Implement `bypass-ssh2-userauth', since from correspondence it sounds like

there are servers which could in principle operate in this mode, although I
don't know if any do in practice. (Hence, I haven't been able to test it.)

[originally from svn r5748]
[this svn revision also touched putty-wishlist]

config.c

@@ -1817,6 +1817,12 @@ void setup_config_box(struct controlbox *b, int midsession,
 	    ctrl_settitle(b, "Connection/SSH/Auth",
 			  "Options controlling SSH authentication");
 
+	    s = ctrl_getset(b, "Connection/SSH/Auth", "main", NULL);
+	    ctrl_checkbox(s, "Bypass authentication entirely (SSH-2 only)", 'b',
+			  HELPCTX(ssh_auth_bypass),
+			  dlg_stdcheckbox_handler,
+			  I(offsetof(Config,ssh_no_userauth)));
+
 	    s = ctrl_getset(b, "Connection/SSH/Auth", "methods",
 			    "Authentication methods");
 	    ctrl_checkbox(s, "Attempt TIS or CryptoCard auth (SSH-1)", 'm',

doc/config.but

@@ -2278,6 +2278,22 @@ protection than SSH-2 without rekeys.
 The Auth panel allows you to configure \i{authentication} options for
 SSH sessions.
 
+\S{config-ssh-noauth} \q{Bypass authentication entirely}
+
+\cfg{winhelp-topic}{ssh.auth.bypass}
+
+In SSH-2, it is possible to establish a connection without using SSH's
+mechanisms to identify or authenticate oneself to the server. Some
+servers may prefer to handle authentication in the data channel, for
+instance, or may simply require no authentication whatsoever.
+
+By default, PuTTY assumes the server requires authentication (most
+do), and thus must provide a username. If you find you are getting
+unwanted username prompts, you could try checking this option.
+
+This option only affects SSH-2 connections. SSH-1 connections always
+require an authentication step.
+
 \S{config-ssh-tis} \q{Attempt \I{TIS authentication}TIS or
 \i{CryptoCard authentication}}
 

putty.h

@@ -432,6 +432,7 @@ struct config_tag {
     Filename keyfile;
     int sshprot;		       /* use v1 or v2 when both available */
     int ssh2_des_cbc;		       /* "des-cbc" unrecommended SSH-2 cipher */
+    int ssh_no_userauth;	       /* bypass "ssh-userauth" (SSH-2 only) */
     int try_tis_auth;
     int try_ki_auth;
     int ssh_subsys;		       /* run a subsystem rather than a command */

settings.c

@@ -300,6 +300,7 @@ void save_open_settings(void *sesskey, int do_host, Config *cfg)
     wprefs(sesskey, "KEX", kexnames, KEX_MAX, cfg->ssh_kexlist);
     write_setting_i(sesskey, "RekeyTime", cfg->ssh_rekey_time);
     write_setting_s(sesskey, "RekeyBytes", cfg->ssh_rekey_data);
+    write_setting_i(sesskey, "SshNoAuth", cfg->ssh_no_userauth);
     write_setting_i(sesskey, "AuthTIS", cfg->try_tis_auth);
     write_setting_i(sesskey, "AuthKI", cfg->try_ki_auth);
     write_setting_i(sesskey, "SshNoShell", cfg->ssh_no_shell);
@@ -572,6 +573,7 @@ void load_open_settings(void *sesskey, int do_host, Config *cfg)
 	 sizeof(cfg->ssh_rekey_data));
     gppi(sesskey, "SshProt", 2, &cfg->sshprot);
     gppi(sesskey, "SSH2DES", 0, &cfg->ssh2_des_cbc);
+    gppi(sesskey, "SshNoAuth", 0, &cfg->ssh_no_userauth);
     gppi(sesskey, "AuthTIS", 0, &cfg->try_tis_auth);
     gppi(sesskey, "AuthKI", 1, &cfg->try_ki_auth);
     gppi(sesskey, "SshNoShell", 0, &cfg->ssh_no_shell);

ssh.c

@@ -6428,6 +6428,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
 		AUTH_TYPE_KEYBOARD_INTERACTIVE,
 		AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET
 	} type;
+	int done_service_req;
 	int gotit, need_pw, can_pubkey, can_passwd, can_keyb_inter;
 	int tried_pubkey_config, tried_agent;
 	int kbd_inter_running, kbd_inter_refused;
@@ -6455,16 +6456,33 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
 
     crBegin(ssh->do_ssh2_authconn_crstate);
 
-    /*
-     * Request userauth protocol, and await a response to it.
-     */
-    s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
-    ssh2_pkt_addstring(s->pktout, "ssh-userauth");
-    ssh2_pkt_send(ssh, s->pktout);
-    crWaitUntilV(pktin);
-    if (pktin->type != SSH2_MSG_SERVICE_ACCEPT) {
-	bombout(("Server refused user authentication protocol"));
-	crStopV;
+    s->done_service_req = FALSE;
+    s->we_are_in = FALSE;
+    if (!ssh->cfg.ssh_no_userauth) {
+	/*
+	 * Request userauth protocol, and await a response to it.
+	 */
+	s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
+	ssh2_pkt_addstring(s->pktout, "ssh-userauth");
+	ssh2_pkt_send(ssh, s->pktout);
+	crWaitUntilV(pktin);
+	if (pktin->type == SSH2_MSG_SERVICE_ACCEPT)
+	    s->done_service_req = TRUE;
+    }
+    if (!s->done_service_req) {
+	/*
+	 * Request connection protocol directly, without authentication.
+	 */
+	s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
+	ssh2_pkt_addstring(s->pktout, "ssh-connection");
+	ssh2_pkt_send(ssh, s->pktout);
+	crWaitUntilV(pktin);
+	if (pktin->type == SSH2_MSG_SERVICE_ACCEPT) {
+	    s->we_are_in = TRUE; /* no auth required */
+	} else {
+	    bombout(("Server refused service request"));
+	    crStopV;
+	}
     }
 
     /*
@@ -6493,7 +6511,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
      */
     s->username[0] = '\0';
     s->got_username = FALSE;
-    do {
+    while (!s->we_are_in) {
 	/*
 	 * Get a username.
 	 */
@@ -7234,12 +7252,10 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
 		crStopV;
 	    }
 	}
-    } while (!s->we_are_in);
+    }
 
     /*
-     * Now we're authenticated for the connection protocol. The
-     * connection protocol will automatically have started at this
-     * point; there's no need to send SERVICE_REQUEST.
+     * Now the connection protocol has started, one way or another.
      */
 
     ssh->channels = newtree234(ssh_channelcmp);

windows/winhelp.h

@@ -95,6 +95,7 @@
 #define WINHELP_CTX_ssh_compress "ssh.compress"
 #define WINHELP_CTX_ssh_kexlist "ssh.kex.order"
 #define WINHELP_CTX_ssh_kex_repeat "ssh.kex.repeat"
+#define WINHELP_CTX_ssh_auth_bypass "ssh.auth.bypass"
 #define WINHELP_CTX_ssh_auth_privkey "ssh.auth.privkey"
 #define WINHELP_CTX_ssh_auth_agentfwd "ssh.auth.agentfwd"
 #define WINHELP_CTX_ssh_auth_changeuser "ssh.auth.changeuser"