25

Is it possible to make kinit ask Keychain for the password and not me?

tig

3 Answers

29

kinit on Mac OS X now (since 10.9, possibly earlier) has built-in support for saving the password to the keychain via the --keychain argument, accomplishing the same thing as paul's answer.

Authenticate using kinit --keychain; the password will be saved upon successful authentication:

```
kinit --keychain
# or
kinit --keychain bob@MY.REAL.COM
```

Subsequent kinit invocations (which don't require the --keychain argument) will automatically get the saved password from your keychain instead of prompting you to enter it.

Miles
  • Wow an option not even mentioned on the `kinit` man page, and works well. Nice. – rogerdpack Feb 02 '18 at 19:24
  • Note that macports' kerberos package may not have the --keychain option available...and is the first on the PATH if installed, but the built-in one does :) `kinit: unrecognized option --keychain'` – rogerdpack May 10 '21 at 17:00
15

Actually, it is possible. Let us say you have an account "bob" on the realm "MY.REAL.COM" with password "mypasswd". Then, in a Terminal, type on a single line:

```
security add-generic-password -a "bob" -l "MY.REAL.COM (bob)" -s "MY.REAL.COM" -w "mypasswd" -c "aapl" -T "/usr/bin/kinit"
```

This will create an item in your default Keychain named "MY.REAL.COM (bob)" with your Kerberos credentials, and kinit will be authorized to access it. You can add as many -T "/fullpath/program" switches as you want; each will give the specified program access to your Kerberos credentials. For example, -T "/Applications/Mail.app/Contents/MacOS/Mail" will add access for Mail.app.

More details with man security.

After that kinit bob@MY.REAL.COM will not prompt you for a password but will get it from the keychain.

Gaelan
paul
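A variant of the `security add-generic-password` step above, as an added example that is not part of any of the original answers: it puts `-w` last so that `security` prompts for the password instead of taking it on the command line (where it would land in shell history), and it warns when the first `kinit` on `PATH` is not the built-in `/usr/bin/kinit`. The function names are hypothetical, and the prompting behaviour of a trailing `-w` is taken from `man security`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the answers above.

# Account part of "user@REALM" (everything before the last "@").
principal_account() {
    case "$1" in
        @*|*@) return 1 ;;
        *@*) printf '%s\n' "${1%@*}" ;;
        *) return 1 ;;
    esac
}

# Realm part of "user@REALM" (everything after the last "@").
principal_realm() {
    case "$1" in
        @*|*@) return 1 ;;
        *@*) printf '%s\n' "${1##*@}" ;;
        *) return 1 ;;
    esac
}

# True only for the built-in kinit, the binary that -T authorizes below.
is_system_kinit() {
    [ "$1" = "/usr/bin/kinit" ]
}

# Create the keychain item for a principal, e.g. bob@MY.REAL.COM.
store_kerberos_password() {
    account=$(principal_account "$1") || { echo "bad principal: $1" >&2; return 1; }
    realm=$(principal_realm "$1") || return 1
    if ! is_system_kinit "$(command -v kinit)"; then
        echo "warning: first kinit on PATH is not /usr/bin/kinit" >&2
    fi
    # -w comes last with no value, so security prompts for the password
    # and it never appears in argv or in the shell history.
    security add-generic-password -a "$account" -l "$realm ($account)" \
        -s "$realm" -c "aapl" -T "/usr/bin/kinit" -w
}

# Run only when a principal is given: ./store-krb-password.sh bob@MY.REAL.COM
if [ "$#" -gt 0 ]; then
    store_kerberos_password "$1"
fi
```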
-2

With only kinit, this is impossible.

You'd have to write or have someone else write a separate interface that uses the Keychain Services API to store and access your passwords.

surfasb
  • I just don't understand why Keychain is integrated so it remembers passphrase for ssh key, but can't remember password for kerberos. – tig Nov 23 '11 at 08:15
  • It's because no one bothered to program it. – surfasb Nov 23 '11 at 11:55