Differences
This shows you the differences between the selected revisions of the page.
2009-03-05 | 2009-03-05 | ||
4.2 putty doc update (martin) | 4.2 all kerberos related stuff unsupported by putty implementation removed (martin) | ||
Line 35: | Line 35: | ||
WinSCP leaves this option enabled by default, but supplies a switch to turn it off in case you should have trouble with it. If your server uses keyboard-interactive authentication to ask for your password only, and you wish to allow WinSCP to reply with password entered on //[[ui_login_session|Session tab]]//, tick //Respond with password to the first prompt//. | WinSCP leaves this option enabled by default, but supplies a switch to turn it off in case you should have trouble with it. If your server uses keyboard-interactive authentication to ask for your password only, and you wish to allow WinSCP to reply with password entered on //[[ui_login_session|Session tab]]//, tick //Respond with password to the first prompt//. | ||
- | ===== Attempt Kerberos 5 GSSAPI/SSPI authentication ===== | + | ===== Attempt GSSAPI/SSPI authentication ===== |
The switch tells WinSCP to attempt GSSAPI or SSPI authentication. | The switch tells WinSCP to attempt GSSAPI or SSPI authentication. | ||
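Review bot: The renamed heading on the "+" side drops "Kerberos 5", and the unchanged sentence under it only says "GSSAPI or SSPI", so the section no longer tells the reader which authentication mechanism the switch attempts. Suggest adding one sentence under the heading that names the mechanism that remains supported. Because DokuWiki derives section anchors from the heading text, also check for links that point at the old heading's anchor.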
Line 47: | Line 47: | ||
The SSPI is Microsoft specific (non-standard) implementation of GSSAPI. | The SSPI is Microsoft specific (non-standard) implementation of GSSAPI. | ||
- | |||
- | To use MIT Kerberos authentication, you need to have [[&url(kerberosforwin)|MIT Kerberos for Windows]] installed. | ||
- | |||
- | If your Kerberos realm is not in the AD, MIT Kerberos authentication will not be used. For this you will need to specify a //[[ui_login_authentication#service_principal_name_sspi|Service Principal Name]]// as described below. Then, either store the password for ''<user>@<realm>'' by going to //Windows Start Menu > Settings > Control Panel > User Accounts > Advanced > Manage Passwords > Add// or use following command to start WinSCP: ((If the latter method is used, the credentials that get established at startup after providing the kerberos password are only available to children of the initial process)) | ||
- | runas /netonly /user:<user>@<realm> <path_to_winscp> | ||
When you want to use [[integration_app#putty|integration with PuTTY]], you may find Kerberos-enabled version of PuTTY useful. Such as [[&url(qputty)|Quest PuTTY]]. | When you want to use [[integration_app#putty|integration with PuTTY]], you may find Kerberos-enabled version of PuTTY useful. Such as [[&url(qputty)|Quest PuTTY]]. | ||
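Review bot: Removing the MIT Kerberos paragraphs leaves the retained sentence about a "Kerberos-enabled version of PuTTY" directly after the SSPI definition, with nothing saying that MIT Kerberos for Windows and realms outside AD are no longer handled. A reader who relied on the removed `runas /netonly` startup gets no hint that it stopped applying; suggest one sentence stating what is unsupported, in line with the revision summary. The retained "Such as ..." fragment could be merged into the preceding sentence while this paragraph is being touched.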
Line 59: | Line 54: | ||
This option allows the SSH server to open forwarded connections back to your local copy of Pageant. If you are not running Pageant, this option will do nothing. Learn more about [[&url(puttyagentfwd)|agent forwarding]]. ((&puttydoccite)) | This option allows the SSH server to open forwarded connections back to your local copy of Pageant. If you are not running Pageant, this option will do nothing. Learn more about [[&url(puttyagentfwd)|agent forwarding]]. ((&puttydoccite)) | ||
- | ===== Service principal name (SSPI) ===== | ||
- | The situation where this option is useful is where you do not have Kerberos for Windows on a local machine and are using cross realm where the realm of the server is not in AD. The local machine can be part of a domain, or a stand alone machine. It is proving handy for use from home for example. | ||
- | |||
- | The //Service Principal Name// should be entered in the form: | ||
- | |||
- | <code> | ||
- | host/<hostname>@<realm> | ||
- | </code> | ||
- | |||
- | When one of more of the realms are not in AD, then the Microsoft ''ksetup'' command will need to be used to define the realms to the local machine. It can be found on the Windows XP PRO CD under support tools which get installed into ''C:\Program Files\Support Tools\''. There is also a version for Windows 2000. | ||
- | |||
- | <code> | ||
- | ksetup /AddKdc <realm> <kdc_name> | ||
- | </code> | ||
- | |||
- | (Repeat for other KDCs) | ||
- | |||
- | <code> | ||
- | ksetup /SetRealmFlags <realm> TCPSupported Delegate | ||
- | </code> | ||
- | |||
- | If the realm has the DNS SRV records setup the ''kdc_name'' is optional at least on XP. | ||
- | |||
- | MIT 1.3 KDCs supports TCP. The ''Delegate'' flag is needed for servers in the MIT realm as it does not return the ''OK_TO_DELEGATE'' flag. The ''Delegate'' flag is also needed to have an AFS token issued when the server is using the Andrew File System. |
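Review bot: Deleting the "Service principal name (SSPI)" heading removes the anchor `service_principal_name_sspi`; the one reference visible here (in the Line 47 hunk) is removed as well, but other pages linking to that anchor should be checked before this goes in. The `ksetup` steps for realms outside AD also disappear with no replacement or pointer, so suggest stating from which version the option is gone, so that users of earlier versions know the text survives only in the page history.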