Thursday, August 17, 2017

Mac OS SSH Kerberos Single-Sign-On

To use Kerberos Single-Sign-On on a MacBookPro, you can do as follows:
  • Make a copy of /etc/krb5.conf from a server in your company network.
  • Save it as /etc/krb5.conf on your MacBookPro. You probably need sudo.
  • Run kinit <your-login>@<realm_name>. If you don’t know the realm name, look for default_realm in /etc/krb5.conf:
    [libdefaults]
    default_realm = MY.COMPANY.COM
    
  • Add this line to ~/.ssh/config. Without it, the password method is preferred.
    GSSAPIAuthentication yes
    
  • Then you can ssh to any host that supports Kerberos without typing a password.
  • If your Kerberos ticket expires, just run kinit again. You don’t have to provide the principal <your-login>@<realm_name> this time.
  • Use klist to show when the ticket will expire.
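
A pre-flight check for the steps above, as an added example that is not part of the original post. The function names and the `check` argument are made up for illustration, and it assumes your klist accepts -s.

```shell
#!/bin/sh
# Added example: pre-flight checks for the SSO steps above.
# Function names are illustrative, not from any tool.

# Print default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {
    [ -r "$1" ] || return 0
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Print the first GSSAPIAuthentication value in an ssh_config file,
# lowercased, or "unset". Keywords are case-insensitive and may use "=".
# Host/Match scoping is ignored; "ssh -G <host>" shows the effective value.
ssh_gssapi_setting() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        tolower(line) ~ /^gssapiauthentication[ \t=]/ {
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            print tolower(line); found = 1; exit
        }
        END { if (!found) print "unset" }' "$1"
}

# Run all three checks; returns non-zero if any of them fails.
sso_preflight() {
    conf=${1:-/etc/krb5.conf}; sshcfg=${2:-$HOME/.ssh/config}; rc=0
    realm=$(krb5_default_realm "$conf")
    if [ -n "$realm" ]; then echo "realm:  $realm"
    else echo "realm:  not found in $conf"; rc=1; fi
    gss=$(ssh_gssapi_setting "$sshcfg")
    echo "ssh:    GSSAPIAuthentication $gss"
    [ "$gss" = yes ] || rc=1
    # Assumes klist accepts -s (silent; exit status tells whether a valid ticket exists).
    if klist -s 2>/dev/null; then echo "ticket: valid"
    else echo "ticket: missing or expired, run kinit"; rc=1; fi
    return $rc
}

# Run the checks only when invoked as: sh sso-check.sh check
if [ "${1:-}" = check ]; then sso_preflight; fi
```

A value of "unset" or "no" from the ssh check explains why ssh still prompts for a password even though klist shows a valid ticket.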
