Kerberos support is already part of the base OS X system. However, you do need to use a custom configuration file: /Library/Preferences/edu.mit.Kerberos. At CSAIL we use the following content for that file. Cut and paste it in.
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
[libdefaults]
default_realm = CSAIL.MIT.EDU
noaddresses = TRUE
[realms]
ATHENA.MIT.EDU = {
    kdc = kerberos.mit.edu.:88
    kdc = kerberos-1.mit.edu.:88
    kdc = kerberos-2.mit.edu.:88
    admin_server = kerberos.mit.edu.
    default_domain = mit.edu
}
CSAIL.MIT.EDU = {
    kdc = kerberos-1.csail.mit.edu
    kdc = kerberos-2.csail.mit.edu
    kdc = krb524.csail.mit.edu
    admin_server = kerberos.csail.mit.edu.
    default_domain = csail.mit.edu
}
[v4 realms]
ATHENA.MIT.EDU = {
    kdc = kerberos.mit.edu.
    kdc = kerberos-1.mit.edu.
    kdc = kerberos-2.mit.edu.
    admin_server = kerberos.mit.edu.
    default_domain = mit.edu
    string_to_key_type = mit_string_to_key
}
[v4 domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
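The [domain_realm] section decides which realm (and so which KDCs from [realms]) a host is authenticated against: an exact hostname entry wins, otherwise the longest parent domain written with a leading dot. The following is an added example, not part of the CSAIL page or of any Kerberos library: a small parser for the sections above plus that lookup rule, so you can check which realm a given host will be mapped to before trusting a ticket exchange. The sample configuration is a constructed excerpt of the file above, and the fallback when no entry matches (a real library would consult default_realm or DNS) is left as "no mapping".

```python
"""Resolve hostnames to Kerberos realms and KDCs from a krb5-style config.

Added example (not from the CSAIL page): parses the [domain_realm] and
[realms] sections of the edu.mit.Kerberos / krb5.conf format and applies
the host-to-realm lookup rule.
"""
from typing import Dict, List, Optional

# Constructed sample: the realm-related sections of the CSAIL config above.
SAMPLE_CONFIG = """
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU

[libdefaults]
default_realm = CSAIL.MIT.EDU
noaddresses = TRUE

[realms]
ATHENA.MIT.EDU = {
    kdc = kerberos.mit.edu.:88
    kdc = kerberos-1.mit.edu.:88
    admin_server = kerberos.mit.edu.
}
CSAIL.MIT.EDU = {
    kdc = kerberos-1.csail.mit.edu
    kdc = kerberos-2.csail.mit.edu
    admin_server = kerberos.csail.mit.edu.
}
"""


def parse_krb5(text: str) -> Dict[str, dict]:
    """Parse [section] headers, key = value lines and { } sub-blocks.

    Repeated keys (several kdc lines) are collected into a list so no KDC
    is silently dropped. Comment lines (#, ;) and blank lines are ignored.
    """
    sections: Dict[str, dict] = {}
    stack: List[dict] = []  # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            stack = [current]
            continue
        if line == "}":
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            block: dict = {}
            stack[-1][key] = block
            stack.append(block)
            continue
        holder = stack[-1]
        if key in holder:  # second occurrence: promote to a list
            if not isinstance(holder[key], list):
                holder[key] = [holder[key]]
            holder[key].append(value)
        else:
            holder[key] = value
    return sections


def host_realm(config: Dict[str, dict], hostname: str) -> Optional[str]:
    """Exact hostname entry first, then the longest '.parent.domain' entry.

    Returns None when nothing matches (no fallback to default_realm here).
    """
    mapping = config.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def kdcs_for_host(config: Dict[str, dict], hostname: str) -> List[str]:
    """KDCs that would be contacted for the realm the host maps to."""
    realm = host_realm(config, hostname)
    if realm is None:
        return []
    kdc = config.get("realms", {}).get(realm, {}).get("kdc", [])
    return kdc if isinstance(kdc, list) else [kdc]


if __name__ == "__main__":
    cfg = parse_krb5(SAMPLE_CONFIG)
    for h in ("login.csail.mit.edu", "athena.dialup.mit.edu", "example.com"):
        print(h, "->", host_realm(cfg, h), kdcs_for_host(cfg, h))
```

Note that login.csail.mit.edu maps to CSAIL.MIT.EDU even though .mit.edu also matches, because the more specific suffix is tried first; a host with no matching entry gets no KDC list at all.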
You will also probably want to make a shortcut on your Dock for the Kerberos credential manager, which for reasons unknown is located at /System/Library/CoreServices/Kerberos.app. As long as you leave this application running, it will keep renewing your Kerberos credentials until the end of their maximum renewable lifetime.
Using Kerberos with SSH
If you expect to use ssh or sftp to connect to CSAIL Debian machines, we also recommend configuring ssh to connect to those machines using your Kerberos credentials. To do so, place the following in your ~/.ssh/config file:[1]
# Kerberos options
# Ticket forwarding is enabled by default for csail machines
# It's not enabled globally because forwarding tickets to an
# untrusted system can be very bad.
# Enable for systems you trust.
Host *.csail.mit.edu
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIDelegateCredentials yes
    ForwardX11 yes
Note: the above configuration requires you to connect to hosts using their fully qualified domain names (e.g., ssh login.csail.mit.edu) for Kerberos authentication to occur. Allowing bare hostnames (like ssh login) can be risky: a bare name is completed by whatever DNS search domain the current network supplies, so if the machine ever connects to a non-CSAIL local network, the catch-all block below could forward your tickets to a host that is not a CSAIL machine. It is nevertheless possible by appending the lines below to ~/.ssh/config.
# exclude anything that looks fully-qualified but not CSAIL
Host *.*
    GSSAPIDelegateCredentials no
    ForwardX11 no
    ForwardAgent no
# if not matched above, allow Kerberos and X11 as a CSAIL-local host
Host *
    GSSAPIDelegateCredentials yes
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    ForwardX11 yes
[1] To affect all accounts on the machine, add the above lines to /etc/ssh_config instead of ~/.ssh/config (sudo access required).
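The two snippets above rely on how ssh_config is evaluated: Host blocks are read in file order and, for each option, the first value obtained is the one used, so the "Host *.*" block must come before "Host *" to switch delegation off for non-CSAIL fully qualified names while still letting bare names through. The following is an added example, not code from the CSAIL page or from OpenSSH: a minimal emulation of that rule applied to the two snippets, so you can see for any name you might type whether your tickets would be forwarded (GSSAPIDelegateCredentials). The sample config is constructed from the snippets above, pattern matching is approximated with fnmatch ('*' and '?', with '!' negation), and on a real system the authoritative check is ssh -G <host>, which prints the effective options.

```python
"""Which ssh_config Host block governs a destination, and does it delegate?

Added example (not from the CSAIL page or OpenSSH): emulates the
"first obtained value wins" rule for ssh_config options.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Constructed sample: the two CSAIL snippets, in the order the page gives them.
SAMPLE_SSH_CONFIG = """
# Kerberos options
Host *.csail.mit.edu
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIDelegateCredentials yes
    ForwardX11 yes

# exclude anything that looks fully-qualified but not CSAIL
Host *.*
    GSSAPIDelegateCredentials no
    ForwardX11 no
    ForwardAgent no

# if not matched above, allow Kerberos and X11 as a CSAIL-local host
Host *
    GSSAPIDelegateCredentials yes
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    ForwardX11 yes
"""

# Only the first snippet, i.e. before the bare-hostname fallback was added.
CSAIL_BLOCK_ONLY = SAMPLE_SSH_CONFIG.split("# exclude anything")[0]

Block = Tuple[List[str], Dict[str, str]]


def parse_ssh_config(text: str) -> List[Block]:
    """Return (patterns, options) blocks in file order.

    Options before any Host line apply to every host (an implicit 'Host *').
    Keywords are case-insensitive, as in OpenSSH.
    """
    blocks: List[Block] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        argument = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((argument.split(), {}))
        else:
            blocks[-1][1].setdefault(keyword, argument)
    return blocks


def host_matches(patterns: List[str], host: str) -> bool:
    """ssh-style pattern list: a negated ('!') pattern that matches rejects
    the whole block; otherwise any positive match accepts it.
    Approximation: fnmatch also treats '[...]' specially, which ssh does not."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host.lower(), pat[1:].lower()):
                return False
        elif fnmatchcase(host.lower(), pat.lower()):
            matched = True
    return matched


def effective_options(blocks: List[Block], host: str) -> Dict[str, str]:
    """Walk blocks in order; keep only options not already set."""
    result: Dict[str, str] = {}
    for patterns, options in blocks:
        if host_matches(patterns, host):
            for key, value in options.items():
                result.setdefault(key, value)
    return result


def delegates_credentials(text: str, host: str) -> bool:
    """True if the effective config would forward Kerberos tickets to host."""
    opts = effective_options(parse_ssh_config(text), host)
    return opts.get("gssapidelegatecredentials", "no").lower() == "yes"


if __name__ == "__main__":
    for h in ("login.csail.mit.edu", "host.example.com", "login"):
        print(f"{h:22} delegates={delegates_credentials(SAMPLE_SSH_CONFIG, h)}")
```

With only the first snippet, a bare "login" matches no block, so no GSSAPI option is set and Kerberos authentication is not even attempted; with the fallback appended, "login" gets delegation while host.example.com keeps GSSAPIAuthentication but is denied delegation, agent forwarding and X11.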