Opened 14 years ago

Closed 13 years ago

#33 closed enhancement (fixed)

Add information on Kerberos logins to scripts to FAQ

Reported by: andersk Owned by:
Priority: minor Milestone:
Component: documentation Keywords:

Description (last modified by andersk)

(Imported from #548433.)


Hm, this'd be useful in general: "Go look at Scripts faq #N; s/", etc.

Here's some sample text for people to play with, if anyone's interested. Intended to replace the last paragraph of FAQ #41. I used really informal markup; feel free to be un-lazy and make it better / consistent with whatever conventions you have.

If you're trying to log into from home and you don't
have an SSH client on your computer, you can log into from <>, and log
into scripts from there.

You can also log in directly from most personal computers, with the
correct software installed. To connect to from a
Windows computer, install MIT SecureCRT and Kerberos For Win from <

Then, open MIT SecureCRT (from the Start menu). Click the "Quick
Connect" button in the toolbar of the Sessions dialog box that appears
(the second button from the left). Fill out the dialog that appears,
as follows:

Protocol: SSH2
Port: 22
Firewall: None
Username: /Athena Username/

If you are connecting to a group locker, replace /Athena Username/
with the name of the locker.

In the "Authentication" selectbox, scroll down and click on "GSSAPI"
to highlight it. Make sure that the checkbox beside it is checked.
Then, use the black arrows to the right of the box to move "GSSAPI" to
the top of the list of Authentication methods.

Then, click "Connect" to connect to You may be
prompted for your MIT username and password; if so, enter them.

To connect to from a Mac, download and install the MIT
Kerberos Extras from <>. Then,
open "Terminal" (in /Applications/Utilities/), and type:

kinit /Athena Username/
ssh -k /Athena Username/

If you're connecting to a group locker, replace /Athena Username/ with
the name of the locker you want to connect to.

The "-k" flag to ssh doesn't exist for older MacOS X versions. For
these versions and with Apple's default ssh configuration, it is safe
to not use this flag. If you have customized your ssh configuration,
make sure you have "GSSAPIAuthentication yes" and
"GSSAPIDelegateCredentials no" set for

To connect from a Linux (or other UNIX) computer, install ssh and
Kerberos, and set up Kerberos to use the ATHENA.MIT.EDU realm. Many
Linux distributions provide packages that can do this for you. Then,
run the two Mac command-line commands listed above.

Change History (4)

comment:1 Changed 14 years ago by andersk

  • Description modified (diff)

comment:2 Changed 14 years ago by quentin

There were versions of OS X that did not have GSSAPI authentication enabled by default and did not support -k, so we can't simply tell them to not worry about it if their ssh doesn't take -k.

comment:3 Changed 14 years ago by anonymous

Installing the Kerberos Extras turns on GSSAPIAuthentication, so -k for Macs shouldn't be necessary. The only problem is that one of the updates to 10.4 turned it back off again.

comment:4 Changed 13 years ago by quentin

  • Resolution set to fixed
  • Status changed from new to closed

I've put text similar to this in the FAQ.

Note: See TracTickets for help on using tickets.