Configuring Kerberos
Kerberos support is already part of the base OS X system. However, you do need to use a custom configuration file.
- Download the CSAIL version of edu.mit.Kerberos (Ctrl+Click to choose Save Link As; remove any extra ".txt" extension)
- In Finder, drag it to /Library/Preferences and enter an administrator password when prompted.
You will also probably want to make a shortcut on your Dock for the Kerberos credential manager, which for reasons unknown is located at
/System/Library/CoreServices/Kerberos.app. As long as you leave this application running, it will continuously renew your Kerberos credentials until the end of their maximum renew-time.
Known issues
- (10.6) Ticket Viewer gives "Unable to read user preferences", or kinit returns only "Usage: kinit [-V] ..."
  - Cause: edu.mit.Kerberos was not correctly saved to /Library/Preferences/. Make sure no ".txt" extension is present (eg, check with File > Get Info in Finder).
- (10.6) Your Kerberos tickets expire after 8-12 hours without renewing, even when Ticket Viewer is kept open
  - Cause: /System/Library/com.apple.Kerberos.renew.plist is the new way to auto-renew tickets in 10.6, and it's failing by default. We're working on it.
Using Kerberos with SSH
If you expect to connect to CSAIL Debian machines frequently using ssh or sftp, we also recommend configuring ssh to use Kerberos authentication. (For infrequent access, you can simply run ssh $YOU@login.csail.mit.edu and enter a password.) To set up ssh to use Kerberos, place the following in the .ssh/config file within your local home directory (ie, /Users/$YOU/.ssh/config) [1]:
# Kerberos options
# Ticket forwarding is enabled by default for csail machines
# It's not enabled globally because forwarding tickets to an
# untrusted system can be very bad.
# Enable for systems you trust.
Host *.csail.mit.edu
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIDelegateCredentials yes
The above will allow you to connect using Kerberos to hosts addressed by their fully qualified domain names (eg, ssh login.csail.mit.edu). GSSAPIDelegateCredentials forwards a copy of your ticket-granting ticket to the remote host, which can then act as you for as long as the ticket is valid; that is why it is limited to the *.csail.mit.edu pattern rather than enabled globally. GSSAPIKeyExchange is not an upstream OpenSSH option (Apple's and Debian's ssh carry the patch that adds it); if your ssh rejects that line as a bad configuration option, remove it and Kerberos authentication will still work via GSSAPIAuthentication. If you also want X11 forwarding (to run extra xterms or MATLAB remotely, for example), make sure X11.app is installed on your Mac and then add ForwardX11 yes just after GSSAPIDelegateCredentials yes.
Only if your machine is a desktop that never leaves the CSAIL network may you append the following lines and connect with bare hostnames (like ssh login). Order matters: ssh uses the first value it obtains for each option, so the Host *.csail.mit.edu block above keeps precedence, the Host *.* block then withholds ticket delegation and X11/agent forwarding from any other fully qualified name, and the catch-all Host * block applies only to bare names, which on the CSAIL network resolve to CSAIL hosts. On any other network a bare name would resolve through that network's search domain and your tickets would be forwarded to whatever host answers, which is why this is desktop-only.
# exclude anything that looks fully-qualified but not CSAIL
Host *.*
    GSSAPIDelegateCredentials no
    ForwardX11 no
    ForwardAgent no
# if not matched above, allow Kerberos and X11 as a CSAIL-local host
Host *
    GSSAPIDelegateCredentials yes
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    # optional, should match Host *.csail.mit.edu
    #ForwardX11 yes
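Because ticket delegation is the one option you really do not want applied to the wrong host, it is worth checking which hosts end up with GSSAPIDelegateCredentials yes once both blocks above are layered. The following is an added example, not part of the CSAIL page or of OpenSSH: a small Python model of ssh_config's first-match-wins resolution, run against a constructed copy of the two blocks above (the desktop-only variant, with ForwardX11 enabled in the CSAIL block). It models only the subset of ssh_config syntax used on this page (Host blocks with whitespace- or comma-separated wildcard patterns, optional ! negation, and simple "Keyword value" lines); it is not a full ssh_config parser.

```python
"""Resolve effective ssh_config options for a host, first-match-wins.

Added example (not from the CSAIL page or OpenSSH): models how OpenSSH
applies Host blocks so you can see which hosts would receive forwarded
Kerberos tickets.  Only the syntax used on the page is handled.
"""
from fnmatch import fnmatchcase

# Constructed copy of the layered ~/.ssh/config described on the page:
# the CSAIL block (with ForwardX11) followed by the desktop-only additions.
SSH_CONFIG = """
# Kerberos options
Host *.csail.mit.edu
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIDelegateCredentials yes
    ForwardX11 yes

# exclude anything that looks fully-qualified but not CSAIL
Host *.*
    GSSAPIDelegateCredentials no
    ForwardX11 no
    ForwardAgent no

# if not matched above, allow Kerberos and X11 as a CSAIL-local host
Host *
    GSSAPIDelegateCredentials yes
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
"""


def host_matches(patterns, hostname):
    """Host semantics: a matching negated (!) pattern rejects the block;
    otherwise the block applies if any positive pattern matches."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatchcase(hostname, pat):
            matched = True
    return matched


def parse_blocks(text):
    """Return a list of (patterns, [(keyword, value), ...]) per Host block.
    Lines before the first Host line form an implicit block matching '*'."""
    blocks = []
    patterns, options = ["*"], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()            # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((patterns, options))
            patterns, options = value.replace(",", " ").split(), []
        else:
            options.append((keyword, value))
    blocks.append((patterns, options))
    return blocks


def effective_options(text, hostname):
    """The first obtained value for each keyword wins, as in ssh_config(5)."""
    result = {}
    for patterns, options in parse_blocks(text):
        if not host_matches(patterns, hostname.lower()):
            continue
        for keyword, value in options:
            result.setdefault(keyword, value)
    return result


def delegates_credentials(text, hostname):
    """True if connecting to hostname would forward your Kerberos TGT
    (OpenSSH's default for GSSAPIDelegateCredentials is no)."""
    opts = effective_options(text, hostname)
    return opts.get("gssapidelegatecredentials", "no") == "yes"


if __name__ == "__main__":
    for host in ("login.csail.mit.edu", "login", "github.com"):
        print(host, "delegates TGT:", delegates_credentials(SSH_CONFIG, host))
```

Running it shows the intended split: login.csail.mit.edu and the bare name login get delegation, github.com does not, and the Kerberos authentication options still apply to github.com through the Host * block, which is harmless because no ticket is forwarded. Swap in your own ~/.ssh/config text to check any host before you trust the layered rules.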
[1] To affect all accounts on the machine, use sudo to add the above lines to /etc/ssh_config instead of ~/.ssh/config.