Regaining Kerberos support in OS X 10.6 for Single-Sign On authentication

Vincent Danen was very disappointed that Apple removed the Kerberos GUI tool in the latest version of Mac OS X. To regain SSO authentication, he shares a shell script that he wrote to get back the functionality.

---------------------------------------------------------------------------------------

Mac OS X 10.5 was the first version of OS X that I seriously attempted to set up and use with Kerberos Single-Sign On (SSO) authentication. One weekend I set up my home network (all local machines and all virtual machines) to use Kerberos and, when that effort was done, I had an extremely nice SSO setup that worked very well. OS X played well with the Linux systems and I was using SSO with subversion, SSH, and Apache (even to the point where I could auto-login to MediaWiki due to the mod_auth_kerb apache module). There was a great GUI tool to help configure Kerberos and obtain/refresh Kerberos tickets. OS X 10.5 was pretty much on-par with my Fedora workstations as far as Kerberos support was concerned.

So imagine my surprise when I upgraded to 10.6 and found that the Kerberos GUI tool was removed in favour of an extremely lame and function-lacking tool called Ticket Viewer. The Ticket Viewer offers less than half the functionality of what the Kerberos utility did. And to make matters worse, the Kerberos tool itself has been removed.

Why Apple made this absolutely brain-dead move is beyond me. Now when my Kerberos ticket expires, I am no longer prompted to re-authenticate to obtain a new ticket. When an application attempts to negotiate credentials without a valid ticket, I'm no longer asked for my Kerberos password to satisfy the request and obtain a new ticket.

In other words, Kerberos support in 10.6 regressed to the point of being functional but not at all convenient. Where I enjoy a nice little key icon in GNOME's menubar on Fedora, I have to open a Terminal and kinit every time I need to obtain a ticket. Not such a big deal for me as I always have Terminal open. But for my wife? This certainly is a big deal as she all of a sudden wonders why some Web services on the local network are no longer available to her.

So, in the spirit of scratching my own itch, I wrote a shell script that I run out of GeekTool to provide the functionality I need. Essentially, all it needs to do is prompt for a Kerberos password when a ticket needs to be refreshed or checked out.

I made this script work with GeekTool but it could probably be made to work with cron. Essentially, the script checks to see when the TGT (ticket granting ticket) expires. It will output the expiry time unless there is less than one hour until expiry at which point it indicates how many minutes are left. If there are less than 10 minutes left until it expires or if there is no ticket, it calls kinit to prompt for the password. Interestingly, if you try to pass anything as standard input to kinit, it opens a GUI password dialog.

There are two oddities, however. The first is that you need to pass a lifetime option to kinit; otherwise, for some reason, when run under GeekTool it obtains a ticket with a one-minute lifetime. The second is that the BSD date tool differs from the GNU date tool, so much so that /bin/date will not allow you to set a timespec other than "now". This could be worked around with a Python script, but with fink installed (specifically the coreutils-default package), /sw/bin/date is much more useful.

Interestingly enough, when given some input on standard input, kinit pops up a GUI dialog for the password, so feeding it input makes it much friendlier. As well, call it with a ticket lifetime of 86400 seconds (24 hours) to get the maximum ticket lifetime you can.

#!/bin/sh
# Expiry column of the krbtgt line in klist output ("MM/DD/YY HH:MM:SS");
# empty when the cache holds no TGT at all.
kexpire=$(klist 2>/dev/null | grep krbtgt | head -n 1 | awk '{print $3, $4}')

# Prompt for a password via kinit, unless a kinit is already waiting for one.
# Piping something into kinit makes it open the GUI password dialog, and
# -l 86400 asks for the maximum (24 hour) lifetime; under GeekTool the default
# comes out as one minute.
call_kinit()
{
    if [ ! "$(ps ax | grep ' kinit' | grep -v grep)" ]; then
        echo '' | kinit -l 86400 &
    fi
}

# No TGT in the cache: obtain one right away.
if [ -z "${kexpire}" ]; then
    echo "WARNING: no Kerberos TGT found!"
    call_kinit
    exit 1
fi

# GNU date from fink; BSD /bin/date cannot parse the expiry timestamp with -d.
expiretime=$(/sw/bin/date +%s -d "${kexpire}")
currenttime=$(/sw/bin/date +%s)
timeleft=$(( (expiretime - currenttime) / 60 ))

if [ "${timeleft}" -lt 0 ]; then
    echo "WARNING: Kerberos TGT is expired!"
    call_kinit
    exit 1
fi
if [ "${timeleft}" -lt 60 ]; then
    echo "WARNING: Kerberos TGT expires in ${timeleft} minutes!"
    if [ "${timeleft}" -lt 10 ]; then
        call_kinit
    fi
    exit 1
else
    echo "Kerberos TGT expires at ${kexpire}"
    exit 0
fi

With the above, Kerberos support in 10.6 is no longer a tooth-pulling affair. It is unfortunate that Apple neglected the enterprise and educational sectors so badly in this area as SSO support is important to a lot of people and considering how well it worked in 10.5, there really is no excuse for this regression.
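As an added example (not the author's script), the expiry check and the renew/warn/ok decision above can be written so that they do not depend on either GNU date's -d or BSD date's -j -f: the klist timestamp is converted to an epoch with plain awk arithmetic, and the current UTC offset comes from POSIX "date +%z", which both /bin/date and GNU date understand. The klist sample below is constructed; the column layout (expiry in fields 3 and 4, principal in field 5, two-digit year) and the function names are assumptions, and the "now" value is passed in so the logic can be checked without a real ticket cache.

```shell
#!/bin/sh
# Constructed sample of MIT klist output in the column layout the article's
# script relies on ($3 $4 = expiry, $5 = service principal). The header lines
# and the two-digit year are assumptions about the OS X 10.6 build.
SAMPLE_KLIST='Ticket cache: API:Initial default ccache
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
02/10/10 10:00:00  02/10/10 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
02/10/10 10:05:00  02/10/10 20:00:00  HTTP/wiki.example.com@EXAMPLE.COM'

# Same cache with the TGT gone (only a service ticket left), also constructed.
SAMPLE_KLIST_NO_TGT='Valid starting     Expires            Service principal
02/10/10 10:05:00  02/10/10 20:00:00  HTTP/wiki.example.com@EXAMPLE.COM'

# Print the expiry column ("MM/DD/YY HH:MM:SS") of the TGT line read from
# stdin; print nothing when the cache holds no krbtgt ticket.
klist_tgt_expiry() {
    awk '$5 ~ /^krbtgt\// { print $3, $4; exit }'
}

# Convert "MM/DD/YY HH:MM:SS" to seconds since the epoch, reading the time as
# UTC. Integer arithmetic only (days-from-civil), so it needs neither GNU
# date's -d nor BSD date's -j -f, which is the portability gap the article hits.
civil_to_epoch_utc() {
    echo "$1" | awk -F'[/ :]' '{
        m = $1 + 0; d = $2 + 0; y = $3 + 0
        if (y < 100) { if (y < 70) { y += 2000 } else { y += 1900 } }  # 2-digit year
        if (m <= 2) y -= 1                       # count the year from March
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468       # days since 1970-01-01
        printf "%d\n", days * 86400 + $4 * 3600 + $5 * 60 + $6
    }'
}

# klist prints local time. Apply the current UTC offset from "date +%z" (POSIX,
# so it works with /bin/date and GNU date alike). Caveat: it uses the offset in
# force now, so a ticket expiring across a DST change is off by an hour.
civil_to_epoch_local() {
    off=$(date +%z)                              # e.g. -0700
    sign=${off%????}; hh=${off#?}; hh=${hh%??}; mm=${off#???}
    secs=$(( ${hh#0} * 3600 + ${mm#0} * 60 ))
    if [ "$sign" = "-" ]; then
        echo $(( $(civil_to_epoch_utc "$1") + secs ))   # west of UTC
    else
        echo $(( $(civil_to_epoch_utc "$1") - secs ))
    fi
}

# Minutes until the TGT expires (negative once expired); exit status 1 when
# there is no TGT. $1 = klist output, $2 = "now" as a UTC epoch.
tgt_minutes_left() {
    expiry=$(printf '%s\n' "$1" | klist_tgt_expiry)
    [ -n "$expiry" ] || return 1
    echo $(( ( $(civil_to_epoch_utc "$expiry") - $2 ) / 60 ))
}

# The decision the article's script makes, as a function that prints one of:
#   renew - no TGT, expired, or under 10 minutes left (the script runs kinit)
#   warn  - under 60 minutes left (the script prints the minutes remaining)
#   ok    - otherwise
tgt_action() {
    left=$(tgt_minutes_left "$1" "$2") || { echo renew; return; }
    if [ "$left" -lt 10 ]; then echo renew
    elif [ "$left" -lt 60 ]; then echo warn
    else echo ok
    fi
}

# Stand-alone run against the constructed sample with "now" fixed at 19:55 UTC.
if [ "${1:-}" = "--demo" ]; then
    tgt_action "$SAMPLE_KLIST" 1265831700        # prints: renew
fi
```

Run it as "sh script.sh --demo" to see the decision for the sample; in a real GeekTool or cron job you would feed it the output of klist and "date +%s" and call kinit (with the -l lifetime the article describes) when it prints renew. The local-time conversion is the one place where a wrong answer is possible, and only around a DST switch, which is a far smaller failure surface than the one-minute ticket or the unparsable timestamp the article describes.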

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

2 comments
ArnarGunnarsson

Here's a "patch" for using the builtin OSX /bin/date command instead of GNU date from macports/fink. Change expiretime and currenttime so they look like this:

expiretime=$(date -j -f "%D %T" "$(echo ${kexpire})" +%s)
currenttime=$(date +%s)

Jasonology

Vincent, is there any way to get this script to work with a vanilla 10.6.5 setup, without me having to install macports on everyone's mac just for this time function?