How to login from Mac OS

This section describes how to acquire Kerberos tickets and log in from different versions of Mac OS X.


In case you are using a Mac computer installed by KTH, everything should be installed. In case of any problems please contact

Otherwise follow instructions below.

Own Mac OS X

Install Homebrew:

/bin/bash -c "$(curl -fsSL"

Decide if you want Homebrew analytics:

brew analytics off

Add the repository where the patched openssh is:

brew tap rdp/homebrew-openssh-gssapi

Uninstall any old openssh:

brew uninstall openssh

Install the new openssh:

brew install rdp/homebrew-openssh-gssapi/openssh-patched --with-gssapi-support

Note that you may need to run the following command if it is suggested by brew

brew link --overwrite openssh-patched

Rehash the PATH variable:


Check if the proper ssh is installed:

type ssh

The output should show ssh is /usr/local/bin/ssh

Next, see SSH for how to configure your SSH client for use with Kerberos.

Additional note

KRB5CCNAME does not work correctly with kinit on some macOS X versions. So if you have it set from previous sessions, unset it:


Then get Kerberos tickets using /usr/bin/kinit (note the full path to kinit):

/usr/bin/kinit your-username@NADA.KTH.SE

Check that valid tickets exist:


You should get a similar output as the following one:

Credentials cache: API:0E4B40BC-F22B-43B8-87E2-BA13538CF042
      Principal: your-username@NADA.KTH.SE

      Issued                Expires               Principal
      Dec 27 08:28:40 2020  Dec 27 18:28:37 2020  krbtgt/NADA.KTH.SE@NADA.KTH.SE

Notice that the tickets should be stored in the API cache, not KCM. If your tickets are in a KCM cache, destroy them and get new ones. For example, if there is a KCM:501 cache, run:

kdestroy -c KCM:501; /usr/bin/kinit

Now you are good to go:

ssh -o GSSAPIKeyExchange=yes -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes

In this case, Tegner prompt should appear:


Check that tickets have been forwarded:


The output should be similar to this:

Credentials cache: FILE:/tmp/krb5cc_18118_oZ0CMh5rsk
      Principal: your-username@NADA.KTH.SE

      Issued                Expires               Principal
      Dec 27 08:30:05 2020  Dec 27 18:28:37 2020  krbtgt/NADA.KTH.SE@NADA.KTH.SE
      Dec 27 08:30:05 2020  Dec 27 18:28:37 2020  afs/

Notice these are the tickets in the FILE: cache in Tegner.

Other useful commands to check the state of your tickets are klist -l, which shows all caches, and klist -v, which shows more detailed information on the acquired tickets.

Installing AFS (optional)

If you want you can install OpenAFS to easily access your files on your local computer. You can read more about AFS at AFS (on Beskow and Tegner) To need to install AFS, follow instructions at Using AFS client from OSX