
Kerberos Authentication on macOS

NOTE: It appears that macOS 10.12 (Sierra) has dropped support for this method of Kerberos authentication. If I figure out a way to make this work, I will update this post.

When you're working with a server that uses Kerberos authentication, you can set up an identity and obtain a ticket that grants you access for a limited time, after which you will need to renew it. With a valid ticket in place you can SSH into the server without being asked for a password; the authentication happens between your system and the server in the background.

On the Mac you can create identities, or renew tickets for those identities, using Ticket Viewer.app, which can be found in Macintosh HD/System/Library/CoreServices.

An identity takes the form of an email-style address, user@domain.com, and must already have been established on the authentication server for the network you are connecting to.

Your macOS system most likely does not have the Generic Security Service Application Program Interface (GSSAPI) enabled for SSH sessions, so you will need to edit the ssh_config file on your local machine (found in /private/etc or /private/etc/ssh) and change these two settings from:

# GSSAPIAuthentication no
# GSSAPITrustDNS no

to these:

GSSAPIAuthentication yes
GSSAPITrustDNS yes

If you would like to enable this only for a specific user, create the file ~/.ssh/config for that user and add the same two lines there.
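The following shell script is an added example, not code from the original post: it reports the value ssh will actually use for GSSAPIAuthentication and GSSAPITrustDNS, resolving them the way ssh does (the per-user ~/.ssh/config is read before the system ssh_config, the first active line wins, and a line that is still commented out counts for nothing). The paths ~/.ssh/config and /etc/ssh/ssh_config in the final loop are assumptions; adjust them to wherever your ssh_config lives.

```shell
#!/bin/sh
# Added example, not code from the original post: print the value ssh will
# actually use for a client option such as GSSAPIAuthentication or
# GSSAPITrustDNS. ssh reads ~/.ssh/config before the system ssh_config and
# the FIRST active occurrence of an option wins; a commented-out line such as
# "# GSSAPIAuthentication no" is ignored entirely, so the "#" must be removed
# and the value changed. Only the global section is examined: scanning stops
# at the first Host/Match block, whose settings are conditional.

# ssh_option_in_file OPTION FILE -> prints the first active value, or nothing
ssh_option_in_file() {
    _opt=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # keywords are case-insensitive
    [ -r "$2" ] || return 0                                   # missing file: nothing set
    # strip comments and leading blanks; normalise "Key value" / "Key=value" to "Key value"
    sed -E -e 's/#.*$//' -e 's/^[[:space:]]+//' \
           -e 's/^([^[:space:]=]+)[[:space:]]*=?[[:space:]]*/\1 /' "$2" \
      | awk -v opt="$_opt" '
          NF == 0 { next }                                         # blank or comment-only line
          tolower($1) == "host" || tolower($1) == "match" { exit } # conditional block begins
          tolower($1) == opt { $1 = ""; sub(/^ /, ""); print; exit }'
}

# effective_ssh_option OPTION USER_CONFIG SYSTEM_CONFIG DEFAULT
# -> the user file is consulted first, then the system file, then DEFAULT
effective_ssh_option() {
    _val=$(ssh_option_in_file "$1" "$2")
    [ -n "$_val" ] || _val=$(ssh_option_in_file "$1" "$3")
    [ -n "$_val" ] || _val=$4
    printf '%s\n' "$_val"
}

# Check this machine as the post describes (assumed paths; on macOS /etc is
# /private/etc). Both GSSAPI options default to "no" in OpenSSH, hence the
# last argument.
for opt in GSSAPIAuthentication GSSAPITrustDNS; do
    printf '%s: %s\n' "$opt" \
        "$(effective_ssh_option "$opt" "$HOME/.ssh/config" /etc/ssh/ssh_config no)"
done
```

GSSAPITrustDNS tells ssh to trust DNS when canonicalizing the server name it requests a Kerberos service ticket for, so keep it at no on networks whose DNS you do not trust.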

With these pieces in place you can now SSH into the server without entering a password. Since SFTP runs over SSH, YummyFTP will not require a password either.

If you get tired of renewing your tickets by hand, there is an open source (MIT License) project called Heracles that can build a Mac app to obtain and renew tickets for you automatically. To do its job Heracles requires that you store your Kerberos password in your Keychain, and it also requires that you turn off automatic login (for security reasons). Since it gives anyone with access to your computer access to your Kerberos-protected servers, it's also a good idea to require a password when waking from sleep.

Background information on these technologies can be found here:
