After CERN IT required 2FA for SSH access for everyone, I was on the beta testing since the end of 2024. I was relying on a setup (blog post about it) that depended on the SSH agent of 1password plus the 1password CLI. This worked well, but I wanted a more native solution that would integrate seamlessly with my SSH config and not require the 1password CLI.

CERN supports Kerberos for SSH authentication, so I decided to set it up on my macOS machine. Here is how I did it.

macOS comes with the Heimdal Kerberos client by default, typically including the commands kinit, klist, and kdestroy. To check if the Kerberos client binaries are present, run this command in the terminal:

which kinit
which klist
which kdestroy

You should see output similar to this:

/usr/bin/kinit
/usr/bin/klist
/usr/bin/kdestroy

Kerberos tools are included in the base macOS system, so you usually do not need to install anything extra. However, if you have customized your system or removed developer tools, you may need to reinstall the Xcode Command Line Tools, which can be installed with:

xcode-select --install

Note that Kerberos client binaries are part of the base system rather than the Xcode tools themselves.

Configure Kerberos for CERN

We configure the Kerberos realm for CERN by creating or editing the configuration file krb5.conf. On macOS, the system-wide file is at /etc/krb5.conf. Some users may also have user-specific configs at ~/Library/Preferences/krb5.conf which override system settings.

Create or open the system config with:

sudo nano /etc/krb5.conf

Add the following content:

[libdefaults]
    default_realm = CERN.CH
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 25h
    renew_lifetime = 5d
    forwardable = true
    renewable = true
    proxiable = true
    default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
    rdns = false

[realms]
    CERN.CH = {
        kdc = cerndc.cern.ch
        default_domain = cern.ch
    }

[domain_realm]
    .cern.ch = CERN.CH
    cern.ch = CERN.CH

This configuration tells your Kerberos client to use CERN's KDC and realm for authentication, leveraging DNS to locate the proper servers.

Obtain and Manage Kerberos Tickets

Now test the configuration by obtaining a Kerberos ticket:

kinit <your_cern_username>@CERN.CH

Replace <your_cern_username> with your CERN username. You will be prompted for your CERN password and 2FA during this step.

If successful, the ticket will be valid by default for 25 hours and renewable for up to 5 days. You can view your ticket details with:

klist

Example output:

Credentials cache: API:<redacted>
Principal: <your_cern_username>@CERN.CH
Issued: Nov 1 14:58:54 2025
Expires: Nov 2 15:58:49 2025

To renew an existing valid ticket within its renewable period, you can run:

kinit -R

To destroy the ticket (log out), run:

kdestroy

Configure SSH for Kerberos Authentication

Edit your SSH configuration file ~/.ssh/config and add the following lines:

Host *.cern.ch
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    PreferredAuthentications gssapi-with-mic
    User <your_cern_username>

Replace <your_cern_username> with your actual CERN account name.

This config enables SSH to use GSSAPI with Kerberos for authentication, allowing single sign-on using your Kerberos ticket. The delegation option allows forwarding credentials to remote hosts.

Testing SSH Login

Now you can test SSH login to a CERN host without entering your password every time:

ssh <your_cern_username>@lxplus.cern.ch

This will succeed without a password prompt if you have a valid Kerberos ticket. If no valid ticket is found, it will prompt for your password and 2FA.

2FA is required only when obtaining your Kerberos ticket (kinit), so subsequent SSH authentications are seamless as long as your ticket remains valid.

I actually have more complex ~/.ssh/config file that I use for my SSH connections, but the above configuration is the minimum required to set up Kerberos for SSH authentication with CERN. It does have *.cern.ch as the host, so it will work for all CERN hosts. You can also add more specific configurations for other CERN hosts if needed. This is specially needed is you have lbgw (Linux Batch Gateway) host where you need to tunnel through lxplus to access it. But it is not needed for the basic setup.

Note on 2FA prompts and SSH session persistence

While 2FA is required only when obtaining your Kerberos ticket using kinit, in practice, you may/will still be prompted for 2FA at each new SSH login if you do not maintain an active SSH session or persistent connection.

This happens because Kerberos authentication by itself does not keep SSH sessions alive or cache authentication across multiple connection attempts like SSH multiplexing features do.

To avoid repeated 2FA prompts during multiple SSH connections, consider enabling SSH connection multiplexing by adding this to your SSH config:

Host *.cern.ch
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m

With this setup, the first SSH connection to a host establishes a master session, and subsequent connections reuse it transparently, reducing the need to reauthenticate and enter 2FA again within the persistence window. Using Kerberos authentication together with SSH multiplexing combines secure ticket-based authentication and seamless session reuse, effectively replacing older password-based workflows with repeated 2FA.