Kerberos Single sign-On over SSH under OS X

An advantage of using Kerberos along with SSH is that it makes entering passwords obsolete when establishing connections. Unfortunately, this does not work out of the box under OS X:

$ kinit cstan@STANKOWIC.LOC
cstan@STANKOWIC.LOC's password:
$ klist
Credentials cache: API:xxx
 Principal: cstan@STANKOWIC.LOC

 Issued Expires Principal
Oct 22 11:17:30 2016 Oct 22 21:17:37 2016 krbtgt/STANKOWIC.LOC@STANKOWIC.LOC

$ ssh cstan@giertz.stankowic.loc
cstan@giertz's password:

In spite of a valid Kerberos ticket, a password is still required. The reason is that the SSH client does not attempt GSSAPI (Generic Security Service Application Program Interface) authentication at all; the OpenSSH client disables it by default. (The server side has to allow it as well: GSSAPIAuthentication yes in sshd_config and a host principal in the server's keytab.) The following command did the trick for my OS X installation:

$ ssh -o GSSAPIAuthentication=true cstan@giertz.stankowic.loc

Adding -v to that command shows which method actually succeeded; the debug output should contain the line "Authentication succeeded (gssapi-with-mic)." According to Stack Overflow it might also be necessary to set the GSSAPITrustDNS parameter. Two caveats about it: the option is part of a vendor patch (Apple and Debian ship it, stock OpenSSH rejects it as a bad configuration option), and with GSSAPITrustDNS yes the client trusts DNS canonicalization to pick the service principal (host/<fqdn>) it requests a ticket for, so it is only as trustworthy as your DNS.

To avoid specifying these options with every single SSH command, they can be stored in configuration files, e.g. in your personal SSH configuration ~/.ssh/config:

GSSAPIAuthentication yes

Host *
      User cstan

The last two lines pre-select a username for all SSH connections, so you don't need to type a username either. 🙂

Of course you can override this behavior by specifying a different username with the -l parameter (or the user@host form). It is also possible to override these settings per hostname or domain. Note that ssh uses the first value it finds for each option, so the more specific Host block has to come before the catch-all Host *; the other way around, the generic User would always win:

Host *.mydmz.loc
     User simone

Host *
     User max
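As an added example that is not part of the original post, the following POSIX shell script emulates the ssh_config rule "the first obtained value for each option wins" and shows why the order of Host blocks matters. Both configurations (one with the catch-all block first, one with the specific block first), the hostname web.mydmz.loc and the explicit GSSAPIDelegateCredentials no line are constructed for the demonstration; only User, GSSAPIAuthentication and GSSAPIDelegateCredentials are real ssh_config keywords.

```shell
#!/bin/sh
# Added example, not code from the original post: emulate the ssh_config rule
# "the first obtained value for each option wins" to show why host-specific
# blocks must precede "Host *". Both configs and all hostnames below are
# constructed for the demonstration.

# effective_option CONFIG HOSTNAME OPTION
# Print the value ssh would use for OPTION when connecting to HOSTNAME.
# Lines before the first Host block apply to every host; a Host block
# applies when one of its glob patterns matches; the first match wins.
# (Negated "!pattern" entries, Match blocks and "Key=value" syntax are not handled.)
effective_option() {
    printf '%s\n' "$1" | awk -v host="$2" -v opt="$3" '
        function glob2re(p,  r) {            # turn a Host glob into an anchored regex
            r = p
            gsub(/\./, "[.]", r)             # literal dots
            gsub(/\*/, ".*", r)              # * matches anything
            gsub(/\?/, ".", r)               # ? matches one character
            return "^" r "$"
        }
        BEGIN { active = 1; found = 0 }
        {
            line = $0
            sub(/#.*/, "", line)             # drop comments
            $0 = line
            if (NF == 0) next                # skip blank lines
            key = tolower($1)                # keywords are case-insensitive
            if (key == "host") {             # new block: does it apply to this host?
                active = 0
                for (i = 2; i <= NF; i++)
                    if (host ~ glob2re($i)) active = 1
                next
            }
            if (active && key == tolower(opt)) { found = 1; print $2; exit }
        }
        END { if (!found) print "" }         # unset: ssh would fall back to its default
    '
}

# lint_host_order CONFIG
# Fail (exit 1) if any Host block appears after a catch-all "Host *":
# every option that block shares with "Host *" would be ignored.
lint_host_order() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "host" {
            if (seen_all) { print "Host " $2 " comes after Host *: shared options are ignored"; bad = 1 }
            for (i = 2; i <= NF; i++) if ($i == "*") seen_all = 1
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Ordering with the catch-all first: "User simone" can never win.
WEAK_CONFIG='GSSAPIAuthentication yes

Host *
     User max

Host *.mydmz.loc
     User simone
'

# Corrected ordering: specific block first, catch-all last. Delegation is
# disabled explicitly so a server you log in to never receives your TGT.
FIXED_CONFIG='GSSAPIAuthentication yes
GSSAPIDelegateCredentials no

Host *.mydmz.loc
     User simone

Host *
     User max
'

echo "weak:  User for web.mydmz.loc = $(effective_option "$WEAK_CONFIG" web.mydmz.loc User)"
echo "fixed: User for web.mydmz.loc = $(effective_option "$FIXED_CONFIG" web.mydmz.loc User)"
echo "fixed: User for giertz.stankowic.loc = $(effective_option "$FIXED_CONFIG" giertz.stankowic.loc User)"
lint_host_order "$WEAK_CONFIG" || echo "weak config: ordering problem detected"
```

On a real machine you do not need the emulation: ssh -G hostname (OpenSSH 6.8 and later) prints the options ssh would actually use, e.g. ssh -G web.mydmz.loc | grep -E '^(user|gssapiauthentication|gssapidelegatecredentials) '.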

SSH logins should now be possible without specifying a username and password as long as a valid Kerberos ticket is available:

$ ssh giertz
Last login: Sat Oct 22 11:38:13 2016 from shittyrobots.loc
$ whoami
cstan

OS X also offers a hidden ticket viewer as an alternative to generating tickets with kinit. The tool can be found at /System/Library/CoreServices/Ticket-Viewer.app; it is a frontend for the Kerberos utilities:

(Screenshot: Ticket-Viewer)
