Re: PuTTY version 0.61 is released

From Owen Dunn <owend@chiark.greenend.org.uk>
Newsgroups comp.security.ssh
Subject Re: PuTTY version 0.61 is released
Date 2011-07-13 10:38 +0100
Message-ID <83pqlewmf6.fsf@chiark.greenend.org.uk>
References <93h*+LYHt@news.chiark.greenend.org.uk> <m2liw2n7y0.fsf@darwin.oankali.net>


Richard E. Silverman <res@qoxp.net> writes:

> Simon Tatham <anakin@pobox.com> writes:
>
>>  - Support for SSH-2 authentication using GSSAPI, on both Windows and
>>    Unix. Users in a Kerberos realm should now be able to use their
>>    existing Kerberos single sign-on in their PuTTY SSH connections.
>
> Does this include the GSSAPI key exchange, or only userauth?

Just userauth.

> Does it work only with SSPI, or can it also use a GSSAPI library if
> present (e.g. MIT Kerberos), as e.g. Firefox can do?

On Windows it can work with both SSPI and a GSSAPI implementation.
The GSSAPI panel lets you choose which library you want to use.

http://the.earth.li/~sgtatham/putty/0.61/htmldoc/Chapter4.html#config-ssh-auth-gssapi

>>    (While this has been successfully deployed in several realms, some
>>    small gaps are known to exist in this functionality, and we would
>>    welcome further testing and advice from Kerberos experts.)
>
> I have a lot of Kerberos experience and administrate a multi-realm
> installation including Unix and Windows hosts, currently using Quest
> PuTTY; I'd be happy to test and advise.  :) Are the lacunae documented
> somewhere?

Not yet.  From memory there's some uncertainty about whether it
requests tickets properly in a cross-realm authentication environment
(although the author of that bug report later told us he was an idiot
and it worked after all).  IIRC there's also some nastiness to do with
short host aliases vs FQDNs when constructing principal names;
conventional wisdom seems to be to canonicalise aliases using the DNS
but trusting the DNS doesn't seem particularly wise.

Others of our number will probably have more specific details than I
can currently provide.

(S)
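
The alias-versus-FQDN point in the reply above, as an added example that is not part of the original post and is not PuTTY's code: it builds the Kerberos `host/` service principal for a short host alias under two policies, DNS canonicalisation and a locally administered alias table. All host names, the realm, the alias table and the dict standing in for DNS are constructed assumptions.

```python
# Added illustration; every host name, realm and record below is constructed.

DEFAULT_REALM = "CORP.EXAMPLE.COM"
# Assumption: alias table shipped with the client configuration, not fetched
# over the network.
LOCAL_ALIASES = {"build": "build01.corp.example.com"}

def dns_canonicalise(host, resolver):
    """Follow alias answers from `resolver` (a dict standing in for
    unauthenticated DNS) until the name has no further mapping."""
    seen = set()
    while host in resolver and host not in seen:  # `seen` stops alias loops
        seen.add(host)
        host = resolver[host]
    return host

def local_canonicalise(host, aliases=LOCAL_ALIASES):
    """Expand a short alias from the local table only; names that are already
    qualified pass through, unknown short names are refused."""
    host = host.rstrip(".").lower()
    if "." in host:
        return host
    if host not in aliases:
        raise ValueError(f"unqualified host {host!r} has no local mapping")
    return aliases[host]

def service_principal(fqdn, realm=DEFAULT_REALM):
    """Kerberos principal of the SSH server's host service."""
    return f"host/{fqdn}@{realm}"

def principal_via_dns(host, resolver):
    return service_principal(dns_canonicalise(host.lower(), resolver))

def principal_via_local(host):
    return service_principal(local_canonicalise(host))

# Two constructed views of DNS: the intended record, and an altered answer.
HONEST_DNS = {"build": "build01.corp.example.com"}
ALTERED_DNS = {"build": "scratch07.corp.example.com"}

if __name__ == "__main__":
    for label, dns in (("honest", HONEST_DNS), ("altered", ALTERED_DNS)):
        print(f"DNS policy, {label} answer:", principal_via_dns("build", dns))
    print("local policy:", principal_via_local("build"))
```

With DNS canonicalisation the client asks the KDC for a ticket to whichever host the DNS answer names; with the local table the principal for `build` is the same whatever DNS returns.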
