Skip to main content

Benjamin Oakes

Photo of Ben Oakes

Hi, I'm Ben Oakes and this is my geek blog. Currently, I'm a Ruby/JavaScript Developer at Liaison. Previously, I was a Developer at Continuity and Hedgeye, a Research Assistant in the Early Social Cognition Lab at Yale University and a student at the University of Iowa. I also organize, ICRuby, OpenHack Iowa City, and previously organized NewHaven.rb. I have an amazing wife named Danielle Oakes.

Filtering for the month January, 2009. Clear

Kerberos for SSH authentication

by Ben

I had a problem using Kerberos for SSH authentication on a MacBook Pro using Mac OS X 10.5.5.

Edit: Here’s my original description of the problem on the Mac OS X Hints forums.

I can’t get Kerberos to work for my user on my MacBook Pro (MacBookPro1,1), OS X Leopard 10.5.5.

What I know so far:

1) It works correctly on my machine if I log in as a new user
2) I can get Kerberos tickets using both the GUI and kinit (i.e. they show up in klist) using my user
3) For some reason, when I make ssh verbose, I have:

debug3: preferred publickey,keyboard-interactive,password

…as my user, but as a different user (which works) I have:

debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password

gssapi should be Kerberos, so my user is just skipping my Kerberos tickets.

4) My /etc/ssh_config file looks fine. All other configuration that I can find isn’t work
5) ssh keys don’t work either

Any help would be appreciated — having to type in passwords with every bzr command isn’t fun!

After lots of trial and error, I knew:

debug3: publickey,keyboard-interactive,password

…as my user, but as a different user (which worked) I had:

debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password

(gssapi should be Kerberos)

It turned out that MacPorts was to blame. Running which ssh in my account gave:


On the other had, a newly created account would have:


The fix is to change $PATH, of course. However, I’m not sure why some MacPorts package would have installed ssh as a dependancy.