Configure Heimdal Kerberos on FreeBSD


Below is a quick guide to configuring the Heimdal Kerberos that ships in the FreeBSD base system. Unlike the official Handbook chapter, it is abbreviated for use as a cheat sheet.

The same conventions are used here as in the FreeBSD Handbook: the domain is and the realm is EXAMPLE.ORG.



Although this guide does not use DNS to distribute the KDC information, working DNS for the domain is advised. Otherwise /etc/hosts must be configured on each host, and the kdc and admin_server entries in /etc/krb5.conf must be set to the respective IP addresses.


Run Control Configuration

Enable the services in /etc/rc.conf.local on the KDC so that they start at boot:



Configure Realm

The primary configuration file for Kerberos is /etc/krb5.conf; it is the same on all systems in the realm.

[libdefaults]
 default_realm = EXAMPLE.ORG

[realms]
 EXAMPLE.ORG = {
  kdc =
  admin_server =
 }

[domain_realm]
  = EXAMPLE.ORG


Set Master Key

Run the following command to set the master key for encrypting the KDC database:

# kstash


Initialise Database

Run the following to initialise the database for the realm:

# kadmin -l
kadmin> init EXAMPLE.ORG


Add User Principal

# kadmin -l
kadmin> add luser


Add Host Principal

# kadmin -l
kadmin> add --random-key host/
kadmin> ext_keytab --keytab=/tmp/example.keytab host/

Copy the extracted keytab file to /etc/krb5.keytab on the host and set its permissions to 0600.


Kerberise SSH

Edit /etc/ssh/sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Edit /etc/ssh/ssh_config or ~/.ssh/config:

Host *
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes
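A small post-configuration check that ties together the krb5.conf, keytab and sshd_config steps above: it confirms the keytab is mode 0600, that both GSSAPI directives are active in sshd_config, and that default_realm matches the expected realm. This is an added example, not part of the original guide; the file paths and the expected realm are passed as arguments, so it can be run against the real files or against constructed copies.

```shell
# Added example: audit the host-side Kerberos settings from this guide.
# Not part of the original cheat sheet; all paths are caller-supplied.

# Return 0 if the file exists with mode 0600 (-rw-------), as required
# for /etc/krb5.keytab. Uses ls so it works on both FreeBSD and Linux.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Return 0 if sshd_config has an active (uncommented) "<directive> yes" line.
# $1 = path to sshd_config, $2 = directive name (sshd keywords are case-insensitive)
sshd_directive_yes() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+yes[[:space:]]*$" "$1"
}

# Print the value of default_realm from krb5.conf; fail if it is absent.
krb5_default_realm() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$realm" ] || return 1
    printf '%s\n' "$realm"
}

# Run every check, print one line per result, return non-zero if any failed.
# $1 = keytab, $2 = sshd_config, $3 = krb5.conf, $4 = expected realm
kerberos_host_check() {
    rc=0
    if keytab_mode_ok "$1"; then echo "ok   keytab $1 is 0600"
    else echo "FAIL keytab $1 missing or not 0600"; rc=1; fi
    for d in GSSAPIAuthentication GSSAPICleanupCredentials; do
        if sshd_directive_yes "$2" "$d"; then echo "ok   $d yes"
        else echo "FAIL $d is not set to yes in $2"; rc=1; fi
    done
    if [ "$(krb5_default_realm "$3")" = "$4" ]; then echo "ok   default_realm $4"
    else echo "FAIL default_realm in $3 is not $4"; rc=1; fi
    return $rc
}
```

Run it as root on a configured host, e.g. `kerberos_host_check /etc/krb5.keytab /etc/ssh/sshd_config /etc/krb5.conf EXAMPLE.ORG`; a non-zero exit means at least one step from this guide is incomplete.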


Service Accounts

To allow users to access a service account, add the following to the account's ~/.k5login file:


Users listed there can then log in to the account via ssh.


Control Services

# service kdc|kadmind start|stop|restart


Firewall Rules

On the KDC:

pass in on $if inet proto {tcp,udp} from $subnet to $kdcip port 88
pass in on $if inet proto tcp from $subnet to $kdcip port 749

On a client:

pass out on $if inet proto {tcp,udp} from $clientip to $kdcip port 88
pass out on $if inet proto tcp from $clientip to $kdcip port 749


Copyright 2018