Access Keys:
Skip to content (Access Key - 0)

Configuring MacPorts Kerberos for Duo Authentication

Below are some helpful guidelines for configuring MacPorts Kerberos for Duo authentication on a Mac OS 10.8 or later...

Also see How do I login to MIT services that leverage Duo two-factor authentication?

Installing MacPorts Kerberos and OpenSSH on Mac OS 10.8+

Step 1:  Install Xcode command line tools

  • Launch
  • In Terminal, type
    xcode-select --install
  • In the pop-up window, click on Install

Once complete, verify that you have installed the needed components by running

gcc --version

from a window. Output should look something like this, depending on OS version:

bash-3.2$ gcc --version
Configured with: --prefix=/Applications/ --with-gxx-include-dir=/usr/include/c++/4.2.1
Apple LLVM version 5.0 (clang-500.2.79) (based on LLVM 3.3svn)
Target: x86_64-apple-darwin13.0.0
Thread model: posix

Step 2:  Install MacPorts

  • Visit The MacPorts Project
  • Download the package corresponding to your OS release and install it
  • Once installed, open a new Terminal and verify that the ‘port’ command is installed:

bash-3.2$ type port
port is hashed (/opt/local/bin/port)

Step 3:  Install necessary ports

  • From, open a privileged shell by running sudo -s and providing the admin password for the logged in user
  • Your prompt should change from bash-3.2$ to bash-3.2#
  • At the bash-3.2# prompt, type the following:

port selfupdate
port install kerberos5

Step 4:  Install MIT Kerberos Extras for Macintosh package if not already installed

Step 5:  Configure OpenSSH

  • Create ssh directory: mkdir ~/.ssh/
  • Execute the following command to add "GSSAPIAuthentication yes" to ~/.ssh/config for the user:

echo "GSSAPIAuthentication yes" >> ~/.ssh/config

Step 6:  Test!

  • User should now be able to kinit username/root at Terminal prompt and be prompted for both password
    and Duo authentication

If your root instance is not working after following these steps, please move the directories for MacPorts (/opt/local/bin and /opt/local/sbin) to the front of your PATH so that they are evaluated first.

If it's still not working after moving the directories for MacPorts, please add 'Host *' above 'GSSAPIAuthentication yes' in the ~/.ssh/config file.

IS&T Contributions

Documentation and information provided by IS&T staff members

Last Modified:

October 10, 2019

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
kerberos kerberos Delete
macports macports Delete
duo duo Delete
c-duo c-duo Delete
c-managed-hosting c-managed-hosting Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
This product/service is:
Easy to use
Difficult to use

This article is:
  1. Jan 16, 2015

    I would highly recommend building Kerberos from source on a Mac. The version on Macports is old and does not support ghudson's KCM cache fix to share your tickets with Heimdal Kerberos

    1. Dec 04, 2015

      This change is now in the Macports distributed kerberos5 package.

  2. May 31, 2016

    Note that on OSX, bash tries to find local profile files in the following order:


    Once it finds a file, it processes it and subsequently skips looking for the next file(s) in the list.

    After I installed XCode and MacPorts, I added a local ~/.bash_profile file (for an unrelated reason) which resulted in "Password incorrect" failures upon kinit username/root. It also resulted in `type port` command returning `type: port: not found` errors.

    Deleting .bash_profile and restarting Terminal fixed my issue.

  3. May 31, 2016

    Using OSX 10.11.4, the App Store installer for XCode would not install. I successfully obtained the XCode dmg from instead.

Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki