Differences

2011-11-01: agent forwarding is now above gssapi (martin)
2011-11-01: 5.0.3 bug 583 (martin)
Line 15: Line 15:
This option only affects SSH-2 connections. SSH-1 connections always require an authentication step. ((&puttydoccite)) This option only affects SSH-2 connections. SSH-1 connections always require an authentication step. ((&puttydoccite))
-===== Attempt Authentication Using Pageant =====+===== Authentication Options ===== 
 + 
 +==== Attempt Authentication Using Pageant ====
If this option is enabled, then WinSCP will look for [[ui_pageant|Pageant]] and attempt to authenticate with any suitable public keys Pageant currently holds. If this option is enabled, then WinSCP will look for [[ui_pageant|Pageant]] and attempt to authenticate with any suitable public keys Pageant currently holds.
Line 23: Line 25:
Learn how to use the [[public_key|Pageant]] (PuTTY's SSH authentication agent) application for public key authentication. Learn how to use the [[public_key|Pageant]] (PuTTY's SSH authentication agent) application for public key authentication.
-===== Attempt TIS or CryptoCard authentication =====+==== Attempt TIS or CryptoCard authentication ====
TIS and CryptoCard authentication are (despite their names) generic forms of simple challenge/response authentication available in SSH-1 only. You might use them if you were using S/Key one-time passwords, for example, or if you had a physical security token that generated responses to authentication challenges.  They can even be used to prompt for simple passwords. TIS and CryptoCard authentication are (despite their names) generic forms of simple challenge/response authentication available in SSH-1 only. You might use them if you were using S/Key one-time passwords, for example, or if you had a physical security token that generated responses to authentication challenges.  They can even be used to prompt for simple passwords.
Line 29: Line 31:
With this switch enabled, WinSCP will attempt these forms of authentication if the server is willing to try them. You will be [[ui_authenticate#keyboard_interactive|presented with a challenge string]] (which may be different every time) and must supply the correct response in order to log in. If your server supports this, you should talk to your system administrator about precisely what form these challenges and responses take. ((&puttydoccite)) With this switch enabled, WinSCP will attempt these forms of authentication if the server is willing to try them. You will be [[ui_authenticate#keyboard_interactive|presented with a challenge string]] (which may be different every time) and must supply the correct response in order to log in. If your server supports this, you should talk to your system administrator about precisely what form these challenges and responses take. ((&puttydoccite))
-===== Attempt keyboard-interactive authentication =====+==== Attempt keyboard-interactive authentication ====
The SSH-2 equivalent of TIS authentication is called 'keyboard-interactive'. It is a flexible authentication method using an arbitrary sequence of [[ui_authenticate#keyboard_interactive|requests and responses]]; so it is not only useful for challenge/response mechanisms such as S/Key, but it can also be used for (for example) asking the user for a new password when the old one has expired. ((&puttydoccite)) The SSH-2 equivalent of TIS authentication is called 'keyboard-interactive'. It is a flexible authentication method using an arbitrary sequence of [[ui_authenticate#keyboard_interactive|requests and responses]]; so it is not only useful for challenge/response mechanisms such as S/Key, but it can also be used for (for example) asking the user for a new password when the old one has expired. ((&puttydoccite))
Line 35: Line 37:
WinSCP leaves this option enabled by default, but supplies a switch to turn it off in case you should have trouble with it. If your server uses keyboard-interactive authentication to ask for your password only, and you wish to allow WinSCP to reply with password entered on //[[ui_login_session|Session tab]]//, tick //Respond with password to the first prompt//. WinSCP leaves this option enabled by default, but supplies a switch to turn it off in case you should have trouble with it. If your server uses keyboard-interactive authentication to ask for your password only, and you wish to allow WinSCP to reply with password entered on //[[ui_login_session|Session tab]]//, tick //Respond with password to the first prompt//.
-===== Allow agent forwarding =====+===== Authentication Parameters ===== 
 + 
 +==== [[forwarding]] Allow agent forwarding ====
This option allows the SSH server to open forwarded connections back to your local copy of [[ui_pageant|Pageant]]. If you are not running Pageant, this option will do nothing. Learn more about [[&url(puttyagentfwd)|agent forwarding]].  This option allows the SSH server to open forwarded connections back to your local copy of [[ui_pageant|Pageant]]. If you are not running Pageant, this option will do nothing. Learn more about [[&url(puttyagentfwd)|agent forwarding]]. 
-===== Attempt GSSAPI/SSPI authentication =====+===== GSSAPI ===== 
 + 
 +==== Attempt GSSAPI authentication ==== 
 + 
 +The switch controls the use of GSSAPI authentication. This is a mechanism which delegates the authentication exchange to a library elsewhere on the client machine, which in principle can authenticate in many different ways but in practice is usually used with the Kerberos single sign-on protocol.  
 + 
 +GSSAPI is only available in the SSH-2 protocol.
-The switch tells WinSCP to attempt GSSAPI or SSPI authentication.+If the option is disabled, GSSAPI will not be attempted at all and the rest of this panel is unused. If it is enabled, GSSAPI authentication will be attempted, and (typically) if your client machine has valid Kerberos credentials loaded, then WinSCP should be able to authenticate automatically to servers that support Kerberos logins.·
-The GSSAPI is a generic API for doing client-server authentication. The +==== Allow GSSAPI credential delegation ==== 
-motivation behind it is that every security system has its own API, and the +GSSAPI credential delegation is a mechanism for passing on your Kerberos (or other) identity to the session on the SSH server. If you enable this option, then not only will WinSCP be able to log in automatically to a server that accepts your Kerberos credentials, but also you will be able to connect out from that server to other Kerberos-supporting services and use the same credentials just as automatically.·
-effort involved with adding different security systems to applications is +
-extremely difficult with the variance between security APIs. However, with +
-common API, application vendors could use the generic API and it could +
-work with any number of security platforms (Kerberos, Entrust, ...).+
-The SSPI is Microsoft specific (non-standard) implementation of GSSAPI.+This option is the Kerberos analogue of [[ui_login_authentication#forwarding|SSH agent forwarding]].
-When you want to use [[integration_app#putty|integration with PuTTY]], you may find Kerberos-enabled version of PuTTY useful. Such as [[&;url(qputty)|Quest PuTTY]]. ((&puttydoccite)) +Note that, like SSH agent forwarding, there is a security implication in the use of this option: the administrator of the server you connect to, or anyone else who has cracked the administrator account on that server, could fake your identity when connecting to further Kerberos-supporting services. However, Kerberos sites are typically run by a central authority, so the administrator of one server is likely to already have access to the other services too; so this would typically be less of a risk than SSH agent forwarding. ((&puttydoccite))
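Review bot: The heading change to `+===== GSSAPI =====` and the removal of the old "GSSAPI/SSPI" paragraphs drop, without replacement, the only statement that SSPI is Microsoft's implementation of GSSAPI and the pointer for `[[integration_app#putty|integration with PuTTY]]` users to a Kerberos-enabled PuTTY build (Quest PuTTY); if that hint is still wanted, keep one sentence here noting that on Windows the GSSAPI library used is SSPI, and move the Quest PuTTY remark to the integration page rather than losing it. Two smaller points in the same hunk: the new text says "the rest of this panel is unused", which is PuTTY wording, while this page calls the control a tab ("//[[ui_login_session|Session tab]]//"), so "section" reads better; and the `·` at the end of the `+If the option is disabled...` and `+GSSAPI credential delegation...` lines indicates trailing whitespace that should be trimmed. Finally, the delegation paragraph says "like SSH agent forwarding, there is a security implication", but the "Allow agent forwarding" subsection it links to via the new `[[forwarding]]` anchor states no such caveat; add a sentence there that forwarding should only be enabled for servers whose administrator you trust, so the cross-reference has something to point at.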

Last modified: by martin