PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

GSSAPI via MIT Kerberos #2165

Closed TobyShaw closed 11 months ago

TobyShaw commented 11 months ago

Summary of the new feature / enhancement

Does Powershell/openssh-portable support GSSAPI with MIT Kerberos? The Windows build instructions on the Wiki don't reference any customization, and debugging ssh.exe I can only see it using SSPI, but perhaps there's a configuration method I'm missing?

Proposed technical implementation details (optional)

No response

tgauth commented 11 months ago

Yes, this is supported. Please see these issues for more info:

https://github.com/PowerShell/Win32-OpenSSH/issues/1157#issuecomment-455771466
https://github.com/PowerShell/Win32-OpenSSH/issues/1295#issuecomment-789705655

Let us know if you have any additional questions!

TobyShaw commented 11 months ago

Sorry, I believe I may have expressed myself unclearly. I was actually asking if MIT's Kerberos for Windows was supported, rather than Kerberos in general.

I've convinced myself it's not supported by default. Right now when I open the Win32-OpenSSH.sln file, #KRB5 is not defined. When I run with the -K flag enabled, I am hitting ssh_gss_sspi_init, and I also see that it's using secur32.dll rather than gssapi64.dll.

If there are build customizations I'm missing, I'd love to know.

tgauth commented 11 months ago

That's my bad - I wasn't familiar with the distinction, but I think you're right - MIT Kerberos isn't supported yet. There may be additional work required when building with the KRB5 to get it running on Windows.

It does seem like workarounds to use Windows Kerberos instead of MIT Kerberos exist, but not sure if that's relevant to your scenario - any additional context would be helpful!

jborean93 commented 11 months ago

Are you able to share the reason why you want to use MIT Kerberos here? Does it support something that SSPI does not?

TobyShaw commented 11 months ago

This was just about documenting differences between plink and openssh, as there are documented differences between the two Kerberos implementations (see https://github.com/PowerShell/Win32-OpenSSH/issues/1295#issuecomment-789705655) and plink supports MIT Kerberos for Windows.