Charles Plager's Windows Kerberos at FNAL page

Short List of Kerberizing for the Impatient

  1. Download Fermi's Kerberized ssh zip file
  2. Unzip it and put it in c:\Program Files\Cygwin_kerberos (you will have to make that directory.
  3. Download and save these bat files:
  4. Edit fnal.bat and scp.bat so that
  5. Make a shortcut of fnal.bat on your desktop to make easy access.
  6. Run it

SSH - More Details

In order to be able to ssh from your windows box into machines at FNAL.GOV:
  1. Download Fermilab's Cygwin kerberos utilities and kerberized ssh.
  2. Unzip it and put it in a directory.
  3. Note: With the latest download of Fermilab's kerberized ssh/scp, you no longer need to edit your krb5.conf file when you are behind a NAT router. Simply get a ticket using kinit -n. The following instructions are for people with older versions of kerberos.
    krb5.conf file so that there is a line under '[libdefaults]' that says
        proxy_gateway =
    where is the IP address that your wireless router thinks you have.  If you are not behind a NAT router (e.g. wireless router at home), you do not need to do this. You can leave the IP address of your router at home in when your computer is at work.

    Go to a command line window (-r then type 'cmd'), ask your laptop what your IP number is ('ipconfig').  If it starts with 192.168, you are behind a NAT router and you need to figure out what it's IP address is (you can usually log into your router using your web browser, for example, or visit

    Note 1: If you have perl and LWP installed on your computer, you can modify this Perl script to update your krb5.conf file automatically.

    Note 2: First, the IP address of your router can change with very little notice. If you find that the following script starts asking you for your password on fcdflnx2, this is probably what happened. Just repeat the above procedure. Second, if you are not behind a NAT router, you do not need to update the proxy_gateway line. In my case, I always have my proxy_gateway as my routers IP address, even when my laptop is at FNAL.

  4. I then use the following batch file:
    SET KRB5_CONFIG=.\krb5.conf
    SET KRB5CCNAME=FILE:.\krb5_cc_cache
    SET USER=cplager
    SET DISPLAY=localhost:0
    Echo Starting SSH connection to %HOST%...
    .\klist -s
    REM Request a TGT for current/requested user
    .\kinit -n %USER%
    .\ssh -X -l %USER% %HOST%

    Note 1: If your computer gets a new IP address, but your old ticket has not expired, the above batch file will not ask you for your kerberos password because it looks as if you have a valid ticket. When you try to ssh into a computer, you will be asked for your password on that computer because the IP address in your ticket is different than your current IP address. If this happens, use this batch file (saved in the same directory as the rest of your Cygwin kerberos), to destroy your tickets. When you run fnal.bat, you will be prompted for your kerberos password and everything should be fine. If you are still having troubles and are behind a NAT (e.g. wireless) router, check that your current IP address is in your krb5.conf file (as seen above).

    Note 2: The ' -n' in the kinit' command should give you what is called an addressless ticket and therefore not require you to play with the 'proxy_gateway'.

  5. You should be ready to go. To make sure that you are tunnelling, check your display (unix> echo $DISPLAY). If you see where 22 could be any integer > 10, then you are set and everything should be good to go. If not...

    If you are running Exceed or some other X Window manager, you can simply start up an xterm from the ssh login (unix> xterm -ls&). For a free X Window manager, check out Cygwin and XFree86. XFree86 is not perfect, but it's much, much better than nothing.

Debugging Problems

After editting fnal.bat, it should run simply by double-clicking on it. If it doesn't work, however, the window will disappear making debugging the problem difficult.

To get around this problem, run the batch script from the cmd.exe window. Using the Windows start button, select Run.... When the window pops up, type cmd.exe. In the command window, cd "c:\Program Files\Cygwin_kerberos". Now run fnal.bat. This will at least let you get the error message.

Some common error messages:

Kerberos with Cygwin

Cygwin is a unix-like environment for windows that I highly recommend (please see my Hints for setting up Cygwin page). Not only does it come with (if you choose) bash, emacs, xterm, latex, gcc, etc. but you can get special Cygwin versions of root as well as build your own versions of many linux-based software. Enough of the advertising.

NEW: If you find that you need a newer version of ssh, you can try here after following the instructions below.

Before starting, cd to /bin and copy ssh.exe to ssh_standard.exe. From the Cygwin, copy the following files to your /bin area (usually found in c:\Cygwin\bin):

Copy the new versions of ssh.exe to ssh_kerb.exe (When you update Cygwin, it may decide that the kerberized versions of ssh and scp are simply old and replace them. If this happens, just copy the _kerb versions back.). Put the following lines in your .bashrc file:

export KRB5_CONFIG=/bin/krb5.conf
export KRB5CCNAME=FILE:/bin/krb5_cc_cache

Start a new bash window, do a kinit -n and you should be ready to go with ssh (the -n tells kinit to use an addressless ticket so it will work behind a NAT router).. Remeber, if you are using X-Windows, you want to use:

ssh -X

See above for help with the krb5.conf file.


  1. Do NOT put any of the .dlls from the .zip in a directory that is in path for Cygwin.
  2. For more kerberos clients (e.g., rcp, ftp) for Cygwin, see Axel Naumann's download directory.

SCP problems With Cygwin

Version of scp.exe

The version of scp that comes with the FNAL zip file doesn't work with a full installation of Cygwin (it does work with the command prompt using this scp.bat batch file if you run it in the same directory where the kerberos files are installed). If you are using scp with Cygwin, please grab this version of scp.exe. Do not grab this version if you are putting your files in c:\Program Files\Cygwin_kerberos; keep the version that comes in the tar ball.

Copying Large Files

I have had problems copying large (> 500 Mb) files using scp; it gets 99% of the way through and then it hangs. To get around this, I wrote a simple Perl script, that uses ssh and tar to pull files from linux computers to my Windows computer.

Usage: direc/tory file1 file2 file*3

File Transfers

There is a nice Kerberized FTP client called Filezilla.  The following instructions are a little unpolished.
Note: I have not been able to get Filezilla to work from behind a NAT router. It works great, however from inside FNAL. Since getting ssh and scp above to work, however, I have stopped using Filezilla.
  1. Get Leash32 from MIT.
  2. Unzip Leash32 and put it somewhere on your computer. Some hints:
    • delete the file krbv4w32.dll
    • Put the directory with the kerberos executable in your path
      • The following instructions work for Windows XP. It is close for other flavors of windows.
      • Right-click on My Computer and choose Properties
      • Choose the Advanced tab and click on Environment Variables
      • Select the Path variable in the list of System Variables and click on Edit
      • Go to the end of the Variable value and add ;c:\MyKerberosDirectory (Don't forget the ; (semi-colon) at the beginning and hit Cancel if you are afraid that you have messed it up.).
      • Hit the OK (three times)
    • Run Leash32
      • In the Options menu, choose Kerberos V5 properties
      • Change the configuration file to point at the same file krb5.conf you used above in ssh installation
      • Choose Get Ticket in the Action menu. Enter username@FNAL.GOV and your password where appropriate.
    • For a different/more complete explination, see Fermi's Configure Leash32 page
  3. Click on Filezilla and download the latest version (you want Filezilla, not Filezilla Server or System DLL updater).
  4. Install this program.
  5. Get kerberos ticket
  6. Run Filezilla.
    • Go to Settings in the Edit file menu.
    • Make sure Passive Mode is checked in Firewall Settings
    • Go down to'Connections/GSS support' and make sure 'Enable Kerberos GSS support' is checked. Take out and put in
  7. Connect to your favorite server.
    • Choose Site Manager in the File Menu
    • Click new site.
    • For Logontype Select Normal and check Bypass proxy settings
    • Enter your username but leave password blank.
    • Connect.

Last modified: Tue Mar 23 14:13:54 CDT 2010 by Charles Plager.