Configuring MacPorts Kerberos for Duo Authentication
Below are guidelines for configuring MacPorts Kerberos for Duo authentication on Mac OS 10.8 or later.
Also see How do I login to MIT services that leverage Duo two-factor authentication?
Installing MacPorts Kerberos and OpenSSH on Mac OS 10.8+
Step 1: Install Xcode command line tools
- Launch Terminal.app
- In Terminal, type:
xcode-select --install
- In the pop-up window, click on Install
- Once complete, verify that you have installed the needed components by typing:
gcc --version
Output should look something like this, depending on OS version:
placebo@B12H87RFNE5L ~ % gcc --version
Apple clang version 14.0.0 (clang-1400.0.29.202)
Target: x86_64-apple-darwin22.1.0
Thread model: posix
InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
Step 2: Install MacPorts
- Visit The MacPorts Project.
- Download the package corresponding to your OS release and install it.
- Once installed, open a new Terminal and type:
type port
You will see:
placebo@B12H87RFNE5L ~ % type port
port is hashed
Step 3: Install necessary ports
- From Terminal.app, open a privileged shell by typing the command below in Terminal and providing the admin password for the logged in user:
sudo -s
- Your prompt should change from...
placebo@B12H87RFNE5L ~ % sudo -s
to
root@B12H87RFNE5L ~ #
- Type the following:
port selfupdate
Let it run. It will take a few minutes.
- Then type:
port install kerberos5 +universal
- Then type:
port install openssh +kerberos5
This may take a half-hour to run.
- Then type:
exit
- Close and re-open your Terminal, then type:
which kinit; which ssh
This should report both commands in /opt/local/bin/.
Step 4: Install MIT Kerberos Extras for Macintosh package if not already installed
- Available from the IS&T Software Grid
Step 5: Configure OpenSSH
- Create ssh directory: mkdir ~/.ssh/
- Execute the following command to add "GSSAPIAuthentication yes" to ~/.ssh/config for the user:
echo "GSSAPIAuthentication yes" >> ~/.ssh/config
Step 6: Test!
Note: On macOS Big Sur and later, you need to explicitly configure where the ticket cache is. In .bashrc, either export KRB5CCNAME=KCM:uid (to use the built-in ticket cache) or export KRB5CCNAME=/tmp/tkt_username (a valid file name).
- You should now be able to run kinit username/root at the Terminal prompt and be prompted for both your password and Duo authentication.
If your root instance is not working after following these steps, please move the directories for MacPorts (/opt/local/bin and /opt/local/sbin) to the front of your PATH so that they are evaluated first.
If it's still not working after moving the directories for MacPorts, please add 'Host *' above 'GSSAPIAuthentication yes' in the ~/.ssh/config file.
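The two fixes above can be checked from the shell. The script below is an added example, not part of the original article (its function names are its own). It relies on the ssh_config rule that a keyword belongs to the most recent Host block, so a line appended with >> to a file that already ends in a Host block only affects that host.

```shell
#!/bin/sh
# Added example; function names are this example's own, not from the page.

# Succeeds if /opt/local/bin appears before /usr/bin in the PATH string $1,
# so the MacPorts kinit and ssh are found ahead of the system copies.
path_prefers_macports() {
    printf '%s\n' "$1" | tr ':' '\n' | awk '
        $0 == "/opt/local/bin" { print "ok";  exit }
        $0 == "/usr/bin"       { print "bad"; exit }' | grep -q '^ok$'
}

# Prints, for each "GSSAPIAuthentication yes" line in ssh config file $1,
# the block it falls in: "(global)" before any Host/Match line, otherwise
# the pattern list of the enclosing Host block.
gssapi_scope() {
    awk '
        BEGIN { scope = "(global)" }
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }                       # accept "keyword=value" form
        tolower($1) == "host"  { $1 = ""; sub(/^ +/, ""); scope = $0; next }
        tolower($1) == "match" { scope = $0; next }
        tolower($1) == "gssapiauthentication" && tolower($2) == "yes" { print scope }
    ' "$1"
}

# Succeeds only when the setting is global or sits under a bare "Host *".
gssapi_applies_to_all() {
    gssapi_scope "$1" | grep -qxF -e '(global)' -e '*'
}

# Report on the current account.
if path_prefers_macports "$PATH"; then
    echo "PATH: /opt/local/bin is ahead of /usr/bin"
else
    echo "PATH: /opt/local/bin is not ahead of /usr/bin"
fi
echo "KRB5CCNAME: ${KRB5CCNAME:-<unset>}"
cfg="$HOME/.ssh/config"
if [ -f "$cfg" ]; then
    if gssapi_applies_to_all "$cfg"; then
        echo "ssh: GSSAPIAuthentication yes applies to all hosts"
    else
        echo "ssh: GSSAPIAuthentication yes is scoped to: $(gssapi_scope "$cfg" | tr '\n' ' ')"
    fi
fi
```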
4 Comments
Jan 16, 2015
Teddy Thomas
I would highly recommend building Kerberos from source on a Mac. The version on MacPorts is old and does not support ghudson's KCM cache fix to share your tickets with Heimdal Kerberos.
Dec 04, 2015
Jonathon Weiss
This change is now in the MacPorts distributed kerberos5 package.
May 31, 2016
Karen Piotrowski
Note that on OSX, bash tries to find local profile files in the following order:
~/.bash_profile
~/.bash_login
~/.profile
Once it finds a file, it processes it and subsequently skips looking for the next file(s) in the list.
After I installed Xcode and MacPorts, I added a local ~/.bash_profile file (for an unrelated reason) which resulted in "Password incorrect" failures upon kinit username/root. It also resulted in the `type port` command returning `type: port: not found` errors.
Deleting .bash_profile and restarting Terminal fixed my issue.
May 31, 2016
Karen Piotrowski
Using OSX 10.11.4, the App Store installer for Xcode would not install. I successfully obtained the Xcode dmg from https://developer.apple.com/downloads/ instead.