Configuring MacPorts Kerberos for Duo Authentication
Below are guidelines for configuring MacPorts Kerberos for Duo authentication on Mac OS 10.8 or later.
Also see How do I login to MIT services that leverage Duo two-factor authentication?
Installing MacPorts Kerberos and OpenSSH on Mac OS 10.8+
Step 1: Install Xcode command line tools
- Launch Terminal.app
- In Terminal, type:
- In the pop-up window, click on Install
- Once complete, verify that you have installed the needed components by typing: gcc --version
Output should look something like this, depending on OS version:
placebo@B12H87RFNE5L ~ % gcc --version
Apple clang version 14.0.0 (clang-1400.0.29.202)
Thread model: posix
Step 2: Install MacPorts
- Visit The MacPorts Project.
- Download the package corresponding to your OS release and install it.
- Once installed, open a new Terminal and run: type port
You will see:
placebo@B12H87RFNE5L ~ % type port
port is hashed
Step 3: Install necessary ports
- From Terminal.app, open a privileged shell by typing sudo -s and providing the admin password for the logged-in user.
- Your prompt should change from % to #:
placebo@B12H87RFNE5L ~ % sudo -s
root@B12H87RFNE5L ~ #
- Type the following:
Let it run. It will take a few minutes.
- Then type:
port install kerberos5
This may take a half-hour to run.
- Then type:
Step 4: Install MIT Kerberos Extras for Macintosh package if not already installed
- Available from the IS&T Software Grid
Step 5: Configure OpenSSH
- Create ssh directory: mkdir ~/.ssh/
- Execute the following command to add "GSSAPIAuthentication yes" to ~/.ssh/config for the user:
echo "GSSAPIAuthentication yes" >> ~/.ssh/config
Step 6: Test!
On macOS Big Sur and later, you need to explicitly configure where the ticket cache is. In .bashrc, set either:
export KRB5CCNAME=KCM:uid (to use the built-in ticket cache)
or
export KRB5CCNAME=/tmp/tkt_username (a valid file name)
- You should now be able to run kinit username/root at the Terminal prompt and be prompted for both your password and Duo authentication.
If your root instance is not working after following these steps, please move the directories for MacPorts (/opt/local/bin and /opt/local/sbin) to the front of your PATH so that they are evaluated first.
If it's still not working after moving the directories for MacPorts, please add 'Host *' above 'GSSAPIAuthentication yes' in the ~/.ssh/config file.
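The checks from Step 5, Step 6 and the two troubleshooting notes above can be scripted; the following is an added example, not part of the original article, and its function names are hypothetical. It also shows why 'Host *' matters: a line appended with >> to a config that already has Host blocks falls inside the last block and applies only to that host. The comparison against /usr/bin as the system tool directory is an assumption.

```sh
# Added example, not from the article; function names are hypothetical.
# Succeeds if both MacPorts directories precede /usr/bin (assumed location of
# the system Kerberos tools) in the PATH string $1.
path_prefers_macports() {
    seen_bin=0; seen_sbin=0; old_ifs=$IFS
    IFS=:; set -f
    for dir in $1; do
        case $dir in
            /opt/local/bin)  seen_bin=1 ;;
            /opt/local/sbin) seen_sbin=1 ;;
            /usr/bin)        break ;;
        esac
    done
    set +f; IFS=$old_ifs
    [ "$seen_bin" -eq 1 ] && [ "$seen_sbin" -eq 1 ]
}

# Succeeds if the first GSSAPIAuthentication line that applies to every host
# (before any Host/Match line, or inside a "Host *" block) in file $1 is "yes".
# Handles the whitespace-separated "Keyword value" form only.
gssapi_applies_to_all_hosts() {
    awk '
        { key = tolower($1) }
        key == "host"  { scope = (NF == 2 && $2 == "*") ? "all" : "some"; next }
        key == "match" { scope = "some"; next }
        key == "gssapiauthentication" && scope != "some" && !seen {
            seen = 1; ok = ($2 == "yes")
        }
        END { exit (ok ? 0 : 1) }
    ' "$1" 2>/dev/null
}

# Succeeds if $1 has one of the two KRB5CCNAME forms the article gives.
ccache_name_ok() {
    case $1 in
        KCM:?*|/?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Report on the current user's environment.
check_setup() {
    path_prefers_macports "$PATH" && echo "PATH: ok" || echo "PATH: MacPorts dirs not first"
    gssapi_applies_to_all_hosts "$HOME/.ssh/config" && echo "ssh config: ok" || echo "ssh config: GSSAPI missing or host-scoped"
    ccache_name_ok "${KRB5CCNAME:-}" && echo "KRB5CCNAME: ok" || echo "KRB5CCNAME: unset or unexpected form"
}
check_setup
```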
Jan 16, 2015
I would highly recommend building Kerberos from source on a Mac. The version on Macports is old and does not support ghudson's KCM cache fix to share your tickets with Heimdal Kerberos
Dec 04, 2015
This change is now in the Macports distributed kerberos5 package.
May 31, 2016
Note that on OSX, bash tries to find local profile files in the following order:
Once it finds a file, it processes it and subsequently skips looking for the next file(s) in the list.
After I installed XCode and MacPorts, I added a local ~/.bash_profile file (for an unrelated reason) which resulted in "Password incorrect" failures upon kinit username/root. It also resulted in `type port` command returning `type: port: not found` errors.
Deleting .bash_profile and restarting Terminal fixed my issue.
May 31, 2016
Using OSX 10.11.4, the App Store installer for XCode would not install. I successfully obtained the XCode dmg from https://developer.apple.com/downloads/ instead.