diff --git a/config.c b/config.c index 71d3ac05..0a470803 100644 --- a/config.c +++ b/config.c @@ -1817,6 +1817,12 @@ void setup_config_box(struct controlbox *b, int midsession, ctrl_settitle(b, "Connection/SSH/Auth", "Options controlling SSH authentication"); + s = ctrl_getset(b, "Connection/SSH/Auth", "main", NULL); + ctrl_checkbox(s, "Bypass authentication entirely (SSH-2 only)", 'b', + HELPCTX(ssh_auth_bypass), + dlg_stdcheckbox_handler, + I(offsetof(Config,ssh_no_userauth))); + s = ctrl_getset(b, "Connection/SSH/Auth", "methods", "Authentication methods"); ctrl_checkbox(s, "Attempt TIS or CryptoCard auth (SSH-1)", 'm', diff --git a/doc/config.but b/doc/config.but index 81570ed9..aae0b39c 100644 --- a/doc/config.but +++ b/doc/config.but @@ -2278,6 +2278,22 @@ protection than SSH-2 without rekeys. The Auth panel allows you to configure \i{authentication} options for SSH sessions. +\S{config-ssh-noauth} \q{Bypass authentication entirely} + +\cfg{winhelp-topic}{ssh.auth.bypass} + +In SSH-2, it is possible to establish a connection without using SSH's +mechanisms to identify or authenticate oneself to the server. Some +servers may prefer to handle authentication in the data channel, for +instance, or may simply require no authentication whatsoever. + +By default, PuTTY assumes the server requires authentication (most +do), and thus must provide a username. If you find you are getting +unwanted username prompts, you could try checking this option. + +This option only affects SSH-2 connections. SSH-1 connections always +require an authentication step. + \S{config-ssh-tis} \q{Attempt \I{TIS authentication}TIS or \i{CryptoCard authentication}} diff --git a/putty.h b/putty.h index 0dfb42ce..d8a778ed 100644 --- a/putty.h +++ b/putty.h @@ -432,6 +432,7 @@ struct config_tag { Filename keyfile; int sshprot; /* use v1 or v2 when both available */ int ssh2_des_cbc; /* "des-cbc" unrecommended SSH-2 cipher */ + int ssh_no_userauth; /* bypass "ssh-userauth" (SSH-2 only) */ int try_tis_auth; int try_ki_auth; int ssh_subsys; /* run a subsystem rather than a command */ diff --git a/settings.c b/settings.c index 4058b7dc..c2fd1b4e 100644 --- a/settings.c +++ b/settings.c @@ -300,6 +300,7 @@ void save_open_settings(void *sesskey, int do_host, Config *cfg) wprefs(sesskey, "KEX", kexnames, KEX_MAX, cfg->ssh_kexlist); write_setting_i(sesskey, "RekeyTime", cfg->ssh_rekey_time); write_setting_s(sesskey, "RekeyBytes", cfg->ssh_rekey_data); + write_setting_i(sesskey, "SshNoAuth", cfg->ssh_no_userauth); write_setting_i(sesskey, "AuthTIS", cfg->try_tis_auth); write_setting_i(sesskey, "AuthKI", cfg->try_ki_auth); write_setting_i(sesskey, "SshNoShell", cfg->ssh_no_shell); @@ -572,6 +573,7 @@ void load_open_settings(void *sesskey, int do_host, Config *cfg) sizeof(cfg->ssh_rekey_data)); gppi(sesskey, "SshProt", 2, &cfg->sshprot); gppi(sesskey, "SSH2DES", 0, &cfg->ssh2_des_cbc); + gppi(sesskey, "SshNoAuth", 0, &cfg->ssh_no_userauth); gppi(sesskey, "AuthTIS", 0, &cfg->try_tis_auth); gppi(sesskey, "AuthKI", 1, &cfg->try_ki_auth); gppi(sesskey, "SshNoShell", 0, &cfg->ssh_no_shell); diff --git a/ssh.c b/ssh.c index b5fa3f21..8b986ffa 100644 --- a/ssh.c +++ b/ssh.c @@ -6428,6 +6428,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, AUTH_TYPE_KEYBOARD_INTERACTIVE, AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET } type; + int done_service_req; int gotit, need_pw, can_pubkey, can_passwd, can_keyb_inter; int tried_pubkey_config, tried_agent; int kbd_inter_running, kbd_inter_refused; @@ -6455,16 +6456,33 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, crBegin(ssh->do_ssh2_authconn_crstate); - /* - * Request userauth protocol, and await a response to it. - */ - s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST); - ssh2_pkt_addstring(s->pktout, "ssh-userauth"); - ssh2_pkt_send(ssh, s->pktout); - crWaitUntilV(pktin); - if (pktin->type != SSH2_MSG_SERVICE_ACCEPT) { - bombout(("Server refused user authentication protocol")); - crStopV; + s->done_service_req = FALSE; + s->we_are_in = FALSE; + if (!ssh->cfg.ssh_no_userauth) { + /* + * Request userauth protocol, and await a response to it. + */ + s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST); + ssh2_pkt_addstring(s->pktout, "ssh-userauth"); + ssh2_pkt_send(ssh, s->pktout); + crWaitUntilV(pktin); + if (pktin->type == SSH2_MSG_SERVICE_ACCEPT) + s->done_service_req = TRUE; + } + if (!s->done_service_req) { + /* + * Request connection protocol directly, without authentication. + */ + s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST); + ssh2_pkt_addstring(s->pktout, "ssh-connection"); + ssh2_pkt_send(ssh, s->pktout); + crWaitUntilV(pktin); + if (pktin->type == SSH2_MSG_SERVICE_ACCEPT) { + s->we_are_in = TRUE; /* no auth required */ + } else { + bombout(("Server refused service request")); + crStopV; + } } /* @@ -6493,7 +6511,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, */ s->username[0] = '\0'; s->got_username = FALSE; - do { + while (!s->we_are_in) { /* * Get a username. */ @@ -7234,12 +7252,10 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen, crStopV; } } - } while (!s->we_are_in); + } /* - * Now we're authenticated for the connection protocol. The - * connection protocol will automatically have started at this - * point; there's no need to send SERVICE_REQUEST. + * Now the connection protocol has started, one way or another. */ ssh->channels = newtree234(ssh_channelcmp); diff --git a/windows/winhelp.h b/windows/winhelp.h index 2aa5a149..750d3794 100644 --- a/windows/winhelp.h +++ b/windows/winhelp.h @@ -95,6 +95,7 @@ #define WINHELP_CTX_ssh_compress "ssh.compress" #define WINHELP_CTX_ssh_kexlist "ssh.kex.order" #define WINHELP_CTX_ssh_kex_repeat "ssh.kex.repeat" +#define WINHELP_CTX_ssh_auth_bypass "ssh.auth.bypass" #define WINHELP_CTX_ssh_auth_privkey "ssh.auth.privkey" #define WINHELP_CTX_ssh_auth_agentfwd "ssh.auth.agentfwd" #define WINHELP_CTX_ssh_auth_changeuser "ssh.auth.changeuser"