlackBuild patch (13.37)   MD5: d57843fbf63e86d9c85f27f84a610f54

Configuration file patches (name; description; downloads; MD5 checksum)

  /etc/inittab          Configures login console to use /usr/kerberos/sbin/login.krb5 instead of /bin/login. Allows Kerberos principal authentication, and collects initial Kerberos tickets at login. Falls back to local authentication when Kerberos fails.
                        Downloads: inittab login.krb5 patch (13.0,13.1)   MD5: 46ca6c54f676dad53d94f149298bdfd0
  /etc/ssh/ssh_config   Configures OpenSSH client to try GSSAPI authentication.
                        Downloads: ssh_config patch (13.0,13.1,13.37)   MD5: fcf97bf03e92f6f7f049d740499be5a7
  /etc/ssh/sshd_config  Configures OpenSSH daemon to accept GSSAPI authentication.
                        Downloads: sshd_config patch (13.0,13.1,13.37)   MD5: 8db0f7f43e95707dab74f960865eed56

SlacK5 packages and build scripts (name; description; downloads; MD5 checksum)

  libgssglue    libgssglue.
                Downloads: libgssglue-0.1-i486-1_SK5.tgz (13.0); libgssglue-0.1-i486-1_SK5.tgz (13.1); libgssglue 0.1 SK5 SlackBuild (13.0); (13.1); (13.37)
  librpcsecgss  librpcsecgss. Requires: libgssglue.
                Downloads: librpcsecgss-0.19-i486-1_SK5.tgz (13.0); librpcsecgss-0.19-i486-1_SK5.tgz (13.1); librpcsecgss 0.19 SK5 SlackBuild (13.0); (13.1); (13.37)
  libnfsidmap   libnfsidmap. Requires: libgssglue, librpcsecgss, libtirpc, and libevent (SBo).
                Downloads: libnfsidmap-0.24-i486-1_SK5.tgz (13.0); libnfsidmap-0.24-i486-1_SK5.tgz (13.1); libnfsidmap 0.24 SK5 SlackBuild (13.0); (13.1); (13.37)
  libtirpc      libtirpc. Requires: libgssglue.
                Downloads: libtirpc-0.2.1-i486-1_SK5.tgz (13.0); libtirpc-0.2.1-i486-1_SK5.tgz (13.1); libtirpc 0.2.1 SK5 SlackBuild (13.0); (13.1); (13.37)
  krb5          MIT Kerberos V.
                Downloads: krb5-1.9-i486-1_SK5.tgz (13.1); krb5 1.9 SK5 SlackBuild (13.1); krb5 1.9.2 SK5 SlackBuild (13.37)
  krb5-appl     MIT Kerberos V applications. Requires: krb5.
                Downloads: krb5-appl-1.0.1-i486-1_SK5.tgz (13.1); krb5-appl 1.0.1 SK5 SlackBuild (13.1); krb5-appl 1.0.2 SK5 SlackBuild (13.37)

Slackware package "rebuilds" (name; description; downloads; MD5 checksum)

  cyrus-sasl   Cyrus-sasl 2.1.23 linked to MIT Kerberos. Requires: krb5.
               Downloads: cyrus-sasl-2.1.23-i486-1_SK5.txz (13.1)   MD5: e687f37973dddecf6b1bf8147957778b
  openssh      OpenSSH 5.5p1 linked to MIT Kerberos. Requires: krb5.
               Downloads: openssh-5.5p1-i486-1_SK5.txz (13.1)   MD5: 1fe6d23951e7be161bfc7b3afab4dfb4
  nfs-utils    nfs-utils 1.2.2 linked to MIT Kerberos with NFSv4 support. Requires: krb5, libgssglue, librpcsecgss, libtirpc, libevent, libnfsidmap.
               Downloads: nfs-utils-1.2.2-i486-1_SK5.txz (13.1)   MD5: 282dd561c704b640c5915bfaeb13368c

Further work