Kerberos Authentication on MacOS

NOTE: It appears that MacOS 10.12 (Sierra) has dropped support for this method of Kerberos authentication. If I figure out a way to make this work, I will update this post.

When you're working with a server that utilizes Kerberos authentication you can set up an identity and create a ticket that grants you access for a specific time limit, after which you will need to renew the ticket. With a valid ticket in place you can SSH into the server and will not be asked for a password, the authentication occurs between your system and the server in the background.

On the Mac you can create identities, or renew tickets for those identities using the Ticket, which can be found in Macintosh HD/System/Library/CoreServices

An identity is in the form of an email address, which will have had to have been established on Authentication Server for the network that you are connecting to.

Your MacOS system most likely does not have the Generic Security Service Application Program Interface (GSSAPI) enabled for SSH sessions so you will need to edit the ssh_config file on your local machine (found in /private/etc or /private/etc/ssh) and change these two settings from:

# GSSAPIAuthentication no

to these:

GSSAPIAuthentication yes

If you would like to only allow this for a specific user you can create the file ~/.ssh/config and add those two lines.

With these pieces in place you can now SSH into the server without needing to enter a password. Since SFTP uses SSH YummyFTP will not require a password either.

If you get tired of manually renewing your tickets, there is an open source (MIT License) project called Heracles that can build a Mac app that will automatically obtain, and renew tickets for you. To do its job Heracles does require that you store your Kerberos password in your Keychain and also requires that you turn off automatic login (for security reasons). Since it provides access to your Kerberos-protected servers to anyone who has access to your computer, it's also a good idea to require a password when waking from sleep.

Background information on these technologies can be found here:

RSS Feed