Mac – Obtaining A Kerberos TGT On SSH Login

You’re bound to Active Directory and get a Kerberos TGT on a GUI login great, right? Well what if you also wanted to get one automatically when you authenticate via SSH? It’s actually pretty easy to do! Assuming of course that you can successfully get one using kinit, and that you’re using 10.6 or later (10.5 and below does not have the required PAM module). The ticket was (sorry, couldn’t resist) editing the /etc/pam.d/sshd file, and more specifically changing the following line:

auth       optional use_kcminit


auth       optional default_principal

There should be no need to restart. If all went well the next time you log in via SSH you should receive a TGT. You can view Kerberos credentials by using the klist command. If you’re only bound to Open Directory and have everything set up correctly, you shouldn’t need to do this as the pam_krb5 module, by default, tries to obtain the principal from the user’s OpenDirectory record. By specifying the default_principal option you tell the module to construct the principal from the authenticating user’s username. Let me know in the comments if this worked for you or if have any questions!

Special thanks to my co-worker who helped me discover this.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s