This post is also about the same but shows another approach with different tool, Macfusion. However, Kerberos sites are typically run by a central authority, so the administrator of one server is likely to already have access to the other services too so this would typically be less of a risk than SSH agent forwarding.In my last blog I showed how to mount home, scratch and archive from NYU HPC clusters onto a Mac. Note that, like SSH agent forwarding, there is a security implication in the use of this option: the administrator of the server you connect to, or anyone else who has cracked the administrator account on that server, could fake your identity when connecting to further Kerberos-supporting services. This option is the Kerberos analogue of SSH agent forwarding. If you enable this option, then not only will WinSCP be able to log in automatically to a server that accepts your Kerberos credentials, but also you will be able to connect out from that server to other Kerberos-supporting services and use the same credentials just as automatically. GSSAPI credential delegation is a mechanism for passing on your Kerberos (or other) identity to the session on the SSH server. This feature is available only in the latest beta release. When this setting is configured, WinSCP will honour it no matter whether the private key is found in a file, or loaded into Pageant. To do this, enter the pathname of the certificate file into the Certificate to use with the private key file selector. But another approach is to tell WinSCP itself where to find the public certificate file, and then it will automatically present that certificate when authenticating with the corresponding private key. One way to use a certificate is to incorporate it into your private key file. But if instead you configure all those servers once to accept keys signed as yours by a CA, then when you change your public key, all you have to do is to get the new key certified by the same CA as before, and then all your servers will automatically accept it without needing individual reconfiguration. When you change your key pair, you might otherwise have to edit the authorized_keys file (in case of OpenSSH) on every server individually, to make them all accept the new key. This can be a convenient setup if you have a very large number of servers. In some environments, user authentication keys can be signed in turn by a certifying authority (CA for short), and user accounts on an SSH server can be configured to automatically trust any key that’s certified by the right signature. After installing succeeds, the new private key will be inserted into the Private key file box. You can authenticate using a password or using another key (select it in Private key file box). You will need to authenticate to the server to install the key. You will be prompted to select key pair to install. Use the command Tools > Install Public Key into Server to install a public key into OpenSSH server. After you save your new key pair in PuTTYgen, WinSCP will detect it and automatically insert a path to the new key file into Private key file box. The command Tools > Generate New Key Pair with PuTTYgen starts PuTTYgen, in which you can generate a new private key pair. Use the button Display Public Key to display public key in a format suitable for pasting into OpenSSH authorized_keys file. In the latest beta version, if certificate file with the same name (but -cert.pub suffix) is found, it will be automatically added to the converted key file. If you select a key file in a different format (OpenSSH or ssh.com), WinSCP will offer you to convert the key to PuTTY format. Use this method carefully and only under special circumstances. If you need to login to server automatically without prompt, generate a key without passphrase. The passphrase cannot be entered in advance in session settings and thus it cannot be saved to site.
0 Comments
Leave a Reply. |