Differences
This shows you the differences between the selected revisions of the page.
ui_login_authentication 2020-07-17 | ui_login_authentication 2024-09-20 (current) | ||
Line 11: | Line 11: | ||
===== [[bypassing]] Bypassing Authentication ===== | ===== [[bypassing]] Bypassing Authentication ===== | ||
- | In SSH-2, it is in principle possible to establish a connection without using SSH's mechanisms to identify or prove who you are to the server. Some servers may simply require no authentication whatsoever. | + | In SSH, it is in principle possible to establish a connection without using SSH's mechanisms to identify or prove who you are to the server. Some servers may simply require no authentication whatsoever. |
By default, WinSCP assumes the server requires authentication (we've never heard of one that doesn't), and thus must start this process with a username. If you find you are getting username prompts that you cannot answer, you could try enabling //Bypass authentication entirely//. However, most %%SSH%% servers will reject this. | By default, WinSCP assumes the server requires authentication (we've never heard of one that doesn't), and thus must start this process with a username. If you find you are getting username prompts that you cannot answer, you could try enabling //Bypass authentication entirely//. However, most %%SSH%% servers will reject this. | ||
This is not the option you want if you have a username and just want WinSCP to remember it; It's also probably not what if you're trying to set up passwordless | This is not the option you want if you have a username and just want WinSCP to remember it; It's also probably not what if you're trying to set up passwordless | ||
- | login to a mainstream %%SSH%% server; depending on the server, you probably wanted [[public_key|public-key authentication]] or perhaps [[#gssapi|GSSAPI authentication]]. (These are still forms of authentication, even if you don't have to interact with them.) | + | login to a mainstream %%SSH%% server; depending on the server, you probably wanted [[public_key|public-key authentication]] or perhaps [[#gssapi|GSSAPI authentication]]. (These are still forms of authentication, even if you don't have to interact with them.)((&puttydoccite)) |
- | + | ||
- | This option only affects %%SSH-2%% connections. SSH-1 connections always require an authentication step. ((&puttydoccite)) | + | |
===== Authentication Options ===== | ===== Authentication Options ===== | ||
Line 32: | Line 30: | ||
==== [[ki]] Attempt keyboard-interactive authentication ==== | ==== [[ki]] Attempt keyboard-interactive authentication ==== | ||
- | The SSH-2 equivalent of TIS authentication is called 'keyboard-interactive'. It is a flexible authentication method using an arbitrary sequence of [[ui_authenticate#keyboard_interactive|requests and responses]]; so it is not only useful for challenge/response mechanisms such as S/Key, but it can also be used for (for example) asking the user for a new password when the old one has expired. ((&puttydoccite)) | + | 'Keyboard-interactive' is a flexible authentication method using an arbitrary sequence of [[ui_authenticate#keyboard_interactive|requests and responses]]; so it is not only useful for challenge/response mechanisms such as S/Key, but it can also be used for (for example) asking the user for a new password when the old one has expired. ((&puttydoccite)) |
WinSCP leaves this option enabled by default, but supplies a switch to turn it off in case you should have trouble with it. If your server uses keyboard-interactive authentication to ask for your password only, and you wish to allow WinSCP to reply with password entered on [[ui_login|Login dialog]], tick //Respond with password to the first prompt//. | WinSCP leaves this option enabled by default, but supplies a switch to turn it off in case you should have trouble with it. If your server uses keyboard-interactive authentication to ask for your password only, and you wish to allow WinSCP to reply with password entered on [[ui_login|Login dialog]], tick //Respond with password to the first prompt//. | ||
- | |||
- | ==== Attempt TIS or CryptoCard authentication ==== | ||
- | |||
- | TIS and CryptoCard authentication are (despite their names) generic forms of simple challenge/response authentication available in SSH-1 only. You might use them if you were using S/Key one-time passwords, for example, or if you had a physical security token that generated responses to authentication challenges. They can even be used to prompt for simple passwords. | ||
- | |||
- | With this switch enabled, WinSCP will attempt these forms of authentication if the server is willing to try them. You will be [[ui_authenticate#keyboard_interactive|presented with a challenge string]] (which may be different every time) and must supply the correct response in order to log in. If your server supports this, you should talk to your system administrator about precisely what form these challenges and responses take. ((&puttydoccite)) | ||
- | |||
- | You must select %%SSH-1%% as a //[[ui_login_ssh|Preferred SSH protocol version]]// to enable this option. | ||
===== Authentication Parameters ===== | ===== Authentication Parameters ===== | ||
Line 60: | Line 50: | ||
The passphrase cannot be entered in advance in session settings and thus it cannot be saved to [[session_configuration#site|site]]. If you need to login to server automatically without prompt, generate a key without passphrase. Use this method carefully and only under special circumstances. | The passphrase cannot be entered in advance in session settings and thus it cannot be saved to [[session_configuration#site|site]]. If you need to login to server automatically without prompt, generate a key without passphrase. Use this method carefully and only under special circumstances. | ||
- | If you select a key file in a different format (OpenSSH or ssh.com), WinSCP will offer you to convert the key to PuTTY format. | + | If you select a key file in a different format (OpenSSH or ssh.com), WinSCP will offer you to ==convert== the key to PuTTY format. If certificate file with the same name((but ''-cert.pub'' or ''.pub-aadcert.pub'' //(latest beta only)// &beta suffixes.)) is found, it will be automatically added to the converted key file. |
=== [[private_key_tools]] Private Key Tools === | === [[private_key_tools]] Private Key Tools === | ||
Line 70: | Line 60: | ||
Use the command //Tools > Install Public Key into Server// to [[guide_public_key#configure_openssh|install a public key into OpenSSH server]]. You will be prompted to select key pair to install. You will need to authenticate to the server to install the key. You can authenticate using a password or using another key (select it in //Private key file// box). After installing succeeds, the new private key will be inserted into the //Private key file// box. | Use the command //Tools > Install Public Key into Server// to [[guide_public_key#configure_openssh|install a public key into OpenSSH server]]. You will be prompted to select key pair to install. You will need to authenticate to the server to install the key. You can authenticate using a password or using another key (select it in //Private key file// box). After installing succeeds, the new private key will be inserted into the //Private key file// box. | ||
+ | ==== [[certificate]] Certificate to use with the private key ==== | ||
+ | |||
+ | In some environments, user authentication keys can be signed in turn by a certifying authority (CA for short), and user accounts on an SSH server can be configured to automatically trust any key that's certified by the right signature. This is optional. If you don't know you need it, you can leave this blank. | ||
+ | |||
+ | This can be a convenient setup if you have a very large number of servers. When you change your key pair, you might otherwise have to [[guide_public_key#configure_openssh|edit the ''authorized_keys'' file]] (in case of OpenSSH) on every server individually, to make them all accept the new key. But if instead you configure all those servers once to accept keys signed as yours by a CA, then when you change your public key, all you have to do is to get the new key certified by the same CA as before, and then all your servers will automatically accept it without needing individual reconfiguration. | ||
+ | |||
+ | One way to use a certificate is to incorporate it into your private key file. You can [[ui_puttygen#certificate|do that using PuTTYgen]]. But another approach is to tell WinSCP itself where to find the public certificate file, and then it will automatically present that certificate when authenticating with the corresponding private key. | ||
+ | |||
+ | To do this, enter the pathname of the certificate file into the //Certificate to use with the private key// file selector. | ||
+ | |||
+ | When this setting is configured, WinSCP will honour it no matter whether the private key is found in a file, or loaded into Pageant.((&puttydoccite)) | ||
===== [[gssapi]] GSSAPI ===== | ===== [[gssapi]] GSSAPI ===== | ||
Line 75: | Line 76: | ||
==== Attempt GSSAPI authentication ==== | ==== Attempt GSSAPI authentication ==== | ||
- | The switch controls the use of GSSAPI authentication. This is a mechanism which delegates the authentication exchange to a library elsewhere on the client machine, which in principle can authenticate in many different ways but in practice is usually used with the Kerberos single sign-on protocol to implement passwordless login. | + | The GSSAPI authentication is a mechanism which delegates the authentication exchange to a library elsewhere on the client machine, which in principle can authenticate in many different ways but in practice is usually used with the Kerberos single sign-on protocol to implement passwordless login. |
+ | |||
+ | WinSCP supports two forms of GSSAPI-based authentication. In one of them, the SSH key exchange happens in the normal way, and GSSAPI is only involved in authenticating the user. The checkbox labelled //Attempt GSSAPI authentication// controls this form. | ||
+ | |||
+ | In the other method, GSSAPI-based authentication is combined with the SSH key exchange phase. If this succeeds, then the SSH authentication step has nothing left to do. See the [[ui_login_kex#gssapi|//Attempt GSSAPI key exchange// checkbox]] on the //Key exchange// page. | ||
- | %%GSSAPI%% authentication is only available in the SSH-2 protocol. | + | If one or both of these controls is enabled, then GSSAPI authentication will be attempted in one form or the other, and (typically) if your client machine has valid Kerberos credentials loaded, then WinSCP should be able to authenticate automatically to servers that support Kerberos logins. |
- | If the option is disabled, %%GSSAPI%% will not be attempted at all and the rest of this panel is unused. If it is enabled, %%GSSAPI%% authentication will be attempted, and (typically) if your client machine has valid Kerberos credentials loaded, then WinSCP should be able to authenticate automatically to servers that support Kerberos login. | + | If both of those checkboxes are disabled, WinSCP will not try any form of GSSAPI at all, and the rest of the //GSSAPI// box is unused. |
==== [[gssapi_delegation]] Allow GSSAPI credential delegation ==== | ==== [[gssapi_delegation]] Allow GSSAPI credential delegation ==== |