## page was renamed from SshKerberosMacOSX
= Using SSH with Kerberos from Mac =

=== Configure Kerberos ===
The [[https://itservices.stanford.edu/service/ess/mac/kfm|Kerberos Configuration Tool (KCT) app]] provided by Stanford's IT Services will prepare your Mac to work with the {{{@CS.STANFORD.EDU}}} realm as well as many others, e.g., the default {{{@stanford.edu}}}. If you use the {{{@CS.STANFORD.EDU}}} realm most of the time, you might want to change the default realm in {{{/Library/Preferences/edu.mit.Kerberos}}}. This will let you omit the {{{@CS.STANFORD.EDU}}} part or even the entire argument when typing {{{kinit}}} commands.

=== Configure SSH ===
Stanford IT Services' KCT app will add a few lines to your {{{~/.ssh/config}}} resembling the following.
{{{
# Stanford Kerberos Auth
Host *.stanford.edu
    GSSAPIDelegateCredentials yes
    GSSAPIAuthentication yes
}}}

You may want to enable a few more options to avoid some known issues since Lion (10.7).
{{{
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes
}}}

If you were using {{{@stanford.edu}}} for single sign-on (to corn/cardinal farmshare machines or !WebAuth), and/or want to use the {{{@CS.STANFORD.EDU}}} realm smoothly alongside it, you should explicitly specify in {{{~/.ssh/config}}} which principal each host expects. SSH logins will then work for hosts in both realms regardless of your active Kerberos credential cache. Otherwise, you will have to switch back and forth, at least with the {{{kswitch -i}}} command, each time you log in to a host in a different realm.
{{{
# CS hosts come first: ssh uses the first value it obtains for each option.
Host il*.stanford.edu madmax*.stanford.edu rulk.stanford.edu hulk.stanford.edu rocky.stanford.edu rambo.stanford.edu bruce.stanford.edu zarya.stanford.edu eel.stanford.edu snap.stanford.edu shark.stanford.edu skate.stanford.edu whale.stanford.edu silk.stanford.edu
    GSSAPIClientIdentity your_cs_id@CS.STANFORD.EDU
# Every other Stanford host falls through to the default realm.
Host *.stanford.edu
    GSSAPIClientIdentity your_sunetid@stanford.edu
}}}

=== GUI for Managing/Refreshing Kerberos Tickets ===
There's an excellent app built into OS X for managing Kerberos tickets, called Ticket Viewer. (No need to rely on tedious `klist`/`kinit` commands from Terminal or other crappy Kerberos login apps.) This gem is hidden in an obscure place: `/System/Library/CoreServices/Ticket Viewer.app`. You can open it once by navigating to the location with Finder (Cmd+Shift+G) or from Terminal (`open ...` command), and keep the icon on your Dock to make it handy.

{{attachment:TicketViewerScreenshot.png|Screenshot of Ticket Viewer|align="center"}}

=== References ===
 * [[http://web.mit.edu/macdev/KfM/Common/Documentation/preferences-osx.html|Kerberos Preferences on Mac OS X Documentation]]
 * [[http://tig.csail.mit.edu/wiki/TIG/InstallingKerberosOnMacOSX|Installing Kerberos On Mac OS X - CSAIL, MIT]]
 * [[http://www.slac.stanford.edu/comp/unix/sshGSSAPI.html|Using SSH and GSSAPI authentication - SLAC, Stanford]]
 * [[http://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html|Tips on Credential cache server - KCM - HEIMDAL]]
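
=== Example: checking which principal a host gets ===
The per-host principal layout under "Configure SSH" only works if the CS host list precedes the catch-all {{{Host *.stanford.edu}}} block. The script below is an added example, not part of the original page or of OpenSSH: {{{principal_for}}} is a hypothetical helper, both configs are constructed samples with a shortened host list, and {{{il3}}} and {{{corn}}} are made-up host names.

```shell
# Constructed sample in the layout shown under "Configure SSH" (host list shortened).
sample_config() {
cat <<'EOF'
Host il*.stanford.edu rocky.stanford.edu
    GSSAPIClientIdentity your_cs_id@CS.STANFORD.EDU
Host *.stanford.edu
    GSSAPIClientIdentity your_sunetid@stanford.edu
EOF
}

# Same entries with the catch-all block first: the ordering mistake to catch.
misordered_config() {
cat <<'EOF'
Host *.stanford.edu
    GSSAPIClientIdentity your_sunetid@stanford.edu
Host il*.stanford.edu rocky.stanford.edu
    GSSAPIClientIdentity your_cs_id@CS.STANFORD.EDU
EOF
}

# principal_for HOST < config   (hypothetical helper, not part of OpenSSH)
# Prints the first GSSAPIClientIdentity found in a Host block matching HOST,
# since ssh keeps the first value it obtains for each option.
# Assumptions: no negated (!) patterns, no Match/Include, "keyword value" form only.
principal_for() {
    host=$1
    matched=0
    set -f                      # split patterns into words without globbing files
    while read -r key rest; do
        case $(printf '%s' "$key" | tr '[:upper:]' '[:lower:]') in
            host)
                matched=0
                for pat in $rest; do
                    case $host in $pat) matched=1 ;; esac
                done ;;
            gssapiclientidentity)
                if [ "$matched" -eq 1 ]; then
                    set +f
                    printf '%s\n' "$rest"
                    return 0
                fi ;;
        esac
    done
    set +f
    return 1
}

for h in il3.stanford.edu rocky.stanford.edu corn.stanford.edu; do
    printf '%-20s %s\n' "$h" "$(sample_config | principal_for "$h")"
done
```

To check your own file, run {{{principal_for rocky.stanford.edu < ~/.ssh/config}}}; feeding it {{{misordered_config}}} instead shows every host resolving to the {{{@stanford.edu}}} principal.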