NCSA Home
Contact Us Intranet

User Information Home
Data
Security
Allocations
Consulting
Training

NCSA's Help Desk is available 24 hours a day, seven days a week, 365 days a year:
help.ncsa.illinois.edu
217-244-0710
help@ncsa.illinois.edu

Windows SSH Clients and Kerberos

One of the key benefits to Kerberos is not having to type your password every time you login to a system. Below you will find instructions on how to use Kerberos tickets to login to systems automatically using two popular SSH clients. Note: This will only work if the server you are connecting to is correctly configured to accept ssh logins using kerberos tickets.

If you haven't already done so, Install Kerberos for Windows.

Note: These clients will not work with the older Kerberos Credential Manager. You must be using the new Kerberos for Windows (KfW).

Getting an initial Kerberos ticket
Putty SSH Client (free)
SecureCRT SSH Client ($$$)

Getting an initial Kerberos ticket

  1. Open the Kerberos for Windows (KfW) Network Identity Manager. Then click the button with the yellow star to get new credentials.


  2. Type in your username, password, and make sure the selected Kerberos Realm is NCSA.EDU. Then click Ok.


  3. After successful authentication you will see an initial Kerberos 5 ticket (krbtgt) similar to this:


PuTTY SSH Client

  1. Download the latest PuTTY SSH Client w/ Kerberos support. The PuTTY client is a stand-along binary, so you can just run it directly without any installation process.
  2. When PuTTY starts you will be at the Session menu. Here is where you input the hostname of the machine you will be connecting to and later, you will come back here to save/load sessions. In this example, I'm connecting to public-linux.ncsa.uiuc.edu and I've saved a session under the same name.


  3. Now go to the Connection->Data section of the configuration window. Here simply insert your auto-login username.


  4. One more change to make. Under Connection->SSH->Auth, make sure you have both of the Kerberos 5 GSSAPI boxes checked.


  5. Go back to the Session options, enter a name, and save this configuration information. That way you won't have to repeat these steps later.
  6. Now clickOpen. The first time you connect to a host you will see a box similar to the following. Go ahead and click Yes.


  7. PuTTY will log you in automatically by using the kerberos ticket you obtained earlier:


  8. The curious can go back to the KfW window and click View->Refresh. You will now have a kerberos ticket associated with the host you just logged into.
  9. If you downloaded the entire set of binaries you will also have a PSCP.exe command. This is a command-line only program that works similarly to the Unix scp command. In order for Kerberos authentication to work you need to have already saved a working session configuration. For example, the following command will copy testfile to my home directory on public-linux. 

    pscp -load public-linux testfile dopheide@public-linux.ncsa.uiuc.edu:.



SecureCRT SSH Client

  1. SecureCRT is fairly nice to use, but it does cost money. However, you can use it for 30 days while you decide. Get SecureCRT.
  2. With SecureCRT installed, start it up and click Quick Connect to bring up the following dialog box. Here you will enter your username and the host you want to login to. Also, make sure the GSSAPI box is checked.


  3. Click Connect and you're good to go:


  4. SecureCRT also has an interface to open SFTP connections. At this point you're already connected so just go to File->Connect SFTP Tab:


  5. Now you have the original shell and a new tab with sftp:


Back to NCSA Kerberos Information

Questions or comments about this page may be sent to kerberos@ncsa.uiuc.edu

University of Illinois home page NCSA Home | About NCSA | NCSA Projects | Blue Waters | NCSA News | NCSA User Info
Contact NCSA | NCSA Intranet | Site Map
Contact webmaster with questions regarding this page. Last updated April 5, 2007.
All rights reserved. ©2013 Board of Trustees of the University of Illinois.