SSH login from macOS

Instructions for logging in on GVS IT's public shell servers, using a macOS SSH client.

How to log in?

To log in to the student shell server, edit your ssh settings in ~/.ssh/config to add

    Host student-shell
      User username
      PreferredAuthentications gssapi-with-mic
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes

You may also need ~/.ssh/known_hosts, a list of host keys. Host keys for all public servers are available on the Shell servers page.

Then you can log in with

    kinit -f username@KTH.SE
    ssh student-shell

Note: All examples use username and student-shell – replace these with your KTH username (without, and the server you can log in to Shell servers.


The default versions of kinit and ssh in macOS will work in most cases.

macOS's built-in SSH client does not support GSSAPIKeyExchange, but you can use host keys (known_hosts above) instead when connecting to any of GVS IT's public shell servers.

You can also install a third-party client: OpenSSH with full GSSAPI support can be installed using either HomeBrew or MacPorts. See PDC's documentation for details. This is not necessary to connect to the public shell servers, but if you do install it, you can enable GSSAPIKeyExchange the same way as on Linux.

FAQ / Known problems

To debug problems, note the difference between running e.g. klist on your local client, and running it on the server you log in to. The first checks that kinit has received tickets; the second that the ssh client successfully forwarded the tickets to the server.

Non-standard ssh client or Kerberos (HomeBrew, MacPorts, etc.)

To check which ssh client and Kerberos distribution you are using, use the which command, i.e. which ssh; which kinit; which klist.

While mostly equivalent, applications may have different capabilities, in particular command-line options. For example, there are differences between Heimdal Kerberos (including macOS's) and MIT Kerberos, but either can be used for Kerberized SSH.

Note that third-party clients are not updated as part of macOS. You need to configure automatic updates within the package manager, or upgrade manually.

Broken ticket cache – KCM:501 or KRB5CCNAME

Some Kerberos clients are configured to use a KCM daemon instead of macOS's standard API ticket cache. If klist shows

    Ticket cache: KCM:501

instead of the standard

    Credentials cache: API:E336F6A4-34B6-7514-F687-06D434B494B5

use kdestroy -c KCM:501; /usr/bin/kinit -f … to destroy that cache and use standard kinit to get new tickets.

See also PDC's documentation if you have old configuration that sets a KRB5CCNAME environment variable.

MIT Kerberos has more information on ticket cache types.

Use FQDN if you have disabled reverse DNS lookup

If your local Kerberos configuration (e.g. /etc/krb5.conf) uses rdns=false, you should replace the alias with the server's FQDN, and the equivalent for the other servers.
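
The FAQ checks above (which client is in use, which ticket cache klist reports, and whether rdns=false is set) combined into one triage script. This is an added example, not part of the original page; the function names are hypothetical, and it assumes macOS's built-in ssh, kinit and klist live in /usr/bin.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Classify the cache named in klist output read from stdin: api|kcm|other|none
cache_type() {
    line=$(grep -E '^[[:space:]]*(Credentials|Ticket) cache:' | head -n 1)
    [ -n "$line" ] || { echo none; return; }
    case "${line#*cache: }" in
        API:*) echo api ;;    # macOS's standard API ticket cache
        KCM:*) echo kcm ;;    # KCM daemon cache, see "Broken ticket cache"
        *)     echo other ;;
    esac
}

# Classify a resolved tool path. Assumption: macOS's built-in ssh, kinit and
# klist live in /usr/bin; anything else is HomeBrew, MacPorts, etc.
tool_origin() {
    case "$1" in
        "")         echo missing ;;
        /usr/bin/*) echo system ;;
        *)          echo third-party ;;
    esac
}

# Succeeds if krb5.conf text on stdin has an uncommented rdns=false line.
rdns_disabled() {
    grep -Eiq '^[[:space:]]*rdns[[:space:]]*=[[:space:]]*false[[:space:]]*$'
}

# Run all three checks on the local client (not on the server).
triage() {
    for t in ssh kinit klist; do
        p=$(command -v "$t" 2>/dev/null || true)
        echo "$t: ${p:-not found} ($(tool_origin "$p"))"
    done
    kind=$(klist 2>/dev/null | cache_type)
    echo "ticket cache: $kind"
    [ "$kind" != kcm ] || echo "  KCM cache in use: destroy it and re-run the standard kinit"
    [ "$kind" != none ] || echo "  no tickets: run kinit -f username@KTH.SE"
    if [ -r /etc/krb5.conf ] && rdns_disabled < /etc/krb5.conf; then
        echo "rdns=false: use the server's FQDN instead of the alias"
    fi
}

if [ "${1:-}" = run ]; then triage; fi
```

Save the script and run it with the argument `run` on your local client; it only reads local state and does not contact the shell servers.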