Configuring kerberos and ssh - Device and Productivity Software
<!doctype html> <html lang="en" class="no-js"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <meta name="description" content="Device and Productivity Software Services Documentation"> <meta name="author" content="CERN Authoring"> <link rel="canonical" href="https://devices.docs.cern.ch/devices/mac/AboutKerberosAndSsh/"> <link rel="icon" href="../../../assets/images/favicon.png"> <meta name="generator" content="mkdocs-1.3.1, mkdocs-material-8.5.3"> <title>Configuring kerberos and ssh - Device and Productivity Software</title> <link rel="stylesheet" href="../../../assets/stylesheets/main.7a952b86.min.css"> <link rel="stylesheet" href="../../../assets/stylesheets/palette.cbb835fc.min.css"> <link rel="stylesheet" href="../../../css/style.css"> <link rel="stylesheet" href="../../../stylesheets/fonts.css"> <script>__md_scope=new URL("../../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script> </head> <body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none"> <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off"> <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off"> <label class="md-overlay" for="__drawer"></label> <div data-md-component="skip"> <a href="#about-kerberos-and-ssh" class="md-skip"> Skip to content </a> </div> <div data-md-component="announce"> </div> <header class="md-header" data-md-component="header"> <nav class="md-header__inner md-grid" aria-label="Header"> <a href="../../.." 
title="Device and Productivity Software" class="md-header__button md-logo" aria-label="Device and Productivity Software" data-md-component="logo"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> <label class="md-header__button md-icon" for="__drawer"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg> </label> <div class="md-header__title" data-md-component="header-title"> <div class="md-header__ellipsis"> <div class="md-header__topic"> <span class="md-ellipsis"> Device and Productivity Software </span> </div> <div class="md-header__topic" data-md-component="header-topic"> <span class="md-ellipsis"> Configuring kerberos and ssh </span> </div> </div> </div> <label class="md-header__button md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> </label> <div class="md-search" data-md-component="search" role="dialog"> <label class="md-search__overlay" for="__search"></label> <div class="md-search__inner" role="search"> <form class="md-search__form" name="search"> <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required> <label class="md-search__icon md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 
0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </label> <nav class="md-search__options" aria-label="Search"> <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg> </button> </nav> </form> <div class="md-search__output"> <div class="md-search__scrollwrap" data-md-scrollfix> <div class="md-search-result" data-md-component="search-result"> <div class="md-search-result__meta"> Initializing search </div> <ol class="md-search-result__list"></ol> </div> </div> </div> </div> </div> <div class="md-header__source"> <a href="https://gitlab.cern.ch/IT-DEP-CDA-AD/devices-docs" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! 
Font Awesome Free 6.2.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class="md-source__repository"> it-cda-ad/devices-docs </div> </a> </div> </nav> </header> <div class="md-container" data-md-component="container"> <nav class="md-tabs" aria-label="Tabs" data-md-component="tabs"> <div class="md-tabs__inner md-grid"> <ul class="md-tabs__list"> <li class="md-tabs__item"> <a href="../../.." class="md-tabs__link"> Introduction </a> </li> <li class="md-tabs__item"> <a href="../../" class="md-tabs__link md-tabs__link--active"> Devices </a> </li> <li class="md-tabs__item"> <a href="../../../pss/" class="md-tabs__link"> Productivity Software </a> </li> </ul> </div> </nav> <main class="md-main" data-md-component="main"> <div class="md-main__inner md-grid"> <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0"> <label class="md-nav__title" for="__drawer"> <a href="../../.." 
title="Device and Productivity Software" class="md-nav__button md-logo" aria-label="Device and Productivity Software" data-md-component="logo"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> Device and Productivity Software </label> <div class="md-nav__source"> <a href="https://gitlab.cern.ch/IT-DEP-CDA-AD/devices-docs" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.2.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class="md-source__repository"> it-cda-ad/devices-docs </div> </a> </div> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../.." 
class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item md-nav__item--active md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" checked> <label class="md-nav__link" for="__nav_2"> Devices <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Devices" data-md-level="1"> <label class="md-nav__title" for="__nav_2"> <span class="md-nav__icon md-icon"></span> Devices </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../" class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item"> <a href="../../android/" class="md-nav__link"> Android </a> </li> <li class="md-nav__item md-nav__item--active md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_3" type="checkbox" id="__nav_2_3" checked> <label class="md-nav__link" for="__nav_2_3"> macOS <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="macOS" data-md-level="2"> <label class="md-nav__title" for="__nav_2_3"> <span class="md-nav__icon md-icon"></span> macOS </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../" class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item"> <a href="../AboutAppleSiliconMacs/" class="md-nav__link"> About Apple Silicon ("M1") Macs </a> </li> <li class="md-nav__item"> <a href="../macos_versions/" class="md-nav__link"> About macOS Versions </a> </li> <li class="md-nav__item"> <a href="../AboutSoftwareUpdates/" class="md-nav__link"> About Software Updates </a> </li> <li class="md-nav__item"> <a href="../PurchasingAppleHardware/" class="md-nav__link"> Purchasing Apple Hardware </a> </li> <li class="md-nav__item"> <a href="../Installation/" class="md-nav__link"> Installation at CERN </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_3_7" type="checkbox" 
id="__nav_2_3_7" > <label class="md-nav__link" for="__nav_2_3_7"> Getting applications for macOS <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Getting applications for macOS" data-md-level="3"> <label class="md-nav__title" for="__nav_2_3_7"> <span class="md-nav__icon md-icon"></span> Getting applications for macOS </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../AcquiringApplications/" class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item"> <a href="../MacSelfService/" class="md-nav__link"> The Mac Self-Service </a> </li> <li class="md-nav__item"> <a href="../AppleAppStore/" class="md-nav__link"> The Apple App Store </a> </li> <li class="md-nav__item"> <a href="../MicrosoftOfficeMac/" class="md-nav__link"> Microsoft Office Apps </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../HomeFolders/" class="md-nav__link"> Home folders </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_3_9" type="checkbox" id="__nav_2_3_9" > <label class="md-nav__link" for="__nav_2_3_9"> The Mac Self-Service <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="The Mac Self-Service" data-md-level="3"> <label class="md-nav__title" for="__nav_2_3_9"> <span class="md-nav__icon md-icon"></span> The Mac Self-Service </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../MacSelfService/" class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item"> <a href="../MacSelfService/Enrolling/" class="md-nav__link"> Enrolling a Mac </a> </li> <li class="md-nav__item"> <a href="../MacSelfService/Using/" class="md-nav__link"> Using the Self-Service app </a> </li> <li class="md-nav__item"> <a href="../MacSelfService/Troubleshooting/" class="md-nav__link"> Troubleshooting </a> </li> <li class="md-nav__item"> <a href="../MacSelfService/Unenrolling/" 
class="md-nav__link"> Unenrolling a Mac </a> </li> <li class="md-nav__item"> <a href="../MacSelfService/outdatedMajorOs/" class="md-nav__link"> Alerts for Unsupported Major OS versions </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../printing/" class="md-nav__link"> Printing from macOS </a> </li> <li class="md-nav__item"> <a href="../RepairingAppleHardware/" class="md-nav__link"> Repairing Apple Hardware </a> </li> <li class="md-nav__item md-nav__item--active"> <input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc"> <label class="md-nav__link md-nav__link--active" for="__toc"> Configuring kerberos and ssh <span class="md-nav__icon md-icon"></span> </label> <a href="./" class="md-nav__link md-nav__link--active"> Configuring kerberos and ssh </a> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class="md-nav__title" for="__toc"> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix> <li class="md-nav__item"> <a href="#kerberos-configuration" class="md-nav__link"> Kerberos Configuration </a> <nav class="md-nav" aria-label="Kerberos Configuration"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#kerberos-config-file-for-users-without-self-service" class="md-nav__link"> Kerberos config file for users without Self-Service </a> </li> <li class="md-nav__item"> <a href="#changes-for-centos8" class="md-nav__link"> Changes for Centos8 </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#ssh-configuration" class="md-nav__link"> ssh Configuration </a> </li> <li class="md-nav__item"> <a href="#about-gssapitrustdns" class="md-nav__link"> About GSSAPITrustDNS </a> </li> <li class="md-nav__item"> <a href="#about-lang-lc_" class="md-nav__link"> About LANG LC_* </a> </li> <li class="md-nav__item"> <a href="#configuring-firefox-to-use-kerberos-for-sso" class="md-nav__link"> Configuring Firefox to 
use kerberos for SSO </a> </li> <li class="md-nav__item"> <a href="#about-git" class="md-nav__link"> About git </a> </li> <li class="md-nav__item"> <a href="#about-third-party-software" class="md-nav__link"> About third party software </a> </li> <li class="md-nav__item"> <a href="#troubleshooting" class="md-nav__link"> Troubleshooting </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../sshTunnel/" class="md-nav__link"> Accessing Internal Webpages from Outside CERN </a> </li> <li class="md-nav__item"> <a href="../DiskEncryption/" class="md-nav__link"> Disk Encryption </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_3_15" type="checkbox" id="__nav_2_3_15" > <label class="md-nav__link" for="__nav_2_3_15"> Further information <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Further information" data-md-level="3"> <label class="md-nav__title" for="__nav_2_3_15"> <span class="md-nav__icon md-icon"></span> Further information </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../MacServiceDocs/" class="md-nav__link"> Mac Service (CERN Service Portal) </a> </li> <li class="md-nav__item"> <a href="../MacCERNKBs/" class="md-nav__link"> Knowledge Base (CERN Service Portal) </a> </li> <li class="md-nav__item"> <a href="../AppleDocs/" class="md-nav__link"> Apple Documentation </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_4" type="checkbox" id="__nav_2_4" > <label class="md-nav__link" for="__nav_2_4"> iOS <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="iOS" data-md-level="2"> <label class="md-nav__title" for="__nav_2_4"> <span class="md-nav__icon md-icon"></span> iOS </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../ios/" 
class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item"> <a href="../PurchasingAppleHardware/" class="md-nav__link"> Purchasing </a> </li> <li class="md-nav__item"> <a href="../../ios/FrequentIssues/" class="md-nav__link"> Frequent Issues </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../ppc/" class="md-nav__link"> Public PC </a> </li> <li class="md-nav__item"> <a href="../../kiosk/" class="md-nav__link"> Requesting a KIOSK </a> </li> <li class="md-nav__item"> <a href="../../PC-HW/" class="md-nav__link"> Screens for PCs and Macs </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_8" type="checkbox" id="__nav_2_8" > <label class="md-nav__link" for="__nav_2_8"> Windows <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Windows" data-md-level="2"> <label class="md-nav__title" for="__nav_2_8"> <span class="md-nav__icon md-icon"></span> Windows </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../windows/" class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item"> <a href="../../windows/setupWindowsForCERN/" class="md-nav__link"> Set up Windows device for CERN </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_8_3" type="checkbox" id="__nav_2_8_3" > <label class="md-nav__link" for="__nav_2_8_3"> About Windows versions <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="About Windows versions" data-md-level="3"> <label class="md-nav__title" for="__nav_2_8_3"> <span class="md-nav__icon md-icon"></span> About Windows versions </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../windows/win11_new/" class="md-nav__link"> What is new in Windows 11 ? 
</a> </li> <li class="md-nav__item"> <a href="../../windows/version/" class="md-nav__link"> Windows versions </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_8_4" type="checkbox" id="__nav_2_8_4" > <label class="md-nav__link" for="__nav_2_8_4"> CMF <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="CMF" data-md-level="3"> <label class="md-nav__title" for="__nav_2_8_4"> <span class="md-nav__icon md-icon"></span> CMF </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../windows/cmf/" class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item"> <a href="../../windows/cmf/users_guide/" class="md-nav__link"> How to use CMF </a> </li> <li class="md-nav__item"> <a href="../../windows/cmf/admin_guide/" class="md-nav__link"> Administrators Guide </a> </li> <li class="md-nav__item"> <a href="../../windows/cmf/project_requirements/" class="md-nav__link"> Project Requirements </a> </li> <li class="md-nav__item"> <a href="../../windows/cmf/technical_description/" class="md-nav__link"> Technical Description </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_8_5" type="checkbox" id="__nav_2_8_5" > <label class="md-nav__link" for="__nav_2_8_5"> CERN AppStore <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="CERN AppStore" data-md-level="3"> <label class="md-nav__title" for="__nav_2_8_5"> <span class="md-nav__icon md-icon"></span> CERN AppStore </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../windows/CERNAppstore/client/" class="md-nav__link"> How to use CERN AppStore </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../windows/encryption/" class="md-nav__link"> Disk Encryption </a> </li> <li class="md-nav__item 
md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_8_7" type="checkbox" id="__nav_2_8_7" > <label class="md-nav__link" for="__nav_2_8_7"> Further information <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Further information" data-md-level="3"> <label class="md-nav__title" for="__nav_2_8_7"> <span class="md-nav__icon md-icon"></span> Further information </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../windows/windowsServiceDocs/" class="md-nav__link"> Windows Service (CERN Service Portal) </a> </li> <li class="md-nav__item"> <a href="../../windows/windowsCERNKBs/" class="md-nav__link"> Knowledge Base (CERN Service Portal) </a> </li> <li class="md-nav__item"> <a href="../../windows/microsoftDocs/" class="md-nav__link"> Microsoft Documentation </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../windows/homeFolders/" class="md-nav__link"> Home folders </a> </li> <li class="md-nav__item"> <a href="../../windows/installation/" class="md-nav__link"> Installation at CERN </a> </li> <li class="md-nav__item"> <a href="../../windows/joindomain/" class="md-nav__link"> Joining the CERN domain </a> </li> <li class="md-nav__item"> <a href="../../windows/windowsUpgrades/" class="md-nav__link"> Upgrading your Windows version </a> </li> <li class="md-nav__item"> <a href="../../windows/updates/" class="md-nav__link"> Keeping your computer up-to-date </a> </li> <li class="md-nav__item"> <a href="../../windows/WebAuthnWindows/" class="md-nav__link"> Using your fingerprint for 2FA </a> </li> <li class="md-nav__item"> <a href="../../windows/win11_application/" class="md-nav__link"> Follow-up Windows 11 Migration </a> </li> <li class="md-nav__item"> <a href="../../windows/win11_downgrade/" class="md-nav__link"> Downgrade from Windows 11 to Windows 10 </a> </li> <li class="md-nav__item"> <a href="../../windows/create_a_windows_virtual_machine/" 
class="md-nav__link"> Create a Windows virtual machine </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_8_17" type="checkbox" id="__nav_2_8_17" > <label class="md-nav__link" for="__nav_2_8_17"> Managing permissions on the file system <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Managing permissions on the file system" data-md-level="3"> <label class="md-nav__title" for="__nav_2_8_17"> <span class="md-nav__icon md-icon"></span> Managing permissions on the file system </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../windows/permissions/" class="md-nav__link"> Best practices to manage permissions </a> </li> <li class="md-nav__item"> <a href="../../windows/acl/" class="md-nav__link"> ACLs, ACE, Permissions...How to handle File Security? </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../windows/renameandmove/" class="md-nav__link"> Moving or renaming your computer </a> </li> <li class="md-nav__item"> <a href="../../windows/printing/" class="md-nav__link"> Printing from Windows </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2_8_20" type="checkbox" id="__nav_2_8_20" > <label class="md-nav__link" for="__nav_2_8_20"> Privacy on Windows <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Privacy on Windows" data-md-level="3"> <label class="md-nav__title" for="__nav_2_8_20"> <span class="md-nav__icon md-icon"></span> Privacy on Windows </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../windows/privacy/" class="md-nav__link"> Windows 10 </a> </li> <li class="md-nav__item"> <a href="../../windows/privacy_w11/" class="md-nav__link"> Windows 11 </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../windows/hardware/" class="md-nav__link"> 
Purchasing Windows hardware </a> </li> <li class="md-nav__item"> <a href="../../windows/hwRepair/" class="md-nav__link"> Repairing Windows hardware </a> </li> <li class="md-nav__item"> <a href="../../windows/reset/" class="md-nav__link"> Resetting Windows hardware </a> </li> <li class="md-nav__item"> <a href="../../windows/windowsServices/" class="md-nav__link"> Windows Toolbox webpage </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" > <label class="md-nav__link" for="__nav_3"> Productivity Software <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Productivity Software" data-md-level="1"> <label class="md-nav__title" for="__nav_3"> <span class="md-nav__icon md-icon"></span> Productivity Software </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/" class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_2" type="checkbox" id="__nav_3_2" > <label class="md-nav__link" for="__nav_3_2"> Antivirus <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Antivirus" data-md-level="2"> <label class="md-nav__title" for="__nav_3_2"> <span class="md-nav__icon md-icon"></span> Antivirus </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/eset-windows/" class="md-nav__link"> ESET for Windows </a> </li> <li class="md-nav__item"> <a href="../../../pss/eset-mac/" class="md-nav__link"> ESET for MacOS </a> </li> <li class="md-nav__item"> <a href="../../../pss/morescan/" class="md-nav__link"> More security scanners for Windows </a> </li> <li class="md-nav__item"> <a href="../../../pss/mbamclean/" class="md-nav__link"> Malwarebytes Support Tool </a> </li> <li class="md-nav__item"> <a 
href="../../../pss/defend/" class="md-nav__link"> Windows Defender </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_3" type="checkbox" id="__nav_3_3" > <label class="md-nav__link" for="__nav_3_3"> Authoring (e-Learning) <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Authoring (e-Learning)" data-md-level="2"> <label class="md-nav__title" for="__nav_3_3"> <span class="md-nav__icon md-icon"></span> Authoring (e-Learning) </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/atomi-ap/" class="md-nav__link"> Atomi ActivePresenter </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_4" type="checkbox" id="__nav_3_4" > <label class="md-nav__link" for="__nav_3_4"> Connectivity software <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Connectivity software" data-md-level="2"> <label class="md-nav__title" for="__nav_3_4"> <span class="md-nav__icon md-icon"></span> Connectivity software </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/andftp/" class="md-nav__link"> AndFTP (Android) </a> </li> <li class="md-nav__item"> <a href="../../../pss/RemoteDesktopClientMac/" class="md-nav__link"> Windows App (Mac) </a> </li> <li class="md-nav__item"> <a href="../../../pss/putty/" class="md-nav__link"> PuTTY (Windows) </a> </li> <li class="md-nav__item"> <a href="../../../pss/PaloAltoVPN/" class="md-nav__link"> PaloAlto VPN (Windows) </a> </li> <li class="md-nav__item"> <a href="../../../pss/termbot/" class="md-nav__link"> Termbot (Android) </a> </li> <li class="md-nav__item"> <a href="../../../pss/xwin32/" class="md-nav__link"> XWin-32 (Windows) </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input 
class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_5" type="checkbox" id="__nav_3_5" > <label class="md-nav__link" for="__nav_3_5"> Cloud storage <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Cloud storage" data-md-level="2"> <label class="md-nav__title" for="__nav_3_5"> <span class="md-nav__icon md-icon"></span> Cloud storage </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/cernbox/" class="md-nav__link"> CERNBox </a> </li> <li class="md-nav__item"> <a href="../../../pss/onedrive_cern/" class="md-nav__link"> OneDrive </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_6" type="checkbox" id="__nav_3_6" > <label class="md-nav__link" for="__nav_3_6"> Development <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Development" data-md-level="2"> <label class="md-nav__title" for="__nav_3_6"> <span class="md-nav__icon md-icon"></span> Development </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/visualstudio/" class="md-nav__link"> MS Visual Studio </a> </li> <li class="md-nav__item"> <a href="../../../pss/VSCode/" class="md-nav__link"> Visual Studio Code </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_7" type="checkbox" id="__nav_3_7" > <label class="md-nav__link" for="__nav_3_7"> Diagrams <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Diagrams" data-md-level="2"> <label class="md-nav__title" for="__nav_3_7"> <span class="md-nav__icon md-icon"></span> Diagrams </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/diagrams/" class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item"> <a href="../../../pss/draw.io/" 
class="md-nav__link"> Draw.IO </a> </li> <li class="md-nav__item"> <a href="../../../pss/visionline/" class="md-nav__link"> MS Visio Online </a> </li> <li class="md-nav__item"> <a href="../../../pss/visio365/" class="md-nav__link"> MS Visio 365 </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_8" type="checkbox" id="__nav_3_8" > <label class="md-nav__link" for="__nav_3_8"> Graphics editing <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Graphics editing" data-md-level="2"> <label class="md-nav__title" for="__nav_3_8"> <span class="md-nav__icon md-icon"></span> Graphics editing </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/adobecreativecloud/" class="md-nav__link"> Adobe Creative Cloud </a> </li> <li class="md-nav__item"> <a href="../../../pss/gimp/" class="md-nav__link"> Gimp </a> </li> <li class="md-nav__item"> <a href="../../../pss/inkscape/" class="md-nav__link"> Inkscape </a> </li> <li class="md-nav__item"> <a href="../../../pss/paintnet/" class="md-nav__link"> Paint.NET (Windows) </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_9" type="checkbox" id="__nav_3_9" > <label class="md-nav__link" for="__nav_3_9"> Note taking <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Note taking" data-md-level="2"> <label class="md-nav__title" for="__nav_3_9"> <span class="md-nav__icon md-icon"></span> Note taking </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/codi/" class="md-nav__link"> CodiMD </a> </li> <li class="md-nav__item"> <a href="../../../pss/onenote/" class="md-nav__link"> OneNote </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" 
data-md-toggle="__nav_3_10" type="checkbox" id="__nav_3_10" > <label class="md-nav__link" for="__nav_3_10"> Office suites <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Office suites" data-md-level="2"> <label class="md-nav__title" for="__nav_3_10"> <span class="md-nav__icon md-icon"></span> Office suites </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/office-suites/" class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_10_2" type="checkbox" id="__nav_3_10_2" > <label class="md-nav__link" for="__nav_3_10_2"> Microsoft Office <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Microsoft Office" data-md-level="3"> <label class="md-nav__title" for="__nav_3_10_2"> <span class="md-nav__icon md-icon"></span> Microsoft Office </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/office365/" class="md-nav__link"> Using Office 365 </a> </li> <li class="md-nav__item"> <a href="../../../pss/ms_office/" class="md-nav__link"> Office 365 Privacy </a> </li> <li class="md-nav__item"> <a href="../../../pss/proofing/" class="md-nav__link"> Proofing Tools for Office 365 </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../../pss/overleaf/" class="md-nav__link"> Overleaf </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../../pss/pdf-reading/" class="md-nav__link"> PDF reading </a> </li> <li class="md-nav__item"> <a href="../../../pss/microsoft_copilot/" class="md-nav__link"> Microsoft Copilot </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_13" type="checkbox" id="__nav_3_13" > <label class="md-nav__link" for="__nav_3_13"> PDF editing <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" 
aria-label="PDF editing" data-md-level="2"> <label class="md-nav__title" for="__nav_3_13"> <span class="md-nav__icon md-icon"></span> PDF editing </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/preview/" class="md-nav__link"> Preview (macOS) </a> </li> <li class="md-nav__item"> <a href="../../../pss/pdfxchange/" class="md-nav__link"> PDF-XChange (Windows) </a> </li> <li class="md-nav__item"> <a href="../../../pss/pdfexpert/" class="md-nav__link"> PDF Expert (macOS) </a> </li> <li class="md-nav__item"> <a href="../../../pss/adobeacrobat/" class="md-nav__link"> Adobe Acrobat Pro DC </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_14" type="checkbox" id="__nav_3_14" > <label class="md-nav__link" for="__nav_3_14"> Password management <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Password management" data-md-level="2"> <label class="md-nav__title" for="__nav_3_14"> <span class="md-nav__icon md-icon"></span> Password management </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/keepass2android/" class="md-nav__link"> Keepass2Android </a> </li> <li class="md-nav__item"> <a href="../../../pss/keepass_xc/" class="md-nav__link"> Keepass XC </a> </li> <li class="md-nav__item"> <a href="../../../pss/strongbox/" class="md-nav__link"> Strongbox (iOS) </a> </li> <li class="md-nav__item"> <a href="../../../pss/tbag/" class="md-nav__link"> tbag </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_15" type="checkbox" id="__nav_3_15" > <label class="md-nav__link" for="__nav_3_15"> Project management <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Project management" data-md-level="2"> <label class="md-nav__title" for="__nav_3_15"> 
<span class="md-nav__icon md-icon"></span> Project management </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/gantt-chart-viewer/" class="md-nav__link"> Gantt Chart Viewer </a> </li> <li class="md-nav__item"> <a href="../../../pss/jira/" class="md-nav__link"> JIRA </a> </li> <li class="md-nav__item"> <a href="../../../pss/project/" class="md-nav__link"> Microsoft Project </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_16" type="checkbox" id="__nav_3_16" > <label class="md-nav__link" for="__nav_3_16"> Virtualization software <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Virtualization software" data-md-level="2"> <label class="md-nav__title" for="__nav_3_16"> <span class="md-nav__icon md-icon"></span> Virtualization software </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/hyperv/" class="md-nav__link"> Hyper-V (Windows) </a> </li> <li class="md-nav__item"> <a href="../../../pss/openstack/" class="md-nav__link"> OpenStack </a> </li> <li class="md-nav__item"> <a href="../../../pss/virtualbox/" class="md-nav__link"> Oracle VirtualBox </a> </li> <li class="md-nav__item"> <a href="../../../pss/parallels/" class="md-nav__link"> Parallels (macOS) </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_17" type="checkbox" id="__nav_3_17" > <label class="md-nav__link" for="__nav_3_17"> Web Authoring software <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Web Authoring software" data-md-level="2"> <label class="md-nav__title" for="__nav_3_17"> <span class="md-nav__icon md-icon"></span> Web Authoring software </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../../pss/webauth/" 
class="md-nav__link"> Web Authoring tools for Desktops </a> </li> </ul> </nav> </li> </ul> </nav> </li> </ul> </nav> </div> </div> </div> <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class="md-nav__title" for="__toc"> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix> <li class="md-nav__item"> <a href="#kerberos-configuration" class="md-nav__link"> Kerberos Configuration </a> <nav class="md-nav" aria-label="Kerberos Configuration"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#kerberos-config-file-for-users-without-self-service" class="md-nav__link"> Kerberos config file for users without Self-Service </a> </li> <li class="md-nav__item"> <a href="#changes-for-centos8" class="md-nav__link"> Changes for Centos8 </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#ssh-configuration" class="md-nav__link"> ssh Configuration </a> </li> <li class="md-nav__item"> <a href="#about-gssapitrustdns" class="md-nav__link"> About GSSAPITrustDNS </a> </li> <li class="md-nav__item"> <a href="#about-lang-lc_" class="md-nav__link"> About LANG LC_* </a> </li> <li class="md-nav__item"> <a href="#configuring-firefox-to-use-kerberos-for-sso" class="md-nav__link"> Configuring Firefox to use kerberos for SSO </a> </li> <li class="md-nav__item"> <a href="#about-git" class="md-nav__link"> About git </a> </li> <li class="md-nav__item"> <a href="#about-third-party-software" class="md-nav__link"> About third party software </a> </li> <li class="md-nav__item"> <a href="#troubleshooting" class="md-nav__link"> Troubleshooting </a> </li> </ul> </nav> </div> </div> </div> <div class="md-content" data-md-component="content"> <article class="md-content__inner md-typeset"> <a 
href="https://gitlab.cern.ch/IT-DEP-CDA-AD/devices-docs/blob/master/docs/devices/mac/AboutKerberosAndSsh.md" title="Edit this page" class="md-content__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25Z"/></svg> </a> <h1 id="about-kerberos-and-ssh">About kerberos and ssh</h1> <p>If you have a valid kerberos ticket you can configure ssh to forward your credentials, allowing password-less connections to properly configured linux boxen. </p> <h2 id="kerberos-configuration">Kerberos Configuration</h2> <p>It is useful to create a kerberos config file. The Mac Self-Service has an action item called "kerberos config file new" in the category 'Configuration'. Once the config file is created (in /etc/krb5.conf), you can run <code>kinit yourCernAccountName</code> to create a kerberos token that you can use for your browser, for ssh, the Self-Service login and many other services.</p> <h3 id="kerberos-config-file-for-users-without-self-service">Kerberos config file for users without Self-Service</h3> <p>For users that cannot use the CERN Self-Service, to configure Kerberos write the following file in <code>/etc/krb5.conf</code>.</p> <div class="highlight"><pre><span></span><code>; AD : This Kerberos configuration is for CERN's Active Directory realm
; The line above this is magic and is used by cern-config-keytab. Do
; not remove.
; Installed with puppet from a series of
; template fragments.
; /etc/krb5.conf
[libdefaults]
 default_realm = CERN.CH
 ticket_lifetime = 25h
 renew_lifetime = 120h
 forwardable = true
 proxiable = true
 default_etypes = aes256-cts-hmac-sha1-96 aes256-cts aes128-cts
 chpw_prompt = true

[appdefaults]
 pam = {
   external = true
   krb4_convert = false
   krb4_convert_524 = false
   krb4_use_as_req = false
 }

[domain_realm]
 .cern.ch = CERN.CH
 .fnal.gov = FNAL.GOV
 .hep.man.ac.uk = HEP.MAN.AC.UK
 .in2p3.fr = IN2P3.FR
# No default domain for KFKI.HU specified.

[realms]
# Start of puppet output for CERN.CH
 CERN.CH = {
  default_domain = cern.ch
  kpasswd_server = cerndc.cern.ch
  admin_server = cerndc.cern.ch
  kdc = cerndc.cern.ch
  v4_name_convert = {
    host = {
      rcmd = host
    }
  }
 }

# Start of puppet output for FNAL.GOV
 FNAL.GOV = {
  default_domain = fnal.gov
  admin_server = krb-fnal-admin.fnal.gov
  kdc = krb-fnal-1.fnal.gov:88
  kdc = krb-fnal-2.fnal.gov:88
  kdc = krb-fnal-3.fnal.gov:88
 }

# Start of puppet output for HEP.MAN.AC.UK
 HEP.MAN.AC.UK = {
  default_domain = hep.man.ac.uk
  kpasswd_server = afs4.hep.man.ac.uk
  admin_server = afs4.hep.man.ac.uk
  kdc = afs1.hep.man.ac.uk
  kdc = afs2.hep.man.ac.uk
  kdc = afs3.hep.man.ac.uk
  kdc = afs4.hep.man.ac.uk
 }

# Start of puppet output for IN2P3.FR
 IN2P3.FR = {
  default_domain = in2p3.fr
  kpasswd_server = kerberos-admin.in2p3.fr
  admin_server = kerberos-admin.in2p3.fr
  kdc = kerberos-1.in2p3.fr
  kdc = kerberos-2.in2p3.fr
  kdc = kerberos-3.in2p3.fr
 }

# Start of puppet output for KFKI.HU
 KFKI.HU = {
  admin_server = kerberos.kfki.hu
  kdc = kerberos.kfki.hu
 }
</code></pre></div> <h3 id="changes-for-centos8">Changes for Centos8</h3> <p>Previous versions of the /etc/krb5.conf file used</p> <p><code>default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc</code></p> <p>With that setting you can login to a Centos8 node, but you would not get an afs token. 
The new version of the /etc/krb5.conf file uses</p> <p><code>default_etypes = aes256-cts-hmac-sha1-96 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc</code></p> <h2 id="ssh-configuration">ssh Configuration</h2> <p>You need to instruct ssh to use (or "forward") your kerberos token to log in to lxplus or other services. This can be done on the command line, or more conveniently via the ssh configuration.</p> <p>The necessary configuration can be applied in two places on your Mac:</p> <ul> <li>In <code>/etc/ssh/ssh_config</code> (not <code>sshd_config</code>!) (was <code>/etc/ssh_config</code> prior to OS 10.12). In that case it is applied to all accounts on the Mac. Editing this file requires sudo privileges, but we will see further down why we want to edit this in any case...</li> <li>In <code>~/.ssh/config</code>. In that case it is applied to the current Mac account only.</li> </ul> <p>You should only forward your credentials to hosts that are trustworthy. If you forward your credentials to a rogue host you run the risk that somebody abuses your credentials. So it is important to have the settings in question inside a 'Host' block for trusted hosts only! Do not put these settings in a 'Host *' block! In the following snippet the settings apply to the hosts "lxplus.cern.ch", "svn.cern.ch", "mylinuxbox.cern.ch" and all hosts matching "pcmydepmygroup*.cern.ch".</p> <blockquote> <p>#<br /> Host lxplus.cern.ch aiadm.cern.ch mylinuxbox.cern.ch pcmydepmygroup*.cern.ch</p> <p>GSSAPIAuthentication yes<br /> GSSAPIDelegateCredentials yes<br /> #...</p> </blockquote> <h2 id="about-gssapitrustdns">About GSSAPITrustDNS</h2> <p>Up to OS 10.11.6 the built-in ssh and scp binaries supported the option <code>GSSAPITrustDNS</code>, which at that time was very useful for connecting to lxplus. This option is not supported any longer, but due to an improved configuration of lxplus it is also not needed any more. 
If you used it in the past you will have to remove it from your ssh configuration files.</p> <h2 id="about-lang-lc_">About LANG LC_*</h2> <p>When connecting to lxplus or other linux boxen with OS prior to CC8, we might be greeted with messages like </p> <blockquote> <p>perl: warning: Setting locale failed.<br /> perl: warning: Please check that your locale settings:<br /> LANGUAGE = (unset),<br /> LC_ALL = (unset),<br /> LC_CTYPE = "UTF-8",<br /> LANG = "en_US.UTF-8"<br /> are supported and installed on your system.<br /> perl: warning: Falling back to the standard locale ("C").</p> </blockquote> <p>We can avoid these by deleting or commenting out the line</p> <blockquote> <p>SendEnv LANG LC_*</p> </blockquote> <p>from <code>/etc/ssh/ssh_config</code>. Unfortunately there is no way to achieve the same result by any parameter in <code>~/.ssh/config</code> - and Apple overwrites <code>/etc/ssh/ssh_config</code> with almost every OS or security update :(</p> <p>In case you have all required settings in <code>~/.ssh/config</code> and do not need any of the settings from <code>/etc/ssh/ssh_config</code> you can use the ssh or scp option '<code>-F ~/.ssh/config</code>' to avoid reading <code>/etc/ssh/ssh_config</code>, and thus avoid being bothered by Apple re-activating the <code>SendEnv LANG LC_*</code> with every update to ssh.</p> <h2 id="configuring-firefox-to-use-kerberos-for-sso">Configuring Firefox to use kerberos for SSO</h2> <p>To enable Firefox to use your kerberos token apply the following steps:</p> <ul> <li>type <code>about:config</code> in the address bar</li> <li>type <code>negotiate</code> in the Search field</li> <li>click on the edit button for the <code>network.negotiate-auth.trusted-uris</code> field</li> <li>enter <code>cern.ch</code> in the text field</li> </ul> <h2 id="about-git">About git</h2> <p>The git version provided by Apple has a configuration that has problems handling git via kerberos. 
On cloning a repository you might get messages like</p> <blockquote> <p>remote: HTTP Basic: Access denied<br /> fatal: Authentication failed for 'https://:@gitlab.cern.ch:8443/macsupport/packaging-tools.git/'</p> </blockquote> <p>To avoid this run <code>git config --global http.emptyAuth true</code></p> <h2 id="about-third-party-software">About third party software</h2> <p>Some popular package managers like brew, macports etc. provide their own versions of kinit, ssh, ... Unfortunately these use different places to store the kerberos token and as a result are incompatible with the executables provided by macOS. We recommend not using any third party kerberos or ssh binaries.</p> <h2 id="troubleshooting">Troubleshooting</h2> <p>If your ssh login asks for a password despite the fact that you have a kerberos token, run the command <code>klist</code> to display your tokens. The first line of the output should look like </p> <blockquote> <p><strong>Credentials cache:</strong> API:3A10A0E1-7B9E-407A-8CB0-1B5D331BA0B4</p> </blockquote> <p>where the '3A10A0E1-7B9E-407A-8CB0-1B5D331BA0B4' will be different for every user and every session.</p> <p>Different output indicates that you were using a non-standard kinit (and klist) command (for example, Anaconda installs one). </p> <p>Try using the command <code>/usr/bin/kinit</code> (and <code>/usr/bin/klist</code>) for generating and listing your tickets. If that works, it means that your $PATH variable was modified by some other software you installed, and when you use simply <code>kinit</code>/<code>klist</code>, it uses that version which is incompatible. 
To fix this permanently, you would have to alter your $PATH variable to point instead to these two built-in commands.</p> </article> </div> <script>var tabs=__md_get("__tabs");if(Array.isArray(tabs))e:for(var set of document.querySelectorAll(".tabbed-set")){var tab,labels=set.querySelector(".tabbed-labels");for(tab of tabs)for(var label of labels.getElementsByTagName("label"))if(label.innerText.trim()===tab){var input=document.getElementById(label.htmlFor);input.checked=!0;continue e}}</script> </div> </main> <footer class="md-footer"> <nav class="md-footer__inner md-grid" aria-label="Footer" > <a href="../RepairingAppleHardware/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Repairing Apple Hardware" rel="prev"> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </div> <div class="md-footer__title"> <div class="md-ellipsis"> <span class="md-footer__direction"> Previous </span> Repairing Apple Hardware </div> </div> </a> <a href="../sshTunnel/" class="md-footer__link md-footer__link--next" aria-label="Next: Accessing Internal Webpages from Outside CERN" rel="next"> <div class="md-footer__title"> <div class="md-ellipsis"> <span class="md-footer__direction"> Next </span> Accessing Internal Webpages from Outside CERN </div> </div> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4Z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class="md-copyright"> Made with <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener"> Material for MkDocs </a> </div> </div> </div> </footer> </div> <div class="md-dialog" data-md-component="dialog"> <div class="md-dialog__inner md-typeset"></div> </div> <script 
id="__config" type="application/json">{"base": "../../..", "features": ["navigation.tabs", "content.tabs.link"], "search": "../../../assets/javascripts/workers/search.5bf1dace.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version.title": "Select version"}}</script> <script src="../../../assets/javascripts/bundle.37e9125f.min.js"></script> </body> </html>
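Added example (not part of the original CERN page): a small audit of an ssh client config for the two points made in the "ssh Configuration" and "About GSSAPITrustDNS" sections, namely that `GSSAPIDelegateCredentials yes` must sit only in `Host` blocks for trusted hosts and that `GSSAPITrustDNS` must be removed. The `audit` function, the `trusted_suffix` policy and the sample config are assumptions made for this example.

```python
import re

# Constructed sample (not from the page): a scoped block modelled on the
# page's snippet, a leftover GSSAPITrustDNS line, and an unsafe 'Host *' block.
SAMPLE_CONFIG = """\
# ~/.ssh/config
Host lxplus.cern.ch mylinuxbox.cern.ch pcmydepmygroup*.cern.ch
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDNS yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials=yes
"""

# ssh_config accepts both "Keyword value" and "Keyword=value".
OPTION_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")


def audit(text, trusted_suffix=".cern.ch"):
    """Return (line_number, kind, detail) findings for an ssh client config.

    trusted_suffix is this example's policy assumption: delegation is only
    accepted for Host patterns ending in that suffix.
    """
    findings = []
    scope = None  # None: before any Host/Match line, so it applies to all hosts
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        key = m.group(1).lower()  # keywords are case-insensitive
        value = m.group(2).strip().strip('"')
        if key == "host":
            scope = value.split()
        elif key == "match":
            # Match criteria are not evaluated here; report for manual review.
            scope = ["<match " + value + ">"]
        elif key == "gssapitrustdns":
            findings.append((lineno, "unsupported", "GSSAPITrustDNS"))
        elif key == "gssapidelegatecredentials" and value.lower() == "yes":
            for pattern in scope or ["<global>"]:
                if pattern.startswith("!"):
                    continue  # negated patterns exclude hosts
                if not pattern.endswith(trusted_suffix):
                    findings.append((lineno, "delegation", pattern))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {detail}")
```

To confirm what ssh would actually apply to one host after all files are merged, `ssh -G hostname` prints the evaluated options, including `gssapidelegatecredentials`.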