Topic "SSPI support"

blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
I am running WinSCP 4.2.1 on Windows 2008 x64 Datacenter Edition. I guess my question is - does the SSPI support (the native Windows support for Kerberos) work with WinSCP? The reason I ask it that way - when I launch WinSCP and enter the hostname (and tell it to auth via SSP) - I never see a ticket request via my network capture. I have a version of PuTTY which supports this, as well as Firefox (using native SSPI).

I'm not seeing any ticket request. There is no Kerberos traffic at all.

Thoughts?

Thanks
Blake
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
WinSCP uses the same SSPI implementation as PuTTY. Unless you use a different version of PuTTY. So what version of PuTTY do you use?
_________________
Martin Prikryl
blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
Thanks for your reply. I'm using the putty downloaded from here:

http://rc.quest.com/topics/putty/
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
blakeduffey wrote:
Thanks for your reply. I'm using the putty downloaded from here:

http://rc.quest.com/topics/putty/

Can you try the official PuTTY instead?
blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
I'll be happy to try - but I'm not sure what that will prove. WinSCP sends no Kerberos traffic on my Windows 2008 server.

I will report back.

Blake
blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
I'm seeing the same basic functionality. When I launch PuTTY I see no Kerberos traffic at all. I am assuming it is looking for the credential cache and, not finding it, gives up on Kerberos?

Is PuTTY using the 'native' SSPI functionality provided by Windows? Kerberos support for Windows 2008 is MUCH better than previous versions - and I see no need to run something like MIT Kerberos for Windows if I don't need to. We have a trust between my AD domain and our MIT realm - and I can 'seamlessly' use the Quest version, which seems to truly support native SSPI, to connect to resources in our MIT realm, without the need for 'workarounds' like Kerberos for Windows.

If I read the link on this page correctly:

http://www.chiark.greenend.org.uk/~sgtatham/putty/links.html

The 'official' version of PuTTY doesn't support SSPI...

Please see:

http://rc.quest.com/topics/putty/

Thoughts?
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
blakeduffey wrote:
Is PuTTY using the 'native' SSPI functionality provided by Windows?

It does.

Quote:
If I read the link on this page correctly:

http://www.chiark.greenend.org.uk/~sgtatham/putty/links.html

The 'official' version of PuTTY doesn't support SSPI...

The official does not. Only the development version does (the one I've sent you a link to).

WinSCP used to use this implementation of Kerberos/SSPI in the past. In 4.2 we switched to the official PuTTY implementation, once they had it.
_________________
Martin Prikryl
blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
I'm sorry, I'll try that direct link again.

Also - I'm not sure I understand your final post. Are you waiting for the official version of PuTTY to include this functionality in WinSCP? I have WinSCP 421. This would be a wonderful addition.

Thanks
Blake
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
blakeduffey wrote:
Also - I'm not sure I understand your final post. Are you waiting for the official version of PuTTY to include this functionality in WinSCP?

No, the functionality is already included since 4.2 beta.
_________________
Martin Prikryl
blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
Thanks for your time. I'll try the beta and report back.

Blake
blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
I'm able to get PuTTY to use SSPI

When I try WinSCP 4.22, I get this in the log:

. 2009-07-22 09:56:08.112 GSSAPI authentication request refused
! 2009-07-22 09:56:08.112 Access denied
. 2009-07-22 09:56:08.112 Access denied
blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
I wanted to report back my findings...

I am using the version of PuTTY you suggested. http://tartarus.org/~simon/putty-snapshots/x86/putty.exe

If I create a session using this version, it won't work using native SSPI. But if I used this binary using a session that was created using the Quest version, it DID work. So I did a diff on the registry keys and found that:

UserNameFromEnvironment must be set to 1.

If that is configurable via the gui I cannot find it.

Anyways...

So now I can use the 'official' development version of PuTTY and it works (if I change that key for the session).

WinSCP does NOT connect.

Thoughts?

Blake
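
The registry comparison described in the post above, as an added example that is not part of the original thread: it parses the text of a regedit export and lists the values that differ between two PuTTY sessions. The export content and the session names `works` and `fails` are constructed for illustration.

```python
import re

# Constructed sample: a regedit export holding two PuTTY sessions for the same
# host, one that authenticates via SSPI ("works") and one that does not ("fails").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\works]
"HostName"="host.example.test"
"UserName"=""
"AuthGSSAPI"=dword:00000001
"UserNameFromEnvironment"=dword:00000001

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\fails]
"HostName"="host.example.test"
"UserName"=""
"AuthGSSAPI"=dword:00000001
"UserNameFromEnvironment"=dword:00000000
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith('dword:'):
                current[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                # .reg escapes backslash and double quote inside strings
                current[name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
            else:
                current[name] = raw  # hex: and other types kept as raw text
    return keys

def diff_sessions(keys, a, b):
    """Return {value_name: (value_in_a, value_in_b)} for values that differ."""
    find = lambda s: next(v for k, v in keys.items() if k.endswith('\\Sessions\\' + s))
    sa, sb = find(a), find(b)
    return {n: (sa.get(n), sb.get(n))
            for n in sorted(set(sa) | set(sb)) if sa.get(n) != sb.get(n)}
```

A real regedit export is normally UTF-16, so decode the file with that encoding before passing its text to `parse_reg`.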
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
blakeduffey wrote:
So I did a diff on the registry keys and found that:

UserNameFromEnvironment must be set to 1.

So if you set this option, does PuTTY work with SSPI on its own? Or do you still need to start the session using Quest PuTTY? Btw, all the option does is that it fills the username (Connection > Data > Auto-login username) with your Windows username.

Quote:
If that is configurable via the gui I cannot find it.

Connection > Data > When username is not specified > Use system username

Quote:
WinSCP does NOT connect.

So just try to enter your Windows username into the username field in WinSCP.
blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
I have removed the Quest PuTTY. I have created the session using the 'official development' version of PuTTY (2009-07-20:r8607) and manually modified that key and it works - I simply launch the session and it connects - I enter nothing.

I'll try that option in the gui and see if I can create the session that way.

In this instance the Windows user name is the same as the Kerberos principal name in the trusted domain (I set things up that way on purpose). I'll certainly try entering the user name - but if Kerberos is working properly I wouldn't think I'd need to.

Thanks, as always, for your insight.

Blake
blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
Yes, that did work (Connection -> Data -> Use System username)

I launch that session and it connects/authenticates hands free. I am hoping to get WinSCP to do the same.
blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
When I save the username as part of the WinSCP session, it does work using native SSPI. I launch the session and it connects without any additional typing. I suppose PuTTY is just getting the user name from Windows.
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
blakeduffey wrote:
I suppose PuTTY is just getting the user name from Windows.


Correct.
I have added support for this into tracker.
_________________
Martin Prikryl
blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
Excellent! Thanks for all the hard work.

Take care,
Blake
Anon

Guest


I like this feature and would also use it, but isn't this going to be possible once the features requested in tracker 150&392 are implemented?

Merely set the "user name" to %USERNAME% once WinSCP gets the ability to use Windows variables in its sessions. This would save you having to mess around with changing your UI and users having yet another option to set somewhere to get this feature.
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
I have raised priority of this.
_________________
Martin Prikryl
blakeduffey

Joined: 2009-07-13
Posts: 14
Location: Virginia, USA
Should version 4.2.5 work with MIT Kerberos for Windows?

My previous question was using native Kerberos in Windows 2008. My current situation includes KfW.

EDIT: I'm pretty sure the answer is NO - when PuTTY went to SSPI, this app did too (post 4.0.7)

Being able to use either would be nice... But I'm not sure it is realistic...
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
Actually I'm not really sure. I never tried either. I've just reused PuTTY's implementation once they've included Kerberos support. I suppose the two are not compatible.
_________________
Martin Prikryl
a178235

Joined: 2010-07-06
Posts: 3
Has support for auto detection of current username been completed? I am using version 4.2.7 and if I leave the username field blank or enter %USERNAME%, I still must enter a password. If I enter my username then GSSAPI authentication works.
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
a178235 wrote:
Has support for auto detection of current username been completed?

Not yet.
_________________
Martin Prikryl