Authentication and authorization
================================

We use/support the following authentication mechanisms:

- SSH keys/certificates
- Kerberos tickets (AD)
- Password (checked against AD), not for the ``root`` account

Login is restricted to certain users and groups on each system. This is
implemented locally using :manpage:`pam_access(8)`.

Shared Credentials
------------------

Shared credentials should be avoided, eg. by using ``.k5login`` or
``AuthorizedPrincipalsFile`` (see :manpage:`sshd_config(5)` for details).