Using SSH with Kerberos from Mac

Configure Kerberos

The Kerberos Configuration Tool (KCT) app provided by Stanford's IT Services will prepare your Mac to work with the @CS.STANFORD.EDU realm as well as many others, e.g., the default

If you use the @CS.STANFORD.EDU realm most of the time, you might want to change the default realm in /Library/Preferences/. This will let you omit the @CS.STANFORD.EDU part, or even the entire principal argument, when typing kinit commands.

Configure SSH

Stanford IT Services' KCT app will add a few lines to your ~/.ssh/config resembling the following.

# Stanford Kerberos Auth
Host *
    GSSAPIDelegateCredentials yes
    GSSAPIAuthentication yes

You may want to enable a few more options to avoid some known issues present since Lion (10.7).

    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes

If you were using for single sign-on (to corn/cardinal farmshare machines or WebAuth), and/or want to use the @CS.STANFORD.EDU realm along with it smoothly, you should explicitly specify in ~/.ssh/config which principal each host expects. SSH logins will then work for hosts in both realms regardless of your active Kerberos credential cache. Otherwise, you will have to go through the hassle of switching back and forth with at least a kswitch -i command each time you log in to a host in a different realm.

Host il*  madmax*
    GSSAPIClientIdentity your_cs_id@CS.STANFORD.EDU

Host *
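One detail the snippet above relies on but does not state: OpenSSH takes, for each option, the first value it obtains while reading ~/.ssh/config, so the `Host il* madmax*` block carrying the CS identity must come before the catch-all `Host *` block, or it is silently ignored. The script below is an added example (not part of this page and not Stanford IT Services' code) that emulates that first-match rule over a constructed config, so you can see which GSSAPIClientIdentity a given hostname would end up with. The hostnames il01, madmax2 and cardinal.stanford.edu, the your_sunet_id@stanford.edu identity under `Host *`, and the your_cs_id placeholder are all constructed for the example. On a current OpenSSH you can ask the real client the same question with `ssh -G hostname | grep -i gssapiclientidentity`.

```shell
#!/bin/sh
# Added example: emulate OpenSSH's "first obtained value wins" rule for
# ssh_config, to check which GSSAPIClientIdentity a host would get.
# Simplifications: only '*' and '?' patterns (no '!' negation), exact-case keywords.
set -f   # never treat '*' in Host patterns as a filename glob

# Constructed config mirroring the page's layout. your_cs_id / your_sunet_id are
# placeholders; the stanford.edu identity under "Host *" is an assumption.
SSH_CONFIG_SAMPLE='# Stanford Kerberos Auth
Host il*  madmax*
    GSSAPIClientIdentity your_cs_id@CS.STANFORD.EDU

Host *
    GSSAPIClientIdentity your_sunet_id@stanford.edu
    GSSAPIDelegateCredentials yes
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes
'

# The same settings with the blocks in the wrong order: the catch-all comes
# first, so the CS identity below it is never reached for il*/madmax* hosts.
SSH_CONFIG_WRONG_ORDER='Host *
    GSSAPIClientIdentity your_sunet_id@stanford.edu
Host il*  madmax*
    GSSAPIClientIdentity your_cs_id@CS.STANFORD.EDU
'

# host_matches HOST "PATTERN [PATTERN...]" -> 0 if HOST matches any pattern.
host_matches() {
    _h=$1
    for _p in $2; do            # word-split the pattern list; set -f keeps '*' literal
        case "$_h" in
            $_p) return 0 ;;    # shell glob matching covers ssh's '*' and '?'
        esac
    done
    return 1
}

# resolve_option CONFIG HOST OPTION -> prints the value ssh would use for OPTION,
# i.e. the first occurrence inside a Host block that matches HOST.
resolve_option() {
    _cfg=$1; _host=$2; _opt=$3
    _active=0
    printf '%s\n' "$_cfg" | while read -r _key _rest; do
        case "$_key" in
            ''|'#'*) continue ;;                      # blank line or comment
            Host)
                if host_matches "$_host" "$_rest"; then _active=1; else _active=0; fi ;;
            *)
                if [ "$_active" -eq 1 ] && [ "$_key" = "$_opt" ]; then
                    printf '%s\n' "$_rest"
                    break                             # first value wins
                fi ;;
        esac
    done
}

# Usage: show the effective identity for a few constructed hostnames.
for _h in il01 madmax2 cardinal.stanford.edu; do
    printf '%-24s -> %s\n' "$_h" \
        "$(resolve_option "$SSH_CONFIG_SAMPLE" "$_h" GSSAPIClientIdentity)"
done
printf 'wrong order, il01     -> %s\n' \
    "$(resolve_option "$SSH_CONFIG_WRONG_ORDER" il01 GSSAPIClientIdentity)"
```

One point worth checking in your own file while you are at it: `GSSAPIDelegateCredentials yes` under `Host *` forwards your Kerberos credentials to every host you log in to, so if some of those hosts are less trusted than others, consider moving that line into the blocks for the hosts that actually need your delegated ticket.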

GUI for Managing/Refreshing Kerberos Tickets

There's an excellent app built into OS X for managing Kerberos tickets, called Ticket Viewer. (No need to rely on tedious klist/kinit commands from Terminal or other crappy Kerberos login apps.) This gem is hidden in an obscure place: /System/Library/CoreServices/Ticket You can open it once by navigating to that location in Finder (Cmd+Shift+G) or from Terminal (the open ... command), and keep the icon in your Dock to have it handy.

Screenshot of Ticket Viewer


last edited 2014-04-30 06:14:32 by netj