Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

martin

a178235 wrote:

Has support for auto detection of current username been completed?

Not yet.
a178235

Has support for auto detection of current username been completed? I am using version 4.2.7 and if I leave the username field blank or enter %USERNAME%, I still must enter a password. If I enter my username then GSSAPI authentication works.
martin

Actually I'm not really sure. I never tried either. I've just reused PuTTY's implementation once they've included Kerberos support. I suppose the two are not compatible.
blakeduffey

Should version 4.2.5 work with MIT Kerberos for Windows?

My previous question was using native kerberos in Windows 2008. My current situation includes KfW.

EDIT: I'm pretty sure the answer is NO - when PuTTY went to SSPI, this app did too (post 4.0.7)

Being able to use either would be nice... But I'm not sure it is realistic...
martin

Re: A useful addition but could implemented under request150/392

I have raised priority of this.
Anon

A useful addition but could implemented under request150/392

I like this feature and would also use it, but isn't this going to be possible once the features requested in tracker 150&392 are implemented?

Merely set the "user name" to %USERNAME% once WinSCP gets the ability to use Windows variables in it's sessions. This would save you having to mess around with changing your UI and users having yet another option to set somewhere to get this feature.
blakeduffey

Excellent! Thanks for all the hard work.

Take care,
Blake
martin

blakeduffey wrote:

I suppose PuTTY is just getting the user name from Windows.


Correct.
I have added support for this into tracker.
blakeduffey

When I save the username as part of the WinSCP session, it does work using native SSPI. I launch the session and it connects without any additional typing. I suppose PuTTY is just getting the user name from Windows.
blakeduffey

Yes, that did work (Connection -> Data -> Use System username)

I launch that session and it connects/authenticates hands free. I am hoping to get WinSCP to do the same.
blakeduffey

I have removed the Quest PuTTY. I have created the session using the 'offical development' version of PuTTY (2009-07-20:r8607) and manually modifed that key and it works - I simply launch the session and it connects - I enter nothing.

I'll try that option in the gui and see if I can create the session that way.

In this instance the Windows user name is the same as the kerberos principal name in the trusted domain (I set things up that way on purpose). I'll certainly try entering the user name - but if kerberos is working properly I wouldn't think I'd need to.

Thanks, as always, for your insight.

Blake
martin

blakeduffey wrote:

So I did a diff on the registry keys and found that:

UserNameFromEnvironment must be set to 1.

So if you set this option, does PuTTY work with SSPI on its own? Or do you still need to start the session using Quest PuTTY? Btw, all the option does is that it fills the username (Connection > Data > Auto-login username) with your Windows username.

If that is configurable via the gui I cannot find it.

Connection > Data > When username is not specified > Use system username

WinSCP does NOT connect.

So just try to enter your Windows username into username field in WinSCP.
blakeduffey

I wanted to report back my findings...

I am using the version of PuTTY you suggested. https://tartarus.org/~simon/putty-snapshots/w32/putty.exe

If I create a session using this version, it won't work using native SSPI. But if I used this binary using a session that was created using the Quest version, it DID work. So I did a diff on the registry keys and found that:

UserNameFromEnvironment must be set to 1.

If that is configurable via the gui I cannot find it.

Anyways...

So now I can use the 'official' development version of PuTTY and it works (if I change that key for the session).

WinSCP does NOT connect.

Thoughts?

Blake
blakeduffey

I'm able to get PuTTY to use SSPI

When I try WinSCP 4.22, I get this in the log:

. 2009-07-22 09:56:08.112 GSSAPI authentication request refused
! 2009-07-22 09:56:08.112 Access denied
. 2009-07-22 09:56:08.112 Access denied
blakeduffey

Thanks for your time. I'll try the beta and report back.

Blake
martin

[quote="blakeduffey"]Also - I'm not sure I understand your final post. Are you waiting for the official version of PuTTY to include this functionality in WinSCP?[/qoute]
No the functionality is already included since 4.2 beta.
blakeduffey

I'm sorry, I'll try that direct link again.

Also - I'm not sure I understand your final post. Are you waiting for the official version of PuTTY to include this functionality in WinSCP? I have WinSCP 421. This would be a wonderful addition.

Thanks
Blake
martin

blakeduffey wrote:

Is PuTTY using the 'native' SSPI functionality provided by Windows?

It does.

If I read the link on this page correctly:

https://www.chiark.greenend.org.uk/~sgtatham/putty/links.html

The 'official' version of PuTTY doesn't support SSPI...

The official does not. Only the development version does (the once I've sent you link to).

Please see:

<invalid hyperlink removed by admin>

WinSCP used to use this implementation of Kerberos/SSPI in past. In 4.2 we switched to official PuTTY implementation, once they have it.
blakeduffey

I'm seeing the same basic functionality. When I launch PuTTY I see no Kerberos traffic at all. I am assuming it is looking for the credential cache and, not finding it, gives up on kerberos?

Is PuTTY using the 'native' SSPI functionality provided by Windows? Kerberos support for Windows 2008 is MUCH better than previous versions - and I see no need to run something like MIT Kerberos for Windows if I don't need to. We have a trust between my AD domain and our MIT realm - and I can 'seamlessly' us the Quest version, which seems to truly support native SSPI, to connect to resources in our MIT realm, without the need for 'workarounds' like Kerberos for Windows.

If I read the link on this page correctly:

https://www.chiark.greenend.org.uk/~sgtatham/putty/links.html

The 'official' version of PuTTY doesn't support SSPI...

Please see:

<invalid hyperlink removed by admin>

Thoughts?
blakeduffey

I'll be happy to try - but I'm not sure what that will prove. WinSCP sends no kerberos traffic on my Windows 2008 server.

I will report back.

Blake
martin

blakeduffey wrote:

Thanks for your reply. I'm using the putty downloaded from here:

<invalid hyperlink removed by admin>

Can you try the official PuTTY instead?
blakeduffey

Thanks for your reply. I'm using the putty downloaded from here:

<invalid hyperlink removed by admin>
martin

Re: SSPI support

WinSCP uses the same SSPI implementation as PuTTY. Unless you use different version of PuTTY. So what version of PuTTY do you use?
blakeduffey

SSPI support

I am running WinSCP 4.2.1 on Windows 2008 x64 Datacenter Edition. I guess my question is - does the SSPI support (the native Windows support for Kerberos) work with WinSCP? The reason I ask it that way - when I launch WinSCP and enter the hostname (and tell it to auth via SSP) - I never see a ticket request via my network capture. I have a version of putty which supports this, as well as firefox (using native SSPI).

I'm not seeing any ticket request. There is no kerberos traffic at all.

Thoughts?

Thanks
Blake