Differences
This shows you the differences between the selected revisions of the page.
| 2016-01-21 | 2016-01-21 | ||
| nonsense reference to data channel (martin) | limit acronym recognition (martin) | ||
| Line 61: | Line 61: | ||
| The switch controls the use of GSSAPI authentication. This is a mechanism which delegates the authentication exchange to a library elsewhere on the client machine, which in principle can authenticate in many different ways but in practice is usually used with the Kerberos single sign-on protocol. | The switch controls the use of GSSAPI authentication. This is a mechanism which delegates the authentication exchange to a library elsewhere on the client machine, which in principle can authenticate in many different ways but in practice is usually used with the Kerberos single sign-on protocol. | ||
| - | GSSAPI is only available in the SSH-2 protocol. | + | %%GSSAPI%% is only available in the SSH-2 protocol. |
| - | If the option is disabled, GSSAPI will not be attempted at all and the rest of this panel is unused. If it is enabled, GSSAPI authentication will be attempted, and (typically) if your client machine has valid Kerberos credentials loaded, then WinSCP should be able to authenticate automatically to servers that support Kerberos login. | + | If the option is disabled, %%GSSAPI%% will not be attempted at all and the rest of this panel is unused. If it is enabled, %%GSSAPI%% authentication will be attempted, and (typically) if your client machine has valid Kerberos credentials loaded, then WinSCP should be able to authenticate automatically to servers that support Kerberos login. |
| ==== Allow GSSAPI credential delegation ==== | ==== Allow GSSAPI credential delegation ==== | ||
| - | GSSAPI credential delegation is a mechanism for passing on your Kerberos (or other) identity to the session on the SSH server. If you enable this option, then not only will WinSCP be able to log in automatically to a server that accepts your Kerberos credentials, but also you will be able to connect out from that server to other Kerberos-supporting services and use the same credentials just as automatically. | + | %%GSSAPI%% credential delegation is a mechanism for passing on your Kerberos (or other) identity to the session on the SSH server. If you enable this option, then not only will WinSCP be able to log in automatically to a server that accepts your Kerberos credentials, but also you will be able to connect out from that server to other Kerberos-supporting services and use the same credentials just as automatically. |
| This option is the Kerberos analogue of [[#forwarding|SSH agent forwarding]]. | This option is the Kerberos analogue of [[#forwarding|SSH agent forwarding]]. | ||
| - | Note that, like SSH agent forwarding, there is a security implication in the use of this option: the administrator of the server you connect to, or anyone else who has cracked the administrator account on that server, could fake your identity when connecting to further Kerberos-supporting services. However, Kerberos sites are typically run by a central authority, so the administrator of one server is likely to already have access to the other services too; so this would typically be less of a risk than SSH agent forwarding. ((&puttydoccite)) | + | Note that, like %%SSH%% agent forwarding, there is a security implication in the use of this option: the administrator of the server you connect to, or anyone else who has cracked the administrator account on that server, could fake your identity when connecting to further Kerberos-supporting services. However, Kerberos sites are typically run by a central authority, so the administrator of one server is likely to already have access to the other services too; so this would typically be less of a risk than %%SSH%% agent forwarding. ((&puttydoccite)) |
| ===== Further Reading ===== | ===== Further Reading ===== | ||
| Read more about [[ui_login|Login dialog]] and [[ui_login_advanced|Advanced Site Settings dialog]]. | Read more about [[ui_login|Login dialog]] and [[ui_login_advanced|Advanced Site Settings dialog]]. | ||