
Q: How do I configure SSH to always delegate my Kerberos tickets?


Delegation and
When using Kerberos over SSH, you can choose to merely use Kerberos to authenticate yourself, or you can choose to use Kerberos to delegate your tickets in addition to authentication. While some workstations may let you log in without delegation, does not. The reason for this is that without delegation, cannot obtain Kerberos tickets for you to use once logged in, and cannot obtain AFS tokens necessary to access your files. Rather than let you end up logged in without access to your files, requires that you delegate tickets, use traditional password-based authentication, or explicitly opt in to public-key authentication.

Most ssh client configurations (such as those on MacOS X and Ubuntu) do not delegate (forward) Kerberos tickets by default, to avoid inadvertently exposing your Kerberos tickets to a malicious machine. Normally, you must use ssh -K to delegate your tickets on a per-connection basis. For example, instead of typing:


you would now type:

ssh -K

NOTE for Mac OS X: Kerberos Extras will configure your ssh client to delegate Kerberos tickets.

Delegating by default

If you wish to delegate your tickets by default, you can add a line like the following to your ~/.ssh/config file:

    GSSAPIDelegateCredentials yes

That will cause ssh to delegate your credentials when connecting to (but not when connecting to other machines). You can specify multiple hosts like so:

    GSSAPIDelegateCredentials yes

You can even specify wildcards, though we do not recommend you do this:

    Host *
        GSSAPIDelegateCredentials yes

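An added example, not part of the original page: a small Python audit of an ssh client config that lists every block enabling GSSAPIDelegateCredentials and marks the ones broad enough to forward tickets to hosts you did not name. The host names in the sample are constructed, and treating every Match block as broad is a conservative assumption.

```python
import re
from pathlib import Path

# Constructed sample config (hypothetical host names, not taken from the page).
SAMPLE = """\
Host login.example.edu shell.example.edu
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *.example.org
    GSSAPIDelegateCredentials=yes

Host *
    GSSAPIDelegateCredentials no
"""

# ssh_config accepts both "Keyword value" and "Keyword=value".
# Blank lines and "#" comments do not match and are skipped.
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

def delegating_blocks(config_text):
    """Return (block, broad) for every block that enables ticket delegation.

    broad is True for settings outside any Host block, for Match blocks
    (flagged conservatively for manual review), and for Host patterns
    containing * or ?.
    """
    findings = []
    block, broad = "<global>", True  # lines before the first Host apply to all hosts
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            block = value
            # Negated patterns (!name) only exclude hosts, so they are ignored here.
            broad = any(c in p for p in value.split() if not p.startswith("!") for c in "*?")
        elif key == "match":
            block, broad = "Match " + value, True
        elif key == "gssapidelegatecredentials" and value.strip('"').lower() == "yes":
            findings.append((block, broad))
    return findings

if __name__ == "__main__":
    path = Path.home() / ".ssh" / "config"
    text = path.read_text() if path.exists() else SAMPLE
    for block, broad in delegating_blocks(text):
        print(("REVIEW " if broad else "ok     ") + block)
```

Run directly, it reads ~/.ssh/config when that file exists and falls back to the constructed sample otherwise.
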
On MacOS Big Sur, if you want to use kinit on the command line, you need to explicitly configure where the ticket cache is. In .bashrc, set either

    export KRB5CCNAME=KCM:uid

or

    export KRB5CCNAME=/tmp/tkt_username

where /tmp/tkt_username is a valid file name.

It will also work if you use the ticket viewer application to get tickets, and leave KRB5CCNAME unset.

IS&T Contributions

Documentation and information provided by IS&T staff members

Last Modified:

December 01, 2020
