Friday, November 13, 2009

Setting Putty with Kerberos on Windows (including Windows 7)


note
If you don't know what is Kerberos and SSH - you probably don't need it. So read some of the other posts that may be more relevant for you.

introduction
If you do know that you want Kerberos and SSH on your machine - welcome to the post that will explain how to set it up on Windows. Unlike MacOSX that comes with Kerberos and kerberos aware SSH and Ubuntu, Red Hat and other major Linux distributions that have Kerberos and Kerberos aware SSH easily accessible, finding good Kerberized SSH client for Windows was a challenge.
Although I like challenges, I like to solve them once, and reuse them often - so this post is on how to setup yourself with Kerberized SSH and SCP for Windows.

installation
Best SSH client I have found for Windows is Putty, but default installation does not came with Kerberos enabled, so if you need Kerberized Putty, you can download it from Mattew Loar's web page.
In addition to Kerberized Putty you will need to install MIT's Kerberos for Windows.
As kerberos needs to be in the path, Putty may not work until you add it to the path (by for example restarting CMD or slickrun)
Install these two packages and you should have whole install.

why kerberos?
Cool thing about Kerberos is that separates your credentials (authentication) from your privilegies (authorization). By default you should be able to login to your account SSH enabled Unix server, but Kerberos makes it easy to allow someone else to login as you without giving them password - for example I can login as both root and myself on our server with same Kerberos ticket, and so guy next to me; but unlike non-Kerberized SSH revoking and adding people is matter of editing .k5login file.

how to do it with Putty?
1. Get a ticket.
2. Open Putty and select 'connection -> data' and setup user account you are authorized to access - for example root.
3. login to server by setting server name in session tab.

resources
UPDATE: Putty now supports Kerberos out of the box - see comment below
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Putty with Kerberos authentication:

MIT Kerberos Package:

1 comment:

  1. I realise that the information in this post was correct at the time of writing, but since then the standard, supported, PuTTY Download has introduced 'Kerberized' SSH (GSSAPI) since version 0.61 (released 2011-07-12). It's available at the usual place, the author's putty download page, at:

    http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

    ReplyDelete