Using Cygwin at Fermilab

Cygwin is a surprisingly full-featured UNIX environment that runs on Windows. It's a great way to connect to UNIX computers from a Windows PC. I think it's more elegant and useful than the WRQ/Reflection stuff and the price is certainly right. But there's a problem -- all Fermilab computers use Kerberos for authentication and Cygwin does not support this, nor are its ssh and scp programs built with Kerberos support enabled.

However, it is possible to add Kerberos support to a regular plain-old-vanilla Cygwin installation. This will enable you to open a Cygwin xterm on your Windows desktop and ssh into a Fermilab kerberized UNIX computer and/or transfer files with scp/ftp.


  1. Download the Cygwin installer program and install Cygwin on your PC. At a minimum, install the network and X11 components. You can always re-run this installer later to add more stuff like python, gcc, editors, etc.
  2. Start a Cygwin bash shell, either using the desktop link or by opening an xterm (Start Menu, Cygwin-X, Xwin Server). The first time you start Cygwin it should make a home directory for you.
  3. Unzip these executables and put them in the /usr/local/bin directory. These programs include the Kerberos utilities (kinit, klist, kdestroy, kpasswd) and versions of ssh, ftp, and scp that have been rebuilt to include Kerberos support.
  4. Get the latest Fermilab krb5.conf and put it in /etc.
  5. Create a directory called .ssh in your home area and put the ssh config file there.
  6. Change the protections on the ssh config file:
    $ chmod 600 ~/.ssh/config
  7. Add the following lines to your ~/.bashrc (assuming bash is your default shell):
    export KRB5_CONFIG=/etc/krb5.conf
    export KRB5CCNAME=FILE:/var/tmp/krb5_cc_cache
    
  8. Open a new xterm and try it out!
    $ kinit username@FNAL.GOV
    $ klist
    $ ssh username@fnalu
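
Steps 4 through 7 leave three files whose state matters: krb5.conf, the ssh config (which must stay mode 600), and the ticket cache, which this setup places outside your home directory. The shell function below checks all three. It is an added example, not part of the original instructions or of the Fermilab-built tools; the function names check_krb_setup and private_mode are made up for this illustration, and it assumes the GNU stat that Cygwin ships.

```bash
# Added example: audit the files from steps 4-7.
# Usage: source this file, then run check_krb_setup with no arguments.
# Prints one line per finding; the return status is the number of problems.

# Succeeds only if the file's mode grants nothing to group or other.
private_mode() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00|0) return 0 ;;
        *)     return 1 ;;
    esac
}

check_krb_setup() {
    local conf="${1:-${KRB5_CONFIG:-/etc/krb5.conf}}"
    local sshcfg="${2:-$HOME/.ssh/config}"
    local ccname="${3:-${KRB5CCNAME:-}}"
    local cc="" problems=0

    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    [ -r "$conf" ] || fail "krb5.conf not readable: $conf"

    if [ ! -f "$sshcfg" ]; then
        fail "ssh config missing: $sshcfg"
    elif ! private_mode "$sshcfg"; then
        fail "ssh config is group/world accessible (chmod 600): $sshcfg"
    fi

    case "$ccname" in
        FILE:*) cc="${ccname#FILE:}" ;;
        "")     fail "KRB5CCNAME is not set" ;;
        *)      echo "SKIP: cache type is not FILE: ($ccname)" ;;
    esac

    if [ -z "$cc" ]; then
        :   # nothing on disk to inspect
    elif [ -L "$cc" ]; then
        fail "ticket cache is a symlink: $cc"
    elif [ ! -e "$cc" ]; then
        echo "NOTE: no ticket cache yet at $cc (run kinit first)"
    else
        # The cache holds your tickets, so only you should be able to read it.
        [ -O "$cc" ] || fail "ticket cache is not owned by you: $cc"
        private_mode "$cc" || fail "ticket cache is group/world accessible: $cc"
    fi

    [ "$problems" -eq 0 ] && echo "OK: Kerberos/ssh file setup looks sane"
    return "$problems"
}
```

Run it once after kinit so the cache file exists and its owner and mode are actually checked.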

This has been tested with Cygwin 1.7.5 on Windows XP and Windows 7, connecting to Fermi Linux machines running SLF3 through SLF5. Thanks to Jason Ormes at Fermilab for building the executables from source and thanks to Charles Plager for documenting it on his website.

If you're setting this up on a home machine behind a NAT router/firewall, you may need to run

    $ kinit -n username@FNAL.GOV

to get an address-less ticket.

last update 3 June 2010