PuTTY wish kerberos-gssapi

Home | Licence | FAQ | Docs | Download | Keys | Links
Mirrors | Updates | Feedback | Changes | Wishlist | Team

We occasionally get requests for Kerberos and/or GSSAPI support.

This looks complicated and messy, and isn't that important to us, so we're rather unlikely to add it ourselves.

Any proposed solution should take into account our design guidelines to be even considered for inclusion. In particular, some submissions have not taken into account PuTTY's cross-platform nature.

In SSH-2, Kerberos is supported through GSSAPI; RFC 4462 (formerly draft-ietf-secsh-gsskeyex) describes GSSAPI key exchange and user authentication in SSH-2. (Some of the patches here appear to be based on earlier versions of this specification, for instance the userauth method "gssapi".)

It appears that Globus GSI authentication also uses GSSAPI, though for some reason needs a different client implementation (and yet a third if you want to support both).

Patches we've seen (links are on our Links page):

• Certified Security Solutions have a patched version of PuTTY which supports Kerberos 5 in SSH-1 and GSSAPI key exchange and user authentication in SSH-2. For GSSAPI, Win9x/NT require the MIT Kerberos library; Win2K/XP can use Microsoft SSPI.
• Another patch (unreviewed): 1067597353.3fa23e29bf70c@webmail.technion.ac.il
  User authentication; secur32.lib (Windows) / krb5-config (Unix)
• Another patch from sweb.cz adds support for GSSAPI user authentication using the MIT Kerberos library. (A previous version of this patch has been reviewed and found wanting.)
• Yet another patch: Quest PuTTY (formerly Vintela PuTTY)
  3-term BSD licence; GSSAPI (Kerberos-specific?) user authentication using MS SSPI; not thoroughly reviewed but doesn't look hopeful

Binary-only versions:

• Centrify provide a modified version of PuTTY which uses the Windows SSPI for GSSAPI support. It includes features specific to their other products.

Audit trail for this wish.