This page contain information about Shishi, a free implementation of
the Kerberos 5 network security system.
If you do not know what Kerberos 5 is, I suggest to read
the Kerberos V5
standard. Also see the page with
related research papers that may be of interest.
The goals of this project are:
- Full standards compliance.
- Thread safe library.
- Internationalization, both for client messages but also for
non-ASCII username and passwords.
- Integrate with existing password management systems
(/etc/passwd, PAM, SASL).
- Support authentication using OpenPGP and X.509 through
TLS, including smart card support.
- Clean room implementation with clear copyright and
Shishi is licensed under the GPLv3, and the Shishi manual is
licensed under the GFDL.
Refer to the Shishi Manual web page for links
to the manual in all formats; however, quick links to the most
Shishi has received some real-world testing and should be considered
stable, although it is still a fairly young implementation. Basic
support for acquiring and managing tickets are working, as well as
serving requests in a Key Distribution Center daemon. DES, 3DES and
AES cipher suites are supported. A PAM module for host
security is included, as well as a Shishi port of a
A telnet client and server with Kerberos authentication is
supported via GNU InetUtils.
A SSH client and server with Kerberos authentication is
supported via GSS
and GSS-LSH. A IMAP server
with Kerberos authentication (GSSAPI SASL mechanism) is supported
via GNU MailUtils. A IMAP
command line client with Kerberos authentication (GSSAPI SASL
mechanism) is supported via GNU SASL, which
also provide authentication (including Kerberos 5 via GSSAPI) via
the SASL API for any application.
Shishi is developed for the GNU/Linux system, but runs on over 20
platforms including most major Unix platforms and Windows, and many
kind of devices including iPAQ handhelds and S/390 mainframes.
Shishi requires GNU Libtasn1, which is
included in the package, so you do not need to install it
Shishi can optionally use GnuTLS (for
OpenPGP and X.509 authentication), GNU
Libidn (recommended for non-ASCII support),
Note that new releases are only mentioned here if they introduce a
major feature or is significant in some other way. Read
mailing list if you seek more frequent announcements.
Version 1.0.0 released, takes Shishi out of alpha testing.
Version 0.0.32 released under the GPLv3.
Version 0.0.23 released, mainly as a foundation to build
official Debian packages.
- 2006-01-17: Experimental Shishi packages for Debian are
- 2004-11-12: The experimental STARTTLS support is now
documented in an
- 2004-06-13: The InetUtils work has its
own home page now, and will be a playground for new features
(even non-Shishi related) in GNU InetUtils.
- 2004-01-22: New releases are no longer announced here, and
hasn't been for a while. Instead,
or check the release directory from time to time. By the
0.0.14 was just released.
- 2004-01-13: A new snapshot of GNU InetUtils with Shishi support
was released. Build it as usual for Kerberos support, i.e.,
--enable-encryption --enable-authentication. It
includes telnet(d), rsh(d) and rlogin(d) with Shishi support.
- 2004-01-01: Savannah had problems last month, and still isn't
operating fully. CVS has been moved to a private machine, a
read-only mirror of it will hopefully be available via Savannah in
- 2003-10-16: Shishi 0.0.8 released. STARTTLS upgrade of TCP
connections (only anonymous DH for now). Password processing
via SASLprep instead of KRBprep. Authorization and
- 2003-10-11: Snapshot of Shishi-port of GNU InetUtils released,
contains telnet(d) and rsh(d) with Kerberos 5 support via Shishi.
Developed by Nicolas Pouvesle.
- 2003-10-01: Shishi-port of GNOME Ticket Applet added,
- 2003-09-21: Shishi 0.0.7 released. DES-CBC-CRC and ARCFOUR
works. Short-hand aliases for encryption type names are
- 2003-09-14: Shishi 0.0.6 released. Proxiable, proxy,
forwardable and forwarded tickets supported. Man pages for all
public functions are included. The internal crypto interface now
- 2003-09-07: Shishi 0.0.5 released. SAFE and PRIV fixes. Server
name to realm mapping via DNS. Reference manual.
- 2003-08-31: Shishi 0.0.4 released. KDC works. Shishi port of
rsh/rlogin client, contributed by Nicolas Pouvesle, included.
Accompanies GSSLib 0.0.5.
- 2003-08-25: Shishi becomes a GNU project.
- 2003-08-22: Shishi 0.0.3 released.
- 2003-08-17: Shishi 0.0.2 released.
- 2003-08-10: Shishi 0.0.1 released. Few new features, but
improved internally. Accompanies GSSLib
- 2003-06-23: A patch for telnet(d) in GNU
InetUtils that implement Kerberos 5 authentication via
- 2003-06-02: Shishi 0.0.0 released. No major changes compared to
last snapshot, but used by Generic Security
Services API (GSS-API) 0.0.0.
- 2003-02-11: Another snapshot release. Used
by GNU SASL.
project to savannah.
- 2002-12-14: Second snapshot released.
- 2002-12-13: PAM works.
- 2002-12-08: Telnetd works.
- 2002-12-01: Web page opened and a snapshot released.
- 2002-11-25: Telnet works.
- 2002-10-26: Code moved into CVS.
- 2002-09-30: Started coding.
A mailing list where Shishi users may help each other exists, and
you can reach it by sending e-mail
Archives of the mailing list discussions, and an interface to manage
subscriptions, is available through the World Wide Web at
If you are interested in paid support of Shishi, or sponsor the
development, please contact
me. If you provide paid services for Shishi, and would like to
be mentioned here, also contact
The following organizations provide paid support for Shishi:
If you find GNU Shishi useful, please consider making a donation. No
amount is too small!
The stable releases are distributed from
All official releases are signed with an
OpenPGP key with fingerprint
Shishi project page. You
can check out
the sources by using git as
$ git clone git://git.savannah.gnu.org/shishi.git
git interface is available.
If you have trouble using git, you may download
a daily snapshot.
The snapshots are prepared similar to regular releases, i.e., you
simply build them using
./configure && make.
Build logs from building the package, where you can also contribute
a build system for your own platform, are available from
the Shishi autobuild
on how to bootstrap and build the package from version controlled
For every release, we publish
cyclomatic code complexity charts for the package. There is
also self-test code coverage charts
Since Shishi is a library, there isn't much in the way of graphical
user interfaces to show. However,
the GNOME 2
Applet support Shishi, so we can at least show how it looks.
There is a snapshot release of Ticket Applet available from
You can also
browse the CVS of the Shishi port of Ticket Applet.