Christopher

Re: Kerberos Ticket forwarding

Hi,

Just checked the new beta 4.0. Kerberos ticket forwarding works just as it should! Thanks a lot!

Regards,

Christopher

martin

Re: Kerberos Ticket forwarding

The next version of WinSCP will support ticket forwarding.

Christopher

Re: Kerberos Ticket forwarding

The interesting part is in ssh.c:

```c
int deleg_flag = 0;

if (deleg_creds) {
        deleg_flag = GSS_C_DELEG_FLAG;
        logevent("GSSAPI: delegating credentials");
}

ctx->major = gss_init_sec_context(&ctx->minor,
    GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
    GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
    0, NULL, recv_tok, NULL, send_tok, flags, NULL);
```

If deleg_creds is set, credentials should be forwarded. This variable is mapped to ssh->cfg.gssapi_fwd_tgt. But: gssapi_fwd_tgt is not mentioned anywhere else in the source. So it seems to me that there is simply no connection between the GUI check box and this variable.

To check if this really is the missing piece, could you just build a test version with deleg_creds hard set to 1? I don't have any Borland compiler around...

Thanks,
Christopher
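
Added example, not part of the thread and not WinSCP or PuTTY source: the wiring the post above finds missing, with the delegation request derived from the user's setting and the flags returned by `gss_init_sec_context` checked against it, since delegation hands the server a usable TGT. The `ex_` names and `struct ex_config` are hypothetical; the flag values are those defined in RFC 2744, declared locally so the block builds without GSSAPI headers.

```c
#include <stdio.h>

/* Context flag values from RFC 2744 (GSS-API C bindings), under example-only names. */
enum {
    EX_DELEG_FLAG  = 1,   /* GSS_C_DELEG_FLAG  */
    EX_MUTUAL_FLAG = 2,   /* GSS_C_MUTUAL_FLAG */
    EX_INTEG_FLAG  = 32   /* GSS_C_INTEG_FLAG  */
};

/* Hypothetical stand-in for the session setting behind the GUI check box. */
struct ex_config { int gssapi_fwd_tgt; };

enum ex_deleg_status {
    EX_DELEG_OFF,          /* not requested, not granted */
    EX_DELEG_GRANTED,      /* requested and granted: the TGT was forwarded */
    EX_DELEG_REFUSED,      /* requested, but the mechanism did not delegate */
    EX_DELEG_UNREQUESTED   /* reported without being requested: treat as an error */
};

/* Build req_flags: delegation is requested only when the user opted in. */
unsigned ex_request_flags(const struct ex_config *cfg)
{
    unsigned flags = EX_MUTUAL_FLAG | EX_INTEG_FLAG;
    if (cfg->gssapi_fwd_tgt)
        flags |= EX_DELEG_FLAG;
    return flags;
}

/* Compare the setting with the ret_flags reported once the context is established. */
enum ex_deleg_status ex_check_delegation(const struct ex_config *cfg,
                                         unsigned ret_flags)
{
    int granted = (ret_flags & EX_DELEG_FLAG) != 0;
    if (cfg->gssapi_fwd_tgt)
        return granted ? EX_DELEG_GRANTED : EX_DELEG_REFUSED;
    return granted ? EX_DELEG_UNREQUESTED : EX_DELEG_OFF;
}

int main(void)
{
    struct ex_config on = {1}, off = {0};
    printf("req_flags: on=0x%x off=0x%x\n",
           ex_request_flags(&on), ex_request_flags(&off));
    /* Constructed ret_flags: the server context came up without delegation. */
    printf("status=%d\n",
           ex_check_delegation(&on, EX_MUTUAL_FLAG | EX_INTEG_FLAG));
    return 0;
}
```
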
martin

Re: Kerberos Ticket forwarding

I'll check it.

Christopher

Re: Kerberos Ticket forwarding

Hi,

Just to mention: at the bottom of
<invalid hyperlink removed by admin>
I found the patch to PuTTY which adds GSSAPI support with ticket forwarding. Maybe that helps.

Thanks,
Christopher

Christopher

Kerberos Ticket forwarding

Hi,

Kerberos authentication works really well, thanks a lot. But there is one small feature that is lacking: ticket forwarding. We use Kerberos at our university for nearly everything, even for the network filesystem (AFS, Andrew Filesystem). Without the ticket (TGT) there is no access to the home directory.

Would it be possible to add this small feature? Maybe as a configuration option (forward TGT to remote site)?

Thank you for this excellent program,

Christopher