Kerberos on Mac OS

Kerberos tickets can provide authentication to a number of services, such as CSAIL OIDC, SSH, AFS, SAPGui, and others.

Configuring Kerberos

Kerberos support is already part of the base OS X system; you only need to add a single CSAIL-specific configuration file.

If the computer is already set up for ATHENA Kerberos, you still need to follow these instructions; doing so gives you access to both Kerberos realms (CSAIL and ATHENA.MIT.EDU).

  1. Download the CSAIL version of edu.mit.Kerberos.
  2. In Finder, drag it to Macintosh HD > Library > Preferences (i.e. /Library/Preferences/) and authenticate when prompted.

Logging into Kerberos (aka Obtaining Kerberos tickets)

Use one of the following methods:

kinit

In Terminal, enter kinit (long form: kinit yourusername@CSAIL.MIT.EDU). klist shows all the Kerberos tickets you hold; klist -f also shows their flags.

Ticket Viewer

You will probably want to make a shortcut on your Dock for Ticket Viewer, which is located at /System/Library/CoreServices/Ticket Viewer.app or /System/Library/CoreServices/Applications/Ticket Viewer.app.

As long as you leave this application running, it will continuously renew your Kerberos credentials until the end of their maximum renew-time.

  1. Launch Ticket Viewer.app from your Dock.
    • If it is your first time obtaining a ticket, click Add Identity.
    • Enter yourusername@CSAIL.MIT.EDU (case sensitive) and your CSAIL Kerberos password.
    • On subsequent uses, you can simply click the Renew button.

Known issues

  1. Ticket Viewer gives “Unable to read user preferences”, or kinit returns only “Usage: kinit [-V] …”
    • Cause: edu.mit.Kerberos was not correctly saved to /Library/Preferences/.
    • Solution: Make sure the file has no “.txt” extension (e.g. check with File > Get Info).
  2. Kerberos tickets don’t allow ssh login, and klist -f displays only RIA flags (not Forwardable or Proxiable)
    • Cause: incorrect values were cached to /Users/$YOU/Library/Preferences/edu.mit.Kerberos.IdentityManagement.plist
    • Solution: Delete this file; it will be re-created properly the next time you obtain tickets.
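A quick way to check for the second known issue from Terminal is to inspect the flags of the ticket-granting ticket in klist -f output. The script below is an added example, not part of this page or of the CSAIL tooling; it assumes the flag letters appear either on a "Flags:" line after the krbtgt entry (MIT klist) or as a column on the krbtgt line itself (Heimdal klist), and the sample outputs it parses are constructed.

```shell
# Added diagnostic for known issue 2: does the ticket-granting ticket (TGT)
# carry the Forwardable (F) flag that ssh login needs? Assumes MIT-style
# ("Flags:" line after the krbtgt entry) or Heimdal-style (flags column on the
# krbtgt line) klist -f output. SAMPLE_GOOD/SAMPLE_BAD below are constructed.

# Print the TGT's flag letters (e.g. "FPRIA" or "RIA") from klist -f text on stdin.
tgt_flags() {
  awk '
    /krbtgt\// {
      found = 1
      # Heimdal layout: an all-letter field directly before the principal is the flags
      for (i = 2; i <= NF; i++)
        if ($i ~ /^krbtgt\// && $(i-1) ~ /^[A-Za-z]+$/) { print $(i-1); exit }
      next
    }
    # MIT layout: flags appear on the line after the krbtgt entry
    found && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); print $1; exit }
  '
}

# Report on the TGT: exit 0 if forwardable, 1 if not (the symptom in known
# issue 2), 2 if no TGT is present (run kinit first).
check_tgt_flags() {
  flags=$(tgt_flags)
  case "$flags" in
    "")  echo "no ticket-granting ticket found; run kinit"; return 2 ;;
    *F*) echo "TGT flags $flags: forwardable, ssh login should work"; return 0 ;;
    *)   echo "TGT flags $flags: not forwardable; see known issue 2"; return 1 ;;
  esac
}

# Constructed MIT-style klist -f output with a healthy TGT ...
SAMPLE_GOOD='Ticket cache: API:501
Default principal: yourusername@CSAIL.MIT.EDU

Valid starting     Expires            Service principal
03/10/24 09:00:00  03/10/24 19:00:00  krbtgt/CSAIL.MIT.EDU@CSAIL.MIT.EDU
        Flags: FPRIA'

# ... and one showing the known-issue symptom (only RIA).
SAMPLE_BAD='Ticket cache: API:501
Default principal: yourusername@CSAIL.MIT.EDU

Valid starting     Expires            Service principal
03/10/24 09:00:00  03/10/24 19:00:00  krbtgt/CSAIL.MIT.EDU@CSAIL.MIT.EDU
        Flags: RIA'

printf '%s\n' "$SAMPLE_GOOD" | check_tgt_flags
printf '%s\n' "$SAMPLE_BAD" | check_tgt_flags || :
```

On a real Mac, run `klist -f | check_tgt_flags` after obtaining tickets; a non-zero exit with only RIA flags points at the cached IdentityManagement plist described above.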