mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 01:18:00 +00:00
8c534c26fd
To try to prime readers learning the often-seen "unknown host key" warning to recognise the rarer and scarier "wrong host key" warning, if they see it.
188 lines
8.9 KiB
Plaintext
188 lines
8.9 KiB
Plaintext
\C{gs} Getting started with PuTTY
|
|
|
|
This chapter gives a quick guide to the simplest types of
|
|
interactive login session using PuTTY.
|
|
|
|
\H{gs-insecure} \ii{Starting a session}
|
|
|
|
When you start PuTTY, you will see a \i{dialog box}. This dialog box
|
|
allows you to control everything PuTTY can do. See \k{config} for
|
|
details of all the things you can control.
|
|
|
|
You don't usually need to change most of the configuration options.
|
|
To start the simplest kind of session, all you need to do is to
|
|
enter a few basic parameters.
|
|
|
|
In the \q{Host Name} box, enter the Internet \i{host name} of the server
|
|
you want to connect to. You should have been told this by the
|
|
provider of your login account.
|
|
|
|
Now select a login \i{protocol} to use, from the \q{Connection type}
|
|
controls. For a login session, you should select \i{SSH}, \i{Telnet},
|
|
\i{Rlogin}, or \i{SUPDUP}. See \k{which-one} for a description of the
|
|
differences between these protocols, and advice on which one to
|
|
use. The \I{raw protocol}\e{Raw} protocol is not used for interactive
|
|
login sessions; you would usually use this for debugging other Internet
|
|
services (see \k{using-rawprot}). The \e{Serial} option is used for
|
|
connecting to a local serial line, and works somewhat differently:
|
|
see \k{using-serial} for more information on this.
|
|
\#{FIXME: describe bare ssh-connection}
|
|
|
|
When you change the selected protocol, the number in the \q{Port}
|
|
box will change. This is normal: it happens because the various
|
|
login services are usually provided on different network ports by
|
|
the server machine. Most servers will use the standard port numbers,
|
|
so you will not need to change the port setting. If your server
|
|
provides login services on a non-standard port, your system
|
|
administrator should have told you which one. (For example, many
|
|
\i{MUDs} run Telnet service on a port other than 23.)
|
|
|
|
Once you have filled in the \q{Host Name}, \q{Connection type}, and
|
|
possibly \q{Port} settings, you are ready to connect. Press the
|
|
\q{Open} button at the bottom of the dialog box, and PuTTY will
|
|
begin trying to connect you to the server.
|
|
|
|
\H{gs-hostkey} \ii{Verifying the host key} (SSH only)
|
|
|
|
If you are not using the \i{SSH} protocol, you can skip this
|
|
section.
|
|
|
|
If you are using SSH to connect to a server for the first time, you
|
|
will probably see a message looking something like this:
|
|
|
|
\c The host key is not cached for this server:
|
|
\c ssh.example.com (port 22)
|
|
\c You have no guarantee that the server is the computer you think it is.
|
|
\c The server's ssh-ed25519 key fingerprint is:
|
|
\c ssh-ed25519 255 SHA256:TddlQk20DVs4LRcAsIfDN9pInKpY06D+h4kSHwWAj4w
|
|
\c If you trust this host, press "Accept" to add the key to PuTTY's
|
|
\c cache and carry on connecting.
|
|
\c If you want to carry on connecting just once, without adding the key
|
|
\c to the cache, press "Connect Once".
|
|
\c If you do not trust this host, press "Cancel" to abandon the connection.
|
|
|
|
This is a feature of the SSH protocol. It is designed to protect you
|
|
against a network attack known as \i\e{spoofing}: secretly
|
|
redirecting your connection to a different computer, so that you
|
|
send your password to the wrong machine. Using this technique, an
|
|
attacker would be able to learn the password that guards your login
|
|
account, and could then log in as if they were you and use the
|
|
account for their own purposes.
|
|
|
|
To prevent this attack, each server has a unique identifying code,
|
|
called a \e{host key}. These keys are created in a way that prevents
|
|
one server from forging another server's key. So if you connect to a
|
|
server and it sends you a different host key from the one you were
|
|
expecting, PuTTY can warn you that the server may have been switched
|
|
and that a spoofing attack might be in progress.
|
|
|
|
PuTTY \I{host key cache}records the host key for each server you
|
|
connect to, in the Windows \i{Registry}. Every time you connect to a
|
|
server, it checks that the host key presented by the server is the
|
|
same host key as it was the last time you connected. If it is not,
|
|
you will see a stronger warning, and you will have the chance to
|
|
abandon your connection before you type any private information (such
|
|
as a password) into it. (See \k{errors-hostkey-wrong} for what that
|
|
looks like.)
|
|
|
|
However, when you connect to a server you have not connected to
|
|
before, PuTTY has no way of telling whether the host key is the
|
|
right one or not. So it gives the warning shown above, and asks you
|
|
whether you want to \I{trusting host keys}trust this host key or
|
|
not.
|
|
|
|
Whether or not to trust the host key is your choice. If you are
|
|
connecting within a company network, you might feel that all the
|
|
network users are on the same side and spoofing attacks are
|
|
unlikely, so you might choose to trust the key without checking it.
|
|
If you are connecting across a hostile network (such as the
|
|
Internet), you should check with your system administrator, perhaps
|
|
by telephone or in person. (When verifying the fingerprint, be careful
|
|
with letters and numbers that can be confused with each other:
|
|
\c{0}/\c{O}, \c{1}/\c{I}/\c{l}, and so on.)
|
|
|
|
Many servers have more than one host key. If the system administrator
|
|
sends you more than one \I{host key fingerprint}fingerprint, you should
|
|
make sure the one PuTTY shows you is on the list, but it doesn't matter
|
|
which one it is.
|
|
|
|
If you don't have any fingerprints that look like the example
|
|
(\I{SHA256 fingerprint}\c{SHA256:} followed by a long string of
|
|
characters), but instead have pairs of characters separated by colons
|
|
like \c{a4:db:96:a7:...}, try pressing the \q{More info...} button and
|
|
see if you have a fingerprint matching the \q{\i{MD5 fingerprint}}
|
|
there. This is an older and less secure way to summarise the same
|
|
underlying host key; it's possible for an attacker to create their
|
|
own host key with the same fingerprint; so you should avoid relying on
|
|
this fingerprint format unless you have no choice. The
|
|
\q{More info...} dialog box also shows the full host public key, in
|
|
case that is easier to compare than a fingerprint.
|
|
|
|
See \k{config-ssh-hostkey} for advanced options for managing host keys.
|
|
|
|
\# FIXME: this is all very fine but of course in practice the world
|
|
doesn't work that way. Ask the team if they have any good ideas for
|
|
changes to this section!
|
|
|
|
\H{gs-login} \ii{Logging in}
|
|
|
|
After you have connected, and perhaps verified the server's host
|
|
key, you will be asked to log in, probably using a \i{username} and
|
|
a \i{password}. Your system administrator should have provided you
|
|
with these. (If, instead, your system administrator has asked you to
|
|
provide, or provided you with, a \q{public key} or \q{key file}, see
|
|
\k{pubkey}.)
|
|
|
|
PuTTY will display a text window (the \q{\i{terminal window}} \dash it
|
|
will have a black background unless you've changed the defaults), and
|
|
prompt you to type your username and password into that window. (These
|
|
prompts will include the \i{PuTTY icon}, to distinguish them from any
|
|
text sent by the server in the same window.)
|
|
|
|
Enter the username and the password, and the server should grant you
|
|
access and begin your session. If you have
|
|
\I{mistyping a password}mistyped your password, most servers will give
|
|
you several chances to get it right.
|
|
|
|
While you are typing your password, you will not usually see the
|
|
cursor moving in the window, but PuTTY \e{is} registering what you
|
|
type, and will send it when you press Return. (It works this way to
|
|
avoid revealing the length of your password to anyone watching your
|
|
screen.)
|
|
|
|
If you are using SSH, be careful not to type your username wrongly,
|
|
because you will not have a chance to correct it after you press
|
|
Return; many SSH servers do not permit you to make two login attempts
|
|
using \i{different usernames}. If you type your username wrongly, you
|
|
must close PuTTY and start again.
|
|
|
|
If your password is refused but you are sure you have typed it
|
|
correctly, check that Caps Lock is not enabled. Many login servers,
|
|
particularly Unix computers, treat upper case and lower case as
|
|
different when checking your password; so if Caps Lock is on, your
|
|
password will probably be refused.
|
|
|
|
\H{gs-session} After logging in
|
|
|
|
After you log in to the server, what happens next is up to the
|
|
server! Most servers will print some sort of login message and then
|
|
present a \i{prompt}, at which you can type
|
|
\I{commands on the server}commands which the
|
|
server will carry out. Some servers will offer you on-line help;
|
|
others might not. If you are in doubt about what to do next, consult
|
|
your system administrator.
|
|
|
|
\H{gs-logout} \ii{Logging out}
|
|
|
|
When you have finished your session, you should log out by typing
|
|
the server's own logout command. This might vary between servers; if
|
|
in doubt, try \c{logout} or \c{exit}, or consult a manual or your
|
|
system administrator. When the server processes your logout command,
|
|
the PuTTY window should close itself automatically.
|
|
|
|
You \e{can} close a PuTTY session using the \i{Close button} in the
|
|
window border, but this might confuse the server - a bit like
|
|
hanging up a telephone unexpectedly in the middle of a conversation.
|
|
We recommend you do not do this unless the server has stopped
|
|
responding to you and you cannot close the window any other way.
|