GSSLibs and GSSCustom for all connections / all users on system


chanlists

Dear all,

thanks for providing this great piece of software. I read about the new GSSLibs and GSSCustom options here:

https://winscp.net/tracker/578

Now I have been banging my head against the wall trying to understand how I use these for a connection, or ideally set these as a default for all users of my system (I want all users to use a specific path to the GSSAPI library). Thanks for any insights,

Christian

martin
Site Admin

Re: GSSLibs and GSSCustom for all connections / all users on system

I assume you want this:

[HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\Default%20Settings]
"GSSLibs"="custom,gssapi32,sspi"
"GSSCustom"="..."

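The registry fragment above sets the GSSAPI library order for every session created afterwards in one user's profile. The two encodings a practitioner trips over are different: a .reg file doubles backslashes inside REG_SZ values, while the same path passed as -rawsettings on an open command line is percent-encoded (backslash as %5C, space as %20). The following is an added example, not WinSCP's own code, that emits both forms for the key, value names and Heimdal DLL path taken from this thread; the helper names, the "Windows Registry Editor Version 5.00" header and the placeholder user/host are this example's own.

```python
"""Emit the WinSCP GSSAPI settings in .reg form and in -rawsettings form.

Added example, not code from WinSCP. The registry key, the value names
GSSLibs / GSSCustom and the Heimdal DLL path come from the thread; the
function names and the placeholder user and host are assumptions.
"""
from urllib.parse import quote

# Per-user key holding the defaults that WinSCP applies to newly created sessions (from the thread).
DEFAULT_SETTINGS_KEY = (
    r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\Default%20Settings"
)


def reg_escape(value: str) -> str:
    """Escape a string for a REG_SZ value in a .reg file: backslash and double quote are doubled."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def rawsettings_encode(value: str) -> str:
    """Percent-encode a value for -rawsettings.

    The thread's log shows backslash as %5C and space as %20 while ':' and
    parentheses stay literal, which is what quote() with this safe set produces.
    """
    return quote(value, safe=":()")


def default_settings_reg(gss_custom_dll: str, gss_libs: str = "custom,gssapi32,sspi") -> str:
    """Return a .reg file that makes every new session try the libraries in gss_libs order,
    loading gss_custom_dll when 'custom' is reached."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{DEFAULT_SETTINGS_KEY}]",
        f'"GSSLibs"="{reg_escape(gss_libs)}"',
        f'"GSSCustom"="{reg_escape(gss_custom_dll)}"',
        "",
    ]
    return "\r\n".join(lines)


def open_command(user: str, host: str, hostkey: str, gss_custom_dll: str,
                 gss_libs: str = "custom") -> str:
    """Build an `open` script line for an ad-hoc site with the GSSAPI options as -rawsettings.

    TryAgent=0 disables Pageant, GSSAPIFwdTGT=1 enables credential delegation,
    matching the options the thread's script used.
    """
    raw = " ".join([
        "TryAgent=0",
        "GSSAPIFwdTGT=1",
        f'GSSLibs="{gss_libs}"',
        f'GSSCustom="{rawsettings_encode(gss_custom_dll)}"',
    ])
    return f'open sftp://{user}@{host}/ -hostkey="{hostkey}" -rawsettings {raw}'


if __name__ == "__main__":
    dll = r"C:\Program Files (x86)\Heimdal\bin\gssapi.dll"  # DLL path from the thread
    print(default_settings_reg(dll))
    # Placeholder user and host; the host key fingerprint is the one shown in the thread.
    print(open_command("user", "sftp.example.org",
                       "ssh-rsa 2048 8e:85:93:e0:19:61:7a:0c:05:4a:b4:58:54:05:06:58", dll))
```

Two things worth keeping in mind when rolling this out: the .reg fragment lands in HKEY_CURRENT_USER, so "all users" means importing it into each user's hive, and GSSCustom names a DLL that WinSCP will load into its own process, so it should point at a location only administrators can write to, as the Program Files path here does. GSSAPIFwdTGT=1 forwards the Kerberos TGT to the server, so set it only for hosts you trust with your credentials.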

Guest

Re: GSSLibs and GSSCustom for all connections / all users on system

martin wrote:

I assume you want this:

[HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\Default%20Settings]
"GssLibs"="custom,gssapi32,sspi "
"GSSCustom"="..."

Thanks for the quick feedback. I have:

[HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\Default%20Settings]
"GSSCustom"="C:\\Program Files\\Heimdal\\bin\\gssapi.dll"
"GssLibList"="custom"

I have kerberos tickets (using Heimdal kerberos), and I have checked

* Attempt GSSAPI authentication
* Allow GSSAPI credential delegation

I unchecked

* Attempt authentication using Pageant

How can I debug this further? From klist, I can see that no credentials are being acquired for the host/FQDN principal of the destination host... Thanks,

Christian

martin
Site Admin

Re: GSSLibs and GSSCustom for all connections / all users on system

Are you testing this with a new session created after you set the defaults? Or are you testing this with an old session created previously? The default settings apply to new sessions only.
Also, I understood that your problem was about distributing the settings. Now it seems that you were never able to connect.

chanlists

Thanks for your reply. Just to make sure, I added a new connection and exported it to a script, which looks like this:

open sftp://XXXXXX@XXXXXX/ -hostkey="ssh-rsa 2048 8e:85:93:e0:19:61:7a:0c:05:4a:b4:58:54:05:06:58" -rawsettings TryAgent=0 GSSAPIFwdTGT=1 GSSCustom="C:%5CProgram%20Files%20(x86)%5CHeimdal%5Cbin%5Cgssapi.dll"
exit

When running this from the command line, I get this in the log:
. 2017-11-23 14:51:30.014 --------------------------------------------------------------------------
. 2017-11-23 14:51:30.014 WinSCP Version 5.11.2 (Build 7781) (OS 6.1.7601 Service Pack 1 - Windows 7 Enterprise)
. 2017-11-23 14:51:30.014 Configuration: nul
. 2017-11-23 14:51:30.015 Log level: Normal
[...]
. 2017-11-23 14:51:30.015 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe"  /log="C:\Users\XXXXXX\Desktop\WinSCP.log" /ini=nul /script="C:\Users\XXXXXX\Desktop\winscp.txt"
. 2017-11-23 14:51:30.015 Time zone: Current: GMT+1, Standard: GMT+1 (W. Europe Standard Time), DST: GMT+2 (W. Europe Daylight Time), DST Start: 26.03.2017, DST End: 29.10.2017
. 2017-11-23 14:51:30.015 Login time: Donnerstag, 23. November 2017 14:51:30
. 2017-11-23 14:51:30.015 --------------------------------------------------------------------------
. 2017-11-23 14:51:30.015 Script: Retrospectively logging previous script records:
> 2017-11-23 14:51:30.015 Script: open sftp://XXXXXX@XXXXXX/ -hostkey="ssh-rsa 2048 8e:85:93:e0:19:61:7a:0c:05:4a:b4:58:54:05:06:58" -rawsettings TryAgent=0 GSSAPIFwdTGT=1 GSSCustom="C:%5CProgram%20Files%20(x86)%5CHeimdal%5Cbin%5Cgssapi.dll"
. 2017-11-23 14:51:30.015 --------------------------------------------------------------------------
. 2017-11-23 14:51:30.015 Session name: XXXXXX@XXXXXX (Ad-Hoc site)
. 2017-11-23 14:51:30.015 Host name: XXXXXX (Port: 22)
. 2017-11-23 14:51:30.015 User name: XXXXXX (Password: No, Key file: No, Passphrase: No)
. 2017-11-23 14:51:30.015 Tunnel: No
. 2017-11-23 14:51:30.015 Transfer Protocol: SFTP
. 2017-11-23 14:51:30.015 Ping type: Off, Ping interval: 30 sec; Timeout: 15 sec
. 2017-11-23 14:51:30.015 Disable Nagle: No
. 2017-11-23 14:51:30.015 Proxy: None
. 2017-11-23 14:51:30.015 Send buffer: 262144
. 2017-11-23 14:51:30.015 SSH protocol version: 2; Compression: No
. 2017-11-23 14:51:30.015 Bypass authentication: No
. 2017-11-23 14:51:30.015 Try agent: No; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2017-11-23 14:51:30.015 GSSAPI: Forwarding: Yes
. 2017-11-23 14:51:30.016 Ciphers: aes,chacha20,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2017-11-23 14:51:30.016 KEX: ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1
. 2017-11-23 14:51:30.016 SSH Bugs: Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto
. 2017-11-23 14:51:30.016 Simple channel: Yes
. 2017-11-23 14:51:30.016 Return code variable: Autodetect; Lookup user groups: Auto
. 2017-11-23 14:51:30.016 Shell: default
. 2017-11-23 14:51:30.016 EOL: LF, UTF: Auto
. 2017-11-23 14:51:30.016 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes; Follow directory symlinks: No
. 2017-11-23 14:51:30.016 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2017-11-23 14:51:30.016 SFTP Bugs: Auto,Auto
. 2017-11-23 14:51:30.016 SFTP Server: default
. 2017-11-23 14:51:30.016 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2017-11-23 14:51:30.016 Cache directory changes: Yes, Permanent: Yes
. 2017-11-23 14:51:30.016 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2017-11-23 14:51:30.016 DST mode: Unix
. 2017-11-23 14:51:30.016 --------------------------------------------------------------------------
. 2017-11-23 14:51:30.016 Looking up host "XXXXXX" for SSH connection
. 2017-11-23 14:51:30.026 Connecting to 130.75.103.223 port 22
. 2017-11-23 14:51:30.029 We claim version: SSH-2.0-WinSCP_release_5.11.2
. 2017-11-23 14:51:30.049 Server version: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u1
. 2017-11-23 14:51:30.049 Using SSH protocol version 2
. 2017-11-23 14:51:30.050 Have a known host key of type rsa2
. 2017-11-23 14:51:30.054 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2017-11-23 14:51:30.179 Server also has ssh-ed25519/ecdsa-sha2-nistp256 host keys, but we don't know any of them
. 2017-11-23 14:51:30.179 Host key fingerprint is:
. 2017-11-23 14:51:30.179 ssh-rsa 2048 8e:85:93:e0:19:61:7a:0c:05:4a:b4:58:54:05:06:58
. 2017-11-23 14:51:30.179 Verifying host key rsa2 0x23,0xa42a961ac636acff cc124e739131d082 7f2f37cd8585630f d352291543367e49 6480d8cd387d93bb feafdc0552373dc4 f77fdb12a095edf0 f64c19dc0303bcee fecce0d09b939c8d 5629efd996c2ed1a afef0ebe25817c20 e6230d31cd6cf97f a4664edc093842e5 fa77ddf4b5cdf21f eb3716147947dbf5 a51a894d56f205d4 feda8ea2185a211e 6287a3cf7487500f 665a4ca13824fab5 d90c285a25238b85 de8ff1356f658c2d e1531a0165ff1789 b298f0f1a4c7f5c2 7146d22a6dd1c4fe 2abd0f07a20c04d4 0ec3c9f0de22a59a 46a01d819fc38cf1 ce47060e3c25d6e1 6c78ddbc8dd41d80 0819f8a87befd4d4 5b4b265f6ac061fd 91e0c282e14d9c87  with fingerprint ssh-rsa 2048 8e:85:93:e0:19:61:7a:0c:05:4a:b4:58:54:05:06:58
. 2017-11-23 14:51:30.179 Host key matches configured key
. 2017-11-23 14:51:30.179 Initialised AES-256 SDCTR client->server encryption
. 2017-11-23 14:51:30.179 Initialised HMAC-SHA-256 client->server MAC algorithm
. 2017-11-23 14:51:30.179 Initialised AES-256 SDCTR server->client encryption
. 2017-11-23 14:51:30.179 Initialised HMAC-SHA-256 server->client MAC algorithm
! 2017-11-23 14:51:30.226 Using username "XXXXXX".
. 2017-11-23 14:51:30.232 Server offered these authentication methods: publickey,gssapi-keyex,gssapi-with-mic,password
. 2017-11-23 14:51:31.198 Using SSPI from SECUR32.DLL
. 2017-11-23 14:51:31.198 Attempting GSSAPI authentication
. 2017-11-23 14:51:31.204 GSSAPI authentication initialisation failed
. 2017-11-23 14:51:31.204 No credentials are available in the security package.
. 2017-11-23 14:51:31.204 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2017-11-23 14:51:31.205 Disconnected: Unable to authenticate

So it seems that it does not even try to load the custom gssapi.dll...

Thanks for your advice,

Christian

chanlists

OK, thanks for your reply. Still the same:

. 2017-11-27 09:30:52.755 --------------------------------------------------------------------------
. 2017-11-27 09:30:52.756 WinSCP Version 5.11.2 (Build 7781) (OS 6.1.7601 Service Pack 1 - Windows 7 Enterprise)
. 2017-11-27 09:30:52.756 Configuration: nul
. 2017-11-27 09:30:52.756 Log level: Normal
. 2017-11-27 09:30:52.756 Local account: QC-DL-01\XXXXXX
. 2017-11-27 09:30:52.756 Working directory: C:\Users\XXXXXX\Desktop
. 2017-11-27 09:30:52.756 Process ID: 7172
. 2017-11-27 09:30:52.756 Command-line: "\Program Files (x86)\WinSCP\WinSCP.exe"  /log="c:\Users\XXXXXX\Desktop\WinSCP.log" /ini=nul /script="c:\Users\XXXXXX\Desktop\winscp.txt"
. 2017-11-27 09:30:52.756 Time zone: Current: GMT+1, Standard: GMT+1 (W. Europe Standard Time), DST: GMT+2 (W. Europe Daylight Time), DST Start: 26.03.2017, DST End: 29.10.2017
. 2017-11-27 09:30:52.756 Login time: Montag, 27. November 2017 09:30:52
. 2017-11-27 09:30:52.756 --------------------------------------------------------------------------
. 2017-11-27 09:30:52.757 Script: Retrospectively logging previous script records:
> 2017-11-27 09:30:52.757 Script: open sftp://XXXXXX@XXXXXX/ -hostkey="ssh-rsa 2048 8e:85:93:e0:19:61:7a:0c:05:4a:b4:58:54:05:06:58" -rawsettings TryAgent=0 GSSAPIFwdTGT=1 GSSLibs="custom" GSSCustom="C:%5CProgram%20Files%20(x86)%5CHeimdal%5Cbin%5Cgssapi.dll" 
. 2017-11-27 09:30:52.757 --------------------------------------------------------------------------
. 2017-11-27 09:30:52.757 Session name: XXXXXX@XXXXXX (Ad-Hoc site)
. 2017-11-27 09:30:52.757 Host name: XXXXXX (Port: 22)
. 2017-11-27 09:30:52.757 User name: XXXXXX (Password: No, Key file: No, Passphrase: No)
. 2017-11-27 09:30:52.757 Tunnel: No
. 2017-11-27 09:30:52.757 Transfer Protocol: SFTP
. 2017-11-27 09:30:52.757 Ping type: Off, Ping interval: 30 sec; Timeout: 15 sec
. 2017-11-27 09:30:52.757 Disable Nagle: No
. 2017-11-27 09:30:52.757 Proxy: None
. 2017-11-27 09:30:52.757 Send buffer: 262144
. 2017-11-27 09:30:52.757 SSH protocol version: 2; Compression: No
. 2017-11-27 09:30:52.757 Bypass authentication: No
. 2017-11-27 09:30:52.757 Try agent: No; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2017-11-27 09:30:52.757 GSSAPI: Forwarding: Yes
. 2017-11-27 09:30:52.757 Ciphers: aes,chacha20,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2017-11-27 09:30:52.757 KEX: ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1
. 2017-11-27 09:30:52.757 SSH Bugs: Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto
. 2017-11-27 09:30:52.757 Simple channel: Yes
. 2017-11-27 09:30:52.757 Return code variable: Autodetect; Lookup user groups: Auto
. 2017-11-27 09:30:52.757 Shell: default
. 2017-11-27 09:30:52.757 EOL: LF, UTF: Auto
. 2017-11-27 09:30:52.757 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes; Follow directory symlinks: No
. 2017-11-27 09:30:52.757 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2017-11-27 09:30:52.757 SFTP Bugs: Auto,Auto
. 2017-11-27 09:30:52.757 SFTP Server: default
. 2017-11-27 09:30:52.757 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2017-11-27 09:30:52.757 Cache directory changes: Yes, Permanent: Yes
. 2017-11-27 09:30:52.757 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2017-11-27 09:30:52.757 DST mode: Unix
. 2017-11-27 09:30:52.757 --------------------------------------------------------------------------
. 2017-11-27 09:30:52.757 Looking up host "XXXXXX" for SSH connection
. 2017-11-27 09:30:52.761 Connecting to 130.75.103.223 port 22
. 2017-11-27 09:30:52.762 We claim version: SSH-2.0-WinSCP_release_5.11.2
. 2017-11-27 09:30:52.779 Server version: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u1
. 2017-11-27 09:30:52.779 Using SSH protocol version 2
. 2017-11-27 09:30:52.780 Have a known host key of type rsa2
. 2017-11-27 09:30:52.783 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2017-11-27 09:30:52.853 Server also has ssh-ed25519/ecdsa-sha2-nistp256 host keys, but we don't know any of them
. 2017-11-27 09:30:52.853 Host key fingerprint is:
. 2017-11-27 09:30:52.853 ssh-rsa 2048 8e:85:93:e0:19:61:7a:0c:05:4a:b4:58:54:05:06:58
. 2017-11-27 09:30:52.853 Verifying host key rsa2 0x23,0xa42a961ac636acff cc124e739131d082 7f2f37cd8585630f d352291543367e49 6480d8cd387d93bb feafdc0552373dc4 f77fdb12a095edf0 f64c19dc0303bcee fecce0d09b939c8d 5629efd996c2ed1a afef0ebe25817c20 e6230d31cd6cf97f a4664edc093842e5 fa77ddf4b5cdf21f eb3716147947dbf5 a51a894d56f205d4 feda8ea2185a211e 6287a3cf7487500f 665a4ca13824fab5 d90c285a25238b85 de8ff1356f658c2d e1531a0165ff1789 b298f0f1a4c7f5c2 7146d22a6dd1c4fe 2abd0f07a20c04d4 0ec3c9f0de22a59a 46a01d819fc38cf1 ce47060e3c25d6e1 6c78ddbc8dd41d80 0819f8a87befd4d4 5b4b265f6ac061fd 91e0c282e14d9c87  with fingerprint ssh-rsa 2048 8e:85:93:e0:19:61:7a:0c:05:4a:b4:58:54:05:06:58
. 2017-11-27 09:30:52.854 Host key matches configured key
. 2017-11-27 09:30:52.854 Initialised AES-256 SDCTR client->server encryption
. 2017-11-27 09:30:52.854 Initialised HMAC-SHA-256 client->server MAC algorithm
. 2017-11-27 09:30:52.854 Initialised AES-256 SDCTR server->client encryption
. 2017-11-27 09:30:52.854 Initialised HMAC-SHA-256 server->client MAC algorithm
! 2017-11-27 09:30:52.898 Using username "XXXXXX".
. 2017-11-27 09:30:52.899 Server offered these authentication methods: publickey,gssapi-keyex,gssapi-with-mic,password
. 2017-11-27 09:30:52.906 Using SSPI from SECUR32.DLL
. 2017-11-27 09:30:52.906 Attempting GSSAPI authentication
. 2017-11-27 09:30:52.914 GSSAPI authentication initialisation failed
. 2017-11-27 09:30:52.914 No credentials are available in the security package.
. 2017-11-27 09:30:52.914 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2017-11-27 09:30:52.915 Disconnected: Unable to authenticate

It does not seem to pick up the library... GSSAPI authentication works with Firefox and PuTTY on the same machine. Cheers,

Christian

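The diagnostic that settles the question in the two logs above is which library WinSCP reports after "Using ... from": both runs say SECUR32.DLL, i.e. Windows SSPI, never the Heimdal DLL, and the init failure that follows ("No credentials are available in the security package.") is SSPI's, not Heimdal's. The following is an added example, not part of this thread or of WinSCP, that runs that check over log lines: it parses the WinSCP log line format seen above and reports the server's offered methods, the GSS library named, and the failure reason. The sample lines are copied from the second log; the expectation that a custom library would also be reported with a "Using ... from <path>" line is an assumption of this example, as is the basename comparison.

```python
"""Triage a WinSCP session log for GSSAPI authentication problems.

Added example, not WinSCP code. The log line format and the sample lines
are taken from the thread; the function names and the assumption that a
custom library shows up as "Using <something> from <path>" are this
example's own.
"""
import ntpath
import re

# Constructed sample: lines copied from the thread's second log.
SAMPLE_LOG = """\
. 2017-11-27 09:30:52.899 Server offered these authentication methods: publickey,gssapi-keyex,gssapi-with-mic,password
. 2017-11-27 09:30:52.906 Using SSPI from SECUR32.DLL
. 2017-11-27 09:30:52.906 Attempting GSSAPI authentication
. 2017-11-27 09:30:52.914 GSSAPI authentication initialisation failed
. 2017-11-27 09:30:52.914 No credentials are available in the security package.
. 2017-11-27 09:30:52.914 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2017-11-27 09:30:52.915 Disconnected: Unable to authenticate
"""

# WinSCP log lines: a one-character kind marker, a timestamp, then the message.
LINE_RE = re.compile(
    r"^(?P<kind>[.!<>*])\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s(?P<msg>.*)$"
)


def parse_log(text):
    """Yield (kind, timestamp, message) for every line that matches the log format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("kind"), m.group("ts"), m.group("msg")


def gssapi_triage(text, expected_dll=None):
    """Summarise the GSSAPI part of a WinSCP log.

    Returns the authentication methods the server offered, the library WinSCP
    said it was using, whether GSSAPI initialisation failed and the reason
    line that followed, and (if expected_dll is given) whether the reported
    library's file name matches the DLL you configured as GSSCustom.
    """
    result = {
        "server_methods": [],
        "gss_library": None,
        "init_failed": False,
        "failure_reason": None,
        "uses_expected_dll": None,
    }
    msgs = [msg for _, _, msg in parse_log(text)]
    for i, msg in enumerate(msgs):
        if msg.startswith("Server offered these authentication methods: "):
            result["server_methods"] = msg.split(": ", 1)[1].split(",")
        elif msg.startswith("Using ") and " from " in msg:
            # "Using SSPI from SECUR32.DLL" in the thread; assumed to name the
            # custom DLL path in the same way when GSSLibs=custom takes effect.
            result["gss_library"] = msg.split(" from ", 1)[1]
        elif msg == "GSSAPI authentication initialisation failed":
            result["init_failed"] = True
            if i + 1 < len(msgs):
                result["failure_reason"] = msgs[i + 1]
    if expected_dll is not None and result["gss_library"] is not None:
        reported = ntpath.basename(result["gss_library"]).lower()
        result["uses_expected_dll"] = reported == ntpath.basename(expected_dll).lower()
    return result


if __name__ == "__main__":
    summary = gssapi_triage(SAMPLE_LOG, expected_dll=r"C:\Program Files (x86)\Heimdal\bin\gssapi.dll")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

If `uses_expected_dll` comes back False while `server_methods` contains gssapi-with-mic, the server side is fine and the problem is entirely in which library the client loaded, which is the situation both logs in this thread show.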