Computer Laboratory

Information for Mac OS X users

Configuring SSH access

You can use the ssh command-line tool that comes with OS X to connect to other Unix/Linux machines in the department, including the Linux time-sharing servers. Password-based login via ssh is generally deactivated on departmental Linux servers, but several other authentication techniques are available.

Using Kerberos

A “Kerberos ticket” is a piece of cryptographic data that you can obtain from the department’s Kerberos server using your “Kerberos password”, and which allows you to log into other machines or access the filer without having to type your password each time. Our Kerberos tickets are valid for up to 30 days.

For domain-joined desktop machines (where you log in with your departmental Kerberos password), you already receive a Kerberos ticket when you login.

Otherwise (e.g., for a laptop), first get a Kerberos ticket manually by typing into a Terminal shell

$ kinit crsid@AD.CL.CAM.AC.UK

If you want to do this from outside the Cambridge University Data Network (CUDN), use the VPN service.

Either way, once you have a Kerberos ticket (klist will show it), you then can connect using e.g.

$ ssh -K

To save yourself having to type “-K” each time you can also enable Kerberos authentication and delegation by editing ~/.ssh/config or /etc/ssh_config to append the following options:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Note that “ssh -K” only works with the actual hostname (e.g.,, and not with DNS entries associated with alternative IP addresses of the same machine (e.g.,

The actual host list (set above to * should be restricted to machines you trust for maximum security, since a forwarded ticket with delegation will enable a rogue machine to trivially impersonate you.

Using public/private key pair

Public-key authentication is more complicated to set up and will usually have to be used together with some other means to obtain the Kerberos ticket needed on the server to access one’s home directory on the filer.

Generating the keys

On the Mac, in spotlight type 'terminal' and open a terminal window. In the terminal window type


Accept the default location and enter a suitable passphrase.

Copying the public keys to the laboratory filespace

Copy the file in .ssh called to the lab home filespace unix home directory using a memory stick to transfer it via a public Linux machine into the .ssh folder in your home directory.

Then login to a laboratory computer and move the public key into the correct location.

cd .ssh
cat ../ >> authorized_keys

You should then edit the authorized_keys file and set the addresses that this public key can be used form by inserting at the front of the line you just added a string like:-


where you enter the domain you will be using the machine form. You can add multiple domains as a comma seperated list. See the main ssh documentation for more details.

Connecting using ssh

When you have completed the above you should be able to login to laboratory ssh servers by typing something like:-


See also