Microsoft's distribution of OpenSSH for Windows https://github.com/PowerShell/openssh-portable supports Kerberos GSSAPI logins using the OS's integrated credentials cache. OpenSSH distributed with msys2 does not, but rather uses Heimdal or MIT Kerberos with a separate credentials cache. Heimdal and MIT Kerberos both had some attempts to use MSLSA credentials cache, but neither has a working implementation. For reference, the PostgreSQL client in msys2 uses Windows SSPI directly (same as MS does with openssh-for-windows) for Kerberos, and works out of the box with GSSAPI logins.
Expected behavior
1. login to windows domain account
   1a) cmd> klist shows KRBTGT for domain
2. ssh to kerberos-enabled host
3. shell prompt is reached without password prompt
   3a) cmd> klist now shows service ticket HOST/myhost
Actual behavior
1. login to windows domain account
2. ssh to kerberos enabled host
3. msys2 (heimdal) kinit is required first to get separate KRBTGT for MSYS, otherwise password is requested
It should also be noted that, by default, installing openssh hides the native C:\Windows\SYSTEM32\OpenSSH\ssh.exe in the path. Uncommenting MSYS2_PATH_TYPE=inherit or adding to the beginning of $PATH in .bashrc is required. Installing git, for example, pulls in openssh, thus requiring manual configuration to use the native Windows ssh client.
I have tried to compile that openssh project with a custom cmake file (not complete yet). The header files in contrib/win32/win32compat/inc directory conflict with mingw-w64 headers.
Verification
Windows Version
MSYS_NT-10.0-19045
MINGW environments affected
Are you willing to submit a PR?
not at this time
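
A check for the PATH shadowing described in the post, as an added example that is not part of the original issue or of either OpenSSH project. The function names and `NATIVE_SSH_DIR` are hypothetical, and the `/c/Windows/System32/OpenSSH` location assumes the default MSYS2 mapping of drive C:.

```shell
#!/bin/sh
# Added example: report which ssh binary PATH lookup selects, since that decides
# whether the OS credentials cache or a separate Heimdal/MIT cache is used.
# Assumption: MSYS2 exposes C:\Windows\System32\OpenSSH at this POSIX path.
NATIVE_SSH_DIR=${NATIVE_SSH_DIR:-/c/Windows/System32/OpenSSH}

# Print the ssh found in each directory of a PATH string ($1, default $PATH),
# in lookup order. Runs in a subshell so IFS and noglob do not leak out.
list_ssh_candidates() (
    IFS=:
    set -f
    for dir in ${1:-$PATH}; do
        [ -n "$dir" ] || continue            # skip empty PATH components
        for cand in "$dir/ssh" "$dir/ssh.exe"; do
            if [ -f "$cand" ] && [ -x "$cand" ]; then
                printf '%s\n' "$cand"
                break                        # MSYS2 maps ssh to ssh.exe: one hit per dir
            fi
        done
    done
)

# Classify the winner: "native" (under Windows\System32\OpenSSH, matched
# case-insensitively), "other" (any other ssh, e.g. the msys2 package), "none".
which_ssh_wins() {
    first=$(list_ssh_candidates "${1:-$PATH}" | head -n 1)
    if [ -z "$first" ]; then
        echo none
        return 0
    fi
    case $(printf '%s' "$first" | tr '[:upper:]' '[:lower:]') in
        */windows/system32/openssh/*) echo native ;;
        *) echo other ;;
    esac
}

# Print a PATH string with the native OpenSSH directory placed first,
# i.e. the .bashrc workaround from the post.
native_first_path() {
    printf '%s:%s\n' "$NATIVE_SSH_DIR" "${1:-$PATH}"
}

printf 'ssh resolved from current PATH: %s\n' "$(which_ssh_wins)"
```

A result of `other` in an MSYS2 shell means the packaged ssh is shadowing the native client, so `klist` in cmd will not be the cache that ssh consults.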