diff --git a/cmdline.c b/cmdline.c
index 112463c3..39f57bbf 100644
--- a/cmdline.c
+++ b/cmdline.c
@@ -291,6 +291,19 @@ int cmdline_process_param(char *p, char *value, int need_save, Config *cfg)
 cmdline_password = value;
 }
+ if (!strcmp(p, "-agent") || !strcmp(p, "-pagent") ||
+ !strcmp(p, "-pageant")) {
+ RETURN(1);
+ UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
+ cfg->tryagent = TRUE;
+ }
+ if (!strcmp(p, "-noagent") || !strcmp(p, "-nopagent") ||
+ !strcmp(p, "-nopageant")) {
+ RETURN(1);
+ UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
+ cfg->tryagent = FALSE;
+ }
+
 if (!strcmp(p, "-A")) {
 RETURN(1);
 UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
diff --git a/config.c b/config.c
index 39da6c2a..c844e059 100644
--- a/config.c
+++ b/config.c
@@ -1841,6 +1841,10 @@ void setup_config_box(struct controlbox *b, int midsession,
 s = ctrl_getset(b, "Connection/SSH/Auth", "methods", "Authentication methods");
+ ctrl_checkbox(s, "Attempt authentication using Pageant", 'p',
+ HELPCTX(ssh_auth_pageant),
+ dlg_stdcheckbox_handler,
+ I(offsetof(Config,tryagent)));
 ctrl_checkbox(s, "Attempt TIS or CryptoCard auth (SSH-1)", 'm', HELPCTX(ssh_auth_tis), dlg_stdcheckbox_handler,
diff --git a/doc/config.but b/doc/config.but
index 4281f6c8..d0ec32e5 100644
--- a/doc/config.but
+++ b/doc/config.but
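Review bot: The two new option blocks restrict `-agent`/`-noagent` with `UNAVAILABLE_IN(TOOLTYPE_NONNETWORK)` only, yet the using.but text added in the same commit states "These options are not available in the file transfer tools PSCP and PSFTP", so code and documentation disagree. Either mirror the `-A` handler directly below and write `UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);` in both blocks, or drop that sentence from the documentation; since the file-transfer tools also authenticate over SSH, keeping the option available to them and fixing the doc seems the more useful reading, but that is the author's call. cmdline_process_param starts and ends outside the hunk.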
@@ -2310,6 +2310,24 @@ unwanted username prompts, you could try checking this option. This option only affects SSH-2 connections. SSH-1 connections always require an authentication step.
+\S{config-ssh-tryagent} \q{Attempt authentication using Pageant}
+
+\cfg{winhelp-topic}{ssh.auth.pageant}
+
+If this option is enabled, then PuTTY will look for Pageant (the SSH
+private-key storage agent) and attempt to authenticate with any
+suitable public keys Pageant currently holds.
+
+This behaviour is almost always desirable, and is therefore enabled
+by default. In rare cases you might need to turn it off in order to
+force authentication by some non-public-key method such as
+passwords.
+
+This option can also be controlled using the \c{-noagent}
+command-line option. See \k{using-cmdline-agentauth}.
+
+See \k{pageant} for more information about Pageant in general.
+
 \S{config-ssh-tis} \q{Attempt \I{TIS authentication}TIS or \i{CryptoCard authentication}}
diff --git a/doc/pageant.but b/doc/pageant.but
index 548aa8bf..f84fb64d 100644
--- a/doc/pageant.but
+++ b/doc/pageant.but
@@ -42,6 +42,10 @@ automatically from Pageant, and use it to authenticate. You can now open as many PuTTY sessions as you like without having to type your passphrase again.
+(PuTTY can be configured not to try to use Pageant, but it will try
+by default. See \k{config-ssh-tryagent} and
+\k{using-cmdline-agentauth} for more information.)
+
 When you want to shut down Pageant, click the right button on the Pageant icon in the System tray, and select \q{Exit} from the menu. Closing the Pageant main window does \e{not} shut down Pageant.
diff --git a/doc/using.but b/doc/using.but
index 663aa057..1aa22115 100644
--- a/doc/using.but
+++ b/doc/using.but
@@ -685,6 +685,22 @@ Note that the \c{-pw} option only works when you are using the SSH protocol. Due to fundamental limitations of Telnet and Rlogin, these protocols do not support automated password authentication.
+\S2{using-cmdline-agentauth} \i\c{-agent} and \i\c{-noagent}:
+control use of Pageant for authentication
+
+The \c{-agent} option turns on SSH authentication using Pageant, and
+\c{-noagent} turns it off. These options are only meaningful if you
+are using SSH.
+
+See \k{pageant} for general information on \i{Pageant}
+
+These options are equivalent to the agent authentication checkbox in
+the Auth panel of the PuTTY configuration box (see
+\k{config-ssh-tryagent}).
+
+These options are not available in the file transfer tools PSCP and
+PSFTP.
+
 \S2{using-cmdline-agent} \I{-A-upper}\c{-A} and \i\c{-a}: control \i{agent forwarding}
diff --git a/putty.h b/putty.h
index f1733407..ae417391 100644
--- a/putty.h
+++ b/putty.h
@@ -432,6 +432,7 @@ struct config_tag {
 int ssh_kexlist[KEX_MAX];
 int ssh_rekey_time; /* in minutes */
 char ssh_rekey_data[16];
+ int tryagent;
 int agentfwd;
 int change_username; /* allow username switching in SSH-2 */
 int ssh_cipherlist[CIPHER_MAX];
diff --git a/settings.c b/settings.c
index 98eefce3..76d02c0f 100644
--- a/settings.c
+++ b/settings.c
@@ -297,6 +297,7 @@ void save_open_settings(void *sesskey, int do_host, Config *cfg)
 write_setting_s(sesskey, "LocalUserName", cfg->localusername);
 write_setting_i(sesskey, "NoPTY", cfg->nopty);
 write_setting_i(sesskey, "Compression", cfg->compression);
+ write_setting_i(sesskey, "TryAgent", cfg->tryagent);
 write_setting_i(sesskey, "AgentFwd", cfg->agentfwd);
 write_setting_i(sesskey, "ChangeUsername", cfg->change_username);
 wprefs(sesskey, "Cipher", ciphernames, CIPHER_MAX,
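Review bot: The new `tryagent` field in struct config_tag carries no comment, while the neighbouring `ssh_rekey_time` and `change_username` fields in the same hunk explain their meaning inline. Suggest `int tryagent; /* attempt public-key auth via Pageant/SSH agent; 1 = on (the settings.c default) */` so a reader does not have to trace the ssh.c call sites to learn what the flag gates. The struct starts and ends outside the hunk.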
@@ -556,6 +557,7 @@ void load_open_settings(void *sesskey, int do_host, Config *cfg)
 sizeof(cfg->localusername));
 gppi(sesskey, "NoPTY", 0, &cfg->nopty);
 gppi(sesskey, "Compression", 0, &cfg->compression);
+ gppi(sesskey, "TryAgent", 1, &cfg->tryagent);
 gppi(sesskey, "AgentFwd", 0, &cfg->agentfwd);
 gppi(sesskey, "ChangeUsername", 0, &cfg->change_username);
 gprefs(sesskey, "Cipher", "\0",
diff --git a/ssh.c b/ssh.c
index 7e183880..aa619e3e 100644
--- a/ssh.c
+++ b/ssh.c
@@ -3222,7 +3222,7 @@ static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
 while (pktin->type == SSH1_SMSG_FAILURE) {
 s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
- if (agent_exists() && !s->tried_agent) {
+ if (ssh->cfg.tryagent && agent_exists() && !s->tried_agent) {
 /*
 * Attempt RSA authentication using Pageant.
 */
@@ -6613,7 +6613,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
 s->nkeys = 0;
 s->agent_response = NULL;
 s->pkblob_in_agent = NULL;
- if (agent_exists()) {
+ if (ssh->cfg.tryagent && agent_exists() && ssh->cfg.tryagent) {
 void *r;
diff --git a/unix/uxplink.c b/unix/uxplink.c
index 90b151f7..0e27366e 100644
--- a/unix/uxplink.c
+++ b/unix/uxplink.c
@@ -628,8 +628,6 @@ int main(int argc, char **argv)
 if (!*cfg.host) {
 char *q = p;
- do_defaults(NULL, &cfg);
-
 /*
 * If the hostname starts with "telnet:", set the
 * protocol to Telnet and process the string as a
diff --git a/windows/winhelp.h b/windows/winhelp.h
index 750d3794..40fcf724 100644
--- a/windows/winhelp.h
+++ b/windows/winhelp.h
@@ -99,6 +99,7 @@
 #define WINHELP_CTX_ssh_auth_privkey "ssh.auth.privkey"
 #define WINHELP_CTX_ssh_auth_agentfwd "ssh.auth.agentfwd"
 #define WINHELP_CTX_ssh_auth_changeuser "ssh.auth.changeuser"
+#define WINHELP_CTX_ssh_auth_pageant "ssh.auth.pageant"
 #define WINHELP_CTX_ssh_auth_tis "ssh.auth.tis"
 #define WINHELP_CTX_ssh_auth_ki "ssh.auth.ki"
 #define WINHELP_CTX_selection_buttons "selection.buttons"
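Review bot: The `1` passed to `gppi(sesskey, "TryAgent", 1, &cfg->tryagent);` is the only place the "agent auth on" default lives, so any Config that is zero-filled rather than initialised through load_open_settings would carry `tryagent == 0` and the ssh.c checks added in this commit would then skip Pageant without any message. Worth a comment on the new line, e.g. `/* default on; a zeroed Config would silently disable agent auth */`, and a check that every front end runs do_defaults() before command-line parsing — the uxplink.c hunk in this commit removes a do_defaults() call from the host-argument path, presumably because defaults are already applied earlier, but that is not visible here. load_open_settings starts and ends outside the hunk.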
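Review bot: The new condition in the do_ssh2_authconn hunk tests the flag twice: `if (ssh->cfg.tryagent && agent_exists() && ssh->cfg.tryagent) {`. The trailing `&& ssh->cfg.tryagent` can never change the result and should be dropped so the line reads `if (ssh->cfg.tryagent && agent_exists()) {`, matching the shape of the do_ssh1_login hunk above it. Both enclosing functions start and end outside their hunks.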