PuTTY (Windows SSH client) with Kerberos support
Why use a customized build?
We can't use
Simon Tatham's PuTTY because its current Kerberos support (nightly builds as of spring 2009) does not support properly delegating Kerberos credentials. This typically results in a session that has Kerberos tickets but no AFS tokens.
SecureCRT 5.1 is available,[1] but its ability to authenticate via Kerberos can be sluggish and unreliable.
We recommend Matthew Loar's
PuTTY GSSAPI build because it has the compactness and reliability of Simon Tatham's PuTTY, plus the ability to authenticate fully to CSAIL Debian and Athena systems without passwords.
Installation/Configuration
- Ensure that MIT Kerberos 3.x is installed and configured correctly
- Uninstall any other versions of Putty on your system
- Download and install PuTTY GSSAPI from the TIG software distribution site
- Find
putty.exe in C:\Program Files\PuTTY\ -- drag it to your Desktop to create a shortcut if you like
- Run putty.exe, and modify the default settings:
- in Connection -> SSH -> Auth, set "Allow GSSAPI credential delegation in SSH-2" to
YES
- (optional) in Connection -> Data, set "Auto-login username" to your CSAIL username
- in Session -> select "Default Settings" -> click "Save"
All new connections will attempt to send your Kerberos credentials. If you often connect to non-CSAIL hosts, you should create separate connection profiles for them, where "Allow GSSAPI credential delegation" is set to
NO, and/or flip that setting in the default profile.
You will now be able to use
plink.exe as the SSH client for
Subversion and other tools.
Footnotes
[1] If you want to try SecureCRT, be sure to use
SecureCRT 5.1.
vsh.exe can be used in place of
plink.exe but sometimes needs a one-line batch file wrapper:
@VSH.EXE -kex Kerberos %*
--
ArthurProkosch - 21 Jul 2009
