Kerberos for macOS

macOS comes with Kerberos already installed.

There are two ways to authenticate to your DICE account using Kerberos on the Mac - using the command-line Terminal utility, or using the graphical Ticket Viewer. This document describes both.

Using Terminal

First, locate the Terminal application. This can be found in the Utilities folder:

Double-click on the Terminal application to launch it. Now type:

kinit yourusername@INF.ED.AC.UK (replacing 'yourusername' with your University login username)

(Note: case here is significant! Make sure to type 'INF.ED.AC.UK' rather than ''.)

Enter your password when prompted:

cuyp:~ toby$ kinit toby@INF.ED.AC.UK
toby@INF.ED.AC.UK's Password: 
cuyp:~ toby$ 

On more recent versions of macOS you may see the following warning message:

Encryption type des3-cbc-sha1(16) used for authentication is weak and will be deprecated

You are seeing this message because 3DES ciphers (as used in our ticket-granting ticket) are steadily weakening in cryptographic strength, so the process of deprecating them in Kerberos has begun. The Heimdal-based version of Kerberos in macOS seems a little keener on this than other versions.

We consider the risk presented by known attacks to be very low, but we do have plans to rekey the parts of our infrastructure which use 3DES.

The klist command can be used to check the contents of your credentials cache. The following shows a credentials cache after a successful authentication:

cuyp:~ toby$ klist
Credentials cache: API:502:10
        Principal: toby@INF.ED.AC.UK

  Issued                Expires               Principal
Feb 21 13:15:18 2013  Feb 21 23:15:11 2013  krbtgt/INF.ED.AC.UK@INF.ED.AC.UK
cuyp:~ toby$
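
To see which tickets in the cache would trigger the weak-encryption warning described above, the verbose listing can be filtered by encryption type. This is an added example, not part of the original page; it assumes the Heimdal `klist -v` layout (a "Server:" line followed by a "Ticket etype:" line per ticket), uses a constructed sample with a made-up host principal, and goes beyond the 3DES case in the text by also flagging single DES and RC4.

```sh
#!/bin/sh
# Added example: flag tickets in the credentials cache that use a weak etype.
# Assumption: input is in the Heimdal `klist -v` layout, where each ticket has
# a "Server:" line followed by a "Ticket etype:" line.

# weak_tickets reads klist -v output on stdin and prints one line per ticket
# whose encryption type is single DES, 3DES or RC4: "<server> <etype>".
weak_tickets() {
    awk '
        /^Server:/ { server = $2 }
        /^Ticket etype:/ {
            etype = $3
            sub(/,$/, "", etype)          # drop the comma before "kvno"
            if (etype ~ /^(des-|des3-|arcfour-)/)
                print server, etype
        }
    '
}

# Constructed sample in the assumed layout (not captured from a real cache;
# the host principal is hypothetical).
sample_klist_v() {
    cat <<'EOF'
Credentials cache: API:502:10
        Principal: toby@INF.ED.AC.UK
    Cache version: 0

Server: krbtgt/INF.ED.AC.UK@INF.ED.AC.UK
Client: toby@INF.ED.AC.UK
Ticket etype: des3-cbc-sha1, kvno 2
Auth time:  Feb 21 13:15:18 2013
End time:   Feb 21 23:15:11 2013

Server: host/example.inf.ed.ac.uk@INF.ED.AC.UK
Client: toby@INF.ED.AC.UK
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Auth time:  Feb 21 13:15:18 2013
End time:   Feb 21 23:15:11 2013
EOF
}

# Live use on a Mac: klist -v | weak_tickets
# Here the constructed sample is checked so the script runs anywhere.
sample_klist_v | weak_tickets
```

An empty result means no ticket in the cache uses one of the flagged encryption types.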

Using Ticket Viewer

The Ticket Viewer application provides a graphical front-end for acquiring tickets. It is slightly hidden away in the Mac file system. Locate the application by opening the /System/Library/CoreServices folder:

Locate the Ticket Viewer application:

And launch the application:

Click on Add Identity and enter yourusername@INF.ED.AC.UK and your password, replacing 'yourusername' with your University login username. You can tick the box to remember your password in your keychain, but be aware of the security implication of this: your DICE password is then only as secure as your login password. Click Continue to authenticate:

You should see an indication that a ticket has been successfully acquired. Click on Set as Default here.

You may find it useful to keep the Ticket Viewer application in your dock:

What Now?

Now that you have configured Kerberos, you may want to:
