Demote SSH bypass-auth option; downplay in docs.

It's too esoteric to be the first thing on the Auth panel; I've never
heard of any SSH server that supports it in the decade since I
implemented it. The only Google hits are lost souls mistakenly believing
they need it for passwordless public-key login and the like.

diff --git a/config.c b/config.c
index 53ad2f910e24a340a2e325a814a0296938be39c7..c48493befc8ba42b7291c3746e2a9e3e9046b32f 100644 (file)
--- a/config.c
+++ b/config.c
@@ -2321,14 +2321,14 @@ void setup_config_box(struct controlbox *b, int midsession,
                          "Options controlling SSH authentication");
 
            s = ctrl_getset(b, "Connection/SSH/Auth", "main", NULL);
                          "Options controlling SSH authentication");
 
            s = ctrl_getset(b, "Connection/SSH/Auth", "main", NULL);

-           ctrl_checkbox(s, "Bypass authentication entirely (SSH-2 only)", 'b',
-                         HELPCTX(ssh_auth_bypass),
-                         conf_checkbox_handler,
-                         I(CONF_ssh_no_userauth));

            ctrl_checkbox(s, "Display pre-authentication banner (SSH-2 only)",
                          'd', HELPCTX(ssh_auth_banner),
                          conf_checkbox_handler,
                          I(CONF_ssh_show_banner));
            ctrl_checkbox(s, "Display pre-authentication banner (SSH-2 only)",
                          'd', HELPCTX(ssh_auth_banner),
                          conf_checkbox_handler,
                          I(CONF_ssh_show_banner));

+           ctrl_checkbox(s, "Bypass authentication entirely (SSH-2 only)", 'b',
+                         HELPCTX(ssh_auth_bypass),
+                         conf_checkbox_handler,
+                         I(CONF_ssh_no_userauth));

 
            s = ctrl_getset(b, "Connection/SSH/Auth", "methods",
                            "Authentication methods");
 
            s = ctrl_getset(b, "Connection/SSH/Auth", "methods",
                            "Authentication methods");

diff --git a/doc/config.but b/doc/config.but
index 5fe81bfeb2ec137a6497a28a1d37d4ccaa26e8f7..a4e7fb839d6b35495f87e4a66449a72aee9aa9a6 100644 (file)
--- a/doc/config.but
+++ b/doc/config.but
@@ -2596,22 +2596,6 @@ recommended ciphers.
 The Auth panel allows you to configure \i{authentication} options for
 SSH sessions.
 
 The Auth panel allows you to configure \i{authentication} options for
 SSH sessions.
 

-\S{config-ssh-noauth} \q{Bypass authentication entirely}
-
-\cfg{winhelp-topic}{ssh.auth.bypass}
-
-In SSH-2, it is possible to establish a connection without using SSH's
-mechanisms to identify or authenticate oneself to the server. Some
-servers may prefer to handle authentication in the data channel, for
-instance, or may simply require no authentication whatsoever.
-
-By default, PuTTY assumes the server requires authentication (most
-do), and thus must provide a username. If you find you are getting
-unwanted username prompts, you could try checking this option.
-
-This option only affects SSH-2 connections. SSH-1 connections always
-require an authentication step.
-

 \S{config-ssh-banner} \q{Display pre-authentication banner}
 
 \cfg{winhelp-topic}{ssh.auth.banner}
 \S{config-ssh-banner} \q{Display pre-authentication banner}
 
 \cfg{winhelp-topic}{ssh.auth.banner}


@@ -2627,6 +2611,34 @@ prompting for a login name, due to the nature of the protocol design).
 By unchecking this option, display of the banner can be suppressed
 entirely.
 
 By unchecking this option, display of the banner can be suppressed
 entirely.
 

+\S{config-ssh-noauth} \q{Bypass authentication entirely}
+
+\cfg{winhelp-topic}{ssh.auth.bypass}
+
+In SSH-2, it is in principle possible to establish a connection
+without using SSH's mechanisms to identify or prove who you are
+to the server. An SSH server could prefer to handle authentication
+in the data channel, for instance, or simply require no user
+authentication whatsoever.
+
+By default, PuTTY assumes the server requires authentication (we've
+never heard of one that doesn't), and thus must start this process
+with a username. If you find you are getting username prompts that
+you cannot answer, you could try enabling this option. However,
+most SSH servers will reject this.
+
+This is not the option you want if you have a username and just want
+PuTTY to remember it; for that see \k{config-username}.
+It's also probably not what if you're trying to set up passwordless
+login to a mainstream SSH server; depending on the server, you
+probably wanted public-key authentication (\k{pubkey})
+or perhaps GSSAPI authentication (\k{config-ssh-auth-gssapi}).
+(These are still forms of authentication, even if you don't have to
+interact with them.)
+
+This option only affects SSH-2 connections. SSH-1 connections always
+require an authentication step.
+

 \S{config-ssh-tryagent} \q{Attempt authentication using Pageant}
 
 \cfg{winhelp-topic}{ssh.auth.pageant}
 \S{config-ssh-tryagent} \q{Attempt authentication using Pageant}
 
 \cfg{winhelp-topic}{ssh.auth.pageant}


@@ -2748,7 +2760,7 @@ GSSAPI authentication. This is a mechanism which delegates the
 authentication exchange to a library elsewhere on the client
 machine, which in principle can authenticate in many different ways
 but in practice is usually used with the \i{Kerberos} \i{single sign-on}
 authentication exchange to a library elsewhere on the client
 machine, which in principle can authenticate in many different ways
 but in practice is usually used with the \i{Kerberos} \i{single sign-on}

-protocol.
+protocol to implement \i{passwordless login}.

 
 GSSAPI is only available in the SSH-2 protocol.
 
 
 GSSAPI is only available in the SSH-2 protocol.