diff --git a/pkg/login-validator/cmd/auth_krb5.go b/pkg/login-validator/cmd/auth_krb5.go
new file mode 100644
index 0000000..4068d9e
--- /dev/null
+++ b/pkg/login-validator/cmd/auth_krb5.go
@@ -0,0 +1,61 @@
+package main
+
+import (
+	"errors"
+	"strings"
+
+	"github.com/jcmturner/gokrb5/v8/client"
+	"github.com/jcmturner/gokrb5/v8/config"
+	"github.com/jcmturner/gokrb5/v8/iana/etypeID"
+	"github.com/jcmturner/gokrb5/v8/krberror"
+)
+
+type Krb5Auth struct {
+	Realm string
+}
+
+func parseETypes(s []string, w bool) []int32 {
+	var eti []int32
+	for _, et := range s {
+		if !w {
+			var weak bool
+			for _, wet := range strings.Fields(config.WeakETypeList) {
+				if et == wet {
+					weak = true
+					break
+				}
+			}
+			if weak {
+				continue
+			}
+		}
+		i := etypeID.EtypeSupported(et)
+		if i != 0 {
+			eti = append(eti, i)
+		}
+	}
+	return eti
+}
+
+func (f *Krb5Auth) checkAuth(username, password string) (res bool, err error) {
+	cnf := config.New()
+	cnf.LibDefaults.DNSLookupKDC = true
+	cnf.LibDefaults.DNSLookupRealm = true
+	cnf.LibDefaults.DefaultTGSEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTGSEnctypes, cnf.LibDefaults.AllowWeakCrypto)
+	cnf.LibDefaults.DefaultTktEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTktEnctypes, cnf.LibDefaults.AllowWeakCrypto)
+	cnf.LibDefaults.PermittedEnctypeIDs = parseETypes(cnf.LibDefaults.PermittedEnctypes, cnf.LibDefaults.AllowWeakCrypto)
+
+	c := client.NewWithPassword(username, f.Realm, password, cnf)
+	if err := c.Login(); err != nil {
+		if errk, ok := err.(krberror.Krberror); ok {
+			if errk.RootCause == krberror.NetworkingError {
+				return false, errors.New(`{"status": "Authentication system unavailable, please retry."}`)
+			} else if errk.RootCause == krberror.KDCError {
+				return false, errors.New(`{"status": "Invalid username or password"}`)
+			}
+		}
+		return false, err
+	} else {
+		return true, nil
+	}
+}
diff --git a/pkg/login-validator/cmd/main.go b/pkg/login-validator/cmd/main.go
index d3cdfb1..d311c56 100644
--- a/pkg/login-validator/cmd/main.go
+++ b/pkg/login-validator/cmd/main.go
@@ -24,10 +24,12 @@ func main() {
 	flag.StringVar(&tftpDir, "tftpdir", "/var/tftp/", "Path to TFTPd directory")
 	flag.StringVar(&loginSalt, "loginsalt", "adelina", "secret used in login HMAC")
 
-	var auth = flag.String("auth", "none", "Auth method: none, ldap, fwd")
+	var auth = flag.String("auth", "none", "Auth method: none, fwd, ldap, krb5")
 
 	var fwdURI = flag.String("fwduri", "https://srs.epita.fr:443/", "URI to forward auth requests")
 
+	var krb5Realm = flag.String("krb5realm", "CRI.EPITA.FR", "Kerberos Realm")
+
 	var ldapAddr = flag.String("ldaphost", "auth.cri.epita.fr", "LDAP host")
 	var ldapPort = flag.Int("ldapport", 636, "LDAP port")
 	var ldaptls = flag.Bool("ldaptls", false, "Is LDAP connection LDAPS?")
@@ -56,6 +58,11 @@ func main() {
 			BindUsername: *ldapbindusername,
 			BindPassword: *ldapbindpassword,
 		}
+	} else if auth != nil && *auth == "krb5" && krb5Realm != nil {
+		log.Printf("Auth method: KRB5(%s)", *krb5Realm)
+		lc.authMethod = &Krb5Auth{
+			Realm: *krb5Realm,
+		}
 	} else if auth != nil && *auth == "fwd" && fwdURI != nil {
 		if uri, err := url.Parse(*fwdURI); err != nil {
 			log.Fatal("Unable to parse FWD URL:", err)
diff --git a/server.yml b/server.yml
index cab8d53..94739d3 100644
--- a/server.yml
+++ b/server.yml
@@ -145,8 +145,9 @@ services:
      - /var/lib/adlin/pxelinux.cfg:/srv/tftp/pxelinux.cfg
 
   - name: login-validator
-    image: nemunaire/adlin-login-validator:87f1cf05e8037b934d293a48704bd3f8ee678d41
+    image: nemunaire/adlin-login-validator:00a36b31bcf77a953d62e8c0027c659bc420f393
 #    command: ["/bin/login-validator", "-bind=:8081", "-auth=ldap", "-ldaphost=auth.cri.epita.net", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"]
+#    command: ["/bin/login-validator", "-bind=:8081", "-auth=krb5", "-krb5realm=CRI.EPITA.FR"]
     command: ["/bin/login-validator", "-bind=:8081", "-auth=fwd", "-fwduri=https://adlin.nemunai.re/auth"]
 #    command: ["/bin/login-validator", "-bind=:8081", "-auth=none"]
     net: /run/netns/login
diff --git a/token-validator/auth.go b/token-validator/auth.go
index 2da0767..f90fec9 100644
--- a/token-validator/auth.go
+++ b/token-validator/auth.go
@@ -5,14 +5,19 @@ import (
 	"encoding/json"
 	"errors"
 	"net/http"
+	"strings"
 	"time"
 
+	"github.com/jcmturner/gokrb5/v8/client"
+	"github.com/jcmturner/gokrb5/v8/config"
+	"github.com/jcmturner/gokrb5/v8/iana/etypeID"
+	"github.com/jcmturner/gokrb5/v8/krberror"
 	"github.com/julienschmidt/httprouter"
 
 	"git.nemunai.re/lectures/adlin/libadlin"
 )
 
-var AuthFunc = checkAuth
+var AuthFunc = checkAuthKrb5
 
 func init() {
 	router.GET("/api/auth", apiAuthHandler(validateAuthToken))
@@ -87,7 +92,7 @@ func dummyAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interfa
 	return map[string]string{"status": "OK"}, completeAuth(w, lf.Username, nil)
 }
 
-func checkAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
+func checkAuthHttp(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
 	var lf loginForm
 	if err := json.Unmarshal(body, &lf); err != nil {
 		return nil, err
@@ -111,3 +116,54 @@ func checkAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interfa
 		}
 	}
 }
+
+func parseETypes(s []string, w bool) []int32 {
+	var eti []int32
+	for _, et := range s {
+		if !w {
+			var weak bool
+			for _, wet := range strings.Fields(config.WeakETypeList) {
+				if et == wet {
+					weak = true
+					break
+				}
+			}
+			if weak {
+				continue
+			}
+		}
+		i := etypeID.EtypeSupported(et)
+		if i != 0 {
+			eti = append(eti, i)
+		}
+	}
+	return eti
+}
+
+func checkAuthKrb5(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
+	var lf loginForm
+	if err := json.Unmarshal(body, &lf); err != nil {
+		return nil, err
+	}
+
+	cnf := config.New()
+	cnf.LibDefaults.DNSLookupKDC = true
+	cnf.LibDefaults.DNSLookupRealm = true
+	cnf.LibDefaults.DefaultTGSEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTGSEnctypes, cnf.LibDefaults.AllowWeakCrypto)
+	cnf.LibDefaults.DefaultTktEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTktEnctypes, cnf.LibDefaults.AllowWeakCrypto)
+	cnf.LibDefaults.PermittedEnctypeIDs = parseETypes(cnf.LibDefaults.PermittedEnctypes, cnf.LibDefaults.AllowWeakCrypto)
+
+	c := client.NewWithPassword(lf.Username, "CRI.EPITA.FR", lf.Password, cnf)
+	if err := c.Login(); err != nil {
+		if errk, ok := err.(krberror.Krberror); ok {
+			if errk.RootCause == krberror.NetworkingError {
+				return nil, errors.New(`{"status": "Authentication system unavailable, please retry."}`)
+			} else if errk.RootCause == krberror.KDCError {
+				return nil, errors.New(`{"status": "Invalid username or password"}`)
+			}
+		}
+		return nil, err
+	} else {
+		return dummyAuth(w, nil, body)
+	}
+}