Differences
This shows you the differences between the selected revisions of the page.
2020-05-22 | 2020-12-01 | ||
grammar (martin) | 5.18 Bug 1863: GSSAPI key exchange authentication can be turned on. (martin) | ||
Line 32: | Line 32: | ||
If the first algorithm WinSCP finds is below the //warn below here// line, you will see a warning box when you make the connection, similar to that for [[ui_login_ssh#encryption_options|cipher selection]]. | If the first algorithm WinSCP finds is below the //warn below here// line, you will see a warning box when you make the connection, similar to that for [[ui_login_ssh#encryption_options|cipher selection]]. | ||
+ | |||
+ | ==== GSSAPI-based Key Exchange ==== | ||
+ | WinSCP supports a set of key exchange methods that also incorporates GSSAPI-based authentication. They are enabled with the //Attempt GSSAPI key exchange// checkbox. &beta_feature | ||
+ | |||
+ | WinSCP can only perform the GSSAPI-authenticated key exchange methods when using Kerberos V5, and not other GSSAPI mechanisms. If the user running WinSCP has current Kerberos V5 credentials, then WinSCP will select the GSSAPI key exchange methods in preference to any of the ordinary SSH key exchange methods configured in the preference list. | ||
+ | |||
+ | The advantage of doing GSSAPI authentication as part of the SSH key exchange is apparent when you are using [[ui_login_authentication#gssapi_delegation|credential delegation]]. The SSH key exchange can be repeated later in the session, and this allows your Kerberos V5 credentials (which are typically short-lived) to be automatically re-delegated to the server when they are refreshed on the client. (This feature is commonly referred to as "cascading credentials".) | ||
+ | |||
+ | If your server doesn't support GSSAPI key exchange, it may still support GSSAPI in the SSH user authentication phase. This will still let you log in using your Kerberos credentials, but will only allow you to delegate the credentials that are active at the beginning of the session; they can't be refreshed automatically later, in a long-running session. | ||
+ | |||
+ | Another effect of GSSAPI key exchange is that it replaces the usual [[ssh_verifying_the_host_key|SSH mechanism of permanent host keys]]. So if you use this method, then you won't be asked any interactive questions about whether to accept the server's host key. Instead, the Kerberos exchange will verify the identity of the host you connect to, at the same time as verifying your identity to it. | ||
===== [[reexchange]] Options Controlling Key Re-exchange ===== | ===== [[reexchange]] Options Controlling Key Re-exchange ===== |