Diff for "SshKerberosMac"

Differences between revisions 1 and 3 (spanning 2 versions)
Revision 1 as of 2012-09-28 03:54:11
Size: 2442
Editor: netj
Comment: First draft
Revision 3 as of 2012-11-23 05:36:00
Size: 2520
Editor: netj
Comment: Updated hosts to include all servers
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
## page was renamed from SshKerberosMacOSX
Line 25: Line 26:
Host ilhead*.stanford.edu ild*.stanford.edu ilh*.stanford.edu il-fs-*.stanford.edu madmax.stanford.edu rulk.stanford.edu hulk.stanford.edu rocky.stanford.edu rambo.stanford.edu bruce.stanford.edu zarya.stanford.edu eel.stanford.edu
    GSSAPIClientIdentity=your_cs_id@CS.STANFORD.EDU
Host il*.stanford.edu madmax.stanford.edu rulk.stanford.edu hulk.stanford.edu rocky.stanford.edu rambo.stanford.edu bruce.stanford.edu zarya.stanford.edu eel.stanford.edu snap.stanford.edu shark.stanford.edu skate.stanford.edu whale.stanford.edu silk.stanford.edu
    GSSAPIClientIdentity your_cs_id@CS.STANFORD.EDU
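Review bot: the new "Host il*.stanford.edu" pattern is much broader than the "ilhead*", "ild*", "ilh*" and "il-fs-*" patterns it replaces, because it matches every stanford.edu host whose name begins with "il". Any such host that authenticates against the default @stanford.edu realm would now be offered the CS principal, and because ssh uses the first value it obtains for an option, the later "Host *.stanford.edu" block cannot correct that. Either keep the narrower prefixes or state on the page that every il* host is a CS-realm machine. The page should also say that this block must stay above the "Host *.stanford.edu" block. The switch from "GSSAPIClientIdentity=..." to the space-separated form is only stylistic, since ssh_config accepts both.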
Line 29: Line 30:
    GSSAPIClientIdentity=your_sunetid@stanford.edu     GSSAPIClientIdentity your_sunetid@stanford.edu

Using SSH with Kerberos from Mac

Configure Kerberos

The Kerberos Configuration Tool (KCT) app provided by Stanford's IT Services will prepare your Mac to work with the @CS.STANFORD.EDU realm as well as many others, e.g., the default @stanford.edu.

If you use the @CS.STANFORD.EDU realm most of the time, you might want to change the default realm in /Library/Preferences/edu.mit.Kerberos. This will let you omit the @CS.STANFORD.EDU part or even the entire argument when typing kinit commands.

Configure SSH

Stanford IT Services' KCT app will add a few lines to your ~/.ssh/config resembling the following.

# Stanford Kerberos Auth
Host *.stanford.edu
    GSSAPIDelegateCredentials yes
    GSSAPIAuthentication yes

You may want to enable a few more options to avoid some known issues since Lion (10.7).

    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes

If you were using @stanford.edu for single sign-on (to corn/cardinal farmshare machines or WebAuth), and/or want to use the @CS.STANFORD.EDU realm along with it smoothly, you should explicitly specify in ~/.ssh/config which principal each host expects. SSH logins will then work for hosts in both realms regardless of your active Kerberos credential cache. Otherwise, you will have to go through the hassle of switching back and forth with at least a kswitch -i command each time you log in to a host in a different realm.

Host il*.stanford.edu  madmax.stanford.edu rulk.stanford.edu hulk.stanford.edu rocky.stanford.edu rambo.stanford.edu bruce.stanford.edu zarya.stanford.edu eel.stanford.edu  snap.stanford.edu shark.stanford.edu skate.stanford.edu whale.stanford.edu silk.stanford.edu
    GSSAPIClientIdentity your_cs_id@CS.STANFORD.EDU

Host *.stanford.edu
    GSSAPIClientIdentity your_sunetid@stanford.edu
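
ssh uses the first value it obtains for each option, so the realm-specific Host block only takes effect when it sits above the Host *.stanford.edu block. The following Python script is an added example, not part of the original wiki page: it emulates only Host pattern matching (no Match or Include handling) to show which principal a given host ends up with. The sample config and the host names ilhead1 and corn are constructed for illustration.

```python
import fnmatch
import re

# Constructed sample mirroring the two blocks above (host list shortened).
SAMPLE_CONFIG = """\
Host il*.stanford.edu madmax.stanford.edu snap.stanford.edu
    GSSAPIClientIdentity your_cs_id@CS.STANFORD.EDU

Host *.stanford.edu
    GSSAPIClientIdentity=your_sunetid@stanford.edu
    GSSAPIAuthentication yes
"""

# ssh_config accepts both "Keyword value" and "Keyword=value".
LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_blocks(text):
    """Return [(host_patterns, {keyword: value})] in file order."""
    blocks = [(["*"], {})]  # options before any Host line apply to every host
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1).startswith("#"):
            continue  # blank line, comment, or keyword without a value
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            blocks.append((value.lower().split(), {}))
        else:
            blocks[-1][1].setdefault(keyword, value)  # first value wins
    return blocks


def host_matches(patterns, host):
    """A Host line matches if some pattern matches and no !pattern does."""
    host = host.lower()  # simplification: compare case-insensitively
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)


def effective_option(config_text, host, keyword):
    """Value selected for keyword: the first one obtained, top to bottom."""
    for patterns, options in parse_blocks(config_text):
        if host_matches(patterns, host) and keyword.lower() in options:
            return options[keyword.lower()]
    return None
```

Calling effective_option on your real ~/.ssh/config text for a host in each realm is a quick way to catch a misordered or overly broad Host pattern before a login silently uses the wrong principal.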
