
How to Use Kerberos on macOS

Overview

The Kerberos subsystem has been included in macOS since its initial launch in March 2001. It has evolved along with macOS over time.

At Stanford your SUNetID is your Kerberos identity. They are one and the same.

Kerberos files

The files for working with Kerberos are located in the folder /usr/bin. The primary binary files are:

  • The command to authenticate to the Kerberos system: /usr/bin/kinit <SUNetID>. This is also referred to as “acquiring a TGT or ticket-granting ticket.”
  • The command to display currently held TGTs: /usr/bin/klist.
  • The command to delete current TGTs: /usr/bin/kdestroy.
  • The command to change your Kerberos password, /usr/bin/kpasswd, is included in the Apple Kerberos system but is not used at Stanford. To change your Kerberos password go to Account Manager.

Kerberos is configured for Stanford in a file that is user-installed in /Library/Preferences/edu.mit.Kerberos. It's a somewhat non-standard file name that has been a part of macOS since the beginning. Learn more about Kerberos on macOS and Kerberos at Stanford.

How to work with Kerberos

There are two methods for working with Kerberos authentication on macOS:

  • The traditional method of working from the command line in Terminal.app
  • Using the included, but hard to find, Ticket Viewer.app.

Both methods can be used for the basic tasks of authentication to Kerberos.

This document describes the basic Kerberos-related tasks in both of those tools.

Instructions

Terminal.app instructions

  • This is the traditional method for managing Kerberos credentials, because Kerberos pre-dates most modern graphical operating systems. Each of the four commands listed in the Overview above is manually entered into a terminal window and executed.

    Terminal app code
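The Terminal workflow described above, as an added shell example that is not part of the original page: it wraps the commands the page lists so that a TGT is requested only when `klist -s` reports that none is valid, and so that tickets can be removed when the session is done. The function names and the KINIT/KLIST/KDESTROY override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# Default paths are the ones the page lists; the environment overrides are
# an assumption of this example so the functions can be exercised offline.
: "${KINIT:=/usr/bin/kinit}"
: "${KLIST:=/usr/bin/klist}"
: "${KDESTROY:=/usr/bin/kdestroy}"

# Return 0 only if the default credential cache holds a valid, unexpired TGT.
# "klist -s" prints nothing and reports the result through its exit status.
have_tgt() {
    "$KLIST" -s 2>/dev/null
}

# Acquire a TGT for the given SUNetID unless a valid one is already held.
# Prints "reused" or "acquired"; returns 2 on a bad argument, 1 on failure.
ensure_tgt() {
    sunetid=$1
    case $sunetid in
        ''|-*)  # empty, or would be parsed by kinit as an option
            echo "usage: ensure_tgt <SUNetID>" >&2
            return 2 ;;
    esac
    if have_tgt; then
        echo reused
        return 0
    fi
    # kinit prompts for the password on the terminal; it is never passed
    # as an argument, so it does not end up in shell history or ps output.
    "$KINIT" "$sunetid" || return 1
    have_tgt || return 1
    echo acquired
}

# Delete held tickets (for example before leaving a shared Mac) and confirm
# that no valid TGT remains afterwards.
drop_tgt() {
    "$KDESTROY" 2>/dev/null || :
    ! have_tgt
}

# Typical interactive use, after sourcing this file:
#   ensure_tgt your_sunetid && /usr/bin/klist
#   drop_tgt
```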

 

Ticket Viewer.app instructions

  1. This app is part of the Kerberos subsystem that is included in macOS by Apple. It can be found at: /System/Library/CoreServices/Ticket\ Viewer.app

  2. Ticket Viewer is a graphical user interface for the Kerberos system and features buttons for each of the four commands listed in the Overview above. A Ticket Viewer shortcut can be added to the Dock by dragging the app from Finder to the desired location on the Dock. When launched, the user is presented with this view:

    Ticket viewer screen

  3. To authenticate (obtain a TGT) click the Add Identity button. A drop-down dialog box for entering your SUNetID and password is displayed.

    Ticket viewer screen with dialog box to enter SUNet ID and password

  4. After successful authentication you will see the SUNetID and an expiration date/time.

    Ticket viewer screen with expiration date and time

Auristor AFS client instructions

  1. If the Auristor AFS client for Mac is installed, there will be an addition to System Preferences. This Preference Pane contains options and controls for managing and using Kerberos as well as AFS.

    Auristor icon

  2. When you launch the Preference Pane you will be presented with this screen:

    Auristor screen after Preference Pane is launched

  3. To use this Preference Pane to manage Kerberos, select the checkboxes for Backgrounder and Use aklog.

    Selecting Backgrounder and Use aklog on the Auristor screen

  4. Select the Get new Token button to display a Kerberos authentication dialog box. Enter your SUNetID and Password and an entry will be displayed in the Tokens List.

    Kerberos authentication dialog box

  5. At this point you have successfully acquired a Kerberos TGT as well as an AFS token.

Last modified February 28, 2024