Secure Shell (SSH) for Windows

Important! As of Nov. 26, 2007, ssh1 is no longer supported at SLAC; you must use a terminal emulator that supports ssh2.

Single-Sign-On at SLAC

For Windows Machines. SLAC has recently started supporting ssh2 with kerberos5 ticket forwarding to allow access to AFS on SLAC unix. The tools described in this section work well together to provide convenient access to SLAC Unix from Windows machines. Using these tools, it is possible to sign on once using kerberos with your unix username and password, and then use that token for access to AFS, ssh, cvs and scp.

EXPORT LAW WARNINGS:

Export of MIT Kerberos software from the United States of America may be subject to the Export Administration Regulations of the United States Department of Commerce, currently (October 2003) codified as Title 15 CFR Parts 730-774. You are responsible for complying with all applicable export regulations, including obtaining an export license if required. You may not download this software if you are located in, or are a citizen or national of, any country for which the US government prohibits the export of encryption source code, currently (October 2003) Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria. (15 CFR Sections 734(b)(3), 740.13(e)(4))

Kerberos Setup

1. Download and install the Core Binaries and MSI Installer, in that order, for M.I.T.'s kerberos for Windows.

2. Unzip the Core Binaries.

3. Launch the MSI Installer.

4. Select Typical Installation.

5. The software will be installed in C:\Program Files\MIT\Kerberos.

Note: There should now be a new icon in your Windows taskbar for the Kerberos Network Identity Manager.

6. To launch the Network Identity Manager, click on the icon in the taskbar, or go to C:\Program Files\MIT\Kerberos\bin and click on the netidmgr.exe.

7. Click on the new credentials icon.

Enter Username, Realm, and Password, then click OK.

8. Be sure the Default is selected as shown below:

PuTTY

1. Download PuTTy (0.58 with GSSAPI extensions) and unzip to c:\ProgramFiles\.

2. To configure putty, go to:

   C:\Program Files\PuTTY-0.58-GSSAPI-2005-07-24

   and double-click on:

   putty.exe

3. In the Category pane, click on: Connection --> SSH --> Auth to access the "Options controlling SSH authentication" pane and:

- In the Authentication methods, select:

Attempt "keyboard-interactive" auth (SSH-2)

Attempt Kerberos 5 GSSAPI/SSPI auth (SSH-2)

- In Authentication parameters, select:

Allow Kerberos 5 ticket forwarding in GSSAPI/SSF

4. In the Category pane, click on: Connection --> Data to access the "Data to send to the server" pane and enter your "Auto-login username".

5. In the Category pane, click on: Session to access the "Basic options for your PuTTY session" pane and:

1. Enter: Host Name (or IP address).
2. If you wish to save the settings for this session, enter the session name (e.g., noric), then click on the Save button.
3. Click on the Open button.

Note: If you save the settings for a session, the next time you want to set up the same session, you simply access the "Basic options..." pane, click on the saved session name, then click on the Open button.

Tip: If you wish to review the settings for a saved session before opening it, click on the saved session name, then click on the Load button.

View Credentials

Below is a screenshot with a set of native Windows credentials and additional Kerberos credentials obtained via MIT's KfW shown in Network Identity Manager. Note that the Unix Kerberos credentials are the default credentials.

 

End of SSH Install procedure.

Last updated by: Chuck Patterson 11/20/2007

Back to Top