Automatic kerberos ticket initialization on login
I would look into using pam-krb5.
On Debian and Ubuntu, it should be apt-get install libpam-krb5.
The PAM configuration would look something like:
auth required pam_unix.so
auth optional pam_krb5.so try_first_pass
or
auth required pam_unix.so
auth optional pam_krb5.so use_first_pass
in /etc/pam.d/common-auth.
It takes the password you used to authenticate locally, e.g. the password in /etc/shadow, and then tries to use the same one as your Kerberos password.
If your Kerberos password is the same as your system password, you don't need to type it again.
If your Kerberos password is different from your system password, what happens depends on whether you used try_first_pass or use_first_pass:
try_first_pass will ask you for your Kerberos password
use_first_pass won't ask you, but you'll have to run kinit yourself later
Note that this probably makes ksshaskpass redundant too, because you can also have:
auth required pam_unix.so
auth optional pam_ssh.so try_first_pass
auth optional pam_krb5.so try_first_pass
On Debian and Ubuntu, that requires installing libpam-ssh.
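A way to check which of the two behaviours a given auth stack will produce, as an added example that is not part of the original answer. The function names and the sample file content are constructed for illustration; point it at the text of /etc/pam.d/common-auth to audit a real host.

```python
import re

# Constructed sample of /etc/pam.d/common-auth using the stack from the answer.
SAMPLE = """\
# comment lines and blank lines are ignored
auth required pam_unix.so
auth optional pam_ssh.so try_first_pass
auth optional pam_krb5.so use_first_pass
"""

# type, control (simple keyword or [bracketed] form), module, options
AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth_stack(text):
    """Return [(control, module, options)] for auth entries, in stack order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = AUTH_LINE.match(line)
        if m:
            control, module, opts = m.groups()
            # Modules may be given with a full path; keep the file name only.
            stack.append((control, module.rsplit("/", 1)[-1], opts.split()))
    return stack

def krb5_on_mismatch(text):
    """Say what pam_krb5 does when the Kerberos and local passwords differ."""
    stack = parse_auth_stack(text)
    modules = [module for _, module, _ in stack]
    if "pam_krb5.so" not in modules:
        return "absent: no ticket at login"
    pos = modules.index("pam_krb5.so")
    opts = stack[pos][2]
    if "pam_unix.so" not in modules[:pos]:
        return "no pam_unix.so earlier: nothing from /etc/shadow to reuse"
    if "use_first_pass" in opts:
        return "silent: no prompt, run kinit later"
    if "try_first_pass" in opts:
        return "prompt: asks for the Kerberos password"
    return "no reuse: pam_krb5 asks for a password itself"

if __name__ == "__main__":
    print(krb5_on_mismatch(SAMPLE))
```
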