--- wikisrc/kerberos/system.mdwn 2009/11/11 17:20:26 1.4 +++ wikisrc/kerberos/system.mdwn 2013/05/26 14:37:31 1.10 @@ -1,24 +1,15 @@ [[!tag kerberos howto]] -#### Why enable Kerberos on your system? +## Why enable Kerberos on your system? Convenience and security. With [Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single login grants access to all NetBSD web services. Configuration is easy and you only have to do it once (sometimes less). -#### [[!toggle id="macosx" text="Mac OS X"]] -[[!toggleable id="macosx" text=""" -OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS. -To use Kerberized TNF services, log in with your Kerberos [[password]]: - -`$ kinit @NETBSD.ORG` -The right-hand side is a Kerberos realm, not a DNS domain. Case is significant! -"""]] +## NetBSD -#### [[!toggle id="netbsd" text="NetBSD"]] -[[!toggleable id="netbsd" text=""" NetBSD needs to be configured to prevent Kerberos from being used to log into _your_ system, and then to enable Kerberos. 
@@ -33,29 +24,73 @@ NetBSD will now autodiscover and uses th in DNS. To use Kerberized TNF services, log in with your Kerberos [[password]]: -`$ kinit @NETBSD.ORG` + $ kinit @NETBSD.ORG The right-hand side is a Kerberos realm, not a DNS domain. Case is significant! -"""]] -#### [[!toggle id="windows" text="Windows XP"]] -[[!toggleable id="windows" text=""" -Windows does not provide an easy way to configure and use KDCs different from the one embedded into an Active Directory. +## Mac OS X + +OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS. +To use Kerberized TNF services, log in with your Kerberos [[password]]: + + $ kinit @NETBSD.ORG + +The right-hand side is a Kerberos realm, not a DNS domain. Case is significant! -Therefore, to use [[Kerberos]], you should follow the following steps: +### A Keychain.app trick -7. Download the [MIT Kerberos for Windows](http://web.mit.edu/Kerberos/dist/#kfw-3.2) installer. It is composed of different tools traditionally found with Kerberos distributions, like [[!template id=man name=kinit section=1]] or [[!template id=man name=klist section=1]], and a Network Identity Manager, an application used to manage credential caching of Kerberos tickets. +To pop up a GUI password dialog: -7. Install the package. Use the default provided options, then restart the computer. + $ kinit @NETBSD.ORG - Realm: NETBSD.ORG + security add-generic-password -a "bob" -l "NETBSD.ORG (bob)" -s "NETBSD.ORG" -w "mypasswd" -c "aapl" -T "/usr/bin/kinit" + +This will create an item in your default Keychain named "NETBSD.ORG (bob)" with your Kerberos credentials and kinit it will be authorized to access it. You can add as many -T "/fulpath/program" switches as you want, each will give access to the specific program to use your kerberos credentials. For example -T "/Applications/Mail.app/Contents/MacOS/Mail" will add access for Mail.app. + +More details with man security. 
+ +After that kinit bob@NETBSD.ORG will not prompt you for a password but will get it from the keychain. + +(This tip is orignally from [superuser.com](http://superuser.com/questions/360262/integrate-kerberos-and-keychain)) + +## Windows XP + +Windows does not provide an easy way to configure and use KDCs +different from the one embedded into an Active Directory. + +Therefore, to use [[Kerberos]], you should follow the following +steps: + +7. Download the + [MIT Kerberos for Windows](http://web.mit.edu/Kerberos/dist/#kfw-3.2) + installer. It is composed of different tools traditionally found + with Kerberos distributions, like + [[!template id=man name=kinit section=1]] or + [[!template id=man name=klist section=1]], and a Network Identity + Manager, an application used to manage credential caching of + Kerberos tickets. + +7. Install the package. Use the default provided options, then + restart the computer. + +7. The Network Identity Manager + [(PDF)](http://web.mit.edu/kerberos/kfw-3.2/kfw-3.2.2/netidmgr_userdoc.pdf) + should automatically start when you login. As there is no principal + currently configured, it should open a dialog box to obtain the + new credentials. + +7. Enter your principal: -7. Click `Ok`. After a few seconds, it should obtain the TGT for you from NetBSD.ORG KDC. + Username: + Realm: NETBSD.ORG -"""]] +7. Click `Ok`. After a few seconds, it should obtain the TGT for + you from the NETBSD.ORG KDC.
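Review bot: in the first hunk the login command that survives the toggle removal, `$ kinit @NETBSD.ORG`, has nothing in front of the `@`, and the same empty principal recurs in the NetBSD and Mac OS X sections and in the Windows dialog (`Username:` with no value), so the username placeholder appears to have been lost, most likely an angle-bracket placeholder swallowed as markup. Use a placeholder that renders, for example `$ kinit USERNAME@NETBSD.ORG`, and keep the "realm, not a DNS domain; case is significant" sentence directly under it, since `kinit @NETBSD.ORG` as written is not a usable command. The `####` to `##` heading change and the move from toggleable blocks to plain sections are fine.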
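Review bot: the Keychain trick in the second hunk passes the long-term Kerberos password on the command line (`-w "mypasswd"`), which lands in the shell history and is visible to other local users in the process list while the command runs; drop `-w` and let `security add-generic-password` prompt for it instead. The section also needs a one-line caveat that the keychain item stores the password itself, not a ticket, so every program added with `-T` can read it without any prompt whenever the keychain is unlocked, and the `-a "bob"` account name must match the username used with `kinit bob@NETBSD.ORG`. Minor wording in the added lines: `/fulpath/program` should read `/fullpath/program`, `kinit it will be authorized` should read `kinit will be authorized`, and `orignally` should read `originally`.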