Strong Authentication at Fermilab
Chapter 23: Kerberos on a Macintosh System


In this chapter we describe how to configure Kerberos for Mac OS X 10.x in order to access Kerberized machines and encrypt your data transmissions.

23.1 Kerberos on Mac OS X 10.7 and later

23.1.1 Client Configuration

Heimdal Kerberos is shipped as part of Mac OS X (as of the OS X 10.7 "Lion" release). Heimdal Kerberos is an alternate implementation of the Kerberos protocol and (mostly) interoperates with the more common MIT Kerberos (such as the one installed on Fermilab Linux systems).

To configure Kerberos on the Macintosh, obtain the Fermilab Kerberos configuration file krb5.conf from the Fermilab Security web site. The current version can be found at or  The system expects to find this configuration file in one, and only one, of two places. Check for the existence of either of the following two files (/etc is a private directory and requires root privileges):



The recommended practice is to rename the file to /etc/krb5.conf. If the second file ( is present it needs to be deleted.
Make sure the Kerberos configuration file only exists in one of these two places!

If you commonly work from behind a NAT (Network Address Translation) router, as is typical of many cable and DSL internet users, you should also add to the [libdefaults] section of the Kerberos configuration the following line:

noaddresses = TRUE

Once you have set up Kerberos, you have:

You will not have Kerberized ftp, rlogin, and rsh.

23.1.2 AFS Client

  1. For AFS access: Download the latest release of OpenAFS from site, selecting the version for your Mac OS X version.
  2. During the install, the OpenAFS Client Cell panel prompts for the default AFS cell.  Enter "" to connect to the Fermilab AFS cell.
  3. Alternatively, go to /var/db/openafs/etc/ (requires root privileges) and edit the ThisCell file so that it contains only a single line containing the text "".
  4. Restart your computer.

23.1.3 Authenticate to Kerberos

To authenticate, use either the command-line kinit as you would on a Linux system, or use the OS X GUI application Ticket Viewer.

Command Line kinit

Open a terminal window and run the command kinit. See section 12.1 kinit. If you are using AFS, run the aklog command after the kinit in order to get the necessary AFS token.


  1. Open Keychain Access (also in the /Applications/Utilities folder) and select Ticket Viewer from under the Keychain Access menu.
  2. Click Add Identity in the Ticket Viewer.

    Screenshot of Ticket Viewer with Add Identity

  3. Check that your username is right and the realm is FNAL.GOV. Enter your Kerberos password and click OK.

    Screenshot of Ticket Viewer Add Identity dialog box

  4. You'll see your principal name appear and a Time Remaining for your tickets. You can click the triangle to reveal a list of the tickets.

    Screenshot of Ticket Viewer after Kerberos ticket

  5. Now you are ready to connect to a Linux system with ssh, or to a Windows 2000 domain file server with the Finder's Command-K function. You can quit the Kerberos GUI application without losing your tickets.

23.1.4 SSH Server Configuration (To be able to Connect to your Macintosh)

To set up your Macintosh for incoming SSH connections that comply with Fermilab Security policies, edit /etc/sshd_config and make the settings listed here (you might also need to uncomment lines by removing the leading '#'):
PasswordAuthentication no
PermitEmptyPasswords no

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
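
An added example, not part of the Fermilab documentation: a shell check that reports whether the four settings above are actually in effect, since a line left commented out keeps sshd on its compiled-in default. The function names and the sample file are constructed for illustration; the check reads only the global section and stops at the first Match block.

```sh
#!/bin/sh
# Added example (not Fermilab tooling): audit sshd_config for the four settings above.

# Print the first uncommented value of KEYWORD in FILE, lowercased.
# sshd keeps the first value it reads for a keyword; keywords are case-insensitive
# and may be written "Keyword value" or "Keyword=value".
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # still commented out: sshd ignores it
        { sub(/[ \t]*=[ \t]*/, " ") }            # normalise "Keyword=value"
        tolower($1) == "match" { exit }          # Match blocks are conditional; stop here
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Report each required setting; return 1 if any is missing or wrong.
audit_sshd_config() {
    rc=0
    while read -r key want; do
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok       $key $got"
        elif [ -z "$got" ]; then
            echo "MISSING  $key (absent or still commented out; want $want)"; rc=1
        else
            echo "WRONG    $key $got (want $want)"; rc=1
        fi
    done <<EOF
PasswordAuthentication no
PermitEmptyPasswords no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
    return "$rc"
}

# Constructed sample: one line left commented out, one wrong value.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PermitEmptyPasswords no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
EOF
audit_sshd_config "$sample" || echo "sshd_config needs changes"
rm -f "$sample"
```

On a real system, run `audit_sshd_config /etc/sshd_config` as a user who can read the file.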

If your Mac is a DHCP client, make sure it gets a stable hostname when connected. Go to System Preferences, click Network, choose each network interface in turn that you intend to use (probably just "Ethernet" and "Airport" or "Wi-Fi"). For each one, click Advanced, go to the TCP/IP tab, and fill in the "DHCP Client ID" box with just your hostname (not the fully qualified name). For example, let's suppose you've registered your Macintosh with the hostname fondulac. Just put fondulac in the box, even though your full domain name is

Go to Fermilab Service Now and click on Service Catalog in the Self-Service menu section on the left side. In the Accounts section click on Additional Kerberos Items request. Fill out the form and select Host and FTP Principals under Check Item(s) Needed to request a "host principal" and provide the fully qualified domain name (i.e. in the provided box. In the Additional Information box at the bottom, specify that you do NOT need an ftp principal.

Once you get email back with an initial host principal password, you need to create a keytab file to hold the principal key, but you will not be able to do this on your Macintosh because the Heimdal-based kadmin utility present on the Macintosh will not interoperate with the kadmin server on the Master KDC. Instead you will have to log into a Linux system, create the keytab there, and then securely transport the file back to your Macintosh, where it will be stored as the file /etc/krb5.keytab (you can use the SSH file copy utility scp to accomplish this).
On the Linux system, run this command:
/usr/krb5/sbin/kadmin -p host/ -q "ktadd -k fondulac.keytab host/"

Provide the password when prompted -- it can only be used one time. If successful the terminal will display a message to the effect of "Entry for principal host/ ... added to keytab fondulac.keytab."  Use a secure method to transfer fondulac.keytab to your Macintosh to be saved as /etc/krb5.keytab.

Open System Preferences, pick "Sharing", click "Remote Login" to enable incoming SSH. Make sure your correct hostname (not the fully qualified name) is in the Computer Name field.

Add a .k5login file to the home directory of any account to which you want to be able to log in remotely, and list in it the principals that are allowed to log into the account. Give each as the full principal name with no spaces, including the Kerberos realm name in upper case. This file must be writable only by the account itself and/or root.
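
An added example, not part of the Fermilab documentation: a shell check of the .k5login requirements just listed (no group or other write bit, owned by the account or root, one space-free name@REALM principal per line with an upper-case realm). The function names and the sample principals are constructed for illustration; only the realm FNAL.GOV comes from this chapter.

```sh
#!/bin/sh
# Added example (not Fermilab tooling): sanity-check a .k5login file.

# True if FILE exists and neither group nor other can write to it.
k5login_perms_ok() {
    [ -f "$1" ] || return 1
    # find prints the path when either write bit is set
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}

# True if FILE is owned by numeric UID or by root (uid 0).
k5login_owner_ok() {
    owner=$(ls -ldn "$1" | awk '{ print $3 }')
    [ "$owner" = "$2" ] || [ "$owner" = 0 ]
}

# Print "line-number: text" for each non-blank line that is not a full
# principal: no spaces, exactly name@REALM, realm in upper case.
k5login_bad_lines() {
    LC_ALL=C awk 'NF && $0 !~ /^[^ \t@]+@[A-Z0-9.-]+$/ { print NR ": " $0 }' "$1"
}

# check_k5login FILE UID: report problems, return 1 if any were found.
check_k5login() {
    rc=0
    k5login_perms_ok "$1" || { echo "FAIL  missing or group/other-writable: $1"; rc=1; }
    k5login_owner_ok "$1" "$2" || { echo "FAIL  not owned by uid $2 or root: $1"; rc=1; }
    bad=$(k5login_bad_lines "$1")
    [ -z "$bad" ] || { echo "FAIL  malformed principal line(s):"; echo "$bad"; rc=1; }
    return "$rc"
}

# Constructed sample: lower-case realm, embedded space, group-writable mode.
demo=$(mktemp)
printf '%s\n' 'alice@FNAL.GOV' 'bob@fnal.gov' 'carol @FNAL.GOV' > "$demo"
chmod 664 "$demo"
check_k5login "$demo" "$(id -u)" || echo "fix .k5login before relying on it"
rm -f "$demo"
```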

23.1.5 Time Synchronization

If you get the error "KDC reply did not match expectations" or "Clock skew too great while getting initial credentials", your computer's date and time differ too much from the date and time on the Kerberos server. Should you see this error, make sure your date and time are correct.

On a Macintosh, the Date and Time in the System Preferences or Control Panel has an option for using a network time server. To set the date and time:

If the problem persists, restart your computer.


This page generated on: 09/20/06 10:33:25