How to log in from Mac OS
This section describes how to acquire Kerberos tickets and log in from different versions of Mac OS X.
KTH Mac OS X
If you are using a Mac computer installed by KTH, everything should already be installed. In case of any problems, please contact firstname.lastname@example.org
Otherwise, follow the instructions below.
Own Mac OS X
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Decide if you want Homebrew analytics:
brew analytics off
Add the repository where the patched openssh is:
brew tap rdp/homebrew-openssh-gssapi
Uninstall any old openssh:
brew uninstall openssh
Install the new openssh:
brew install rdp/homebrew-openssh-gssapi/openssh-patched --with-gssapi-support
Note that you may need to run the following command if it is suggested by
brew link --overwrite openssh-patched
Check if the proper ssh is installed:
The output should show ssh is
Congratulations! You are now all set and should be able to log in to our systems.
KRB5CCNAME does not work correctly with kinit on some macOS X versions. So if you have it set from previous sessions, unset it:
Then get Kerberos tickets using /usr/bin/kinit (note the full path to kinit):
Check that valid tickets exist:
You should get a similar output as the following one:
Credentials cache: API:0E4B40BC-F22B-43B8-87E2-BA13538CF042
        Principal: your-username@NADA.KTH.SE

  Issued                Expires               Principal
Dec 27 08:28:40 2020  Dec 27 18:28:37 2020  krbtgt/NADA.KTH.SE@NADA.KTH.SE
Notice that the tickets should be stored in the API cache, not KCM. If your tickets are in a KCM cache, destroy them and get new ones. For example, if there is a KCM:501 cache, run:
kdestroy -c KCM:501; /usr/bin/kinit
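The checks described above (KRB5CCNAME unset, tickets held in an API cache rather than KCM) can be scripted as a pre-flight test before running ssh. This is an added example, not part of the original instructions; the function names classify_cache and preflight are hypothetical and the KCM sample output is constructed.

```shell
#!/bin/sh
# Added example: pre-flight check before GSSAPI ssh. Function names are hypothetical.

# Read `klist` output on stdin and print a short verdict.
classify_cache() {
    awk '
        /^[ \t]*Credentials cache:/ { cache = $3 }
        # Heimdal klist prints >>>Expired<<< in place of an expired end time.
        $NF ~ /^krbtgt\// && !/Expired/ { tgt = 1 }
        END {
            if (cache == "")           print "no-cache"
            else if (cache ~ /^KCM:/)  print "kcm " cache
            else if (cache !~ /^API:/) print "other " cache
            else if (!tgt)             print "no-tgt"
            else                       print "ok"
        }'
}

# $1 = klist output. Returns 0 only when the conditions described above hold.
preflight() {
    if [ -n "${KRB5CCNAME:-}" ]; then
        echo "KRB5CCNAME is set ($KRB5CCNAME): unset it, then run /usr/bin/kinit"
        return 1
    fi
    verdict=$(printf '%s\n' "$1" | classify_cache)
    case "$verdict" in
        ok)     echo "valid krbtgt in an API cache"; return 0 ;;
        kcm\ *) echo "run: kdestroy -c ${verdict#kcm }; /usr/bin/kinit"; return 2 ;;
        *)      echo "no usable ticket ($verdict): run /usr/bin/kinit"; return 3 ;;
    esac
}

# Constructed sample inputs (the first mirrors the output shown above).
SAMPLE_API='Credentials cache: API:0E4B40BC-F22B-43B8-87E2-BA13538CF042
        Principal: your-username@NADA.KTH.SE

  Issued                Expires               Principal
Dec 27 08:28:40 2020  Dec 27 18:28:37 2020  krbtgt/NADA.KTH.SE@NADA.KTH.SE'
SAMPLE_KCM='Credentials cache: KCM:501
        Principal: your-username@NADA.KTH.SE

  Issued                Expires               Principal
Dec 27 08:28:40 2020  Dec 27 18:28:37 2020  krbtgt/NADA.KTH.SE@NADA.KTH.SE'

# Real use: preflight "$(klist 2>/dev/null)"
( unset KRB5CCNAME; preflight "$SAMPLE_API"; preflight "$SAMPLE_KCM" ) || true
```
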
Now you are good to go:
ssh -o GSSAPIKeyExchange=yes -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes email@example.com
In this case, the Tegner prompt should appear:
Check that tickets have been forwarded:
The output should be similar to this:
Credentials cache: FILE:/tmp/krb5cc_18118_oZ0CMh5rsk
        Principal: your-username@NADA.KTH.SE

  Issued                Expires               Principal
Dec 27 08:30:05 2020  Dec 27 18:28:37 2020  krbtgt/NADA.KTH.SE@NADA.KTH.SE
Dec 27 08:30:05 2020  Dec 27 18:28:37 2020  afs/pdc.kth.se@NADA.KTH.SE
Notice these are the tickets in the FILE: cache in Tegner.
Other useful commands to check the state of your tickets are klist -l, which shows all caches, and klist -v, which shows more detailed information on the acquired tickets.