GSSAPI authentication and OpenSSH on Windows

Alf Håkansson
Thu Sep 26 12:58:00 GMT 2013

Hello Ghis,
That might work but the user will not be logged on to the Windows
machine, i.e. sshd will not be able to get hold of a security token
with the AD user's context.
Going for that solution will only authenticate the user, but when the
user gets the shell it will not be in the right context.

I think one needs to replace Heimdal/MIT Kerberos with the Windows
SSPI interface.


Hi Alf,

Seems we both are close to a solution, but I didn't make any progress on
this issue on my side.

Your statement regarding ktpass for the keytab generation confirms my
initial fears...

I searched a little more on this this morning and I stumbled upon this:

Basically, it says that setting GSSAPIStrictAcceptorCheck to no in
sshd_config will make sshd.exe use the first entry in the keytab,
regardless of the principal name.  So, theoretically, we could
generate a keytab containing any principal name and sshd.exe would use
this happily.

Unfortunately, it seems this configuration directive is not supported
by the official OpenSSH release.  This article mentions a certain patch
that should do the trick:

The only thing left to do/try, is to get a hand on the OpenSSH
sources, on the patch and try to rebuild OpenSSH.

Could anyone help in doing this?  Just providing pointers on howtos
would be great! ;o)

Thank you!


On Wed, Sep 18, 2013 at 3:55 PM, Alf Håkansson <> wrote:
> Hello!
> I am trying to get Kerberos authentication to work with OpenSSH on a
> Windows machine that is part of a Windows domain.
> I have read all I could find on the internet about this issue but no
> one seems to have succeeded.
> OpenSSH is built with the Heimdal package.
> There is a post that pretty well describes all the steps to take to
> get it to work (but it does not)
> As I subscribed after that post I have no idea how to reply to it.
> The problem occurs when I am making the keytab file with help of ktpass.exe.
>  I need the principal HOST/
> Thing is that the machine itself is already registered with that
> principal and as the Domain Controller can only have one entry for that
> principal the machine will be deregistered and you can no longer logon
> with a domain user to the console.
> So please if anyone has any experience in this topic let me know!
> /Alf
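
Since the approach Ghis describes depends on which principals are in the keytab and in what order, here is a small keytab reader, added as an example and not part of this thread, that lists the entries in file order and checks whether the exact host/<fqdn>@REALM entry that a strict acceptor check needs is present. The keytab it parses is built inline from constructed sample principals; the realm, host names and key bytes are placeholders.

```python
import struct

def _counted(buf, pos):   # counted_octet_string: uint16 big-endian length, then bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab and return its entries as dicts, in file order."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version %r" % data[:2]
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        (enctype,) = struct.unpack_from(">H", data, p + 9)
        _key, p = _counted(data, p + 11)
        vno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
        kvno = vno32 or vno8              # trailing 32-bit vno overrides vno8 when non-zero
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
        pos = end
    return entries

def has_host_principal(entries, fqdn, realm):
    """True if host/<fqdn>@<REALM> is present, which a strict acceptor check requires."""
    return any(e["principal"] == "host/%s@%s" % (fqdn, realm) for e in entries)

def build_keytab(items):
    """Serialise (principal, kvno, enctype, key) tuples into a 0x0502 keytab (constructed input)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in items:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:         # the realm precedes the name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)
```

Run it against a real keytab with `parse_keytab(open("sshd.keytab", "rb").read())` to see the principal order before testing sshd; enctype 18 is aes256-cts-hmac-sha1-96 and 23 is rc4-hmac.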
