Differences

This shows you the differences between the selected revisions of the page.

2020-07-17 2020-12-01
Restored revision 1590141923. Undoing revision 1594958578. (martin) (hidden) 5.18 Bug 1863: GSSAPI key exchange authentication can be turned on. (martin)
Line 75: Line 75:
==== Attempt GSSAPI authentication ==== ==== Attempt GSSAPI authentication ====
-The switch controls the use of GSSAPI authentication. This is a mechanism which delegates the authentication exchange to a library elsewhere on the client machine, which in principle can authenticate in many different ways but in practice is usually used with the Kerberos single sign-on protocol to implement passwordless login.+The GSSAPI authentication is a mechanism which delegates the authentication exchange to a library elsewhere on the client machine, which in principle can authenticate in many different ways but in practice is usually used with the Kerberos single sign-on protocol to implement passwordless login.
%%GSSAPI%% authentication is only available in the SSH-2 protocol. %%GSSAPI%% authentication is only available in the SSH-2 protocol.
-If the option is disabled, %%GSSAPI%% will not be attempted at all and the rest of this panel is unused. If it is enabled, %%GSSAPI%% authentication will be attempted, and (typically) if your client machine has valid Kerberos credentials loaded, then WinSCP should be able to authenticate automatically to servers that support Kerberos login.+WinSCP supports two forms of GSSAPI-based authentication. In one of them, the SSH key exchange happens in the normal way, and GSSAPI is only involved in authenticating the user. The checkbox labelled //Attempt GSSAPI authentication// controls this form.  
 + 
 +In the other method, GSSAPI-based authentication is combined with the SSH key exchange phase. If this succeeds, then the SSH authentication step has nothing left to do. See the [[ui_login_kex#gssapi|//Attempt GSSAPI key exchange// checkbox]] on the //Key exchange// page. 
 + 
 +If one or both of these controls is enabled, then GSSAPI authentication will be attempted in one form or the other, and (typically) if your client machine has valid Kerberos credentials loaded, then WinSCP should be able to authenticate automatically to servers that support Kerberos logins.  
 + 
 +If both of those checkboxes are disabled, WinSCP will not try any form of GSSAPI at all, and the rest of the //GSSAPI// box is unused.
==== [[gssapi_delegation]] Allow GSSAPI credential delegation ==== ==== [[gssapi_delegation]] Allow GSSAPI credential delegation ====

Last modified: by martin