From 98e5eeedd1456656f73894c26a359bb6355c1b4e Mon Sep 17 00:00:00 2001 From: Jacob Nevins Date: Fri, 25 Mar 2016 13:10:00 +0000 Subject: [PATCH] Demote SSH bypass-auth option; downplay in docs. It's too esoteric to be the first thing on the Auth panel; I've never heard of any SSH server that supports it in the decade since I implemented it. The only Google hits are lost souls mistakenly believing they need it for passwordless public-key login and the like. --- config.c | 8 ++++---- doc/config.but | 46 +++++++++++++++++++++++++++++----------------- 2 files changed, 33 insertions(+), 21 deletions(-) diff --git a/config.c b/config.c index 53ad2f91..c48493be 100644 --- a/config.c +++ b/config.c @@ -2321,14 +2321,14 @@ void setup_config_box(struct controlbox *b, int midsession, "Options controlling SSH authentication"); s = ctrl_getset(b, "Connection/SSH/Auth", "main", NULL); - ctrl_checkbox(s, "Bypass authentication entirely (SSH-2 only)", 'b', - HELPCTX(ssh_auth_bypass), - conf_checkbox_handler, - I(CONF_ssh_no_userauth)); ctrl_checkbox(s, "Display pre-authentication banner (SSH-2 only)", 'd', HELPCTX(ssh_auth_banner), conf_checkbox_handler, I(CONF_ssh_show_banner)); + ctrl_checkbox(s, "Bypass authentication entirely (SSH-2 only)", 'b', + HELPCTX(ssh_auth_bypass), + conf_checkbox_handler, + I(CONF_ssh_no_userauth)); s = ctrl_getset(b, "Connection/SSH/Auth", "methods", "Authentication methods"); diff --git a/doc/config.but b/doc/config.but index 5fe81bfe..a4e7fb83 100644 --- a/doc/config.but +++ b/doc/config.but 
@@ -2596,22 +2596,6 @@ recommended ciphers. The Auth panel allows you to configure \i{authentication} options for SSH sessions. -\S{config-ssh-noauth} \q{Bypass authentication entirely} - -\cfg{winhelp-topic}{ssh.auth.bypass} - -In SSH-2, it is possible to establish a connection without using SSH's -mechanisms to identify or authenticate oneself to the server. Some -servers may prefer to handle authentication in the data channel, for -instance, or may simply require no authentication whatsoever. - -By default, PuTTY assumes the server requires authentication (most -do), and thus must provide a username. If you find you are getting -unwanted username prompts, you could try checking this option. - -This option only affects SSH-2 connections. SSH-1 connections always -require an authentication step. - \S{config-ssh-banner} \q{Display pre-authentication banner} \cfg{winhelp-topic}{ssh.auth.banner} 
@@ -2627,6 +2611,34 @@ prompting for a login name, due to the nature of the protocol design). By unchecking this option, display of the banner can be suppressed entirely. +\S{config-ssh-noauth} \q{Bypass authentication entirely} + +\cfg{winhelp-topic}{ssh.auth.bypass} + +In SSH-2, it is in principle possible to establish a connection +without using SSH's mechanisms to identify or prove who you are +to the server. An SSH server could prefer to handle authentication +in the data channel, for instance, or simply require no user +authentication whatsoever. + +By default, PuTTY assumes the server requires authentication (we've +never heard of one that doesn't), and thus must start this process +with a username. If you find you are getting username prompts that +you cannot answer, you could try enabling this option. However, +most SSH servers will reject this. + +This is not the option you want if you have a username and just want +PuTTY to remember it; for that see \k{config-username}. +It's also probably not what if you're trying to set up passwordless +login to a mainstream SSH server; depending on the server, you +probably wanted public-key authentication (\k{pubkey}) +or perhaps GSSAPI authentication (\k{config-ssh-auth-gssapi}). +(These are still forms of authentication, even if you don't have to +interact with them.) + +This option only affects SSH-2 connections. SSH-1 connections always +require an authentication step. + \S{config-ssh-tryagent} \q{Attempt authentication using Pageant} \cfg{winhelp-topic}{ssh.auth.pageant} @@ -2748,7 +2760,7 @@ GSSAPI authentication. This is a mechanism which delegates the authentication exchange to a library elsewhere on the client machine, which in principle can authenticate in many different ways but in practice is usually used with the \i{Kerberos} \i{single sign-on} -protocol. +protocol to implement \i{passwordless login}. GSSAPI is only available in the SSH-2 protocol. -- 2.45.2
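Review bot: In the config.c hunk, the relocated ctrl_checkbox for CONF_ssh_no_userauth has no comment explaining why it now sits after the banner checkbox, so a later tidy-up could move it back to the top of the "main" set. A one-line comment above the moved call saying the placement is deliberate would preserve the intent given in the commit message. The label "Bypass authentication entirely (SSH-2 only)" is also unchanged, while the new documentation text says people pick this option by mistake; if that is the concern, the label is what they see first and may deserve the same attention as the manual.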
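Review bot: In the doc/config.but hunk that re-adds \S{config-ssh-noauth}, the added sentence "It's also probably not what if you're trying to set up passwordless" is missing words; it should read "probably not what you want if you're trying". The same sentence then switches tense with "you probably wanted public-key authentication", which would read better as "you probably want" to match "This is not the option you want" just above it.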
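Review bot: In the last doc/config.but hunk (GSSAPI), the index term \i{passwordless login} is added only here, while the new bypass-authentication text in the previous hunk writes "passwordless login" as plain text. Since that paragraph exists to redirect readers who look for passwordless login, marking the phrase with \i{...} there too would make the index lead to the redirect as well as to GSSAPI.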