Below are some helpful guidelines for configuring MacPorts Kerberos for Duo authentication on Mac OS 10.8 or later.
Step 1: Install Xcode command line tools
- Launch Terminal.app
- In Terminal, type
- In the pop-up window, click on Install
Once complete, verify that you have installed the needed components by running
from a Terminal.app window. Output should look something like this, depending on OS version:
Step 2: Install MacPorts
- Visit The MacPorts Project
- Download the package corresponding to your OS release and install it
- Once installed, open a new Terminal and verify that the ‘port’ command is installed:
Step 3: Install necessary ports
- From Terminal.app, open a privileged shell by running sudo -s and providing the admin password for the logged-in user
- Your prompt should change from bash-3.2$ to bash-3.2#
- At the bash-3.2# prompt, type the following:
Step 4: Install MIT Kerberos Extras for Macintosh package if not already installed
- Available from the IS&T Software Grid
Step 5: Configure OpenSSH
- Create ssh directory: mkdir ~/.ssh/
- Execute the following command to add "GSSAPIAuthentication yes" to ~/.ssh/config for the user:
Step 6: Test!
- On macOS Big Sur and later, you need to explicitly configure where the ticket cache is; in .bashrc, set either
  export KRB5CCNAME=KCM:uid (to use the built-in ticket cache)
  or
  export KRB5CCNAME=/tmp/tkt_username (a valid file name)
- User should now be able to kinit username/root at the Terminal prompt and be prompted for both password and Duo authentication
If your root instance is not working after following these steps, please move the directories for MacPorts (/opt/local/bin and /opt/local/sbin) to the front of your PATH so that they are evaluated first.
If it's still not working after moving the directories for MacPorts, please add 'Host *' above 'GSSAPIAuthentication yes' in the ~/.ssh/config file.
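The Step 5 setting and the two troubleshooting checks above, as an added shell example that is not part of the original page. The function names `ensure_gssapi` and `macports_first` are hypothetical, and treating "front of your PATH" as "ahead of /usr/bin" is an assumption made for the check.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# ensure_gssapi [DIR]: make DIR/config enable GSSAPIAuthentication under "Host *".
# DIR defaults to ~/.ssh; it is a parameter so the function can be tried on a
# scratch directory first. Returns 0 when the setting is present afterwards,
# 2 when an explicit "no" is already in the file.
ensure_gssapi() {
    dir=${1:-"$HOME/.ssh"}
    cfg="$dir/config"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir"                      # ssh expects a private directory
    [ -e "$cfg" ] || : > "$cfg"
    chmod 600 "$cfg"
    key='^[[:space:]]*GSSAPIAuthentication[[:space:]=]+'
    # ssh uses the first value it reads for an option, so appending "yes"
    # after an existing "no" would change nothing. Report it instead.
    if grep -Eiq "${key}no" "$cfg"; then
        echo "GSSAPIAuthentication no already set in $cfg; edit it by hand" >&2
        return 2
    fi
    # Already enabled: leave the file untouched so reruns do not duplicate lines.
    if grep -Eiq "${key}yes" "$cfg"; then
        return 0
    fi
    # Leading newline keeps "Host *" on its own line if the file lacks a final newline.
    printf '\nHost *\n    GSSAPIAuthentication yes\n' >> "$cfg"
}

# macports_first PATHSTRING: succeed only if /opt/local/bin is listed and comes
# before /usr/bin (assumption: that is where the system tools would be found).
macports_first() {
    case ":$1:" in
        *:/opt/local/bin:*) ;;
        *) return 1 ;;
    esac
    before=${1%%/opt/local/bin*}          # entries ahead of the MacPorts one
    case ":$before" in
        *:/usr/bin:*) return 1 ;;
    esac
    return 0
}

# Usage:
#   ensure_gssapi                # operates on ~/.ssh/config
#   macports_first "$PATH" || echo "move /opt/local/bin and /opt/local/sbin to the front of PATH"
```

If the installed OpenSSH supports the `-G` option, `ssh -G somehost | grep -i gssapiauthentication` prints the value ssh will actually use for that host (`somehost` is a placeholder).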