This is an old revision of the document!

Documentation » Configuration » Login Dialog » Advanced » SSH »

Authentication Tab (Login Dialog)

Authentication tab allows you to configure authentication options of SSH protocol.

Advertisement

You need to check Advanced options to reveal the tab. The tab is not available for FTP protocol.

Bypassing Authentication

In SSH-2, it is possible to establish a connection without using SSH’s mechanisms to identify or authenticate oneself to the server. Some servers may prefer to handle authentication in the data channel, for instance, or may simply require no authentication whatsoever.

By default, WinSCP assumes the server requires authentication (most do), and thus must provide a username. If you find you are getting unwanted username prompts, you could try checking Bypass authentication entirely.

This option only affects SSH-2 connections. SSH-1 connections always require an authentication step.1

Attempt Authentication Using Pageant

If this option is enabled, then WinSCP will look for Pageant and attempt to authenticate with any suitable public keys Pageant currently holds.

This behaviour is almost always desirable, and is therefore enabled by default. In rare cases you might need to turn it off in order to force authentication by some non-public-key method such as passwords.1

Advertisement

Learn how to use the Pageant (PuTTY’s SSH authentication agent) application for public key authentication.

Attempt TIS or CryptoCard authentication

TIS and CryptoCard authentication are (despite their names) generic forms of simple challenge/response authentication available in SSH-1 only. You might use them if you were using S/Key one-time passwords, for example, or if you had a physical security token that generated responses to authentication challenges. They can even be used to prompt for simple passwords.

With this switch enabled, WinSCP will attempt these forms of authentication if the server is willing to try them. You will be presented with a challenge string (which may be different every time) and must supply the correct response in order to log in. If your server supports this, you should talk to your system administrator about precisely what form these challenges and responses take.1

Attempt keyboard-interactive authentication

The SSH-2 equivalent of TIS authentication is called ‘keyboard-interactive’. It is a flexible authentication method using an arbitrary sequence of requests and responses; so it is not only useful for challenge/response mechanisms such as S/Key, but it can also be used for (for example) asking the user for a new password when the old one has expired.1

WinSCP leaves this option enabled by default, but supplies a switch to turn it off in case you should have trouble with it. If your server uses keyboard-interactive authentication to ask for your password only, and you wish to allow WinSCP to reply with password entered on Session tab, tick Respond with password to the first prompt.

Allow agent forwarding

This option allows the SSH server to open forwarded connections back to your local copy of Pageant. If you are not running Pageant, this option will do nothing. Learn more about agent forwarding.

Attempt GSSAPI/SSPI authentication

The switch tells WinSCP to attempt GSSAPI or SSPI authentication.

The GSSAPI is a generic API for doing client-server authentication. The motivation behind it is that every security system has its own API, and the effort involved with adding different security systems to applications is extremely difficult with the variance between security APIs. However, with a common API, application vendors could use the generic API and it could work with any number of security platforms (Kerberos, Entrust, …).

The SSPI is Microsoft specific (non-standard) implementation of GSSAPI.

When you want to use integration with PuTTY, you may find Kerberos-enabled version of PuTTY useful. Such as Quest PuTTY.1

  1. The text is copy of PuTTY User Manual or was inspired by it.Back

Last modified: by martin