Installing Kerberos on Mac OS

Configuring Kerberos

Kerberos support is already part of the base OS X system. You need to use a CSAIL-specific configuration file. NOTE: if the computer is set up for ATHENA Kerberos, you still need to follow these instructions, which will allow you access to both Kerberos realms (CSAIL and ATHENA.MIT.EDU).
  1. Download the CSAIL version of edu.mit.Kerberos. Ctrl+Click to choose Save Link As -> Save as "All Files". Once it's saved, rename it to remove any extra ".txt" extension.
  2. In Finder, drag it to Macintosh HD > Library > Preferences and Authenticate when prompted. In 10.7 and 10.8 Library is hidden by default. Use a terminal to enter "chflags nohidden ~/Library/" to make it visible.

Ticket Viewer:

You will also probably want to make a shortcut on your Dock for the Ticket Viewer, which for reasons unknown is located at /System/Library/CoreServices/Ticket Viewer.app. As long as you leave this application running, it will continuously renew your Kerberos credentials until the end of their maximum renew-time.

Logging into Kerberos (aka Obtaining Kerberos tickets)

Use one of the following methods:
  1. (Recommended) If using the AFS menu, clicking AFS menu -> Get new token will first obtain a Kerberos ticket for you.
  2. If using Mac OS 10.5, you can click the Kerberos icon in the Dock and click "New".
  3. In Terminal, enter kinit (long form: kinit yourusername@CSAIL.MIT.EDU); klist shows all kerberos tickets you have (klist -f shows their flags).

Known issues

  1. Ticket Viewer gives "Unable to read user preferences", or kinit returns only "Usage: kinit [-V] ..."
    • Cause: edu.mit.Kerberos was not correctly saved to /Library/Preferences/.
    • Solution: Make sure no ".txt" extension is present (eg, with File/Get Info)
  2. Kerberos tickets don't allow ssh login, and klist -f displays only RIA flags (not Forwardable or Proxiable)
    • Cause: incorrect values were cached to /Users/$YOU/Library/Preferences/edu.mit.Kerberos.IdentityManagement.plist
    • Solution: Delete this file and it will be re-created properly.
  3. Your Kerberos tickets expire after 8-12 hours without renewing, even when Ticket Viewer is kept open
    • Cause: This behavior is by design (Apple discarded Kerberos.app, which would renew tickets, without replacing that functionality in 10.6 or later. The new app is /System/Library/CoreServices/ticket.app ).
    • Workaround: Installing OpenAFS and using the AFS Backgrounder will allow Kerberos tickets to be auto-renewed, but AFS tokens will still need to be renewed manually (AFS lock icon -> get new token)

Using Kerberos with SSH (optional)

If you expect to connect to CSAIL Debian machines frequently using ssh or sftp, we also recommend configuring ssh to use Kerberos authentication. (For infrequent access, you can simply ssh $YOU@login.csail.mit.edu and enter a password.) To set up ssh to use Kerberos, place the following in the .ssh/config file within your local home directory (ie, /Users/$YOU/.ssh/config). [1]

Using Kerberos with SSH for Mac OS 10.12

# Ticket forwarding is enabled by default for csail machines
# It's not enabled globally because forwarding tickets to an
# untrusted system can be very bad.
# Enable for systems you trust.
Host *.csail.mit.edu
   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes
   # optional, if X forwarding is desired
   #ForwardX11 yes
   # optional, if your local username does not match YOUR_CSAIL_USERNAME
   #User YOUR_CSAIL_USERNAME

Using Kerberos with SSH for Mac OS 10.11 and earlier

# Kerberos options
# Ticket forwarding is enabled by default for csail machines
# It's not enabled globally because forwarding tickets to an
# untrusted system can be very bad.
# Enable for systems you trust.
Host *.csail.mit.edu
   GSSAPIAuthentication yes
   GSSAPIKeyExchange yes
   GSSAPIDelegateCredentials yes
   GSSAPITrustDNS yes
   # optional, if X forwarding is desired
   #ForwardX11 yes
   # optional, if your local username does not match YOUR_CSAIL_USERNAME
   #User YOUR_CSAIL_USERNAME

The above will allow you to connect using Kerberos to hosts using their fully qualified domain names (eg, ssh login.csail.mit.edu). If you want to also use X11 (to run extra xterms or MATLAB remotely, for example), make sure X11.app is installed on your mac and then add ForwardX11 yes to just after GSSAPIDelegateCredentials yes.

Only if your machine is a desktop and never leaves the CSAIL network, you may append the following lines and connect with bare hostnames (like ssh login).
# exclude anything that looks fully-qualified but not CSAIL
Host *.*
   GSSAPIDelegateCredentials no
   ForwardX11 no
   ForwardAgent no

# if not matched above, allow Kerberos and X11 as a CSAIL-local host
Host *
   GSSAPIDelegateCredentials yes
   GSSAPIAuthentication yes
   GSSAPIKeyExchange yes
   GSSAPITrustDNS yes
   # optional, should match Host *.csail.mit.edu
   #ForwardX11 yes
   # optional, if your local username does not match YOUR_CSAIL_USERNAME
   #User YOUR_CSAIL_USERNAME

Once you save the file, make sure that you are its owner and no one else can write to it. For example:
$ chmod 600 config
$ chown $YOU config
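As an added check (example code, not from the CSAIL page or its config), this script parses an ssh_config the way ssh(1) resolves options (the first value for an option wins) and reports any Host block that sets GSSAPIDelegateCredentials yes for a pattern outside an assumed trusted set of {*.csail.mit.edu}. Run against the desktop-only appendix above it flags Host * by design, since the page permits that block only on a machine that never leaves the CSAIL network.

```python
"""Audit an ssh_config for Kerberos ticket forwarding to untrusted hosts.
Added example (not from the CSAIL page); the trusted pattern set is assumed."""
import re

TRUSTED_PATTERNS = {"*.csail.mit.edu"}  # assumption: only hosts we forward tickets to

def parse_host_blocks(text):
    """Return [(patterns, {option_lower: value})]; pre-Host options go under '<global>'."""
    blocks, patterns, opts = [], ["<global>"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)
        if not m or not m.group(2):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)              # first occurrence wins, as in ssh(1)
    blocks.append((patterns, opts))
    return blocks

def audit_ssh_config(text):
    """Flag blocks setting GSSAPIDelegateCredentials yes on a pattern outside
    TRUSTED_PATTERNS (the page's desktop-only 'Host *' appendix is one)."""
    findings = []
    for patterns, opts in parse_host_blocks(text):
        if opts.get("gssapidelegatecredentials", "no").lower() != "yes":
            continue
        untrusted = [p for p in patterns if p not in TRUSTED_PATTERNS]
        if untrusted:
            findings.append("Host %s forwards tickets to non-CSAIL hosts: %s"
                            % (" ".join(patterns), " ".join(untrusted)))
    return findings

# Constructed sample: the page's CSAIL block plus its desktop-only appendix.
SAMPLE_CONFIG = """Host *.csail.mit.edu
   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes
Host *.*
   GSSAPIDelegateCredentials no
Host *
   GSSAPIDelegateCredentials yes
"""

if __name__ == "__main__":
    print("\n".join(audit_ssh_config(SAMPLE_CONFIG)) or "no findings")
```

To audit your own file, pass `open(os.path.expanduser("~/.ssh/config")).read()` to audit_ssh_config instead of the constructed sample.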

[1] To affect all accounts on the machine, use sudo to add the above lines to /etc/ssh_config instead of ~/.ssh/config.
Topic attachments
edu.mit.Kerberos (1.3 K, 31 Oct 2011 - 21:21, ArthurProkosch): removing defunct krb524.csail.mit.edu
Topic revision: 17 Oct 2017, JasonDorfman
MIT Computer Science and Artificial Intelligence Laboratory