Below are some helpful guidelines for configuring MacPorts Kerberos for Duo authentication on Mac OS 10.8 or later.
Step 1: Install Xcode command line tools
- Launch Terminal.app
- In Terminal, type:
- In the pop-up window, click on Install
- Once complete, verify that you have installed the needed components by typing:
Output should look something like this, depending on OS version:
Step 2: Install MacPorts
- Visit The MacPorts Project.
- Download the package corresponding to your OS release and install it.
- Once installed, open a new Terminal and type:
You will see:
Step 3: Install necessary ports
- From Terminal.app, open a privileged shell by typing the command below and providing the admin password for the logged-in user:
- Your prompt should change from...
- Type the following:
Let it run. It will take a few minutes.
- Then type:
This may take a half-hour to run.
- Then type:
Step 4: Install MIT Kerberos Extras for Macintosh package if not already installed
- Available from the IS&T Software Grid
Step 5: Configure OpenSSH
- Create ssh directory: mkdir ~/.ssh/
- Execute the following command to add "GSSAPIAuthentication yes" to ~/.ssh/config for the user:
Step 6: Test!
On macOS Big Sur and later, you need to explicitly configure where the ticket cache is; in .bashrc, set either
export KRB5CCNAME=KCM:uid (to use the built in ticket cache)
or
export KRB5CCNAME=/tmp/tkt_username (a valid file name)
- User should now be able to kinit username/root at Terminal prompt and be prompted for both password and Duo authentication.
If your root instance is not working after following these steps, please move the directories for MacPorts (/opt/local/bin and /opt/local/sbin) to the front of your PATH so that they are evaluated first.
If it's still not working after moving the directories for MacPorts, please add 'Host *' above 'GSSAPIAuthentication yes' in the ~/.ssh/config file.
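
The sketch below is an added example, not part of the original instructions. It covers Step 5 and the two troubleshooting notes: it adds the setting under a 'Host *' line only when it is not already in effect for all hosts, and checks that the MacPorts directories come before /usr/bin in PATH. The function names are hypothetical, and reading "front of your PATH" as "ahead of /usr/bin" is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# gssapi_on_for_all FILE
# Succeeds if "GSSAPIAuthentication yes" is set before any Host/Match line
# (global scope) or inside a "Host *" block.
gssapi_on_for_all() {
    awk '
        BEGIN { all = 1 }                      # options before any Host line apply to all hosts
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        { gsub(/=/, " "); key = tolower($1) }  # accept "Key=value" as well as "Key value"
        key == "host"  { all = (NF == 2 && $2 == "*"); next }
        key == "match" { all = 0; next }
        key == "gssapiauthentication" && tolower($2) == "yes" && all { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# ensure_gssapi FILE
# Creates the directory (mode 700) and file (mode 600) if needed, then appends
# a "Host *" block unless the setting already applies to all hosts. A bare
# option appended to an existing file would belong to whichever Host block
# came last, which is why the block starts with "Host *".
ensure_gssapi() {
    cfg=$1
    dir=$(dirname "$cfg")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -e "$cfg" ] || : > "$cfg" || return 1
    chmod 600 "$cfg" || return 1
    gssapi_on_for_all "$cfg" && return 0
    printf '\nHost *\n    GSSAPIAuthentication yes\n' >> "$cfg"
}

# macports_first PATH_STRING
# Succeeds only if /opt/local/bin and /opt/local/sbin are both present and
# listed ahead of /usr/bin, so the MacPorts binaries are found first.
macports_first() {
    awk -v p="$1" 'BEGIN {
        n = split(p, d, ":")
        for (i = 1; i <= n; i++) {
            if (d[i] == "/opt/local/bin"  && !b) b = i
            if (d[i] == "/opt/local/sbin" && !s) s = i
            if (d[i] == "/usr/bin"        && !u) u = i
        }
        exit ((b && s && (!u || (b < u && s < u))) ? 0 : 1)
    }'
}

# Usage: ensure_gssapi "$HOME/.ssh/config"; macports_first "$PATH" || echo "fix PATH order"
```

ssh uses the first value it finds for each option, so an earlier "GSSAPIAuthentication no" that matches the target host still takes precedence over the appended block.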