Kerberos on OSX

Apple ships a version of Kerberos on newer OSX systems. It needs to be configured to know about the realms you wish to use.

The OSX Kerberos client stores tickets in memory instead of on disk and can maintain multiple cached tickets at once. Additionally, there is a handy GUI available.

The ssh on OS X 10.3+ works with Kerberos tickets.



Like any other Kerberos client, you need to set up a configuration file for the realms you want to get tickets for. Attached is an example that works for the FNAL.GOV and HEP.PA.MSU.EDU realms. This file needs to be named and placed in /Library/Preferences. Download the config file, open a terminal in the directory and then issue the commands:

sudo cp /Library/Preferences
sudo chown root:admin /Library/Preferences/
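
For orientation, here is a sketch of a two-realm configuration in the krb5 profile syntax the client reads. It is an added example, not the attached file: the KDC and admin host names are placeholders, and the choice of default realm is an assumption.

```ini
# Added example, not the attached file.
# All host names under [realms] are placeholders; use the values
# published by each realm's administrators.

[libdefaults]
# Assumption: FNAL.GOV is the realm used most often.
    default_realm = FNAL.GOV
# Request forwardable tickets so they can be delegated to a remote
# host when ssh is configured to do so.
    forwardable = true

[realms]
    FNAL.GOV = {
        kdc = kdc1.fnal.example:88
        admin_server = kadmin.fnal.example
    }
    HEP.PA.MSU.EDU = {
        kdc = kdc1.hep.example:88
        admin_server = kadmin.hep.example
    }

[domain_realm]
# Map host names to realms so a service ticket for an ssh target is
# requested from the right realm.
    .fnal.gov = FNAL.GOV
    .hep.pa.msu.edu = HEP.PA.MSU.EDU
```

The chown to root:admin in the commands above matters because whoever can edit this file can point the client at a different KDC.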


OS X includes a nice GUI for ticket management etc. It is named and is in /System/Library/CoreServices. I suggest putting this on your Dock for quick access...

Since the Mac can have multiple tickets cached at once, the GUI has a pull-down for selecting the active ticket. There is also a command line utility named kswitch which sets the active ticket.

Integrate with X11

Apple's X11 package includes a simple customizable Applications menu for launching programs. We can create menu items that launch an X11 window that opens an ssh session to a given node. With Kerberos we won't even have to give our password (if we have a valid ticket).

Here is an example (see the linked screen shot as well):

Menu Name: cap
Command: kswitch -p rockwell@HEP.PA.MSU.EDU; xterm -e ssh -Y cap

