Integrate Kerberos and Keychain

kinit on Mac OS X now (since 10.9, possibly earlier) has built-in support for saving the password to the keychain via the --keychain argument, accomplishing the same thing as paul's answer.

Authenticate using kinit --keychain; the password will be saved upon successful authentication:

kinit --keychain
# or
kinit --keychain [email protected]

Subsequent kinit invocations (which don't require the --keychain argument) will automatically get the saved password from your keychain instead of prompting you to enter it.


Actually it is possible. Let us say you have an account "bob" on the realm "MY.REALM.COM" with password "mypasswd". Then in a Terminal type on one single line:

security add-generic-password -a "bob" -l "MY.REALM.COM (bob)" -s "MY.REALM.COM" -w "mypasswd" -c "aapl" -T "/usr/bin/kinit"

This will create an item in your default Keychain named "MY.REALM.COM (bob)" with your Kerberos credentials, and kinit will be authorized to access it. You can add as many -T "/fullpath/program" switches as you want; each will give the specified program access to your Kerberos credentials. For example, -T "/Applications/Mail.app/Contents/MacOS/Mail" will add access for Mail.app.

More details with man security.

After that kinit [email protected] will not prompt you for a password but will get it from the keychain.
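
A variant of the command in the answer above, as an added example that is not part of the original posts: it builds the same security add-generic-password call but ends with a bare -w, so the password is typed at a prompt instead of landing in shell history or the process list. The function names keychain_args and add_kerberos_item are hypothetical, and the prompt relies on the behaviour security(1) documents for -w placed last without a value.

```shell
#!/bin/sh
# Added example, not code from the answers above.
# Creates the Kerberos keychain item without the password on the command line.

# Print the security(1) argument list, one argument per line.
#   $1     principal in user@REALM form
#   $2...  absolute paths of programs allowed to read the item (-T)
keychain_args() {
    kc_principal=$1
    shift
    # Require exactly one "@" with text on both sides and no spaces.
    case "$kc_principal" in
        *@*@* | @* | *@ | *' '*) return 1 ;;
        *@*) ;;
        *) return 1 ;;
    esac
    # -T entries must be absolute paths, as in the answer above; a relative
    # name would not identify which binary is being trusted.
    for kc_app in "$@"; do
        case "$kc_app" in
            /*) ;;
            *) return 1 ;;
        esac
    done
    kc_account=${kc_principal%@*}
    kc_realm=${kc_principal#*@}
    printf '%s\n' add-generic-password \
        -a "$kc_account" -l "$kc_realm ($kc_account)" -s "$kc_realm" -c aapl
    for kc_app in "$@"; do
        printf '%s\n' -T "$kc_app"
    done
    # Bare -w must stay last: with no value, security prompts for the password.
    printf '%s\n' -w
}

# Run security(1) with the arguments built above (macOS only).
add_kerberos_item() {
    kc_args=$(keychain_args "$@") || return 1
    kc_ifs=$IFS
    IFS='
'
    set -f              # no globbing while splitting on newlines
    set -- $kc_args
    set +f
    IFS=$kc_ifs
    security "$@"
}

# Usage: add_kerberos_item bob@MY.REALM.COM /usr/bin/kinit
```

Running security find-generic-password -s "MY.REALM.COM" -a "bob" afterwards shows the item's attributes without printing the password.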