Computer Laboratory

Information for Mac OS X users

Configuring SSH access

Using Kerberos for machines within the lab

For domain-joined machines the simplest option is to use the Kerberos ticket you have from login to access Unix machines.

Otherwise, you first have to get a Kerberos ticket manually by typing into a Terminal shell

$ kinit crsid@AD.CL.CAM.AC.UK

You then can connect using

$ ssh -K

To save yourself having to type “-K” each time, you can also enable Kerberos authentication and delegation by editing /etc/ssh_config to set the following options on

    GSSAPITrustDns yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

The actual host list (set above to * should be restricted to machines you trust for maximum security, since a forwarded ticket with delegation will enable a rogue machine to trivially impersonate you.

Using public/private key pair

Generating the keys

On the Mac, in spotlight type 'terminal' and open a terminal window. In the terminal window type


and accept the default location and enter a suitable passphrase.

Copying the public keys to the laboratory filespace

Copy the file in .ssh called to the lab home filespace unix home directory using a memory stick to transfer it via a public Linux machine into the .ssh folder in your home directory.

Then login to a laboratory computer and move the public key into the correct location.

cd .ssh
cat ../ >> authorized_keys

You should then edit the authorized_keys file and set the addresses that this public key can be used form by inserting at the front of the line you just added a string like:-


where you enter the domain you will be using the machine form. You can add multiple domains as a comma seperated list. See the main ssh documentation for more details.

Connecting using ssh

When you have completed the above you should be able to login to laboratory ssh servers by typing something like:-