1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 01:48:00 +00:00
Commit Graph

46 Commits

Author SHA1 Message Date
Simon Tatham
2762a2025f Merge the 0.74 release branch back to master.
Two minor memory-leak fixes on 0.74 seem not to be needed on master:
the fix in an early exit path of pageant_add_keyfile is done already
on master in a different way, and the missing sfree(fdlist) in
uxsftp.c is in code that's been completely rewritten in the uxcliloop
refactoring.

Other minor conflicts: the rework in commit b52641644905 of
ssh1login.c collided with the change from FLAG_VERBOSE to
seat_verbose(), and master and 0.74 each added an unrelated extra
field to the end of struct SshServerConfig.
2020-06-27 08:11:22 +01:00
Simon Tatham
08f1e2a506 Add an option to disable the dynamic host key policy.
This mitigates CVE-2020-14002: if you're in the habit of clicking OK
to unknown host keys (the TOFU policy - trust on first use), then an
active attacker looking to exploit that policy to substitute their own
host key in your first connection to a server can use the host key
algorithm order in your KEXINIT to (not wholly reliably) detect
whether you have a key already stored for this host, and if so, abort
their attack to avoid giving themself away.

However, for users who _don't_ use the TOFU policy and instead check
new host keys out of band, the dynamic policy is more useful. So it's
provided as a configurable option.
2020-06-21 16:39:47 +01:00
Lars Brinkhoff
315933c114 Add support for the SUPDUP protocol.
Based on work by Josh Dersch, with permission.
2020-03-10 07:11:32 +00:00
Jacob Nevins
464e351c7b Remove most traces of WinHelp support.
Remove the 'winhelp-topic' IDs from the Halibut source, and from the
code. Now we have one fewer name to think of every time we add a
setting.

I've left the HELPCTX system in place, with the vague notion that it
might be a useful layer of indirection for some future help system on a
platform like Mac OS X.

(I've left the putty.hlp target in doc/Makefile, if nothing else because
this is a convenient test case for Halibut's WinHelp support. But the
resulting help file will no longer support context help.)
2019-03-26 00:27:04 +00:00
Jacob Nevins
a8d3008143 Stop shipping old WinHelp (.HLP) file.
The executables were already ignoring it.

This is a minimal change; PUTTY.HLP can still be built, and there's
still all the context IDs lying around.

Buildscr changes are untested.
2019-03-16 12:25:23 +00:00
Jonathan Liu
822d2fd4c3 Add option whether to include header when logging.
It is useful to be able to exclude the header so that the log file
can be used for realtime input to other programs such as Kst for
plotting live data from sensors.
2018-09-26 12:13:01 +01:00
Simon Tatham
6afa955a2e Option to support VT100 line drawing in UTF-8 mode.
Thanks to Jiri Kaspar for sending this patch (apart from the new docs
section, which is in my own words), which implements a feature we've
had as a wishlist item ('utf8-plus-vt100') for a long time.

I was actually surprised it was possible to implement it in so few
lines of code! I'd forgotten, or possibly never noticed in the first
place, that even in UTF-8 mode PuTTY not only accepts but still
_processes_ all the ISO 2022 control sequences and shift characters,
and keeps running track of all the same state in term->cset and
term->cset_attrs that it tracks in IS0-2022-enabled modes. It's just
that in UTF-8 mode, at the very last minute when a character+attribute
pair is about to be written into the terminal's character buffer, it
deliberately ignores the contents of those variables.

So all that was needed was a new flag checked at that last moment
which causes it not quite to ignore them after all, and bingo,
utf8-plus-vt100 is supported. And it works no matter which ISO 2022
sequences you're using; whether you're using ESC ( 0 to select the
line drawing set directly into GL and ESC ( B to get back when you're
done, or whether you send a preliminary ESC ( B ESC ) 0 to get GL/GR
to be ASCII and line drawing respectively so you can use SI and SO as
one-byte mode switches thereafter, both work just as well.

This implementation strategy has a couple of consequences, which I
don't think matter very much one way or the other but I document them
just in case they turn out to be important later:

 - if an application expecting this mode has already filled your
   terminal window with lqqqqqqqqk, then enabling this mode in Change
   Settings won't retroactively turn them into the line drawing
   characters you wanted, because no memory is preserved in the screen
   buffer of what the ISO 2022 state was when they were printed. So
   the application still has to do a screen refresh.

 - on the other hand, if you already sent the ESC ( 0 or whatever to
   put the terminal _into_ line drawing mode, and then you turn on
   this mode in Change Settings, you _will_ still be in line drawing
   mode, because the system _does_ remember your current ISO 2022
   state at all times, whether it's currently applying it to output
   printing characters or not.
2018-05-12 08:48:20 +01:00
Simon Tatham
d515e4f1a3 Support GSS key exchange, for Kerberos 5 only.
This is a heavily edited (by me) version of a patch originally due to
Nico Williams and Viktor Dukhovni. Their comments:

 * Don't delegate credentials when rekeying unless there's a new TGT
   or the old service ticket is nearly expired.

 * Check for the above conditions more frequently (every two minutes
   by default) and rekey when we would delegate credentials.

 * Do not rekey with very short service ticket lifetimes; some GSSAPI
   libraries may lose the race to use an almost expired ticket. Adjust
   the timing of rekey checks to try to avoid this possibility.

My further comments:

The most interesting thing about this patch to me is that the use of
GSS key exchange causes a switch over to a completely different model
of what host keys are for. This comes from RFC 4462 section 2.1: the
basic idea is that when your session is mostly bidirectionally
authenticated by the GSSAPI exchanges happening in initial kex and
every rekey, host keys become more or less vestigial, and their
remaining purpose is to allow a rekey to happen if the requirements of
the SSH protocol demand it at an awkward moment when the GSS
credentials are not currently available (e.g. timed out and haven't
been renewed yet). As such, there's no need for host keys to be
_permanent_ or to be a reliable identifier of a particular host, and
RFC 4462 allows for the possibility that they might be purely
transient and only for this kind of emergency fallback purpose.

Therefore, once PuTTY has done a GSS key exchange, it disconnects
itself completely from the permanent host key cache functions in
storage.h, and instead switches to a _transient_ host key cache stored
in memory with the lifetime of just that SSH session. That cache is
populated with keys received from the server as a side effect of GSS
kex (via the optional SSH2_MSG_KEXGSS_HOSTKEY message), and used if
later in the session we have to fall back to a non-GSS key exchange.
However, in practice servers we've tested against do not send a host
key in that way, so we also have a fallback method of populating the
transient cache by triggering an immediate non-GSS rekey straight
after userauth (reusing the code path we also use to turn on OpenSSH
delayed encryption without the race condition).
2018-04-26 07:21:16 +01:00
Jacob Nevins
ce7c18f600 Paste-controls: make the help topic names match.
Ahem.
2018-03-29 23:24:15 +01:00
Jacob Nevins
c67389e1fb Document 'Permit control characters in pasted text'
And the consequent GUI rearrangements.
2018-03-24 15:35:46 +00:00
Simon Tatham
0e7f0883a9 Add GUI configuration for choice of clipboards.
On all platforms, you can now configure which clipboard the mouse
pastes from, which clipboard Ctrl-Ins and Shift-Ins access, and which
Ctrl-Shift-C and Ctrl-Shift-V access. In each case, the options are:

 - nothing at all
 - a clipboard which is implicitly written by the act of mouse
   selection (the PRIMARY selection on X, CLIP_LOCAL everywhere else)
 - the standard clipboard written by explicit copy/paste UI actions
   (CLIPBOARD on X, the unique system clipboard elsewhere).

Also, you can control whether selecting text with the mouse _also_
writes to the explicitly accessed clipboard.

The wording of the various messages changes between platforms, but the
basic UI shape is the same everywhere.
2017-12-17 17:02:56 +00:00
Simon Tatham
2f9738a282 Make terminal true-colour mode configurable.
I know some users don't like any colour _at all_, and we have a
separate option to turn off xterm-style 256-colour sequences, so it
seems remiss not to have an option to disable true colour as well.
2017-10-05 21:04:23 +01:00
Jacob Nevins
33f4c8303f Document proxy logging control.
(This was added in 7c65b9c57.)
2017-02-11 23:30:52 +00:00
Simon Tatham
fa91b55eec Make ESC[3J (clear scrollback) a disableable escape sequence.
A user complained that it was being done nonconsensually, and it seems
reasonable that the user should have the choice to prevent it.
2016-11-17 20:25:27 +00:00
Simon Tatham
d06098622c Configurable preference list for SSH host key types.
Now we actually have enough of them to worry about, and especially
since some of the types we support are approved by organisations that
people might make their own decisions about whether to trust, it seems
worth having a config list for host keys the same way we have one for
kex types and ciphers.

To make room for this, I've created an SSH > Host Keys config panel,
and moved the existing host-key related configuration (manually
specified fingerprints) into there from the Kex panel.
2016-03-25 16:32:17 +00:00
Simon Tatham
62a1bce7cb Support RFC 4419.
PuTTY now uses the updated version of Diffie-Hellman group exchange,
except for a few old OpenSSH versions which Darren Tucker reports only
support the old version.

FIXME: this needs further work because the Bugs config panel has now
overflowed.
2015-04-25 10:54:18 +01:00
Simon Tatham
70ab076d83 New option to manually configure the expected host key(s).
This option is available from the command line as '-hostkey', and is
also configurable through the GUI. When enabled, it completely
replaces all of the automated host key management: the server's host
key will be checked against the manually configured list, and the
connection will be allowed or disconnected on that basis, and the host
key store in the registry will not be either consulted or updated.

The main aim is to provide a means of automatically running Plink,
PSCP or PSFTP deep inside Windows services where HKEY_CURRENT_USER
isn't available to have stored the right host key in. But it also
permits you to specify a list of multiple host keys, which means a
second use case for the same mechanism will probably be round-robin
DNS names that select one of several servers with different host keys.

Host keys can be specified as the standard MD5 fingerprint or as an
SSH-2 base64 blob, and are canonicalised on input. (The base64 blob is
more unwieldy, especially with Windows command-line length limits, but
provides a means of specifying the _whole_ public key in case you
don't trust MD5. I haven't bothered to provide an analogous mechanism
for SSH-1, on the basis that anyone worrying about MD5 should have
stopped using SSH-1 already!)

[originally from svn r10220]
2014-09-09 11:46:24 +00:00
Simon Tatham
aaaf70a0fc Implement this year's consensus on CHANNEL_FAILURE vs CHANNEL_CLOSE.
We now expect that after the server has sent us CHANNEL_CLOSE, we
should not expect to see any replies to our outstanding channel
requests, and conversely after we have sent CHANNEL_CLOSE we avoid
sending any reply to channel requests from the server. This was the
consensus among implementors discussing the problem on ietf-ssh in
April 2014.

To cope with current OpenSSH's (and perhaps other servers we don't
know about yet) willingness to send request replies after
CHANNEL_CLOSE, I introduce a bug-compatibility flag which is detected
for every OpenSSH version up to and including the current 6.6 - but
not beyond, since https://bugzilla.mindrot.org/show_bug.cgi?id=1818
promises that 6.7 will also implement the new consensus behaviour.

[originally from svn r10200]
2014-07-06 14:05:39 +00:00
Jacob Nevins
98eb785c9b Fix up the Windows help context stuff for the new connection sharing controls.
[originally from svn r10088]
2013-11-18 22:34:57 +00:00
Simon Tatham
bb78583ad2 Implement connection sharing between instances of PuTTY.
The basic strategy is described at the top of the new source file
sshshare.c. In very brief: an 'upstream' PuTTY opens a Unix-domain
socket or Windows named pipe, and listens for connections from other
PuTTYs wanting to run sessions on the same server. The protocol spoken
down that socket/pipe is essentially the bare ssh-connection protocol,
using a trivial binary packet protocol with no encryption, and the
upstream has to do some fiddly transformations that I've been
referring to as 'channel-number NAT' to avoid resource clashes between
the sessions it's managing.

This is quite different from OpenSSH's approach of using the Unix-
domain socket as a means of passing file descriptors around; the main
reason for that is that fd-passing is Unix-specific but this system
has to work on Windows too. However, there are additional advantages,
such as making it easy for each downstream PuTTY to run its own
independent set of port and X11 forwardings (though the method for
making the latter work is quite painful).

Sharing is off by default, but configuration is intended to be very
easy in the normal case - just tick one box in the SSH config panel
and everything else happens automatically.

[originally from svn r10083]
2013-11-17 14:05:41 +00:00
Simon Tatham
71f0c7546d Add a bug-compatibility flag to disable the
winadj@putty.projects.tartarus.org request. Not currently enabled
automatically, but should be usable as a manual workaround.

[originally from svn r9592]
2012-07-28 19:30:12 +00:00
Jacob Nevins
af1060856e Add an option to disable SSH-2 banners.
[originally from svn r9055]
2010-12-27 01:19:13 +00:00
Simon Tatham
406e62f77b Cleanups of the GSSAPI support. On Windows, standard GSS libraries
are now loaded from standard locations (system32 for SSPI, the
registry-stored MIT KfW install location for KfW) rather than using
the risky default DLL search path; I've therefore also added an
option to manually specify a GSS DLL we haven't heard of (which
should in principle Just Work provided it supports proper GSS-API as
specified in the RFC). The same option exists on Unix too, because
it seemed like too useful an idea to reserve to Windows. In
addition, GSSAPI is now documented, and also (unfortunately) its GUI
configuration has been moved out into a sub-subpanel on the grounds
that it was too big to fit in Auth.

[originally from svn r9003]
2010-09-25 07:16:56 +00:00
Simon Tatham
ae5f3711f6 Bah, missed out a tiny but build-breaking part of r8926.
[originally from svn r8927]
[r8926 == d5aa23c116]
2010-04-24 07:14:29 +00:00
Jacob Nevins
dc896b79af New option to allow use of the local OS username for login to the remote side
if we have no better ideas, with UI shamelessly stolen from Quest PuTTY.

Off by default, which effectively reverts the change to using the local
username by default that came in with GSSAPI support in r8138. Anyone wanting
seamless single sign-on will need to set the new option. (The previous
default behaviour was getting in the way in ad-hoc scenarios.)

Note that the PSCP and Unix-Plink behaviour of using the local username by
default have remained unchanged throughout; they are not affected by the new
option. Not sure if that's the Right Thing.

[originally from svn r8324]
[r8138 == de5dd9d65c]
2008-11-24 17:51:42 +00:00
Simon Tatham
ca6fc3a4da Revamp of the local X11 connection code. We now parse X display
strings more rigorously, and then we look up the local X authority
data in .Xauthority _ourself_ rather than delegating to an external
xauth program. This is (negligibly) more efficient on Unix, assuming
I haven't got it wrong in some subtle way, but its major benefit is
that we can now support X authority lookups on Windows as well
provided the user points us at an appropriate X authority file in
the standard format. A new Windows-specific config option has been
added for this purpose.

[originally from svn r8305]
2008-11-17 18:38:09 +00:00
Simon Tatham
e81a8cf795 Been meaning to do this for years: introduce a configuration option
to manually tweak the host name and port number under which the SSH
host key is read and written.

I've put it in the cross-platform Connection panel. Partly under the
flimsy pretext that other backends _can_ use it if they so wish (and
in fact it overrides the host name for title-bar purposes in all
network backends, though it has no other effect in anything but
SSH); but mostly because the SSH panel was too full already :-)

[originally from svn r8033]
2008-06-01 11:16:32 +00:00
Simon Tatham
9024621b91 r7804 neglected to add a help context #define to winhelp.h.
[originally from svn r7815]
[r7804 == 1940b37ff0]
2007-12-15 10:41:40 +00:00
Ben Harris
8659f5145f "CR implies LF" patch, based on one from Paul Coldrey.
[originally from svn r7669]
2007-08-04 19:16:46 +00:00
Simon Tatham
1dac1bc911 Initial support for HTML Help. All the ad-hoc help-file finding code
and various calls to WinHelp() have been centralised into a new file
winhelp.c, which in turn has been modified to detect a .CHM file as
well as .HLP and select between them as appropriate. It explicitly
tries to load HHCTRL.OCX and use GetProcAddress, meaning that it
_should_ still work correctly on pre-HTML-Help platforms, falling
gracefully back to WinHelp, but although I tested this by
temporarily renaming my own HHCTRL.OCX I haven't yet been able to
test it on a real HTML-Help-free platform.

Also in this checkin: a new .but file and docs makefile changes to
make it convenient to build the sources for a .CHM. As yet, owing to
limitations of Halibut's CHM support, I'm not able to write a .CHM
directly, more's the pity.

[originally from svn r7000]
2006-12-17 11:16:07 +00:00
Simon Tatham
34f747421d Support for Windows PuTTY connecting straight to a local serial port
in place of making a network connection. This has involved a couple
of minor infrastructure changes:
 - New dlg_label_change() function in the dialog.h interface, which
   alters the label on a control. Only used, at present, to switch
   the Host Name and Port boxes into Serial Line and Speed, which
   means that any platform not implementing serial connections (i.e.
   currently all but Windows) does not need to actually do anything
   in this function. Yet.
 - New small piece of infrastructure: cfg_launchable() determines
   whether a Config structure describes a session ready to be
   launched. This was previously determined by seeing if it had a
   non-empty host name, but it has to check the serial line as well
   so there's a centralised function for it. I haven't gone through
   all front ends and arranged for this function to be used
   everywhere it needs to be; so far I've only checked Windows.
 - Similarly, cfg_dest() returns the destination of a connection
   (host name or serial line) in a text format suitable for putting
   into messages such as `Unable to connect to %s'.

[originally from svn r6815]
2006-08-28 10:35:12 +00:00
Simon Tatham
c2b2d9c539 Introduce a new checkbox and command-line option to inhibit use of
Pageant for local authentication. (This is a `don't use Pageant for
authentication at session startup' button rather than a `pretend
Pageant doesn't exist' button: that is, agent forwarding is
independent of this option.)

[originally from svn r6572]
2006-02-19 12:05:12 +00:00
Jacob Nevins
b099456c87 Implement `bypass-ssh2-userauth', since from correspondence it sounds like
there are servers which could in principle operate in this mode, although I
don't know if any do in practice. (Hence, I haven't been able to test it.)

[originally from svn r5748]
[this svn revision also touched putty-wishlist]
2005-05-05 22:37:54 +00:00
Jacob Nevins
fb581ac625 First crack at `terminal-modes' in SSH. PuTTY now sends ERASE by default,
Unix Plink sends everything sensible it can find, and it's fully configurable
from the GUI.

I'm not entirely sure about the precise set of modes that Unix Plink should
look at; informed tweaks are welcome.

Also the Mac bits are guesses (but trivial).

[originally from svn r5653]
[this svn revision also touched putty-wishlist]
2005-04-21 13:57:08 +00:00
Jacob Nevins
faf59c78be Add an option to use wcwidth_cjk() instead of wcwidth(), as several people
have asked for it.

[originally from svn r5542]
2005-03-22 23:20:23 +00:00
Jacob Nevins
36fc6c0a76 Try to make our PGP signing more useful:
* All the PuTTY tools for Windows and Unix now contain the fingerprints of
   the Master Keys. The method for accessing them is crude but universal:
   a new "-pgpfp" command-line option. (Except Unix PuTTYgen, which takes
   "--pgpfp" just to be awkward.)

 * Move the key policy discussion from putty-website/keys.html to
   putty/doc/pgpkeys.but, and autogenerate the former from the latter.
   Also tweak the text somewhat and include the fingerprints of the
   Master Keys themselves.
   (I've merged the existing autogeneration scripts into a single new
   one; I've left the old scripts and keys.html around until such time
   as the webmonster reviews the changes and plumbs in the new script;
   he should remove the old files then.)

[originally from svn r5524]
[this svn revision also touched putty-website]
2005-03-19 02:26:58 +00:00
Jacob Nevins
a2b583f137 Add context help to a couple of message boxes. Unfortunately the ones
I wanted to get to -- "software caused connection abort" and friends --
are going to be more involved (probably requiring some cross-platform
notion of help contexts), and these ones hardly seem worth the effort.
Still, I've done it now.

Side-effect: Pageant now uses the same `hinst' and `hwnd' globals as
everything else. Tested basic functionality.

[originally from svn r5417]
2005-03-01 01:16:57 +00:00
Jacob Nevins
182a511ec3 Move the MessageBox-with-help function out into winutils.c, although it's
still only used for the host key popups. Side-effects:
 - requested_help is a winstuff.h global
 - Pageant now defines winstuff.h globals

(Also, my previous fix to my improved host-key dialogs only got the "changed"
case, not the "unknown" case. Some days I shouldn't be let near a keyboard.)

[originally from svn r5415]
2005-03-01 00:00:09 +00:00
Jacob Nevins
99122767f5 The Windows host key dialogs now have a `Help' button that should give
appropriate context help, iff the help file is present. (Shame it's prey to
`winhelp-crash'.)

(I've perpetrated a widening of visibility of `hwnd'; the alternative, putting
it into a frontend handle, seemed too likely to cause maintenance trouble if
we don't also _use_ that frontend handle everywhere we now use the global
`hwnd'.)

[originally from svn r5309]
2005-02-15 22:23:47 +00:00
Simon Tatham
e7b53c3ad5 Servers announcing themselves as `Sun_SSH_1.0' apparently cannot
deal with rekeys at all: they totally ignore mid-session KEXINIT
sent by the client. Hence, a new bug entry so we don't try it.

[originally from svn r5092]
2005-01-11 10:37:55 +00:00
Simon Tatham
6daf6faede Integrate unfix.org's IPv6 patches up to level 10, with rather a lot
of polishing to bring them to what I think should in principle be
release quality. Unlike the unfix.org patches themselves, this
checkin enables IPv6 by default; if you want to leave it out, you
have to build with COMPAT=-DNO_IPV6.

I have tested that this compiles on Visual C 7 (so the nightlies
_should_ acquire IPv6 support without missing a beat), but since I
don't have IPv6 set up myself I haven't actually tested that it
_works_. It still seems to make correct IPv4 connections, but that's
all I've been able to verify for myself. Further testing is needed.

[originally from svn r5047]
[this svn revision also touched putty-wishlist]
2004-12-30 16:45:11 +00:00
Jacob Nevins
30896d650e Basic configurability for client-initiated rekeys.
[originally from svn r5027]
2004-12-24 13:39:32 +00:00
Jacob Nevins
3c98d6e60d Add a preference list for SSH-2 key exchange algorithms, on a new "Kex" panel
(which will gain more content anon).

Retire BUG_SSH2_DH_GEX and add a backwards-compatibility wart, since we never
did find a way of automatically detecting this alleged server bug, and in any
case there was only ever one report (<3D91F3B5.7030309@inwind.it>, FWIW).

Also generalise askcipher() to a new askalg() (thus touching all the
front-ends).

I've made some attempt to document what SSH key exchange is and why you care,
but it could use some review for clarity (and outright lies).

[originally from svn r5022]
2004-12-23 02:24:07 +00:00
Jacob Nevins
a2e01a5604 Abe Crabtree complains that flushing the log file as often as we do in 0.56
results in unacceptable performance for him on Win2000. Add a checkbox to
revert to the old behaviour.

[originally from svn r4988]
[this svn revision also touched putty-wishlist]
2004-12-16 15:22:36 +00:00
Simon Tatham
e4e10e494b Implement xterm 256-colour mode.
[originally from svn r4917]
[this svn revision also touched putty-wishlist]
2004-11-28 15:13:34 +00:00
Simon Tatham
cb45b9cc25 Now that we have Subversion's file renaming ability, it's time at
long last to move all the Windows-specific source files down into a
`windows' subdirectory. Only platform-specific files remain at the
top level. With any luck this will act as a hint to anyone still
contemplating sending us a Windows-centric patch...

[originally from svn r4792]
2004-11-16 22:14:56 +00:00