
SSH login from Windows

Follow this guide to use SSH login from Windows.

To log in you need Kerberos tickets and an SSH client. You can use either:

  1. Network Identity Manager (NIM) and the PuTTY ssh client, or
  2. kinit and ssh inside a Linux installed in Windows Subsystem for Linux (WSL).

Note: All examples use username and student-shell. Replace these with your KTH username (without @kth.se) and the server you can log in to.

Software

Both PuTTY and NIM are available in Software Center on KTH Windows (WIKS). See links below if you are using standalone Windows.

If you have activated WSL, Ubuntu 18.04 or other Linux distributions are freely available in Microsoft Store.

Network Identity Manager (NIM)

In KTH Windows, Network Identity Manager is available in Software Center. (An older version may also be available as part of MIT Kerberos for Windows, but should be upgraded to the separate NIM package.)

For standalone systems, NIM's installer can be downloaded from MIT. Run the installer for your system; on modern systems it is recommended to install the latest MIT Kerberos for Windows, which is currently kfw-4.1-amd64.msi. Run the installation, then reboot the computer.

Start the software and press the Get Ticket icon.

Fill in the principal, which will be username@KTH.SE, then your KTH password, and press OK. Everything should then be good to go.

PuTTY SSH client

You should use version 0.72 or later of PuTTY, for GSSAPIKeyExchange support. It can be downloaded from PuTTY's homepage (external link).

To log in to the student shell server, either change settings for the default session, or set up a saved session called StudentShell with

  • Session then Host Name: username@student-shell.sys.kth.se
  • Connection then SSH then Auth then GSSAPI: enable settings for
    • Attempt GSSAPI authentication
    • Attempt GSSAPI key exchange
    • Allow GSSAPI credential delegation
    • If using Network Identity Manager (NIM), set MIT Kerberos GSSAPI64.DLL as the preferred GSSAPI Library.

If you modified the default settings, mark Default Settings and click Save.
Then click Open.

PuTTY session with GSSAPI

If, despite valid tickets in Network Identity Manager, you are prompted for a password when you connect, GSSAPI did not work. In that case, try changing Preference order for GSSAPI libraries to use User-specified GSSAPI DLL. To find the DLL file, search for "GSSAPI" using Windows Explorer. The path is likely in some subdirectory of C:\Windows\ with "heimdal" in the name, but may vary depending on your setup.

In order to run graphical applications, you will also need to install an X server, such as Xming (external link). (KTH Windows uses Xwin32, but it requires a license.)

Windows Subsystem for Linux (WSL)

If you have enabled Windows Subsystem for Linux, you can download a Linux distro, e.g. Ubuntu, from Microsoft Store. You can then install and use Kerberos and OpenSSH the same way you would in Linux:

sudo apt update      ## maybe also sudo apt dist-upgrade
sudo apt install heimdal-clients openssh-client
mkdir -p -m 0700 .ssh
nano .ssh/config     ## set up 'Host student-shell' with GSSAPI etc., see link above

kinit -f username@KTH.SE
ssh student-shell
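
The 'Host student-shell' entry that the nano step refers to can be written as follows. This is an added example, not part of the original guide: it mirrors the three PuTTY GSSAPI settings listed above, username is the guide's placeholder, and the helper names stanza and add_student_shell are hypothetical.

```shell
#!/bin/sh
# Added example: create the 'Host student-shell' entry in an ssh config file.
# HostName and the GSSAPI options mirror the PuTTY session settings in this
# guide. GSSAPIKeyExchange is provided by the Debian/Ubuntu OpenSSH packages.

# Print the stanza for user $1. Credential delegation is limited to this one
# host instead of 'Host *', so the Kerberos ticket obtained with 'kinit -f'
# is only forwarded to the server you intend to log in to.
stanza() {
    user=$1
    cat <<EOF
Host student-shell
    HostName student-shell.sys.kth.se
    User $user
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIDelegateCredentials yes
EOF
}

# Append the stanza to config file $1 for user $2 unless the host is already
# defined. Creates the directory with mode 0700 if it is missing and sets the
# config file to mode 0600.
add_student_shell() {
    cfg=$1
    user=$2
    mkdir -p -m 0700 "$(dirname "$cfg")"
    touch "$cfg"
    chmod 0600 "$cfg"
    if grep -Eq '^[[:space:]]*Host[[:space:]]+student-shell[[:space:]]*$' "$cfg"; then
        echo "student-shell already defined in $cfg" >&2
        return 0
    fi
    stanza "$user" >> "$cfg"
}

# Typical use (left commented out so that sourcing this file changes nothing):
#   add_student_shell "$HOME/.ssh/config" username
#   ssh -G student-shell | grep -i gssapi   # show the effective GSSAPI options
```
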

WSL in Windows 10

At the time of writing, X11 forwarding does not work when using WSL, as the Linux subsystem does not have an X server. Nor can it access a locally running one, if you run Xming or X-Win32 as a separate Windows application.

For more information, see PDC's documentation.