« Samba + OpenLDAP + Kerberos + AFP + Leopard = ♥ | Main | About the Mac OS X SIG blog »

Getting Kerberos credentials at login

Many of us have Stanford Desktop Tools on our machine, or at least have a proper edu.mit.Kerberos file (aka krb5.conf) so that we can use Kerberos authentication for email programs like Mail.app or Eudora, web browsers like Safari with HTTP Negotiate, and other single sign-on services like filesharing. But out-of-the-box, we're faced with double-authentication scenarios, where we first log into our Mac, then we face a Kerberos dialogue box (where we enter our SUNet ID and password). Wouldn't it be nice to get our Kerberos credentials at the same time we log in?

This can be done, but it requires a little Mac kung-fu. If you follow these steps, you will not need to re-authenticate to a supplemental Kerberos dialogue box, provided your Mac's login name and password is the same as your SUNet ID and SUNet password. If your account name on your computer is something else (like "johnny" when your SUNet ID is "jdoe") it won't work.

Warning: you can really shoot yourself in the foot if you do this incorrectly. First, make a copy of the XML file /etc/authorization. Fire up the Terminal application and type:

sudo cp /etc/authorization /etc/authorization.orig
Next, let's begin editing the original.

Still in the Terminal, use your favorite text editor and search for the <key>system.login.console</key> line and find the <key>mechanisms</key> entry. There's an array that follows this key.

If you are using Mac OS X 10.4 (Tiger):
Change <string>authinternal</string> to <string>builtin:krb5authnoverify,privileged</string>.

If you are using Mac OS X 10.5 (Leopard):
Change <string>builtin:authenticate,privileged</string> to <string>builtin:krb5authnoverify,privileged</string>.

That should be it—when you next log into your computer, you'll have your Kerberos credentials (again, only if you have a valid /Library/Preferences/edu.mit.Kerberos file and your using your SUNet ID and password to log into your Mac).

Here are some external links:
Penn State's Guide
Apple's Support Document
Stanford Desktop Tools webpage
Stanford Kerberos for Macintosh Tool webpage

Backing out:
If you fat-finger your /etc/authorization file and can't log into your Mac, start up in single user mode. By default, your hard drive is read-only. Type mount -uw / to make your startup volume read/writable.

Next, replace your /etc/authorization with your original file. Type

cp /etc/authorization.orig /etc/authorization
Then, type shutdown -r now to reboot.

TrackBack

TrackBack URL for this entry:
http://www.stanford.edu/group/macosxsig/cgi-bin/mt/mt-tb.cgi/3

Comments (5)

Surajit Bose:

Nice. Thanks for posting this, Noah.

Jay Stamps:

You'll need to have a network available when you authenticate, obviously, in order to obtain a Kerberos TGT. Using Tiger w/ a wireless connection, eg, you may not succeed in authenticating to Kerberos at login; using Leopard you probably will succeed. If a network isn't available, you'll simply be authenticated locally.

Thanks for posting this, Noah. What's the risk of using the same username/password for your Mac and for your SUNet ID?

That's a good question. There's no risk per se, in the sense that it won't "do bad things" to your computer. But there are some considerations, and it's worthwhile looking at different scenarios.

If your Mac is exclusively bound to a central campus directory, then your un/pw is kept on a highly secure external system. I would say this is the least-risky scenario. In fact, it's a very smart idea, because you can securely change your SUNet/login password online anytime, thwarting unauthorized logins in the case of an unintended password disclosure.

More likely, your Mac is not bound to an external directory. If you choose to use your SUNet ID and password additionally as your Mac's un/pw, your information will be stored on your hard drive in NetInfo (if it's ≤ 10.4) or in the "local default" directory (if it's 10.5). Most admins would say password discovery is exceptionally unlikely, even after a compromise (keystroke loggers excepted). Your files are much more at risk than your password.

But I can think of a couple reasons why using one's SUNet ID and password to log into your Mac is a good idea, policy-wise.

First, University affiliates' SUNet ID passwords must meet requirements not present on Mac OS X. In fact, users need not have passwords at all.

Second, I think people are more discreet with their SUNet password than with a self-chosen local un/pw. At least my end user support experience suggests this. I've been more successful asking "What's the password you use to log into your Mac?" than "What is your email password?". Or, at least, people are think twice about the latter.

I think the best scenario is to have your desktop computer bound to an external directory, while having your Mac OS X Keychain password something different (and something very high quality).

Thanks for expanding. I should have been more clear in explaining that I have a laptop with a local user account that is not bound to an external directory. But your reply gives a good overview of multiple scenarios. Always good to learn more about security.

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)


About

This page contains a single entry from the blog posted on February 7, 2008 8:14 PM.

The previous post in this blog was Samba + OpenLDAP + Kerberos + AFP + Leopard = ♥.

The next post in this blog is About the Mac OS X SIG blog.

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.
Traffic analyzed by Google Analytics. Site powered by Movable Type 4.32-en