PuTTY wish kerberos-gssapi
summary: Support for GSSAPI (for Kerberos, GSI, etc)
class: wish: This is a request for an enhancement.
difficulty: taxing: Needs external things we don't have (standards, users etc)
priority: low: We aren't sure whether to fix this or not.
fixed-in: r8952 99fffd6ed357d25a228637be173e8187746b6b77 2010-05-20 (0.61)
We occasionally get requests for Kerberos and/or GSSAPI support.
This looks complicated and messy.
Any proposed solution should take into account our
to be even considered for inclusion. In particular, some submissions
have not taken into account PuTTY's cross-platform nature.
In SSH-2, Kerberos is supported through
GSSAPI; RFC 4462
describes GSSAPI key exchange and user authentication in SSH-2.
(Some of the patches here appear to be based
on earlier versions of this specification, for instance the userauth
It appears that Globus
GSI authentication also uses GSSAPI, though for some reason needs
a different client implementation (and yet a third if you want to support
Patches we've seen (links are on our Links page):
- Certified Security Solutions have a patched
version of PuTTY which supports Kerberos 5 in SSH-1 and GSSAPI key
exchange and user authentication in SSH-2. For GSSAPI, Win9x/NT
MIT Kerberos library;
Win2K/XP can use Microsoft SSPI.
- Another patch (unreviewed): email@example.com
User authentication; secur32.lib (Windows) /
- Another patch from sweb.cz adds support
for GSSAPI user authentication using the MIT Kerberos library. (A
previous version of this patch has been reviewed and found wanting.)
- Yet another patch: Quest PuTTY (formerly Vintela PuTTY)
3-term BSD licence; GSSAPI (Kerberos-specific?) user
authentication using MS SSPI; not thoroughly reviewed but doesn't look
- Centrify provide a
modified version of PuTTY
which uses the Windows SSPI for GSSAPI support. It includes features
specific to their other products.
Update: some forms of Kerberos support are now implemented:
- As of 2008-08-10, r8138: support for Kerberos user authentication in
SSH-2 using a single library (SSPI in Windows, build-time choice on Unix);
- As of 2010-05-20, r8952: support for multiple libraries with choice
at run time; Windows builds now support
MIT Kerberos in addition to SSPI.
Things not done:
- GSSAPI key exchange [implemented much later, see gss-key-exchange];
- Any authentication protocol other than Kerberos;
- SSH-1 support (we are very unlikely to do anything about this; SSH-1