SSPI support

Advertisement

blakeduffey
Joined:
Posts:
14
Location:
Virginia, USA

SSPI support

I am running WinSCP 4.2.1 on Windows 2008 x64 Datacenter Edition. I guess my question is - does the SSPI support (the native Windows support for Kerberos) work with WinSCP? The reason I ask it that way - when I launch WinSCP and enter the hostname (and tell it to auth via SSP) - I never see a ticket request via my network capture. I have a version of putty which supports this, as well as firefox (using native SSPI).

I'm not seeing any ticket request. There is no kerberos traffic at all.

Thoughts?

Thanks
Blake

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,532
Location:
Prague, Czechia

Re: SSPI support

WinSCP uses the same SSPI implementation as PuTTY. Unless you use different version of PuTTY. So what version of PuTTY do you use?

Reply with quote

blakeduffey
Joined:
Posts:
14
Location:
Virginia, USA

I'll be happy to try - but I'm not sure what that will prove. WinSCP sends no kerberos traffic on my Windows 2008 server.

I will report back.

Blake

Reply with quote

Advertisement

blakeduffey
Joined:
Posts:
14
Location:
Virginia, USA

I'm seeing the same basic functionality. When I launch PuTTY I see no Kerberos traffic at all. I am assuming it is looking for the credential cache and, not finding it, gives up on kerberos?

Is PuTTY using the 'native' SSPI functionality provided by Windows? Kerberos support for Windows 2008 is MUCH better than previous versions - and I see no need to run something like MIT Kerberos for Windows if I don't need to. We have a trust between my AD domain and our MIT realm - and I can 'seamlessly' us the Quest version, which seems to truly support native SSPI, to connect to resources in our MIT realm, without the need for 'workarounds' like Kerberos for Windows.

If I read the link on this page correctly:

https://www.chiark.greenend.org.uk/~sgtatham/putty/links.html

The 'official' version of PuTTY doesn't support SSPI...

Please see:

<invalid hyperlink removed by admin>

Thoughts?

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,532
Location:
Prague, Czechia

blakeduffey wrote:

Is PuTTY using the 'native' SSPI functionality provided by Windows?
It does.

If I read the link on this page correctly:

https://www.chiark.greenend.org.uk/~sgtatham/putty/links.html

The 'official' version of PuTTY doesn't support SSPI...
The official does not. Only the development version does (the once I've sent you link to).

Please see:

<invalid hyperlink removed by admin>
WinSCP used to use this implementation of Kerberos/SSPI in past. In 4.2 we switched to official PuTTY implementation, once they have it.

Reply with quote

blakeduffey
Joined:
Posts:
14
Location:
Virginia, USA

I'm sorry, I'll try that direct link again.

Also - I'm not sure I understand your final post. Are you waiting for the official version of PuTTY to include this functionality in WinSCP? I have WinSCP 421. This would be a wonderful addition.

Thanks
Blake

Reply with quote

martin
Site Admin
martin avatar

[quote="blakeduffey"]Also - I'm not sure I understand your final post. Are you waiting for the official version of PuTTY to include this functionality in WinSCP?[/qoute]
No the functionality is already included since 4.2 beta.

Reply with quote

Advertisement

blakeduffey
Joined:
Posts:
14
Location:
Virginia, USA

I'm able to get PuTTY to use SSPI

When I try WinSCP 4.22, I get this in the log:

. 2009-07-22 09:56:08.112 GSSAPI authentication request refused
! 2009-07-22 09:56:08.112 Access denied
. 2009-07-22 09:56:08.112 Access denied

Reply with quote

blakeduffey
Joined:
Posts:
14
Location:
Virginia, USA

I wanted to report back my findings...

I am using the version of PuTTY you suggested. https://tartarus.org/~simon/putty-snapshots/w32/putty.exe

If I create a session using this version, it won't work using native SSPI. But if I used this binary using a session that was created using the Quest version, it DID work. So I did a diff on the registry keys and found that:

UserNameFromEnvironment must be set to 1.

If that is configurable via the gui I cannot find it.

Anyways...

So now I can use the 'official' development version of PuTTY and it works (if I change that key for the session).

WinSCP does NOT connect.

Thoughts?

Blake

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,532
Location:
Prague, Czechia

blakeduffey wrote:

So I did a diff on the registry keys and found that:

UserNameFromEnvironment must be set to 1.
So if you set this option, does PuTTY work with SSPI on its own? Or do you still need to start the session using Quest PuTTY? Btw, all the option does is that it fills the username (Connection > Data > Auto-login username) with your Windows username.

If that is configurable via the gui I cannot find it.
Connection > Data > When username is not specified > Use system username

WinSCP does NOT connect.
So just try to enter your Windows username into username field in WinSCP.

Reply with quote

Advertisement

blakeduffey
Joined:
Posts:
14
Location:
Virginia, USA

I have removed the Quest PuTTY. I have created the session using the 'offical development' version of PuTTY (2009-07-20:r8607) and manually modifed that key and it works - I simply launch the session and it connects - I enter nothing.

I'll try that option in the gui and see if I can create the session that way.

In this instance the Windows user name is the same as the kerberos principal name in the trusted domain (I set things up that way on purpose). I'll certainly try entering the user name - but if kerberos is working properly I wouldn't think I'd need to.

Thanks, as always, for your insight.

Blake

Reply with quote

blakeduffey

Yes, that did work (Connection -> Data -> Use System username)

I launch that session and it connects/authenticates hands free. I am hoping to get WinSCP to do the same.

Reply with quote

blakeduffey

When I save the username as part of the WinSCP session, it does work using native SSPI. I launch the session and it connects without any additional typing. I suppose PuTTY is just getting the user name from Windows.

Reply with quote

Advertisement

Anon
Guest

A useful addition but could implemented under request150/392

I like this feature and would also use it, but isn't this going to be possible once the features requested in tracker 150&392 are implemented?

Merely set the "user name" to %USERNAME% once WinSCP gets the ability to use Windows variables in it's sessions. This would save you having to mess around with changing your UI and users having yet another option to set somewhere to get this feature.

Reply with quote

blakeduffey
Joined:
Posts:
14
Location:
Virginia, USA

Should version 4.2.5 work with MIT Kerberos for Windows?

My previous question was using native kerberos in Windows 2008. My current situation includes KfW.

EDIT: I'm pretty sure the answer is NO - when PuTTY went to SSPI, this app did too (post 4.0.7)

Being able to use either would be nice... But I'm not sure it is realistic...

Reply with quote

Advertisement

martin
Site Admin
martin avatar

Actually I'm not really sure. I never tried either. I've just reused PuTTY's implementation once they've included Kerberos support. I suppose the two are not compatible.

Reply with quote

a178235
Joined:
Posts:
3

Has support for auto detection of current username been completed? I am using version 4.2.7 and if I leave the username field blank or enter %USERNAME%, I still must enter a password. If I enter my username then GSSAPI authentication works.

Reply with quote

Advertisement

You can post new topics in this forum