mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-03-22 06:38:37 -05:00
Tweak docs for GSSAPI key exchange.
This commit is contained in:
Jacob Nevins
parent
9ee6a220e0
commit
7d0ade7eac
@ -1961,7 +1961,7 @@ implementing \i{single sign-on}, a more sensible default may be to use
|
|||||||
the name of the user logged in to the local operating system (if any);
|
the name of the user logged in to the local operating system (if any);
|
||||||
this is particularly likely to be useful with \i{GSSAPI} key exchange
|
this is particularly likely to be useful with \i{GSSAPI} key exchange
|
||||||
and user authentication (see \k{config-ssh-auth-gssapi} and
|
and user authentication (see \k{config-ssh-auth-gssapi} and
|
||||||
\k{config-ssh-kex}). This control allows you to change the default
|
\k{config-ssh-gssapi-kex}). This control allows you to change the default
|
||||||
behaviour.
|
behaviour.
|
||||||
|
|
||||||
The current system username is displayed in the dialog as a
|
The current system username is displayed in the dialog as a
|
||||||
@ -2579,6 +2579,8 @@ well-known groups, if possible.
|
|||||||
effort on the part of the client, and somewhat less on the part of
|
effort on the part of the client, and somewhat less on the part of
|
||||||
the server, than Diffie-Hellman key exchange.
|
the server, than Diffie-Hellman key exchange.
|
||||||
|
|
||||||
|
\b \q{GSSAPI key exchange}: see \k{config-ssh-gssapi-kex}.
|
||||||
|
|
||||||
If the first algorithm PuTTY finds is below the \q{warn below here}
|
If the first algorithm PuTTY finds is below the \q{warn below here}
|
||||||
line, you will see a warning box when you make the connection, similar
|
line, you will see a warning box when you make the connection, similar
|
||||||
to that for cipher selection (see \k{config-ssh-encryption}).
|
to that for cipher selection (see \k{config-ssh-encryption}).
|
||||||
@ -2586,23 +2588,23 @@ to that for cipher selection (see \k{config-ssh-encryption}).
|
|||||||
\S2{config-ssh-gssapi-kex} GSSAPI-based key exchange
|
\S2{config-ssh-gssapi-kex} GSSAPI-based key exchange
|
||||||
|
|
||||||
PuTTY supports a set of key exchange methods that also incorporates
|
PuTTY supports a set of key exchange methods that also incorporates
|
||||||
GSSAPI-based authentication.
|
GSSAPI-based authentication. They are enabled with the
|
||||||
|
\q{Attempt GSSAPI key exchange} checkbox (which also appears on the
|
||||||
|
\q{GSSAPI} panel).
|
||||||
|
|
||||||
PuTTY can only perform the GSSAPI-authenticated key exchange methods
|
PuTTY can only perform the GSSAPI-authenticated key exchange methods
|
||||||
when using Kerberos V5, and not other GSSAPI mechanisms. PuTTY will
|
when using Kerberos V5, and not other GSSAPI mechanisms. If the user
|
||||||
attempt to select these methods if it is configured to use GSSAPI
|
running PuTTY has current Kerberos V5 credentials, then PuTTY will
|
||||||
authentication (\k{config-ssh-auth-gssapi}), and if the user running
|
select the GSSAPI key exchange methods in preference to any of the
|
||||||
it has current Kerberos V5 credentials. If both of those are true,
|
ordinary SSH key exchange methods configured in the preference list.
|
||||||
then PuTTY will select the GSSAPI key exchange methods in preference
|
|
||||||
to any of the ordinary SSH key exchange methods configured in the
|
|
||||||
preference list.
|
|
||||||
|
|
||||||
The advantage of doing GSSAPI authentication as part of the SSH key
|
The advantage of doing GSSAPI authentication as part of the SSH key
|
||||||
exchange is that the SSH key exchange can be repeated later in the
|
exchange is apparent when you are using credential delegation (see
|
||||||
session, and this allows your Kerberos V5 credentials (which are
|
\k{config-ssh-auth-gssapi-delegation}). The SSH key exchange can be
|
||||||
typically short-lived) to be automatically re-delegated to the server
|
repeated later in the session, and this allows your Kerberos V5
|
||||||
when they are refreshed on the client. (This feature is commonly
|
credentials (which are typically short-lived) to be automatically
|
||||||
referred to as \q{cascading credentials}.)
|
re-delegated to the server when they are refreshed on the client.
|
||||||
|
(This feature is commonly referred to as \q{\i{cascading credentials}}.)
|
||||||
|
|
||||||
If your server doesn't support GSSAPI key exchange, it may still
|
If your server doesn't support GSSAPI key exchange, it may still
|
||||||
support GSSAPI in the SSH user authentication phase. This will still
|
support GSSAPI in the SSH user authentication phase. This will still
|
||||||
@ -2612,11 +2614,11 @@ the session; they can't be refreshed automatically later, in a
|
|||||||
long-running session.
|
long-running session.
|
||||||
|
|
||||||
Another effect of GSSAPI key exchange is that it replaces the usual
|
Another effect of GSSAPI key exchange is that it replaces the usual
|
||||||
SSH mechanism of permanent host keys. So if you use this method, then
|
SSH mechanism of permanent host keys described in \k{gs-hostkey}.
|
||||||
you won't be asked any interactive questions about whether to accept
|
So if you use this method, then you won't be asked any interactive
|
||||||
the server's host key. Instead, the Kerberos exchange will verify the
|
questions about whether to accept the server's host key. Instead, the
|
||||||
identity of the host you connect to, at the same time as verifying
|
Kerberos exchange will verify the identity of the host you connect to,
|
||||||
your identity to it.
|
at the same time as verifying your identity to it.
|
||||||
|
|
||||||
\S{config-ssh-kex-rekey} \ii{Repeat key exchange}
|
\S{config-ssh-kex-rekey} \ii{Repeat key exchange}
|
||||||
|
|
||||||
@ -2660,7 +2662,7 @@ purposes, rekeys have much the same properties as keepalives.
|
|||||||
should bear that in mind when deciding whether to turn them off.)
|
should bear that in mind when deciding whether to turn them off.)
|
||||||
Note, however, the the SSH \e{server} can still initiate rekeys.
|
Note, however, the the SSH \e{server} can still initiate rekeys.
|
||||||
|
|
||||||
\b \q{Minutes between GSSAPI cache checks}, if you're using GSSAPI key
|
\b \q{Minutes between GSSAPI checks}, if you're using GSSAPI key
|
||||||
exchange, specifies how often the GSSAPI credential cache is checked
|
exchange, specifies how often the GSSAPI credential cache is checked
|
||||||
to see whether new tickets are available for delegation, or current
|
to see whether new tickets are available for delegation, or current
|
||||||
ones are near expiration. If forwarding of GSSAPI credentials is
|
ones are near expiration. If forwarding of GSSAPI credentials is
|
||||||
@ -3032,7 +3034,8 @@ In the other method, GSSAPI-based authentication is combined with the
|
|||||||
SSH key exchange phase. If this succeeds, then the SSH authentication
|
SSH key exchange phase. If this succeeds, then the SSH authentication
|
||||||
step has nothing left to do. See \k{config-ssh-gssapi-kex} for more
|
step has nothing left to do. See \k{config-ssh-gssapi-kex} for more
|
||||||
information about this method. The checkbox labelled \q{Attempt GSSAPI
|
information about this method. The checkbox labelled \q{Attempt GSSAPI
|
||||||
key exchange} controls this form.
|
key exchange} controls this form. (The same checkbox appears on the
|
||||||
|
\q{Kex} panel.)
|
||||||
|
|
||||||
If one or both of these controls is enabled, then GSSAPI
|
If one or both of these controls is enabled, then GSSAPI
|
||||||
authentication will be attempted in one form or the other, and
|
authentication will be attempted in one form or the other, and
|
||||||
@ -3069,6 +3072,10 @@ administrator of one server is likely to already have access to the
|
|||||||
other services too; so this would typically be less of a risk than
|
other services too; so this would typically be less of a risk than
|
||||||
SSH agent forwarding.
|
SSH agent forwarding.
|
||||||
|
|
||||||
|
If your connection is not using GSSAPI key exchange, it is possible
|
||||||
|
for the delegation to expire during your session. See
|
||||||
|
\k{config-ssh-gssapi-kex} for more information.
|
||||||
|
|
||||||
\S{config-ssh-auth-gssapi-libraries} Preference order for GSSAPI
|
\S{config-ssh-auth-gssapi-libraries} Preference order for GSSAPI
|
||||||
libraries
|
libraries
|
||||||
|
|
||||||
@ -3080,7 +3087,7 @@ than one authentication library may exist on your system which can
|
|||||||
be accessed using GSSAPI.
|
be accessed using GSSAPI.
|
||||||
|
|
||||||
PuTTY contains native support for a few well-known such libraries
|
PuTTY contains native support for a few well-known such libraries
|
||||||
(including Windows' SSPI), and will look for all of them on your system
|
(including Windows' \i{SSPI}), and will look for all of them on your system
|
||||||
and use whichever it finds. If more than one exists on your system and
|
and use whichever it finds. If more than one exists on your system and
|
||||||
you need to use a specific one, you can adjust the order in which it
|
you need to use a specific one, you can adjust the order in which it
|
||||||
will search using this preference list control.
|
will search using this preference list control.
|
||||||
|
|||||||
@ -874,6 +874,9 @@ saved sessions from
|
|||||||
\IM{GSSAPI credential delegation} credential delegation, GSSAPI
|
\IM{GSSAPI credential delegation} credential delegation, GSSAPI
|
||||||
\IM{GSSAPI credential delegation} delegation, of GSSAPI credentials
|
\IM{GSSAPI credential delegation} delegation, of GSSAPI credentials
|
||||||
|
|
||||||
|
\IM{cascading credentials} cascading credentials
|
||||||
|
\IM{cascading credentials} credentials, cascading
|
||||||
|
|
||||||
\IM{SYSTEM32} \cw{SYSTEM32} directory, on Windows
|
\IM{SYSTEM32} \cw{SYSTEM32} directory, on Windows
|
||||||
|
|
||||||
\IM{32-bit Windows} 32-bit Windows
|
\IM{32-bit Windows} 32-bit Windows
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user