How to login from Mac OS

This section describes how to acquire Kerberos tickets and log in from different versions of Mac OS X.

If you are using SSH with an SSH key pair, please refer to the page How to log in with SSH keys


In case you are using a Mac computer installed by KTH, everything should be installed. In case of any problems please contact

Otherwise follow instructions below.

Own Mac OS X

First get Kerberos tickets using default kinit (full path /usr/bin/kinit):

kinit your-username@NADA.KTH.SE

Check that valid tickets exist:

klist -f

You should get a similar output as the following one:

Credentials cache: API:0E4B40BC-F22B-43B8-87E2-BA13538CF042
      Principal: your-username@NADA.KTH.SE

      Issued                Expires               Principal
      Aug 27 08:28:40 2023  Aug 27 18:28:37 2023  krbtgt/NADA.KTH.SE@NADA.KTH.SE

Now you are good to go:

ssh -o GSSAPIAuthentication=yes

In this case, dardel prompt should appear:


Check that tickets have been forwarded:

dardel-login-2:~$ klist

The output should be similar to this:

Credentials cache: FILE:/tmp/krb5cc_18118_oZ0CMh5rsk
      Principal: your-username@NADA.KTH.SE

      Issued                Expires               Principal
      Aug 27 08:30:05 2020  Aug 27 18:28:37 2023  krbtgt/NADA.KTH.SE@NADA.KTH.SE
      Aug 27 08:30:05 2020  Aug 27 18:28:37 2023  afs/

Notice these are the tickets in the FILE: cache in Dardel.

Other useful commands to check the state of your tickets are klist -l, which shows all caches, and klist -v, which shows more detailed information on the acquired tickets.

Additional note:

In order to login you need to supply the option directly to the ssh command.

ssh -o GSSAPIAuthentication=yes

OpenSSH can be configured with command line arguments or a configuration file to simplify the login procedure. The options in the configuration file are parsed in order. Create or modify the file ~/.ssh/config

# Hosts we want to authenticate to with Kerberos
Host * *
# User authentication based on GSSAPI is allowed
GSSAPIAuthentication yes
# Hosts to which we want to delegate credentials. Try to limit this to
# hosts you trust, and where you really have use for forwarded tickets.
Host * * * * * *
# All other hosts
Host *

Do remember to set the right permission on the file

chmod 644 ~/.ssh/config

After this, you can log in by using