Configuring MacPorts Kerberos for Duo Authentication

The steps below configure MacPorts Kerberos for Duo authentication on Mac OS 10.8 or later.

Also see How do I login to MIT services that leverage Duo two-factor authentication?

Installing MacPorts Kerberos and OpenSSH on Mac OS 10.8+

Step 1:  Install Xcode command line tools

  • Launch Terminal.app
  • In Terminal, type:
    xcode-select --install
  • In the pop-up window, click on Install
  • Once complete, verify that you have installed the needed components by typing:
    gcc --version

    Output should look something like this, depending on OS version:

    placebo@B12H87RFNE5L ~ % gcc --version
    Apple clang version 14.0.0 (clang-1400.0.29.202)
    Target: x86_64-apple-darwin22.1.0
    Thread model: posix
    InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin

Step 2:  Install MacPorts

  • Visit The MacPorts Project.
  • Download the package corresponding to your OS release and install it.
  • Once installed, open a new Terminal and type:
    type port

    You will see:

    placebo@B12H87RFNE5L ~ % type port
    port is hashed

Step 3:  Install necessary ports

  • From Terminal.app, open a privileged shell by typing the command below in Terminal and providing the admin password for the logged in user:
    sudo -s
  • Your prompt should change from...

    placebo@B12H87RFNE5L ~ % sudo -s

    to

    root@B12H87RFNE5L ~ #

  • Type the following:
    port selfupdate

    Let it run. It will take a few minutes.

  • Then type:
    port install kerberos5

    This may take a half-hour to run.

  • Then type:
    exit

Step 4:  Install MIT Kerberos Extras for Macintosh package if not already installed

Step 5:  Configure OpenSSH

  • Create the ssh directory:
    mkdir ~/.ssh/
  • Execute the following command to add "GSSAPIAuthentication yes" to ~/.ssh/config for the user:
    echo "GSSAPIAuthentication yes" >> ~/.ssh/config

Step 6:  Test!

  • On MacOS Big Sur and later, you need to explicitly configure where the ticket cache is. In .bashrc, set either
    export KRB5CCNAME=KCM:uid
    (to use the built-in ticket cache) or
    export KRB5CCNAME=/tmp/tkt_username
    (a valid file name).
  • The user should now be able to run kinit username/root at the Terminal prompt and be prompted for both password and Duo authentication.

If your root instance is not working after following these steps, please move the directories for MacPorts (/opt/local/bin and /opt/local/sbin) to the front of your PATH so that they are evaluated first.

If it's still not working after moving the directories for MacPorts, please add 'Host *' above 'GSSAPIAuthentication yes' in the ~/.ssh/config file.
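
The three settings that the test and troubleshooting notes above depend on (PATH order, KRB5CCNAME, and a GSSAPIAuthentication line that applies to all hosts) can be checked with a short script. This is an added example, not part of the original IS&T instructions; the function names are hypothetical, and it shows why a line appended below an existing host-specific Host block needs 'Host *' above it.

```shell
#!/bin/sh
# Added example (hypothetical function names), not part of the original page.

# Succeeds if /opt/local/bin precedes /usr/bin in the PATH string given,
# so the MacPorts kinit is found before the system one.
macports_first() {
    old_ifs=$IFS; IFS=:
    set -f; set -- $1; set +f
    IFS=$old_ifs
    for dir in "$@"; do
        case $dir in
            /opt/local/bin) return 0 ;;
            /usr/bin) return 1 ;;
        esac
    done
    return 1
}

# Succeeds for the two KRB5CCNAME forms the page gives: KCM:... or a file path.
ccname_ok() {
    case $1 in
        KCM:?*|/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the first GSSAPIAuthentication line that applies to every host
# (top of file, or under "Host *") says yes. Lines under any other Host or
# Match block are skipped, since ssh applies them to that block only.
# Assumes whitespace-separated "keyword value" lines.
gssapi_enabled() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "host"  { skip = !(NF == 2 && $2 == "*"); next }
        tolower($1) == "match" { skip = 1; next }
        tolower($1) == "gssapiauthentication" && !skip {
            found = 1; rc = (tolower($2) == "yes") ? 0 : 1; exit
        }
        END { exit (found ? rc : 1) }
    ' "$1" 2>/dev/null
}

# Report on the current user's environment.
preflight() {
    macports_first "$PATH" && echo "ok    PATH" || echo "CHECK PATH order"
    ccname_ok "${KRB5CCNAME:-}" && echo "ok    KRB5CCNAME" || echo "CHECK KRB5CCNAME"
    gssapi_enabled "$HOME/.ssh/config" && echo "ok    ssh config" || echo "CHECK ~/.ssh/config"
}
preflight
```

Run it in the same shell in which kinit and ssh are used, since PATH and KRB5CCNAME are set per shell.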

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified: November 22, 2022

  1. Jan 16, 2015

    I would highly recommend building Kerberos from source on a Mac. The version on Macports is old and does not support ghudson's KCM cache fix to share your tickets with Heimdal Kerberos.

    1. Dec 04, 2015

      This change is now in the Macports distributed kerberos5 package.

  2. May 31, 2016

    Note that on OSX, bash tries to find local profile files in the following order:

    ~/.bash_profile
    ~/.bash_login
    ~/.profile

    Once it finds a file, it processes it and subsequently skips looking for the next file(s) in the list.

    After I installed XCode and MacPorts, I added a local ~/.bash_profile file (for an unrelated reason) which resulted in "Password incorrect" failures upon kinit username/root. It also resulted in `type port` command returning `type: port: not found` errors.

    Deleting .bash_profile and restarting Terminal fixed my issue.

  3. May 31, 2016

    Using OSX 10.11.4, the App Store installer for XCode would not install. I successfully obtained the XCode dmg from https://developer.apple.com/downloads/ instead.
