Configuring MacPorts Kerberos for Duo Authentication
Below are some helpful guidelines for configuring MacPorts Kerberos for Duo authentication on Mac OS 10.8 or later.
Also see How do I login to MIT services that leverage Duo two-factor authentication?
Installing MacPorts Kerberos and OpenSSH on Mac OS 10.8+
Step 1: Install Xcode command line tools
- Launch Terminal.app
- In Terminal, type
xcode-select --install
- In the pop-up window, click on Install
Once complete, verify that you have installed the needed components by running
gcc --version
from a Terminal.app window. Output should look something like this, depending on OS version:
bash-3.2$ gcc --version
Configured with: --prefix=/Applications/Xcode.app/Contents/Developer/usr --with-gxx-include-dir=/usr/include/c++/4.2.1
Apple LLVM version 5.0 (clang-500.2.79) (based on LLVM 3.3svn)
Target: x86_64-apple-darwin13.0.0
Thread model: posix
Step 2: Install MacPorts
- Visit The MacPorts Project
- Download the package corresponding to your OS release and install it
- Once installed, open a new Terminal and verify that the ‘port’ command is installed:
bash-3.2$ type port
port is hashed (/opt/local/bin/port)
Step 3: Install necessary ports
- From Terminal.app, open a privileged shell by running sudo -s and providing the admin password for the logged in user
- Your prompt should change from bash-3.2$ to bash-3.2#
- At the bash-3.2# prompt, type the following:
port selfupdate
port install kerberos5
Step 4: Install MIT Kerberos Extras for Macintosh package if not already installed
- Available from the IS&T Software Grid
Step 5: Configure OpenSSH
- Create ssh directory: mkdir ~/.ssh/
- Add the following line to ~/.ssh/config for the user:
echo "GSSAPIAuthentication yes" >> ~/.ssh/config
Step 6: Test!
- User should now be able to kinit username/root at Terminal prompt and be prompted for both password and Duo authentication
If your root instance is not working after following these steps, please move the directories for MacPorts (/opt/local/bin and /opt/local/sbin) to the front of your PATH so that they are evaluated first.
If it's still not working after moving the directories for MacPorts, please add 'Host *' above 'GSSAPIAuthentication yes' in the ~/.ssh/config file.
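The two troubleshooting notes above can be checked with a short script. This is an added example, not part of the original article: it reports which kinit a given PATH resolves to and which Host block a "GSSAPIAuthentication yes" line falls under. The function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# resolve_in_path CMD PATHSTRING
# Print the first executable CMD found walking PATHSTRING left to right, the
# order the shell uses. Returns 1 and prints nothing if none is found.
resolve_in_path() (
    set -f      # no globbing while splitting on ':'
    IFS=:
    for dir in $2; do
        candidate="${dir:-.}/$1"
        if [ -x "$candidate" ] && [ ! -d "$candidate" ]; then
            echo "$candidate"
            exit 0
        fi
    done
    exit 1
)

# gssapi_scope CONFIG
# Say where the first "GSSAPIAuthentication yes" sits in an ssh config file:
#   global  before any Host/Match line, so it applies to every host
#   <word>  first pattern of the enclosing Host block ("*" matches all hosts)
#   match   inside a Match block
#   none    not present
# A line appended with >> lands in whichever Host block ends the file.
gssapi_scope() {
    awk '
        { sub(/=/, " "); key = tolower($1) }   # accept "Keyword=value" too
        key == "host"  { scope = $2 }
        key == "match" { scope = "match" }
        key == "gssapiauthentication" && tolower($2) == "yes" {
            out = (scope == "") ? "global" : scope
            print out; found = 1; exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Saved under any file name, run as "sh <file> report" to inspect this account.
if [ "${1:-}" = "report" ]; then
    echo "kinit found at: $(resolve_in_path kinit "$PATH" || echo 'not found')"
    echo "MacPorts dirs:  /opt/local/bin and /opt/local/sbin"
    if [ -f "$HOME/.ssh/config" ]; then
        echo "GSSAPI scope:   $(gssapi_scope "$HOME/.ssh/config")"
    fi
fi
```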
4 Comments
Jan 16, 2015
Teddy Thomas
I would highly recommend building Kerberos from source on a Mac. The version on Macports is old and does not support ghudson's KCM cache fix to share your tickets with Heimdal Kerberos.
Dec 04, 2015
jweiss
This change is now in the Macports distributed kerberos5 package.
May 31, 2016
Karen Piotrowski
Note that on OSX, bash tries to find local profile files in the following order:
~/.bash_profile
~/.bash_login
~/.profile
Once it finds a file, it processes it and subsequently skips looking for the next file(s) in the list.
After I installed XCode and MacPorts, I added a local ~/.bash_profile file (for an unrelated reason) which resulted in "Password incorrect" failures upon kinit username/root. It also resulted in `type port` command returning `type: port: not found` errors.
Deleting .bash_profile and restarting Terminal fixed my issue.
May 31, 2016
Karen Piotrowski
Using OSX 10.11.4, the App Store installer for XCode would not install. I successfully obtained the XCode dmg from https://developer.apple.com/downloads/ instead.