First, grab the patches as http://www.sxw.org.uk/computing/patches/openssh.html. You won't need PAM for much. You can then build a pam_krb5.so and have something like auth sufficient pam_unix.so auth required pam_krb5.so try_first_pass And users who supply a password will also get tickets provided that their password does not appear in /etc/passwd.