FAS kerberos SSO from a Mac?

Does anyone happen to know of any documentation re: how to set up FAS SSO with Kerberos on a Mac… or any good generic Kerberos on Mac documentation?

I have a couple of Fedora / EPEL packages I have to work on relatively infrequently. I do this only as part of my employment, and don’t use a personal (e.g. Linux laptop) machine for any work out of principle. My work GUI machine is a Mac, and I go slightly crazy each time having to repeatedly sign-in with OTP across all the different web services 🙂

Sadly, a graphical Fedora Workstation VM under UTM on the Mac has always seemed pretty unstable.

Probably a long shot, but thought I’d ask.

I don’t use a Mac. But all you need is kinit and the realm definition for fedoraproject.org, right? It looks like macOS has included kinit since 2001. Here is the fp.o realm definition from my Fedora Linux system.

    [realms]
     FEDORAPROJECT.ORG = {
            kdc = https://id.fedoraproject.org/KdcProxy
            pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt
     }
    [domain_realm]
     .fedoraproject.org = FEDORAPROJECT.ORG
     fedoraproject.org = FEDORAPROJECT.ORG
     .centos.org = FEDORAPROJECT.ORG

You should be able to add that definition to /etc/krb5.conf (or a separate file in a drop-in directory if macOS has those).

Beyond that, it is just a matter of running the kinit command with the correct parameters and it can even be scripted on startup if you want. FWIW, below is a startup script that I use (I call it from my .bashrc).


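#!/bin/bash
# Obtain a Fedora Kerberos ticket non-interactively (password + TOTP).

exec &> /dev/null   # silence all output; only the exit status is reported

# The post does not show how these three variables were set; the values
# below are placeholders/assumptions.
user='YOUR_FAS_USERNAME'
kdom='FEDORAPROJECT.ORG'
file=$(mktemp)      # temporary credential cache for the armor ticket

# Password and TOTP secret are read from the desktop keyring.
pass=$(secret-tool lookup fedora pass)
code=$(secret-tool lookup fedora code)
totp=$(/usr/bin/oathtool --totp "$code")

cd '/tmp'

# Anonymous ticket, used only as the FAST armor cache for the next call.
kinit -c "FILE:$file" -n "@$kdom"

# Real ticket: password and current OTP are concatenated on stdin.
kinit -T "FILE:$file" "$user@$kdom" \
  <<< "$pass$totp"

rm -f "$file"

klist -s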

I doubt macOS has the secret-tool command for storing and retrieving saved passwords or OTP secrets from your keychain. But maybe it has something equivalent. (Or better yet, if you have a YubiKey, you could use something like ykman oath accounts code fedora | grep -o '[0-9]\{6\}$' to retrieve your OTP.)


Edit: That klist -s at the end is somewhat unnecessary. It is just there so the script will exit with a status code indicating whether it succeeded or not. At one time, I was calling it from a custom systemd user service definition under ~/.config/systemd/user.
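
Added example, not part of either post: what the `oathtool --totp $code` step computes (RFC 6238 TOTP with oathtool's defaults: hex-encoded secret, HMAC-SHA1, 30-second step, 6 digits), written with only the Python standard library for a machine without oathtool. The secret is read from stdin so it never appears in the process list; the function names and the sample secret (the RFC 6238 test key) are assumptions of this example.

```python
import hashlib
import hmac
import struct
import sys
import time

# Constructed sample: the RFC 6238 test key "12345678901234567890", hex-encoded
# the way oathtool expects a secret when run without -b (base32).
RFC_SECRET_HEX = b"12345678901234567890".hex()


def totp(hex_secret, now=None, step=30, digits=6):
    """Return the RFC 6238 TOTP code (HMAC-SHA1) for a hex-encoded secret."""
    key = bytes.fromhex(hex_secret.strip())
    # The moving factor is the number of whole time steps since the Unix epoch.
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226, section 5.3): the low nibble of the last
    # byte selects a 4-byte window; the top bit of that window is masked off.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Codes are fixed width, so leading zeros must be kept.
    return str(value % 10 ** digits).zfill(digits)


def kinit_input(password, hex_secret, now=None):
    """Build the string the script above feeds to kinit: password then OTP."""
    return password + totp(hex_secret, now)


if __name__ == "__main__":
    # Usage: print the current code for a hex secret supplied on stdin.
    print(totp(sys.stdin.readline()))
```
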