Differences
This shows you the differences between the selected revisions of the page.
2007-01-31 | 2007-04-10 | ||
advanced options (martin) | 4.0 sspi, ticket forwarding, server realm (martin) | ||
Line 19: | Line 19: | ||
WinSCP leaves this option enabled by default, but supplies a switch to turn it off in case you should have trouble with it. If your server uses keyboard-interactive authentication to ask for your password only, and you wish to allow WinSCP to reply with password entered on //[[ui_login_session|Session tab]]//, tick //Respond with password to the first prompt//. | WinSCP leaves this option enabled by default, but supplies a switch to turn it off in case you should have trouble with it. If your server uses keyboard-interactive authentication to ask for your password only, and you wish to allow WinSCP to reply with password entered on //[[ui_login_session|Session tab]]//, tick //Respond with password to the first prompt//. | ||
- | ===== Attempt MIT Kerberos GSSAPI authentication ===== | + | ===== Attempt Kerberos 5 GSSAPI/SSPI authentication ===== |
- | The switch tells WinSCP to attempt GSSAPI authentication through Kerberos. | + | The switch tells WinSCP to attempt GSSAPI or SSPI authentication. |
The GSSAPI is a generic API for doing client-server authentication. The | The GSSAPI is a generic API for doing client-server authentication. The | ||
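Review bot: the rewritten description line ("attempt GSSAPI or SSPI authentication") drops the word Kerberos even though the new heading still says "Kerberos 5", and it does not tell the reader how the choice between GSSAPI and SSPI is made. Suggest wording along the lines of "attempt Kerberos 5 authentication through GSSAPI or SSPI", plus one sentence stating which of the two is used in which situation, so the heading and the body agree.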
Line 30: | Line 30: | ||
work with any number of security platforms (Kerberos, Entrust, ...). | work with any number of security platforms (Kerberos, Entrust, ...). | ||
- | Currently, only MIT Kerberos 5 implementation of GSSAPI is supported. | + | The SSPI is Microsoft specific (non-standard) implementation of GSSAPI. |
- | The support of SSPI (Microsoft specific implementation of GSSAPI) is under development. | + | To use MIT Kerberos authentication, you need to have [[&url(kerberosforwin)|MIT Kerberos for Windows]] installed. |
- | + | ||
- | To use this authentication, you need to have [[&url(kerberosforwin)|Kerberos for Windows]] installed. | + | |
===== Allow agent forwarding ===== | ===== Allow agent forwarding ===== | ||
This option allows the SSH server to open forwarded connections back to your local copy of Pageant. If you are not running Pageant, this option will do nothing. Learn more about [[&url(puttyagentfwd)|agent forwarding]]. ((&puttydoccite)) | This option allows the SSH server to open forwarded connections back to your local copy of Pageant. If you are not running Pageant, this option will do nothing. Learn more about [[&url(puttyagentfwd)|agent forwarding]]. ((&puttydoccite)) | ||
+ | |||
+ | ===== Allow Kerberos 5 ticket forwarding in GSSAPI/SSPI ===== | ||
+ | |||
+ | This option allows the forwarding of the locally stored Kerberos ticket to a remote server, from which you can authenticate to other servers using this ticket. | ||
+ | |||
+ | ===== Server realm (SSPI) ===== | ||
+ | The situation where it option is useful is where you do not have KfW on a local machine and are using cross realm where the realm of the server is not in AD. The local machine can be part of a domain, or a stand alone machine. It is proving handy for use from home for example. | ||
+ | |||
+ | When one of more of the realms are not AD, then the Microsoft ''ksetup'' command will need to be used to define the realms to the local machine. It can be found on the XP PRO CD under support tools which get installed into ''C:\Program Files\Support Tools\''. There is also a version for W2K. | ||
+ | |||
+ | <code> | ||
+ | ksetup /AddKdc <realm> <KdcName> | ||
+ | </code> | ||
+ | |||
+ | (Repeat for other KDCs) | ||
+ | |||
+ | <code> | ||
+ | ksetup /SetRealmFlags <realm> TCPSupported Delegate | ||
+ | </code> | ||
+ | |||
+ | If the realm has the DNS SRV records setup the ''KdcName'' is optional at least on XP. | ||
+ | |||
+ | MIT 1.3 KDCs supports TCP. The ''Delegate'' flag is needed for servers in the MIT realm as it does not return the ''OK_TO_DELEGATE'' flag. |
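Review bot: the new "Server realm (SSPI)" section explains when the option is useful but never says what the option does or what value belongs in it. Add an opening sentence that defines the field before the use case. The "ticket forwarding" paragraph states that the ticket stored locally can be used from the remote server to authenticate to other servers, so it should also say that the option belongs only on servers you trust, and could link to background reading the way the agent forwarding paragraph does. Wording fixes in the added lines: "where it option is useful" should read "where this option is useful", "one of more" should be "one or more", "KDCs supports" should be "KDCs support", "The SSPI is Microsoft specific" needs an "a" before "Microsoft", and "KfW", "AD" and "W2K" are used without being expanded.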