This page contain information about Shishi, a free implementation of the Kerberos 5 network security system.
The goals of this project are:
- Full standards compliance.
- Thread safe library.
- Internationalization, both for client messages but also for non-ASCII username and passwords.
- Integrate with existing password management systems (/etc/passwd, PAM, SASL).
- Support authentication using OpenPGP and X.509 through TLS, including smart card support.
- Clean room implementation with clear copyright and license.
Shishi is licensed under the GPLv3, and the Shishi manual is licensed under the GFDL.
Refer to the Shishi Manual web page for links to the manual in all formats; however, quick links to the most popular formats:
Shishi has received some real-world testing and should be considered stable, although it is still a fairly young implementation. Basic support for acquiring and managing tickets are working, as well as serving requests in a Key Distribution Center daemon. DES, 3DES and AES cipher suites are supported. A PAM module for host security is included, as well as a Shishi port of a rsh/rlogin client.
A telnet client and server with Kerberos authentication is supported via GNU InetUtils. A SSH client and server with Kerberos authentication is supported via GSS and GSS-LSH. A IMAP server with Kerberos authentication (GSSAPI SASL mechanism) is supported via GNU MailUtils. A IMAP command line client with Kerberos authentication (GSSAPI SASL mechanism) is supported via GNU SASL, which also provide authentication (including Kerberos 5 via GSSAPI) via the SASL API for any application.
Shishi is developed for the GNU/Linux system, but runs on over 20 platforms including most major Unix platforms and Windows, and many kind of devices including iPAQ handhelds and S/390 mainframes.
Shishi requires GNU Libtasn1, which is included in the package, so you do not need to install it separately.
Note that new releases are only mentioned here if they introduce a major feature or is significant in some other way. Read the info-gnu mailing list if you seek more frequent announcements.
- 2010-05-20: Version 1.0.0 released, takes Shishi out of alpha testing.
- 2007-06-29: Version 0.0.32 released under the GPLv3.
- 2006-03-25: Version 0.0.23 released, mainly as a foundation to build official Debian packages.
- 2006-01-17: Experimental Shishi packages for Debian are available.
- 2004-11-12: The experimental STARTTLS support is now documented in an Internet draft.
- 2004-06-13: The InetUtils work has its own home page now, and will be a playground for new features (even non-Shishi related) in GNU InetUtils.
- 2004-01-22: New releases are no longer announced here, and hasn't been for a while. Instead, read info-gnu or check the release directory from time to time. By the way, Shishi 0.0.14 was just released.
- 2004-01-13: A new snapshot of GNU InetUtils with Shishi support
was released. Build it as usual for Kerberos support, i.e.,
--enable-encryption --enable-authentication. It includes telnet(d), rsh(d) and rlogin(d) with Shishi support.
- 2004-01-01: Savannah had problems last month, and still isn't operating fully. CVS has been moved to a private machine, a read-only mirror of it will hopefully be available via Savannah in the future.
- 2003-10-16: Shishi 0.0.8 released. STARTTLS upgrade of TCP connections (only anonymous DH for now). Password processing via SASLprep instead of KRBprep. Authorization and documentation improvements.
- 2003-10-11: Snapshot of Shishi-port of GNU InetUtils released, contains telnet(d) and rsh(d) with Kerberos 5 support via Shishi. Developed by Nicolas Pouvesle.
- 2003-10-01: Shishi-port of GNOME Ticket Applet added, see below.
- 2003-09-21: Shishi 0.0.7 released. DES-CBC-CRC and ARCFOUR works. Short-hand aliases for encryption type names are supported.
- 2003-09-14: Shishi 0.0.6 released. Proxiable, proxy, forwardable and forwarded tickets supported. Man pages for all public functions are included. The internal crypto interface now fully modularized.
- 2003-09-07: Shishi 0.0.5 released. SAFE and PRIV fixes. Server name to realm mapping via DNS. Reference manual.
- 2003-08-31: Shishi 0.0.4 released. KDC works. Shishi port of rsh/rlogin client, contributed by Nicolas Pouvesle, included. Accompanies GSSLib 0.0.5.
- 2003-08-25: Shishi becomes a GNU project.
- 2003-08-22: Shishi 0.0.3 released.
- 2003-08-17: Shishi 0.0.2 released.
- 2003-08-10: Shishi 0.0.1 released. Few new features, but improved internally. Accompanies GSSLib 0.0.4.
- 2003-06-23: A patch for telnet(d) in GNU InetUtils that implement Kerberos 5 authentication via Shishi is published.
- 2003-06-02: Shishi 0.0.0 released. No major changes compared to last snapshot, but used by Generic Security Services API (GSS-API) 0.0.0.
- 2003-02-11: Another snapshot release. Used by GNU SASL.
- 2002-12-26: Moved project to savannah.
- 2002-12-14: Second snapshot released.
- 2002-12-13: PAM works.
- 2002-12-08: Telnetd works.
- 2002-12-01: Web page opened and a snapshot released.
- 2002-11-25: Telnet works.
- 2002-10-26: Code moved into CVS.
- 2002-09-30: Started coding.
A mailing list where Shishi users may help each other exists, and you can reach it by sending e-mail to email@example.com. Archives of the mailing list discussions, and an interface to manage subscriptions, is available through the World Wide Web at http://lists.gnu.org/mailman/listinfo/help-shishi.
The following organizations provide paid support for Shishi:
If you find GNU Shishi useful, please consider making a donation. No amount is too small!
The stable releases are distributed from ftp://ftp.gnu.org/gnu/shishi/.
All official releases are signed with an OpenPGP key with fingerprint 0xB565716F.
$ git clone git://git.savannah.gnu.org/shishi.git
The online git interface is available.
If you have trouble using git, you may download
a daily snapshot.
The snapshots are prepared similar to regular releases, i.e., you
simply build them using
./configure && make.
Build logs from building the package, where you can also contribute a build system for your own platform, are available from the Shishi autobuild page.
See the file README-alpha on how to bootstrap and build the package from version controlled sources.
There is a snapshot release of Ticket Applet available from ftp://alpha.gnu.org/pub/gnu/shishi/ticket-applet-shishi-*.tar.gz.
You can also browse the CVS of the Shishi port of Ticket Applet.