kerberos

OS X 10.4.9 seems to demolish Kerberos over ssh

March 29th, 2007

I just installed the OS X 10.4.9 update yesterday. Since then, ssh has failed to forward my Kerberos and AFS tickets to the office. Saying this is a big pain is perhaps the understatement of the decade. (It’s thrilling to log in to my office computer and not have access rights to any of my files — it makes me feel like a secret ninja hacker, just like Matthew Broderick in Wargames!) As far as I can tell, this is the default behavior in the version of ssh included with 10.4.9 (bad idea, Apple). Fortunately, this simple solution worked for me:

  1. Open Terminal.
  2. Using your favorite editor, open the file /etc/ssh_config.
  3. Uncomment (i.e. remove the “#” from) the following lines:
    • Host *
    • GSSAPIAuthentication
    • GSSAPIDelegateCredentials
    • GSSAPIKeyExchange
  4. If a “no” appears in the … part of any line you uncommented, change it to a “yes”.
  5. Save the file. You’ll need an administrator password.
  6. (Hopefully) enjoy functional ticket forwarding again, like before you upgraded.
  7. Grimace, since you haven’t tested any of your Audio Units under 10.4.9 yet. Be glad you made a backup.

This seems to make ssh slower, but it also seems to work.
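
A quick way to confirm the edit took effect, as an added example that is not part of the original post: the shell functions below report whether each of the three options from step 3 is set to yes, set to no, still commented out, or absent. The function names and the sample file are constructed for illustration, and the script reads the file as a flat list, ignoring which Host block a line belongs to (an assumption that fits the single Host * block described above).

```sh
#!/bin/sh
# Added example (not from the original post): check the GSSAPI client options
# in an ssh_config file. Function names are hypothetical.

# gssapi_state FILE OPTION -> prints yes | no | commented | missing
gssapi_state() {
    awk -v opt="$2" '
        BEGIN { want = tolower(opt); state = "missing" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            commented = 0
            if (line ~ /^#/) { commented = 1; sub(/^#[ \t]*/, "", line) }
            n = split(line, f, /[ \t=]+/)
            if (n < 2 || tolower(f[1]) != want) next
            if (commented) { if (state == "missing") state = "commented"; next }
            # Keep the first active value found; later ones are ignored here.
            if (state == "missing" || state == "commented") state = tolower(f[2])
        }
        END { print state }
    ' "$1"
}

# gssapi_audit FILE -> prints one line per option, returns 0 only if all are "yes"
gssapi_audit() {
    rc=0
    for opt in GSSAPIAuthentication GSSAPIDelegateCredentials GSSAPIKeyExchange; do
        s=$(gssapi_state "$1" "$opt")
        printf '%-28s %s\n' "$opt" "$s"
        [ "$s" = "yes" ] || rc=1
    done
    return $rc
}

# Constructed sample: the options still commented out, as before the fix.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Host *
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
EOF
gssapi_audit "$sample" || echo "ticket forwarding is not fully enabled"
```

To check the real file, run `gssapi_audit /etc/ssh_config` after saving your changes.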