The aim is to try to reduce the incidence of the two least helpful
classes of those reports: the ones which have just got mismatched
checksum files, and the ones which don't tell us the information that
would help.
(cherry picked from commit 8ff3b22243)
What should have been links to the old DSA keys were actually a second
copy of the links to the old RSA ones. Ahem.
(cherry picked from commit b62af0f40a)
This gives pride of place to the new set of keys we've recently
generated, and relegates the old ones to an afterthought.
(cherry picked from commit bb68baf53b)
Users have requested this from time to time, for distinguishing log
file names when there's more than one SSH server running on different
ports of the same host. Since we do take account of that possibility
in other areas (e.g. we cache host keys indexed by (host,port) rather
than just host), it doesn't seem unreasonable to do so here too.
(cherry picked from commit 0550943b51)
The validation end of XDM-AUTHORIZATION-1 needs to check that two
time_t values differ by at most XDM_MAXSKEW, which it was doing by
subtracting them and passing the result to abs(). This provoked a
warning from OS X's clang, on the reasonable enough basis that the
value passed to abs was unsigned.
Fixed by using the (well defined) unsigned arithmetic wraparound: to
check that the mathematical difference of two unsigned numbers is in
the interval [-k,+k], compute their difference _plus k_ as an
unsigned, and check the result is in the interval [0,2k] by doing an
unsigned comparison against 2k.
The aim is to try to reduce the incidence of the two least helpful
classes of those reports: the ones which have just got mismatched
checksum files, and the ones which don't tell us the information that
would help.
Users have requested this from time to time, for distinguishing log
file names when there's more than one SSH server running on different
ports of the same host. Since we do take account of that possibility
in other areas (e.g. we cache host keys indexed by (host,port) rather
than just host), it doesn't seem unreasonable to do so here too.
PuTTY now uses the updated version of Diffie-Hellman group exchange,
except for a few old OpenSSH versions which Darren Tucker reports only
support the old version.
FIXME: this needs further work because the Bugs config panel has now
overflowed.
(cherry picked from commit 62a1bce7cb)
PuTTY now uses the updated version of Diffie-Hellman group exchange,
except for a few old OpenSSH versions which Darren Tucker reports only
support the old version.
FIXME: this needs further work because the Bugs config panel has now
overflowed.
It would be rare to have a host keypair in .ppk format or on a client
machine to load into PuTTYgen, and it might confuse people into thinking
they are required to do so.
I don't think anyone has ever actually called it that, colloquially
_or_ formally, and if anyone ever did (in a bug report, say) I'd
probably have to stop and think to work out what they meant. It's
universally called Plink, and should be officially so as well :-)
I've shifted away from using the SVN revision number as a monotonic
version identifier (replacing it in the Windows version resource with
a count of days since an arbitrary epoch), and I've removed all uses
of SVN keyword expansion (replacing them with version information
written out by Buildscr).
While I'm at it, I've done a major rewrite of the affected code which
centralises all the computation of the assorted version numbers and
strings into Buildscr, so that they're all more or less alongside each
other rather than scattered across multiple source files.
I've also retired the MD5-based manifest file system. A long time ago,
it seemed like a good idea to arrange that binaries of PuTTY would
automatically cease to identify themselves as a particular upstream
version number if any changes were made to the source code, so that if
someone made a local tweak and distributed the result then I wouldn't
get blamed for the results. Since then I've decided the whole idea is
more trouble than it's worth, so now distribution tarballs will have
version information baked in and people can just cope with that.
[originally from svn r10262]
This option is available from the command line as '-hostkey', and is
also configurable through the GUI. When enabled, it completely
replaces all of the automated host key management: the server's host
key will be checked against the manually configured list, and the
connection will be allowed or disconnected on that basis, and the host
key store in the registry will not be either consulted or updated.
The main aim is to provide a means of automatically running Plink,
PSCP or PSFTP deep inside Windows services where HKEY_CURRENT_USER
isn't available to have stored the right host key in. But it also
permits you to specify a list of multiple host keys, which means a
second use case for the same mechanism will probably be round-robin
DNS names that select one of several servers with different host keys.
Host keys can be specified as the standard MD5 fingerprint or as an
SSH-2 base64 blob, and are canonicalised on input. (The base64 blob is
more unwieldy, especially with Windows command-line length limits, but
provides a means of specifying the _whole_ public key in case you
don't trust MD5. I haven't bothered to provide an analogous mechanism
for SSH-1, on the basis that anyone worrying about MD5 should have
stopped using SSH-1 already!)
[originally from svn r10220]
We now expect that after the server has sent us CHANNEL_CLOSE, we
should not expect to see any replies to our outstanding channel
requests, and conversely after we have sent CHANNEL_CLOSE we avoid
sending any reply to channel requests from the server. This was the
consensus among implementors discussing the problem on ietf-ssh in
April 2014.
To cope with current OpenSSH's (and perhaps other servers we don't
know about yet) willingness to send request replies after
CHANNEL_CLOSE, I introduce a bug-compatibility flag which is detected
for every OpenSSH version up to and including the current 6.6 - but
not beyond, since https://bugzilla.mindrot.org/show_bug.cgi?id=1818
promises that 6.7 will also implement the new consensus behaviour.
[originally from svn r10200]
questionnaires in unfriendly formats like Excel, apparently in the
mistaken belief that we have some kind of incentive to answer them. I
hope I've managed to identify the key reason why they make this
mistake.
[originally from svn r10156]
The basic strategy is described at the top of the new source file
sshshare.c. In very brief: an 'upstream' PuTTY opens a Unix-domain
socket or Windows named pipe, and listens for connections from other
PuTTYs wanting to run sessions on the same server. The protocol spoken
down that socket/pipe is essentially the bare ssh-connection protocol,
using a trivial binary packet protocol with no encryption, and the
upstream has to do some fiddly transformations that I've been
referring to as 'channel-number NAT' to avoid resource clashes between
the sessions it's managing.
This is quite different from OpenSSH's approach of using the Unix-
domain socket as a means of passing file descriptors around; the main
reason for that is that fd-passing is Unix-specific but this system
has to work on Windows too. However, there are additional advantages,
such as making it easy for each downstream PuTTY to run its own
independent set of port and X11 forwardings (though the method for
making the latter work is quite painful).
Sharing is off by default, but configuration is intended to be very
easy in the normal case - just tick one box in the SSH config panel
and everything else happens automatically.
[originally from svn r10083]
winadj@putty.projects.tartarus.org request. Not currently enabled
automatically, but should be usable as a manual workaround.
[originally from svn r9592]
Done in much the same way as it is in the GTK front end: the character
cell width is determined using the font's digits (which seems to give
generally not-too-offensive spacing in most cases, at the expense of
Ms and Ws typically overhanging a bit into adjacent cells) and each
character is centred in its cell. Overhangs never leave permanent
droppings on the window, because the existing work done in r5003
handles them just fine even in this stressful scenario.
There's a hacky new checkbox in the Appearance panel to make
variable-pitch fonts appear in the font selector (they still don't by
default, because I still think it's _usually_ not What You Want); the
checkbox state is not actually stored as part of a saved session, but
it should be automatically ticked when reloading a session that's got
a variable pitch font selected.
(I'm half-expecting a potential flurry of requests for this feature in
the wake of http://xkcd.com/840/ , so I thought I'd pre-empt them :-)
[originally from svn r9063]
[r5003 == ba470dec5e]
are now loaded from standard locations (system32 for SSPI, the
registry-stored MIT KfW install location for KfW) rather than using
the risky default DLL search path; I've therefore also added an
option to manually specify a GSS DLL we haven't heard of (which
should in principle Just Work provided it supports proper GSS-API as
specified in the RFC). The same option exists on Unix too, because
it seemed like too useful an idea to reserve to Windows. In
addition, GSSAPI is now documented, and also (unfortunately) its GUI
configuration has been moved out into a sub-subpanel on the grounds
that it was too big to fit in Auth.
[originally from svn r9003]
today reported an SSH2_MSG_UNIMPLEMENTED from a Cisco router which
looks as if it was triggered by SSH2_MSG_IGNORE, so I'm
experimentally putting this flag in. Currently must be manually
enabled, though if it turns out to solve the user's problem then
I'll probably add at least one version string...
[Edited commit message: actually, I also committed in error a piece
of experimental code as part of this checkin. Serve me right for not
running 'svn diff' first.]
[originally from svn r8926]
page. Define in more detail what we mean by "Windows" in the Ports section of
the FAQ.
[originally from svn r8733]
[this svn revision also touched putty-website]
if we have no better ideas, with UI shamelessly stolen from Quest PuTTY.
Off by default, which effectively reverts the change to using the local
username by default that came in with GSSAPI support in r8138. Anyone wanting
seamless single sign-on will need to set the new option. (The previous
default behaviour was getting in the way in ad-hoc scenarios.)
Note that the PSCP and Unix-Plink behaviour of using the local username by
default have remained unchanged throughout; they are not affected by the new
option. Not sure if that's the Right Thing.
[originally from svn r8324]
[r8138 == de5dd9d65c]
strings more rigorously, and then we look up the local X authority
data in .Xauthority _ourself_ rather than delegating to an external
xauth program. This is (negligibly) more efficient on Unix, assuming
I haven't got it wrong in some subtle way, but its major benefit is
that we can now support X authority lookups on Windows as well
provided the user points us at an appropriate X authority file in
the standard format. A new Windows-specific config option has been
added for this purpose.
[originally from svn r8305]
on received data. Experiment and suggestion suggest that the character set
configuration applies equally to keystrokes sent to the server, or at least
that that's close enough to being true that we should document it as a first
approximation.
[originally from svn r8209]
Attempts at damage limitation from the name similarity with pterm.
Also try to refresh the ports section of the FAQ a bit.
[originally from svn r8139]
[this svn revision also touched putty-website]
to manually tweak the host name and port number under which the SSH
host key is read and written.
I've put it in the cross-platform Connection panel. Partly under the
flimsy pretext that other backends _can_ use it if they so wish (and
in fact it overrides the host name for title-bar purposes in all
network backends, though it has no other effect in anything but
SSH); but mostly because the SSH panel was too full already :-)
[originally from svn r8033]
advertise so that the server can't exceed our maximum packet size.
Enable it for "1.36_sshlib GlobalSCAPE" which apparently sends oversize
packets otherwise.
[originally from svn r7804]
know how I'd go about retrieving money from them any more because my
last exchange transaction went through a company who subsequently
turned out to be dodgy; and a user points out that e-gold is in
legal trouble, which suggests that avoiding it is probably wise.
[originally from svn r7604]
We now have an option where a remote window title query returns a well-formed
response containing the empty string. This should keep stop any server-side
application that was expecting a response from hanging, while not permitting
the response to be influenced by an attacker.
We also retain the ability to stay schtum. The existing checkbox has thus
grown into a set of radio buttons.
I've changed the default to the "empty string" response, even in the backward-
compatibility mode of loading old settings, which is a change in behaviour;
any users who want the old behaviour back will have to explicitly select it. I
think this is probably the Right Thing. (The only drawback I can think of is
that an attacker could still potentially use the relevant fixed strings for
mischief, but we already have other, similar reports.)
[originally from svn r7043]
and various calls to WinHelp() have been centralised into a new file
winhelp.c, which in turn has been modified to detect a .CHM file as
well as .HLP and select between them as appropriate. It explicitly
tries to load HHCTRL.OCX and use GetProcAddress, meaning that it
_should_ still work correctly on pre-HTML-Help platforms, falling
gracefully back to WinHelp, but although I tested this by
temporarily renaming my own HHCTRL.OCX I haven't yet been able to
test it on a real HTML-Help-free platform.
Also in this checkin: a new .but file and docs makefile changes to
make it convenient to build the sources for a .CHM. As yet, owing to
limitations of Halibut's CHM support, I'm not able to write a .CHM
directly, more's the pity.
[originally from svn r7000]
to comp.security.ssh, posting queries that are clearly about PuTTY to
newsgroups without actually mentioning PuTTY, and so on. They may have been
directed there by this document :( Add a futile attempt to instil a sense of
etiquette.
[originally from svn r6895]
BUG_NEEDS_SSH1_PLAIN_PASSWORD do exactly what it says on the tin, independent
of whether BUG_CHOKES_ON_SSH1_IGNORE is set.
This is invisible in the default configuration, as all servers marked as having
the second bug have the first one too, but it would allow one to manually
configure PuTTY to cope with a SSH-1 server that got upset by ignore messages
during authentication, but was fine with their use as keepalives.
[originally from svn r6876]
- changes to Logging panel
- breaks in serial backend
(Plus, completely unrelated, an index term entry related to port forwarding
which seems to have been sitting around for ages, possibly waiting for me to
think about `see also' index terms in Halibut.)
[originally from svn r6836]
there): `plink host -nc host2:port' causes the SSH connection's main
channel to be replaced with a direct-tcpip connection to the
specified destination. This feature is mainly designed for use as a
local proxy: setting your local proxy command to `plink %proxyhost
-nc %host:%port' lets you tunnel SSH over SSH with a minimum of
fuss. Works on all platforms.
[originally from svn r6823]
in place of making a network connection. This has involved a couple
of minor infrastructure changes:
- New dlg_label_change() function in the dialog.h interface, which
alters the label on a control. Only used, at present, to switch
the Host Name and Port boxes into Serial Line and Speed, which
means that any platform not implementing serial connections (i.e.
currently all but Windows) does not need to actually do anything
in this function. Yet.
- New small piece of infrastructure: cfg_launchable() determines
whether a Config structure describes a session ready to be
launched. This was previously determined by seeing if it had a
non-empty host name, but it has to check the serial line as well
so there's a centralised function for it. I haven't gone through
all front ends and arranged for this function to be used
everywhere it needs to be; so far I've only checked Windows.
- Similarly, cfg_dest() returns the destination of a connection
(host name or serial line) in a text format suitable for putting
into messages such as `Unable to connect to %s'.
[originally from svn r6815]
- fix diagnostic if keyfile and '-t' both specified
- add diagnostic for generating a key but discarding the private part
- document '-q' option
[originally from svn r6750]
Pageant for local authentication. (This is a `don't use Pageant for
authentication at session startup' button rather than a `pretend
Pageant doesn't exist' button: that is, agent forwarding is
independent of this option.)
[originally from svn r6572]
that the SSH-2 server is happy with. Fixed, and since I'm here, fix
`pubkeyfile-and-pageant' as well (for SSH-1 and SSH-2).
Also, in SSH-2, we now reexamine "methods that can continue" for every
Pageant key offer, which is technically more correct although it seems
unlikely that it was causing any real problems.
(It's not entirely pretty, but neither was the old code. We could probably
do with some sort of abstraction for public/private keys to avoid carting
lots of fiddly bits of data around.)
[originally from svn r6459]
[r6437 == 8719f92c14]
[this svn revision also touched putty-wishlist]
Discourage more strongly mirrors in well-served areas in the Feedback section.
Also, duplicate that text on the Mirrors page, along with a request to tell us
the country (since lots of people still don't).
[originally from svn r6109]
[this svn revision also touched putty-website]
rationale (as mailed to him):
I think you're right. I got the pronunciation there from the second edition
of the OED and my Collins dictionary at home, both of which believe that
"pretty" is pronounced /'prItI/, but, at least to me, those two vowels are
different. Both of them think that /i/ doesn't occur in English words, the
vowel in "beat" being /i:/. The third edition of the OED, though, adds /i/
as an English vowel in its pronunciation guide, with "happy" as an example
of its use. I'll update the FAQ following your suggestion.
[originally from svn r5989]
there are servers which could in principle operate in this mode, although I
don't know if any do in practice. (Hence, I haven't been able to test it.)
[originally from svn r5748]
[this svn revision also touched putty-wishlist]
SOCKS5 should always be able to do this, and I suspect our not doing so
dates from when the SOCKS proxy types were under a single configuration
option (pre-r3168).
[originally from svn r5654]
Unix Plink sends everything sensible it can find, and it's fully configurable
from the GUI.
I'm not entirely sure about the precise set of modes that Unix Plink should
look at; informed tweaks are welcome.
Also the Mac bits are guesses (but trivial).
[originally from svn r5653]
[this svn revision also touched putty-wishlist]
