mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 09:12:24 +00:00

Demote SSH bypass-auth option; downplay in docs.

It's too esoteric to be the first thing on the Auth panel; I've never
heard of any SSH server that supports it in the decade since I
implemented it. The only Google hits are lost souls mistakenly believing
they need it for passwordless public-key login and the like.
Jacob Nevins 2016-03-25 13:10:00 +00:00
parent e74f19cb6f
commit 98e5eeedd1
2 changed files with 33 additions and 21 deletions


@ -2321,14 +2321,14 @@ void setup_config_box(struct controlbox *b, int midsession,
"Options controlling SSH authentication"); "Options controlling SSH authentication");
s = ctrl_getset(b, "Connection/SSH/Auth", "main", NULL); s = ctrl_getset(b, "Connection/SSH/Auth", "main", NULL);
ctrl_checkbox(s, "Bypass authentication entirely (SSH-2 only)", 'b',
HELPCTX(ssh_auth_bypass),
conf_checkbox_handler,
I(CONF_ssh_no_userauth));
ctrl_checkbox(s, "Display pre-authentication banner (SSH-2 only)", ctrl_checkbox(s, "Display pre-authentication banner (SSH-2 only)",
'd', HELPCTX(ssh_auth_banner), 'd', HELPCTX(ssh_auth_banner),
conf_checkbox_handler, conf_checkbox_handler,
I(CONF_ssh_show_banner)); I(CONF_ssh_show_banner));
ctrl_checkbox(s, "Bypass authentication entirely (SSH-2 only)", 'b',
HELPCTX(ssh_auth_bypass),
conf_checkbox_handler,
I(CONF_ssh_no_userauth));
s = ctrl_getset(b, "Connection/SSH/Auth", "methods", s = ctrl_getset(b, "Connection/SSH/Auth", "methods",
"Authentication methods"); "Authentication methods");

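Review bot: The relocated ctrl_checkbox call keeps the label "Bypass authentication entirely (SSH-2 only)" unchanged, so the confusion the commit message describes (users enabling it in the belief that it gives passwordless login) is addressed only in the documentation, not in the dialog itself. Consider rewording the label so that it says the server must support unauthenticated sessions, or leave a comment above the call explaining why the control sits last in the "main" set. The accelerator 'b' and HELPCTX(ssh_auth_bypass) are carried over as they were, so the move itself introduces no shortcut or help-context change.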

@ -2596,22 +2596,6 @@ recommended ciphers.
The Auth panel allows you to configure \i{authentication} options for The Auth panel allows you to configure \i{authentication} options for
SSH sessions. SSH sessions.
\S{config-ssh-noauth} \q{Bypass authentication entirely}
\cfg{winhelp-topic}{ssh.auth.bypass}
In SSH-2, it is possible to establish a connection without using SSH's
mechanisms to identify or authenticate oneself to the server. Some
servers may prefer to handle authentication in the data channel, for
instance, or may simply require no authentication whatsoever.
By default, PuTTY assumes the server requires authentication (most
do), and thus must provide a username. If you find you are getting
unwanted username prompts, you could try checking this option.
This option only affects SSH-2 connections. SSH-1 connections always
require an authentication step.
\S{config-ssh-banner} \q{Display pre-authentication banner} \S{config-ssh-banner} \q{Display pre-authentication banner}
\cfg{winhelp-topic}{ssh.auth.banner} \cfg{winhelp-topic}{ssh.auth.banner}
@ -2627,6 +2611,34 @@ prompting for a login name, due to the nature of the protocol design).
By unchecking this option, display of the banner can be suppressed By unchecking this option, display of the banner can be suppressed
entirely. entirely.
\S{config-ssh-noauth} \q{Bypass authentication entirely}
\cfg{winhelp-topic}{ssh.auth.bypass}
In SSH-2, it is in principle possible to establish a connection
without using SSH's mechanisms to identify or prove who you are
to the server. An SSH server could prefer to handle authentication
in the data channel, for instance, or simply require no user
authentication whatsoever.
By default, PuTTY assumes the server requires authentication (we've
never heard of one that doesn't), and thus must start this process
with a username. If you find you are getting username prompts that
you cannot answer, you could try enabling this option. However,
most SSH servers will reject this.
This is not the option you want if you have a username and just want
PuTTY to remember it; for that see \k{config-username}.
It's also probably not what if you're trying to set up passwordless
login to a mainstream SSH server; depending on the server, you
probably wanted public-key authentication (\k{pubkey})
or perhaps GSSAPI authentication (\k{config-ssh-auth-gssapi}).
(These are still forms of authentication, even if you don't have to
interact with them.)
This option only affects SSH-2 connections. SSH-1 connections always
require an authentication step.
\S{config-ssh-tryagent} \q{Attempt authentication using Pageant} \S{config-ssh-tryagent} \q{Attempt authentication using Pageant}
\cfg{winhelp-topic}{ssh.auth.pageant} \cfg{winhelp-topic}{ssh.auth.pageant}
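Review bot: The added paragraph starting "It's also probably not what if you're trying to set up passwordless login" is missing words and should read "It's also probably not what you want if you're trying ...". In the same sentence, "you probably wanted public-key authentication" switches to the past tense while the rest of the section uses the present; "you probably want" reads more consistently. The section keeps its \S{config-ssh-noauth} keyword and the ssh.auth.bypass help topic, so existing cross-references are unaffected by the move.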
@ -2748,7 +2760,7 @@ GSSAPI authentication. This is a mechanism which delegates the
authentication exchange to a library elsewhere on the client authentication exchange to a library elsewhere on the client
machine, which in principle can authenticate in many different ways machine, which in principle can authenticate in many different ways
but in practice is usually used with the \i{Kerberos} \i{single sign-on} but in practice is usually used with the \i{Kerberos} \i{single sign-on}
protocol. protocol to implement \i{passwordless login}.
GSSAPI is only available in the SSH-2 protocol. GSSAPI is only available in the SSH-2 protocol.
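Review bot: The index term \i{passwordless login} is introduced only here in the GSSAPI section, while the rewritten "Bypass authentication entirely" text in the previous hunk uses the same phrase ("set up passwordless login to a mainstream SSH server") without an index tag. Since that paragraph exists to redirect readers who look for passwordless login, tagging the phrase there as well would let an index lookup reach the warning and not only the GSSAPI description.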