
Re: PuTTY version 0.61 is released

From Owen Dunn <owend@chiark.greenend.org.uk>
Newsgroups comp.security.ssh
Subject Re: PuTTY version 0.61 is released
Date Wed, 13 Jul 2011 10:38:05 +0100
Message-ID <83pqlewmf6.fsf@chiark.greenend.org.uk>
References <93h*+LYHt@news.chiark.greenend.org.uk> <m2liw2n7y0.fsf@darwin.oankali.net>



Richard E. Silverman <res@qoxp.net> writes:

> Simon Tatham <anakin@pobox.com> writes:
>
>>  - Support for SSH-2 authentication using GSSAPI, on both Windows and
>>    Unix. Users in a Kerberos realm should now be able to use their
>>    existing Kerberos single sign-on in their PuTTY SSH connections.
>
> Does this include the GSSAPI key exchange, or only userauth?

Just userauth.

> Does it work only with SSPI, or can it also use a GSSAPI library if
> present (e.g. MIT Kerberos), as e.g. Firefox can do?

On Windows it can work with both SSPI and a GSSAPI implementation.
The GSSAPI panel lets you choose which library you want to use.

http://the.earth.li/~sgtatham/putty/0.61/htmldoc/Chapter4.html#config-ssh-auth-gssapi

>>    (While this has been successfully deployed in several realms, some
>>    small gaps are known to exist in this functionality, and we would
>>    welcome further testing and advice from Kerberos experts.)
>
> I have a lot of Kerberos experience and administrate a multi-realm
> installation including Unix and Windows hosts, currently using Quest
> PuTTY; I'd be happy to test and advise.  :) Are the lacunae documented
> somewhere?

Not yet.  From memory there's some uncertainty about whether it
requests tickets properly in a cross-realm authentication environment
(although the author of that bug report later told us he was an idiot
and it worked after all).  IIRC there's also some nastiness to do with
short host aliases vs FQDNs when constructing principal names;
conventional wisdom seems to be to canonicalise aliases using the DNS
but trusting the DNS doesn't seem particularly wise.

Others of our number will probably have more specific details than I
can currently provide.

(S)
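
The alias-versus-FQDN point in the post above, as an added example that is not PuTTY code and not part of the original post: it contrasts a Kerberos service principal built from a resolver's answer with one built from local policy only. The host table, search domain, realm map and function names are all hypothetical.

```python
# Added example, not PuTTY code. All hosts, domains and realms are constructed.
SEARCH_DOMAINS = ["corp.example.com"]                 # local suffix list
KNOWN_HOSTS = {"build1.corp.example.com", "files.corp.example.com"}
DOMAIN_REALM = {".corp.example.com": "CORP.EXAMPLE.COM",
                ".example.net": "EXAMPLE.NET"}


class UntrustedName(ValueError):
    """Raised when a name cannot be resolved from local policy alone."""


def realm_for(fqdn):
    """Pick the realm by longest matching domain suffix in the local table."""
    suffixes = [s for s in DOMAIN_REALM if fqdn.endswith(s)]
    if not suffixes:
        raise UntrustedName(f"no realm mapping for {fqdn!r}")
    return DOMAIN_REALM[max(suffixes, key=len)]


def principal_local(host):
    """Build host/<fqdn>@<REALM> from what the user typed, never asking DNS."""
    name = host.rstrip(".").lower()
    candidates = [name] if "." in name else [f"{name}.{d}" for d in SEARCH_DOMAINS]
    matches = [c for c in candidates if c in KNOWN_HOSTS]
    if len(matches) != 1:
        raise UntrustedName(f"{host!r} is not a unique, locally known host")
    return f"host/{matches[0]}@{realm_for(matches[0])}"


def principal_via_dns(host, resolve):
    """Canonicalise through a resolver: whatever it answers becomes the
    name the client asks the KDC for a ticket to."""
    fqdn = resolve(host).rstrip(".").lower()
    return f"host/{fqdn}@{realm_for(fqdn)}"


if __name__ == "__main__":
    honest = lambda h: "build1.corp.example.com."     # stand-in for a DNS reply
    forged = lambda h: "other.example.net."           # unauthenticated reply
    print(principal_via_dns("build1", honest))
    print(principal_via_dns("build1", forged))        # principal follows DNS
    print(principal_local("build1"))                  # fixed by local policy
```

With the resolver-based variant the ticket request follows whatever name comes back, so the client may authenticate to a different principal than the one the user meant; the local variant fails closed on unknown or ambiguous aliases.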



Thread

PuTTY version 0.61 is released Simon Tatham <anakin@pobox.com> - 2011-07-12 20:52 +0100
  Re: PuTTY version 0.61 is released Richard E. Silverman <res@qoxp.net> - 2011-07-13 00:03 -0400
    Re: PuTTY version 0.61 is released Jacob Nevins <jacobn@chiark.greenend.org.uk> - 2011-07-13 10:23 +0100
    Re: PuTTY version 0.61 is released Owen Dunn <owend@chiark.greenend.org.uk> - 2011-07-13 10:38 +0100
  Re: PuTTY version 0.61 is released Man-wai Chang <toylet.toylet@gmail.com> - 2011-07-15 01:01 +0800
  Re: PuTTY version 0.61 is released TALguru <TALguru@comcast.net> - 2011-07-17 10:42 -0700
