PuTTY User Manual
- PuTTY User Manual
- Introduction to PuTTY
- Getting started with PuTTY
- Using PuTTY
- During your session
- Creating a log file of your session
- Altering your character set configuration
- Using X11 forwarding in SSH
- Using port forwarding in SSH
- Making raw TCP connections
- Connecting to a local serial line
- The PuTTY command line
- Starting a session from the command line
- -cleanup
- Standard command-line options
- -load: load a saved session
- Selecting a protocol: -ssh, -telnet, -rlogin, -raw -serial
- -v: increase verbosity
- -l: specify a login name
- -L, -R and -D: set up port forwardings
- -m: read a remote command or script from a file
- -P: specify a port number
- -pw: specify a password
- -agent and -noagent: control use of Pageant for authentication
- -A and -a: control agent forwarding
- -X and -x: control X11 forwarding
- -t and -T: control pseudo-terminal allocation
- -N: suppress starting a shell or command
- -nc: make a remote network connection in place of a remote shell or command
- -C: enable compression
- -1 and -2: specify an SSH protocol version
- -4 and -6: specify an Internet protocol version
- -i: specify an SSH private key
- -loghost: specify a logical host name
- -hostkey: manually specify an expected host key
- -pgpfp: display PGP key fingerprints
- -sercfg: specify serial port configuration
- -sessionlog, -sshlog, -sshrawlog: specify session logging
- -proxycmd: specify a local proxy command
- -restrict-acl: restrict the Windows process ACL
- Configuring PuTTY
- The Session panel
- The Logging panel
- The Terminal panel
- The Keyboard panel
- Changing the action of the Backspace key
- Changing the action of the Home and End keys
- Changing the action of the function keys and keypad
- Controlling Application Cursor Keys mode
- Controlling Application Keypad mode
- Using NetHack keypad mode
- Enabling a DEC-like Compose key
- Control-Alt is different from AltGr
- The Bell panel
- The Features panel
- Disabling application keypad and cursor keys
- Disabling xterm-style mouse reporting
- Disabling remote terminal resizing
- Disabling switching to the alternate screen
- Disabling remote window title changing
- Response to remote window title querying
- Disabling remote scrollback clearing
- Disabling destructive backspace
- Disabling remote character set configuration
- Disabling Arabic text shaping
- Disabling bidirectional text display
- The Window panel
- The Appearance panel
- The Behaviour panel
- The Translation panel
- The Selection panel
- The Colours panel
- The Connection panel
- The Data panel
- The Proxy panel
- The Telnet panel
- The Rlogin panel
- The SSH panel
- The Kex panel
- The Host Keys panel
- The Cipher panel
- The Auth panel
- The GSSAPI panel
- The TTY panel
- The X11 panel
- The Tunnels panel
- The Bugs and More Bugs panels
- Chokes on SSH-1 ignore messages
- Refuses all SSH-1 password camouflage
- Chokes on SSH-1 RSA authentication
- Chokes on SSH-2 ignore messages
- Chokes on PuTTY's SSH-2 winadj requests
- Miscomputes SSH-2 HMAC keys
- Miscomputes SSH-2 encryption keys
- Requires padding on SSH-2 RSA signatures
- Misuses the session ID in SSH-2 PK auth
- Handles SSH-2 key re-exchange badly
- Ignores SSH-2 maximum packet size
- Replies to requests on closed channels
- Only supports pre-RFC4419 SSH-2 DH GEX
- The Serial panel
- Storing configuration in a file
- Using PSCP to transfer files securely
- Using PSFTP to transfer files securely
- Starting PSFTP
- Running PSFTP
- General quoting rules for PSFTP commands
- Wildcards in PSFTP
- The open command: start a session
- The quit command: end your session
- The close command: close your connection
- The help command: get quick online help
- The cd and pwd commands: changing the remote working directory
- The lcd and lpwd commands: changing the local working directory
- The get command: fetch a file from the server
- The put command: send a file to the server
- The mget and mput commands: fetch or send multiple files
- The reget and reput commands: resuming file transfers
- The dir command: list remote files
- The chmod command: change permissions on remote files
- The del command: delete remote files
- The mkdir command: create remote directories
- The rmdir command: remove remote directories
- The mv command: move and rename remote files
- The ! command: run a local Windows command
- Using public key authentication with PSFTP
- Using the command-line connection tool Plink
- Using public keys for SSH authentication
- Public key authentication - an introduction
- Using PuTTYgen, the PuTTY key generator
- Generating a new key
- Selecting the type of key
- Selecting the size (strength) of the key
- The Generate button
- The Key fingerprint box
- Setting a comment for your key
- Setting a passphrase for your key
- Saving your private key to a disk file
- Saving your public key to a disk file
- Public key for pasting into authorized_keys file
- Reloading a private key
- Dealing with private keys in other formats
- Getting ready for public key authentication
- Using Pageant for authentication
- Common error messages
- The server's host key is not cached in the registry
- WARNING - POTENTIAL SECURITY BREACH!
- SSH protocol version 2 required by our configuration but server only provides (old, insecure) SSH-1
- The first cipher supported by the server is ... below the configured warning threshold
- Server sent disconnect message type 2 (protocol error): "Too many authentication failures for root"
- Out of memory
- Internal error, Internal fault, Assertion failed
- Unable to use this private key file, Couldn't load private key, Key is of wrong type
- Server refused our public key or Key refused
- Access denied, Authentication refused
- No supported authentication methods available
- Incorrect CRC received on packet or Incorrect MAC received on packet
- Incoming packet was garbled on decryption
- PuTTY X11 proxy: various errors
- Network error: Software caused connection abort
- Network error: Connection reset by peer
- Network error: Connection refused
- Network error: Connection timed out
- Network error: Cannot assign requested address
- PuTTY FAQ
- Introduction
- Features supported in PuTTY
- Does PuTTY support SSH-2?
- Does PuTTY support reading OpenSSH or ssh.com SSH-2 private key files?
- Does PuTTY support SSH-1?
- Does PuTTY support local echo?
- Does PuTTY support storing settings, so I don't have to change them every time?
- Does PuTTY support storing its settings in a disk file?
- Does PuTTY support full-screen mode, like a DOS box?
- Does PuTTY have the ability to remember my password so I don't have to type it every time?
- Is there an option to turn off the annoying host key prompts?
- Will you write an SSH server for the PuTTY suite, to go with the client?
- Can PSCP or PSFTP transfer files in ASCII mode?
- Ports to other operating systems
- Embedding PuTTY in other programs
- Details of PuTTY's operation
- HOWTO questions
- What login name / password should I use?
- What commands can I type into my PuTTY terminal window?
- How can I make PuTTY start up maximised?
- How can I create a Windows shortcut to start a particular saved session directly?
- How can I start an SSH session straight from the command line?
- How do I copy and paste between PuTTY and other Windows applications?
- How do I use all PuTTY's features (public keys, proxying, cipher selection, etc.) in PSCP, PSFTP and Plink?
- How do I use PSCP.EXE? When I double-click it gives me a command prompt window which then closes instantly.
- How do I use PSCP to copy a file whose name has spaces in?
- Should I run the 32-bit or the 64-bit version?
- Troubleshooting
- Why do I see Fatal: Protocol error: Expected control record in PSCP?
- I clicked on a colour in the Colours panel, and the colour didn't change in my terminal.
- After trying to establish an SSH-2 connection, PuTTY says Out of memory and dies.
- When attempting a file transfer, either PSCP or PSFTP says Out of memory and dies.
- PSFTP transfers files much slower than PSCP.
- When I run full-colour applications, I see areas of black space where colour ought to be, or vice versa.
- When I change some terminal settings, nothing happens.
- My PuTTY sessions unexpectedly close after they are idle for a while.
- PuTTY's network connections time out too quickly when network connectivity is temporarily lost.
- When I cat a binary file, I get PuTTYPuTTYPuTTY on my command line.
- When I cat a binary file, my window title changes to a nonsense string.
- My keyboard stops working once PuTTY displays the password prompt.
- One or more function keys don't do what I expected in a server-side application.
- Why do I see Couldn't load private key from ...? Why can PuTTYgen load my key but not PuTTY?
- When I'm connected to a Red Hat Linux 8.0 system, some characters don't display properly.
- Since I upgraded to PuTTY 0.54, the scrollback has stopped working when I run screen.
- Since I upgraded Windows XP to Service Pack 2, I can't use addresses like 127.0.0.2.
- PSFTP commands seem to be missing a directory separator (slash).
- Do you want to hear about Software caused connection abort?
- My SSH-2 session locks up for a few seconds every so often.
- PuTTY fails to start up. Windows claims that the application configuration is incorrect.
- When I put 32-bit PuTTY in C:\WINDOWS\SYSTEM32 on my 64-bit Windows system, Duplicate Session doesn't work.
- Security questions
- Administrative questions
- Would you like me to register you a nicer domain name?
- Would you like free web hosting for the PuTTY web site?
- Would you link to my web site from the PuTTY web site?
- Why don't you move PuTTY to SourceForge?
- Why can't I subscribe to the putty-bugs mailing list?
- If putty-bugs isn't a general-subscription mailing list, what is?
- How can I donate to PuTTY development?
- Can I have permission to put PuTTY on a cover disk / distribute it with other software / etc?
- Can you sign an agreement indemnifying us against security problems in PuTTY?
- Can you sign this form granting us permission to use/distribute PuTTY?
- Can you write us a formal notice of permission to use PuTTY?
- Can you sign anything for us?
- If you won't sign anything, can you give us some sort of assurance that you won't make PuTTY closed-source in future?
- Can you provide us with export control information / FIPS certification for PuTTY?
- As one of our existing software vendors, can you just fill in this questionnaire for us?
- The sha1sums / sha256sums / etc files on your download page don't match the binaries.
- Miscellaneous questions
- Feedback and bug reporting
- PuTTY Licence
- PuTTY hacking guide
- Cross-OS portability
- Multiple backends treated equally
- Multiple sessions per process on some platforms
- C, not C++
- Security-conscious coding
- Independence of specific compiler
- Small code size
- Single-threaded code
- Keystrokes sent to the server wherever possible
- 640×480 friendliness in configuration panels
- Automatically generated Makefiles
- Coroutines in ssh.c
- Single compilation of each source file
- Do as we say, not as we do
- PuTTY download keys and signatures
- SSH-2 names specified for PuTTY
PuTTY User Manual

PuTTY is a free (MIT-licensed) Windows Telnet and SSH client. This
manual documents PuTTY, and its companion utilities PSCP, PSFTP,
Plink, Pageant and PuTTYgen.

Note to Unix users: this manual currently primarily documents the
Windows versions of the PuTTY utilities. Some options are therefore
mentioned that are absent from the Unix version; the Unix version has
features not described here; and the pterm and command-line puttygen
utilities are not described at all. The only Unix-specific documentation
that currently exists is the man pages.

This manual is copyright 1997-2017 Simon Tatham. All rights reserved.
You may distribute this documentation under the MIT licence. See
appendix C for the licence text in full.

Chapter 1: Introduction to PuTTY
  1.1 What are SSH, Telnet and Rlogin?
  1.2 How do SSH, Telnet and Rlogin differ?
Chapter 2: Getting started with PuTTY
  2.1 Starting a session
  2.2 Verifying the host key (SSH only)
  2.3 Logging in
  2.4 After logging in
  2.5 Logging out
Chapter 3: Using PuTTY
  3.1 During your session
  3.2 Creating a log file of your session
  3.3 Altering your character set configuration
  3.4 Using X11 forwarding in SSH
  3.5 Using port forwarding in SSH
  3.6 Making raw TCP connections
  3.7 Connecting to a local serial line
  3.8 The PuTTY command line
Chapter 4: Configuring PuTTY
  4.1 The Session panel
  4.2 The Logging panel
  4.3 The Terminal panel
  4.4 The Keyboard panel
  4.5 The Bell panel
  4.6 The Features panel
  4.7 The Window panel
  4.8 The Appearance panel
  4.9 The Behaviour panel
  4.10 The Translation panel
  4.11 The Selection panel
  4.12 The Colours panel
  4.13 The Connection panel
  4.14 The Data panel
  4.15 The Proxy panel
  4.16 The Telnet panel
  4.17 The Rlogin panel
  4.18 The SSH panel
  4.19 The Kex panel
  4.20 The Host Keys panel
  4.21 The Cipher panel
  4.22 The Auth panel
  4.23 The GSSAPI panel
  4.24 The TTY panel
  4.25 The X11 panel
  4.26 The Tunnels panel
  4.27 The Bugs and More Bugs panels
  4.28 The Serial panel
  4.29 Storing configuration in a file
Chapter 5: Using PSCP to transfer files securely
  5.1 Starting PSCP
  5.2 PSCP Usage
Chapter 6: Using PSFTP to transfer files securely
  6.1 Starting PSFTP
  6.2 Running PSFTP
  6.3 Using public key authentication with PSFTP
Chapter 7: Using the command-line connection tool Plink
  7.1 Starting Plink
  7.2 Using Plink
  7.3 Using Plink in batch files and scripts
  7.4 Using Plink with CVS
  7.5 Using Plink with WinCVS
Chapter 8: Using public keys for SSH authentication
  8.1 Public key authentication - an introduction
  8.2 Using PuTTYgen, the PuTTY key generator
  8.3 Getting ready for public key authentication
Chapter 9: Using Pageant for authentication
  9.1 Getting started with Pageant
  9.2 The Pageant main window
  9.3 The Pageant command line
  9.4 Using agent forwarding
  9.5 Security considerations
Chapter 10: Common error messages
  10.1 ‘The server's host key is not cached in the registry’
  10.2 ‘WARNING - POTENTIAL SECURITY BREACH!’
  10.3 ‘SSH protocol version 2 required by our configuration but server only provides (old, insecure) SSH-1’
  10.4 ‘The first cipher supported by the server is ... below the configured warning threshold’
  10.5 ‘Server sent disconnect message type 2 (protocol error): "Too many authentication failures for root"’
  10.6 ‘Out of memory’
  10.7 ‘Internal error’, ‘Internal fault’, ‘Assertion failed’
  10.8 ‘Unable to use this private key file’, ‘Couldn't load private key’, ‘Key is of wrong type’
  10.9 ‘Server refused our public key’ or ‘Key refused’
  10.10 ‘Access denied’, ‘Authentication refused’
  10.11 ‘No supported authentication methods available’
  10.12 ‘Incorrect CRC received on packet’ or ‘Incorrect MAC received on packet’
  10.13 ‘Incoming packet was garbled on decryption’
  10.14 ‘PuTTY X11 proxy: various errors’
  10.15 ‘Network error: Software caused connection abort’
  10.16 ‘Network error: Connection reset by peer’
  10.17 ‘Network error: Connection refused’
  10.18 ‘Network error: Connection timed out’
  10.19 ‘Network error: Cannot assign requested address’
Appendix A: PuTTY FAQ
  A.1 Introduction
  A.2 Features supported in PuTTY
  A.3 Ports to other operating systems
  A.4 Embedding PuTTY in other programs
  A.5 Details of PuTTY's operation
  A.6 HOWTO questions
  A.7 Troubleshooting
  A.8 Security questions
  A.9 Administrative questions
  A.10 Miscellaneous questions
Appendix B: Feedback and bug reporting
  B.1 General guidelines
  B.2 Reporting bugs
  B.3 Reporting security vulnerabilities
  B.4 Requesting extra features
  B.5 Requesting features that have already been requested
  B.6 Support requests
  B.7 Web server administration
  B.8 Asking permission for things
  B.9 Mirroring the PuTTY web site
  B.10 Praise and compliments
  B.11 E-mail address
Appendix C: PuTTY Licence
Appendix D: PuTTY hacking guide
  D.1 Cross-OS portability
  D.2 Multiple backends treated equally
  D.3 Multiple sessions per process on some platforms
  D.4 C, not C++
  D.5 Security-conscious coding
  D.6 Independence of specific compiler
  D.7 Small code size
  D.8 Single-threaded code
  D.9 Keystrokes sent to the server wherever possible
  D.10 640×480 friendliness in configuration panels
  D.11 Automatically generated Makefiles
  D.12 Coroutines in ssh.c
  D.13 Single compilation of each source file
  D.14 Do as we say, not as we do
Appendix E: PuTTY download keys and signatures
  E.1 Public keys
  E.2 Security details

1.1 What are SSH, Telnet and Rlogin?

If you already know what SSH, Telnet and Rlogin are, you can safely skip
on to the next section.

SSH, Telnet and Rlogin are three ways of doing the same thing: logging
in to a multi-user computer from another computer, over a network.

Multi-user operating systems, such as Unix and VMS, usually present a
command-line interface to the user, much like the ‘Command Prompt’ or
‘MS-DOS Prompt’ in Windows. The system prints a prompt, and you type
commands which the system will obey.

Using this type of interface, there is no need for you to be sitting at the
same machine you are typing commands to. The commands, and
responses, can be sent over a network, so you can sit at one computer
and give commands to another one, or even to more than one.

SSH, Telnet and Rlogin are network protocols that allow you to do this.
On the computer you sit at, you run a client, which makes a network
connection to the other computer (the server). The network connection
carries your keystrokes and commands from the client to the server, and
carries the server's responses back to you.

These protocols can also be used for other types of keyboard-based
interactive session. In particular, there are a lot of bulletin boards, talker
systems and MUDs (Multi-User Dungeons) which support access using
Telnet. There are even a few that support SSH.

You might want to use SSH, Telnet or Rlogin if:

- you have an account on a Unix or VMS system which you want to be
  able to access from somewhere else
- your Internet Service Provider provides you with a login account on a
  web server. (This might also be known as a shell account. A shell is
  the program that runs on the server and interprets your commands
  for you.)
- you want to use a bulletin board system, talker or MUD which can be
  accessed using Telnet.

You probably do not want to use SSH, Telnet or Rlogin if:

- you only use Windows. Windows computers have their own ways of
  networking between themselves, and unless you are doing
  something fairly unusual, you will not need to use any of these
  remote login protocols.

1.2 How do SSH, Telnet and Rlogin differ?

This list summarises some of the differences between SSH, Telnet and
Rlogin.

- SSH (which stands for ‘secure shell’) is a recently designed,
  high-security protocol. It uses strong cryptography to protect your
  connection against eavesdropping, hijacking and other attacks.
  Telnet and Rlogin are both older protocols offering minimal security.
- SSH and Rlogin both allow you to log in to the server without having
  to type a password. (Rlogin's method of doing this is insecure, and
  can allow an attacker to access your account on the server. SSH's
  method is much more secure, and typically breaking the security
  requires the attacker to have gained access to your actual client
  machine.)
- SSH allows you to connect to the server and automatically send a
  command, so that the server will run that command and then
  disconnect. So you can use it in automated processing.

The Internet is a hostile environment and security is everybody's
responsibility. If you are connecting across the open Internet, then we
recommend you use SSH. If the server you want to connect to doesn't
support SSH, it might be worth trying to persuade the administrator to
install it.

If your client and server are both behind the same (good) firewall, it is
more likely to be safe to use Telnet or Rlogin, but we still recommend you
use SSH.

2.1 Starting a session

When you start PuTTY, you will see a dialog box. This dialog box allows
you to control everything PuTTY can do. See chapter 4 for details of all
the things you can control.

You don't usually need to change most of the configuration options. To
start the simplest kind of session, all you need to do is to enter a few
basic parameters.

In the ‘Host Name’ box, enter the Internet host name of the server you
want to connect to. You should have been told this by the provider of your
login account.

Now select a login protocol to use, from the ‘Connection type’ buttons.
For a login session, you should select Telnet, Rlogin or SSH. See section
1.2 for a description of the differences between the three protocols, and
advice on which one to use. The fourth protocol, Raw, is not used for
interactive login sessions; you would usually use this for debugging other
Internet services (see section 3.6). The fifth option, Serial, is used for
connecting to a local serial line, and works somewhat differently: see
section 3.7 for more information on this.

When you change the selected protocol, the number in the ‘Port’ box will
change. This is normal: it happens because the various login services are
usually provided on different network ports by the server machine. Most
servers will use the standard port numbers, so you will not need to
change the port setting. If your server provides login services on a
non-standard port, your system administrator should have told you which one.
(For example, many MUDs run Telnet service on a port other than 23.)

Once you have filled in the ‘Host Name’, ‘Protocol’, and possibly ‘Port’
settings, you are ready to connect. Press the ‘Open’ button at the bottom
of the dialog box, and PuTTY will begin trying to connect you to the
server.

2.2 Verifying the host key (SSH only)

If you are not using the SSH protocol, you can skip this section.

If you are using SSH to connect to a server for the first time, you will
probably see a message looking something like this:

    The server's host key is not cached in the registry. You
    have no guarantee that the server is the computer you
    think it is.
    The server's rsa2 key fingerprint is:
    ssh-rsa 1024 7b:e5:6f:a7:f4:f9:81:62:5c:e3:1f:bf:8b:57:6c:5a
    If you trust this host, hit Yes to add the key to
    PuTTY's cache and carry on connecting.
    If you want to carry on connecting just once, without
    adding the key to the cache, hit No.
    If you do not trust this host, hit Cancel to abandon the
    connection.

This is a feature of the SSH protocol. It is designed to protect you against
a network attack known as spoofing: secretly redirecting your connection
to a different computer, so that you send your password to the wrong
machine. Using this technique, an attacker would be able to learn the
password that guards your login account, and could then log in as if they
were you and use the account for their own purposes.

To prevent this attack, each server has a unique identifying code, called a
host key. These keys are created in a way that prevents one server from
forging another server's key. So if you connect to a server and it sends
you a different host key from the one you were expecting, PuTTY can
warn you that the server may have been switched and that a spoofing
attack might be in progress.

PuTTY records the host key for each server you connect to, in the
Windows Registry. Every time you connect to a server, it checks that the
host key presented by the server is the same host key as it was the last
time you connected. If it is not, you will see a warning, and you will have
the chance to abandon your connection before you type any private
information (such as a password) into it.

However, when you connect to a server you have not connected to
before, PuTTY has no way of telling whether the host key is the right one
or not. So it gives the warning shown above, and asks you whether you
want to trust this host key or not.

Whether or not to trust the host key is your choice. If you are connecting
within a company network, you might feel that all the network users are
on the same side and spoofing attacks are unlikely, so you might choose
to trust the key without checking it. If you are connecting across a hostile
network (such as the Internet), you should check with your system
administrator, perhaps by telephone or in person. (Many servers have
more than one host key. If the system administrator sends you more than
one fingerprint, you should make sure the one PuTTY shows you is on
the list, but it doesn't matter which one it is.)

See section 4.20 for advanced options for managing host keys.
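
The fingerprint check described in section 2.2, as an added example that is not part of the PuTTY manual or the PuTTY code base: it recomputes a fingerprint in the form shown in the prompt above from an OpenSSH-style public key line, then checks that the value PuTTY displays is on the administrator's list. It assumes the sixteen colon-separated bytes are the MD5 digest of the SSH-2 public key blob and handles ssh-rsa keys only; all function names and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct


def read_string(blob, offset):
    """Read one SSH wire-format field: uint32 big-endian length, then the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of key blob")
    return blob[offset + 4:end], end


def md5_colon(data):
    """MD5 digest written as sixteen colon-separated hex pairs."""
    digest = hashlib.md5(data).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def putty_style_fingerprint(pubkey_line):
    """Turn '<type> <base64> [comment]' into 'ssh-rsa <bits> <md5 fingerprint>'.

    Assumption (labelled in the lead-in): the fingerprint is MD5 over the
    whole public key blob, and the bit count is the size of the RSA modulus.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, offset = read_string(blob, 0)
    # The type named in the text must match the type stored inside the blob.
    if key_type != fields[0].encode("ascii") or key_type != b"ssh-rsa":
        raise ValueError("not a consistent ssh-rsa public key")
    _exponent, offset = read_string(blob, offset)
    modulus, offset = read_string(blob, offset)
    if offset != len(blob):
        raise ValueError("trailing bytes after RSA modulus")
    bits = int.from_bytes(modulus, "big").bit_length()
    return "ssh-rsa {} {}".format(bits, md5_colon(blob))


def normalise(fingerprint):
    """Lower-case and collapse whitespace so copies from e-mail compare equal."""
    return " ".join(fingerprint.lower().split())


def fingerprint_on_list(shown_by_putty, expected_fingerprints):
    """True if the fingerprint PuTTY shows matches any entry on the list.

    A server may have several host keys; matching any one of them is enough.
    """
    shown = normalise(shown_by_putty)
    return any(shown == normalise(item) for item in expected_fingerprints)


# --- Constructed sample data: these are NOT real or usable RSA keys. ---

def mpint(value):
    """Encode a positive integer as an SSH mpint (leading zero if top bit set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def build_rsa_pubkey_line(exponent, modulus, comment="constructed-example"):
    """Build an OpenSSH-style public key line from raw numbers (sample data only)."""
    name = b"ssh-rsa"
    blob = struct.pack(">I", len(name)) + name + mpint(exponent) + mpint(modulus)
    return "ssh-rsa {} {}".format(base64.b64encode(blob).decode("ascii"), comment)


SAMPLE_LINE = build_rsa_pubkey_line(65537, (1 << 1023) + 12345)
OTHER_LINE = build_rsa_pubkey_line(65537, (1 << 1023) + 54321)

if __name__ == "__main__":
    # Fingerprints as the administrator might compute them from the server's
    # public key files and pass on by telephone or in person.
    admin_list = [putty_style_fingerprint(OTHER_LINE),
                  putty_style_fingerprint(SAMPLE_LINE)]
    shown = putty_style_fingerprint(SAMPLE_LINE)  # stands in for PuTTY's dialog
    print(shown)
    print("on administrator's list:", fingerprint_on_list(shown, admin_list))
```
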

2.3 Logging in

After you have connected, and perhaps verified the server's host key, you
will be asked to log in, probably using a username and a password. Your
system administrator should have provided you with these. Enter the
username and the password, and the server should grant you access
and begin your session. If you have mistyped your password, most
servers will give you several chances to get it right.

If you are using SSH, be careful not to type your username wrongly,
because you will not have a chance to correct it after you press Return;
many SSH servers do not permit you to make two login attempts using
different usernames. If you type your username wrongly, you must close
PuTTY and start again.

If your password is refused but you are sure you have typed it correctly,
check that Caps Lock is not enabled. Many login servers, particularly
Unix computers, treat upper case and lower case as different when
checking your password; so if Caps Lock is on, your password will
probably be refused.

2.4 After logging in

After you log in to the server, what happens next is up to the server! Most
servers will print some sort of login message and then present a prompt,
at which you can type commands which the server will carry out. Some
servers will offer you on-line help; others might not. If you are in doubt
about what to do next, consult your system administrator.

2.5 Logging out

When you have finished your session, you should log out by typing the
server's own logout command. This might vary between servers; if in
doubt, try logout or exit, or consult a manual or your system
administrator. When the server processes your logout command, the
PuTTY window should close itself automatically.

You can close a PuTTY session using the Close button in the window
border, but this might confuse the server - a bit like hanging up a
telephone unexpectedly in the middle of a conversation. We recommend
you do not do this unless the server has stopped responding to you and
you cannot close the window any other way.

Chapter 3: Using PuTTY

This chapter provides a general introduction to some more advanced
features of PuTTY. For extreme detail and reference purposes, chapter 4
is likely to contain more information.

3.1 During your session

A lot of PuTTY's complexity and features are in the configuration panel.
Once you have worked your way through that and started a session,
things should be reasonably simple after that. Nevertheless, there are a
few more useful features available.

3.1.1 Copying and pasting text

Often in a PuTTY session you will find text on your terminal screen which
you want to type in again. Like most other terminal emulators, PuTTY
allows you to copy and paste the text rather than having to type it again.
Also, copy and paste uses the Windows clipboard, so that you can paste
(for example) URLs into a web browser, or paste from a word processor
or spreadsheet into your terminal session.

PuTTY's copy and paste works entirely with the mouse. In order to copy
text to the clipboard, you just click the left mouse button in the terminal
window, and drag to select text. When you let go of the button, the text is
automatically copied to the clipboard. You do not need to press Ctrl-C or
Ctrl-Ins; in fact, if you do press Ctrl-C, PuTTY will send a Ctrl-C character
down your session to the server where it will probably cause a process to
be interrupted.

Pasting is done using the right button (or the middle mouse button, if you
have a three-button mouse and have set it up; see section 4.11.2).
(Pressing Shift-Ins, or selecting ‘Paste’ from the Ctrl+right-click context
menu, have the same effect.) When you click the right mouse button,
PuTTY will read whatever is in the Windows clipboard and paste it into
your session, exactly as if it had been typed at the keyboard. (Therefore,
be careful of pasting formatted text into an editor that does automatic
indenting; you may find that the spaces pasted from the clipboard plus
the spaces added by the editor add up to too many spaces and ruin the
formatting. There is nothing PuTTY can do about this.)

If you double-click the left mouse button, PuTTY will select a whole word.
If you double-click, hold down the second click, and drag the mouse,
PuTTY will select a sequence of whole words. (You can adjust precisely
what PuTTY considers to be part of a word; see section 4.11.5.) If you
triple-click, or triple-click and drag, then PuTTY will select a whole line or
sequence of lines.

If you want to select a rectangular region instead of selecting to the end
of each line, you can do this by holding down Alt when you make your
selection. You can also configure rectangular selection to be the default,
and then holding down Alt gives the normal behaviour instead: see
section 4.11.4 for details.

(In some Unix environments, Alt+drag is intercepted by the window
manager. Shift+Alt+drag should work for rectangular selection as well, so
you could try that instead.)

If you have a middle mouse button, then you can use it to adjust an
existing selection if you selected something slightly wrong. (If you have
configured the middle mouse button to paste, then the right mouse button
does this instead.) Click the button on the screen, and you can pick up
the nearest end of the selection and drag it to somewhere else.

It's possible for the server to ask to handle mouse clicks in the PuTTY
window itself. If this happens, the mouse pointer will turn into an arrow,
and using the mouse to copy and paste will only work if you hold down
Shift. See section 4.6.2 and section 4.11.3 for details of this feature and
how to configure it.

3.1.2 Scrolling the screen back

PuTTY keeps track of text that has scrolled up off the top of the terminal.
So if something appears on the screen that you want to read, but it
scrolls too fast and it's gone by the time you try to look for it, you can use
the scrollbar on the right side of the window to look back up the session
history and find it again.

As well as using the scrollbar, you can also page the scrollback up and
down by pressing Shift-PgUp and Shift-PgDn. You can scroll a line at a
time using Ctrl-PgUp and Ctrl-PgDn. These are still available if you
configure the scrollbar to be invisible.

By default the last 2000 lines scrolled off the top are preserved for you to
look at. You can increase (or decrease) this value using the configuration
box; see section 4.7.3.

3.1.3 The System menu

If you click the left mouse button on the icon in the top left corner of
PuTTY's terminal window, or click the right mouse button on the title bar,
you will see the standard Windows system menu containing items like
Minimise, Move, Size and Close.

PuTTY's system menu contains extra program features in addition to the
Windows standard options. These extra menu commands are described
below.

(These options are also available in a context menu brought up by
holding Ctrl and clicking with the right mouse button anywhere in the
PuTTY window.)

3.1.3.1 The PuTTY Event Log

If you choose ‘Event Log’ from the system menu, a small window will pop
up in which PuTTY logs significant events during the connection. Most of
the events in the log will probably take place during session startup, but a
few can occur at any point in the session, and one or two occur right at
the end.

You can use the mouse to select one or more lines of the Event Log, and
hit the Copy button to copy them to the clipboard. If you are reporting a
bug, it's often useful to paste the contents of the Event Log into your bug
report.

(The Event Log is not the same as the facility to create a log file of your
session; that's described in section 3.2.)

3.1.3.2 Special commands

Depending on the protocol used for the current session, there may be a
submenu of ‘special commands’. These are protocol-specific tokens,
such as a ‘break’ signal, that can be sent down a connection in addition
to normal data. Their precise effect is usually up to the server. Currently
only Telnet, SSH, and serial connections have special commands.

The ‘break’ signal can also be invoked from the keyboard with Ctrl-Break.

The following special commands are available in Telnet:

- Are You There
- Break
- Synch
- Erase Character
  PuTTY can also be configured to send this when the Backspace key
  is pressed; see section 4.16.3.
- Erase Line
- Go Ahead
- No Operation
  Should have no effect.
- Abort Process
- Abort Output
- Interrupt Process
  PuTTY can also be configured to send this when Ctrl-C is typed; see
  section 4.16.3.
- Suspend Process
  PuTTY can also be configured to send this when Ctrl-Z is typed; see
  section 4.16.3.
- End Of Record
- End Of File

In an SSH connection, the following special commands are available:

- IGNORE message
  Should have no effect.
- Repeat key exchange
  Only available in SSH-2. Forces a repeat key exchange immediately
  (and resets associated timers and counters). For more information
  about repeat key exchanges, see section 4.19.2.
- Cache new host key type
  Only available in SSH-2. This submenu appears only if the server
  has host keys of a type that PuTTY doesn't already have cached,
  and so won't consider. Selecting a key here will allow PuTTY to use
  that key now and in future: PuTTY will do a fresh key-exchange with
  the selected key, and immediately add that key to its permanent
  cache (relying on the host key used at the start of the connection to
  cross-certify the new key). That key will be used for the rest of the
  current session; it may not actually be used for future sessions,
  depending on your preferences (see section 4.20.1).
  Normally, PuTTY will carry on using a host key it already knows,
  even if the server offers key formats that PuTTY would otherwise
  prefer, to avoid host key prompts. As a result, if you've been using a
  server for some years, you may still be using an older key than a
  new user would use, due to server upgrades in the meantime. The
  SSH protocol unfortunately does not have organised facilities for
  host key migration and rollover, but this allows you to manually
  upgrade.
- Break
  Only available in SSH-2, and only during a session. Optional
  extension; may not be supported by server. PuTTY requests the
  server's default break length.
- Signals (SIGINT, SIGTERM etc)
  Only available in SSH-2, and only during a session. Sends various
  POSIX signals. Not honoured by all servers.

With a serial connection, the only available special command is ‘Break’.
3.1.3.3 Starting new sessions
PuTTY's system menu provides some shortcut ways to start new sessions:
- Selecting ‘New Session’ will start a completely new instance of PuTTY, and bring up the configuration box as normal.
- Selecting ‘Duplicate Session’ will start a session in a new window with precisely the same options as your current one - connecting to the same host using the same protocol, with all the same terminal settings and everything.
- In an inactive window, selecting ‘Restart Session’ will do the same as ‘Duplicate Session’, but in the current window.
- The ‘Saved Sessions’ submenu gives you quick access to any sets of stored session details you have previously saved. See section 4.1.2 for details of how to create saved sessions.
3.1.3.4 Changing your session settings
If you select ‘Change Settings’ from the system menu, PuTTY will display a cut-down version of its initial configuration box. This allows you to adjust most properties of your current session. You can change the terminal size, the font, the actions of various keypresses, the colours, and so on.
Some of the options that are available in the main configuration box are not shown in the cut-down Change Settings box. These are usually options which don't make sense to change in the middle of a session (for example, you can't switch from SSH to Telnet in mid-session).
You can save the current settings to a saved session for future use from this dialog box. See section 4.1.2 for more on saved sessions.
3.1.3.5 Copy All to Clipboard
This system menu option provides a convenient way to copy the whole contents of the terminal screen (up to the last nonempty line) and scrollback to the clipboard in one go.
3.1.3.6 Clearing and resetting the terminal
The ‘Clear Scrollback’ option on the system menu tells PuTTY to discard all the lines of text that have been kept after they scrolled off the top of the screen. This might be useful, for example, if you displayed sensitive information and wanted to make sure nobody could look over your shoulder and see it. (Note that this only prevents a casual user from using the scrollbar to view the information; the text is not guaranteed not to still be in PuTTY's memory.)
The ‘Reset Terminal’ option causes a full reset of the terminal emulation. A VT-series terminal is a complex piece of software and can easily get into a state where all the text printed becomes unreadable. (This can happen, for example, if you accidentally output a binary file to your terminal.) If this happens, selecting Reset Terminal should sort it out.
3.1.3.7 Full screen mode
If you find the title bar on a maximised window to be ugly or distracting, you can select Full Screen mode to maximise PuTTY ‘even more’. When you select this, PuTTY will expand to fill the whole screen and its borders, title bar and scrollbar will disappear. (You can configure the scrollbar not to disappear in full-screen mode if you want to keep it; see section 4.7.3.)
When you are in full-screen mode, you can still access the system menu if you click the left mouse button in the extreme top left corner of the screen.
3.2 Creating a log file of your session
For some purposes you may find you want to log everything that appears on your screen. You can do this using the ‘Logging’ panel in the configuration box.
To begin a session log, select ‘Change Settings’ from the system menu and go to the Logging panel. Enter a log file name, and select a logging mode. (You can log all session output including the terminal control sequences, or you can just log the printable text. It depends what you want the log for.) Click ‘Apply’ and your log will be started. Later on, you can go back to the Logging panel and select ‘Logging turned off completely’ to stop logging; then PuTTY will close the log file and you can safely read it.
See section 4.2 for more details and options.
3.3 Altering your character set configuration
If you find that special characters (accented characters, for example, or line-drawing characters) are not being displayed correctly in your PuTTY session, it may be that PuTTY is interpreting the characters sent by the server according to the wrong character set. There are a lot of different character sets available, and no good way for PuTTY to know which to use, so it's entirely possible for this to happen.
If you click ‘Change Settings’ and look at the ‘Translation’ panel, you should see a large number of character sets which you can select, and other related options. Now all you need is to find out which of them you want! (See section 4.10 for more information.)
3.4 Using X11 forwarding in SSH
The SSH protocol has the ability to securely forward X Window System graphical applications over your encrypted SSH connection, so that you can run an application on the SSH server machine and have it put its windows up on your local machine without sending any X network traffic in the clear.
In order to use this feature, you will need an X display server for your Windows machine, such as Cygwin/X, X-Win32, or Exceed. This will probably install itself as display number 0 on your local machine; if it doesn't, the manual for the X server should tell you what it does do.
You should then tick the ‘Enable X11 forwarding’ box in the X11 panel (see section 4.25) before starting your SSH session. The ‘X display location’ box is blank by default, which means that PuTTY will try to use a sensible default such as :0, which is the usual display location where your X server will be installed. If that needs changing, then change it.
Now you should be able to log in to the SSH server as normal. To check that X forwarding has been successfully negotiated during connection startup, you can check the PuTTY Event Log (see section 3.1.3.1). It should say something like this:
2001-12-05 17:22:01 Requesting X11 forwarding
2001-12-05 17:22:02 X11 forwarding enabled
If the remote system is Unix or Unix-like, you should also be able to see that the DISPLAY environment variable has been set to point at display 10 or above on the SSH server machine itself:
fred@unixbox:~$ echo $DISPLAY
unixbox:10.0
If this works, you should then be able to run X applications in the remote session and have them display their windows on your PC.
For more options relating to X11 forwarding, see section 4.25.
3.5 Using port forwarding in SSH
The SSH protocol has the ability to forward arbitrary network (TCP) connections over your encrypted SSH connection, to avoid the network traffic being sent in clear. For example, you could use this to connect from your home computer to a POP-3 server on a remote machine without your POP-3 password being visible to network sniffers.
In order to use port forwarding to connect from your local machine to a port on a remote server, you need to:
- Choose a port number on your local machine where PuTTY should listen for incoming connections. There are likely to be plenty of unused port numbers above 3000. (You can also use a local loopback address here; see below for more details.)
- Now, before you start your SSH connection, go to the Tunnels panel (see section 4.26). Make sure the ‘Local’ radio button is set. Enter the local port number into the ‘Source port’ box. Enter the destination host name and port number into the ‘Destination’ box, separated by a colon (for example, popserver.example.com:110 to connect to a POP-3 server).
- Now click the ‘Add’ button. The details of your port forwarding should appear in the list box.
Now start your session and log in. (Port forwarding will not be enabled until after you have logged in; otherwise it would be easy to perform completely anonymous network attacks, and gain access to anyone's virtual private network.) To check that PuTTY has set up the port forwarding correctly, you can look at the PuTTY Event Log (see section 3.1.3.1). It should say something like this:
2001-12-05 17:22:10 Local port 3110 forwarding to popserver.example.com:110
Now if you connect to the source port number on your local PC, you should find that it answers you exactly as if it were the service running on the destination machine. So in this example, you could then configure an e-mail client to use localhost:3110 as a POP-3 server instead of popserver.example.com:110. (Of course, the forwarding will stop happening when your PuTTY session closes down.)
You can also forward ports in the other direction: arrange for a particular port number on the server machine to be forwarded back to your PC as a connection to a service on your PC or near it. To do this, just select the ‘Remote’ radio button instead of the ‘Local’ one. The ‘Source port’ box will now specify a port number on the server (note that most servers will not allow you to use port numbers under 1024 for this purpose).
An alternative way to forward local connections to remote hosts is to use dynamic SOCKS proxying. In this mode, PuTTY acts as a SOCKS server, which SOCKS-aware programs can connect to and open forwarded connections to the destination of their choice, so this can be an alternative to long lists of static forwardings. To use this mode, you will need to select the ‘Dynamic’ radio button instead of ‘Local’, and then you should not enter anything into the ‘Destination’ box (it will be ignored). PuTTY will then listen for SOCKS connections on the port you have specified. Most web browsers can be configured to connect to this SOCKS proxy service; also, you can forward other PuTTY connections through it by setting up the Proxy control panel (see section 4.15 for details).
The source port for a forwarded connection usually does not accept connections from any machine except the SSH client or server machine itself (for local and remote forwardings respectively). There are controls in the Tunnels panel to change this:
- The ‘Local ports accept connections from other hosts’ option allows you to set up local-to-remote port forwardings (including dynamic port forwardings) in such a way that machines other than your client PC can connect to the forwarded port.
- The ‘Remote ports do the same’ option does the same thing for remote-to-local port forwardings (so that machines other than the SSH server machine can connect to the forwarded port.) Note that this feature is only available in the SSH-2 protocol, and not all SSH-2 servers honour it (in OpenSSH, for example, it's usually disabled by default).
You can also specify an IP address to listen on. Typically a Windows machine can be asked to listen on any single IP address in the 127.*.*.* range, and all of these are loopback addresses available only to the local machine. So if you forward (for example) 127.0.0.5:79 to a remote machine's finger port, then you should be able to run commands such as finger fred@127.0.0.5. This can be useful if the program connecting to the forwarded port doesn't allow you to change the port number it uses. This feature is available for local-to-remote forwarded ports; SSH-1 is unable to support it for remote-to-local ports, while SSH-2 can support it in theory but servers will not necessarily cooperate.
(Note that if you're using Windows XP Service Pack 2, you may need to obtain a fix from Microsoft in order to use addresses like 127.0.0.5 - see question A.7.17.)
For more options relating to port forwarding, see section 4.26.
If the connection you are forwarding over SSH is itself a second SSH connection made by another copy of PuTTY, you might find the ‘logical host name’ configuration option useful to warn PuTTY of which host key it should be expecting. See section 4.13.5 for details of this.
3.6 Making raw TCP connections
A lot of Internet protocols are composed of commands and responses in plain text. For example, SMTP (the protocol used to transfer e-mail), NNTP (the protocol used to transfer Usenet news), and HTTP (the protocol used to serve Web pages) all consist of commands in readable plain text.
Sometimes it can be useful to connect directly to one of these services and speak the protocol ‘by hand’, by typing protocol commands and watching the responses. On Unix machines, you can do this using the system's telnet command to connect to the right port number. For example, telnet mailserver.example.com 25 might enable you to talk directly to the SMTP service running on a mail server.
Although the Unix telnet program provides this functionality, the protocol being used is not really Telnet. Really there is no actual protocol at all; the bytes sent down the connection are exactly the ones you type, and the bytes shown on the screen are exactly the ones sent by the server. Unix telnet will attempt to detect or guess whether the service it is talking to is a real Telnet service or not; PuTTY prefers to be told for certain.
In order to make a debugging connection to a service of this type, you simply select the fourth protocol name, ‘Raw’, from the ‘Protocol’ buttons in the ‘Session’ configuration panel. (See section 4.1.1.) You can then enter a host name and a port number, and make the connection.
3.7 Connecting to a local serial line
PuTTY can connect directly to a local serial line as an alternative to making a network connection. In this mode, text typed into the PuTTY window will be sent straight out of your computer's serial port, and data received through that port will be displayed in the PuTTY window. You might use this mode, for example, if your serial port is connected to another computer which has a serial connection.
To make a connection of this type, simply select ‘Serial’ from the ‘Connection type’ radio buttons on the ‘Session’ configuration panel (see section 4.1.1). The ‘Host Name’ and ‘Port’ boxes will transform into ‘Serial line’ and ‘Speed’, allowing you to specify which serial line to use (if your computer has more than one) and what speed (baud rate) to use when transferring data. For further configuration options (data bits, stop bits, parity, flow control), you can use the ‘Serial’ configuration panel (see section 4.28).
After you start up PuTTY in serial mode, you might find that you have to make the first move, by sending some data out of the serial line in order to notify the device at the other end that someone is there for it to talk to. This probably depends on the device. If you start up a PuTTY serial session and nothing appears in the window, try pressing Return a few times and see if that helps.
A serial line provides no well defined means for one end of the connection to notify the other that the connection is finished. Therefore, PuTTY in serial mode will remain connected until you close the window using the close button.
3.8 The PuTTY command line
PuTTY can be made to do various things without user intervention by supplying command-line arguments (e.g., from a command prompt window, or a Windows shortcut).
3.8.1 Starting a session from the command line
These options allow you to bypass the configuration window and launch straight into a session.
To start a connection to a server called host:
putty.exe [-ssh | -telnet | -rlogin | -raw] [user@]host
If this syntax is used, settings are taken from the Default Settings (see section 4.1.2); user overrides these settings if supplied. Also, you can specify a protocol, which will override the default protocol (see section 3.8.3.2).
For telnet sessions, the following alternative syntax is supported (this makes PuTTY suitable for use as a URL handler for telnet URLs in web browsers):
putty.exe telnet://host[:port]/
To start a connection to a serial port, e.g. COM1:
putty.exe -serial com1
In order to start an existing saved session called sessionname, use the -load option (described in section 3.8.3.1).
putty.exe -load "session name"
3.8.2 -cleanup
If invoked with the -cleanup option, rather than running as normal, PuTTY will remove its registry entries and random seed file from the local machine (after confirming with the user). It will also attempt to remove information about recently launched sessions stored in the ‘jump list’ on Windows 7 and up.
Note that on multi-user systems, -cleanup only removes registry entries and files associated with the currently logged-in user.
3.8.3 Standard command-line options
PuTTY and its associated tools support a range of command-line options, most of which are consistent across all the tools. This section lists the available options in all tools. Options which are specific to a particular tool are covered in the chapter about that tool.
3.8.3.1 -load: load a saved session
The -load option causes PuTTY to load configuration details out of a saved session. If these details include a host name, then this option is all you need to make PuTTY start a session.
You need double quotes around the session name if it contains spaces.
If you want to create a Windows shortcut to start a PuTTY saved session, this is the option you should use: your shortcut should call something like
d:\path\to\putty.exe -load "my session"
(Note that PuTTY itself supports an alternative form of this option, for backwards compatibility. If you execute putty @sessionname it will have the same effect as putty -load "sessionname". With the @ form, no double quotes are required, and the @ sign must be the very first thing on the command line. This form of the option is deprecated.)
3.8.3.2 Selecting a protocol: -ssh, -telnet, -rlogin, -raw -serial
To choose which protocol you want to connect with, you can use one of these options:
- -ssh selects the SSH protocol.
- -telnet selects the Telnet protocol.
- -rlogin selects the Rlogin protocol.
- -raw selects the raw protocol.
- -serial selects a serial connection.
These options are not available in the file transfer tools PSCP and PSFTP (which only work with the SSH protocol).
These options are equivalent to the protocol selection buttons in the Session panel of the PuTTY configuration box (see section 4.1.1).
3.8.3.3 -v: increase verbosity
Most of the PuTTY tools can be made to tell you more about what they are doing by supplying the -v option. If you are having trouble when making a connection, or you're simply curious, you can turn this switch on and hope to find out more about what is happening.
3.8.3.5 -L, -R and -D: set up port forwardings
As well as setting up port forwardings in the PuTTY configuration (see section 4.26), you can also set up forwardings on the command line. The command-line options work just like the ones in Unix ssh programs.
To forward a local port (say 5110) to a remote destination (say popserver.example.com port 110), you can write something like one of these:
putty -L 5110:popserver.example.com:110 -load mysession
plink mysession -L 5110:popserver.example.com:110
To forward a remote port to a local destination, just use the -R option instead of -L:
putty -R 5023:mytelnetserver.myhouse.org:23 -load mysession
plink mysession -R 5023:mytelnetserver.myhouse.org:23
To specify an IP address for the listening end of the tunnel, prepend it to the argument:
plink -L 127.0.0.5:23:localhost:23 myhost
To set up SOCKS-based dynamic port forwarding on a local port, use the -D option. For this one you only have to pass the port number:
putty -D 4096 -load mysession
For general information on port forwarding, see section 3.5.
These options are not available in the file transfer tools PSCP and PSFTP.
3.8.3.6 -m: read a remote command or script from a file
The -m option performs a similar function to the ‘Remote command’ box in the SSH panel of the PuTTY configuration box (see section 4.18.1). However, the -m option expects to be given a local file name, and it will read a command from that file.
With some servers (particularly Unix systems), you can even put multiple lines in this file and execute more than one command in sequence, or a whole shell script; but this is arguably an abuse, and cannot be expected to work on all servers. In particular, it is known not to work with certain ‘embedded’ servers, such as Cisco routers.
This option is not available in the file transfer tools PSCP and PSFTP.
3.8.3.7 -P: specify a port number
The -P option is used to specify the port number to connect to. If you have a Telnet server running on port 9696 of a machine instead of port 23, for example:
putty -telnet -P 9696 host.name
plink -telnet -P 9696 host.name
(Note that this option is more useful in Plink than in PuTTY, because in PuTTY you can write putty -telnet host.name 9696 in any case.)
This option is equivalent to the port number control in the Session panel of the PuTTY configuration box (see section 4.1.1).
3.8.3.8 -pw: specify a password
A simple way to automate a remote login is to supply your password on the command line. This is not recommended for reasons of security. If you possibly can, we recommend you set up public-key authentication instead. See chapter 8 for details.
Note that the -pw option only works when you are using the SSH protocol. Due to fundamental limitations of Telnet and Rlogin, these protocols do not support automated password authentication.
3.8.3.9 -agent and -noagent: control use of Pageant for authentication
The -agent option turns on SSH authentication using Pageant, and -noagent turns it off. These options are only meaningful if you are using SSH.
See chapter 9 for general information on Pageant.
These options are equivalent to the agent authentication checkbox in the Auth panel of the PuTTY configuration box (see section 4.22.3).
3.8.3.10 -A and -a: control agent forwarding
The -A option turns on SSH agent forwarding, and -a turns it off. These options are only meaningful if you are using SSH.
See chapter 9 for general information on Pageant, and section 9.4 for information on agent forwarding. Note that there is a security risk involved with enabling this option; see section 9.5 for details.
These options are equivalent to the agent forwarding checkbox in the Auth panel of the PuTTY configuration box (see section 4.22.6).
These options are not available in the file transfer tools PSCP and PSFTP.
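
A defender-side check for the options covered in sections 3.8.3.5, 3.8.3.8 and 3.8.3.10, as an added example that is not part of the PuTTY manual or the PuTTY code base: it audits recorded putty/plink command lines for a password passed with -pw, agent forwarding turned on with -A, and forwardings whose listening address is not loopback. The sample command lines are constructed, the finding names are this example's own, and it assumes each option and its value are separate arguments and that addresses are IPv4 or host names.

```python
import ipaddress
import shlex

# Options described in this section that consume the following argument,
# so their values are never mistaken for options.
VALUE_OPTS = {"-load", "-l", "-m", "-P", "-i", "-loghost", "-hostkey",
              "-sercfg", "-sessionlog", "-sshlog", "-sshrawlog",
              "-proxycmd", "-nc"}
# Which machine opens the listening port for each forwarding option.
FORWARD_OPTS = {"-L": "client", "-D": "client", "-R": "server"}


def listen_address(opt, spec):
    """Return the listening address of a forwarding spec, or None if absent.

    -L and -R take [listen-addr:]port:host:port; -D takes [listen-addr:]port.
    IPv6 literals are outside the scope of this example.
    """
    parts = spec.split(":")
    base = 1 if opt == "-D" else 3          # field count without an address
    if all(parts) and len(parts) == base:
        return None
    if all(parts) and len(parts) == base + 1:
        return parts[0]
    raise ValueError(f"unrecognised forwarding spec: {spec!r}")


def is_loopback(addr):
    """True for loopback literals (127.*.*.*) and the name 'localhost'."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                        # some other host name


def audit(command_line):
    """Return (finding, detail) tuples for one putty/plink command line."""
    argv = shlex.split(command_line, posix=False)
    findings = []
    i = 1                                   # argv[0] is the program name
    while i < len(argv):
        opt = argv[i]
        value = argv[i + 1] if i + 1 < len(argv) else ""
        if opt == "-pw":
            # Never copy the password itself into the report.
            findings.append(("password-on-command-line", "-pw <redacted>"))
            i += 2
        elif opt == "-A":
            findings.append(("agent-forwarding-enabled", "-A"))
            i += 1
        elif opt in FORWARD_OPTS:
            try:
                addr = listen_address(opt, value)
            except ValueError:
                findings.append(("malformed-forwarding", opt))
            else:
                if addr is not None and not is_loopback(addr):
                    side = FORWARD_OPTS[opt]
                    findings.append(("non-loopback-listener",
                                     f"{opt} {value} ({side} side)"))
            i += 2
        elif opt in VALUE_OPTS:
            i += 2
        else:
            i += 1
    return findings


# Constructed sample command lines, e.g. as seen in process-creation logs.
SAMPLES = [
    "plink.exe -pw S3cret -L 0.0.0.0:5110:popserver.example.com:110 mysession",
    "putty.exe -L 127.0.0.5:23:localhost:23 myhost",
    'putty.exe -A -load "my session"',
    "putty.exe -D 4096 -load mysession",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit(line))
```
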
3.8.3.11 -X and -x: control X11 forwarding
The -X option turns on X11 forwarding in SSH, and -x turns it off. These options are only meaningful if you are using SSH.
For information on X11 forwarding, see section 3.4.
These options are equivalent to the X11 forwarding checkbox in the X11 panel of the PuTTY configuration box (see section 4.25).
These options are not available in the file transfer tools PSCP and PSFTP.
3.8.3.12 -t and -T: control pseudo-terminal allocation
The -t option ensures PuTTY attempts to allocate a pseudo-terminal at the server, and -T stops it from allocating one. These options are only meaningful if you are using SSH.
These options are equivalent to the ‘Don't allocate a pseudo-terminal’ checkbox in the SSH panel of the PuTTY configuration box (see section 4.24.1).
These options are not available in the file transfer tools PSCP and PSFTP.
3.8.3.13 -N: suppress starting a shell or command
The -N option prevents PuTTY from attempting to start a shell or command on the remote server. You might want to use this option if you are only using the SSH connection for port forwarding, and your user account on the server does not have the ability to run a shell.
This feature is only available in SSH protocol version 2 (since the version 1 protocol assumes you will always want to run a shell).
This option is equivalent to the ‘Don't start a shell or command at all’ checkbox in the SSH panel of the PuTTY configuration box (see section 4.18.2).
This option is not available in the file transfer tools PSCP and PSFTP.
3.8.3.14 -nc: make a remote network connection in place of a remote shell or command
The -nc option prevents Plink (or PuTTY) from attempting to start a shell or command on the remote server. Instead, it will instruct the remote server to open a network connection to a host name and port number specified by you, and treat that network connection as if it were the main session.
You specify a host and port as an argument to the -nc option, with a colon separating the host name from the port number, like this:
plink host1.example.com -nc host2.example.com:1234
You might want to use this feature if you needed to make an SSH connection to a target host which you can only reach by going through a proxy host, and rather than using port forwarding you prefer to use the local proxy feature (see section 4.15.1 for more about local proxies). In this situation you might select ‘Local’ proxy type, set your local proxy command to be ‘plink %proxyhost -nc %host:%port’, enter the target host name on the Session panel, and enter the directly reachable proxy host name on the Proxy panel.
This feature is only available in SSH protocol version 2 (since the version 1 protocol assumes you will always want to run a shell). It is not available in the file transfer tools PSCP and PSFTP. It is available in PuTTY itself, although it is unlikely to be very useful in any tool other than Plink. Also, -nc uses the same server functionality as port forwarding, so it will not work if your server administrator has disabled port forwarding.
(The option is named -nc after the Unix program nc, short for ‘netcat’. The command ‘plink host1 -nc host2:port’ is very similar in functionality to ‘plink host1 nc host2 port’, which invokes nc on the server and tells it to connect to the specified destination. However, Plink's built-in -nc option does not depend on the nc program being installed on the server.)
3.8.3.16 -1 and -2: specify an SSH protocol version
The -1 and -2 options force PuTTY to use version 1 or version 2 of the SSH protocol. These options are only meaningful if you are using SSH.
These options are equivalent to selecting the SSH protocol version in the SSH panel of the PuTTY configuration box (see section 4.18.4).
3.8.3.17 -4 and -6: specify an Internet protocol version
The -4 and -6 options force PuTTY to use the older Internet protocol IPv4 or the newer IPv6 for most outgoing connections.
These options are equivalent to selecting your preferred Internet protocol version as ‘IPv4’ or ‘IPv6’ in the Connection panel of the PuTTY configuration box (see section 4.13.4).
3.8.3.18 -i: specify an SSH private key
The -i option allows you to specify the name of a private key file in *.PPK format which PuTTY will use to authenticate with the server. This option is only meaningful if you are using SSH.
If you are using Pageant, you can also specify a public key file (in RFC 4716 or OpenSSH format) to identify a specific key file to use. (This won't work if you're not running Pageant, of course.)
For general information on public-key authentication, see chapter 8.
This option is equivalent to the ‘Private key file for authentication’ box in the Auth panel of the PuTTY configuration box (see section 4.22.8).
3.8.3.19 -loghost: specify a logical host name
This option overrides PuTTY's normal SSH host key caching policy by telling it the name of the host you expect your connection to end up at (in cases where this differs from the location PuTTY thinks it's connecting to). It can be a plain host name, or a host name followed by a colon and a port number. See section 4.13.5 for more detail on this.
3.8.3.20 -hostkey: manually specify an expected host key
This option overrides PuTTY's normal SSH host key caching policy by telling it exactly what host key to expect, which can be useful if the normal automatic host key store in the Registry is unavailable. The argument to this option should be either a host key fingerprint, or an SSH-2 public key blob. See section 4.20.2 for more information.
You can specify this option more than once if you want to configure more than one key to be accepted.
3.8.3.22 -sercfg: specify serial port configuration
This option specifies the configuration parameters for the serial port (baud rate, stop bits etc). Its argument is interpreted as a comma-separated list of configuration options, which can be as follows:
- Any single digit from 5 to 9 sets the number of data bits.
- ‘1’, ‘1.5’ or ‘2’ sets the number of stop bits.
- Any other numeric string is interpreted as a baud rate.
- A single lower-case letter specifies the parity: ‘n’ for none, ‘o’ for odd, ‘e’ for even, ‘m’ for mark and ‘s’ for space.
- A single upper-case letter specifies the flow control: ‘N’ for none, ‘X’ for XON/XOFF, ‘R’ for RTS/CTS and ‘D’ for DSR/DTR.
For example, ‘-sercfg 19200,8,n,1,N’ denotes a baud rate of 19200, 8 data bits, no parity, 1 stop bit and no flow control.
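
The -sercfg rules above, written out as a small parser; this is an added example, not PuTTY's own code. The SerialConfig type and the choice to reject unrecognised items with an error are assumptions of the example, and fields the argument does not mention are left as None.

```python
from dataclasses import dataclass
from typing import Optional

# Letter codes as listed in the manual text above.
PARITY = {"n": "none", "o": "odd", "e": "even", "m": "mark", "s": "space"}
FLOW = {"N": "none", "X": "XON/XOFF", "R": "RTS/CTS", "D": "DSR/DTR"}
STOP_BITS = {"1", "1.5", "2"}
DATA_BITS = {"5", "6", "7", "8", "9"}


@dataclass
class SerialConfig:
    """Hypothetical result type; None means 'not given in the argument'."""
    baud: Optional[int] = None
    data_bits: Optional[int] = None
    stop_bits: Optional[str] = None     # kept as text because of '1.5'
    parity: Optional[str] = None
    flow: Optional[str] = None


def parse_sercfg(arg):
    """Parse a -sercfg argument such as '19200,8,n,1,N'.

    Items are classified by their shape alone, so they may come in any
    order. The classes do not overlap: 5-9 are data bits, 1/1.5/2 are stop
    bits, every other all-digit string is a baud rate, and parity and flow
    control are told apart by letter case.
    """
    cfg = SerialConfig()
    for item in arg.split(","):
        if item in DATA_BITS:
            cfg.data_bits = int(item)
        elif item in STOP_BITS:
            cfg.stop_bits = item
        elif item.isascii() and item.isdigit():
            cfg.baud = int(item)
        elif item in PARITY:
            cfg.parity = PARITY[item]
        elif item in FLOW:
            cfg.flow = FLOW[item]
        else:
            # Assumption of this example: fail loudly on anything else.
            raise ValueError(f"unrecognised -sercfg item: {item!r}")
    return cfg


if __name__ == "__main__":
    # The manual's own example argument.
    print(parse_sercfg("19200,8,n,1,N"))
```
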
3.8.3.23 -sessionlog, -sshlog, -sshrawlog: specify session logging
These options cause the PuTTY network tools to write out a log file. Each of them expects a file name as an argument, e.g. ‘-sshlog putty.log’ causes an SSH packet log to be written to a file called ‘putty.log’. The three different options select different logging modes, all available from the GUI too:
- -sessionlog selects ‘All session output’ logging mode.
- -sshlog selects ‘SSH packets’ logging mode.
- -sshrawlog selects ‘SSH packets and raw data’ logging mode.
For more information on logging configuration, see section 4.2.
3.8.3.24 -proxycmd: specify a local proxy command
This option enables PuTTY's mode for running a command on the local machine and using it as a proxy for the network connection. It expects a shell command string as an argument.
See section 4.15.1 for more information on this, and on other proxy settings. In particular, note that since the special sequences described there are understood in the argument string, literal backslashes must be doubled (if you want \ in your command, you must put \\ on the command line).
3.8.3.25 -restrict-acl: restrict the Windows process ACL
This option (on Windows only) causes PuTTY (or another PuTTY tool) to try to lock down the operating system's access control on its own process. If this succeeds, it should present an extra obstacle to malware that has managed to run under the same user id as the PuTTY process, by preventing it from attaching to PuTTY using the same interfaces debuggers use and either reading sensitive information out of its memory or hijacking its network session.
This option is not enabled by default, because this form of interaction between Windows programs has many legitimate uses, including accessibility software such as screen readers. Also, it cannot provide full security against this class of attack in any case, because PuTTY can only lock down its own ACL after it has started up, and malware could still get in if it attacks the process between startup and lockdown. So it trades away noticeable convenience, and delivers less real security than you might want. However, if you do want to make that tradeoff anyway, the option is available.
A PuTTY process started with -restrict-acl will pass that on to any processes started with Duplicate Session, New Session etc. (However, if you're invoking PuTTY tools explicitly, for instance as a proxy command, you'll need to arrange to pass them the -restrict-acl option yourself, if that's what you want.)
Chapter 4: Configuring PuTTY
This chapter describes all the configuration options in PuTTY.
PuTTY is configured using the control panel that comes up before you start a session. Some options can also be changed in the middle of a session, by selecting ‘Change Settings’ from the window menu.
4.27.9‘MisusesthesessionIDinSSH-2PKauth’
4.27.10‘HandlesSSH-2keyre-exchangebadly’
4.27.11‘IgnoresSSH-2maximumpacketsize’
4.27.12‘Repliestorequestsonclosedchannels’
4.27.13‘Onlysupportspre-RFC4419SSH-2DHGEX’
4.28TheSerialpanel
4.28.1Selectingaseriallinetoconnectto
4.28.2Selectingthespeedofyourserialline
4.28.3Selectingthenumberofdatabits
4.28.4Selectingthenumberofstopbits
4.28.5Selectingtheserialparitycheckingscheme
4.28.6Selectingtheserialflowcontrolscheme
4.29Storingconfigurationinafile

4.1.1 The host name section

The top box on the Session panel, labelled ‘Specify your connection by host name’, contains the details that need to be filled in before PuTTY can open a session at all.

- The ‘Host Name’ box is where you type the name, or the IP address, of the server you want to connect to.
- The ‘Connection type’ radio buttons let you choose what type of connection you want to make: a raw connection, a Telnet connection, an Rlogin connection, an SSH connection, or a connection to a local serial line. (See section 1.2 for a summary of the differences between SSH, Telnet and rlogin; see section 3.6 for an explanation of ‘raw’ connections; see section 3.7 for information about using a serial line.)
- The ‘Port’ box lets you specify which port number on the server to connect to. If you select Telnet, Rlogin, or SSH, this box will be filled in automatically to the usual value, and you will only need to change it if you have an unusual server. If you select Raw mode, you will almost certainly need to fill in the ‘Port’ box yourself.

If you select ‘Serial’ from the ‘Connection type’ radio buttons, the ‘Host Name’ and ‘Port’ boxes are replaced by ‘Serial line’ and ‘Speed’; see section 4.28 for more details of these.

4.1.2 Loading and storing saved sessions

The next part of the Session configuration panel allows you to save your preferred PuTTY options so they will appear automatically the next time you start PuTTY. It also allows you to create saved sessions, which contain a full set of configuration options plus a host name and protocol. A saved session contains all the information PuTTY needs to start exactly the session you want.

- To save your default settings: first set up the settings the way you want them saved. Then come back to the Session panel. Select the ‘Default Settings’ entry in the saved sessions list, with a single click. Then press the ‘Save’ button.

If there is a specific host you want to store the details of how to connect to, you should create a saved session, which will be separate from the Default Settings.

- To save a session: first go through the rest of the configuration box setting up all the options you want. Then come back to the Session panel. Enter a name for the saved session in the ‘Saved Sessions’ input box. (The server name is often a good choice for a saved session name.) Then press the ‘Save’ button. Your saved session name should now appear in the list box.
- You can also save settings in mid-session, from the ‘Change Settings’ dialog. Settings changed since the start of the session will be saved with their current values; as well as settings changed through the dialog, this includes changes in window size, window title changes sent by the server, and so on.
- To reload a saved session: single-click to select the session name in the list box, and then press the ‘Load’ button. Your saved settings should all appear in the configuration panel.
- To modify a saved session: first load it as described above. Then make the changes you want. Come back to the Session panel, and press the ‘Save’ button. The new settings will be saved over the top of the old ones. To save the new settings under a different name, you can enter the new name in the ‘Saved Sessions’ box, or single-click to select a session name in the list box to overwrite that session. To save ‘Default Settings’, you must single-click the name before saving.
- To start a saved session immediately: double-click on the session name in the list box.
- To delete a saved session: single-click to select the session name in the list box, and then press the ‘Delete’ button.

Each saved session is independent of the Default Settings configuration. If you change your preferences and update Default Settings, you must also update every saved session separately.

Saved sessions are stored in the Registry, at the location

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions

If you need to store them in a file, you could try the method described in section 4.29.

4.1.3 ‘Close Window on Exit’

Finally in the Session panel, there is an option labelled ‘Close Window on Exit’. This controls whether the PuTTY terminal window disappears as soon as the session inside it terminates. If you are likely to want to copy and paste text out of the session after it has terminated, or restart the session, you should arrange for this option to be off.

‘Close Window On Exit’ has three settings. ‘Always’ means always close the window on exit; ‘Never’ means never close on exit (always leave the window open, but inactive). The third setting, and the default one, is ‘Only on clean exit’. In this mode, a session which terminates normally will cause its window to close, but one which is aborted unexpectedly by network trouble or a confusing message from the server will leave the window up.

4.2 The Logging panel

The Logging configuration panel allows you to save log files of your PuTTY sessions, for debugging, analysis or future reference.

The main option is a radio-button set that specifies whether PuTTY will log anything at all. The options are:

- ‘None’. This is the default option; in this mode PuTTY will not create a log file at all.
- ‘Printable output’. In this mode, a log file will be created and written to, but only printable text will be saved into it. The various terminal control codes that are typically sent down an interactive session alongside the printable text will be omitted. This might be a useful mode if you want to read a log file in a text editor and hope to be able to make sense of it.
- ‘All session output’. In this mode, everything sent by the server into your terminal session is logged. If you view the log file in a text editor, therefore, you may well find it full of strange control characters. This is a particularly useful mode if you are experiencing problems with PuTTY's terminal handling: you can record everything that went to the terminal, so that someone else can replay the session later in slow motion and watch to see what went wrong.
- ‘SSH packets’. In this mode (which is only used by SSH connections), the SSH message packets sent over the encrypted connection are written to the log file (as well as Event Log entries). You might need this to debug a network-level problem, or more likely to send to the PuTTY authors as part of a bug report. BE WARNED that if you log in using a password, the password can appear in the log file; see section 4.2.4 for options that may help to remove sensitive material from the log file before you send it to anyone else.
- ‘SSH packets and raw data’. In this mode, as well as the decrypted packets (as in the previous mode), the raw (encrypted, compressed, etc) packets are also logged. This could be useful to diagnose corruption in transit. (The same caveats as the previous mode apply, of course.)

Note that the non-SSH logging options (‘Printable output’ and ‘All session output’) only work with PuTTY proper; in programs without terminal emulation (such as Plink), they will have no effect, even if enabled via saved settings.

4.2.1 ‘Log file name’
4.2.2 ‘What to do if the log file already exists’
4.2.3 ‘Flush log file frequently’
4.2.4 Options specific to SSH packet logging
4.2.4.1 ‘Omit known password fields’
4.2.4.2 ‘Omit session data’

4.2.1 ‘Log file name’

In this edit box you enter the name of the file you want to log the session to. The ‘Browse’ button will let you look around your file system to find the right place to put the file; or if you already know exactly where you want it to go, you can just type a pathname into the edit box.

There are a few special features in this box. If you use the & character in the file name box, PuTTY will insert details of the current session in the name of the file it actually opens. The precise replacements it will do are:

- &Y will be replaced by the current year, as four digits.
- &M will be replaced by the current month, as two digits.
- &D will be replaced by the current day of the month, as two digits.
- &T will be replaced by the current time, as six digits (HHMMSS) with no punctuation.
- &H will be replaced by the host name you are connecting to.
- &P will be replaced by the port number you are connecting to on the target host.

For example, if you enter the file name c:\puttylogs\log-&h-&y&m&d-&t.dat, you will end up with files looking like

log-server1.example.com-20010528-110859.dat
log-unixbox.somewhere.org-20010611-221001.dat

4.2.2 ‘What to do if the log file already exists’

This control allows you to specify what PuTTY should do if it tries to start writing to a log file and it finds the file already exists. You might want to automatically destroy the existing log file and start a new one with the same name. Alternatively, you might want to open the existing log file and add data to the end of it. Finally (the default option), you might not want to have any automatic behaviour, but to ask the user every time the problem comes up.

4.2.3 ‘Flush log file frequently’

This option allows you to control how frequently logged data is flushed to disc. By default, PuTTY will flush data as soon as it is displayed, so that if you view the log file while a session is still open, it will be up to date; and if the client system crashes, there's a greater chance that the data will be preserved.

However, this can incur a performance penalty. If PuTTY is running slowly with logging enabled, you could try unchecking this option. Be warned that the log file may not always be up to date as a result (although it will of course be flushed when it is closed, for instance at the end of a session).

4.2.4 Options specific to SSH packet logging

These options only apply if SSH packet data is being logged.

The following options allow particularly sensitive portions of unencrypted packets to be automatically left out of the log file. They are only intended to deter casual nosiness; an attacker could glean a lot of useful information from even these obfuscated logs (e.g., length of password).

4.2.4.1 ‘Omit known password fields’
4.2.4.2 ‘Omit session data’

4.2.4.1 ‘Omit known password fields’

When checked, decrypted password fields are removed from the log of transmitted packets. (This includes any user responses to challenge-response authentication methods such as ‘keyboard-interactive’.) This does not include X11 authentication data if using X11 forwarding.

Note that this will only omit data that PuTTY knows to be a password. However, if you start another login session within your PuTTY session, for instance, any password used will appear in the clear in the packet log. The next option may be of use to protect against this.

This option is enabled by default.

4.2.4.2 ‘Omit session data’

When checked, all decrypted ‘session data’ is omitted; this is defined as data in terminal sessions and in forwarded channels (TCP, X11, and authentication agent). This will usually substantially reduce the size of the resulting log file.

This option is disabled by default.

4.3 The Terminal panel

The Terminal configuration panel allows you to control the behaviour of PuTTY's terminal emulation.

4.3.1 ‘Auto wrap mode initially on’
4.3.2 ‘DEC Origin Mode initially on’
4.3.3 ‘Implicit CR in every LF’
4.3.4 ‘Implicit LF in every CR’
4.3.5 ‘Use background colour to erase screen’
4.3.6 ‘Enable blinking text’
4.3.7 ‘Answerback to ^E’
4.3.8 ‘Local echo’
4.3.9 ‘Local line editing’
4.3.10 Remote-controlled printing

4.3.1 ‘Auto wrap mode initially on’

Auto wrap mode controls what happens when text printed in a PuTTY window reaches the right-hand edge of the window.

With auto wrap mode on, if a long line of text reaches the right-hand edge, it will wrap over on to the next line so you can still see all the text. With auto wrap mode off, the cursor will stay at the right-hand edge of the screen, and all the characters in the line will be printed on top of each other.

If you are running a full-screen application and you occasionally find the screen scrolling up when it looks as if it shouldn't, you could try turning this option off.

Auto wrap mode can be turned on and off by control sequences sent by the server. This configuration option controls the default state, which will be restored when you reset the terminal (see section 3.1.3.6). However, if you modify this option in mid-session using ‘Change Settings’, it will take effect immediately.

4.3.2 ‘DEC Origin Mode initially on’

DEC Origin Mode is a minor option which controls how PuTTY interprets cursor-position control sequences sent by the server.

The server can send a control sequence that restricts the scrolling region of the display. For example, in an editor, the server might reserve a line at the top of the screen and a line at the bottom, and might send a control sequence that causes scrolling operations to affect only the remaining lines.

With DEC Origin Mode on, cursor coordinates are counted from the top of the scrolling region. With it turned off, cursor coordinates are counted from the top of the whole screen regardless of the scrolling region.

It is unlikely you would need to change this option, but if you find a full-screen application is displaying pieces of text in what looks like the wrong part of the screen, you could try turning DEC Origin Mode on to see whether that helps.

DEC Origin Mode can be turned on and off by control sequences sent by the server. This configuration option controls the default state, which will be restored when you reset the terminal (see section 3.1.3.6). However, if you modify this option in mid-session using ‘Change Settings’, it will take effect immediately.

4.3.3 ‘Implicit CR in every LF’

Most servers send two control characters, CR and LF, to start a new line of the screen. The CR character makes the cursor return to the left-hand side of the screen. The LF character makes the cursor move one line down (and might make the screen scroll).

Some servers only send LF, and expect the terminal to move the cursor over to the left automatically. If you come across a server that does this, you will see a stepped effect on the screen, like this:

    First line of text
                      Second line
                                 Third line

If this happens to you, try enabling the ‘Implicit CR in every LF’ option, and things might go back to normal:

    First line of text
    Second line
    Third line

4.3.4 ‘Implicit LF in every CR’

Most servers send two control characters, CR and LF, to start a new line of the screen. The CR character makes the cursor return to the left-hand side of the screen. The LF character makes the cursor move one line down (and might make the screen scroll).

Some servers only send CR, and so the newly written line is overwritten by the following line. This option causes a line feed so that all lines are displayed.

4.3.5 ‘Use background colour to erase screen’

Not all terminals agree on what colour to turn the screen when the server sends a ‘clear screen’ sequence. Some terminals believe the screen should always be cleared to the default background colour. Others believe the screen should be cleared to whatever the server has selected as a background colour.

There exist applications that expect both kinds of behaviour. Therefore, PuTTY can be configured to do either.

With this option disabled, screen clearing is always done in the default background colour. With this option enabled, it is done in the current background colour.

Background-colour erase can be turned on and off by control sequences sent by the server. This configuration option controls the default state, which will be restored when you reset the terminal (see section 3.1.3.6). However, if you modify this option in mid-session using ‘Change Settings’, it will take effect immediately.

4.3.6 ‘Enable blinking text’

The server can ask PuTTY to display text that blinks on and off. This is very distracting, so PuTTY allows you to turn blinking text off completely.

When blinking text is disabled and the server attempts to make some text blink, PuTTY will instead display the text with a bolded background colour.

Blinking text can be turned on and off by control sequences sent by the server. This configuration option controls the default state, which will be restored when you reset the terminal (see section 3.1.3.6). However, if you modify this option in mid-session using ‘Change Settings’, it will take effect immediately.

4.3.7 ‘Answerback to ^E’

This option controls what PuTTY will send back to the server if the server sends it the ^E enquiry character. Normally it just sends the string ‘PuTTY’.

If you accidentally write the contents of a binary file to your terminal, you will probably find that it contains more than one ^E character, and as a result your next command line will probably read ‘PuTTYPuTTYPuTTY...’ as if you had typed the answerback string multiple times at the keyboard. If you set the answerback string to be empty, this problem should go away, but doing so might cause other problems.

Note that this is not the feature of PuTTY which the server will typically use to determine your terminal type. That feature is the ‘Terminal-type string’ in the Connection panel; see section 4.14.3 for details.

You can include control characters in the answerback string using ^C notation. (Use ^~ to get a literal ^.)

4.3.8 ‘Local echo’

With local echo disabled, characters you type into the PuTTY window are not echoed in the window by PuTTY. They are simply sent to the server. (The server might choose to echo them back to you; this can't be controlled from the PuTTY control panel.)

Some types of session need local echo, and many do not. In its default mode, PuTTY will automatically attempt to deduce whether or not local echo is appropriate for the session you are working in. If you find it has made the wrong decision, you can use this configuration option to override its choice: you can force local echo to be turned on, or force it to be turned off, instead of relying on the automatic detection.

4.3.9 ‘Local line editing’

Normally, every character you type into the PuTTY window is sent immediately to the server the moment you type it.

If you enable local line editing, this changes. PuTTY will let you edit a whole line at a time locally, and the line will only be sent to the server when you press Return. If you make a mistake, you can use the Backspace key to correct it before you press Return, and the server will never see the mistake.

Since it is hard to edit a line locally without being able to see it, local line editing is mostly used in conjunction with local echo (section 4.3.8). This makes it ideal for use in raw mode or when connecting to MUDs or talkers. (Although some more advanced MUDs do occasionally turn local line editing on and turn local echo off, in order to accept a password from the user.)

Some types of session need local line editing, and many do not. In its default mode, PuTTY will automatically attempt to deduce whether or not local line editing is appropriate for the session you are working in. If you find it has made the wrong decision, you can use this configuration option to override its choice: you can force local line editing to be turned on, or force it to be turned off, instead of relying on the automatic detection.

4.3.10 Remote-controlled printing

A lot of VT100-compatible terminals support printing under control of the remote server (sometimes called ‘passthrough printing’). PuTTY supports this feature as well, but it is turned off by default.

To enable remote-controlled printing, choose a printer from the ‘Printer to send ANSI printer output to’ drop-down list box. This should allow you to select from all the printers you have installed drivers for on your computer. Alternatively, you can type the network name of a networked printer (for example, \\printserver\printer1) even if you haven't already installed a driver for it on your own machine.

When the remote server attempts to print some data, PuTTY will send that data to the printer raw - without translating it, attempting to format it, or doing anything else to it. It is up to you to ensure your remote server knows what type of printer it is talking to.

Since PuTTY sends data to the printer raw, it cannot offer options such as portrait versus landscape, print quality, or paper tray selection. All these things would be done by your PC printer driver (which PuTTY bypasses); if you need them done, you will have to find a way to configure your remote server to do them.

To disable remote printing again, choose ‘None (printing disabled)’ from the printer selection list. This is the default state.

4.4 The Keyboard panel

The Keyboard configuration panel allows you to control the behaviour of the keyboard in PuTTY. The correct state for many of these settings depends on what the server to which PuTTY is connecting expects. With a Unix server, this is likely to depend on the termcap or terminfo entry it uses, which in turn is likely to be controlled by the ‘Terminal-type string’ setting in the Connection panel; see section 4.14.3 for details. If none of the settings here seems to help, you may find question A.7.13 to be useful.

4.4.1 Changing the action of the Backspace key
4.4.2 Changing the action of the Home and End keys
4.4.3 Changing the action of the function keys and keypad
4.4.4 Controlling Application Cursor Keys mode
4.4.5 Controlling Application Keypad mode
4.4.6 Using NetHack keypad mode
4.4.7 Enabling a DEC-like Compose key
4.4.8 ‘Control-Alt is different from AltGr’

4.4.1 Changing the action of the Backspace key

Some terminals believe that the Backspace key should send the same thing to the server as Control-H (ASCII code 8). Other terminals believe that the Backspace key should send ASCII code 127 (usually known as Control-?) so that it can be distinguished from Control-H. This option allows you to choose which code PuTTY generates when you press Backspace.

If you are connecting over SSH, PuTTY by default tells the server the value of this option (see section 4.24.2), so you may find that the Backspace key does the right thing either way. Similarly, if you are connecting to a Unix system, you will probably find that the Unix stty command lets you configure which the server expects to see, so again you might not need to change which one PuTTY generates. On other systems, the server's expectation might be fixed and you might have no choice but to configure PuTTY.

If you do have the choice, we recommend configuring PuTTY to generate Control-? and configuring the server to expect it, because that allows applications such as emacs to use Control-H for help.

(Typing Shift-Backspace will cause PuTTY to send whichever code isn't configured here as the default.)

4.4.2 Changing the action of the Home and End keys

The Unix terminal emulator rxvt disagrees with the rest of the world about what character sequences should be sent to the server by the Home and End keys.

xterm, and other terminals, send ESC [1~ for the Home key, and ESC [4~ for the End key. rxvt sends ESC [H for the Home key and ESC [Ow for the End key.

If you find an application on which the Home and End keys aren't working, you could try switching this option to see if it helps.

4.4.3 Changing the action of the function keys and keypad

This option affects the function keys (F1 to F12) and the top row of the numeric keypad.

- In the default mode, labelled ESC [n~, the function keys generate sequences like ESC [11~, ESC [12~ and so on. This matches the general behaviour of Digital's terminals.
- In Linux mode, F6 to F12 behave just like the default mode, but F1 to F5 generate ESC [[A through to ESC [[E. This mimics the Linux virtual console.
- In Xterm R6 mode, F5 to F12 behave like the default mode, but F1 to F4 generate ESC OP through to ESC OS, which are the sequences produced by the top row of the keypad on Digital's terminals.
- In VT400 mode, all the function keys behave like the default mode, but the actual top row of the numeric keypad generates ESC OP through to ESC OS.
- In VT100+ mode, the function keys generate ESC OP through to ESC O[
- In SCO mode, the function keys F1 to F12 generate ESC [M through to ESC [X. Together with shift, they generate ESC [Y through to ESC [j. With control they generate ESC [k through to ESC [v, and with shift and control together they generate ESC [w through to ESC [{.

If you don't know what any of this means, you probably don't need to fiddle with it.

4.4.4 Controlling Application Cursor Keys mode

Application Cursor Keys mode is a way for the server to change the control sequences sent by the arrow keys. In normal mode, the arrow keys send ESC [A through to ESC [D. In application mode, they send ESC OA through to ESC OD.

Application Cursor Keys mode can be turned on and off by the server, depending on the application. PuTTY allows you to configure the initial state.

You can also disable application cursor keys mode completely, using the ‘Features’ configuration panel; see section 4.6.1.

4.4.5 Controlling Application Keypad mode

Application Keypad mode is a way for the server to change the behaviour of the numeric keypad.

In normal mode, the keypad behaves like a normal Windows keypad: with NumLock on, the number keys generate numbers, and with NumLock off they act like the arrow keys and Home, End etc.

In application mode, all the keypad keys send special control sequences, including Num Lock. Num Lock stops behaving like Num Lock and becomes another function key.

Depending on which version of Windows you run, you may find the Num Lock light still flashes on and off every time you press Num Lock, even when application mode is active and Num Lock is acting like a function key. This is unavoidable.

Application keypad mode can be turned on and off by the server, depending on the application. PuTTY allows you to configure the initial state.

You can also disable application keypad mode completely, using the ‘Features’ configuration panel; see section 4.6.1.

4.4.6 Using NetHack keypad mode

PuTTY has a special mode for playing NetHack. You can enable it by selecting ‘NetHack’ in the ‘Initial state of numeric keypad’ control.

In this mode, the numeric keypad keys 1-9 generate the NetHack movement commands (hjklyubn). The 5 key generates the . command (do nothing).

In addition, pressing Shift or Ctrl with the keypad keys generate the Shift- or Ctrl-keys you would expect (e.g. keypad-7 generates ‘y’, so Shift-keypad-7 generates ‘Y’ and Ctrl-keypad-7 generates Ctrl-Y); these commands tell NetHack to keep moving you in the same direction until you encounter something interesting.

For some reason, this feature only works properly when Num Lock is on. We don't know why.

4.4.7 Enabling a DEC-like Compose key

DEC terminals have a Compose key, which provides an easy-to-remember way of typing accented characters. You press Compose and then type two more characters. The two characters are ‘combined’ to produce an accented character. The choices of character are designed to be easy to remember; for example, composing ‘e’ and ‘`’ produces the ‘è’ character.

If your keyboard has a Windows Application key, it acts as a Compose key in PuTTY. Alternatively, if you enable the ‘AltGr acts as Compose key’ option, the AltGr key will become a Compose key.

4.4.8 ‘Control-Alt is different from AltGr’

Some old keyboards do not have an AltGr key, which can make it difficult to type some characters. PuTTY can be configured to treat the key combination Ctrl + Left Alt the same way as the AltGr key.

By default, this checkbox is checked, and the key combination Ctrl + Left Alt does something completely different. PuTTY's usual handling of the left Alt key is to prefix the Escape (Control-[) character to whatever character sequence the rest of the keypress would generate. For example, Alt-A generates Escape followed by a. So Alt-Ctrl-A would generate Escape, followed by Control-A.

If you uncheck this box, Ctrl-Alt will become a synonym for AltGr, so you can use it to type extra graphic characters if your keyboard has any.

(However, Ctrl-Alt will never act as a Compose key, regardless of the setting of ‘AltGr acts as Compose key’ described in section 4.4.7.)

4.5 The Bell panel

The Bell panel controls the terminal bell feature: the server's ability to cause PuTTY to beep at you.

In the default configuration, when the server sends the character with ASCII code 7 (Control-G), PuTTY will play the Windows Default Beep sound. This is not always what you want the terminal bell feature to do; the Bell panel allows you to configure alternative actions.

4.5.1 ‘Set the style of bell’
4.5.2 ‘Taskbar/caption indication on bell’
4.5.3 ‘Control the bell overload behaviour’

4.5.1 ‘Set the style of bell’

This control allows you to select various different actions to occur on a terminal bell:

- Selecting ‘None’ disables the bell completely. In this mode, the server can send as many Control-G characters as it likes and nothing at all will happen.
- ‘Make default system alert sound’ is the default setting. It causes the Windows ‘Default Beep’ sound to be played. To change what this sound is, or to test it if nothing seems to be happening, use the Sound configurer in the Windows Control Panel.
- ‘Visual bell’ is a silent alternative to a beeping computer. In this mode, when the server sends a Control-G, the whole PuTTY window will flash white for a fraction of a second.
- ‘Beep using the PC speaker’ is self-explanatory.
- ‘Play a custom sound file’ allows you to specify a particular sound file to be used by PuTTY alone, or even by a particular individual PuTTY session. This allows you to distinguish your PuTTY beeps from any other beeps on the system. If you select this option, you will also need to enter the name of your sound file in the edit control ‘Custom sound file to play as a bell’.

4.5.2 ‘Taskbar/caption indication on bell’

This feature controls what happens to the PuTTY window's entry in the Windows Taskbar if a bell occurs while the window does not have the input focus.

In the default state (‘Disabled’) nothing unusual happens.

If you select ‘Steady’, then when a bell occurs and the window is not in focus, the window's Taskbar entry and its title bar will change colour to let you know that PuTTY session is asking for your attention. The change of colour will persist until you select the window, so you can leave several PuTTY windows minimised in your terminal, go away from your keyboard, and be sure not to have missed any important beeps when you get back.

‘Flashing’ is even more eye-catching: the Taskbar entry will continuously flash on and off until you select the window.

4.5.3 ‘Control the bell overload behaviour’

A common user error in a terminal session is to accidentally run the Unix command cat (or equivalent) on an inappropriate file type, such as an executable, image file, or ZIP file. This produces a huge stream of non-text characters sent to the terminal, which typically includes a lot of bell characters. As a result of this the terminal often doesn't stop beeping for ten minutes, and everybody else in the office gets annoyed.

To try to avoid this behaviour, or any other cause of excessive beeping, PuTTY includes a bell overload management feature. In the default configuration, receiving more than five bell characters in a two-second period will cause the overload feature to activate. Once the overload feature is active, further bells will have no effect at all, so the rest of your binary file will be sent to the screen in silence. After a period of five seconds during which no further bells are received, the overload feature will turn itself off again and bells will be re-enabled.

If you want this feature completely disabled, you can turn it off using the checkbox ‘Bell is temporarily disabled when over-used’.

Alternatively, if you like the bell overload feature but don't agree with the settings, you can configure the details: how many bells constitute an overload, how short a time period they have to arrive in to do so, and how much silent time is required before the overload feature will deactivate itself.

Bell overload mode is always deactivated by any keypress in the terminal. This means it can respond to large unexpected streams of data, but does not interfere with ordinary command-line activities that generate beeps (such as filename completion).
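
The overload rule described above, modelled as a small state machine. This Python example is added here and follows the manual's wording; it is not PuTTY's own code. The class and method names are hypothetical, and silencing the bell that triggers the overload is an assumption the text does not settle.

```python
from collections import deque


class BellOverload:
    """Model of the bell overload rule: too many bells in a short window
    mute the bell until a quiet period or a keypress re-enables it."""

    def __init__(self, max_bells=5, window=2.0, silence=5.0, enabled=True):
        self.max_bells = max_bells   # "more than five bell characters"
        self.window = window         # "in a two-second period"
        self.silence = silence       # "five seconds ... no further bells"
        self.enabled = enabled       # 'Bell is temporarily disabled when over-used'
        self.recent = deque()        # timestamps of bells inside the window
        self.overloaded = False
        self.last_bell = None

    def _reset(self):
        self.overloaded = False
        self.recent.clear()

    def keypress(self):
        """Any keypress in the terminal always deactivates overload mode."""
        self._reset()

    def bell(self, now):
        """Record a bell at time `now` (seconds); return True if it should sound."""
        # A long enough gap since the previous bell ends the overload.
        if self.overloaded and now - self.last_bell >= self.silence:
            self._reset()
        self.last_bell = now
        if not self.enabled:
            return True
        if self.overloaded:
            # Bells received while overloaded are dropped and restart the
            # quiet-period clock (last_bell was updated above).
            return False
        self.recent.append(now)
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) > self.max_bells:
            self.overloaded = True
            return False  # assumption: the triggering bell is silenced too
        return True


if __name__ == "__main__":
    # Constructed timeline: a burst of bells, stragglers, then a quiet gap.
    b = BellOverload()
    for t in [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 1.0, 3.0, 7.9, 13.0]:
        print(f"t={t:5.1f}s  sounds={b.bell(t)}  overloaded={b.overloaded}")
```
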
4.6TheFeaturespanel
PuTTY'sterminalemulationisveryhighlyfeatured,andcandoalotof
thingsunderremoteservercontrol.Someofthesefeaturescancause
problemsduetobuggyorstrangelyconfiguredserverapplications.
TheFeaturesconfigurationpanelallowsyoutodisablesomeofPuTTY's
moreadvancedterminalfeatures,incasetheycausetrouble.
4.6.1Disablingapplicationkeypadandcursorkeys
4.6.2Disablingxterm-stylemousereporting
4.6.3Disablingremoteterminalresizing
4.6.4Disablingswitchingtothealternatescreen
4.6.5Disablingremotewindowtitlechanging
4.6.6Responsetoremotewindowtitlequerying
4.6.7Disablingremotescrollbackclearing
4.6.8Disablingdestructivebackspace
4.6.9Disablingremotecharactersetconfiguration
4.6.10DisablingArabictextshaping
4.6.11Disablingbidirectionaltextdisplay
4.6.1Disablingapplicationkeypadandcursor
keys
Applicationkeypadmode(seesection4.4.5)andapplicationcursorkeys
mode(seesection4.4.4)alterthebehaviourofthekeypadandcursor
keys.Someapplicationsenablethesemodesbutthendonotdeal
correctlywiththemodifiedkeys.Youcanforcethesemodestobe
permanentlydisablednomatterwhattheservertriestodo.
4.6.2Disablingxterm-stylemousereporting
PuTTYallowstheservertosendcontrolcodesthatletittakeoverthe
mouseanduseitforpurposesotherthancopyandpaste.Applications
whichusethisfeatureincludethetext-modewebbrowserlinks,the
Usenetnewsreadertrnversion4,andthefilemanagermc(Midnight
Commander).
Ifyoufindthisfeatureinconvenient,youcandisableitusingthe‘Disable
xterm-stylemousereporting’control.Withthisboxticked,themousewill
alwaysdocopyandpasteinthenormalway.
Notethateveniftheapplicationtakesoverthemouse,youcanstill
managePuTTY'scopyandpastebyholdingdowntheShiftkeywhileyou
selectandpaste,unlessyouhavedeliberatelyturnedthisfeatureoff(see
section4.11.3).
4.6.3Disablingremoteterminalresizing
PuTTYhastheabilitytochangetheterminal'ssizeandpositionin
responsetocommandsfromtheserver.IfyoufindPuTTYisdoingthis
unexpectedlyorinconveniently,youcantellPuTTYnottorespondto
thoseservercommands.
4.6.4 Disabling switching to the alternate screen
Many terminals, including PuTTY, support an ‘alternate screen’. This is the same size as the ordinary terminal screen, but separate. Typically a screen-based program such as a text editor might switch the terminal to the alternate screen before starting up. Then at the end of the run, it switches back to the primary screen, and you see the screen contents just as they were before starting the editor.
Some people prefer this not to happen. If you want your editor to run in the same screen as the rest of your terminal activity, you can disable the alternate screen feature completely.
4.6.5 Disabling remote window title changing
PuTTY has the ability to change the window title in response to commands from the server. If you find PuTTY is doing this unexpectedly or inconveniently, you can tell PuTTY not to respond to those server commands.
4.6.6 Response to remote window title querying
PuTTY can optionally provide the xterm service of allowing server applications to find out the local window title. This feature is disabled by default, but you can turn it on if you really want it.
NOTE that this feature is a potential security hazard. If a malicious application can write data to your terminal (for example, if you merely cat a file owned by someone else on the server machine), it can change your window title (unless you have disabled this as mentioned in section 4.6.5) and then use this service to have the new window title sent back to the server as if typed at the keyboard. This allows an attacker to fake keypresses and potentially cause your server-side applications to do things you didn't want. Therefore this feature is disabled by default, and we recommend you do not set it to ‘Window title’ unless you really know what you are doing.
There are three settings for this option:
‘None’
PuTTY makes no response whatsoever to the relevant escape sequence. This may upset server-side software that is expecting some sort of response.
‘Empty string’
PuTTY makes a well-formed response, but leaves it blank. Thus, server-side software that expects a response is kept happy, but an attacker cannot influence the response string. This is probably the setting you want if you have no better ideas.
‘Window title’
PuTTY responds with the actual window title. This is dangerous for the reasons described above.
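An added example, not part of the PuTTY manual or PuTTY's own code: a Python check that flags the pair of sequences the note above describes (a title-setting sequence followed by a title query) in data you are about to display, and renders the control bytes inert. It assumes the standard 7-bit xterm encodings (OSC 0/1/2 to set a title, CSI 20 t and CSI 21 t to query it); the function names and sample bytes are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# OSC <n> ; <text> ended by BEL or ST (ESC \).
# n = 0 or 2 sets the window title, n = 1 sets the icon title.
TITLE_SET = re.compile(rb"\x1b\]([012]);([^\x07\x1b]*)(?:\x07|\x1b\\)")
# CSI 21 t asks the terminal to report its window title, CSI 20 t its icon title.
TITLE_QUERY = re.compile(rb"\x1b\[(2[01])t")
# Assumption: only 7-bit forms are matched; 8-bit C1 introducers are not covered.


class Finding(NamedTuple):
    offset: int   # byte offset of the sequence in the input
    kind: str     # "title-set" or "title-query"
    detail: str   # human-readable description


def find_title_sequences(data: bytes) -> List[Finding]:
    """List every title-set and title-query sequence, ordered by offset."""
    findings = []
    for m in TITLE_SET.finditer(data):
        text = m.group(2).decode("utf-8", "replace")
        findings.append(
            Finding(m.start(), "title-set", f"OSC {m.group(1).decode()} title={text!r}")
        )
    for m in TITLE_QUERY.finditer(data):
        findings.append(Finding(m.start(), "title-query", f"CSI {m.group(1).decode()} t"))
    return sorted(findings)


def reflects_title(data: bytes) -> bool:
    """True if the data sets a title and later asks for it to be reported.

    This only looks inside one blob; a query on its own can still reflect a
    title set by earlier output, so a lone query is worth reviewing too.
    """
    title_was_set = False
    for finding in find_title_sequences(data):
        if finding.kind == "title-set":
            title_was_set = True
        elif title_was_set:
            return True
    return False


def make_visible(data: bytes) -> bytes:
    """Replace ESC and BEL with caret notation so a terminal prints them
    instead of interpreting them (similar in spirit to `cat -v`)."""
    return data.replace(b"\x1b", b"^[").replace(b"\x07", b"^G")


# Constructed sample: ordinary text with a title-set and a title-query embedded.
SAMPLE = b"line one\n\x1b]2;constructed title\x07line two\n\x1b[21tline three\n"

if __name__ == "__main__":
    for finding in find_title_sequences(SAMPLE):
        print(f"offset {finding.offset}: {finding.kind}: {finding.detail}")
    print("set-then-query pattern present:", reflects_title(SAMPLE))
    print(make_visible(SAMPLE).decode("ascii"))
```

With the ‘None’ or ‘Empty string’ settings the query half of the pair has no useful effect in PuTTY, so a hit from this check matters most for sessions set to ‘Window title’.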
4.6.7 Disabling remote scrollback clearing
PuTTY has the ability to clear the terminal's scrollback buffer in response to a command from the server. If you find PuTTY is doing this unexpectedly or inconveniently, you can tell PuTTY not to respond to that server command.
4.6.8 Disabling destructive backspace
Normally, when PuTTY receives character 127 (^?) from the server, it will perform a ‘destructive backspace’: move the cursor one space left and delete the character under it. This can apparently cause problems in some applications, so PuTTY provides the ability to configure character 127 to perform a normal backspace (without deleting a character) instead.
4.6.9 Disabling remote character set configuration
PuTTY has the ability to change its character set configuration in response to commands from the server. Some programs send these commands unexpectedly or inconveniently. In particular, BitchX (an IRC client) seems to have a habit of reconfiguring the character set to something other than the user intended.
If you find that accented characters are not showing up the way you expect them to, particularly if you're running BitchX, you could try disabling the remote character set configuration commands.
4.6.10 Disabling Arabic text shaping
PuTTY supports shaping of Arabic text, which means that if your server sends text written in the basic Unicode Arabic alphabet then it will convert it to the correct display forms before printing it on the screen.
If you are using full-screen software which was not expecting this to happen (especially if you are not an Arabic speaker and you unexpectedly find yourself dealing with Arabic text files in applications which are not Arabic-aware), you might find that the display becomes corrupted. By ticking this box, you can disable Arabic text shaping so that PuTTY displays precisely the characters it is told to display.
You may also find you need to disable bidirectional text display; see section 4.6.11.
4.6.11 Disabling bidirectional text display
PuTTY supports bidirectional text display, which means that if your server sends text written in a language which is usually displayed from right to left (such as Arabic or Hebrew) then PuTTY will automatically flip it round so that it is displayed in the right direction on the screen.
If you are using full-screen software which was not expecting this to happen (especially if you are not an Arabic speaker and you unexpectedly find yourself dealing with Arabic text files in applications which are not Arabic-aware), you might find that the display becomes corrupted. By ticking this box, you can disable bidirectional text display, so that PuTTY displays text from left to right in all situations.
You may also find you need to disable Arabic text shaping; see section 4.6.10.
4.7.1 Setting the size of the PuTTY window
The ‘Columns’ and ‘Rows’ boxes let you set the PuTTY window to a precise size. Of course you can also drag the window to a new size while a session is running.
4.7.2 What to do when the window is resized
These options allow you to control what happens when the user tries to resize the PuTTY window using its window furniture.
There are four options here:
‘Change the number of rows and columns’: the font size will not change. (This is the default.)
‘Change the size of the font’: the number of rows and columns in the terminal will stay the same, and the font size will change.
‘Change font size when maximised’: when the window is resized, the number of rows and columns will change, except when the window is maximised (or restored), when the font size will change. (In this mode, holding down the Alt key while resizing will also cause the font size to change.)
‘Forbid resizing completely’: the terminal will refuse to be resized at all.
4.7.3 Controlling scrollback
These options let you configure the way PuTTY keeps text after it scrolls off the top of the screen (see section 3.1.2).
The ‘Lines of scrollback’ box lets you configure how many lines of text PuTTY keeps. The ‘Display scrollbar’ options allow you to hide the scrollbar (although you can still view the scrollback using the keyboard as described in section 3.1.2). You can separately configure whether the scrollbar is shown in full-screen mode and in normal modes.
If you are viewing part of the scrollback when the server sends more text to PuTTY, the screen will revert to showing the current terminal contents. You can disable this behaviour by turning off ‘Reset scrollback on display activity’. You can also make the screen revert when you press a key, by turning on ‘Reset scrollback on keypress’.
4.7.4 ‘Push erased text into scrollback’
When this option is enabled, the contents of the terminal screen will be pushed into the scrollback when a server-side application clears the screen, so that your scrollback will contain a better record of what was on your screen in the past.
If the application switches to the alternate screen (see section 4.6.4 for more about this), then the contents of the primary screen will be visible in the scrollback until the application switches back again.
This option is enabled by default.
4.8 The Appearance panel
The Appearance configuration panel allows you to control aspects of the appearance of PuTTY's window.
4.8.1 Controlling the appearance of the cursor
4.8.2 Controlling the font used in the terminal window
4.8.3 ‘Hide mouse pointer when typing in window’
4.8.4 Controlling the window border
4.8.1 Controlling the appearance of the cursor
The ‘Cursor appearance’ option lets you configure the cursor to be a block, an underline, or a vertical line. A block cursor becomes an empty box when the window loses focus; an underline or a vertical line becomes dotted.
The ‘Cursor blinks’ option makes the cursor blink on and off. This works in any of the cursor modes.
4.8.2 Controlling the font used in the terminal window
This option allows you to choose what font, in what size, the PuTTY terminal window uses to display the text in the session.
By default, you will be offered a choice from all the fixed-width fonts installed on the system, since VT100-style terminal handling expects a fixed-width font. If you tick the box marked ‘Allow selection of variable-pitch fonts’, however, PuTTY will offer variable-width fonts as well: if you select one of these, the font will be coerced into fixed-size character cells, which will probably not look very good (but can work OK with some fonts).
4.8.3 ‘Hide mouse pointer when typing in window’
If you enable this option, the mouse pointer will disappear if the PuTTY window is selected and you press a key. This way, it will not obscure any of the text in the window while you work in your session. As soon as you move the mouse, the pointer will reappear.
This option is disabled by default, so the mouse pointer remains visible at all times.
4.8.4 Controlling the window border
PuTTY allows you to configure the appearance of the window border to some extent.
The checkbox marked ‘Sunken-edge border’ changes the appearance of the window border to something more like a DOS box: the inside edge of the border is highlighted as if it sank down to meet the surface inside the window. This makes the border a little bit thicker as well. It's hard to describe well. Try it and see if you like it.
You can also configure a completely blank gap between the text in the window and the border, using the ‘Gap between text and window edge’ control. By default this is set at one pixel. You can reduce it to zero, or increase it further.
4.9 The Behaviour panel
The Behaviour configuration panel allows you to control aspects of the behaviour of PuTTY's window.
4.9.1 Controlling the window title
4.9.2 ‘Warn before closing window’
4.9.3 ‘Window closes on ALT-F4’
4.9.4 ‘System menu appears on ALT-Space’
4.9.5 ‘System menu appears on Alt alone’
4.9.6 ‘Ensure window is always on top’
4.9.7 ‘Full screen on Alt-Enter’
4.9.1 Controlling the window title
The ‘Window title’ edit box allows you to set the title of the PuTTY window. By default the window title will contain the host name followed by ‘PuTTY’, for example server1.example.com - PuTTY. If you want a different window title, this is where to set it.
PuTTY allows the server to send xterm control sequences which modify the title of the window in mid-session (unless this is disabled - see section 4.6.5); the title string set here is therefore only the initial window title.
As well as the window title, there is also an xterm sequence to modify the title of the window's icon. This makes sense in a windowing system where the window becomes an icon when minimised, such as Windows 3.1 or most X Window System setups; but in the Windows 95-like user interface it isn't as applicable.
By default, PuTTY only uses the server-supplied window title, and ignores the icon title entirely. If for some reason you want to see both titles, check the box marked ‘Separate window and icon titles’. If you do this, PuTTY's window title and Taskbar caption will change into the server-supplied icon title if you minimise the PuTTY window, and change back to the server-supplied window title if you restore it. (If the server has not bothered to supply a window or icon title, none of this will happen.)
4.9.2 ‘Warn before closing window’
If you press the Close button in a PuTTY window that contains a running session, PuTTY will put up a warning window asking if you really meant to close the window. A window whose session has already terminated can always be closed without a warning.
If you want to be able to close a window quickly, you can disable the ‘Warn before closing window’ option.
4.9.4 ‘System menu appears on ALT-Space’
If this option is enabled, then pressing ALT-Space will bring up the PuTTY window's menu, like clicking on the top left corner. If it is disabled, then pressing ALT-Space will just send ESC SPACE to the server.
Some accessibility programs for Windows may need this option enabling to be able to control PuTTY's window successfully. For instance, Dragon NaturallySpeaking requires it both to open the system menu via voice, and to close, minimise, maximise and restore the window.
4.9.5 ‘System menu appears on Alt alone’
If this option is enabled, then pressing and releasing ALT will bring up the PuTTY window's menu, like clicking on the top left corner. If it is disabled, then pressing and releasing ALT will have no effect.
4.9.6 ‘Ensure window is always on top’
If this option is enabled, the PuTTY window will stay on top of all other windows.
4.9.7 ‘Full screen on Alt-Enter’
If this option is enabled, then pressing Alt-Enter will cause the PuTTY window to become full-screen. Pressing Alt-Enter again will restore the previous window size.
The full-screen feature is also available from the System menu, even when it is configured not to be available on the Alt-Enter key. See section 3.1.3.7.
4.10 The Translation panel
The Translation configuration panel allows you to control the translation between the character set understood by the server and the character set understood by PuTTY.
4.10.1 Controlling character set translation
4.10.2 ‘Treat CJK ambiguous characters as wide’
4.10.3 ‘Caps Lock acts as Cyrillic switch’
4.10.4 Controlling display of line-drawing characters
4.10.5 Controlling copy and paste of line drawing characters
4.10.1 Controlling character set translation
During an interactive session, PuTTY receives a stream of 8-bit bytes from the server, and in order to display them on the screen it needs to know what character set to interpret them in. Similarly, PuTTY needs to know how to translate your keystrokes into the encoding the server expects. Unfortunately, there is no satisfactory mechanism for PuTTY and the server to communicate this information, so it must usually be manually configured.
There are a lot of character sets to choose from. The ‘Remote character set’ option lets you select one.
By default PuTTY will use the UTF-8 encoding of Unicode, which can represent pretty much any character; data coming from the server is interpreted as UTF-8, and keystrokes are sent UTF-8 encoded. This is what most modern distributions of Linux will expect by default. However, if this is wrong for your server, you can select a different character set using this control.
A few other notable character sets are:
The ISO-8859 series are all standard character sets that include various accented characters appropriate for different sets of languages.
The Win125x series are defined by Microsoft, for similar purposes. In particular Win1252 is almost equivalent to ISO-8859-1, but contains a few extra characters such as matched quotes and the Euro symbol.
If you want the old IBM PC character set with block graphics and line-drawing characters, you can select ‘CP437’.
If you need support for a numeric code page which is not listed in the drop-down list, such as code page 866, then you can try entering its name manually (CP866 for example) in the list box. If the underlying version of Windows has the appropriate translation table installed, PuTTY will use it.
4.10.2 ‘Treat CJK ambiguous characters as wide’
There are some Unicode characters whose width is not well-defined. In most contexts, such characters should be treated as single-width for the purposes of wrapping and so on; however, in some CJK contexts, they are better treated as double-width for historical reasons, and some server-side applications may expect them to be displayed as such. Setting this option will cause PuTTY to take the double-width interpretation.
If you use legacy CJK applications, and you find your lines are wrapping in the wrong places, or you are having other display problems, you might want to play with this setting.
This option only has any effect in UTF-8 mode (see section 4.10.1).
4.10.3 ‘Caps Lock acts as Cyrillic switch’
This feature allows you to switch between a US/UK keyboard layout and a Cyrillic keyboard layout by using the Caps Lock key, if you need to type (for example) Russian and English side by side in the same document.
Currently this feature is not expected to work properly if your native keyboard layout is not US or UK.
4.10.4 Controlling display of line-drawing characters
VT100-series terminals allow the server to send control sequences that shift temporarily into a separate character set for drawing simple lines and boxes. However, there are a variety of ways in which PuTTY can attempt to find appropriate characters, and the right one to use depends on the locally configured font. In general you should probably try lots of options until you find one that your particular font supports.
‘Use Unicode line drawing code points’ tries to use the box characters that are present in Unicode. For good Unicode-supporting fonts this is probably the most reliable and functional option.
‘Poor man's line drawing’ assumes that the font cannot generate the line and box characters at all, so it will use the +, - and | characters to draw approximations to boxes. You should use this option if none of the other options works.
‘Font has XWindows encoding’ is for use with fonts that have a special encoding, where the lowest 32 character positions (below the ASCII printable range) contain the line-drawing characters. This is unlikely to be the case with any standard Windows font; it will probably only apply to custom-built fonts or fonts that have been automatically converted from the X Window System.
‘Use font in both ANSI and OEM modes’ tries to use the same font in two different character sets, to obtain a wider range of characters. This doesn't always work; some fonts claim to be a different size depending on which character set you try to use.
‘Use font in OEM mode only’ is more reliable than that, but can miss out other characters from the main character set.
4.10.5 Controlling copy and paste of line drawing characters
By default, when you copy and paste a piece of the PuTTY screen that contains VT100 line and box drawing characters, PuTTY will paste them in the form they appear on the screen: either Unicode line drawing code points, or the ‘poor man's’ line-drawing characters +, - and |. The checkbox ‘Copy and paste VT100 line drawing chars as lqqqk’ disables this feature, so line-drawing characters will be pasted as the ASCII characters that were printed to produce them. This will typically mean they come out mostly as q and x, with a scattering of jklmntuvw at the corners. This might be useful if you were trying to recreate the same box layout in another program, for example.
Note that this option only applies to line-drawing characters which were printed by using the VT100 mechanism. Line-drawing characters that were received as Unicode code points will paste as Unicode always.
4.11 The Selection panel
The Selection panel allows you to control the way copy and paste work in the PuTTY window.
4.11.1 Pasting in Rich Text Format
4.11.2 Changing the actions of the mouse buttons
4.11.3 ‘Shift overrides application's use of mouse’
4.11.4 Default selection mode
4.11.5 Configuring word-by-word selection
4.11.1 Pasting in Rich Text Format
If you enable ‘Paste to clipboard in RTF as well as plain text’, PuTTY will write formatting information to the clipboard as well as the actual text you copy. The effect of this is that if you paste into (say) a word processor, the text will appear in the word processor in the same font, colour, and style (e.g. bold, underline) PuTTY was using to display it.
This option can easily be inconvenient, so by default it is disabled.
4.11.2 Changing the actions of the mouse buttons
PuTTY's copy and paste mechanism is by default modelled on the Unix xterm application. The X Window System uses a three-button mouse, and the convention is that the left button selects, the right button extends an existing selection, and the middle button pastes.
Windows often only has two mouse buttons, so in PuTTY's default configuration (‘Compromise’), the right button pastes, and the middle button (if you have one) extends a selection.
If you have a three-button mouse and you are already used to the xterm arrangement, you can select it using the ‘Action of mouse buttons’ control.
Alternatively, with the ‘Windows’ option selected, the middle button extends, and the right button brings up a context menu (on which one of the options is ‘Paste’). (This context menu is always available by holding down Ctrl and right-clicking, regardless of the setting of this option.)
4.11.3 ‘Shift overrides application's use of mouse’
PuTTY allows the server to send control codes that let it take over the mouse and use it for purposes other than copy and paste. Applications which use this feature include the text-mode web browser links, the Usenet newsreader trn version 4, and the file manager mc (Midnight Commander).
When running one of these applications, pressing the mouse buttons no longer performs copy and paste. If you do need to copy and paste, you can still do so if you hold down Shift while you do your mouse clicks.
However, it is possible in theory for applications to even detect and make use of Shift + mouse clicks. We don't know of any applications that do this, but in case someone ever writes one, unchecking the ‘Shift overrides application's use of mouse’ checkbox will cause Shift + mouse clicks to go to the server as well (so that mouse-driven copy and paste will be completely disabled).
If you want to prevent the application from taking over the mouse at all, you can do this using the Features control panel; see section 4.6.2.
4.11.4 Default selection mode
As described in section 3.1.1, PuTTY has two modes of selecting text to be copied to the clipboard. In the default mode (‘Normal’), dragging the mouse from point A to point B selects to the end of the line containing A, all the lines in between, and from the very beginning of the line containing B. In the other mode (‘Rectangular block’), dragging the mouse between two points defines a rectangle, and everything within that rectangle is copied.
Normally, you have to hold down Alt while dragging the mouse to select a rectangular block. Using the ‘Default selection mode’ control, you can set rectangular selection as the default, and then you have to hold down Alt to get the normal behaviour.
4.11.5 Configuring word-by-word selection
PuTTY will select a word at a time in the terminal window if you double-click to begin the drag. This panel allows you to control precisely what is considered to be a word.
Each character is given a class, which is a small number (typically 0, 1 or 2). PuTTY considers a single word to be any number of adjacent characters in the same class. So by modifying the assignment of characters to classes, you can modify the word-by-word selection behaviour.
In the default configuration, the character classes are:
Class 0 contains white space and control characters.
Class 1 contains most punctuation.
Class 2 contains letters, numbers and a few pieces of punctuation (the double quote, minus sign, period, forward slash and underscore).
So, for example, if you assign the @ symbol into character class 2, you will be able to select an e-mail address with just a double click.
In order to adjust these assignments, you start by selecting a group of characters in the list box. Then enter a class number in the edit box below, and press the ‘Set’ button.
This mechanism currently only covers ASCII characters, because it isn't feasible to expand the list to cover the whole of Unicode.
Character class definitions can be modified by control sequences sent by the server. This configuration option controls the default state, which will be restored when you reset the terminal (see section 3.1.3.6). However, if you modify this option in mid-session using ‘Change Settings’, it will take effect immediately.
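The class rule described above, as an added Python example that is not taken from the manual or from PuTTY's source. The class table is built from the manual's description of the defaults (PuTTY's real table may differ in detail), and treating non-ASCII characters as class 2 is an assumption made only so the function handles any input.

```python
from typing import Dict


def default_classes() -> Dict[str, int]:
    """ASCII class table following the manual's description of the defaults."""
    classes = {}
    for code in range(128):
        ch = chr(code)
        if code < 32 or code == 127 or ch.isspace():
            classes[ch] = 0            # white space and control characters
        elif ch.isalnum() or ch in '"-./_':
            classes[ch] = 2            # letters, numbers, and " - . / _
        else:
            classes[ch] = 1            # the remaining punctuation
    return classes


def select_word(text: str, index: int, classes: Dict[str, int]) -> str:
    """Return the run of adjacent same-class characters around text[index],
    i.e. what a double-click at that position would select in this model."""
    def cls(ch: str) -> int:
        # Assumption: characters outside the ASCII table count as class 2.
        return classes.get(ch, 2)

    wanted = cls(text[index])
    start = index
    while start > 0 and cls(text[start - 1]) == wanted:
        start -= 1
    end = index + 1
    while end < len(text) and cls(text[end]) == wanted:
        end += 1
    return text[start:end]


# Constructed sample lines.
MAIL_LINE = "mail bob@example.com now"
PATH_LINE = "see /var/log/auth.log (rotated)"

if __name__ == "__main__":
    classes = default_classes()
    print(repr(select_word(MAIL_LINE, 6, classes)))   # stops at '@' (class 1)
    print(repr(select_word(PATH_LINE, 6, classes)))   # '/' and '.' are class 2

    classes["@"] = 2                                   # the change the manual suggests
    print(repr(select_word(MAIL_LINE, 6, classes)))   # whole address
```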
4.12 The Colours panel
The Colours panel allows you to control PuTTY's use of colour.
4.12.1 ‘Allow terminal to specify ANSI colours’
4.12.2 ‘Allow terminal to use xterm 256-colour mode’
4.12.3 ‘Indicate bolded text by changing...’
4.12.4 ‘Attempt to use logical palettes’
4.12.5 ‘Use system colours’
4.12.6 Adjusting the colours in the terminal window
4.12.1 ‘Allow terminal to specify ANSI colours’
This option is enabled by default. If it is disabled, PuTTY will ignore any control sequences sent by the server to request coloured text.
If you have a particularly garish application, you might want to turn this option off and make PuTTY only use the default foreground and background colours.
4.12.2 ‘Allow terminal to use xterm 256-colour mode’
This option is enabled by default. If it is disabled, PuTTY will ignore any control sequences sent by the server which use the extended 256-colour mode supported by recent versions of xterm.
If you have an application which is supposed to use 256-colour mode and it isn't working, you may find you need to tell your server that your terminal supports 256 colours. On Unix, you do this by ensuring that the setting of TERM describes a 256-colour-capable terminal. You can check this using a command such as infocmp:
$ infocmp | grep colors
colors#256, cols#80, it#8, lines#24, pairs#256,
If you do not see ‘colors#256’ in the output, you may need to change your terminal setting. On modern Linux machines, you could try ‘xterm-256color’.
4.12.3 ‘Indicate bolded text by changing...’
When the server sends a control sequence indicating that some text should be displayed in bold, PuTTY can handle this in several ways. It can either change the font for a bold version, or use the same font in a brighter colour, or it can do both (brighten the colour and embolden the font). This control lets you choose which.
By default bold is indicated by colour, so non-bold text is displayed in light grey and bold text is displayed in bright white (and similarly in other colours). If you change the setting to ‘The font’ box, bold and non-bold text will be displayed in the same colour, and instead the font will change to indicate the difference. If you select ‘Both’, the font and the colour will both change.
Some applications rely on ‘bold black’ being distinguishable from a black background; if you choose ‘The font’, their text may become invisible.
4.12.4 ‘Attempt to use logical palettes’
Logical palettes are a mechanism by which a Windows application running on an 8-bit colour display can select precisely the colours it wants instead of going with the Windows standard defaults.
If you are not getting the colours you ask for on an 8-bit display, you can try enabling this option. However, be warned that it's never worked very well.
4.12.5 ‘Use system colours’
Enabling this option will cause PuTTY to ignore the configured colours for ‘Default Background/Foreground’ and ‘Cursor Colour/Text’ (see section 4.12.6), instead going with the system-wide defaults.
Note that non-bold and bold text will be the same colour if this option is enabled. You might want to change to indicating bold text by font changes (see section 4.12.3).
4.12.6 Adjusting the colours in the terminal window
The main colour control allows you to specify exactly what colours things should be displayed in. To modify one of the PuTTY colours, use the list box to select which colour you want to modify. The RGB values for that colour will appear on the right-hand side of the list box. Now, if you press the ‘Modify’ button, you will be presented with a colour selector, in which you can choose a new colour to go in place of the old one. (You may also edit the RGB values directly in the edit boxes, if you wish; each value is an integer from 0 to 255.)
PuTTY allows you to set the cursor colour, the default foreground and background, and the precise shades of all the ANSI configurable colours (black, red, green, yellow, blue, magenta, cyan, and white). You can also modify the precise shades used for the bold versions of these colours; these are used to display bold text if you have chosen to indicate that by colour (see section 4.12.3), and can also be used if the server asks specifically to use them. (Note that ‘Default Bold Background’ is not the background colour used for bold text; it is only used if the server specifically asks for a bold background.)
4.13.1 Using keepalives to prevent disconnection
If you find your sessions are closing unexpectedly (most often with ‘Connection reset by peer’) after they have been idle for a while, you might want to try using this option.
Some network routers and firewalls need to keep track of all connections through them. Usually, these firewalls will assume a connection is dead if no data is transferred in either direction after a certain time interval. This can cause PuTTY sessions to be unexpectedly closed by the firewall if no traffic is seen in the session for some time.
The keepalive option (‘Seconds between keepalives’) allows you to configure PuTTY to send data through the session at regular intervals, in a way that does not disrupt the actual terminal session. If you find your firewall is cutting idle connections off, you can try entering a non-zero value in this field. The value is measured in seconds; so, for example, if your firewall cuts connections off after ten minutes then you might want to enter 300 seconds (5 minutes) in the box.
Note that keepalives are not always helpful. They help if you have a firewall which drops your connection after an idle period; but if the network between you and the server suffers from breaks in connectivity then keepalives can actually make things worse. If a session is idle, and connectivity is temporarily lost between the endpoints, but the connectivity is restored before either side tries to send anything, then there will be no problem - neither endpoint will notice that anything was wrong. However, if one side does send something during the break, it will repeatedly try to re-send, and eventually give up and abandon the connection. Then when connectivity is restored, the other side will find that the first side doesn't believe there is an open connection any more. Keepalives can make this sort of problem worse, because they increase the probability that PuTTY will attempt to send data during a break in connectivity. (Other types of periodic network activity can cause this behaviour; in particular, SSH-2 re-keys can have this effect. See section 4.19.2.)
Therefore, you might find that keepalives help connection loss, or you might find they make it worse, depending on what kind of network problems you have between you and the server.
Keepalives are only supported in Telnet and SSH; the Rlogin and Raw protocols offer no way of implementing them. (For an alternative, see section 4.13.3.)
Note that if you are using SSH-1 and the server has a bug that makes it unable to deal with SSH-1 ignore messages (see section 4.27.1), enabling keepalives will have no effect.
4.13.2 ‘Disable Nagle's algorithm’
Nagle's algorithm is a detail of TCP/IP implementations that tries to minimise the number of small data packets sent down a network connection. With Nagle's algorithm enabled, PuTTY's bandwidth usage will be slightly more efficient; with it disabled, you may find you get a faster response to your keystrokes when connecting to some types of server.
The Nagle algorithm is disabled by default for interactive connections.
4.13.3 ‘Enable TCP keepalives’
NOTE: TCP keepalives should not be confused with the application-level keepalives described in section 4.13.1. If in doubt, you probably want application-level keepalives; TCP keepalives are provided for completeness.
The idea of TCP keepalives is similar to application-level keepalives, and the same caveats apply. The main differences are:
TCP keepalives are available on all connection types, including Raw and Rlogin.
The interval between TCP keepalives is usually much longer, typically two hours; this is set by the operating system, and cannot be configured within PuTTY.
If the operating system does not receive a response to a keepalive, it may send out more in quick succession and terminate the connection if no response is received.
TCP keepalives may be more useful for ensuring that half-open connections are terminated than for keeping a connection alive.
TCP keepalives are disabled by default.
4.13.4 ‘Internet protocol’
This option allows the user to select between the old and new Internet protocols and addressing schemes (IPv4 and IPv6). The selected protocol will be used for most outgoing network connections (including connections to proxies); however, tunnels have their own configuration, for which see section 4.26.2.
The default setting is ‘Auto’, which means PuTTY will do something sensible and try to guess which protocol you wanted. (If you specify a literal Internet address, it will use whichever protocol that address implies. If you provide a host name, it will see what kinds of address exist for that host name; it will use IPv6 if there is an IPv6 address available, and fall back to IPv4 if not.)
If you need to force PuTTY to use a particular protocol, you can explicitly set this to ‘IPv4’ or ‘IPv6’.
4.13.5 ‘Logical name of remote host’
This allows you to tell PuTTY that the host it will really end up connecting to is different from where it thinks it is making a network connection.
You might use this, for instance, if you had set up an SSH port forwarding in one PuTTY session so that connections to some arbitrary port (say, localhost port 10022) were forwarded to a second machine's SSH port (say, foovax port 22), and then started a second PuTTY connecting to the forwarded port.
In normal usage, the second PuTTY will access the host key cache under the host name and port it actually connected to (i.e. localhost port 10022 in this example). Using the logical host name option, however, you can configure the second PuTTY to cache the host key under the name of the host you know that it's really going to end up talking to (here foovax).
This can be useful if you expect to connect to the same actual server through many different channels (perhaps because your port forwarding arrangements keep changing): by consistently setting the logical host name, you can arrange that PuTTY will not keep asking you to reconfirm its host key. Conversely, if you expect to use the same local port number for port forwardings to lots of different servers, you probably didn't want any particular server's host key cached under that local port number. (For this latter case, you could instead explicitly configure host keys in the relevant sessions; see section 4.20.2.)
If you just enter a host name for this option, PuTTY will cache the SSH host key under the default SSH port for that host, irrespective of the port you really connected to (since the typical scenario is like the above example: you connect to a silly real port number and your connection ends up forwarded to the normal port-22 SSH server of some other machine). To override this, you can append a port number to the logical host name, separated by a colon. E.g. entering ‘foovax:2200’ as the logical host name will cause the host key to be cached as if you had connected to port 2200 of foovax.
If you provide a host name using this option, it is also displayed in other locations which contain the remote host name, such as the default window title and the default SSH password prompt. This reflects the fact that this is the host you're really connecting to, which is more important than the mere means you happen to be using to contact that host. (This applies even if you're using a protocol other than SSH.)
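An added Python model of the caching rule described above (not PuTTY's code, and not its storage format): it replays three forwarded sessions with and without a logical host name to show where a host key check reports a spurious mismatch, and that a real key change is still caught. The host ‘barvax’, the fingerprints and all function names are constructed for the example; IPv6 literals are not handled.

```python
from typing import Dict, List, Optional, Tuple

DEFAULT_SSH_PORT = 22  # the "default SSH port" the manual refers to


def cache_identity(connect_host: str, connect_port: int,
                   logical_name: Optional[str] = None) -> Tuple[str, int]:
    """Return the (host, port) a host key is filed under in this model."""
    if not logical_name:
        # Normal usage: the name and port actually connected to.
        return connect_host, connect_port
    host, colon, port = logical_name.rpartition(":")
    if colon and host and port.isdigit():
        return host, int(port)                 # e.g. 'foovax:2200'
    return logical_name, DEFAULT_SSH_PORT      # bare name -> default port


class HostKeyCache:
    """Toy trust-on-first-use cache keyed by (host, port)."""

    def __init__(self) -> None:
        self._keys: Dict[Tuple[str, int], str] = {}

    def check(self, identity: Tuple[str, int], fingerprint: str) -> str:
        known = self._keys.get(identity)
        if known is None:
            self._keys[identity] = fingerprint
            return "new"
        return "match" if known == fingerprint else "MISMATCH"


# Constructed sample data: two servers, each with its own host key.
SERVER_KEYS = {"foovax": "constructed-fingerprint-A",
               "barvax": "constructed-fingerprint-B"}

# (local forwarded port, real server behind the forwarding)
SESSIONS = [(10022, "foovax"), (10022, "barvax"), (10023, "foovax")]


def replay(use_logical_name: bool) -> List[str]:
    """Run the sample sessions through a fresh cache and collect the verdicts."""
    cache = HostKeyCache()
    verdicts = []
    for local_port, server in SESSIONS:
        logical = server if use_logical_name else None
        identity = cache_identity("localhost", local_port, logical)
        verdicts.append(cache.check(identity, SERVER_KEYS[server]))
    return verdicts


def changed_key_is_flagged() -> bool:
    """With logical names set, a different key for foovax is still a mismatch,
    even when it arrives through a different forwarded port."""
    cache = HostKeyCache()
    cache.check(cache_identity("localhost", 10022, "foovax"), SERVER_KEYS["foovax"])
    verdict = cache.check(cache_identity("localhost", 10023, "foovax"),
                          "constructed-fingerprint-C")
    return verdict == "MISMATCH"


if __name__ == "__main__":
    print("without logical name:", replay(False))
    print("with logical name:   ", replay(True))
    print("real key change flagged:", changed_key_is_flagged())
```

Without the logical name, the second session reports a mismatch only because two servers shared localhost port 10022, and the third session is treated as an unknown host even though foovax was already verified.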
4.14 The Data panel
The Data panel allows you to configure various pieces of data which can be sent to the server to affect your connection at the far end.
Each option on this panel applies to more than one protocol. Options which apply to only one protocol appear on that protocol's configuration panels.
4.14.1 ‘Auto-login username’
4.14.2 Use of system username
4.14.3 ‘Terminal-type string’
4.14.4 ‘Terminal speeds’
4.14.5 Setting environment variables on the server
4.14.1 ‘Auto-login username’
All three of the SSH, Telnet and Rlogin protocols allow you to specify what user name you want to log in as, without having to type it explicitly every time. (Some Telnet servers don't support this.)
In this box you can type that user name.
4.14.2 Use of system username
When the previous box (section 4.14.1) is left blank, by default, PuTTY will prompt for a username at the time you make a connection.
In some environments, such as the networks of large organisations implementing single sign-on, a more sensible default may be to use the name of the user logged in to the local operating system (if any); this is particularly likely to be useful with GSSAPI authentication (see section 4.23). This control allows you to change the default behaviour.
The current system username is displayed in the dialog as a convenience. It is not saved in the configuration; if a saved session is later used by a different user, that user's name will be used.
4.14.3 ‘Terminal-type string’
Most servers you might connect to with PuTTY are designed to be connected to from lots of different types of terminal. In order to send the right control sequences to each one, the server will need to know what type of terminal it is dealing with. Therefore, each of the SSH, Telnet and Rlogin protocols allow a text string to be sent down the connection describing the terminal. On a Unix server, this selects an entry from the termcap or terminfo database that tells applications what control sequences to send to the terminal, and what character sequences to expect the keyboard to generate.
PuTTY attempts to emulate the Unix xterm program, and by default it reflects this by sending xterm as a terminal-type string. If you find this is not doing what you want - perhaps the remote system reports ‘Unknown terminal type’ - you could try setting this to something different, such as vt220.
If you're not sure whether a problem is due to the terminal type setting or not, you probably need to consult the manual for your application or your server.
4.14.4 ‘Terminal speeds’
The Telnet, Rlogin, and SSH protocols allow the client to specify terminal speeds to the server.
This parameter does not affect the actual speed of the connection, which is always ‘as fast as possible’; it is just a hint that is sometimes used by server software to modify its behaviour. For instance, if a slow speed is indicated, the server may switch to a less bandwidth-hungry display mode.
The value is usually meaningless in a network environment, but PuTTY lets you configure it, in case you find the server is reacting badly to the default value.
The format is a pair of numbers separated by a comma, for instance, 38400,38400. The first number represents the output speed (from the server) in bits per second, and the second is the input speed (to the server). (Only the first is used in the Rlogin protocol.)
This option has no effect on Raw connections.
4.14.5 Setting environment variables on the server
The Telnet protocol provides a means for the client to pass environment variables to the server. Many Telnet servers have stopped supporting this feature due to security flaws, but PuTTY still supports it for the benefit of any servers which have found other ways around the security problems than just disabling the whole mechanism.
Version 2 of the SSH protocol also provides a similar mechanism, which is easier to implement without security flaws. Newer SSH-2 servers are more likely to support it than older ones.
This configuration data is not used in the SSH-1, rlogin or raw protocols.
To add an environment variable to the list transmitted down the connection, you enter the variable name in the ‘Variable’ box, enter its value in the ‘Value’ box, and press the ‘Add’ button. To remove one from the list, select it in the list box and press ‘Remove’.
4.15 The Proxy panel
The Proxy panel allows you to configure PuTTY to use various types of proxy in order to make its network connections. The settings in this panel affect the primary network connection forming your PuTTY session, and also any extra connections made as a result of SSH port forwarding (see section 3.5).
Note that unlike some software (such as web browsers), PuTTY does not attempt to automatically determine whether to use a proxy and (if so) which one to use for a given destination. If you need to use a proxy, it must always be explicitly configured.
- 4.15.1 Setting the proxy type
- 4.15.2 Excluding parts of the network from proxying
- 4.15.3 Name resolution when using a proxy
- 4.15.4 Username and password
- 4.15.5 Specifying the Telnet or Local proxy command
- 4.15.6 Controlling proxy logging
4.15.1 Setting the proxy type
The ‘Proxy type’ radio buttons allow you to configure what type of proxy you want PuTTY to use for its network connections. The default setting is ‘None’; in this mode no proxy is used for any connection.
- Selecting ‘HTTP’ allows you to proxy your connections through a web server supporting the HTTP CONNECT command, as documented in RFC 2817.
- Selecting ‘SOCKS 4’ or ‘SOCKS 5’ allows you to proxy your connections through a SOCKS server.
- Many firewalls implement a less formal type of proxy in which a user can make a Telnet connection directly to the firewall machine and enter a command such as connect myhost.com 22 to connect through to an external host. Selecting ‘Telnet’ allows you to tell PuTTY to use this type of proxy.
- Selecting ‘Local’ allows you to specify an arbitrary command on the local machine to act as a proxy. When the session is started, instead of creating a TCP connection, PuTTY runs the command (specified in section 4.15.5), and uses its standard input and output streams.
  This could be used, for instance, to talk to some kind of network proxy that PuTTY does not natively support; or you could tunnel a connection over something other than TCP/IP entirely.
  If you want your local proxy command to make a secondary SSH connection to a proxy host and then tunnel the primary connection over that, you might well want the -nc command-line option in Plink. See section 3.8.3.14 for more information.
  You can also enable this mode on the command line; see section 3.8.3.24.
4.15.2 Excluding parts of the network from proxying
Typically you will only need to use a proxy to connect to non-local parts of your network; for example, your proxy might be required for connections outside your company's internal network. In the ‘Exclude Hosts/IPs’ box you can enter ranges of IP addresses, or ranges of DNS names, for which PuTTY will avoid using the proxy and make a direct connection instead.
The ‘Exclude Hosts/IPs’ box may contain more than one exclusion range, separated by commas. Each range can be an IP address or a DNS name, with a * character allowing wildcards. For example:
*.example.com
This excludes any host with a name ending in .example.com from proxying.
192.168.88.*
This excludes any host with an IP address starting with 192.168.88 from proxying.
192.168.88.*,*.example.com
This excludes both of the above ranges at once.
Connections to the local host (the host name localhost, and any loopback IP address) are never proxied, even if the proxy exclude list does not explicitly contain them. It is very unlikely that this behaviour would ever cause problems, but if it does you can change it by enabling ‘Consider proxying local host connections’.
Note that if you are doing DNS at the proxy (see section 4.15.3), you should make sure that your proxy exclusion settings do not depend on knowing the IP address of a host. If the name is passed on to the proxy without PuTTY looking it up, it will never know the IP address and cannot check it against your list.
4.15.3 Name resolution when using a proxy
If you are using a proxy to access a private network, it can make a difference whether DNS name resolution is performed by PuTTY itself (on the client machine) or performed by the proxy.
The ‘Do DNS name lookup at proxy end’ configuration option allows you to control this. If you set it to ‘No’, PuTTY will always do its own DNS, and will always pass an IP address to the proxy. If you set it to ‘Yes’, PuTTY will always pass host names straight to the proxy without trying to look them up first.
If you set this option to ‘Auto’ (the default), PuTTY will do something it considers appropriate for each type of proxy. Telnet, HTTP, and SOCKS 5 proxies will have host names passed straight to them; SOCKS 4 proxies will not.
Note that if you are doing DNS at the proxy, you should make sure that your proxy exclusion settings (see section 4.15.2) do not depend on knowing the IP address of a host. If the name is passed on to the proxy without PuTTY looking it up, it will never know the IP address and cannot check it against your list.
The original SOCKS 4 protocol does not support proxy-side DNS. There is a protocol extension (SOCKS 4A) which does support it, but not all SOCKS 4 servers provide this extension. If you enable proxy DNS and your SOCKS 4 server cannot deal with it, this might be why.
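The interaction between the exclusion list (section 4.15.2) and proxy-side DNS (section 4.15.3) is easiest to see as a routing decision. The following is an added example, not PuTTY's own code: the function names, the sample host and the treatment of * as the only wildcard are assumptions of this sketch, and ip_only_patterns recognises IPv4-style patterns only.

```python
import ipaddress
import re

# 'Auto' behaviour exactly as the manual states it for these four proxy types.
AUTO_DNS_AT_PROXY = {"telnet": True, "http": True, "socks5": True, "socks4": False}


def dns_at_proxy(setting, proxy_type):
    """Map the 'Do DNS name lookup at proxy end' setting to True/False."""
    if setting in ("yes", "no"):
        return setting == "yes"
    return AUTO_DNS_AT_PROXY[proxy_type]  # 'auto'; KeyError for unlisted types


def wildcard_match(pattern, value):
    """Match with '*' as the only wildcard, anchored at both ends."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def is_loopback(value):
    """True for the name 'localhost' or any loopback IP literal."""
    if value.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False


def route(host, exclude_list, setting, proxy_type, resolve, proxy_localhost=False):
    """Return 'direct' or 'proxy' for one outgoing connection.

    resolve is a callable name -> IP string. It is only called when the
    lookup happens on the client; with DNS at the proxy the client never
    learns the address, so IP-based exclusions cannot match.
    """
    known = [host]
    if not dns_at_proxy(setting, proxy_type):
        known.append(resolve(host))
    if not proxy_localhost and any(is_loopback(v) for v in known):
        return "direct"
    patterns = [p.strip() for p in exclude_list.split(",") if p.strip()]
    if any(wildcard_match(p, v) for p in patterns for v in known):
        return "direct"
    return "proxy"


def ip_only_patterns(exclude_list):
    """List exclusions that can only ever match an IPv4 address.

    These are the entries to review before enabling DNS at the proxy.
    """
    patterns = [p.strip() for p in exclude_list.split(",") if p.strip()]
    return [p for p in patterns if re.fullmatch(r"[0-9.*]*[0-9][0-9.*]*", p)]


# Constructed sample data: an internal name and the address it resolves to.
SAMPLE_DNS = {"files.corp.internal": "192.168.88.20"}
EXCLUDE = "192.168.88.*,*.example.com"

if __name__ == "__main__":
    for setting, ptype in (("no", "socks5"), ("auto", "socks5"), ("auto", "socks4")):
        decision = route("files.corp.internal", EXCLUDE, setting, ptype,
                         SAMPLE_DNS.__getitem__)
        print(f"DNS={setting:4} proxy={ptype:6} -> {decision}")
    print("review before enabling proxy DNS:", ip_only_patterns(EXCLUDE))
```

With the same exclusion list, the internal host is reached directly when PuTTY resolves the name itself and is sent through the proxy when the name is handed to the proxy unresolved.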
4.15.4 Username and password
If your proxy requires authentication, you can enter a username and a password in the ‘Username’ and ‘Password’ boxes.
Note that if you save your session, the proxy password will be saved in plain text, so anyone who can access your PuTTY configuration data will be able to discover it.
Authentication is not fully supported for all forms of proxy:
- Username and password authentication is supported for HTTP proxies and SOCKS 5 proxies.
  - With SOCKS 5, authentication is via CHAP if the proxy supports it (this is not supported in PuTTYtel); otherwise the password is sent to the proxy in plain text.
  - With HTTP proxying, the only currently supported authentication method is ‘basic’, where the password is sent to the proxy in plain text.
- SOCKS 4 can use the ‘Username’ field, but does not support passwords.
- You can specify a way to include a username and password in the Telnet/Local proxy command (see section 4.15.5).
4.15.5 Specifying the Telnet or Local proxy command
If you are using the Telnet proxy type, the usual command required by the firewall's Telnet server is connect, followed by a host name and a port number. If your proxy needs a different command, you can enter an alternative here.
If you are using the Local proxy type, the local command to run is specified here.
In this string, you can use \n to represent a new-line, \r to represent a carriage return, \t to represent a tab character, and \x followed by two hex digits to represent any other character. \\ is used to encode the \ character itself.
Also, the special strings %host and %port will be replaced by the host name and port number you want to connect to. The strings %user and %pass will be replaced by the proxy username and password you specify. The strings %proxyhost and %proxyport will be replaced by the host details specified on the Proxy panel, if any (this is most likely to be useful for the Local proxy type). To get a literal % sign, enter %%.
If a Telnet proxy server prompts for a username and password before commands can be sent, you can use a command such as:
%user\n%pass\nconnect %host %port\n
This will send your username and password as the first two lines to the proxy, followed by a command to connect to the desired host and port. Note that if you do not include the %user or %pass tokens in the Telnet command, then the ‘Username’ and ‘Password’ configuration fields will be ignored.
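The escape and token rules above can be exercised with a small expander. This is an added example, not PuTTY's implementation: the function names and sample credentials are constructed, and sending unrecognised \ or % sequences unchanged is an assumption of this sketch. It also reports which credential fields a template never sends, and renders a copy with the password masked for logging.

```python
SIMPLE_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "\\": b"\\"}
# Longest names first so a token is never cut short by a shorter one.
TOKENS = ("proxyhost", "proxyport", "host", "port", "user", "pass")
HEX_DIGITS = set("0123456789abcdefABCDEF")

# The command string given as the example in section 4.15.5.
PAGE_TEMPLATE = r"%user\n%pass\nconnect %host %port\n"


def expand_proxy_command(template, values):
    """Expand a Telnet/Local proxy command string.

    Returns (bytes_to_send, set_of_token_names_used).
    """
    out = bytearray()
    used = set()
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "\\" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt in SIMPLE_ESCAPES:
                out += SIMPLE_ESCAPES[nxt]
                i += 2
                continue
            digits = template[i + 2:i + 4]
            if nxt == "x" and len(digits) == 2 and set(digits) <= HEX_DIGITS:
                out.append(int(digits, 16))
                i += 4
                continue
        if ch == "%":
            if template.startswith("%%", i):
                out += b"%"
                i += 2
                continue
            name = next((t for t in TOKENS if template.startswith(t, i + 1)), None)
            if name is not None:
                out += str(values[name]).encode("utf-8")
                used.add(name)
                i += 1 + len(name)
                continue
        # Assumption of this example: anything unrecognised is sent as-is.
        out += ch.encode("utf-8")
        i += 1
    return bytes(out), used


def ignored_credential_fields(template):
    """Names of the Username/Password fields this template never sends."""
    _, used = expand_proxy_command(template, dict.fromkeys(TOKENS, ""))
    return sorted({"user", "pass"} - used)


def loggable(template, values):
    """Expanded command with the password masked and control bytes escaped."""
    masked = {**values, "pass": "********"}
    data, _ = expand_proxy_command(template, masked)
    text = data.decode("utf-8", "replace")
    return text.encode("unicode_escape").decode("ascii")


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"user": "jbloggs", "pass": "s3cret-constructed",
              "host": "myhost.com", "port": 22}
    print(expand_proxy_command(PAGE_TEMPLATE, sample)[0])
    print(loggable(PAGE_TEMPLATE, sample))
    print(ignored_credential_fields(r"connect %host %port\n"))
```

The expanded bytes contain the proxy password in clear, so the masked form is the one to write to any diagnostic output.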
4.15.6 Controlling proxy logging
Often the proxy interaction has its own diagnostic output; this is particularly the case for local proxy commands.
The setting ‘Print proxy diagnostics in the terminal window’ lets you control how much of the proxy's diagnostics are printed to the main terminal window, along with output from your main session.
By default (‘No’), proxy diagnostics are only sent to the Event Log; with ‘Yes’ they are also printed to the terminal, where they may get mixed up with your main session. ‘Only until session starts’ is a compromise; proxy messages will go to the terminal window until the main session is deemed to have started (in a protocol-dependent way), which is when they're most likely to be interesting; any further proxy-related messages during the session will only go to the Event Log.
4.16.1 ‘Handling of OLD_ENVIRON ambiguity’
The original Telnet mechanism for passing environment variables was badly specified. At the time the standard (RFC 1408) was written, BSD telnet implementations were already supporting the feature, and the intention of the standard was to describe the behaviour the BSD implementations were already using.
Sadly there was a typing error in the standard when it was issued, and two vital function codes were specified the wrong way round. BSD implementations did not change, and the standard was not corrected. Therefore, it's possible you might find either BSD or RFC-compliant implementations out there. This switch allows you to choose which one PuTTY claims to be.
The problem was solved by issuing a second standard, defining a new Telnet mechanism called NEW_ENVIRON, which behaved exactly like the original OLD_ENVIRON but was not encumbered by existing implementations. Most Telnet servers now support this, and it's unambiguous. This feature should only be needed if you have trouble passing environment variables to quite an old server.
4.16.2 Passive and active Telnet negotiation modes
In a Telnet connection, there are two types of data passed between the client and the server: actual text, and negotiations about which Telnet extra features to use.
PuTTY can use two different strategies for negotiation:
- In active mode, PuTTY starts to send negotiations as soon as the connection is opened.
- In passive mode, PuTTY will wait to negotiate until it sees a negotiation from the server.
The obvious disadvantage of passive mode is that if the server is also operating in a passive mode, then negotiation will never begin at all. For this reason PuTTY defaults to active mode.
However, sometimes passive mode is required in order to successfully get through certain types of firewall and Telnet proxy server. If you have confusing trouble with a firewall, you could try enabling passive mode to see if it helps.
4.16.3 ‘Keyboard sends Telnet special commands’
If this box is checked, several key sequences will have their normal actions modified:
- the Backspace key on the keyboard will send the Telnet special backspace code;
- Control-C will send the Telnet special Interrupt Process code;
- Control-Z will send the Telnet special Suspend Process code.
You probably shouldn't enable this unless you know what you're doing.
4.16.4 ‘Return key sends Telnet New Line instead of ^M’
Unlike most other remote login protocols, the Telnet protocol has a special ‘new line’ code that is not the same as the usual line endings of Control-M or Control-J. By default, PuTTY sends the Telnet New Line code when you press Return, instead of sending Control-M as it does in most other protocols.
Most Unix-style Telnet servers don't mind whether they receive Telnet New Line or Control-M; some servers do expect New Line, and some servers prefer to see ^M. If you are seeing surprising behaviour when you press Return in a Telnet session, you might try turning this option off to see if it helps.
4.17.1 ‘Local username’
Rlogin allows an automated (password-free) form of login by means of a file called .rhosts on the server. You put a line in your .rhosts file saying something like jbloggs@pc1.example.com, and then when you make an Rlogin connection the client transmits the username of the user running the Rlogin client. The server checks the username and hostname against .rhosts, and if they match it does not ask for a password.
This only works because Unix systems contain a safeguard to stop a user from pretending to be another user in an Rlogin connection. Rlogin connections have to come from port numbers below 1024, and Unix systems prohibit this to unprivileged processes; so when the server sees a connection from a low-numbered port, it assumes the client end of the connection is held by a privileged (and therefore trusted) process, so it believes the claim of who the user is.
Windows does not have this restriction: any user can initiate an outgoing connection from a low-numbered port. Hence, the Rlogin .rhosts mechanism is completely useless for securely distinguishing several different users on a Windows machine. If you have a .rhosts entry pointing at a Windows PC, you should assume that anyone using that PC can spoof your username in an Rlogin connection and access your account on the server.
The ‘Local username’ control allows you to specify what user name PuTTY should claim you have, in case it doesn't match your Windows user name (or in case you didn't bother to set up a Windows user name).
4.18.1 Executing a specific command on the server
In SSH, you don't have to run a general shell session on the server. Instead, you can choose to run a single specific command (such as a mail user agent, for example). If you want to do this, enter the command in the ‘Remote command’ box.
Note that most servers will close the session after executing the command.
4.18.2 ‘Don't start a shell or command at all’
If you tick this box, PuTTY will not attempt to run a shell or command after connecting to the remote server. You might want to use this option if you are only using the SSH connection for port forwarding, and your user account on the server does not have the ability to run a shell.
This feature is only available in SSH protocol version 2 (since the version 1 protocol assumes you will always want to run a shell).
This feature can also be enabled using the -N command-line option; see section 3.8.3.13.
If you use this feature in Plink, you will not be able to terminate the Plink process by any graceful means; the only way to kill it will be by pressing Control-C or sending a kill signal from another program.
4.18.3 ‘Enable compression’
This enables data compression in the SSH connection: data sent by the server is compressed before sending, and decompressed at the client end. Likewise, data sent by PuTTY to the server is compressed first and the server decompresses it at the other end. This can help make the most of a low-bandwidth connection.
4.18.4 ‘SSH protocol version’
This allows you to select whether to use SSH protocol version 2 or the older version 1.
You should normally leave this at the default of ‘2’. As well as having fewer features, the older SSH-1 protocol is no longer developed, has many known cryptographic weaknesses, and is generally not considered to be secure. PuTTY's protocol 1 implementation is provided mainly for compatibility, and is no longer being enhanced.
If a server offers both versions, prefer ‘2’. If you have some server or piece of equipment that only talks SSH-1, select ‘1’ here, and do not treat the resulting connection as secure.
PuTTY will not automatically fall back to the other version of the protocol if the server turns out not to match your selection here; instead, it will put up an error message and abort the connection. This prevents an active attacker downgrading an intended SSH-2 connection to SSH-1.
4.18.5 Sharing an SSH connection between PuTTY tools
The controls in this box allow you to configure PuTTY to reuse an existing SSH connection, where possible.
The SSH-2 protocol permits you to run multiple data channels over the same SSH connection, so that you can log in just once (and do the expensive encryption setup just once) and then have more than one terminal window open.
Each instance of PuTTY can still run at most one terminal session, but using the controls in this box, you can configure PuTTY to check if another instance of itself has already connected to the target host, and if so, share that instance's SSH connection instead of starting a separate new one.
To enable this feature, just tick the box ‘Share SSH connections if possible’. Then, whenever you start up a PuTTY session connecting to a particular host, it will try to reuse an existing SSH connection if one is available. For example, selecting ‘Duplicate Session’ from the system menu will launch another session on the same host, and if sharing is enabled then it will reuse the existing SSH connection.
When this mode is in use, the first PuTTY that connected to a given server becomes the ‘upstream’, which means that it is the one managing the real SSH connection. All subsequent PuTTYs which reuse the connection are referred to as ‘downstreams’: they do not connect to the real server at all, but instead connect to the upstream PuTTY via local inter-process communication methods.
For this system to be activated, both the upstream and downstream instances of PuTTY must have the sharing option enabled.
The upstream PuTTY can therefore not terminate until all its downstreams have closed. This is similar to the effect you get with port forwarding or X11 forwarding, in which a PuTTY whose terminal session has already finished will still remain open so as to keep serving forwarded connections.
In case you need to configure this system in more detail, there are two additional checkboxes which allow you to specify whether a particular PuTTY can act as an upstream or a downstream or both. (These boxes only take effect if the main ‘Share SSH connections if possible’ box is also ticked.) By default both of these boxes are ticked, so that multiple PuTTYs started from the same configuration will designate one of themselves as the upstream and share a single connection; but if for some reason you need a particular PuTTY configuration not to be an upstream (e.g. because you definitely need it to close promptly) or not to be a downstream (e.g. because it needs to do its own authentication using a special private key) then you can untick one or the other of these boxes.
I have referred to ‘PuTTY’ throughout the above discussion, but all the other PuTTY tools which make SSH connections can use this mechanism too. For example, if PSCP or PSFTP loads a configuration with sharing enabled, then it can act as a downstream and use an existing SSH connection set up by an instance of GUI PuTTY. The one special case is that PSCP and PSFTP will never act as upstreams.
It is possible to test programmatically for the existence of a live upstream using Plink. See section 7.2.3.3.
4.19 The Kex panel
The Kex panel (short for ‘key exchange’) allows you to configure options related to SSH-2 key exchange.
Key exchange occurs at the start of an SSH connection (and occasionally thereafter); it establishes a shared secret that is used as the basis for all of SSH's security features. It is therefore very important for the security of the connection that the key exchange is secure.
Key exchange is a cryptographically intensive process; if either the client or the server is a relatively slow machine, the slower methods may take several tens of seconds to complete.
If connection startup is too slow, or the connection hangs periodically, you may want to try changing these settings.
If you don't understand what any of this means, it's safe to leave these settings alone.
This entire panel is only relevant to SSH protocol version 2; none of these settings affect SSH-1 at all.
- 4.19.1 Key exchange algorithm selection
- 4.19.2 Repeat key exchange
4.19.1 Key exchange algorithm selection
PuTTY supports a variety of SSH-2 key exchange methods, and allows you to choose which one you prefer to use; configuration is similar to cipher selection (see section 4.21).
PuTTY currently supports the following key exchange methods:
- ‘ECDH’: elliptic curve Diffie-Hellman key exchange.
- ‘Group 14’: Diffie-Hellman key exchange with a well-known 2048-bit group.
- ‘Group 1’: Diffie-Hellman key exchange with a well-known 1024-bit group. We no longer recommend using this method, and it's not used by default in new installations; however, it may be the only method supported by very old server software.
- ‘Group exchange’: with this method, instead of using a fixed group, PuTTY requests that the server suggest a group to use for key exchange; the server can avoid groups known to be weak, and possibly invent new ones over time, without any changes required to PuTTY's configuration. We recommend use of this method instead of the well-known groups, if possible.
- ‘RSA key exchange’: this requires much less computational effort on the part of the client, and somewhat less on the part of the server, than Diffie-Hellman key exchange.
If the first algorithm PuTTY finds is below the ‘warn below here’ line, you will see a warning box when you make the connection, similar to that for cipher selection (see section 4.21).
4.19.2 Repeat key exchange
If the session key negotiated at connection startup is used too much or for too long, it may become feasible to mount attacks against the SSH connection. Therefore, the SSH-2 protocol specifies that a new key exchange should take place every so often; this can be initiated by either the client or the server.
While this renegotiation is taking place, no data can pass through the SSH connection, so it may appear to ‘freeze’. (The occurrence of repeat key exchange is noted in the Event Log; see section 3.1.3.1.) Usually the same algorithm is used as at the start of the connection, with a similar overhead.
These options control how often PuTTY will initiate a repeat key exchange (‘rekey’). You can also force a key exchange at any time from the Special Commands menu (see section 3.1.3.2).
- ‘Max minutes before rekey’ specifies the amount of time that is allowed to elapse before a rekey is initiated. If this is set to zero, PuTTY will not rekey due to elapsed time. The SSH-2 protocol specification recommends a timeout of at most 60 minutes.
  You might have a need to disable time-based rekeys completely for the same reasons that keepalives aren't always helpful. If you anticipate suffering a network dropout of several hours in the middle of an SSH connection, but were not actually planning to send data down that connection during those hours, then an attempted rekey in the middle of the dropout will probably cause the connection to be abandoned, whereas if rekeys are disabled then the connection should in principle survive (in the absence of interfering firewalls). See section 4.13.1 for more discussion of these issues; for these purposes, rekeys have much the same properties as keepalives. (Except that rekeys have cryptographic value in themselves, so you should bear that in mind when deciding whether to turn them off.) Note, however, that the SSH server can still initiate rekeys.
- ‘Max data before rekey’ specifies the amount of data (in bytes) that is permitted to flow in either direction before a rekey is initiated. If this is set to zero, PuTTY will not rekey due to transferred data. The SSH-2 protocol specification recommends a limit of at most 1 gigabyte.
  As well as specifying a value in bytes, the following shorthand can be used:
  - ‘1k’ specifies 1 kilobyte (1024 bytes).
  - ‘1M’ specifies 1 megabyte (1024 kilobytes).
  - ‘1G’ specifies 1 gigabyte (1024 megabytes).
Disabling data-based rekeys entirely is a bad idea. The integrity, and to a lesser extent, confidentiality of the SSH-2 protocol depend in part on rekeys occurring before a 32-bit packet sequence number wraps around. Unlike time-based rekeys, data-based rekeys won't occur when the SSH connection is idle, so they shouldn't cause the same problems. The SSH-1 protocol, incidentally, has even weaker integrity protection than SSH-2 without rekeys.
4.20 The Host Keys panel
The Host Keys panel allows you to configure options related to SSH-2 host key management.
Host keys are used to prove the server's identity, and assure you that the server is not being spoofed (either by a man-in-the-middle attack or by completely replacing it on the network). See section 2.2 for a basic introduction to host keys.
This entire panel is only relevant to SSH protocol version 2; none of these settings affect SSH-1 at all.
- 4.20.1 Host key type selection
- 4.20.2 Manually configuring host keys
4.20.1 Host key type selection
PuTTY supports a variety of SSH-2 host key types, and allows you to choose which one you prefer to use to identify the server. Configuration is similar to cipher selection (see section 4.21).
PuTTY currently supports the following host key types:
- ‘Ed25519’: Edwards-curve DSA using a twisted Edwards curve with modulus 2^255-19.
- ‘ECDSA’: elliptic curve DSA using one of the NIST-standardised elliptic curves.
- ‘DSA’: straightforward DSA using modular exponentiation.
- ‘RSA’: the ordinary RSA algorithm.
If PuTTY already has one or more host keys stored for the server, it will prefer to use one of those, even if the server has a key type that is higher in the preference order. You can add such a key to PuTTY's cache from within an existing session using the ‘Special Commands’ menu; see section 3.1.3.2.
Otherwise, PuTTY will choose a key type based purely on the preference order you specify in the configuration.
If the first key type PuTTY finds is below the ‘warn below here’ line, you will see a warning box when you make the connection, similar to that for cipher selection (see section 4.21).
4.20.2 Manually configuring host keys
In some situations, if PuTTY's automated host key management is not doing what you need, you might need to manually configure PuTTY to accept a specific host key, or one of a specific set of host keys.
One reason why you might want to do this is because the host name PuTTY is connecting to is using round-robin DNS to return one of multiple actual servers, and they all have different host keys. In that situation, you might need to configure PuTTY to accept any of a list of host keys for the possible servers, while still rejecting any key not in that list.
Another reason is if PuTTY's automated host key management is completely unavailable, e.g. because PuTTY (or Plink or PSFTP, etc) is running in a Windows environment without access to the Registry. In that situation, you will probably want to use the -hostkey command-line option to configure the expected host key(s); see section 3.8.3.20.
For situations where PuTTY's automated host key management simply picks the wrong host name to store a key under, you may want to consider setting a ‘logical host name’ instead; see section 4.13.5.
To configure manual host keys via the GUI, enter some text describing the host key into the edit box in the ‘Manually configure host keys for this connection’ container, and press the ‘Add’ button. The text will appear in the ‘Host keys or fingerprints to accept’ list box. You can remove keys again with the ‘Remove’ button.
The text describing a host key can be in one of the following formats:
- An MD5-based host key fingerprint of the form displayed in PuTTY's Event Log and host key dialog boxes, i.e. sixteen 2-digit hex numbers separated by colons.
- A base64-encoded blob describing an SSH-2 public key in OpenSSH's one-line public key format. How you acquire a public key in this format is server-dependent; on an OpenSSH server it can typically be found in a location like /etc/ssh/ssh_host_rsa_key.pub.
If this box contains at least one host key or fingerprint when PuTTY makes an SSH connection, then PuTTY's automated host key management is completely bypassed: the connection will be permitted if and only if the host key presented by the server is one of the keys listed in this box, and the host key store in the Registry will be neither read nor written, unless you explicitly do so.
If the box is empty (as it usually is), then PuTTY's automated host key management will work as normal.
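The accept-list rule above (permit if and only if the presented key matches an entry, and defer to the automated store only when the list is empty) can be written out as follows. This is an added example, not PuTTY's code: the function names are hypothetical, the key blobs are constructed rather than taken from any server, and the structural check on decoded blobs is this sketch's own validation.

```python
import base64
import binascii
import hashlib
import re
import struct

# Sixteen 2-digit hex numbers separated by colons.
MD5_FP = re.compile(r"(?:[0-9a-f]{2}:){15}[0-9a-f]{2}", re.IGNORECASE)


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint of an SSH-2 public key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def blob_from_pub_line(line):
    """Return the base64 field of an OpenSSH one-line public key."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    return fields[1]


def parse_entry(text):
    """Classify one accept-list entry as ('md5', fp) or ('blob', bytes)."""
    text = text.strip()
    if MD5_FP.fullmatch(text):
        return "md5", text.lower()
    try:
        blob = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a fingerprint or base64 blob: {text!r}") from exc
    # An SSH-2 key blob starts with a length-prefixed key type name.
    if len(blob) < 4 or struct.unpack(">I", blob[:4])[0] > len(blob) - 4:
        raise ValueError("base64 decodes, but not to an SSH-2 key blob")
    return "blob", blob


def check_host_key(presented_blob, accept_list):
    """Return True or False when the manual list decides the outcome.

    Returns None when the list is empty, meaning the automated host key
    management applies instead.
    """
    entries = [parse_entry(e) for e in accept_list]
    if not entries:
        return None
    presented_fp = md5_fingerprint(presented_blob)
    for kind, value in entries:
        if kind == "md5" and value == presented_fp:
            return True
        if kind == "blob" and value == presented_blob:
            return True
    return False


def make_sample_blob(seed):
    """Constructed Ed25519-shaped blob (not a real server's key)."""
    key_type = b"ssh-ed25519"
    key = bytes((seed + i) % 256 for i in range(32))
    return (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(key)) + key)


if __name__ == "__main__":
    # Two constructed servers behind one round-robin name.
    server_a, server_b = make_sample_blob(1), make_sample_blob(2)
    pub_line = "ssh-ed25519 " + base64.b64encode(server_a).decode() + " constructed"
    accept = [blob_from_pub_line(pub_line), md5_fingerprint(server_b)]
    for name, blob in (("a", server_a), ("b", server_b), ("other", make_sample_blob(3))):
        print(name, md5_fingerprint(blob), check_host_key(blob, accept))
```

A malformed entry raises instead of being skipped, so a typo in the list cannot silently turn a non-empty list into an empty one.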
4.21 The Cipher panel
PuTTY supports a variety of different encryption algorithms, and allows you to choose which one you prefer to use. You can do this by dragging the algorithms up and down in the list box (or moving them using the Up and Down buttons) to specify a preference order. When you make an SSH connection, PuTTY will search down the list from the top until it finds an algorithm supported by the server, and then use that.
PuTTY currently supports the following algorithms:
- ChaCha20-Poly1305, a combined cipher and MAC (SSH-2 only)
- AES (Rijndael) - 256, 192, or 128-bit SDCTR or CBC (SSH-2 only)
- Arcfour (RC4) - 256 or 128-bit stream cipher (SSH-2 only)
- Blowfish - 256-bit SDCTR (SSH-2 only) or 128-bit CBC
- Triple-DES - 168-bit SDCTR (SSH-2 only) or CBC
- Single-DES - 56-bit CBC (see below for SSH-2)
If the algorithm PuTTY finds is below the ‘warn below here’ line, you will see a warning box when you make the connection:
The first cipher supported by the server
is single-DES, which is below the configured
warning threshold.
Do you want to continue with this connection?
This warns you that the first available encryption is not a very secure one. Typically you would put the ‘warn below here’ line between the encryptions you consider secure and the ones you consider substandard. By default, PuTTY supplies a preference order intended to reflect a reasonable preference in terms of security and speed.
In SSH-2, the encryption algorithm is negotiated independently for each direction of the connection, although PuTTY does not support separate configuration of the preference orders. As a result you may get two warnings similar to the one above, possibly with different encryptions.
Single-DES is not recommended in the SSH-2 protocol standards, but one or two server implementations do support it. PuTTY can use single-DES to interoperate with these servers if you enable the ‘Enable legacy use of single-DES in SSH-2’ option; by default this is disabled and PuTTY will stick to recommended ciphers.
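The top-down search with a warning threshold, applied once per direction, looks like this in outline. This is an added example, not PuTTY's code: the preference order, the short cipher labels and the function names are constructed for illustration. The manual describes key exchange and host key type selection (sections 4.19.1 and 4.20.1) as configured in a similar way.

```python
WARN_LINE = "-- warn below here --"

# Constructed preference order using short labels for the ciphers listed above.
PREFERENCE = ["AES", "ChaCha20", "3DES", WARN_LINE, "DES", "Blowfish", "Arcfour"]


def pick(preference, server_offers, allow_legacy_des=False):
    """Search down the list from the top; return (cipher, below_warn_line).

    Returns (None, False) when nothing on the list is offered by the server.
    """
    below = False
    for name in preference:
        if name == WARN_LINE:
            below = True
        elif name == "DES" and not allow_legacy_des:
            continue  # single-DES in SSH-2 stays off unless explicitly enabled
        elif name in server_offers:
            return name, below
    return None, False


def negotiate(preference, server_c2s, server_s2c, allow_legacy_des=False):
    """Pick a cipher for each direction from one shared preference list.

    Returns ({direction: cipher}, [warning strings]); there can be two
    warnings, naming different ciphers, for a single connection.
    """
    result, warnings = {}, []
    for direction, offers in (("client-to-server", server_c2s),
                              ("server-to-client", server_s2c)):
        cipher, warn = pick(preference, offers, allow_legacy_des)
        result[direction] = cipher
        if warn:
            warnings.append(f"The first cipher supported by the server is "
                            f"{cipher} ({direction}), which is below the "
                            f"configured warning threshold.")
    return result, warnings


if __name__ == "__main__":
    # Constructed server offers, differing per direction.
    chosen, warns = negotiate(PREFERENCE, {"AES", "3DES"}, {"Arcfour", "Blowfish"})
    print(chosen)
    for w in warns:
        print(w)
```

A server that offers only single-DES yields no usable cipher here unless allow_legacy_des is set, which mirrors the option being off by default.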
4.22 The Auth panel
The Auth panel allows you to configure authentication options for SSH sessions.
- 4.22.1 ‘Display pre-authentication banner’
- 4.22.2 ‘Bypass authentication entirely’
- 4.22.3 ‘Attempt authentication using Pageant’
- 4.22.4 ‘Attempt TIS or CryptoCard authentication’
- 4.22.5 ‘Attempt keyboard-interactive authentication’
- 4.22.6 ‘Allow agent forwarding’
- 4.22.7 ‘Allow attempted changes of username in SSH-2’
- 4.22.8 ‘Private key file for authentication’
4.22.1 ‘Display pre-authentication banner’
SSH-2 servers can provide a message for clients to display to the prospective user before the user logs in; this is sometimes known as a pre-authentication ‘banner’. Typically this is used to provide information about the server and legal notices.
By default, PuTTY displays this message before prompting for a password or similar credentials (although, unfortunately, not before prompting for a login name, due to the nature of the protocol design). By unchecking this option, display of the banner can be suppressed entirely.
4.22.2 ‘Bypass authentication entirely’
In SSH-2, it is in principle possible to establish a connection without using SSH's mechanisms to identify or prove who you are to the server. An SSH server could prefer to handle authentication in the data channel, for instance, or simply require no user authentication whatsoever.
By default, PuTTY assumes the server requires authentication (we've never heard of one that doesn't), and thus must start this process with a username. If you find you are getting username prompts that you cannot answer, you could try enabling this option. However, most SSH servers will reject this.
This is not the option you want if you have a username and just want PuTTY to remember it; for that see section 4.14.1. It's also probably not what you want if you're trying to set up passwordless login to a mainstream SSH server; depending on the server, you probably wanted public-key authentication (chapter 8) or perhaps GSSAPI authentication (section 4.23). (These are still forms of authentication, even if you don't have to interact with them.)
This option only affects SSH-2 connections. SSH-1 connections always require an authentication step.
4.22.3 ‘Attempt authentication using Pageant’
If this option is enabled, then PuTTY will look for Pageant (the SSH private-key storage agent) and attempt to authenticate with any suitable public keys Pageant currently holds.
This behaviour is almost always desirable, and is therefore enabled by default. In rare cases you might need to turn it off in order to force authentication by some non-public-key method such as passwords.
This option can also be controlled using the -noagent command-line option. See section 3.8.3.9.
See chapter 9 for more information about Pageant in general.
4.22.4 ‘Attempt TIS or CryptoCard authentication’
TIS and CryptoCard authentication are (despite their names) generic forms of simple challenge/response authentication available in SSH protocol version 1 only. You might use them if you were using S/Key one-time passwords, for example, or if you had a physical security token that generated responses to authentication challenges. They can even be used to prompt for simple passwords.
With this switch enabled, PuTTY will attempt these forms of authentication if the server is willing to try them. You will be presented with a challenge string (which may be different every time) and must supply the correct response in order to log in. If your server supports this, you should talk to your system administrator about precisely what form these challenges and responses take.
4.22.5 ‘Attempt keyboard-interactive authentication’
The SSH-2 equivalent of TIS authentication is called ‘keyboard-interactive’. It is a flexible authentication method using an arbitrary sequence of requests and responses; so it is not only useful for challenge/response mechanisms such as S/Key, but it can also be used for (for example) asking the user for a new password when the old one has expired.
PuTTY leaves this option enabled by default, but supplies a switch to turn it off in case you should have trouble with it.
4.22.6 ‘Allow agent forwarding’
This option allows the SSH server to open forwarded connections back to your local copy of Pageant. If you are not running Pageant, this option will do nothing.
See chapter 9 for general information on Pageant, and section 9.4 for information on agent forwarding. Note that there is a security risk involved with enabling this option; see section 9.5 for details.
4.22.7 ‘Allow attempted changes of username in SSH-2’
In the SSH-1 protocol, it is impossible to change username after failing to authenticate. So if you mis-type your username at the PuTTY ‘login as:’ prompt, you will not be able to change it except by restarting PuTTY.
The SSH-2 protocol does allow changes of username, in principle, but does not make it mandatory for SSH-2 servers to accept them. In particular, OpenSSH does not accept a change of username; once you have sent one username, it will reject attempts to try to authenticate as another user. (Depending on the version of OpenSSH, it may quietly return failure for all login attempts, or it may send an error message.)
For this reason, PuTTY will by default not prompt you for your username more than once, in case the server complains. If you know your server can cope with it, you can enable the ‘Allow attempted changes of username’ option to modify PuTTY's behaviour.
4.22.8 ‘Private key file for authentication’
This box is where you enter the name of your private key file if you are using public key authentication. See chapter 8 for information about public key authentication in SSH.
This key must be in PuTTY's native format (*.PPK). If you have a private key in another format that you want to use with PuTTY, see section 8.2.12.
You can use the authentication agent Pageant so that you do not need to explicitly configure a key here; see chapter 9.
If a private key file is specified here with Pageant running, PuTTY will first try asking Pageant to authenticate with that key, and ignore any other keys Pageant may have. If that fails, PuTTY will ask for a passphrase as normal. You can also specify a public key file in this case (in RFC 4716 or OpenSSH format), as that's sufficient to identify the key to Pageant, but of course if Pageant isn't present PuTTY can't fall back to using this file itself.
4.23 The GSSAPI panel
The ‘GSSAPI’ subpanel of the ‘Auth’ panel controls the use of GSSAPI
authentication. This is a mechanism which delegates the authentication
exchange to a library elsewhere on the client machine, which in principle
can authenticate in many different ways but in practice is usually used
with the Kerberos single sign-on protocol to implement passwordless
login.
GSSAPI is only available in the SSH-2 protocol.
The topmost control on the GSSAPI subpanel is the checkbox labelled
‘Attempt GSSAPI authentication’. If this is disabled, GSSAPI will not be
attempted at all and the rest of this panel is unused. If it is enabled,
GSSAPI authentication will be attempted, and (typically) if your client
machine has valid Kerberos credentials loaded, then PuTTY should be
able to authenticate automatically to servers that support Kerberos
logins.
4.23.1 ‘Allow GSSAPI credential delegation’
GSSAPI credential delegation is a mechanism for passing on your
Kerberos (or other) identity to the session on the SSH server. If you
enable this option, then not only will PuTTY be able to log in
automatically to a server that accepts your Kerberos credentials, but also
you will be able to connect out from that server to other Kerberos-
supporting services and use the same credentials just as automatically.
(This option is the Kerberos analogue of SSH agent forwarding; see
section 9.4 for some information on that.)
Note that, like SSH agent forwarding, there is a security implication in the
use of this option: the administrator of the server you connect to, or
anyone else who has cracked the administrator account on that server,
could fake your identity when connecting to further Kerberos-supporting
services. However, Kerberos sites are typically run by a central authority,
so the administrator of one server is likely to already have access to the
other services too; so this would typically be less of a risk than SSH
agent forwarding.
4.23.2 Preference order for GSSAPI libraries
GSSAPI is a mechanism which allows more than one authentication
method to be accessed through the same interface. Therefore, more than
one authentication library may exist on your system which can be
accessed using GSSAPI.
PuTTY contains native support for a few well-known such libraries, and
will look for all of them on your system and use whichever it finds. If more
than one exists on your system and you need to use a specific one, you
can adjust the order in which it will search using this preference list
control.
One of the options in the preference list is to use a user-specified
GSSAPI library. If the library you want to use is not mentioned by name in
PuTTY's list of options, you can enter its full pathname in the ‘User-
supplied GSSAPI library path’ field, and move the ‘User-supplied
GSSAPI library’ option in the preference list to make sure it is selected
before anything else.
On Windows, such libraries are files with a .dll extension, and must
have been built in the same way as the PuTTY executable you're
running; if you have a 32-bit DLL, you must run a 32-bit version of
PuTTY, and the same with 64-bit (see question A.6.10). On Unix, shared
libraries generally have a .so extension.
4.24.1 ‘Don't allocate a pseudo-terminal’
When connecting to a Unix system, most interactive shell sessions are
run in a pseudo-terminal, which allows the Unix system to pretend it's
talking to a real physical terminal device but allows the SSH server to
catch all the data coming from that fake device and send it back to the
client.
Occasionally you might find you have a need to run a session not in a
pseudo-terminal. In PuTTY, this is generally only useful for very specialist
purposes; although in Plink (see chapter 7) it is the usual way of working.
4.24.2 Sending terminal modes
The SSH protocol allows the client to send ‘terminal modes’ for the
remote pseudo-terminal. These usually control the server's expectation of
the local terminal's behaviour.
If your server does not have sensible defaults for these modes, you may
find that changing them here helps, although the server is at liberty to
ignore your changes. If you don't understand any of this, it's safe to leave
these settings alone.
(None of these settings will have any effect if no pseudo-terminal is
requested or allocated.)
You can change what happens for a particular mode by selecting it in the
list, choosing one of the options and specifying the exact value if
necessary, and hitting ‘Set’. The effect of the options is as follows:
- If the ‘Auto’ option is selected, the PuTTY tools will decide whether to
  specify that mode to the server, and if so, will send a sensible value.
  PuTTY proper will send modes that it has an opinion on (currently
  only the code for the Backspace key, ERASE, and whether the
  character set is UTF-8, IUTF8). Plink on Unix will propagate
  appropriate modes from the local terminal, if any.
- If ‘Nothing’ is selected, no value for the mode will be specified to the
  server under any circumstances.
- If a value is specified, it will be sent to the server under all
  circumstances. The precise syntax of the value box depends on the
  mode.
By default, all of the available modes are listed as ‘Auto’, which should do
the right thing in most circumstances.
The precise effect of each setting, if any, is up to the server. Their names
come from POSIX and other Unix systems, and they are most likely to
have a useful effect on such systems. (These are the same settings that
can usually be changed using the stty command once logged in to such
servers.)
Some notable modes are described below; for fuller explanations, see
your server documentation.
- ERASE is the character that when typed by the user will delete one
  space to the left. When set to ‘Auto’ (the default setting), this follows
  the setting of the local Backspace key in PuTTY (see section 4.4.1).
  This and other special characters are specified using ^C notation for
  Ctrl-C, and so on. Use ^<27> or ^<0x1B> to specify a character
  numerically, and ^~ to get a literal ^. Other non-control characters are
  denoted by themselves. Leaving the box entirely blank indicates that
  no character should be assigned to the specified function, although
  this may not be supported by all servers.
- QUIT is a special character that usually forcefully ends the current
  process on the server (SIGQUIT). On many servers its default setting
  is Ctrl-backslash (^\), which is easy to accidentally invoke on many
  keyboards. If this is getting in your way, you may want to change it to
  another character or turn it off entirely.
- Boolean modes such as ECHO and ICANON can be specified in PuTTY
  in a variety of ways, such as true/false, yes/no, and 0/1. (Explicitly
  specifying a value of no is different from not sending the mode at all.)
- The boolean mode IUTF8 signals to the server whether the terminal
  character set is UTF-8 or not, for purposes such as basic line editing;
  if this is set incorrectly, the backspace key may erase the wrong
  amount of text, for instance. However, simply setting this is not
  usually sufficient for the server to use UTF-8; POSIX servers will
  generally also require the locale to be set (by some server-
  dependent means), although many newer installations default to
  UTF-8. Also, since this mode was added to the SSH protocol much
  later than the others, many servers (particularly older servers) do not
  honour this mode sent over SSH; indeed, a few poorly-written
  servers object to its mere presence, so you may find you need to set
  it to not be sent at all. When set to ‘Auto’, this follows the local
  configured character set (see section 4.10.1).
- Terminal speeds are configured elsewhere; see section 4.14.4.
4.25 The X11 panel
The X11 panel allows you to configure forwarding of X11 over an SSH
connection.
If your server lets you run X Window System graphical applications, X11
forwarding allows you to securely give those applications access to a
local X display on your PC.
To enable X11 forwarding, check the ‘Enable X11 forwarding’ box. If your
X display is somewhere unusual, you will need to enter its location in the
‘X display location’ box; if this is left blank, PuTTY will try to find a
sensible default in the environment, or use the primary local display (:0) if
that fails.
See section 3.4 for more information about X11 forwarding.
4.25.1 Remote X11 authentication
If you are using X11 forwarding, the virtual X server created on the SSH
server machine will be protected by authorisation data. This data is
invented, and checked, by PuTTY.
The usual authorisation method used for this is called MIT-MAGIC-COOKIE-1.
This is a simple password-style protocol: the X client sends some
cookie data to the server, and the server checks that it matches the real
cookie. The cookie data is sent over an unencrypted X11 connection; so
if you allow a client on a third machine to access the virtual X server, then
the cookie will be sent in the clear.
PuTTY offers the alternative protocol XDM-AUTHORIZATION-1. This is a
cryptographically authenticated protocol: the data sent by the X client is
different every time, and it depends on the IP address and port of the
client's end of the connection and is also stamped with the current time.
So an eavesdropper who captures an XDM-AUTHORIZATION-1 string cannot
immediately re-use it for their own X connection.
PuTTY's support for XDM-AUTHORIZATION-1 is a somewhat experimental
feature, and may encounter several problems:
- Some X clients probably do not even support XDM-AUTHORIZATION-1,
  so they will not know what to do with the data PuTTY has provided.
- This authentication mechanism will only work in SSH-2. In SSH-1,
  the SSH server does not tell the client the source address of a
  forwarded connection in a machine-readable format, so it's
  impossible to verify the XDM-AUTHORIZATION-1 data.
- You may find this feature causes problems with some SSH servers,
  which will not clean up XDM-AUTHORIZATION-1 data after a session, so
  that if you then connect to the same server using a client which only
  does MIT-MAGIC-COOKIE-1 and are allocated the same remote display
  number, you might find that out-of-date authentication data is still
  present on your server and your X connections fail.
PuTTY's default is MIT-MAGIC-COOKIE-1. If you change it, you should be
sure you know what you're doing.
4.25.2 X authority file for local display
If you are using X11 forwarding, the local X server to which your
forwarded connections are eventually directed may itself require
authorisation.
Some Windows X servers do not require this: they do authorisation by
simpler means, such as accepting any connection from the local machine
but not from anywhere else. However, if your X server does require
authorisation, then PuTTY needs to know what authorisation is required.
One way in which this data might be made available is for the X server to
store it somewhere in a file which has the same format as the Unix
.Xauthority file. If this is how your Windows X server works, then you
can tell PuTTY where to find this file by configuring this option. By
default, PuTTY will not attempt to find any authorisation for your local
display.
4.26 The Tunnels panel
The Tunnels panel allows you to configure tunnelling of arbitrary
connection types through an SSH connection.
Port forwarding allows you to tunnel other types of network connection
down an SSH session. See section 3.5 for a general discussion of port
forwarding and how it works.
The port forwarding section in the Tunnels panel shows a list of all the
port forwardings that PuTTY will try to set up when it connects to the
server. By default no port forwardings are set up, so this list is empty.
To add a port forwarding:
- Set one of the ‘Local’ or ‘Remote’ radio buttons, depending on
  whether you want to forward a local port to a remote destination
  (‘Local’) or forward a remote port to a local destination (‘Remote’).
  Alternatively, select ‘Dynamic’ if you want PuTTY to provide a local
  SOCKS 4/4A/5 proxy on a local port (note that this proxy only
  supports TCP connections; the SSH protocol does not support
  forwarding UDP).
- Enter a source port number into the ‘Source port’ box. For local
  forwardings, PuTTY will listen on this port of your PC. For remote
  forwardings, your SSH server will listen on this port of the remote
  machine. Note that most servers will not allow you to listen on port
  numbers less than 1024.
- If you have selected ‘Local’ or ‘Remote’ (this step is not needed with
  ‘Dynamic’), enter a hostname and port number separated by a colon,
  in the ‘Destination’ box. Connections received on the source port will
  be directed to this destination. For example, to connect to a POP-3
  server, you might enter popserver.example.com:110. (If you need to
  enter a literal IPv6 address, enclose it in square brackets, for
  instance ‘[::1]:2200’.)
- Click the ‘Add’ button. Your forwarding details should appear in the
  list box.
To remove a port forwarding, simply select its details in the list box, and
click the ‘Remove’ button.
In the ‘Source port’ box, you can also optionally enter an IP address to
listen on, by specifying (for instance) 127.0.0.5:79. See section 3.5 for
more information on how this works and its restrictions.
In place of port numbers, you can enter service names, if they are known
to the local system. For instance, in the ‘Destination’ box, you could enter
popserver.example.com:pop3.
You can modify the currently active set of port forwardings in mid-session
using ‘Change Settings’ (see section 3.1.3.4). If you delete a local or
dynamic port forwarding in mid-session, PuTTY will stop listening for
connections on that port, so it can be re-used by another program. If you
delete a remote port forwarding, note that:
- The SSH-1 protocol contains no mechanism for asking the server to
  stop listening on a remote port.
- The SSH-2 protocol does contain such a mechanism, but not all
  SSH servers support it. (In particular, OpenSSH does not support it
  in any version earlier than 3.9.)
If you ask to delete a remote port forwarding and PuTTY cannot make
the server actually stop listening on the port, it will instead just start
refusing incoming connections on that port. Therefore, although the port
cannot be reused by another program, you can at least be reasonably
sure that server-side programs can no longer access the service at your
end of the port forwarding.
If you delete a forwarding, any existing connections established using
that forwarding remain open. Similarly, changes to global settings such
as ‘Local ports accept connections from other hosts’ only take effect on
new forwardings.
If the connection you are forwarding over SSH is itself a second SSH
connection made by another copy of PuTTY, you might find the ‘logical
host name’ configuration option useful to warn PuTTY of which host key it
should be expecting. See section 4.13.5 for details of this.
4.26.1 Controlling the visibility of forwarded ports
The source port for a forwarded connection usually does not accept
connections from any machine except the SSH client or server machine
itself (for local and remote forwardings respectively). There are controls
in the Tunnels panel to change this:
- The ‘Local ports accept connections from other hosts’ option allows
  you to set up local-to-remote port forwardings in such a way that
  machines other than your client PC can connect to the forwarded
  port. (This also applies to dynamic SOCKS forwarding.)
- The ‘Remote ports do the same’ option does the same thing for
  remote-to-local port forwardings (so that machines other than the
  SSH server machine can connect to the forwarded port.) Note that
  this feature is only available in the SSH-2 protocol, and not all SSH-2
  servers support it (OpenSSH 3.0 does not, for example).
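The following is an added example, not part of the PuTTY manual or PuTTY's own code. It parses forwarding entries in the form the Tunnels panel accepts (optional listen address, service names, bracketed IPv6 destinations) and reports which listeners become reachable from other hosts when the two visibility options are ticked. The names Forwarding, parse_forwarding and audit are hypothetical.

```python
"""Added example: parse Tunnels-panel entries and report who can reach them."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Forwarding:
    kind: str                    # 'Local', 'Remote' or 'Dynamic'
    listen_addr: Optional[str]   # None when only a port was entered
    listen_port: str             # number or service name, as typed
    dest_host: Optional[str]     # None for 'Dynamic'
    dest_port: Optional[str]


def _check_port(port: str) -> str:
    """Keep a service name unchanged; range-check a numeric port."""
    if not port:
        raise ValueError("missing port")
    if port.isdigit() and not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def split_destination(text: str) -> Tuple[str, str]:
    """Split 'host:port'; a literal IPv6 host must be in square brackets."""
    if text.startswith("["):
        end = text.find("]")
        if end == -1 or text[end + 1:end + 2] != ":":
            raise ValueError(f"bad bracketed destination: {text!r}")
        return text[1:end], _check_port(text[end + 2:])
    host, sep, port = text.rpartition(":")
    if not sep or not host:
        raise ValueError(f"destination needs host:port: {text!r}")
    if ":" in host:
        raise ValueError("a literal IPv6 address must be enclosed in [ ]")
    return host, _check_port(port)


def parse_forwarding(kind: str, source: str, destination: str = "") -> Forwarding:
    """Build a Forwarding from the radio button, 'Source port' and 'Destination'."""
    if kind not in ("Local", "Remote", "Dynamic"):
        raise ValueError(f"unknown forwarding type: {kind!r}")
    addr, sep, port = source.rpartition(":")      # '127.0.0.5:79' or just '79'
    listen_addr = addr if sep else None
    port = _check_port(port)
    if kind == "Dynamic":
        if destination:
            raise ValueError("a Dynamic forwarding takes no destination")
        return Forwarding(kind, listen_addr, port, None, None)
    host, dest_port = split_destination(destination)
    return Forwarding(kind, listen_addr, port, host, dest_port)


def audit(fwd: Forwarding, local_accept_all: bool = False,
          remote_accept_all: bool = False) -> List[str]:
    """Return review findings for one entry under the two visibility options."""
    findings = []
    remote = fwd.kind == "Remote"
    side = "SSH server" if remote else "client PC"
    exposed = remote_accept_all if remote else local_accept_all
    if exposed:
        what = "SOCKS proxy" if fwd.kind == "Dynamic" else "forwarded port"
        findings.append(f"{what} on the {side} accepts connections from other hosts")
    if remote and fwd.listen_port.isdigit() and int(fwd.listen_port) < 1024:
        findings.append("most servers will not allow listening on ports below 1024")
    return findings


if __name__ == "__main__":
    # Constructed sample entries, using the manual's own example values.
    entries = [("Local", "127.0.0.5:79", "popserver.example.com:110"),
               ("Local", "2200", "[::1]:2200"),
               ("Dynamic", "1080", ""),
               ("Remote", "80", "localhost:8080")]
    for kind, src, dst in entries:
        fwd = parse_forwarding(kind, src, dst)
        print(fwd, audit(fwd, local_accept_all=True, remote_accept_all=True))
```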
4.26.2 Selecting Internet protocol version for forwarded ports
This switch allows you to select a specific Internet protocol (IPv4 or IPv6)
for the local end of a forwarded port. By default, it is set on ‘Auto’, which
means that:
- for a local-to-remote port forwarding, PuTTY will listen for incoming
  connections in both IPv4 and (if available) IPv6
- for a remote-to-local port forwarding, PuTTY will choose a sensible
  protocol for the outgoing connection.
This overrides the general Internet protocol version preference on the
Connection panel (see section 4.13.4).
Note that some operating systems may listen for incoming connections in
IPv4 even if you specifically asked for IPv6, because their IPv4 and IPv6
protocol stacks are linked together. Apparently Linux does this, and
Windows does not. So if you're running PuTTY on Windows and you tick
‘IPv6’ for a local or dynamic port forwarding, it will only be usable by
connecting to it using IPv6; whereas if you do the same on Linux, you
can also use it with IPv4. However, ticking ‘Auto’ should always give you
a port which you can connect to using either protocol.
4.27 The Bugs and More Bugs panels
Not all SSH servers work properly. Various existing servers have bugs in
them, which can make it impossible for a client to talk to them unless it
knows about the bug and works around it.
Since most servers announce their software version number at the
beginning of the SSH connection, PuTTY will attempt to detect which
bugs it can expect to see in the server and automatically enable
workarounds. However, sometimes it will make mistakes; if the server
has been deliberately configured to conceal its version number, or if the
server is a version which PuTTY's bug database does not know about,
then PuTTY will not know what bugs to expect.
The Bugs and More Bugs panels (there are two because we have so
many bug compatibility modes) allow you to manually configure the bugs
PuTTY expects to see in the server. Each bug can be configured in three
states:
- ‘Off’: PuTTY will assume the server does not have the bug.
- ‘On’: PuTTY will assume the server does have the bug.
- ‘Auto’: PuTTY will use the server's version number announcement to
  try to guess whether or not the server has the bug.
4.27.1 ‘Chokes on SSH-1 ignore messages’
An ignore message (SSH_MSG_IGNORE) is a message in the SSH
protocol which can be sent from the client to the server, or from the
server to the client, at any time. Either side is required to ignore the
message whenever it receives it. PuTTY uses ignore messages to hide
the password packet in SSH-1, so that a listener cannot tell the length of
the user's password; it also uses ignore messages for connection
keepalives (see section 4.13.1).
If this bug is detected, PuTTY will stop using ignore messages. This
means that keepalives will stop working, and PuTTY will have to fall back
to a secondary defence against SSH-1 password-length eavesdropping.
See section 4.27.2. If this bug is enabled when talking to a correct server,
the session will succeed, but keepalives will not work and the session
might be more vulnerable to eavesdroppers than it could be.
4.27.2 ‘Refuses all SSH-1 password camouflage’
When talking to an SSH-1 server which cannot deal with ignore
messages (see section 4.27.1), PuTTY will attempt to disguise the length
of the user's password by sending additional padding within the
password packet. This is technically a violation of the SSH-1
specification, and so PuTTY will only do it when it cannot use standards-
compliant ignore messages as camouflage. In this sense, for a server to
refuse to accept a padded password packet is not really a bug, but it
does make life inconvenient if the server can also not handle ignore
messages.
If this ‘bug’ is detected, PuTTY will assume that neither ignore messages
nor padding are acceptable, and that it thus has no choice but to send
the user's password with no form of camouflage, so that an
eavesdropping user will be easily able to find out the exact length of the
password. If this bug is enabled when talking to a correct server, the
session will succeed, but will be more vulnerable to eavesdroppers than it
could be.
This is an SSH-1-specific bug. SSH-2 is secure against this type of
attack.
4.27.3 ‘Chokes on SSH-1 RSA authentication’
Some SSH-1 servers cannot deal with RSA authentication messages at
all. If Pageant is running and contains any SSH-1 keys, PuTTY will
normally automatically try RSA authentication before falling back to
passwords, so these servers will crash when they see the RSA attempt.
If this bug is detected, PuTTY will go straight to password authentication.
If this bug is enabled when talking to a correct server, the session will
succeed, but of course RSA authentication will be impossible.
This is an SSH-1-specific bug.
4.27.4 ‘Chokes on SSH-2 ignore messages’
An ignore message (SSH_MSG_IGNORE) is a message in the SSH
protocol which can be sent from the client to the server, or from the
server to the client, at any time. Either side is required to ignore the
message whenever it receives it. PuTTY uses ignore messages in SSH-2
to confuse the encrypted data stream and make it harder to cryptanalyse.
It also uses ignore messages for connection keepalives (see section
4.13.1).
If it believes the server to have this bug, PuTTY will stop using ignore
messages. If this bug is enabled when talking to a correct server, the
session will succeed, but keepalives will not work and the session might
be less cryptographically secure than it could be.
4.27.5 ‘Chokes on PuTTY's SSH-2 ‘winadj’ requests’
PuTTY sometimes sends a special request to SSH servers in the middle
of channel data, with the name winadj@putty.projects.tartarus.org (see
section F.1). The purpose of this request is to measure the round-trip time
to the server, which PuTTY uses to tune its flow control. The server does
not actually have to understand the message; it is expected to send back
an SSH_MSG_CHANNEL_FAILURE message indicating that it didn't understand it.
(All PuTTY needs for its timing calculations is some kind of response.)
It has been known for some SSH servers to get confused by this
message in one way or another – because it has a long name, or
because they can't cope with unrecognised request names even to the
extent of sending back the correct failure response, or because they
handle it sensibly but fill up the server's log file with pointless spam, or
whatever. PuTTY therefore supports this bug-compatibility flag: if it
believes the server has this bug, it will never send its
‘winadj@putty.projects.tartarus.org’ request, and will make do without
its timing data.
4.27.6 ‘Miscomputes SSH-2 HMAC keys’
Versions 2.3.0 and below of the SSH server software from ssh.com
compute the keys for their HMAC message authentication codes
incorrectly. A typical symptom of this problem is that PuTTY dies
unexpectedly at the beginning of the session, saying ‘Incorrect MAC
received on packet’.
If this bug is detected, PuTTY will compute its HMAC keys in the same
way as the buggy server, so that communication will still be possible. If
this bug is enabled when talking to a correct server, communication will
fail.
This is an SSH-2-specific bug.
4.27.7 ‘Miscomputes SSH-2 encryption keys’
Versions below 2.0.11 of the SSH server software from ssh.com compute
the keys for the session encryption incorrectly. This problem can cause
various error messages, such as ‘Incoming packet was garbled on
decryption’, or possibly even ‘Out of memory’.
If this bug is detected, PuTTY will compute its encryption keys in the
same way as the buggy server, so that communication will still be
possible. If this bug is enabled when talking to a correct server,
communication will fail.
This is an SSH-2-specific bug.
4.27.8 ‘Requires padding on SSH-2 RSA signatures’
Versions below 3.3 of OpenSSH require SSH-2 RSA signatures to be
padded with zero bytes to the same length as the RSA key modulus. The
SSH-2 specification says that an unpadded signature MUST be
accepted, so this is a bug. A typical symptom of this problem is that
PuTTY mysteriously fails RSA authentication once in every few hundred
attempts, and falls back to passwords.
If this bug is detected, PuTTY will pad its signatures in the way OpenSSH
expects. If this bug is enabled when talking to a correct server, it is likely
that no damage will be done, since correct servers usually still accept
padded signatures because they're used to talking to OpenSSH.
This is an SSH-2-specific bug.
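The following is an added example, not part of the PuTTY manual and not PuTTY's or OpenSSH's code. It shows why the failure described in section 4.27.8 is intermittent: a signature is an integer below the modulus, so its shortest encoding occasionally comes out one byte short, and a server that insists on the full modulus length rejects exactly those. The toy key, the textbook RSA signing without PKCS#1 encoding, and all function names are assumptions made for the illustration.

```python
"""Added example: an unpadded SSH-2 RSA signature is sometimes short."""
import hashlib
from typing import List

# Constructed toy key, far too small for real use: the product of two
# Mersenne primes is a 168-bit modulus, i.e. exactly 21 bytes.
P, Q = 2**61 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
MODULUS_LEN = (N.bit_length() + 7) // 8


def _digest(message: bytes) -> int:
    """Hash the message down to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def toy_sign(message: bytes) -> int:
    """Textbook RSA on a hash (assumption: no PKCS#1 encoding, unlike SSH)."""
    return pow(_digest(message), D, N)


def encode_unpadded(sig: int) -> bytes:
    """Shortest big-endian form: leading zero bytes are not sent."""
    return sig.to_bytes(max(1, (sig.bit_length() + 7) // 8), "big")


def encode_padded(sig: int) -> bytes:
    """Left-pad with zero bytes to the length of the modulus (the workaround)."""
    return sig.to_bytes(MODULUS_LEN, "big")


def _verifies(blob: bytes, message: bytes) -> bool:
    return pow(int.from_bytes(blob, "big"), E, N) == _digest(message)


def correct_server_accepts(blob: bytes, message: bytes) -> bool:
    """Accepts padded and unpadded signatures alike."""
    return len(blob) <= MODULUS_LEN and _verifies(blob, message)


def strict_server_accepts(blob: bytes, message: bytes) -> bool:
    """Models the length requirement the section describes for old servers."""
    return len(blob) == MODULUS_LEN and _verifies(blob, message)


def short_signature_messages(trials: int) -> List[bytes]:
    """Constructed messages whose unpadded signature is shorter than N."""
    found = []
    for i in range(trials):
        msg = b"login attempt %d" % i
        if len(encode_unpadded(toy_sign(msg))) < MODULUS_LEN:
            found.append(msg)
    return found


if __name__ == "__main__":
    trials = 20000
    short = short_signature_messages(trials)
    print(f"{len(short)} of {trials} signatures are shorter than the modulus")
    msg = short[0]
    sig = toy_sign(msg)
    print("strict server, unpadded:", strict_server_accepts(encode_unpadded(sig), msg))
    print("strict server, padded:  ", strict_server_accepts(encode_padded(sig), msg))
```

With this toy key roughly one signature in 256 has a zero top byte, which is the scale of failure the section reports.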
4.27.9 ‘Misuses the session ID in SSH-2 PK auth’
Versions below 2.3 of OpenSSH require SSH-2 public-key authentication
to be done slightly differently: the data to be signed by the client contains
the session ID formatted in a different way. If public-key authentication
mysteriously does not work but the Event Log (see section 3.1.3.1) thinks
it has successfully sent a signature, it might be worth enabling the
workaround for this bug to see if it helps.
If this bug is detected, PuTTY will sign data in the way OpenSSH
expects. If this bug is enabled when talking to a correct server, SSH-2
public-key authentication will fail.
This is an SSH-2-specific bug.
4.27.10 ‘Handles SSH-2 key re-exchange badly’
Some SSH servers cannot cope with repeat key exchange at all, and will
ignore attempts by the client to start one. Since PuTTY pauses the
session while performing a repeat key exchange, the effect of this would
be to cause the session to hang after an hour (unless you have your
rekey timeout set differently; see section 4.19.2 for more about rekeys).
Other, very old, SSH servers handle repeat key exchange even more
badly, and disconnect upon receiving a repeat key exchange request.
If this bug is detected, PuTTY will never initiate a repeat key exchange. If
this bug is enabled when talking to a correct server, the session should
still function, but may be less secure than you would expect.
This is an SSH-2-specific bug.
4.27.11 ‘Ignores SSH-2 maximum packet size’
When an SSH-2 channel is set up, each end announces the maximum
size of data packet that it is willing to receive for that channel. Some
servers ignore PuTTY's announcement and send packets larger than
PuTTY is willing to accept, causing it to report ‘Incoming packet was
garbled on decryption’.
If this bug is detected, PuTTY never allows the channel's flow-control
window to grow large enough to allow the server to send an over-sized
packet. If this bug is enabled when talking to a correct server, the session
will work correctly, but download performance will be less than it could
be.
4.27.12 ‘Replies to requests on closed channels’
The SSH protocol as published in RFC 4254 has an ambiguity which
arises if one side of a connection tries to close a channel, while the other
side simultaneously sends a request within the channel and asks for a
reply. RFC 4254 leaves it unclear whether the closing side should reply to
the channel request after having announced its intention to close the
channel.
Discussion on the ietf-ssh mailing list in April 2014 formed a clear
consensus that the right answer is no. However, because of the
ambiguity in the specification, some SSH servers have implemented the
other policy; for example, OpenSSH used to until it was fixed.
Because PuTTY sends channel requests with the ‘want reply’ flag
throughout channels' lifetime (see section 4.27.5), it's possible that when
connecting to such a server it might receive a reply to a request after it
thinks the channel has entirely closed, and terminate with an error along
the lines of ‘Received SSH2_MSG_CHANNEL_FAILURE for nonexistent channel
256’.
4.27.13 ‘Only supports pre-RFC4419 SSH-2 DH GEX’
The SSH key exchange method that uses Diffie-Hellman group exchange
was redesigned after its original release, to use a slightly more
sophisticated setup message. Almost all SSH implementations switched
over to the new version. (PuTTY was one of the last.) A few old servers
still only support the old one.
If this bug is detected, and the client and server negotiate Diffie-Hellman
group exchange, then PuTTY will send the old message now known as
SSH2_MSG_KEX_DH_GEX_REQUEST_OLD in place of the new
SSH2_MSG_KEX_DH_GEX_REQUEST.
This is an SSH-2-specific bug.
4.28 The Serial panel
The Serial panel allows you to configure options that only apply when
PuTTY is connecting to a local serial line.
4.28.1 Selecting a serial line to connect to
The ‘Serial line to connect to’ box allows you to choose which serial line
you want PuTTY to talk to, if your computer has more than one serial
port.
On Windows, the first serial line is called COM1, and if there is a second it
is called COM2, and so on.
This configuration setting is also visible on the Session panel, where it
replaces the ‘Host Name’ box (see section 4.1.1) if the connection type is
set to ‘Serial’.
4.28.2 Selecting the speed of your serial line
The ‘Speed’ box allows you to choose the speed (or ‘baud rate’) at which
to talk to the serial line. Typical values might be 9600, 19200, 38400 or
57600. Which one you need will depend on the device at the other end of
the serial cable; consult the manual for that device if you are in doubt.
This configuration setting is also visible on the Session panel, where it
replaces the ‘Port’ box (see section 4.1.1) if the connection type is set to
‘Serial’.
4.28.3 Selecting the number of data bits
The ‘Data bits’ box allows you to choose how many data bits are
transmitted in each byte sent or received through the serial line. Typical
values are 7 or 8.
4.28.4 Selecting the number of stop bits
The ‘Stop bits’ box allows you to choose how many stop bits are used in
the serial line protocol. Typical values are 1, 1.5 or 2.
4.28.5 Selecting the serial parity checking scheme
The ‘Parity’ box allows you to choose what type of parity checking is used
on the serial line. The settings are:
- ‘None’: no parity bit is sent at all.
- ‘Odd’: an extra parity bit is sent alongside each byte, and arranged
  so that the total number of 1 bits is odd.
- ‘Even’: an extra parity bit is sent alongside each byte, and arranged
  so that the total number of 1 bits is even.
- ‘Mark’: an extra parity bit is sent alongside each byte, and always set
  to 1.
- ‘Space’: an extra parity bit is sent alongside each byte, and always
  set to 0.
4.28.6 Selecting the serial flow control scheme
The ‘Flow control’ box allows you to choose what type of flow control
checking is used on the serial line. The settings are:
- ‘None’: no flow control is done. Data may be lost if either side
  attempts to send faster than the serial line permits.
- ‘XON/XOFF’: flow control is done by sending XON and XOFF
  characters within the data stream.
- ‘RTS/CTS’: flow control is done using the RTS and CTS wires on the
  serial line.
- ‘DSR/DTR’: flow control is done using the DSR and DTR wires on
  the serial line.
4.29 Storing configuration in a file
PuTTY does not currently support storing its configuration in a file instead
of the Registry. However, you can work around this with a couple of batch
files.
You will need a file called (say) PUTTY.BAT which imports the contents of a
file into the Registry, then runs PuTTY, exports the contents of the
Registry back into the file, and deletes the Registry entries. This can all
be done using the Regedit command line options, so it's all automatic.
Here is what you need in PUTTY.BAT:
@ECHO OFF
regedit /s putty.reg
regedit /s puttyrnd.reg
start /w putty.exe
regedit /ea new.reg HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
copy new.reg putty.reg
del new.reg
regedit /s puttydel.reg
This batch file needs two auxiliary files: PUTTYRND.REG which sets up an
initial safe location for the PUTTY.RND random seed file, and PUTTYDEL.REG
which destroys everything in the Registry once it's been successfully
saved back to the file.
Here is PUTTYDEL.REG:
REGEDIT4
[-HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]
Here is an example PUTTYRND.REG file:
REGEDIT4
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]
"RandSeedFile"="a:\\putty.rnd"
You should replace a:\putty.rnd with the location where you want to
store your random number data. If the aim is to carry around PuTTY and
its settings on one USB stick, you probably want to store it on the USB
stick.
Chapter 5: Using PSCP to transfer files securely
PSCP, the PuTTY Secure Copy client, is a tool for transferring files
securely between computers using an SSH connection.
If you have an SSH-2 server, you might prefer PSFTP (see chapter 6) for
interactive use. PSFTP does not in general work with SSH-1 servers,
however.
5.1 Starting PSCP
PSCP is a command line application. This means that you cannot just
double-click on its icon to run it and instead you have to bring up a
console window. With Windows 95, 98, and ME, this is called an ‘MS-
DOS Prompt’ and with Windows NT, 2000, and XP, it is called a
‘Command Prompt’. It should be available from the Programs section of
your Start Menu.
To start PSCP it will need either to be on your PATH or in your current
directory. To add the directory containing PSCP to your PATH environment
variable, type into the console window:
set PATH=C:\path\to\putty\directory;%PATH%
This will only work for the lifetime of that particular console window. To
set your PATH more permanently on Windows NT, 2000, and XP, use the
Environment tab of the System Control Panel. On Windows 95, 98, and
ME, you will need to edit your AUTOEXEC.BAT to include a set command
like the one above.
5.2 PSCP Usage
Once you've got a console window to type into, you can just type pscp on
its own to bring up a usage message. This tells you the version of PSCP
you're using, and gives you a brief summary of how to use PSCP:
Z:\owendadmin>pscp
PuTTY Secure Copy client
Release 0.70
Usage: pscp [options] [user@]host:source target
       pscp [options] source [source...] [user@]host:target
       pscp [options] -ls [user@]host:filespec
Options:
  -V        print version information and exit
  -pgpfp    print PGP key fingerprints and exit
  -p        preserve file attributes
  -q        quiet, don't show statistics
  -r        copy directories recursively
  -v        show verbose messages
  -load sessname  Load settings from saved session
  -P port   connect to specified port
  -l user   connect with specified username
  -pw passw login with specified password
  -1 -2     force use of particular SSH protocol version
  -4 -6     force use of IPv4 or IPv6
  -C        enable compression
  -i key    private key file for user authentication
  -noagent  disable use of Pageant
  -agent    enable use of Pageant
  -hostkey aa:bb:cc:...
            manually specify a host key (may be repeated)
  -batch    disable all interactive prompts
  -proxycmd command
            use 'command' as local proxy
  -unsafe   allow server-side wildcards (DANGEROUS)
  -sftp     force use of SFTP protocol
  -scp      force use of SCP protocol
  -sshlog file
  -sshrawlog file
            log protocol details to a file
(PSCP's interface is much like the Unix scp command, if you're familiar
with that.)

5.2.1 The basics

To receive (a) file(s) from a remote server:

  pscp [options] [user@]host:source target

So to copy the file /etc/hosts from the server example.com as user fred to
the file c:\temp\example-hosts.txt, you would type:

  pscp fred@example.com:/etc/hosts c:\temp\example-hosts.txt

To send (a) file(s) to a remote server:

  pscp [options] source [source...] [user@]host:target

So to copy the local file c:\documents\foo.txt to the server example.com
as user fred to the file /tmp/foo you would type:

  pscp c:\documents\foo.txt fred@example.com:/tmp/foo

You can use wildcards to transfer multiple files in either direction, like this:

  pscp c:\documents\*.doc fred@example.com:docfiles
  pscp fred@example.com:source/*.c c:\source

However, in the second case (using a wildcard for multiple remote files)
you may see a warning saying something like ‘warning: remote host tried
to write to a file called ‘terminal.c’ when we requested a file called ‘*.c’.
If this is a wildcard, consider upgrading to SSH-2 or using the ‘-unsafe’
option. Renaming of this file has been disallowed’.

This is due to a fundamental insecurity in the old-style SCP protocol: the
client sends the wildcard string (*.c) to the server, and the server sends
back a sequence of file names that match the wildcard pattern. However,
there is nothing to stop the server sending back a different pattern and
writing over one of your other files: if you request *.c, the server might
send back the file name AUTOEXEC.BAT and install a virus for you. Since
the wildcard matching rules are decided by the server, the client cannot
reliably verify that the filenames sent back match the pattern.

PSCP will attempt to use the newer SFTP protocol (part of SSH-2) where
possible, which does not suffer from this security flaw. If you are talking to
an SSH-2 server which supports SFTP, you will never see this warning.
(You can force use of the SFTP protocol, if available, with -sftp - see
section 5.2.2.6.)

If you really need to use a server-side wildcard with an SSH-1 server, you
can use the -unsafe command line option with PSCP:

  pscp -unsafe fred@example.com:source/*.c c:\source

This will suppress the warning message and the file transfer will happen.
However, you should be aware that by using this option you are giving
the server the ability to write to any file in the target directory, so you
should only use this option if you trust the server administrator not to be
malicious (and not to let the server machine be cracked by malicious
people). Alternatively, do any such download in a newly created empty
directory. (Even in ‘unsafe’ mode, PSCP will still protect you against the
server trying to get out of that directory using pathnames including ‘..’.)
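
The check below is an added example, not PSCP's own code: it models what a client can and cannot decide about the file names a server offers in answer to a wildcard request. The function name, the verdict strings and the sample names are constructed for illustration, and Python's fnmatch stands in (as an assumption) for the client's idea of the wildcard rules.

```python
import fnmatch
import posixpath


def audit_offered_names(requested, offered):
    """Classify names a server offers in answer to a wildcard download.

    requested -- remote file spec the client sent, e.g. "source/*.c"
    offered   -- file names the server announced, in arrival order
    Returns a list of (name, verdict) pairs.
    """
    # Only the last path component carries the wildcard the user typed.
    pattern = posixpath.basename(requested)
    results = []
    for name in offered:
        if name in ("", ".", "..") or "/" in name or "\\" in name:
            # A name that could leave the target directory is never
            # acceptable, whatever pattern was requested.
            verdict = "reject"
        elif fnmatch.fnmatchcase(name, pattern):
            verdict = "accept"
        else:
            # By the client's rules this was not asked for. The server's
            # rules may differ, so the client can only warn, not prove.
            verdict = "warn"
        results.append((name, verdict))
    return results


# Constructed sample 1: a server answering "*.c" with an unrelated name
# and with a name that tries to climb out of the target directory.
HOSTILE = audit_offered_names(
    "source/*.c", ["terminal.c", "AUTOEXEC.BAT", "../boot.c"])

# Constructed sample 2: an honest server that expands braces, a wildcard
# form the client-side matcher does not know about.
HONEST_BRACES = audit_offered_names(
    "source/{main,util}.c", ["main.c", "util.c"])

if __name__ == "__main__":
    for name, verdict in HOSTILE + HONEST_BRACES:
        print("%-14s %s" % (name, verdict))
```

In the second sample an honest server is flagged for every file, which is the reason the manual calls client-side verification unreliable and recommends SFTP or a newly created empty target directory instead.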

5.2.1.1 user

The login name on the remote server. If this is omitted, and host is a
PuTTY saved session, PSCP will use any username specified by that
saved session. Otherwise, PSCP will attempt to use the local Windows
username.

5.2.1.2 host

The name of the remote server, or the name of an existing PuTTY saved
session. In the latter case, the session's settings for hostname, port
number, cipher type and username will be used.

5.2.1.3 source

One or more source files. Wildcards are allowed. The syntax of wildcards
depends on the system to which they apply, so if you are copying from a
Windows system to a UNIX system, you should use Windows wildcard
syntax (e.g. *.*), but if you are copying from a UNIX system to a
Windows system, you would use the wildcard syntax allowed by your
UNIX shell (e.g. *).

If the source is a remote server and you do not specify a full pathname
(in UNIX, a pathname beginning with a / (slash) character), what you
specify as a source will be interpreted relative to your home directory on
the remote server.

5.2.1.4 target

The filename or directory to put the file(s). When copying from a remote
server to a local host, you may wish simply to place the file(s) in the
current directory. To do this, you should specify a target of ‘.’. For
example:

  pscp fred@example.com:/home/tom/.emacs .

... would copy /home/tom/.emacs on the remote server to the current
directory.

As with the source parameter, if the target is on a remote server and is
not a full pathname, it is interpreted relative to your home directory on
the remote server.

5.2.2 Options

PSCP accepts all the general command line options supported by the
PuTTY tools, except the ones which make no sense in a file transfer
utility. See section 3.8.3 for a description of these options. (The ones not
supported by PSCP are clearly marked.)

PSCP also supports some of its own options. The following sections
describe PSCP's specific command-line options.

5.2.2.1 -ls list remote files

If the -ls option is given, no files are transferred; instead, remote files are
listed. Only a hostname specification and optional remote file
specification need be given. For example:

  pscp -ls fred@example.com:dir1

The SCP protocol does not contain within itself a means of listing files. If
SCP is in use, this option therefore assumes that the server responds
appropriately to the command ls -la; this may not work with all servers.

If SFTP is in use, this option should work with all servers.

5.2.2.2 -p preserve file attributes

By default, files copied with PSCP are timestamped with the date and
time they were copied. The -p option preserves the original timestamp on
copied files.

5.2.2.3 -q quiet, don't show statistics

By default, PSCP displays a meter displaying the progress of the current
transfer:

  mibs.tar | 168 kB | 84.0 kB/s | ETA: 00:00:13 | 13%

The fields in this display are (from left to right), filename, size (in
kilobytes) of file transferred so far, estimate of how fast the file is being
transferred (in kilobytes per second), estimated time that the transfer will
be complete, and percentage of the file so far transferred. The -q option
to PSCP suppresses the printing of these statistics.

5.2.2.4 -r copies directories recursively

By default, PSCP will only copy files. Any directories you specify to copy
will be skipped, as will their contents. The -r option tells PSCP to
descend into any directories you specify, and to copy them and their
contents. This allows you to use PSCP to transfer whole directory
structures between machines.

5.2.2.5 -batch avoid interactive prompts

If you use the -batch option, PSCP will never give an interactive prompt
while establishing the connection. If the server's host key is invalid, for
example (see section 2.2), then the connection will simply be abandoned
instead of asking you what to do next.

This may help PSCP's behaviour when it is used in automated scripts:
using -batch, if something goes wrong at connection time, the batch job
will fail rather than hang.

5.2.2.6 -sftp, -scp force use of particular protocol

As mentioned in section 5.2.1, there are two different file transfer
protocols in use with SSH. Despite its name, PSCP (like many other
ostensible scp clients) can use either of these protocols.

The older SCP protocol does not have a written specification and leaves
a lot of detail to the server platform. Wildcards are expanded on the
server. The simple design means that any wildcard specification
supported by the server platform (such as brace expansion) can be used,
but also leads to interoperability issues such as with filename quoting (for
instance, where filenames contain spaces), and also the security issue
described in section 5.2.1.

The newer SFTP protocol, which is usually associated with SSH-2
servers, is specified in a more platform independent way, and leaves
issues such as wildcard syntax up to the client. (PuTTY's SFTP wildcard
syntax is described in section 6.2.2.) This makes it more consistent
across platforms, more suitable for scripting and automation, and avoids
security issues with wildcard matching.

Normally PSCP will attempt to use the SFTP protocol, and only fall back
to the SCP protocol if SFTP is not available on the server.

The -scp option forces PSCP to use the SCP protocol or quit.

The -sftp option forces PSCP to use the SFTP protocol or quit. When
this option is specified, PSCP looks harder for an SFTP server, which
may allow use of SFTP with SSH-1 depending on server setup.

5.2.3 Return value

PSCP returns an ERRORLEVEL of zero (success) only if the files were
correctly transferred. You can test for this in a batch file, using code such
as this:

  pscp file*.* user@hostname:
  if errorlevel 1 echo There was an error

5.2.4 Using public key authentication with PSCP

Like PuTTY, PSCP can authenticate using a public key instead of a
password. There are three ways you can do this.

Firstly, PSCP can use PuTTY saved sessions in place of hostnames (see
section 5.2.1.2). So you would do this:

- Run PuTTY, and create a PuTTY saved session (see section 4.1.2)
  which specifies your private key file (see section 4.22.8). You will
  probably also want to specify a username to log in as (see section
  4.14.1).
- In PSCP, you can now use the name of the session instead of a
  hostname: type pscp sessionname:file localfile, where
  sessionname is replaced by the name of your saved session.

Secondly, you can supply the name of a private key file on the command
line, with the -i option. See section 3.8.3.18 for more information.

Thirdly, PSCP will attempt to authenticate using Pageant if Pageant is
running (see chapter 9). So you would do this:

- Ensure Pageant is running, and has your private key stored in it.
- Specify a user and host name to PSCP as normal. PSCP will
  automatically detect Pageant and try to use the keys within it.

For more general information on public-key authentication, see chapter 8.

Chapter 6: Using PSFTP to transfer files securely

PSFTP, the PuTTY SFTP client, is a tool for transferring files securely
between computers using an SSH connection.

PSFTP differs from PSCP in the following ways:

- PSCP should work on virtually every SSH server. PSFTP uses the
  new SFTP protocol, which is a feature of SSH-2 only. (PSCP will
  also use this protocol if it can, but there is an SSH-1 equivalent it can
  fall back to if it cannot.)
- PSFTP allows you to run an interactive file transfer session, much
  like the Windows ftp program. You can list the contents of
  directories, browse around the file system, issue multiple get and put
  commands, and eventually log out. By contrast, PSCP is designed to
  do a single file transfer operation and immediately terminate.

6.1 Starting PSFTP

The usual way to start PSFTP is from a command prompt, much like
PSCP. To do this, it will need either to be on your PATH or in your current
directory. To add the directory containing PSFTP to your PATH
environment variable, type into the console window:

  set PATH=C:\path\to\putty\directory;%PATH%

Unlike PSCP, however, PSFTP has no complex command-line syntax;
you just specify a host name and perhaps a user name:

  psftp server.example.com

or perhaps

  psftp fred@server.example.com

Alternatively, if you just type psftp on its own (or double-click the PSFTP
icon in the Windows GUI), you will see the PSFTP prompt, and a
message telling you PSFTP has not connected to any server:

  C:\>psftp
  psftp: no hostname specified; use "open host.name" to connect
  psftp>

At this point you can type open server.example.com or open
fred@server.example.com to start a session.

PSFTP accepts all the general command line options supported by the
PuTTY tools, except the ones which make no sense in a file transfer
utility. See section 3.8.3 for a description of these options. (The ones not
supported by PSFTP are clearly marked.)

PSFTP also supports some of its own options. The following sections
describe PSFTP's specific command-line options.

6.1.1 -b: specify a file containing batch commands

In normal operation, PSFTP is an interactive program which displays a
command line and accepts commands from the keyboard.

If you need to do automated tasks with PSFTP, you would probably
prefer to specify a set of commands in advance and have them executed
automatically. The -b option allows you to do this. You use it with a file
name containing batch commands. For example, you might create a file
called myscript.scr containing lines like this:

  cd /home/ftp/users/jeff
  del jam-old.tar.gz
  ren jam.tar.gz jam-old.tar.gz
  put jam.tar.gz
  chmod a+r jam.tar.gz

and then you could run the script by typing

  psftp user@hostname -b myscript.scr

When you run a batch script in this way, PSFTP will abort the script if any
command fails to complete successfully. To change this behaviour, you
can add the -be option (section 6.1.3).

PSFTP will terminate after it finishes executing the batch script.

6.1.2 -bc: display batch commands as they are run

The -bc option alters what PSFTP displays while processing a batch
script specified with -b. With the -bc option, PSFTP will display prompts
and commands just as if the commands had been typed at the keyboard.
So instead of seeing this:

  C:\>psftp fred@hostname -b batchfile
  Sent username "fred"
  Remote working directory is /home/fred
  Listing directory /home/fred/lib
  drwxrwsr-x    4 fred     fred         1024 Sep  6 10:42 .
  drwxr-sr-x   25 fred     fred         2048 Dec 14 09:36 ..
  drwxrwsr-x    3 fred     fred         1024 Apr 17  2000 jed
  lrwxrwxrwx    1 fred     fred           24 Apr 17  2000 timber
  drwxrwsr-x    2 fred     fred         1024 Mar 13  2000 trn

you might see this:

  C:\>psftp fred@hostname -bc -b batchfile
  Sent username "fred"
  Remote working directory is /home/fred
  psftp> dir lib
  Listing directory /home/fred/lib
  drwxrwsr-x    4 fred     fred         1024 Sep  6 10:42 .
  drwxr-sr-x   25 fred     fred         2048 Dec 14 09:36 ..
  drwxrwsr-x    3 fred     fred         1024 Apr 17  2000 jed
  lrwxrwxrwx    1 fred     fred           24 Apr 17  2000 timber
  drwxrwsr-x    2 fred     fred         1024 Mar 13  2000 trn
  psftp> quit

6.1.3 -be: continue batch processing on errors

When running a batch file, this additional option causes PSFTP to
continue processing even if a command fails to complete successfully.

You might want this to happen if you wanted to delete a file and didn't
care if it was already not present, for example.

6.1.4 -batch: avoid interactive prompts

If you use the -batch option, PSFTP will never give an interactive prompt
while establishing the connection. If the server's host key is invalid, for
example (see section 2.2), then the connection will simply be abandoned
instead of asking you what to do next.

This may help PSFTP's behaviour when it is used in automated scripts:
using -batch, if something goes wrong at connection time, the batch job
will fail rather than hang.

6.2 Running PSFTP

Once you have started your PSFTP session, you will see a psftp>
prompt. You can now type commands to perform file-transfer functions.
This section lists all the available commands.

Any line starting with a # will be treated as a comment and ignored.

6.2.1 General quoting rules for PSFTP commands

Most PSFTP commands are considered by the PSFTP command
interpreter as a sequence of words, separated by spaces. For example,
the command ren oldfilename newfilename splits up into three words:
ren (the command name), oldfilename (the name of the file to be
renamed), and newfilename (the new name to give the file).

Sometimes you will need to specify file names that contain spaces. In
order to do this, you can surround the file name with double quotes. This
works equally well for local file names and remote file names:

  psftp> get "spacey file name.txt" "save it under this name.txt"

The double quotes themselves will not appear as part of the file names;
they are removed by PSFTP and their only effect is to stop the spaces
inside them from acting as word separators.

If you need to use a double quote (on some types of remote system,
such as Unix, you are allowed to use double quotes in file names), you
can do this by doubling it. This works both inside and outside double
quotes. For example, this command

  psftp> ren ""this"" "a file with ""quotes"" in it"

will take a file whose current name is "this" (with a double quote
character at the beginning and the end) and rename it to a file whose
name is a file with "quotes" in it.

(The one exception to the PSFTP quoting rules is the ! command, which
passes its command line straight to Windows without splitting it up into
words at all. See section 6.2.19.)
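
The quoting rules above matter most when a -b batch script is generated from file names a program did not choose. The splitter and quoter below are an added example written from the rules in this section, not PSFTP's source code; the function names are hypothetical, and treating tabs as separators, skipping leading blanks before # and !, and refusing names with line breaks are assumptions.

```python
def split_psftp_line(line):
    """Split one PSFTP command line into words using the rules above."""
    text = line.rstrip("\r\n").lstrip(" \t")
    if text.startswith("#"):
        return []                       # comment line: ignored
    if text.startswith("!"):
        return ["!", text[1:]]          # rest goes to Windows unsplit
    words, i, n = [], 0, len(text)
    while i < n:
        if text[i] in " \t":            # separators between words
            i += 1
            continue
        word, quoting = [], False
        while i < n:
            ch = text[i]
            if ch in " \t" and not quoting:
                break                   # unquoted space ends the word
            if ch == '"' and text[i + 1:i + 2] == '"':
                word.append('"')        # doubled quote: one literal quote
                i += 2
            elif ch == '"':
                quoting = not quoting   # lone quote: toggle, not part of word
                i += 1
            else:
                word.append(ch)
                i += 1
        words.append("".join(word))
    return words


def quote_word(name):
    """Return name written so that split_psftp_line gives it back intact."""
    if name == "" or "\r" in name or "\n" in name:
        # A line break would start a new batch command; an empty word
        # cannot be expressed because "" already means a literal quote.
        raise ValueError("name cannot be written on one PSFTP command line")
    escaped = name.replace('"', '""')
    if " " in name or "\t" in name:
        return '"' + escaped + '"'
    return escaped


def build_line(command, *names):
    """Build one batch-script line from a command and raw file names."""
    return " ".join([command] + [quote_word(n) for n in names])


# Constructed file names covering the awkward cases.
SAMPLE_NAMES = ['old report.txt', '"this"', 'a file with "quotes" in it',
                '"', '" lead', 'trail "']

if __name__ == "__main__":
    print(split_psftp_line('del old report.txt'))     # three words: two targets
    for sample in SAMPLE_NAMES:
        line = build_line("del", sample)
        print(line, "->", split_psftp_line(line))
```

An unquoted `del old report.txt` names two files, old and report.txt, neither of which is the intended one; building lines through quote_word avoids that class of mistake.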

6.2.2 Wildcards in PSFTP

Several commands in PSFTP support ‘wildcards’ to select multiple files.

For local file specifications (such as the first argument to put), wildcard
rules for the local operating system are used. For instance, PSFTP
running on Windows might require the use of *.* where PSFTP on Unix
would need *.

For remote file specifications (such as the first argument to get), PSFTP
uses a standard wildcard syntax (similar to POSIX wildcards):

- * matches any sequence of characters (including a zero-length
  sequence).
- ? matches exactly one character.
- [abc] matches exactly one character which can be a, b, or c.
  [a-z] matches any character in the range a to z.
  [^abc] matches a single character that is not a, b, or c.
  Special cases: [-a] matches a literal hyphen (-) or a; [^-a] matches
  all other characters. [a^] matches a literal caret (^) or a.
- \ (backslash) before any of the above characters (or itself) removes
  that character's special meaning.

A leading period (.) on a filename is not treated specially, unlike in some
Unix contexts; get * will fetch all files, whether or not they start with a
leading period.
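
Because SFTP leaves wildcard matching to the client, the client decides which names from a server's listing are fetched. The matcher below is an added example built from the syntax listed in this section, not PSFTP's implementation; the function names and the sample listing are constructed, and rejecting empty classes, reversed ranges and a trailing backslash is an assumption.

```python
import re


def _literal(pattern, i):
    """Return (char, next_index) for the literal at i, honouring backslash."""
    if pattern[i] == "\\":
        i += 1
        if i >= len(pattern):
            raise ValueError("pattern ends in a backslash")
    return pattern[i], i + 1


def wildcard_to_regex(pattern):
    """Translate a PSFTP remote wildcard into a compiled regular expression."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "*":
            out.append(".*")            # any sequence, including empty
            i += 1
        elif ch == "?":
            out.append(".")             # exactly one character
            i += 1
        elif ch == "[":
            i += 1
            negate = i < n and pattern[i] == "^"   # ^ is special only first
            if negate:
                i += 1
            items = []
            while i < n and pattern[i] != "]":
                lo, i = _literal(pattern, i)
                hi = lo
                # A hyphen forms a range only between two members, so
                # [-a] and [a-] both contain a literal hyphen.
                if i + 1 < n and pattern[i] == "-" and pattern[i + 1] != "]":
                    hi, i = _literal(pattern, i + 1)
                    if hi < lo:
                        raise ValueError("reversed range in character class")
                if lo == hi:
                    items.append(re.escape(lo))
                else:
                    items.append(re.escape(lo) + "-" + re.escape(hi))
            if i >= n or not items:
                raise ValueError("unterminated or empty character class")
            i += 1                      # step over the closing ]
            out.append("[" + ("^" if negate else "") + "".join(items) + "]")
        else:
            lit, i = _literal(pattern, i)
            out.append(re.escape(lit))
    return re.compile("".join(out), re.DOTALL)


def psftp_match(pattern, name):
    """True if the whole of name matches the wildcard pattern."""
    return wildcard_to_regex(pattern).fullmatch(name) is not None


def select(pattern, listing):
    """Client-side filter: keep only the listed names that match."""
    matcher = wildcard_to_regex(pattern)
    return [name for name in listing if matcher.fullmatch(name)]


# Constructed directory listing as a server might return it.
LISTING = ["terminal.c", "main.c", ".hidden.c", "AUTOEXEC.BAT", "notes.txt"]

if __name__ == "__main__":
    print(select("*.c", LISTING))   # the dot file is included, the .BAT is not
    print(select("*", LISTING))     # everything, hidden files too
```

The same property that keeps AUTOEXEC.BAT out of a `*.c` fetch also means `*` reaches dot files, which is worth remembering before running del or mget with a bare `*`.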

6.2.3 The open command: start a session

If you started PSFTP by double-clicking in the GUI, or just by typing psftp
at the command line, you will need to open a connection to an SFTP
server before you can issue any other commands (except help and quit).

To create a connection, type open host.name, or if you need to specify a
user name as well you can type open user@host.name. You can optionally
specify a port as well: open user@host.name 22.

Once you have issued this command, you will not be able to issue it
again, even if the command fails (for example, if you mistype the host
name or the connection times out). So if the connection is not opened
successfully, PSFTP will terminate immediately.

6.2.4 The quit command: end your session

When you have finished your session, type the command quit to close
the connection, terminate PSFTP and return to the command line (or just
close the PSFTP console window if you started it from the GUI).

You can also use the bye and exit commands, which have exactly the
same effect.

6.2.5 The close command: close your connection

If you just want to close the network connection but keep PSFTP running,
you can use the close command. You can then use the open command to
open a new connection.

6.2.6 The help command: get quick online help

If you type help, PSFTP will give a short list of the available commands.

If you type help with a command name - for example, help get - then
PSFTP will give a short piece of help on that particular command.

6.2.7 The cd and pwd commands: changing the remote working directory

PSFTP maintains a notion of your ‘working directory’ on the server. This
is the default directory that other commands will operate on. For
example, if you type get filename.dat then PSFTP will look for
filename.dat in your remote working directory on the server.

To change your remote working directory, use the cd command. If you
don't provide an argument, cd will return you to your home directory on
the server (more precisely, the remote directory you were in at the start of
the connection).

To display your current remote working directory, type pwd.

6.2.8 The lcd and lpwd commands: changing the local working directory

As well as having a working directory on the remote server, PSFTP also
has a working directory on your local machine (just like any other
Windows process). This is the default local directory that other
commands will operate on. For example, if you type get filename.dat
then PSFTP will save the resulting file as filename.dat in your local
working directory.

To change your local working directory, use the lcd command. To display
your current local working directory, type lpwd.

6.2.9 The get command: fetch a file from the server

To download a file from the server and store it on your local PC, you use
the get command.

In its simplest form, you just use this with a file name:

  get myfile.dat

If you want to store the file locally under a different name, specify the
local file name after the remote one:

  get myfile.dat newname.dat

This will fetch the file on the server called myfile.dat, but will save it to
your local machine under the name newname.dat.

To fetch an entire directory recursively, you can use the -r option:

  get -r mydir
  get -r mydir newname

(If you want to fetch a file whose name starts with a hyphen, you may
have to use the -- special argument, which stops get from interpreting
anything as a switch after it. For example, ‘get -- -silly-name-’.)

6.2.10 The put command: send a file to the server

To upload a file to the server from your local PC, you use the put
command.

In its simplest form, you just use this with a file name:

  put myfile.dat

If you want to store the file remotely under a different name, specify the
remote file name after the local one:

  put myfile.dat newname.dat

This will send the local file called myfile.dat, but will store it on the server
under the name newname.dat.

To send an entire directory recursively, you can use the -r option:

  put -r mydir
  put -r mydir newname

(If you want to send a file whose name starts with a hyphen, you may
have to use the -- special argument, which stops put from interpreting
anything as a switch after it. For example, ‘put -- -silly-name-’.)

6.2.11 The mget and mput commands: fetch or send multiple files

mget works almost exactly like get, except that it allows you to specify
more than one file to fetch at once. You can do this in two ways:

- by giving two or more explicit file names (‘mget file1.txt
  file2.txt’)
- by using a wildcard (‘mget *.txt’).

Every argument to mget is treated as the name of a file to fetch (unlike
get, which will interpret at most one argument like that, and a second
argument will be treated as an alternative name under which to store the
retrieved file), or a wildcard expression matching more than one file.

The -r and -- options from get are also available with mget.

mput is similar to put, with the same differences.

6.2.12 The reget and reput commands: resuming file transfers

If a file transfer fails half way through, and you end up with half the file
stored on your disk, you can resume the file transfer using the reget and
reput commands. These work exactly like the get and put commands,
but they check for the presence of the half-written destination file and
start transferring from where the last attempt left off.

The syntax of reget and reput is exactly the same as the syntax of get
and put:

  reget myfile.dat
  reget myfile.dat newname.dat
  reget -r mydir

These commands are intended mainly for resuming interrupted transfers.
They assume that the remote file or directory structure has not changed
in any way; if there have been changes, you may end up with corrupted
files. In particular, the -r option will not pick up changes to files or
directories already transferred in full.

6.2.13 The dir command: list remote files

To list the files in your remote working directory, just type dir.

You can also list the contents of a different directory by typing dir
followed by the directory name:

  dir /home/fred
  dir sources

And you can list a subset of the contents of a directory by providing a
wildcard:

  dir /home/fred/*.txt
  dir sources/*.c

The ls command works exactly the same way as dir.

6.2.14 The chmod command: change permissions on remote files

PSFTP allows you to modify the file permissions on files and directories
on the server. You do this using the chmod command, which works very
much like the Unix chmod command.

The basic syntax is chmod modes file, where modes represents a
modification to the file permissions, and file is the filename to modify.
You can specify multiple files or wildcards. For example:

  chmod go-rwx,u+w privatefile
  chmod a+r public*
  chmod 640 groupfile1 groupfile2

The modes parameter can be a set of octal digits in the Unix style. (If you
don't know what this means, you probably don't want to be using it!)
Alternatively, it can be a list of permission modifications, separated by
commas. Each modification consists of:

- The people affected by the modification. This can be u (the owning
  user), g (members of the owning group), or o (everybody else -
  ‘others’), or some combination of those. It can also be a (‘all’) to
  affect everybody at once.
- A + or - sign, indicating whether permissions are to be added or
  removed.
- The actual permissions being added or removed. These can be r
  (permission to read the file), w (permission to write to the file), and x
  (permission to execute the file, or in the case of a directory,
  permission to access files within the directory).

So the above examples would do:

- The first example: go-rwx removes read, write and execute
  permissions for members of the owning group and everybody else
  (so the only permissions left are the ones for the file owner). u+w
  adds write permission for the file owner.
- The second example: a+r adds read permission for everybody to all
  files and directories starting with ‘public’.

In addition to all this, there are a few extra special cases for Unix
systems. On non-Unix systems these are unlikely to be useful:

- You can specify u+s and u-s to add or remove the Unix set-user-ID
  bit. This is typically only useful for special purposes; refer to your
  Unix documentation if you're not sure about it.
- You can specify g+s and g-s to add or remove the Unix set-group-ID
  bit. On a file, this works similarly to the set-user-ID bit (see your Unix
  documentation again); on a directory it ensures that files created in
  the directory are accessible by members of the group that owns the
  directory.
- You can specify +t and -t to add or remove the Unix ‘sticky bit’.
  When applied to a directory, this means that the owner of a file in
  that directory can delete the file (whereas normally only the owner of
  the directory would be allowed to).
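
When reviewing chmod lines in a PSFTP batch script it helps to see the resulting permission bits. The calculator below is an added example written from the description in this section, not PSFTP's code; the function names are hypothetical, and treating an octal argument as replacing the whole mode and refusing r, w or x without a u/g/o/a prefix are assumptions.

```python
import re

WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM = {"r": 0o444, "w": 0o222, "x": 0o111}


def apply_modes(current, modes):
    """Return the permission bits after applying a chmod modes argument."""
    if re.fullmatch(r"[0-7]+", modes):
        return int(modes, 8) & 0o7777          # octal form sets the mode
    mode = current
    for clause in modes.split(","):
        parsed = re.fullmatch(r"([ugoa]*)([+-])([rwxst]+)", clause)
        if parsed is None:
            raise ValueError("bad modification: %r" % clause)
        who, sign, perms = parsed.groups()
        scope = 0
        for letter in who:
            scope |= WHO[letter]
        bits = 0
        for perm in perms:
            if perm in PERM:
                if not who:
                    raise ValueError("r, w and x need one of u, g, o, a")
                bits |= PERM[perm] & scope     # only for the people named
            elif perm == "t":
                bits |= 0o1000                 # sticky bit: +t / -t
            else:                              # perm == "s"
                if "u" not in who and "g" not in who:
                    raise ValueError("s is only described for u and g")
                if "u" in who:
                    bits |= 0o4000             # set-user-ID
                if "g" in who:
                    bits |= 0o2000             # set-group-ID
        mode = (mode | bits) if sign == "+" else (mode & ~bits)
    return mode


def newly_granted_to_others(current, modes):
    """Bits for group and others that the change switches on."""
    return apply_modes(current, modes) & ~current & 0o077


if __name__ == "__main__":
    # Constructed starting modes paired with the manual's three examples.
    for start, arg in [(0o644, "go-rwx,u+w"), (0o600, "a+r"), (0o777, "640")]:
        print("%04o %-12s -> %04o" % (start, arg, apply_modes(start, arg)))
```

newly_granted_to_others gives a quick review signal: for a file that started at 0600, `a+r` returns 044, meaning group and others gain read access.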

6.2.15 The del command: delete remote files

To delete a file on the server, type del and then the filename or
filenames:

  del oldfile.dat
  del file1.txt file2.txt
  del *.o

Files will be deleted without further prompting, even if multiple files are
specified.

del will only delete files. You cannot use it to delete directories; use rmdir
for that.

The rm command works exactly the same way as del.

6.2.16 The mkdir command: create remote directories

To create a directory on the server, type mkdir and then the directory
name:

  mkdir newstuff

You can specify multiple directories to create at once:

  mkdir dir1 dir2 dir3

6.2.17 The rmdir command: remove remote directories

To remove a directory on the server, type rmdir and then the directory
name or names:

  rmdir oldstuff
  rmdir *.old ancient

Directories will be deleted without further prompting, even if multiple
directories are specified.

Most SFTP servers will probably refuse to remove a directory if the
directory has anything in it, so you will need to delete the contents first.

6.2.18 The mv command: move and rename remote files

To rename a single file on the server, type mv, then the current file name,
and then the new file name:

  mv oldfile newname

You can also move the file into a different directory and change the
name:

  mv oldfile dir/newname

To move one or more files into an existing subdirectory, specify the files
(using wildcards if desired), and then the destination directory:

  mv file dir
  mv file1 dir1/file2 dir2
  mv *.c *.h ..

The rename and ren commands work exactly the same way as mv.

6.2.19 The ! command: run a local Windows command

You can run local Windows commands using the ! command. This is the
only PSFTP command that is not subject to the command quoting rules
given in section 6.2.1. If any command line begins with the ! character,
then the rest of the line will be passed straight to Windows without further
translation.

For example, if you want to move an existing copy of a file out of the way
before downloading an updated version, you might type:

  psftp> !ren myfile.dat myfile.bak
  psftp> get myfile.dat

using the Windows ren command to rename files on your local PC.

6.3 Using public key authentication with PSFTP

Like PuTTY, PSFTP can authenticate using a public key instead of a
password. There are three ways you can do this.

Firstly, PSFTP can use PuTTY saved sessions in place of hostnames. So
you might do this:

- Run PuTTY, and create a PuTTY saved session (see section 4.1.2)
  which specifies your private key file (see section 4.22.8). You will
  probably also want to specify a username to log in as (see section
  4.14.1).
- In PSFTP, you can now use the name of the session instead of a
  hostname: type psftp sessionname, where sessionname is replaced
  by the name of your saved session.

Secondly, you can supply the name of a private key file on the command
line, with the -i option. See section 3.8.3.18 for more information.

Thirdly, PSFTP will attempt to authenticate using Pageant if Pageant is
running (see chapter 9). So you would do this:

- Ensure Pageant is running, and has your private key stored in it.
- Specify a user and host name to PSFTP as normal. PSFTP will
  automatically detect Pageant and try to use the keys within it.

For more general information on public-key authentication, see chapter 8.

Chapter 7: Using the command-line connection tool Plink

Plink is a command-line connection tool similar to UNIX ssh. It is mostly
used for automated operations, such as making CVS access a repository
on a remote server.

Plink is probably not what you want if you want to run an interactive
session in a console window.

7.1 Starting Plink

Plink is a command line application. This means that you cannot just
double-click on its icon to run it and instead you have to bring up a
console window. In Windows 95, 98, and ME, this is called an ‘MS-DOS
Prompt’, and in Windows NT, 2000, and XP, it is called a ‘Command
Prompt’. It should be available from the Programs section of your Start
Menu.

In order to use Plink, the file plink.exe will need either to be on your PATH
or in your current directory. To add the directory containing Plink to your
PATH environment variable, type into the console window:

  set PATH=C:\path\to\putty\directory;%PATH%

This will only work for the lifetime of that particular console window. To
set your PATH more permanently on Windows NT, 2000, and XP, use the
Environment tab of the System Control Panel. On Windows 95, 98, and
ME, you will need to edit your AUTOEXEC.BAT to include a set command
like the one above.

7.2 Using Plink

This section describes the basics of how to use Plink for interactive logins
and for automated processes.

Once you've got a console window to type into, you can just type plink
on its own to bring up a usage message. This tells you the version of
Plink you're using, and gives you a brief summary of how to use Plink:

  Z:\sysosd>plink
  Plink: command-line connection utility
  Release 0.70
  Usage: plink [options] [user@]host [command]
         ("host" can also be a PuTTY saved session name)
  Options:
    -V        print version information and exit
    -pgpfp    print PGP key fingerprints and exit
    -v        show verbose messages
    -load sessname  Load settings from saved session
    -ssh -telnet -rlogin -raw -serial
              force use of a particular protocol
    -P port   connect to specified port
    -l user   connect with specified username
    -batch    disable all interactive prompts
    -proxycmd command
              use 'command' as local proxy
    -sercfg configuration-string (e.g. 19200,8,n,1,X)
              Specify the serial configuration (serial only)
  The following options only apply to SSH connections:
    -pw passw login with specified password
    -D [listen-IP:]listen-port
              Dynamic SOCKS-based port forwarding
    -L [listen-IP:]listen-port:host:port
              Forward local port to remote address
    -R [listen-IP:]listen-port:host:port
              Forward remote port to local address
    -X -x     enable / disable X11 forwarding
    -A -a     enable / disable agent forwarding
    -t -T     enable / disable pty allocation
    -1 -2     force use of particular protocol version
    -4 -6     force use of IPv4 or IPv6
    -C        enable compression
    -i key    private key file for user authentication
    -noagent  disable use of Pageant
    -agent    enable use of Pageant
    -hostkey aa:bb:cc:...
              manually specify a host key (may be repeated)
    -m file   read remote command(s) from file
    -s        remote command is an SSH subsystem (SSH-2 only)
    -N        don't start a shell/command (SSH-2 only)
    -nc host:port
              open tunnel in place of session (SSH-2 only)
    -sshlog file
    -sshrawlog file
              log protocol details to a file
    -shareexists
              test whether a connection-sharing upstream exists

Once this works, you are ready to use Plink.
7.2.1UsingPlinkforinteractivelogins
Tomakeasimpleinteractiveconnectiontoaremoteserver,justtype
plinkandthenthehostname:
Z:\sysosd>plinklogin.example.com
DebianGNU/Linux2.2flunky.example.com
flunkylogin:
Youshouldthenbeabletologinasnormalandrunasession.The
outputsentbytheserverwillbewrittenstraighttoyourcommandprompt
window,whichwillmostlikelynotinterpretterminalcontrolcodesinthe
waytheserverexpectsitto.Soifyourunanyfull-screenapplications,for
example,youcanexpecttoseestrangecharactersappearinginyour
window.InteractiveconnectionslikethisarenotthemainpointofPlink.
Inordertoconnectwithadifferentprotocol,youcangivethecommand
lineoptions-ssh,-telnet,-rloginor-raw.TomakeanSSHconnection,
forexample:
Z:\sysosd>plink-sshlogin.example.com
loginas:
IfyouhavealreadysetupaPuTTYsavedsession,theninsteadof
supplyingahostname,youcangivethesavedsessionname.This
allowsyoutousepublic-keyauthentication,specifyausername,and
usemostoftheotherfeaturesofPuTTY:
Z:\sysosd>plinkmy-ssh-session
Sentusername"fred"
Authenticatingwithpublickey"fred@winbox"
Lastlogin:ThuDec619:25:332001from:0.0
fred@flunky:~$
(Youcanalsousethe-loadcommand-lineoptiontoloadasaved
session;seesection3.8.3.1.Ifyouuse-load,thesavedsessionexists,
anditspecifiesahostname,youcannotalsospecifyahostoruser@host
argument-itwillbetreatedaspartoftheremotecommand.)

7.2.2 Using Plink for automated connections

More typically Plink is used with the SSH protocol, to enable you to talk
directly to a program running on the server. To do this you have to ensure
Plink is using the SSH protocol. You can do this in several ways:

- Use the -ssh option as described in section 7.2.1.
- Set up a PuTTY saved session that describes the server you are
  connecting to, and that also specifies the protocol as SSH.
- Set the Windows environment variable PLINK_PROTOCOL to the word
  ssh.

Usually Plink is not invoked directly by a user, but run automatically by
another process. Therefore you typically do not want Plink to prompt you
for a user name or a password.

Next, you are likely to need to avoid the various interactive prompts Plink
can produce. You might be prompted to verify the host key of the server
you're connecting to, to enter a user name, or to enter a password.

To avoid being prompted for the server host key when using Plink for an
automated connection, you should first make a manual connection (using
either of PuTTY or Plink) to the same server, verify the host key (see
section 2.2 for more information), and select Yes to add the host key to
the Registry. After that, Plink commands connecting to that server should
not give a host key prompt unless the host key changes.

To avoid being prompted for a user name, you can:

- Use the -l option to specify a user name on the command line. For
  example, plink login.example.com -l fred.
- Set up a PuTTY saved session that describes the server you are
  connecting to, and that also specifies the username to log in as (see
  section 4.14.1).

To avoid being prompted for a password, you should almost certainly set
up public-key authentication. (See chapter 8 for a general introduction to
public-key authentication.) Again, you can do this in two ways:

- Set up a PuTTY saved session that describes the server you are
  connecting to, and that also specifies a private key file (see section
  4.22.8). For this to work without prompting, your private key will need
  to have no passphrase.
- Store the private key in Pageant. See chapter 9 for further
  information.

Once you have done all this, you should be able to run a remote
command on the SSH server machine and have it execute automatically
with no prompting:

Z:\sysosd>plink login.example.com -l fred echo hello, world
hello, world
Z:\sysosd>

Or, if you have set up a saved session with all the connection details:

Z:\sysosd>plink mysession echo hello, world
hello, world
Z:\sysosd>

Then you can set up other programs to run this Plink command and talk
to it as if it were a process on the server machine.

7.2.3 Plink command line options

Plink accepts all the general command line options supported by the
PuTTY tools. See section 3.8.3 for a description of these options.

Plink also supports some of its own options. The following sections
describe Plink's specific command-line options.

7.2.3.1 -batch: disable all interactive prompts

If you use the -batch option, Plink will never give an interactive prompt
while establishing the connection. If the server's host key is invalid, for
example (see section 2.2), then the connection will simply be abandoned
instead of asking you what to do next.

This may help Plink's behaviour when it is used in automated scripts:
using -batch, if something goes wrong at connection time, the batch job
will fail rather than hang.
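
The unattended setup from section 7.2.2 combined with -batch, as an added example that is not part of the PuTTY manual: a Python wrapper that runs Plink with no way to prompt and turns a connection-time failure or a hang into an error result. The function names, the 60-second timeout and the injectable runner parameter are assumptions of this example; -batch, -ssh, -l, -i and -hostkey are Plink's own options.

```python
import subprocess


def build_plink_argv(target, remote_command, user=None, keyfile=None,
                     hostkey=None, plink="plink"):
    """Build a Plink command line that can never stop to ask a question.

    target is a host name or a saved session name; remote_command is the
    list of words to run on the server.
    """
    if not remote_command:
        # Without a command Plink would start an interactive login instead.
        raise ValueError("an unattended run needs a remote command")
    if target.startswith("-"):
        raise ValueError("target must be a host or session name, not an option")
    argv = [plink, "-batch", "-ssh"]      # -batch: abandon instead of prompting
    if user:
        argv += ["-l", user]              # avoids the user name prompt
    if keyfile:
        argv += ["-i", keyfile]           # passphrase-less key, or use Pageant
    if hostkey:
        argv += ["-hostkey", hostkey]     # expected host key for this run
    return argv + [target] + list(remote_command)


def run_unattended(argv, timeout=60, runner=subprocess.run):
    """Run Plink with stdin closed; report failure instead of hanging."""
    try:
        proc = runner(argv, stdin=subprocess.DEVNULL, capture_output=True,
                      text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"ok": False, "reason": "timed out", "output": ""}
    except FileNotFoundError:
        return {"ok": False, "reason": "plink not found", "output": ""}
    if proc.returncode != 0:
        # With -batch, a host key that is not cached or does not match, or
        # any other step that would have needed a prompt, ends up here.
        return {"ok": False,
                "reason": "plink exited with status %d" % proc.returncode,
                "output": proc.stderr.strip()}
    return {"ok": True, "reason": "", "output": proc.stdout}


if __name__ == "__main__":
    # Constructed values matching the manual's own example command.
    argv = build_plink_argv("login.example.com", ["echo", "hello,", "world"],
                            user="fred")
    print(argv)
    print(run_unattended(argv))
```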

7.2.3.2 -s: remote command is SSH subsystem

If you specify the -s option, Plink passes the specified command as the
name of an SSH ‘subsystem’ rather than an ordinary command line.

(This option is only meaningful with the SSH-2 protocol.)

7.2.3.3 -shareexists: test for connection-sharing upstream

This option does not make a new connection; instead it allows testing for
the presence of an existing connection that can be shared. (See section
4.18.5 for more information about SSH connection sharing.)

A Plink invocation of the form:

plink -shareexists <session>

will test whether there is currently a viable ‘upstream’ for the session in
question, which can be specified using any syntax you'd normally use
with Plink to make an actual connection (a host/port number, a bare
saved session name, -load, etc). It returns a zero exit status if a usable
‘upstream’ exists, nonzero otherwise.

(This option is only meaningful with the SSH-2 protocol.)

7.3 Using Plink in batch files and scripts

Once you have set up Plink to be able to log in to a remote server without
any interactive prompting (see section 7.2.2), you can use it for lots of
scripting and batch purposes. For example, to start a backup on a remote
machine, you might use a command like:

plink root@myserver /etc/backups/do-backup.sh

Or perhaps you want to fetch all system log lines relating to a particular
web area:

plink mysession grep /~fred/ /var/log/httpd/access.log > fredlog

Any non-interactive command you could usefully run on the server
command line, you can run in a batch file using Plink in this way.

7.4 Using Plink with CVS

To use Plink with CVS, you need to set the environment variable CVS_RSH
to point to Plink:

set CVS_RSH=\path\to\plink.exe

You also need to arrange to be able to connect to a remote host without
any interactive prompts, as described in section 7.2.2.

You should then be able to run CVS as follows:

cvs -d :ext:user@sessionname:/path/to/repository co module

If you specified a username in your saved session, you don't even need
to specify the ‘user’ part of this, and you can just say:

cvs -d :ext:sessionname:/path/to/repository co module

7.5 Using Plink with WinCVS

Plink can also be used with WinCVS. Firstly, arrange for Plink to be able
to connect to a remote host non-interactively, as described in section
7.2.2.

Then, in WinCVS, bring up the ‘Preferences’ dialogue box from the
Admin menu, and switch to the ‘Ports’ tab. Tick the box there labelled
‘Check for an alternate rsh name’ and in the text entry field to the right
enter the full path to plink.exe. Select ‘OK’ on the ‘Preferences’ dialogue
box.

Next, select ‘Command Line’ from the WinCVS ‘Admin’ menu, and type a
CVS command as in section 7.4, for example:

cvs -d :ext:user@hostname:/path/to/repository co module

or (if you're using a saved session):

cvs -d :ext:user@sessionname:/path/to/repository co module

Select the folder you want to check out to with the ‘Change Folder’
button, and click ‘OK’ to check out your module. Once you've got
modules checked out, WinCVS will happily invoke plink from the GUI for
CVS operations.

Chapter 8: Using public keys for SSH authentication

8.1 Public key authentication - an introduction

Public key authentication is an alternative means of identifying yourself to
a login server, instead of typing a password. It is more secure and more
flexible, but more difficult to set up.

In conventional password authentication, you prove you are who you
claim to be by proving that you know the correct password. The only way
to prove you know the password is to tell the server what you think the
password is. This means that if the server has been hacked, or spoofed
(see section 2.2), an attacker can learn your password.

Public key authentication solves this problem. You generate a key pair,
consisting of a public key (which everybody is allowed to know) and a
private key (which you keep secret and do not give to anybody). The
private key is able to generate signatures. A signature created using your
private key cannot be forged by anybody who does not have that key; but
anybody who has your public key can verify that a particular signature is
genuine.

So you generate a key pair on your own computer, and you copy the
public key to the server. Then, when the server asks you to prove who
you are, PuTTY can generate a signature using your private key. The
server can verify that signature (since it has your public key) and allow
you to log in. Now if the server is hacked or spoofed, the attacker does
not gain your private key or password; they only gain one signature. And
signatures cannot be re-used, so they have gained nothing.

There is a problem with this: if your private key is stored unprotected on
your own computer, then anybody who gains access to that will be able
to generate signatures as if they were you. So they will be able to log in
to your server under your account. For this reason, your private key is
usually encrypted when it is stored on your local machine, using a
passphrase of your choice. In order to generate a signature, PuTTY must
decrypt the key, so you have to type your passphrase.

This can make public-key authentication less convenient than password
authentication: every time you log in to the server, instead of typing a
short password, you have to type a longer passphrase. One solution to
this is to use an authentication agent, a separate program which holds
decrypted private keys and generates signatures on request. PuTTY's
authentication agent is called Pageant. When you begin a Windows
session, you start Pageant and load your private key into it (typing your
passphrase once). For the rest of your session, you can start PuTTY any
number of times and Pageant will automatically generate signatures
without you having to do anything. When you close your Windows
session, Pageant shuts down, without ever having stored your decrypted
private key on disk. Many people feel this is a good compromise between
security and convenience. See chapter 9 for further details.

There is more than one public-key algorithm available. The most
common are RSA and ECDSA, but others exist, notably DSA (otherwise
known as DSS), the USA's federal Digital Signature Standard. The key
types supported by PuTTY are described in section 8.2.2.

8.2 Using PuTTYgen, the PuTTY key generator

PuTTYgen is a key generator. It generates pairs of public and private
keys to be used with PuTTY, PSCP, and Plink, as well as the PuTTY
authentication agent, Pageant (see chapter 9). PuTTYgen generates
RSA, DSA, ECDSA, and Ed25519 keys.

When you run PuTTYgen you will see a window where you have two
choices: ‘Generate’, to generate a new public/private key pair, or ‘Load’ to
load in an existing private key.

8.2.1 Generating a new key

This is a general outline of the procedure for generating a new key pair.
The following sections describe the process in more detail.

- First, you need to select which type of key you want to generate, and
  also select the strength of the key. This is described in more detail in
  section 8.2.2 and section 8.2.3.
- Then press the ‘Generate’ button, to actually generate the key.
  Section 8.2.4 describes this step.
- Once you have generated the key, select a comment field (section
  8.2.6) and a passphrase (section 8.2.7).
- Now you're ready to save the private key to disk; press the ‘Save
  private key’ button. (See section 8.2.8).

Your key pair is now ready for use. You may also want to copy the public
key to your server, either by copying it out of the ‘Public key for pasting
into authorized_keys file’ box (see section 8.2.10), or by using the ‘Save
public key’ button (section 8.2.9). However, you don't need to do this
immediately; if you want, you can load the private key back into
PuTTYgen later (see section 8.2.11) and the public key will be available
for copying and pasting again.

Section 8.3 describes the typical process of configuring PuTTY to attempt
public-key authentication, and configuring your SSH server to accept it.

8.2.2 Selecting the type of key

Before generating a key pair using PuTTYgen, you need to select which
type of key you need. PuTTYgen currently supports these types of key:

- An RSA key for use with the SSH-1 protocol.
- An RSA key for use with the SSH-2 protocol.
- A DSA key for use with the SSH-2 protocol.
- An ECDSA (elliptic curve DSA) key for use with the SSH-2 protocol.
- An Ed25519 key (another elliptic curve algorithm) for use with the
  SSH-2 protocol.

The SSH-1 protocol only supports RSA keys; if you will be connecting
using the SSH-1 protocol, you must select the first key type or your key
will be completely useless.

The SSH-2 protocol supports more than one key type. The types
supported by PuTTY are RSA, DSA, ECDSA, and Ed25519.

8.2.3 Selecting the size (strength) of the key

The ‘Number of bits’ input box allows you to choose the strength of the
key PuTTYgen will generate.

- For RSA, 2048 bits should currently be sufficient for most purposes.
- For ECDSA, only 256, 384, and 521 bits are supported. (ECDSA
  offers equivalent security to RSA with smaller key sizes.)
- For Ed25519, the only valid size is 256 bits.

8.2.4 The ‘Generate’ button

Once you have chosen the type of key you want, and the strength of the
key, press the ‘Generate’ button and PuTTYgen will begin the process of
actually generating the key.

First, a progress bar will appear and PuTTYgen will ask you to move the
mouse around to generate randomness. Wave the mouse in circles over
the blank area in the PuTTYgen window, and the progress bar will
gradually fill up as PuTTYgen collects enough randomness. You don't
need to wave the mouse in particularly imaginative patterns (although it
can't hurt); PuTTYgen will collect enough randomness just from the fine
detail of exactly how far the mouse has moved each time Windows
samples its position.

When the progress bar reaches the end, PuTTYgen will begin creating
the key. The progress bar will reset to the start, and gradually move up
again to track the progress of the key generation. It will not move evenly,
and may occasionally slow down to a stop; this is unfortunately
unavoidable, because key generation is a random process and it is
impossible to reliably predict how long it will take.

When the key generation is complete, a new set of controls will appear in
the window to indicate this.

8.2.5 The ‘Key fingerprint’ box

The ‘Key fingerprint’ box shows you a fingerprint value for the generated
key. This is derived cryptographically from the public key value, so it
doesn't need to be kept secret; it is supposed to be more manageable for
human beings than the public key itself.

The fingerprint value is intended to be cryptographically secure, in the
sense that it is computationally infeasible for someone to invent a second
key with the same fingerprint, or to find a key with a particular fingerprint.
So some utilities, such as the Pageant key list box (see section 9.2.1)
and the Unix ssh-add utility, will list key fingerprints rather than the whole
public key.

8.2.6 Setting a comment for your key

If you have more than one key and use them for different purposes, you
don't need to memorise the key fingerprints in order to tell them apart.
PuTTYgen allows you to enter a comment for your key, which will be
displayed whenever PuTTY or Pageant asks you for the passphrase.

The default comment format, if you don't specify one, contains the key
type and the date of generation, such as rsa-key-20011212. Another
commonly used approach is to use your name and the name of the
computer the key will be used on, such as simon@simons-pc.

To alter the key comment, just type your comment text into the ‘Key
comment’ box before saving the private key. If you want to change the
comment later, you can load the private key back into PuTTYgen, change
the comment, and save it again.

8.2.7 Setting a passphrase for your key

The ‘Key passphrase’ and ‘Confirm passphrase’ boxes allow you to
choose a passphrase for your key. The passphrase will be used to
encrypt the key on disk, so you will not be able to use the key without first
entering the passphrase.

When you save the key, PuTTYgen will check that the ‘Key passphrase’
and ‘Confirm passphrase’ boxes both contain exactly the same
passphrase, and will refuse to save the key otherwise.

If you leave the passphrase fields blank, the key will be saved
unencrypted. You should not do this without good reason; if you do, your
private key file on disk will be all an attacker needs to gain access to any
machine configured to accept that key. If you want to be able to log in
without having to type a passphrase every time, you should consider
using Pageant (chapter 9) so that your decrypted key is only held in
memory rather than on disk.

Under special circumstances you may genuinely need to use a key with
no passphrase; for example, if you need to run an automated batch script
that needs to make an SSH connection, you can't be there to type the
passphrase. In this case we recommend you generate a special key for
each specific batch script (or whatever) that needs one, and on the
server side you should arrange that each key is restricted so that it can
only be used for that specific purpose. The documentation for your SSH
server should explain how to do this (it will probably vary between
servers).
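
One way to check the server side of this advice, as an added example that is not part of the PuTTY manual: it assumes the server is OpenSSH, whose authorized_keys lines may begin with options such as command="...", restrict, no-pty and the no-*-forwarding family, and it reports keys that are not tied to one command or that still allow forwarding or a terminal. The sample file, key comments and function names are constructed for illustration.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
# OpenSSH options that each switch off one capability of the session.
NO_OPTIONS = {"no-port-forwarding", "no-agent-forwarding",
              "no-x11-forwarding", "no-pty"}


def split_unquoted(text, separators, maxsplit=-1):
    """Split text on separators that are outside double quotes."""
    pieces, current, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if in_quotes and ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])      # keep \" inside a quoted value
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch in separators and not in_quotes and maxsplit != 0:
            pieces.append("".join(current))
            current = []
            maxsplit -= 1
        else:
            current.append(ch)
        i += 1
    pieces.append("".join(current))
    return pieces


def parse_line(line):
    """Return (options dict, key type, comment) for one authorized_keys line."""
    options = {}
    if not line.startswith(KEY_TYPES):
        parts = split_unquoted(line, " \t", maxsplit=1)
        if len(parts) != 2:
            raise ValueError("options without a key")
        for item in split_unquoted(parts[0], ","):
            name, _, value = item.partition("=")
            options[name.lower()] = value.strip('"') if value else None
        line = parts[1].strip()
    fields = line.split(None, 2)
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPES):
        raise ValueError("no key type found")
    return options, fields[0], fields[2].strip() if len(fields) > 2 else ""


def audit_authorized_keys(text):
    """List every key with the restrictions it is missing."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            options, key_type, comment = parse_line(line)
        except ValueError as exc:
            findings.append({"line": lineno, "comment": "",
                             "problems": ["unparseable: %s" % exc]})
            continue
        problems = []
        if "command" not in options:
            problems.append("no forced command")
        if "restrict" not in options:          # restrict implies all of them
            for name in sorted(NO_OPTIONS - set(options)):
                problems.append("missing " + name)
        findings.append({"line": lineno, "comment": comment,
                         "problems": problems})
    return findings


# Constructed sample; <base64-key-data> stands in for real key material.
SAMPLE = '''\
# one interactive key and three batch-script keys
ssh-rsa <base64-key-data> fred@winbox
command="/etc/backups/do-backup.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa <base64-key-data> backup-script
restrict,command="grep /~fred/ /var/log/httpd/access.log" ssh-ed25519 <base64-key-data> fredlog-script
command="echo \\"hello, world\\"",no-pty ssh-rsa <base64-key-data> hello-script
'''

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE):
        status = "; ".join(finding["problems"]) or "restricted"
        print("line %d (%s): %s" % (finding["line"], finding["comment"], status))
```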

Choosing a good passphrase is difficult. Just as you shouldn't use a
dictionary word as a password because it's easy for an attacker to run
through a whole dictionary, you should not use a song lyric, quotation or
other well-known sentence as a passphrase. DiceWare
(www.diceware.com) recommends using at least five words each
generated randomly by rolling five dice, which gives over 2^64 possible
passphrases and is probably not a bad scheme. If you want your
passphrase to make grammatical sense, this cuts down the possibilities a
lot and you should use a longer one as a result.

Do not forget your passphrase. There is no way to recover it.

8.2.8 Saving your private key to a disk file

Once you have generated a key, set a comment field and set a
passphrase, you are ready to save your private key to disk.

Press the ‘Save private key’ button. PuTTYgen will put up a dialog box
asking you where to save the file. Select a directory, type in a file name,
and press ‘Save’.

This file is in PuTTY's native format (*.PPK); it is the one you will need to
tell PuTTY to use for authentication (see section 4.22.8) or tell Pageant to
load (see section 9.2.2).

8.2.9 Saving your public key to a disk file

RFC 4716 specifies a standard format for storing SSH-2 public keys on
disk. Some SSH servers (such as ssh.com's) require a public key in this
format in order to accept authentication with the corresponding private
key. (Others, such as OpenSSH, use a different format; see section
8.2.10.)

To save your public key in the SSH-2 standard format, press the ‘Save
public key’ button in PuTTYgen. PuTTYgen will put up a dialog box
asking you where to save the file. Select a directory, type in a file name,
and press ‘Save’.

You will then probably want to copy the public key file to your SSH server
machine. See section 8.3 for general instructions on configuring public-
key authentication once you have generated a key.

If you use this option with an SSH-1 key, the file PuTTYgen saves will
contain exactly the same text that appears in the ‘Public key for pasting’
box. This is the only existing standard for SSH-1 public keys.

8.2.10 ‘Public key for pasting into authorized_keys file’

All SSH-1 servers require your public key to be given to it in a one-line
format before it will accept authentication with your private key. The
OpenSSH server also requires this for SSH-2.

The ‘Public key for pasting into authorized_keys file’ gives the public-key
data in the correct one-line format. Typically you will want to select the
entire contents of the box using the mouse, press Ctrl+C to copy it to the
clipboard, and then paste the data into a PuTTY session which is already
connected to the server.

See section 8.3 for general instructions on configuring public-key
authentication once you have generated a key.

8.2.11 Reloading a private key

PuTTYgen allows you to load an existing private key file into memory. If
you do this, you can then change the passphrase and comment before
saving it again; you can also make extra copies of the public key.

To load an existing key, press the ‘Load’ button. PuTTYgen will put up a
dialog box where you can browse around the file system and find your
key file. Once you select the file, PuTTYgen will ask you for a passphrase
(if necessary) and will then display the key details in the same way as if it
had just generated the key.

If you use the Load command to load a foreign key format, it will work,
but you will see a message box warning you that the key you have
loaded is not a PuTTY native key. See section 8.2.12 for information
about importing foreign key formats.

8.2.12 Dealing with private keys in other formats

Most SSH-1 clients use a standard format for storing private keys on
disk. PuTTY uses this format as well; so if you have generated an SSH-1
private key using OpenSSH or ssh.com's client, you can use it with
PuTTY, and vice versa.

However, SSH-2 private keys have no standard format. OpenSSH and
ssh.com have different formats, and PuTTY's is different again. So a key
generated with one client cannot immediately be used with another.

Using the ‘Import’ command from the ‘Conversions’ menu, PuTTYgen
can load SSH-2 private keys in OpenSSH's format and ssh.com's format.
Once you have loaded one of these key types, you can then save it back
out as a PuTTY-format key (*.PPK) so that you can use it with the PuTTY
suite. The passphrase will be unchanged by this process (unless you
deliberately change it). You may want to change the key comment before
you save the key, since OpenSSH's SSH-2 key format contains no space
for a comment and ssh.com's default comment format is long and
verbose.

PuTTYgen can also export private keys in OpenSSH format and in
ssh.com format. To do so, select one of the ‘Export’ options from the
‘Conversions’ menu. Exporting a key works exactly like saving it (see
section 8.2.8) - you need to have typed your passphrase in beforehand,
and you will be warned if you are about to save a key without a
passphrase.

For OpenSSH there are two options. Modern OpenSSH actually has two
formats it uses for storing private keys. ‘Export OpenSSH key’ will
automatically choose the oldest format supported for the key type, for
maximum backward compatibility with older versions of OpenSSH; for
newer key types like Ed25519, it will use the newer format as that is the
only legal option. If you have some specific reason for wanting to use
OpenSSH's newer format even for RSA, DSA, or ECDSA keys, you can
choose ‘Export OpenSSH key (force new file format)’.

Note that since only SSH-2 keys come in different formats, the export
options are not available if you have generated an SSH-1 key.

8.3 Getting ready for public key authentication

Connect to your SSH server using PuTTY with the SSH protocol. When
the connection succeeds you will be prompted for your user name and
password to log in. Once logged in, you must configure the server to
accept your public key for authentication:

- If your server is using the SSH-1 protocol, you should change into
  the .ssh directory and open the file authorized_keys with your
  favourite editor. (You may have to create this file if this is the first key
  you have put in it). Then switch to the PuTTYgen window, select all
  of the text in the ‘Public key for pasting into authorized_keys file’ box
  (see section 8.2.10), and copy it to the clipboard (Ctrl+C). Then,
  switch back to the PuTTY window and insert the data into the open
  file, making sure it ends up all on one line. Save the file.
- If your server is OpenSSH and is using the SSH-2 protocol, you
  should follow the same instructions, except that in earlier versions of
  OpenSSH 2 the file might be called authorized_keys2. (In modern
  versions the same authorized_keys file is used for both SSH-1 and
  SSH-2 keys.)
- If your server is ssh.com's product and is using SSH-2, you need to
  save a public key file from PuTTYgen (see section 8.2.9), and copy
  that into the .ssh2 directory on the server. Then you should go into
  that .ssh2 directory, and edit (or create) a file called authorization.
  In this file you should put a line like Key mykey.pub, with mykey.pub
  replaced by the name of your key file.
- For other SSH server software, you should refer to the manual for
  that server.

You may also need to ensure that your home directory, your .ssh
directory, and any other files involved (such as authorized_keys,
authorized_keys2 or authorization) are not group-writable or world-
writable. You can typically do this by using a command such as

chmod go-w $HOME $HOME/.ssh $HOME/.ssh/authorized_keys

Your server should now be configured to accept authentication using your
private key. Now you need to configure PuTTY to attempt authentication
using your private key. You can do this in any of three ways:

- Select the private key in PuTTY's configuration. See section 4.22.8
  for details.
- Specify the key file on the command line with the -i option. See
  section 3.8.3.18 for details.
- Load the private key into Pageant (see chapter 9). In this case
  PuTTY will automatically try to use it for authentication if it can.

Chapter 9: Using Pageant for authentication

Pageant is an SSH authentication agent. It holds your private keys in
memory, already decoded, so that you can use them often without
needing to type a passphrase.

9.1 Getting started with Pageant

Before you run Pageant, you need to have a private key in *.PPK format.
See chapter 8 to find out how to generate and use one.

When you run Pageant, it will put an icon of a computer wearing a hat
into the System tray. It will then sit and do nothing, until you load a private
key into it.

If you click the Pageant icon with the right mouse button, you will see a
menu. Select ‘View Keys’ from this menu. The Pageant main window will
appear. (You can also bring this window up by double-clicking on the
Pageant icon.)

The Pageant window contains a list box. This shows the private keys
Pageant is holding. When you start Pageant, it has no keys, so the list
box will be empty. After you add one or more keys, they will show up in
the list box.

To add a key to Pageant, press the ‘Add Key’ button. Pageant will bring
up a file dialog, labelled ‘Select Private Key File’. Find your private key
file in this dialog, and press ‘Open’.

Pageant will now load the private key. If the key is protected by a
passphrase, Pageant will ask you to type the passphrase. When the key
has been loaded, it will appear in the list in the Pageant window.

Now start PuTTY and open an SSH session to a site that accepts your
key. PuTTY will notice that Pageant is running, retrieve the key
automatically from Pageant, and use it to authenticate. You can now
open as many PuTTY sessions as you like without having to type your
passphrase again.

(PuTTY can be configured not to try to use Pageant, but it will try by
default. See section 4.22.3 and section 3.8.3.9 for more information.)

When you want to shut down Pageant, click the right button on the
Pageant icon in the System tray, and select ‘Exit’ from the menu. Closing
the Pageant main window does not shut down Pageant.

9.2 The Pageant main window

The Pageant main window appears when you left-click on the Pageant
system tray icon, or alternatively right-click and select ‘View Keys’ from
the menu. You can use it to keep track of what keys are currently loaded
into Pageant, and to add new ones or remove the existing keys.

9.2.1 The key list box

The large list box in the Pageant main window lists the private keys that
are currently loaded into Pageant. The list might look something like this:

ssh-rsa 2048 22:d6:69:c9:22:51:ac:cb:b9:15:67:47:f7:65:6d:d7 k1
ssh-dss 2048 e4:6c:69:f3:4f:fc:cf:fc:96:c0:88:34:a7:1e:59:d7 k2

For each key, the list box will tell you:

- The type of the key. Currently, this can be ssh1 (an RSA key for use
  with the SSH-1 protocol), ssh-rsa (an RSA key for use with the SSH-
  2 protocol), ssh-dss (a DSA key for use with the SSH-2 protocol),
  ecdsa-sha2-* (an ECDSA key for use with the SSH-2 protocol), or
  ssh-ed25519 (an Ed25519 key for use with the SSH-2 protocol).
- The size (in bits) of the key.
- The fingerprint for the public key. This should be the same fingerprint
  given by PuTTYgen, and (hopefully) also the same fingerprint shown
  by remote utilities such as ssh-keygen when applied to your
  authorized_keys file.
- The comment attached to the key.
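
The row format above can be reproduced from one line of an authorized_keys file, as an added example that is not part of the PuTTY manual. It assumes an SSH-2 key in OpenSSH's one-line format and the fingerprint form shown in the list (16 colon-separated bytes, the MD5 digest of the public key blob); the function names are this example's own, and the sample key is constructed and is not a usable key.

```python
import base64
import hashlib
import struct

CURVE_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}


def read_fields(blob):
    """Split an SSH-2 public key blob into its length-prefixed fields."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">I", blob, offset)
        end = offset + 4 + length
        if end > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[offset + 4:end])
        offset = end
    return fields


def key_bits(fields):
    """Key size in bits, taken from the field that defines it per key type."""
    kind = fields[0].decode("ascii")
    try:
        if kind == "ssh-rsa":                  # fields: type, e, n
            return int.from_bytes(fields[2], "big").bit_length()
        if kind == "ssh-dss":                  # fields: type, p, q, g, y
            return int.from_bytes(fields[1], "big").bit_length()
        if kind == "ssh-ed25519":
            return 256
        if kind.startswith("ecdsa-sha2-"):     # fields: type, curve, point
            return CURVE_BITS[fields[1].decode("ascii")]
    except (IndexError, KeyError):
        raise ValueError("malformed %s key" % kind)
    raise ValueError("unsupported key type %s" % kind)


def describe_public_key(line):
    """Parse 'type base64 [comment]' and return type, bits, fingerprint, comment."""
    kind, b64, *rest = line.split(None, 2)
    blob = base64.b64decode(b64, validate=True)
    fields = read_fields(blob)
    if not fields or fields[0].decode("ascii", "replace") != kind:
        raise ValueError("key type outside the blob does not match the blob")
    digest = hashlib.md5(blob).digest()        # fingerprint covers the whole blob
    return {"type": kind,
            "bits": key_bits(fields),
            "fingerprint": ":".join("%02x" % b for b in digest),
            "comment": rest[0].strip() if rest else ""}


def pageant_row(info):
    """Format the result the way the key list shows it."""
    return ("%(type)s %(bits)d %(fingerprint)s %(comment)s" % info).rstrip()


def ssh_string(data):
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    # Positive mpint: big-endian, with a leading zero byte if the top bit is set.
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def constructed_rsa_line(comment="k1"):
    """A constructed 2048-bit 'key' with a made-up modulus, for the demo only."""
    n = (1 << 2047) | 1
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


if __name__ == "__main__":
    print(pageant_row(describe_public_key(constructed_rsa_line())))
```

Recent OpenSSH versions of ssh-keygen print SHA256 fingerprints by default; ssh-keygen -l -E md5 -f <file> gives the colon-separated form for comparison.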

9.2.2 The ‘Add Key’ button

To add a key to Pageant by reading it out of a local disk file, press the
‘Add Key’ button in the Pageant main window, or alternatively right-click
on the Pageant icon in the system tray and select ‘Add Key’ from there.

Pageant will bring up a file dialog, labelled ‘Select Private Key File’. Find
your private key file in this dialog, and press ‘Open’. If you want to add
more than one key at once, you can select multiple files using Shift-click
(to select several adjacent files) or Ctrl-click (to select non-adjacent files).

Pageant will now load the private key(s). If a key is protected by a
passphrase, Pageant will ask you to type the passphrase.

(This is not the only way to add a private key to Pageant. You can also
add one from a remote system by using agent forwarding; see section
9.4 for details.)

9.2.3 The ‘Remove Key’ button

If you need to remove a key from Pageant, select that key in the list box,
and press the ‘Remove Key’ button. Pageant will remove the key from its
memory.

You can apply this to keys you added using the ‘Add Key’ button, or to
keys you added remotely using agent forwarding (see section 9.4); it
makes no difference.

9.3 The Pageant command line

Pageant can be made to do things automatically when it starts up, by
specifying instructions on its command line. If you're starting Pageant
from the Windows GUI, you can arrange this by editing the properties of
the Windows shortcut that it was started from.

If Pageant is already running, invoking it again with the options below
causes actions to be performed with the existing instance, not a new one.

9.3.1 Making Pageant automatically load keys on startup

Pageant can automatically load one or more private keys when it starts
up, if you provide them on the Pageant command line. Your command
line might then look like:

C:\PuTTY\pageant.exe d:\main.ppk d:\secondary.ppk

If the keys are stored encrypted, Pageant will request the passphrases
on startup.

If Pageant is already running, this syntax loads keys into the existing
Pageant.

9.3.2 Making Pageant run another program

You can arrange for Pageant to start another program once it has
initialised itself and loaded any keys specified on its command line. This
program (perhaps a PuTTY, or a WinCVS making use of Plink, or
whatever) will then be able to use the keys Pageant has loaded.

You do this by specifying the -c option followed by the command, like
this:

C:\PuTTY\pageant.exe d:\main.ppk -c C:\PuTTY\putty.exe

9.4 Using agent forwarding

Agent forwarding is a mechanism that allows applications on your SSH
server machine to talk to the agent on your client machine.

Note that at present, agent forwarding in SSH-2 is only available when
your SSH server is OpenSSH. The ssh.com server uses a different agent
protocol, which PuTTY does not yet support.

To enable agent forwarding, first start Pageant. Then set up a PuTTY
SSH session in which ‘Allow agent forwarding’ is enabled (see section
4.22.6). Open the session as normal. (Alternatively, you can use the -A
command line option; see section 3.8.3.10 for details.)

If this has worked, your applications on the server should now have
access to a Unix domain socket which the SSH server will forward back
to PuTTY, and PuTTY will forward on to the agent. To check that this has
actually happened, you can try this command on Unix server machines:

unixbox:~$ echo $SSH_AUTH_SOCK
/tmp/ssh-XXNP18Jz/agent.28794
unixbox:~$

If the result line comes up blank, agent forwarding has not been enabled
at all.

Now if you run ssh on the server and use it to connect through to another
server that accepts one of the keys in Pageant, you should be able to log
in without a password:

unixbox:~$ ssh -v otherunixbox
[...]
debug: next auth method to try is publickey
debug: userauth_pubkey_agent: trying agent key my-putty-key
debug: ssh-userauth2 successful: method publickey
[...]

If you enable agent forwarding on that SSH connection as well (see the
manual for your server-side SSH client to find out how to do this), your
authentication keys will still be available on the next machine you connect
to - two SSH connections away from where they're actually stored.

In addition, if you have a private key on one of the SSH servers, you can
send it all the way back to Pageant using the local ssh-add command:

unixbox:~$ ssh-add ~/.ssh/id_rsa
Need passphrase for /home/fred/.ssh/id_rsa
Enter passphrase for /home/fred/.ssh/id_rsa:
Identity added: /home/fred/.ssh/id_rsa (/home/simon/.ssh/id_rsa)
unixbox:~$

and then it's available to every machine that has agent forwarding
available (not just the ones downstream of the place you added it).

9.5 Security considerations

Using Pageant for public-key authentication gives you the convenience of
being able to open multiple SSH sessions without having to type a
passphrase every time, but also gives you the security benefit of never
storing a decrypted private key on disk. Many people feel this is a good
compromise between security and convenience.

It is a compromise, however. Holding your decrypted private keys in
Pageant is better than storing them in easy-to-find disk files, but still less
secure than not storing them anywhere at all. This is for two reasons:

- Windows unfortunately provides no way to protect pieces of memory
  from being written to the system swap file. So if Pageant is holding
  your private keys for a long period of time, it's possible that
  decrypted private key data may be written to the system swap file,
  and an attacker who gained access to your hard disk later on might
  be able to recover that data. (However, if you stored an unencrypted
  key in a disk file they would certainly be able to recover it.)
- Although, like most modern operating systems, Windows prevents
  programs from accidentally accessing one another's memory space,
  it does allow programs to access one another's memory space
  deliberately, for special purposes such as debugging. This means
  that if you allow a virus, trojan, or other malicious program on to your
  Windows system while Pageant is running, it could access the
  memory of the Pageant process, extract your decrypted
  authentication keys, and send them back to its master.

Similarly, use of agent forwarding is a security improvement on other
methods of one-touch authentication, but not perfect. Holding your keys
in Pageant on your Windows box has a security advantage over holding
them on the remote server machine itself (either in an agent or just
unencrypted on disk), because if the server machine ever sees your
unencrypted private key then the sysadmin or anyone who cracks the
machine can steal the keys and pretend to be you for as long as they
want.

However, the sysadmin of the server machine can always pretend to be
you on that machine. So if you forward your agent to a server machine,
then the sysadmin of that machine can access the forwarded agent
connection and request signatures from any of your private keys, and can
therefore log in to other machines as you. They can only do this to a
limited extent - when the agent forwarding disappears they lose the ability
- but using Pageant doesn't actually prevent the sysadmin (or hackers)
on the server from doing this.

Therefore, if you don't trust the sysadmin of a server machine, you
should never use agent forwarding to that machine. (Of course you also
shouldn't store private keys on that machine, type passphrases into it, or
log into other machines from it in any way at all; Pageant is hardly unique
in this respect.)

Chapter 10: Common error messages

This chapter lists a number of common error messages which PuTTY
and its associated tools can produce, and explains what they mean in
more detail.

We do not attempt to list all error messages here: there are many which
should never occur, and some which should be self-explanatory. If you
get an error message which is not listed in this chapter and which you
don't understand, report it to us as a bug (see appendix B) and we will
add documentation for it.
10.1 ‘The server's host key is not cached in the registry’
This error message occurs when PuTTY connects to a new SSH server.
Every server identifies itself by means of a host key; once PuTTY knows
the host key for a server, it will be able to detect if a malicious attacker
redirects your connection to another machine.
If you see this message, it means that PuTTY has not seen this host key
before, and has no way of knowing whether it is correct or not. You
should attempt to verify the host key by other means, such as asking the
machine's administrator.
If you see this message and you know that your installation of PuTTY has
connected to the same server before, it may have been recently
upgraded to SSH protocol version 2. SSH protocols 1 and 2 use separate
host keys, so when you first use SSH-2 with a server you have only used
SSH-1 with before, you will see this message again. You should verify
the correctness of the key as before.
See section 2.2 for more information on host keys.
10.2 ‘WARNING - POTENTIAL SECURITY BREACH!’
This message, followed by ‘The server's host key does not match the one
PuTTY has cached in the registry’, means that PuTTY has connected to
the SSH server before, knows what its host key should be, but has found
a different one.
This may mean that a malicious attacker has replaced your server with a
different one, or has redirected your network connection to their own
machine. On the other hand, it may simply mean that the administrator of
your server has accidentally changed the key while upgrading the SSH
software; this shouldn't happen but it is unfortunately possible.
You should contact your server's administrator and see whether they
expect the host key to have changed. If so, verify the new host key in the
same way as you would if it was new.
See section 2.2 for more information on host keys.
10.3 ‘SSH protocol version 2 required by our configuration but server only provides (old, insecure) SSH-1’
By default, PuTTY only supports connecting to SSH servers that
implement SSH protocol version 2. If you see this message, the server
you're trying to connect to only supports the older SSH-1 protocol.
If the server genuinely only supports SSH-1, then you need to either
change the ‘SSH protocol version’ setting (see section 4.18.4), or use the
-1 command-line option; in any case, you should not treat the resulting
connection as secure.
You might start seeing this message with new versions of PuTTY (from
0.68 onwards) where you didn't before, because it used to be possible to
configure PuTTY to automatically fall back from SSH-2 to SSH-1. This is
no longer supported, to prevent the possibility of a downgrade attack.
10.4 ‘The first cipher supported by the server is ... below the configured warning threshold’
This occurs when the SSH server does not offer any ciphers which you
have configured PuTTY to consider strong enough. By default, PuTTY
puts up this warning only for single-DES and Arcfour encryption.
See section 4.21 for more information on this message.
10.5 ‘Server sent disconnect message type 2 (protocol error): "Too many authentication failures for root"’
This message is produced by an OpenSSH (or Sun SSH) server if it
receives more failed authentication attempts than it is willing to tolerate.
This can easily happen if you are using Pageant and have a large
number of keys loaded into it, since these servers count each offer of a
public key as an authentication attempt. This can be worked around by
specifying the key that's required for the authentication in the PuTTY
configuration (see section 4.22.8); PuTTY will ignore any other keys
Pageant may have, but will ask Pageant to do the authentication, so that
you don't have to type your passphrase.
On the server, this can be worked around by disabling public-key
authentication or (for Sun SSH only) by increasing MaxAuthTries in
sshd_config.
10.6 ‘Out of memory’
This occurs when PuTTY tries to allocate more memory than the system
can give it. This may happen for genuine reasons: if the computer really
has run out of memory, or if you have configured an extremely large
number of lines of scrollback in your terminal. PuTTY is not able to
recover from running out of memory; it will terminate immediately after
giving this error.
However, this error can also occur when memory is not running out at all,
because PuTTY receives data in the wrong format. In SSH-2 and also in
SFTP, the server sends the length of each message before the message
itself; so PuTTY will receive the length, try to allocate space for the
message, and then receive the rest of the message. If the length PuTTY
receives is garbage, it will try to allocate a ridiculous amount of memory,
and will terminate with an ‘Out of memory’ error.
This can happen in SSH-2, if PuTTY and the server have not enabled
encryption in the same way (see question A.7.3 in the FAQ).
This can also happen in PSCP or PSFTP, if your login scripts on the
server generate output: the client program will be expecting an SFTP
message starting with a length, and if it receives some text from your
login scripts instead it will try to interpret them as a message length. See
question A.7.4 for details of this.
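The length-prefix failure described in this section can be reproduced on constructed bytes. The following is an added example, not PuTTY's own code: it shows the number an unchecked reader would take as a message length when login-script text arrives first, next to a reader that bounds the length before allocating. MAX_PACKET_LEN, FramingError and both sample streams are assumptions made for the example.

```python
import io
import struct

# Upper bound on a single SFTP packet this reader will buffer. The value is an
# assumption for this example, not a limit taken from PuTTY.
MAX_PACKET_LEN = 256 * 1024


class FramingError(Exception):
    """The byte stream does not look like length-prefixed SFTP packets."""


def read_exact(stream, n):
    """Read exactly n bytes or raise FramingError on early end of stream."""
    data = stream.read(n)
    if len(data) != n:
        raise FramingError(f"stream ended after {len(data)} of {n} bytes")
    return data


def naive_length(data):
    """The size an unchecked reader would try to allocate for the first packet."""
    return struct.unpack(">I", data[:4])[0]


def read_packet(stream, max_len=MAX_PACKET_LEN):
    """Return (type, payload) for one packet: uint32 length, byte type, payload."""
    header = read_exact(stream, 4)
    (length,) = struct.unpack(">I", header)
    if length == 0 or length > max_len:
        # Printable ASCII in the length field is the signature of login-script
        # output arriving where the first SFTP packet was expected.
        hint = ""
        if all(0x20 <= b < 0x7F for b in header):
            hint = f"; header bytes are the text {header.decode('ascii')!r}"
        raise FramingError(f"implausible packet length {length}{hint}")
    body = read_exact(stream, length)
    return body[0], body[1:]


# Constructed sample 1: a well-formed SSH_FXP_VERSION reply (type 2, version 3).
GOOD_STREAM = struct.pack(">IBI", 5, 2, 3)
# Constructed sample 2: a login script printed a banner before the SFTP server
# started, so the banner text sits where the length field should be.
NOISY_STREAM = b"Welcome to example host\n" + GOOD_STREAM


if __name__ == "__main__":
    print(read_packet(io.BytesIO(GOOD_STREAM)))
    print("unchecked reader would allocate", naive_length(NOISY_STREAM), "bytes")
    try:
        read_packet(io.BytesIO(NOISY_STREAM))
    except FramingError as exc:
        print("rejected:", exc)
```

The four bytes "Welc" decode to a length of about 1.4 GB, which is why a banner printed by a login script surfaces as an allocation failure and not as a readable protocol error.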
10.7 ‘Internal error’, ‘Internal fault’, ‘Assertion failed’
Any error beginning with the word ‘Internal’ should never occur. If it does,
there is a bug in PuTTY by definition; please see appendix B and report it
to us.
Similarly, any error message starting with ‘Assertion failed’ is a bug in
PuTTY. Please report it to us, and include the exact text from the error
message box.
10.8 ‘Unable to use this private key file’, ‘Couldn't load private key’, ‘Key is of wrong type’
Various forms of this error are printed in the PuTTY window, or written to
the PuTTY Event Log (see section 3.1.3.1) when trying public-key
authentication, or given by Pageant when trying to load a private key.
If you see one of these messages, it often indicates that you've tried to
load a key of an inappropriate type into PuTTY, Plink, PSCP, PSFTP, or
Pageant.
You may have specified a key that's inappropriate for the connection
you're making. The SSH-1 and SSH-2 protocols require different private
key formats, and a SSH-1 key can't be used for a SSH-2 connection (or
vice versa).
Alternatively, you may have tried to load an SSH-2 key in a ‘foreign’
format (OpenSSH or ssh.com) directly into one of the PuTTY tools, in
which case you need to import it into PuTTY's native format (*.PPK) using
PuTTYgen - see section 8.2.12.
10.9 ‘Server refused our public key’ or ‘Key refused’
Various forms of this error are printed in the PuTTY window, or written to
the PuTTY Event Log (see section 3.1.3.1) when trying public-key
authentication.
If you see one of these messages, it means that PuTTY has sent a public
key to the server and offered to authenticate with it, and the server has
refused to accept authentication. This usually means that the server is
not configured to accept this key to authenticate this user.
This is almost certainly not a problem with PuTTY. If you see this type of
message, the first thing you should do is check your server configuration
carefully. Common errors include having the wrong permissions or
ownership set on the public key or the user's home directory on the
server. Also, read the PuTTY Event Log; the server may have sent
diagnostic messages explaining exactly what problem it had with your
setup.
Section 8.3 has some hints on server-side public key setup.
10.10 ‘Access denied’, ‘Authentication refused’
Various forms of this error are printed in the PuTTY window, or written to
the PuTTY Event Log (see section 3.1.3.1) during authentication.
If you see one of these messages, it means that the server has refused
all the forms of authentication PuTTY has tried and it has no further
ideas.
It may be worth checking the Event Log for diagnostic messages from the
server giving more detail.
This error can be caused by buggy SSH-1 servers that fail to cope with
the various strategies we use for camouflaging passwords in transit.
Upgrade your server, or use the workarounds described in section 4.27.1
and possibly section 4.27.2.
10.12 ‘Incorrect CRC received on packet’ or ‘Incorrect MAC received on packet’
This error occurs when PuTTY decrypts an SSH packet and its
checksum is not correct. This probably means something has gone
wrong in the encryption or decryption process. It's difficult to tell from this
error message whether the problem is in the client, in the server, or in
between.
In particular, if the network is corrupting data at the TCP level, it may only
be obvious with cryptographic protocols such as SSH, which explicitly
check the integrity of the transferred data and complain loudly if the
checks fail. Corruption of protocols without integrity protection (such as
HTTP) will manifest in more subtle failures (such as misdisplayed text or
images in a web browser) which may not be noticed.
Occasionally this has been caused by server bugs. An example is the
bug described at section 4.27.6, although you're very unlikely to
encounter that one these days.
In this context MAC stands for Message Authentication Code. It's a
cryptographic term, and it has nothing at all to do with Ethernet MAC
(Media Access Control) addresses, or with the Apple computer.
10.13 ‘Incoming packet was garbled on decryption’
This error occurs when PuTTY decrypts an SSH packet and the
decrypted data makes no sense. This probably means something has
gone wrong in the encryption or decryption process. It's difficult to tell
from this error message whether the problem is in the client, in the
server, or in between.
If you get this error, one thing you could try would be to fiddle with the
setting of ‘Miscomputes SSH-2 encryption keys’ (see section 4.27.7) or
‘Ignores SSH-2 maximum packet size’ (see section 4.27.11) on the Bugs
panel.
10.14 ‘PuTTY X11 proxy: various errors’
This family of errors are reported when PuTTY is doing X forwarding.
They are sent back to the X application running on the SSH server, which
will usually report the error to the user.
When PuTTY enables X forwarding (see section 3.4) it creates a virtual X
display running on the SSH server. This display requires authentication to
connect to it (this is how PuTTY prevents other users on your server
machine from connecting through the PuTTY proxy to your real X
display). PuTTY also sends the server the details it needs to enable
clients to connect, and the server should put this mechanism in place
automatically, so your X applications should just work.
A common reason why people see one of these messages is because
they used SSH to log in as one user (let's say ‘fred’), and then used the
Unix su command to become another user (typically ‘root’). The original
user, ‘fred’, has access to the X authentication data provided by the SSH
server, and can run X applications which are forwarded over the SSH
connection. However, the second user (‘root’) does not automatically
have the authentication data passed on to it, so attempting to run an X
application as that user often fails with this error.
If this happens, it is not a problem with PuTTY. You need to arrange for
your X authentication data to be passed from the user you logged in as to
the user you used su to become. How you do this depends on your
particular system; in fact many modern versions of su do it automatically.
10.15 ‘Network error: Software caused connection abort’
This is a generic error produced by the Windows network code when it
kills an established connection for some reason. For example, it might
happen if you pull the network cable out of the back of an
Ethernet-connected computer, or if Windows has any other similar reason to
believe the entire network has become unreachable.
Windows also generates this error if it has given up on the machine at the
other end of the connection ever responding to it. If the network between
your client and server goes down and your client then tries to send some
data, Windows will make several attempts to send the data and will then
give up and kill the connection. In particular, this can occur even if you
didn't type anything, if you are using SSH-2 and PuTTY attempts a key
re-exchange. (See section 4.19.2 for more about key re-exchange.)
(It can also occur if you are using keepalives in your connection. Other
people have reported that keepalives fix this error for them. See section
4.13.1 for a discussion of the pros and cons of keepalives.)
We are not aware of any reason why this error might occur that would
represent a bug in PuTTY. The problem is between you, your Windows
system, your network and the remote system.
10.16 ‘Network error: Connection reset by peer’
This error occurs when the machines at each end of a network
connection lose track of the state of the connection between them. For
example, you might see it if your SSH server crashes, and manages to
reboot fully before you next attempt to send data to it.
However, the most common reason to see this message is if you are
connecting through a firewall or a NAT router which has timed the
connection out. See question A.7.8 in the FAQ for more details. You may
be able to improve the situation by using keepalives; see section 4.13.1
for details on this.
Note that Windows can produce this error in some circumstances without
seeing a connection reset from the server, for instance if the connection
to the network is lost.
10.17 ‘Network error: Connection refused’
This error means that the network connection PuTTY tried to make to
your server was rejected by the server. Usually this happens because the
server does not provide the service which PuTTY is trying to access.
Check that you are connecting with the correct protocol (SSH, Telnet or
Rlogin), and check that the port number is correct. If that fails, consult the
administrator of your server.
10.18 ‘Network error: Connection timed out’
This error means that the network connection PuTTY tried to make to
your server received no response at all from the server. Usually this
happens because the server machine is completely isolated from the
network, or because it is turned off.
Check that you have correctly entered the host name or IP address of
your server machine. If that fails, consult the administrator of your server.
Unix also generates this error when it tries to send data down a
connection and contact with the server has been completely lost during a
connection. (There is a delay of minutes before Unix gives up on
receiving a reply from the server.) This can occur if you type things into
PuTTY while the network is down, but it can also occur if PuTTY decides
of its own accord to send data: due to a repeat key exchange in SSH-2
(see section 4.19.2) or due to keepalives (section 4.13.1).
10.19 ‘Network error: Cannot assign requested address’
This means that the operating system rejected the parameters of the
network connection PuTTY tried to make, usually without actually trying
to connect to anything, because they were simply invalid.
A common way to provoke this error is to accidentally try to connect to
port 0, which is not a valid port number.
Appendix A: PuTTY FAQ
This FAQ is published on the PuTTY web site, and also provided as an
appendix in the manual.
A.1 Introduction
A.1.1 What is PuTTY?
PuTTY is a client program for the SSH, Telnet and Rlogin network
protocols.
These protocols are all used to run a remote session on a computer, over
a network. PuTTY implements the client end of that session: the end at
which the session is displayed, rather than the end at which it runs.
In really simple terms: you run PuTTY on a Windows machine, and tell it
to connect to (for example) a Unix machine. PuTTY opens a window.
Then, anything you type into that window is sent straight to the Unix
machine, and everything the Unix machine sends back is displayed in the
window. So you can work on the Unix machine as if you were sitting at its
console, while actually sitting somewhere else.
A.2 Features supported in PuTTY
In general, if you want to know if PuTTY supports a particular feature,
you should look for it on the PuTTY web site. In particular:
- try the changes page, and see if you can find the feature on there. If
  a feature is listed there, it's been implemented. If it's listed as a
  change made since the latest version, it should be available in the
  development snapshots, in which case testing will be very welcome.
- try the Wishlist page, and see if you can find the feature there. If it's
  on there, and not in the ‘Recently fixed’ section, it probably hasn't
  been implemented.
A.2.1 Does PuTTY support SSH-2?
Yes. SSH-2 support has been available in PuTTY since version 0.50.
Public key authentication (both RSA and DSA) in SSH-2 is new in version
0.52.
A.2.3 Does PuTTY support SSH-1?
Yes. SSH-1 support has always been available in PuTTY.
However, the SSH-1 protocol has many weaknesses and is no longer
considered secure; you should use SSH-2 instead if at all possible.
As of 0.68, PuTTY will no longer fall back to SSH-1 if the server doesn't
appear to support SSH-2; you must explicitly ask for SSH-1.
A.2.4 Does PuTTY support local echo?
Yes. Version 0.52 has proper support for local echo.
In version 0.51 and before, local echo could not be separated from local
line editing (where you type a line of text locally, and it is not sent to the
server until you press Return, so you have the chance to edit it and
correct mistakes before the server sees it). New in version 0.52, local
echo and local line editing are separate options, and by default PuTTY
will try to determine automatically whether to enable them or not, based
on which protocol you have selected and also based on hints from the
server. If you have a problem with PuTTY's default choice, you can force
each option to be enabled or disabled as you choose. The controls are in
the Terminal panel, in the section marked ‘Line discipline options’.
A.2.7 Does PuTTY support full-screen mode, like a DOS box?
Yes; this is a new feature in version 0.52.
A.2.8 Does PuTTY have the ability to remember my password so I don't have to type it every time?
No, it doesn't.
Remembering your password is a bad plan for obvious security reasons:
anyone who gains access to your machine while you're away from your
desk can find out the remembered password, and use it, abuse it or
change it.
In addition, it's not even possible for PuTTY to automatically send your
password in a Telnet session, because Telnet doesn't give the client
software any indication of which part of the login process is the password
prompt. PuTTY would have to guess, by looking for words like ‘password’
in the session data; and if your login program is written in something
other than English, this won't work.
In SSH, remembering your password would be possible in theory, but
there doesn't seem to be much point since SSH supports public key
authentication, which is more flexible and more secure. See chapter 8 in
the documentation for a full discussion of public key authentication.
A.2.9 Is there an option to turn off the annoying host key prompts?
No, there isn't. And there won't be. Even if you write it yourself and send
us the patch, we won't accept it.
Those annoying host key prompts are the whole point of SSH. Without
them, all the cryptographic technology SSH uses to secure your session
is doing nothing more than making an attacker's job slightly harder;
instead of sitting between you and the server with a packet sniffer, the
attacker must actually subvert a router and start modifying the packets
going back and forth. But that's not all that much harder than just sniffing;
and without host key checking, it will go completely undetected by client
or server.
Host key checking is your guarantee that the encryption you put on your
data at the client end is the same encryption taken off the data at the
server end; it's your guarantee that it hasn't been removed and replaced
somewhere on the way. Host key checking makes the attacker's job
astronomically hard, compared to packet sniffing, and even compared to
subverting a router. Instead of applying a little intelligence and keeping an
eye on Bugtraq, the attacker must now perform a brute-force attack
against at least one military-strength cipher. That insignificant host key
prompt really does make that much difference.
If you're having a specific problem with host key checking - perhaps you
want an automated batch job to make use of PSCP or Plink, and the
interactive host key prompt is hanging the batch process - then the right
way to fix it is to add the correct host key to the Registry in advance, or if
the Registry is not available, to use the -hostkey command-line option.
That way, you retain the important feature of host key checking: the right
key will be accepted and the wrong ones will not. Adding an option to turn
host key checking off completely is the wrong solution and we will not do
it.
If you have host keys available in the common known_hosts format, we
have a script called kh2reg.py to convert them to a Windows .REG file,
which can be installed ahead of time by double-clicking or using REGEDIT.
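For the batch-job case described above, the following added example (not part of the manual, and not kh2reg.py) takes one plain known_hosts entry, computes the host key fingerprint, and builds a Plink command line that pins it with -hostkey. It assumes -hostkey is given the MD5 fingerprint as sixteen colon-separated hex pairs and that -batch is used to stop Plink prompting; the host name, user, key bytes and helper names are constructed for illustration.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string: uint32 length, then data."""
    return struct.pack(">I", len(data)) + data


def parse_known_hosts_line(line):
    """Return (hosts, key_type, blob) from one plain known_hosts entry."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: hosts key-type base64-blob")
    if fields[0].startswith("|") or fields[0].startswith("@"):
        raise ValueError("hashed host names and @markers are not handled here")
    hosts, key_type = fields[0].split(","), fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    # The blob begins with its own copy of the algorithm name. A mismatch
    # means the entry was damaged or edited, so refuse to pin it.
    if not blob.startswith(ssh_string(key_type.encode("ascii"))):
        raise ValueError("key type field does not match key blob")
    return hosts, key_type, blob


def md5_fingerprint(blob):
    """Sixteen colon-separated hex pairs: the MD5 of the public key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def plink_argv(line, user, host, remote_command):
    """Build a Plink command line that accepts only the key from `line`."""
    hosts, _key_type, blob = parse_known_hosts_line(line)
    if host not in hosts:
        raise ValueError(f"{host} is not named in this known_hosts entry")
    # Assumption: the fingerprint form of the -hostkey argument. The key is
    # pinned, never skipped; a different server key makes the job fail.
    return ["plink", "-ssh", "-batch", "-hostkey", md5_fingerprint(blob),
            f"{user}@{host}", remote_command]


# Constructed sample entry: the 32 key bytes are 0x00..0x1f, not a real key.
CONSTRUCTED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
CONSTRUCTED_LINE = ("build.example.com,192.0.2.10 ssh-ed25519 "
                    + base64.b64encode(CONSTRUCTED_BLOB).decode("ascii"))


if __name__ == "__main__":
    print(" ".join(plink_argv(CONSTRUCTED_LINE, "deploy",
                              "build.example.com", "uptime")))
```

The known_hosts entry must itself come from a trusted source, such as the server's administrator; pinning a key that was fetched over the same unverified network path gives no protection.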
A.2.10 Will you write an SSH server for the PuTTY suite, to go with the client?
No. The only reason we might want to would be if we could easily re-use
existing code and significantly cut down the effort. We don't believe this is
the case; there just isn't enough common ground between an SSH client
and server to make it worthwhile.
If someone else wants to use bits of PuTTY in the process of writing a
Windows SSH server, they'd be perfectly welcome to of course, but I
really can't see it being a lot less effort for us to do that than it would be
for us to write a server from the ground up. We don't have time, and we
don't have motivation. The code is available if anyone else wants to try it.
A.2.11 Can PSCP or PSFTP transfer files in ASCII mode?
Unfortunately not.
Until recently, this was a limitation of the file transfer protocols: the SCP
and SFTP protocols had no notion of transferring a file in anything other
than binary mode. (This is still true of SCP.)
The current draft protocol spec of SFTP proposes a means of
implementing ASCII transfer. At some point PSCP/PSFTP may
implement this proposal.
A.3 Ports to other operating systems
The eventual goal is for PuTTY to be a multi-platform program, able to
run on at least Windows, Mac OS and Unix.
Porting will become easier once PuTTY has a generalised porting layer,
drawing a clear line between platform-dependent and
platform-independent code. The general intention was for this porting layer to
evolve naturally as part of the process of doing the first port; a Unix port
has now been released and the plan seems to be working so far.
A.3.1 What ports of PuTTY exist?
Currently, release versions of PuTTY tools only run on Windows systems
and Unix.
As of 0.68, the supplied PuTTY executables run on versions of Windows
from XP onwards, up to and including Windows 10; and we know of no
reason why PuTTY should not continue to work on future versions of
Windows. We provide 32-bit and 64-bit Windows executables; see
question A.6.10 for discussion of the compatibility issues around that.
(We used to also provide executables for Windows for the Alpha
processor, but stopped after 0.58 due to lack of interest.)
In the development code, a partial port to Mac OS exists (see question
A.3.6).
Currently PuTTY does not run on Windows CE (see question A.3.4).
We do not have release-quality ports for any other systems at the present
time. If anyone told you we had an Android port, or an iOS port, or any
other port of PuTTY, they were mistaken. We don't.
There are some third-party ports to various platforms, mentioned on the
Links page of our website.
A.3.2 Is there a port to Unix?
As of 0.54, there are Unix ports of most of the traditional PuTTY tools,
and also one entirely new application.
If you look at the source release, you should find a unix subdirectory.
There are a couple of ways of building it, including the usual
configure/make; see the file README in the source distribution. This should
build you Unix ports of Plink, PuTTY itself, PuTTYgen, PSCP, PSFTP,
Pageant, and also pterm - an xterm-type program which supports the
same terminal emulation as PuTTY.
If you don't have Gtk, you should still be able to build the command-line
tools.
A.3.3 What's the point of the Unix port? Unix has OpenSSH.
All sorts of little things. pterm is directly useful to anyone who prefers
PuTTY's terminal emulation to xterm's, which at least some people do.
Unix Plink has apparently found a niche among people who find the
complexity of OpenSSL makes OpenSSH hard to install (and who don't
mind Plink not having as many features). Some users want to generate a
large number of SSH keys on Unix and then copy them all into PuTTY,
and the Unix PuTTYgen should allow them to automate that conversion
process.
There were development advantages as well; porting PuTTY to Unix was
a valuable path-finding effort for other future ports, and also allowed us to
use the excellent Linux tool Valgrind to help with debugging, which has
already improved PuTTY's stability on all platforms.
However, if you're a Unix user and you can see no reason to switch from
OpenSSH to PuTTY/Plink, then you're probably right. We don't expect
our Unix port to be the right thing for everybody.
A.3.4 Will there be a port to Windows CE or PocketPC?
We once did some work on such a port, but it only reached an early
stage, and certainly not a useful one. It's no longer being actively worked
on.
A.3.5 Is there a port to Windows 3.1?
PuTTY is a 32-bit application from the ground up, so it won't run on
Windows 3.1 as a native 16-bit program; and it would be very hard to port
it to do so, because of Windows 3.1's vile memory allocation
mechanisms.
However, it is possible in theory to compile the existing PuTTY source in
such a way that it will run under Win32s (an extension to Windows 3.1 to
let you run 32-bit programs). In order to do this you'll need the right kind
of C compiler - modern versions of Visual C at least have stopped being
backwards compatible to Win32s. Also, the last time we tried this it didn't
work very well.
A.3.6 Will there be a port to the Mac?
We hope so!
We attempted one around 2005, written as a native Cocoa application,
but it turned out to be very slow to redraw its window for some reason we
never got to the bottom of.
In 2015, after porting the GTK front end to work with GTK 3, we began
another attempt based on making small changes to the GTK code and
building it against the OS X Quartz version of GTK 3. This doesn't seem
to have the window redrawing problem any more, so it's already got
further than the last effort, but it is still substantially unfinished.
If any OS X and/or GTK programming experts are keen to have a
finished version of this, we urge them to help out with some of the
remaining problems!
A.3.7 Will there be a port to EPOC?
I hope so, but given that ports aren't really progressing very fast even on
systems the developers do already know how to program for, it might be
a long time before any of us get round to learning a new system and
doing the port for that.
However, some of the work has been done by other people; see the
Links page of our website for various third-party ports.
A.3.8 Will there be a port to the iPhone?
We have no plans to write such a port ourselves; none of us has an
iPhone, and developing and publishing applications for it looks awkward
and expensive.
However, there is a third-party SSH client for the iPhone and iPod Touch
called pTerm, which is apparently based on PuTTY. (This is nothing to do
with our similarly-named pterm, which is a standalone terminal emulator
for Unix systems; see question A.3.2.)
A.4.1 Is the SSH or Telnet code available as a DLL?
No, it isn't. It would take a reasonable amount of rewriting for this to be
possible, and since the PuTTY project itself doesn't believe in DLLs (they
make installation more error-prone) none of us has taken the time to do
it.
Most of the code cleanup work would be a good thing to happen in
general, so if anyone feels like helping, we wouldn't say no.
See also the wishlist entry.
A.4.2 Is the SSH or Telnet code available as a Visual Basic component?
No, it isn't. None of the PuTTY team uses Visual Basic, and none of us
has any particular need to make SSH connections from a Visual Basic
application. In addition, all the preliminary work to turn it into a DLL would
be necessary first; and furthermore, we don't even know how to write VB
components.
If someone offers to do some of this work for us, we might consider it, but
unless that happens I can't see VB integration being anywhere other than
the very bottom of our priority list.
A.4.3 How can I use PuTTY to make an SSH connection from within another program?
Probably your best bet is to use Plink, the command-line connection tool.
If you can start Plink as a second Windows process, and arrange for your
primary process to be able to send data to the Plink process, and receive
data from it, through pipes, then you should be able to make SSH
connections from your program.
This is what CVS for Windows does, for example.
A.5.1 What terminal type does PuTTY use?
For most purposes, PuTTY can be considered to be an xterm terminal.
PuTTY also supports some terminal control sequences not supported by
the real xterm: notably the Linux console sequences that reconfigure the
colour palette, and the title bar control sequences used by DECterm (which
are different from the xterm ones; PuTTY supports both).
By default, PuTTY announces its terminal type to the server as xterm. If
you have a problem with this, you can reconfigure it to say something
else; vt220 might help if you have trouble.
A.5.2 Where does PuTTY store its data?
On Windows, PuTTY stores most of its data (saved sessions, SSH host
keys) in the Registry. The precise location is
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
and within that area, saved sessions are stored under Sessions while
host keys are stored under SshHostKeys.
PuTTY also requires a random number seed file, to improve the
unpredictability of randomly chosen data needed as part of the SSH
cryptography. This is stored by default in a file called PUTTY.RND; this is
stored by default in the ‘Application Data’ directory, or failing that, one of
a number of fallback locations. If you want to change the location of the
random number seed file, you can put your chosen pathname in the
Registry, at
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\RandSeedFile
You can ask PuTTY to delete all this data; see question A.8.2.
On Unix, PuTTY stores all of this data in a directory ~/.putty by default.
A.6 HOWTO questions
A.6.1 What login name / password should I use?
A.6.2 What commands can I type into my PuTTY terminal window?
A.6.3 How can I make PuTTY start up maximised?
A.6.4 How can I create a Windows shortcut to start a particular saved session directly?
A.6.5 How can I start an SSH session straight from the command line?
A.6.6 How do I copy and paste between PuTTY and other Windows applications?
A.6.7 How do I use all PuTTY's features (public keys, proxying, cipher selection, etc.) in PSCP, PSFTP and Plink?
A.6.8 How do I use PSCP.EXE? When I double-click it gives me a command prompt window which then closes instantly.
A.6.9 How do I use PSCP to copy a file whose name has spaces in?
A.6.10 Should I run the 32-bit or the 64-bit version?
A.6.1 What login name / password should I use?
This is not a question you should be asking us.
PuTTY is a communications tool, for making connections to other computers. We maintain the tool; we don't administer any computers that you're likely to be able to use, in the same way that the people who make web browsers aren't responsible for most of the content you can view in them. We cannot help with questions of this sort.
If you know the name of the computer you want to connect to, but don't know what login name or password to use, you should talk to whoever administers that computer. If you don't know who that is, see the next question for some possible ways to find out.
A.6.2 What commands can I type into my PuTTY terminal window?
Again, this is not a question you should be asking us. You need to read the manuals, or ask the administrator, of the computer you have connected to.
PuTTY does not process the commands you type into it. It's only a communications tool. It makes a connection to another computer; it passes the commands you type to that other computer; and it passes the other computer's responses back to you. Therefore, the precise range of commands you can use will not depend on PuTTY, but on what kind of computer you have connected to and what software is running on it. The PuTTY team cannot help you with that.
(Think of PuTTY as being a bit like a telephone. If you phone somebody up and you don't know what language to speak to make them understand you, it isn't the telephone company's job to find that out for you. We just provide the means for you to get in touch; making yourself understood is somebody else's problem.)
If you are unsure of where to start looking for the administrator of your server, a good place to start might be to remember how you found out the host name in the PuTTY configuration. If you were given that host name by e-mail, for example, you could try asking the person who sent you that e-mail. If your company's IT department provided you with ready-made PuTTY saved sessions, then that IT department can probably also tell you something about what commands you can type during those sessions. But the PuTTY maintainer team does not administer any server you are likely to be connecting to, and cannot help you with questions of this type.
A.6.3 How can I make PuTTY start up maximised?
Create a Windows shortcut to start PuTTY from, and set it as ‘Run Maximized’.
A.6.4 How can I create a Windows shortcut to start a particular saved session directly?
To run a PuTTY session saved under the name ‘mysession’, create a Windows shortcut that invokes PuTTY with a command line like
\path\name\to\putty.exe -load "mysession"
(Note: prior to 0.53, the syntax was @session. This is now deprecated and may be removed at some point.)
A.6.6 How do I copy and paste between PuTTY and other Windows applications?
Copy and paste works similarly to the X Window System. You use the left mouse button to select text in the PuTTY window. The act of selection automatically copies the text to the clipboard: there is no need to press Ctrl-Ins or Ctrl-C or anything else. In fact, pressing Ctrl-C will send a Ctrl-C character to the other end of your connection (just like it does the rest of the time), which may have unpleasant effects. The only thing you need to do, to copy text to the clipboard, is to select it.
To paste the clipboard contents into a PuTTY window, by default you click the right mouse button. If you have a three-button mouse and are used to X applications, you can configure pasting to be done by the middle button instead, but this is not the default because most Windows users don't have a middle button at all.
You can also paste by pressing Shift-Ins.
A.6.7 How do I use all PuTTY's features (public keys, proxying, cipher selection, etc.) in PSCP, PSFTP and Plink?
Most major features (e.g., public keys, port forwarding) are available through command line options. See the documentation.
Not all features are accessible from the command line yet, although we'd like to fix this. In the meantime, you can use most of PuTTY's features if you create a PuTTY saved session, and then use the name of the saved session on the command line in place of a hostname. This works for PSCP, PSFTP and Plink (but don't expect port forwarding in the file transfer applications!).
A.6.8 How do I use PSCP.EXE? When I double-click it gives me a command prompt window which then closes instantly.
PSCP is a command-line application, not a GUI application. If you run it without arguments, it will simply print a help message and terminate.
To use PSCP properly, run it from a Command Prompt window. See chapter 5 in the documentation for more details.
A.6.9 How do I use PSCP to copy a file whose name has spaces in?
If PSCP is using the traditional SCP protocol, this is confusing. If you're specifying a file at the local end, you just use one set of quotes as you would normally do:
pscp "local filename with spaces" user@host:
pscp user@host:myfile "local filename with spaces"
But if the filename you're specifying is on the remote side, you have to use backslashes and two sets of quotes:
pscp user@host:"\"remote filename with spaces\"" local_filename
pscp local_filename user@host:"\"remote filename with spaces\""
Worse still, in a remote-to-local copy you have to specify the local file name explicitly, otherwise PSCP will complain that they don't match (unless you specified the -unsafe option). The following command will give an error message:
c:\>pscp user@host:"\"oo er\"" .
warning: remote host tried to write to a file called 'oo er'
when we requested a file called '"oo er"'.
Instead, you need to specify the local file name in full:
c:\>pscp user@host:"\"oo er\"" "oo er"
If PSCP is using the newer SFTP protocol, none of this is a problem, and all filenames with spaces in are specified using a single pair of quotes in the obvious way:
pscp "local file" user@host:
pscp user@host:"remote file" .
A.6.10 Should I run the 32-bit or the 64-bit version?
If you're not sure, the 32-bit version is generally the safe option. It will run perfectly well on all processors and on all versions of Windows that PuTTY supports. PuTTY doesn't need to run as a 64-bit application to work well, and having a 32-bit PuTTY on a 64-bit system isn't likely to cause you any trouble.
The 64-bit version (first released in 0.68) will only run if you have a 64-bit processor and a 64-bit edition of Windows (both of these things are likely to be true of any recent Windows PC). It will run somewhat faster (in particular, the cryptography will be faster, especially during link setup), but it will consume slightly more memory.
If you need to use an external DLL for GSSAPI authentication, that DLL may only be available in a 32-bit or 64-bit form, and that will dictate the version of PuTTY you need to use. (You will probably know if you're doing this; see section 4.23.2 in the documentation.)
A.7 Troubleshooting
A.7.1 Why do I see ‘Fatal: Protocol error: Expected control record’ in PSCP?
A.7.2 I clicked on a colour in the Colours panel, and the colour didn't change in my terminal.
A.7.3 After trying to establish an SSH-2 connection, PuTTY says ‘Out of memory’ and dies.
A.7.4 When attempting a file transfer, either PSCP or PSFTP says ‘Out of memory’ and dies.
A.7.5 PSFTP transfers files much slower than PSCP.
A.7.6 When I run full-colour applications, I see areas of black space where colour ought to be, or vice versa.
A.7.7 When I change some terminal settings, nothing happens.
A.7.8 My PuTTY sessions unexpectedly close after they are idle for a while.
A.7.9 PuTTY's network connections time out too quickly when network connectivity is temporarily lost.
A.7.10 When I cat a binary file, I get ‘PuTTYPuTTYPuTTY’ on my command line.
A.7.11 When I cat a binary file, my window title changes to a nonsense string.
A.7.12 My keyboard stops working once PuTTY displays the password prompt.
A.7.13 One or more function keys don't do what I expected in a server-side application.
A.7.14 Why do I see ‘Couldn't load private key from ...’? Why can PuTTYgen load my key but not PuTTY?
A.7.15 When I'm connected to a Red Hat Linux 8.0 system, some characters don't display properly.
A.7.16 Since I upgraded to PuTTY 0.54, the scrollback has stopped working when I run screen.
A.7.17 Since I upgraded Windows XP to Service Pack 2, I can't use addresses like 127.0.0.2.
A.7.18 PSFTP commands seem to be missing a directory separator (slash).
A.7.19 Do you want to hear about ‘Software caused connection abort’?
A.7.1 Why do I see ‘Fatal: Protocol error: Expected control record’ in PSCP?
This happens because PSCP was expecting to see data from the server that was part of the PSCP protocol exchange, and instead it saw data that it couldn't make any sense of at all.
This almost always happens because the startup scripts in your account on the server machine are generating output. This is impossible for PSCP, or any other SCP client, to work around. You should never use startup files (.bashrc, .cshrc and so on) which generate output in non-interactive sessions.
This is not actually a PuTTY problem. If PSCP fails in this way, then all other SCP clients are likely to fail in exactly the same way. The problem is at the server end.
A.7.2 I clicked on a colour in the Colours panel, and the colour didn't change in my terminal.
That isn't how you're supposed to use the Colours panel.
During the course of a session, PuTTY potentially uses all the colours listed in the Colours panel. It's not a question of using only one of them and you choosing which one; PuTTY will use them all. The purpose of the Colours panel is to let you adjust the appearance of all the colours. So to change the colour of the cursor, for example, you would select ‘Cursor Colour’, press the ‘Modify’ button, and select a new colour from the dialog box that appeared. Similarly, if you want your session to appear in green, you should select ‘Default Foreground’ and press ‘Modify’. Clicking on ‘ANSI Green’ won't turn your session green; it will only allow you to adjust the shade of green used when PuTTY is instructed by the server to display green text.
A.7.3 After trying to establish an SSH-2 connection, PuTTY says ‘Out of memory’ and dies.
If this happens just while the connection is starting up, this often indicates that for some reason the client and server have failed to establish a session encryption key. Somehow, they have performed calculations that should have given each of them the same key, but have ended up with different keys; so data encrypted by one and decrypted by the other looks like random garbage.
This causes an ‘out of memory’ error because the first encrypted data PuTTY expects to see is the length of an SSH message. Normally this will be something well under 100 bytes. If the decryption has failed, PuTTY will see a completely random length in the region of two gigabytes, and will try to allocate enough memory to store this non-existent message. This will immediately lead to it thinking it doesn't have enough memory, and panicking.
If this happens to you, it is quite likely to still be a PuTTY bug and you should report it (although it might be a bug in your SSH server instead); but it doesn't necessarily mean you've actually run out of memory.
A.7.4 When attempting a file transfer, either PSCP or PSFTP says ‘Out of memory’ and dies.
This is almost always caused by your login scripts on the server generating output. PSCP or PSFTP will receive that output when they were expecting to see the start of a file transfer protocol, and they will attempt to interpret the output as file-transfer protocol. This will usually lead to an ‘out of memory’ error for much the same reasons as given in question A.7.3.
This is a setup problem in your account on your server, not a PSCP/PSFTP bug. Your login scripts should never generate output during non-interactive sessions; secure file transfer is not the only form of remote access that will break if they do.
On Unix, a simple fix is to ensure that all the parts of your login script that might generate output are in .profile (if you use a Bourne shell derivative) or .login (if you use a C shell). Putting them in more general files such as .bashrc or .cshrc is liable to lead to problems.
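
The failure described in questions A.7.3 and A.7.4, as an added example that is not PuTTY's own code: a receiver that trusts a four-byte big-endian length prefix reads stray login-script text (or, in the A.7.3 case, wrongly decrypted bytes) as an enormous message length, while a receiver that checks the length first can report a protocol error instead. The 256 KiB cap, the function names and the sample bytes are assumptions made for this illustration.

```python
import io
import struct

MAX_MESSAGE = 256 * 1024  # assumed cap for this example, not PuTTY's actual limit


class ProtocolError(Exception):
    """The peer's bytes do not look like the expected protocol."""


def declared_length(prefix):
    """Interpret four bytes as the big-endian uint32 length field."""
    if len(prefix) != 4:
        raise ProtocolError("short read on length field")
    return struct.unpack(">I", prefix)[0]


def read_message(stream, max_len=MAX_MESSAGE):
    """Read one length-prefixed message, checking the length before
    any buffer of that size is requested."""
    length = declared_length(stream.read(4))
    if length == 0 or length > max_len:
        raise ProtocolError(
            "implausible message length %d (0x%08x): stray output ahead of "
            "the protocol, or garbage from a failed decryption" % (length, length))
    body = stream.read(length)
    if len(body) != length:
        raise ProtocolError("truncated message")
    return body


def frame(payload):
    """Prefix a payload with its length, as the sender would."""
    return struct.pack(">I", len(payload)) + payload


# Constructed sample: an SFTP-style INIT message (type 1, version 3).
GOOD = frame(b"\x01\x00\x00\x00\x03")
# Constructed sample: the same message preceded by login-script output.
BANNER = b"Welcome to example-host\n" + GOOD


def classify(data):
    """Return ("ok", body) or ("rejected", reason) for a byte stream."""
    try:
        return ("ok", read_message(io.BytesIO(data)))
    except ProtocolError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # "Welc" read as a length is more than a gigabyte.
    print(declared_length(BANNER[:4]))
    print(classify(GOOD))
    print(classify(BANNER))
```
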
A.7.5 PSFTP transfers files much slower than PSCP.
The throughput of PSFTP 0.54 should be much better than 0.53b and prior; we've added code to the SFTP backend to queue several blocks of data rather than waiting for an acknowledgement for each. (The SCP backend did not suffer from this performance issue because SCP is a much simpler protocol.)
A.7.6 When I run full-colour applications, I see areas of black space where colour ought to be, or vice versa.
You almost certainly need to change the ‘Use background colour to erase screen’ setting in the Terminal panel. If there is too much black space (the commoner situation), you should enable it, while if there is too much colour, you should disable it. (See section 4.3.5.)
In old versions of PuTTY, this was disabled by default, and would not take effect until you reset the terminal (see question A.7.7). Since 0.54, it is enabled by default, and changes take effect immediately.
A.7.7 When I change some terminal settings, nothing happens.
Some of the terminal options (notably Auto Wrap and background-colour screen erase) actually represent the default setting, rather than the currently active setting. The server can send sequences that modify these options in mid-session, but when the terminal is reset (by server action, or by you choosing ‘Reset Terminal’ from the System menu) the defaults are restored.
In versions 0.53b and prior, if you change one of these options in the middle of a session, you will find that the change does not immediately take effect. It will only take effect once you reset the terminal.
In version 0.54, the behaviour has changed - changes to these settings take effect immediately.
A.7.8 My PuTTY sessions unexpectedly close after they are idle for a while.
Some types of firewall, and almost any router doing Network Address Translation (NAT, also known as IP masquerading), will forget about a connection through them if the connection does nothing for too long. This will cause the connection to be rudely cut off when contact is resumed.
You can try to combat this by telling PuTTY to send keepalives: packets of data which have no effect on the actual session, but which reassure the router or firewall that the network connection is still active and worth remembering about.
Keepalives don't solve everything, unfortunately; although they cause greater robustness against this sort of router, they can also cause a loss of robustness against network dropouts. See section 4.13.1 in the documentation for more discussion of this.
A.7.9 PuTTY's network connections time out too quickly when network connectivity is temporarily lost.
This is a Windows problem, not a PuTTY problem. The timeout value can't be set on a per-application or per-session basis. To increase the TCP timeout globally, you need to tinker with the Registry.
On Windows 95, 98 or ME, the registry key you need to create or change is
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP\MaxDataRetries
(it must be of type DWORD in Win95, or String in Win98/ME). (See MS Knowledge Base article 158474 for more information.)
On Windows NT, 2000, or XP, the registry key to create or change is
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
and it must be of type DWORD. (See MS Knowledge Base articles 120642 and 314053 for more information.)
Set the key's value to something like 10. This will cause Windows to try harder to keep connections alive instead of abandoning them.
A.7.10 When I cat a binary file, I get ‘PuTTYPuTTYPuTTY’ on my command line.
Don't do that, then.
This is designed behaviour; when PuTTY receives the character Control-E from the remote server, it interprets it as a request to identify itself, and so it sends back the string ‘PuTTY’ as if that string had been entered at the keyboard. Control-E should only be sent by programs that are prepared to deal with the response. Writing a binary file to your terminal is likely to output many Control-E characters, and cause this behaviour. Don't do it. It's a bad plan.
To mitigate the effects, you could configure the answerback string to be empty (see section 4.3.7); but writing binary files to your terminal is likely to cause various other unpleasant behaviour, so this is only a small remedy.
A.7.11 When I cat a binary file, my window title changes to a nonsense string.
Don't do that, then.
It is designed behaviour that PuTTY should have the ability to adjust the window title on instructions from the server. Normally the control sequence that does this should only be sent deliberately, by programs that know what they are doing and intend to put meaningful text in the window title. Writing a binary file to your terminal runs the risk of sending the same control sequence by accident, and causing unexpected changes in the window title. Don't do it.
A.7.12 My keyboard stops working once PuTTY displays the password prompt.
No, it doesn't. PuTTY just doesn't display the password you type, so that someone looking at your screen can't see what it is.
Unlike the Windows login prompts, PuTTY doesn't display the password as a row of asterisks either. This is so that someone looking at your screen can't even tell how long your password is, which might be valuable information.
A.7.13 One or more function keys don't do what I expected in a server-side application.
If you've already tried all the relevant options in the PuTTY Keyboard panel, you may need to mail the PuTTY maintainers and ask.
It is not usually helpful just to tell us which application, which server operating system, and which key isn't working; in order to replicate the problem we would need to have a copy of every operating system, and every application, that anyone has ever complained about.
PuTTY responds to function key presses by sending a sequence of control characters to the server. If a function key isn't doing what you expect, it's likely that the character sequence your application is expecting to receive is not the same as the one PuTTY is sending. Therefore what we really need to know is what sequence the application is expecting.
The simplest way to investigate this is to find some other terminal environment, in which that function key does work; and then investigate what sequence the function key is sending in that situation. One reasonably easy way to do this on a Unix system is to type the command cat, and then press the function key. This is likely to produce output of the form ^[[11~. You can also do this in PuTTY, to find out what sequence the function key is producing in that. Then you can mail the PuTTY maintainers and tell us ‘I wanted the F1 key to send ^[[11~, but instead it's sending ^[OP, can this be done?’, or something similar.
You should still read the Feedback page on the PuTTY website (also provided as appendix B in the manual), and follow the guidelines contained in that.
A.7.14 Why do I see ‘Couldn't load private key from ...’? Why can PuTTYgen load my key but not PuTTY?
It's likely that you've generated an SSH protocol 2 key with PuTTYgen, but you're trying to use it in an SSH-1 connection. SSH-1 and SSH-2 keys have different formats, and (at least in 0.52) PuTTY's reporting of a key in the wrong format isn't optimal.
To connect using SSH-2 to a server that supports both versions, you need to change the configuration from the default (see question A.2.1).
A.7.15 When I'm connected to a Red Hat Linux 8.0 system, some characters don't display properly.
A common complaint is that hyphens in man pages show up as a-acute.
With release 8.0, Red Hat appear to have made UTF-8 the default character set. There appears to be no way for terminal emulators such as PuTTY to know this (as far as we know, the appropriate escape sequence to switch into UTF-8 mode isn't sent).
A fix is to configure sessions to RH8 systems to use UTF-8 translation - see section 4.10.1 in the documentation. (Note that if you use ‘Change Settings’, changes may not take place immediately - see question A.7.7.)
If you really want to change the character set used by the server, the right place is /etc/sysconfig/i18n, but this shouldn't be necessary.
A.7.16 Since I upgraded to PuTTY 0.54, the scrollback has stopped working when I run screen.
PuTTY's terminal emulator has always had the policy that when the ‘alternate screen’ is in use, nothing is added to the scrollback. This is because the usual sorts of programs which use the alternate screen are things like text editors, which tend to scroll back and forth in the same document a lot; so (a) they would fill up the scrollback with a large amount of unhelpfully disordered text, and (b) they contain their own method for the user to scroll back to the bit they were interested in. We have generally found this policy to do the Right Thing in almost all situations.
Unfortunately, screen is one exception: it uses the alternate screen, but it's still usually helpful to have PuTTY's scrollback continue working. The simplest solution is to go to the Features control panel and tick ‘Disable switching to alternate terminal screen’. (See section 4.6.4 for more details.) Alternatively, you can tell screen itself not to use the alternate screen: the screen FAQ suggests adding the line ‘termcapinfo xterm ti@:te@’ to your .screenrc file.
The reason why this only started to be a problem in 0.54 is because screen typically uses an unusual control sequence to switch to the alternate screen, and previous versions of PuTTY did not support this sequence.
A.7.17 Since I upgraded Windows XP to Service Pack 2, I can't use addresses like 127.0.0.2.
Some people who ask PuTTY to listen on localhost addresses other than 127.0.0.1 to forward services such as SMB and Windows Terminal Services have found that doing so no longer works since they upgraded to WinXP SP2.
This is apparently an issue with SP2 that is acknowledged by Microsoft in MS Knowledge Base article 884020. The article links to a fix you can download.
(However, we've been told that SP2 also fixes the bug that means you need to use non-127.0.0.1 addresses to forward Terminal Services in the first place.)
A.7.18 PSFTP commands seem to be missing a directory separator (slash).
Some people have reported the following incorrect behaviour with PSFTP:
psftp> pwd
Remote directory is /dir1/dir2
psftp> get filename.ext
/dir1/dir2filename.ext: no such file or directory
This is not a bug in PSFTP. There is a known bug in some versions of portable OpenSSH (bug 697) that causes these symptoms; it appears to have been introduced around 3.7.x. It manifests only on certain platforms (AIX is what has been reported to us).
There is a patch for OpenSSH attached to that bug; it's also fixed in recent versions of portable OpenSSH (from around 3.8).
A.7.19 Do you want to hear about ‘Software caused connection abort’?
In the documentation for PuTTY 0.53 and 0.53b, we mentioned that we'd like to hear about any occurrences of this error. Since the release of PuTTY 0.54, however, we've been convinced that this error doesn't indicate that PuTTY's doing anything wrong, and we don't need to hear about further occurrences. See section 10.15 for our current documentation of this error.
A.7.20 My SSH-2 session locks up for a few seconds every so often.
Recent versions of PuTTY automatically initiate repeat key exchange once per hour, to improve session security. If your client or server machine is slow, you may experience this as a delay of anything up to thirty seconds or so.
These delays are inconvenient, but they are there for your protection. If they really cause you a problem, you can choose to turn off periodic rekeying using the ‘Kex’ configuration panel (see section 4.19), but be aware that you will be sacrificing security for this. (Falling back to SSH-1 would also remove the delays, but would lose a lot more security still. We do not recommend it.)
A.7.22 When I put 32-bit PuTTY in C:\WINDOWS\SYSTEM32 on my 64-bit Windows system, ‘Duplicate Session’ doesn't work.
The short answer is not to put the PuTTY executables in that location.
On 64-bit systems, C:\WINDOWS\SYSTEM32 is intended to contain only 64-bit binaries; Windows' 32-bit binaries live in C:\WINDOWS\SYSWOW64. When a 32-bit PuTTY executable runs on a 64-bit system, it cannot by default see the ‘real’ C:\WINDOWS\SYSTEM32 at all, because the File System Redirector arranges that the running program sees the appropriate kind of binaries in SYSTEM32. Thus, operations in the PuTTY suite that involve it accessing its own executables, such as ‘New Session’ and ‘Duplicate Session’, will not work.
A.8 Security questions
A.8.1 Is it safe for me to download PuTTY and use it on a public PC?
A.8.2 What does PuTTY leave on a system? How can I clean up after it?
A.8.3 How come PuTTY now supports DSA, when the website used to say how insecure it was?
A.8.4 Couldn't Pageant use VirtualLock() to stop private keys being written to disk?
A.8.1 Is it safe for me to download PuTTY and use it on a public PC?
It depends on whether you trust that PC. If you don't trust the public PC, don't use PuTTY on it, and don't use any other software you plan to type passwords into either. It might be watching your keystrokes, or it might tamper with the PuTTY binary you download. There is no program safe enough that you can run it on an actively malicious PC and get away with typing passwords into it.
If you do trust the PC, then it's probably OK to use PuTTY on it (but if you don't trust the network, then the PuTTY download might be tampered with, so it would be better to carry PuTTY with you on a USB stick).
A.8.2 What does PuTTY leave on a system? How can I clean up after it?
PuTTY will leave some Registry entries, and a random seed file, on the PC (see question A.5.2). Windows 7 and up also remember some information about recently launched sessions for the ‘jump list’ feature.
If you are using PuTTY on a public PC, or somebody else's PC, you might want to clean this information up when you leave. You can do that automatically, by running the command putty -cleanup. See section 3.8.2 in the documentation for more detail. (Note that this only removes settings for the currently logged-in user on multi-user systems.)
If PuTTY was installed from the installer package, it will also appear in ‘Add/Remove Programs’. Current versions of the installer do not offer to remove the above-mentioned items, so if you want them removed you should run putty -cleanup before uninstalling.
A.8.3 How come PuTTY now supports DSA, when the website used to say how insecure it was?
DSA has a major weakness if badly implemented: it relies on a random number generator to far too great an extent. If the random number generator produces a number an attacker can predict, the DSA private key is exposed - meaning that the attacker can log in as you on all systems that accept that key.
The PuTTY policy changed because the developers were informed of ways to implement DSA which do not suffer nearly as badly from this weakness, and indeed which don't need to rely on random numbers at all. For this reason we now believe PuTTY's DSA implementation is probably OK.
The recently added elliptic-curve signature methods are also DSA-style algorithms, so they have this same weakness in principle. Our ECDSA implementation uses the same defence as DSA, while our Ed25519 implementation uses the similar system (but different in details) that the Ed25519 spec mandates.
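
As an added illustration of a signature nonce that does not depend on a random number generator, the sketch below derives the per-message value k from the private key and the message hash using the HMAC-based construction published in RFC 6979. This is not PuTTY's own scheme or code; the function names and the private key value are constructed for the example, and the group order used is that of the NIST P-256 curve.

```python
import hashlib
import hmac

# Order of the NIST P-256 group; any DSA/ECDSA subgroup order q works here.
Q_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
# Constructed private key for the demonstration only.
X_DEMO = int("1f" * 32, 16)


def _bits2int(data, qlen):
    """Take the leftmost qlen bits of data as an integer (RFC 6979, 2.3.2)."""
    value = int.from_bytes(data, "big")
    excess = len(data) * 8 - qlen
    return value >> excess if excess > 0 else value


def _bits2octets(data, q, qlen, rlen):
    """Reduce a hash value modulo q and encode it in rlen bytes (2.3.4)."""
    z = _bits2int(data, qlen)
    if z >= q:
        z -= q
    return z.to_bytes(rlen, "big")


def deterministic_k(x, q, message, hashfunc=hashlib.sha256):
    """Derive the signature nonce k from key x and message (RFC 6979, 3.2)."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    h1 = hashfunc(message).digest()
    seed = x.to_bytes(rlen, "big") + _bits2octets(h1, q, qlen, rlen)

    v = b"\x01" * len(h1)
    key = b"\x00" * len(h1)
    key = hmac.new(key, v + b"\x00" + seed, hashfunc).digest()
    v = hmac.new(key, v, hashfunc).digest()
    key = hmac.new(key, v + b"\x01" + seed, hashfunc).digest()
    v = hmac.new(key, v, hashfunc).digest()

    while True:
        t = b""
        while len(t) * 8 < qlen:
            v = hmac.new(key, v, hashfunc).digest()
            t += v
        k = _bits2int(t, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range: update the state and try again.
        key = hmac.new(key, v + b"\x00", hashfunc).digest()
        v = hmac.new(key, v, hashfunc).digest()


def nonces(x, q, messages):
    """Nonces for a list of messages, in order."""
    return [deterministic_k(x, q, m) for m in messages]


if __name__ == "__main__":
    ks = nonces(X_DEMO, Q_P256, [b"login A", b"login A", b"login B"])
    # The same message gives the same k; a different message gives another k.
    print(ks[0] == ks[1], ks[0] != ks[2])
```
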
A.8.4 Couldn't Pageant use VirtualLock() to stop private keys being written to disk?
Unfortunately not. The VirtualLock() function in the Windows API doesn't do a proper job: it may prevent small pieces of a process's memory from being paged to disk while the process is running, but it doesn't stop the process's memory as a whole from being swapped completely out to disk when the process is long-term inactive. And Pageant spends most of its time inactive.
A.9 Administrative questions
A.9.1 Would you like me to register you a nicer domain name?
A.9.2 Would you like free web hosting for the PuTTY web site?
A.9.3 Would you link to my web site from the PuTTY web site?
A.9.4 Why don't you move PuTTY to SourceForge?
A.9.5 Why can't I subscribe to the putty-bugs mailing list?
A.9.6 If putty-bugs isn't a general-subscription mailing list, what is?
A.9.7 How can I donate to PuTTY development?
A.9.8 Can I have permission to put PuTTY on a cover disk / distribute it with other software / etc?
A.9.9 Can you sign an agreement indemnifying us against security problems in PuTTY?
A.9.10 Can you sign this form granting us permission to use / distribute PuTTY?
A.9.11 Can you write us a formal notice of permission to use PuTTY?
A.9.12 Can you sign anything for us?
A.9.13 If you won't sign anything, can you give us some sort of assurance that you won't make PuTTY closed-source in future?
A.9.14 Can you provide us with export control information / FIPS certification for PuTTY?
A.9.15 As one of our existing software vendors, can you just fill in this questionnaire for us?
A.9.16 The sha1sums / sha256sums / etc files on your download page don't match the binaries.
A.9.1 Would you like me to register you a nicer domain name?
No, thank you. Even if you can find one (most of them seem to have been registered already, by people who didn't ask whether we actually wanted it before they applied), we're happy with the PuTTY web site being exactly where it is. It's not hard to find (just type ‘putty’ into google.com and we're the first link returned), and we don't believe the administrative hassle of moving the site would be worth the benefit.
In addition, if we did want a custom domain name, we would want to run it ourselves, so we knew for certain that it would continue to point where we wanted it, and wouldn't suddenly change or do strange things. Having it registered for us by a third party who we don't even know is not the best way to achieve this.
A.9.2 Would you like free web hosting for the PuTTY web site?
We already have some, thanks.
A.9.3 Would you link to my web site from the PuTTY web site?
Only if the content of your web page is of definite direct interest to PuTTY users. If your content is unrelated, or only tangentially related, to PuTTY, then the link would simply be advertising for you.
One very nice effect of the Google ranking mechanism is that by and large, the most popular web sites get the highest rankings. This means that when an ordinary person does a search, the top item in the search is very likely to be a high-quality site or the site they actually wanted, rather than the site which paid the most money for its ranking.
The PuTTY web site is held in high esteem by Google, for precisely this reason: lots of people have linked to it simply because they like PuTTY, without us ever having to ask anyone to link to us. We feel that it would be an abuse of this esteem to use it to boost the ranking of random advertisers' web sites. If you want your web site to have a high Google ranking, we'd prefer that you achieve this the way we did - by being good enough at what you do that people will link to you simply because they like you.
In particular, we aren't interested in trading links for money (see above), and we certainly aren't interested in trading links for other links (since we have no advertising on our web site, our Google ranking is not even directly worth anything to us). If we don't want to link to you for free, then we probably won't want to link to you at all.
If you have software based on PuTTY, or specifically designed to interoperate with PuTTY, or in some other way of genuine interest to PuTTY users, then we will probably be happy to add a link to you on our Links page. And if you're running a particularly valuable mirror of the PuTTY web site, we might be interested in linking to you from our Mirrors page.
A.9.4 Why don't you move PuTTY to SourceForge?
Partly, because we don't want to move the web site location (see question A.9.1).
Also, security reasons. PuTTY is a security product, and as such it is particularly important to guard the code and the web site against unauthorised modifications which might introduce subtle security flaws. Therefore, we prefer that the Git repository, web site and FTP site remain where they are, under the direct control of system administrators we know and trust personally, rather than being run by a large organisation full of people we've never met and which is known to have had breakins in the past.
No offence to SourceForge; I think they do a wonderful job. But they're not ideal for everyone, and in particular they're not ideal for us.
A.9.5 Why can't I subscribe to the putty-bugs mailing list?
Because you're not a member of the PuTTY core development team. The putty-bugs mailing list is not a general newsgroup-like discussion forum; it's a contact address for the core developers, and an internal mailing list for us to discuss things among ourselves. If we opened it up for everybody to subscribe to, it would turn into something more like a newsgroup and we would be completely overwhelmed by the volume of traffic. It's hard enough to keep up with the list as it is.
A.9.6 If putty-bugs isn't a general-subscription mailing list, what is?
There isn't one, that we know of.
If someone else wants to set up a mailing list or other forum for PuTTY users to help each other with common problems, that would be fine with us, though the PuTTY team would almost certainly not have the time to read it. It's probably better to use one of the established newsgroups for this purpose (see section B.1.2).
A.9.7 How can I donate to PuTTY development?
Please, please don't feel you have to. PuTTY is completely free software, and not shareware. We think it's very important that everybody who wants to use PuTTY should be able to, whether they have any money or not; so the last thing we would want is for a PuTTY user to feel guilty because they haven't paid us any money. If you want to keep your money, please do keep it. We wouldn't dream of asking for any.
Having said all that, if you still really want to give us money, we won't argue :-) The easiest way for us to accept donations is if you send money to <anakin@pobox.com> using PayPal (www.paypal.com). If you don't like PayPal, talk to us; we can probably arrange some alternative means.
Small donations (tens of dollars or tens of euros) will probably be spent on beer or curry, which helps motivate our volunteer team to continue doing this for the world. Larger donations will be spent on something that actually helps development, if we can find anything (perhaps new hardware, or a copy of Windows XP), but if we can't find anything then we'll just distribute the money among the developers. If you want to be sure your donation is going towards something worthwhile, ask us first. If you don't like these terms, feel perfectly free not to donate. We don't mind.
A.9.9 Can you sign an agreement indemnifying us against security problems in PuTTY?
No!
A vendor of physical security products (e.g. locks) might plausibly be willing to accept financial liability for a product that failed to perform as advertised and resulted in damage (e.g. valuables being stolen). The reason they can afford to do this is because they sell a lot of units, and only a small proportion of them will fail; so they can meet their financial liability out of the income from all the rest of their sales, and still have enough left over to make a profit. Financial liability is intrinsically linked to selling your product for money.
There are two reasons why PuTTY is not analogous to a physical lock in this context. One is that software products don't exhibit random variation: if PuTTY has a security hole (which does happen, although we do our utmost to prevent it and to respond quickly when it does), every copy of PuTTY will have the same hole, so it's likely to affect all the users at the same time. So even if our users were all paying us to use PuTTY, we wouldn't be able to simultaneously pay every affected user compensation in excess of the amount they had paid us in the first place. It just wouldn't work.
The second, much more important, reason is that PuTTY users don't pay us. The PuTTY team does not have an income; it's a volunteer effort composed of people spending their spare time to try to write useful software. We aren't even a company or any kind of legally recognised organisation. We're just a bunch of people who happen to do some stuff in our spare time.
Therefore, to ask us to assume financial liability is to ask us to assume a risk of having to pay it out of our own personal pockets: out of the same budget from which we buy food and clothes and pay our rent. That's more than we're willing to give. We're already giving a lot of our spare time to developing software for free; if we had to pay our own money to do it as well, we'd start to wonder why we were bothering.
Free software fundamentally does not work on the basis of financial guarantees. Your guarantee of the software functioning correctly is simply that you have the source code and can check it before you use it. If you want to be sure there aren't any security holes, do a security audit of the PuTTY code, or hire a security engineer if you don't have the necessary skills yourself: instead of trying to ensure you can get compensation in the event of a disaster, try to ensure there isn't a disaster in the first place.
If you really want financial security, see if you can find a security engineer who will take financial responsibility for the correctness of their review. (This might be less likely to suffer from the everything-failing-at-once problem mentioned above, because such an engineer would probably be reviewing a lot of different products which would tend to fail independently.) Failing that, see if you can persuade an insurance company to insure you against security incidents, and if the insurer demands it as a condition then get our code reviewed by a security engineer they're happy with.
A.9.10 Can you sign this form granting us permission to use/distribute PuTTY?
If your form contains any clause along the lines of ‘the undersigned
represents and warrants’, we're not going to sign it. This is particularly
true if it asks us to warrant that PuTTY is secure; see question A.9.9 for
more discussion of this. But it doesn't really matter what we're supposed
to be warranting: even if it's something we already believe is true, such
as that we don't infringe any third-party copyright, we will not sign a
document accepting any legal or financial liability. This is simply because
the PuTTY development project has no income out of which to satisfy
that liability, or pay legal costs, should it become necessary. We cannot
afford to be sued. We are assuring you that we have done our best; if
that isn't good enough for you, tough.
The existing PuTTY licence document already gives you permission to
use or distribute PuTTY in pretty much any way which does not involve
pretending you wrote it or suing us if it goes wrong. We think that really
ought to be enough for anybody.
See also question A.9.12 for another reason why we don't want to do this
sort of thing.
A.9.11 Can you write us a formal notice of permission to use PuTTY?
We could, in principle, but it isn't clear what use it would be. If you think
there's a serious chance of one of the PuTTY copyright holders suing you
(which we don't!), you would presumably want a signed notice from all of
them; and we couldn't provide that even if we wanted to, because many
of the copyright holders are people who contributed some code in the
past and with whom we subsequently lost contact. Therefore the best we
would be able to do even in theory would be to have the core
development team sign the document, which wouldn't guarantee you that
some other copyright holder might not sue.
See also question A.9.12 for another reason why we don't want to do this
sort of thing.
A.9.12 Can you sign anything for us?
Not unless there's an incredibly good reason.
We are generally unwilling to set a precedent that involves us having to
enter into individual agreements with PuTTY users. We estimate that we
have literally millions of users, and we absolutely would not have time to
go round signing specific agreements with every one of them. So if you
want us to sign something specific for you, you might usefully stop to
consider whether there's anything special that distinguishes you from
999,999 other users, and therefore any reason we should be willing to
sign something for you without it setting such a precedent.
If your company policy requires you to have an individual agreement with
the supplier of any software you use, then your company policy is simply
not well suited to using popular free software, and we urge you to
consider this as a flaw in your policy.
A.9.13 If you won't sign anything, can you give us some sort of assurance that you won't make PuTTY closed-source in future?
Yes and no.
If what you want is an assurance that some current version of PuTTY
which you've already downloaded will remain free, then you already have
that assurance: it's called the PuTTY Licence. It grants you permission to
use, distribute and copy the software to which it applies; once we've
granted that permission (which we have), we can't just revoke it.
On the other hand, if you want an assurance that future versions of
PuTTY won't be closed-source, that's more difficult. We could in principle
sign a document stating that we would never release a closed-source
PuTTY, but that wouldn't assure you that we would keep releasing
open-source PuTTYs: we would still have the option of ceasing to develop
PuTTY at all, which would surely be even worse for you than making it
closed-source! (And we almost certainly wouldn't want to sign a
document guaranteeing that we would actually continue to do
development work on PuTTY; we certainly wouldn't sign it for free.
Documents like that are called contracts of employment, and are
generally not signed except in return for a sizeable salary.)
If we were to stop developing PuTTY, or to decide to make all future
releases closed-source, then you would still be free to copy the last open
release in accordance with the current licence, and in particular you could
start your own fork of the project from that release. If this happened, I
confidently predict that somebody would do that, and that some kind of a
free PuTTY would continue to be developed. There's already precedent
for that sort of thing happening in free software. We can't guarantee that
somebody other than you would do it, of course; you might have to do it
yourself. But we can assure you that there would be nothing preventing
anyone from continuing free development if we stopped.
(Finally, we can also confidently predict that if we made PuTTY
closed-source and someone made an open-source fork, most people would
switch to the latter. Therefore, it would be pretty stupid of us to try it.)
A.9.14 Can you provide us with export control information/FIPS certification for PuTTY?
Some people have asked us for an Export Control Classification Number
(ECCN) for PuTTY. We don't know whether we have one, and as a team
of free software developers based in the UK we don't have the time,
money, or effort to deal with US bureaucracy to investigate any further.
We believe that PuTTY falls under 5D002 on the US Commerce Control
List, but that shouldn't be taken as definitive. If you need to know more
you should seek professional legal advice. The same applies to any other
country's legal requirements and restrictions.
Similarly, some people have asked us for FIPS certification of the PuTTY
tools. Unless someone else is prepared to do the necessary work and
pay any costs, we can't provide this.
A.9.15 As one of our existing software vendors, can you just fill in this questionnaire for us?
We periodically receive requests like this, from organisations which have
apparently sent out a form letter to everyone listed in their big
spreadsheet of ‘software vendors’ requiring them all to answer some long
list of questions about supported OS versions, paid support
arrangements, compliance with assorted local regulations we haven't
heard of, contact phone numbers, and other such administrivia. Many of
the questions are obviously meaningless when applied to PuTTY (we
don't provide any paid support in the first place!), most of the rest could
have been answered with only a very quick look at our website, and
some we are actively unwilling to answer (we are private individuals, why
would we want to give out our home phone numbers to large
corporations?).
We don't make a habit of responding in full to these questionnaires,
because we are not a software vendor.
A software vendor is a company to which you are paying lots of money in
return for some software. They know who you are, and they know you're
paying them money; so they have an incentive to fill in your forms and
questionnaires, to research any local regulations you cite if they don't
already know about them, and generally to provide every scrap of
information you might possibly need in the most convenient manner for
you, because they want to keep being paid.
But we are a team of free software developers, and that means your
relationship with us is nothing like that at all. If you once downloaded our
software from our website, that's great and we hope you found it useful,
but it doesn't mean we have the least idea who you are, or any incentive
to do lots of unpaid work to support our ‘relationship’ with you.
It's not that we are unwilling to provide information. We put as much of it
as we can on our website for your convenience, and if you actually need
to know some fact about PuTTY which you haven't been able to find on
the website (and which is not obviously inapplicable to free software in
the first place) then please do ask us, and we'll try to answer as best we
can. But we put up the website and this FAQ precisely so that we don't
have to keep answering the same questions over and over again, so we
aren't prepared to fill in completely generic form-letter questionnaires for
people who haven't done their best to find the answers here first.
If you work for an organisation which you think might be at risk of making
this mistake, we urge you to reorganise your list of software suppliers so
that it clearly distinguishes paid vendors who know about you from free
software developers who don't have any idea who you are. Then, only
send out these mass mailings to the former.
A.9.16 The sha1sums/sha256sums/etc files on your download page don't match the binaries.
People report this every so often, and usually the reason turns out to be
that they've matched up the wrong checksums file with the wrong
binaries.
The PuTTY download page contains more than one version of the
software. There's a latest release version; there are the development
snapshots; and when we're in the run-up to making a release, there are
also pre-release builds of the upcoming new version. Each one has its
own collection of binaries, and its own collection of checksums files to go
with them.
So if you've downloaded the release version of the actual program, you
need the release version of the checksums too, otherwise you will see a
mismatch. Similarly, the development snapshot binaries go with the
development snapshot checksums, and so on. (We've colour-coded the
download page in an effort to reduce this confusion a bit.)
If you have double-checked that, and you still think there's a real
mismatch, then please send us a report carefully quoting everything
relevant:
- the exact URL you got your binary from
- the checksum of the binary after you downloaded
- the exact URL you got your checksums file from
- the checksum that file says the binary should have.
A.10.1 Is PuTTY a port of OpenSSH, or based on OpenSSH or OpenSSL?
No, it isn't. PuTTY is almost completely composed of code written from
scratch for PuTTY. The only code we share with OpenSSH is the detector
for SSH-1 CRC compensation attacks, written by CORE SDI S.A; we
share no code at all with OpenSSL.
A.10.2 Where can I buy silly putty?
You're looking at the wrong web site; the only PuTTY we know about
here is the name of a computer program.
If you want the kind of putty you can buy as an executive toy, the PuTTY
team can personally recommend Thinking Putty, which you can buy from
Crazy Aaron's Putty World, at www.puttyworld.com.
A.10.3 What does ‘PuTTY’ mean?
It's the name of a popular SSH and Telnet client. Any other meaning is in
the eye of the beholder. It's been rumoured that ‘PuTTY’ is the antonym
of ‘getty’, or that it's the stuff that makes your Windows useful, or that it's
a kind of plutonium Teletype. We couldn't possibly comment on such
allegations.
A.10.4 How do I pronounce ‘PuTTY’?
Exactly like the English word ‘putty’, which we pronounce /ˈpʌti/.
Appendix B: Feedback and bug reporting
This is a guide to providing feedback to the PuTTY development team. It
is provided as both a web page on the PuTTY site, and an appendix in
the PuTTY manual.
Section B.1 gives some general guidelines for sending any kind of e-mail
to the development team. Following sections give more specific
guidelines for particular types of e-mail, such as bug reports and feature
requests.
- B.1 General guidelines
- B.1.1 Sending large attachments
- B.1.2 Other places to ask for help
- B.2 Reporting bugs
- B.3 Reporting security vulnerabilities
- B.4 Requesting extra features
- B.5 Requesting features that have already been requested
- B.6 Support requests
- B.7 Web server administration
- B.8 Asking permission for things
- B.9 Mirroring the PuTTY web site
- B.10 Praise and compliments
- B.11 E-mail address
B.1 General guidelines
The PuTTY development team gets a lot of mail. If you can possibly
solve your own problem by reading the manual, reading the FAQ, reading
the web site, asking a fellow user, perhaps posting to a newsgroup (see
section B.1.2), or some other means, then it would make our lives much
easier.
We get so much e-mail that we literally do not have time to answer it all.
We regret this, but there's nothing we can do about it. So if you can
possibly avoid sending mail to the PuTTY team, we recommend you do
so. In particular, support requests (section B.6) are probably better sent
to newsgroups, or passed to a local expert if possible.
The PuTTY contact email address is a private mailing list containing four
or five core developers. Don't be put off by it being a mailing list: if you
need to send confidential data as part of a bug report, you can trust the
people on the list to respect that confidence. Also, the archives aren't
publicly available, so you shouldn't be letting yourself in for any spam by
sending us mail.
Please use a meaningful subject line on your message. We get a lot of
mail, and it's hard to find the message we're looking for if they all have
subject lines like ‘PuTTY bug’.
B.1.1 Sending large attachments
Since the PuTTY contact address is a mailing list, e-mails larger than
40Kb will be held for inspection by the list administrator, and will not be
allowed through unless they really appear to be worth their large size.
If you are considering sending any kind of large data file to the PuTTY
team, it's almost always a bad idea, or at the very least it would be better
to ask us first whether we actually need the file. Alternatively, you could
put the file on a web site and just send us the URL; that way, we don't
have to download it unless we decide we actually need it, and only one of
us needs to download it instead of it being automatically copied to all the
developers.
(If the file contains confidential information, then you could encrypt it with
our Secure Contact Key; see section E.1 for details.)
Some people like to send mail in MS Word format. Please don't send us
bug reports, or any other mail, as a Word document. Word documents
are roughly fifty times larger than writing the same report in plain text. In
addition, most of the PuTTY team read their e-mail on Unix machines, so
copying the file to a Windows box to run Word is very inconvenient. Not
only that, but several of us don't even have a copy of Word!
Some people like to send us screen shots when demonstrating a
problem. Please don't do this without checking with us first - we almost
never actually need the information in the screen shot. Sending a screen
shot of an error box is almost certainly unnecessary when you could just
tell us in plain text what the error was. (On some versions of Windows,
pressing Ctrl-C when the error box is displayed will copy the text of the
message to the clipboard.) Sending a full-screen shot is occasionally
useful, but it's probably still wise to check whether we need it before
sending it.
If you must mail a screen shot, don't send it as a .BMP file. BMPs have no
compression and they are much larger than other image formats such as
PNG, TIFF and GIF. Convert the file to a properly compressed image
format before sending it.
Please don't mail us executables, at all. Our mail server blocks all
incoming e-mail containing executables, as a defence against the vast
numbers of e-mail viruses we receive every day. If you mail us an
executable, it will just bounce.
If you have made a tiny modification to the PuTTY code, please send us
a patch to the source code if possible, rather than sending us a huge
.ZIP file containing the complete sources plus your modification. If you've
only changed 10 lines, we'd prefer to receive a mail that's 30 lines long
than one containing multiple megabytes of data we already have.
B.1.2 Other places to ask for help
There are two Usenet newsgroups that are particularly relevant to the
PuTTY tools:
- comp.security.ssh, for questions specific to using the SSH protocol;
- comp.terminals, for issues relating to terminal emulation (for
  instance, keyboard problems).
Please use the newsgroup most appropriate to your query, and
remember that these are general newsgroups, not specifically about
PuTTY.
If you don't have direct access to Usenet, you can access these
newsgroups through Google Groups (groups.google.com).
B.2 Reporting bugs
If you think you have found a bug in PuTTY, your first steps should be:
- Check the Wishlist page on the PuTTY website, and see if we
  already know about the problem. If we do, it is almost certainly not
  necessary to mail us about it, unless you think you have extra
  information that might be helpful to us in fixing it. (Of course, if we
  actually need specific extra information about a particular bug, the
  Wishlist page will say so.)
- Check the Change Log on the PuTTY website, and see if we have
  already fixed the bug in the development snapshots.
- Check the FAQ on the PuTTY website (also provided as appendix A
  in the manual), and see if it answers your question. The FAQ lists the
  most common things which people think are bugs, but which aren't
  bugs.
- Download the latest development snapshot and see if the problem
  still happens with that. This really is worth doing. As a general rule
  we aren't very interested in bugs that appear in the release version
  but not in the development version, because that usually means they
  are bugs we have already fixed. On the other hand, if you can find a
  bug in the development version that doesn't appear in the release,
  that's likely to be a new bug we've introduced since the release and
  we're definitely interested in it.
If none of those options solved your problem, and you still need to report
a bug to us, it is useful if you include some general information:
- Tell us what version of PuTTY you are running. To find this out, use
  the ‘About PuTTY’ option from the System menu. Please do not just
  tell us ‘I'm running the latest version’; e-mail can be delayed and it
  may not be obvious which version was the latest at the time you sent
  the message.
- PuTTY is a multi-platform application; tell us what version of what
  OS you are running PuTTY on. (If you're running on Unix, or
  Windows for Alpha, tell us, or we'll assume you're running on
  Windows for Intel as this is overwhelmingly the case.)
- Tell us what protocol you are connecting with: SSH, Telnet, Rlogin or
  Raw mode.
- Tell us what kind of server you are connecting to; what OS, and if
  possible what SSH server (if you're using SSH). You can get some of
  this information from the PuTTY Event Log (see section 3.1.3.1 in
  the manual).
- Send us the contents of the PuTTY Event Log, unless you have a
  specific reason not to (for example, if it contains confidential
  information that you think we should be able to solve your problem
  without needing to know).
- Try to give us as much information as you can to help us see the
  problem for ourselves. If possible, give us a step-by-step sequence
  of precise instructions for reproducing the fault.
- Don't just tell us that PuTTY ‘does the wrong thing’; tell us exactly
  and precisely what it did, and also tell us exactly and precisely what
  you think it should have done instead. Some people tell us PuTTY
  does the wrong thing, and it turns out that it was doing the right thing
  and their expectations were wrong. Help to avoid this problem by
  telling us exactly what you think it should have done, and exactly
  what it did do.
- If you think you can, you're welcome to try to fix the problem
  yourself. A patch to the code which fixes a bug is an excellent
  addition to a bug report. However, a patch is never a substitute for a
  good bug report; if your patch is wrong or inappropriate, and you
  haven't supplied us with full information about the actual bug, then
  we won't be able to find a better solution.
- https://www.chiark.greenend.org.uk/~sgtatham/bugs.html is an
  article on how to report bugs effectively in general. If your bug report
  is particularly unclear, we may ask you to go away, read this article,
  and then report the bug again.
It is reasonable to report bugs in PuTTY's documentation, if you think the
documentation is unclear or unhelpful. But we do need to be given exact
details of what you think the documentation has failed to tell you, or how
you think it could be made clearer. If your problem is simply that you don't
understand the documentation, we suggest posting to a newsgroup (see
section B.1.2) and seeing if someone will explain what you need to know.
Then, if you think the documentation could usefully have told you that,
send us a bug report and explain how you think we should change it.
B.3 Reporting security vulnerabilities
If you've found a security vulnerability in PuTTY, you might well want to
notify us using an encrypted communications channel, to avoid disclosing
information about the vulnerability before a fixed release is available.
For this purpose, we provide a GPG key suitable for encryption: the
Secure Contact Key. See section E.1 for details of this.
(Of course, vulnerabilities are also bugs, so please do include as much
information as possible about them, the same way you would with any
other bug report.)
B.4 Requesting extra features
If you want to request a new feature in PuTTY, the very first things you
should do are:
- Check the Wishlist page on the PuTTY website, and see if your
  feature is already on the list. If it is, it probably won't achieve very
  much to repeat the request. (But see section B.5 if you want to
  persuade us to give your particular feature higher priority.)
- Check the Wishlist and Change Log on the PuTTY website, and see
  if we have already added your feature in the development
  snapshots. If it isn't clear, download the latest development snapshot
  and see if the feature is present. If it is, then it will also be in the next
  release and there is no need to mail us at all.
If you can't find your feature in either the development snapshots or the
Wishlist, then you probably do need to submit a feature request. Since
the PuTTY authors are very busy, it helps if you try to do some of the
work for us:
- Do as much of the design as you can. Think about ‘corner cases’;
  think about how your feature interacts with other existing features.
  Think about the user interface; if you can't come up with a simple
  and intuitive interface to your feature, you shouldn't be surprised if
  we can't either. Always imagine whether it's possible for there to be
  more than one, or less than one, of something you'd assumed there
  would be one of. (For example, if you were to want PuTTY to put an
  icon in the System tray rather than the Taskbar, you should think
  about what happens if there's more than one PuTTY active; how
  would the user tell which was which?)
- If you can program, it may be worth offering to write the feature
  yourself and send us a patch. However, it is likely to be helpful if you
  confer with us first; there may be design issues you haven't thought
  of, or we may be about to make big changes to the code which your
  patch would clash with, or something. If you check with the
  maintainers first, there is a better chance of your code actually being
  usable. Also, read the design principles listed in appendix D: if you
  do not conform to them, we will probably not be able to accept your
  patch.
B.5 Requesting features that have already been requested
If a feature is already listed on the Wishlist, then it usually means we
would like to add it to PuTTY at some point. However, this may not be in
the near future. If there's a feature on the Wishlist which you would like to
see in the near future, there are several things you can do to try to
increase its priority level:
- Mail us and vote for it. (Be sure to mention that you've seen it on the
  Wishlist, or we might think you haven't even read the Wishlist). This
  probably won't have very much effect; if a huge number of people
  vote for something then it may make a difference, but one or two
  extra votes for a particular feature are unlikely to change our priority
  list immediately. Offering a new and compelling justification might
  help. Also, don't expect a reply.
- Offer us money if we do the work sooner rather than later. This
  sometimes works, but not always. The PuTTY team all have full-time
  jobs and we're doing all of this work in our free time; we may
  sometimes be willing to give up some more of our free time in
  exchange for some money, but if you try to bribe us for a big feature
  it's entirely possible that we simply won't have the time to spare -
  whether you pay us or not. (Also, we don't accept bribes to add bad
  features to the Wishlist, because our desire to provide high-quality
  software to the users comes first.)
- Offer to help us write the code. This is probably the only way to get a
  feature implemented quickly, if it's a big one that we don't have time
  to do ourselves.
B.6 Support requests
If you're trying to make PuTTY do something for you and it isn't working,
but you're not sure whether it's a bug or not, then please consider looking
for help somewhere else. This is one of the most common types of mail
the PuTTY team receives, and we simply don't have time to answer all
the questions. Questions of this type include:
- If you want to do something with PuTTY but have no idea where to
  start, and reading the manual hasn't helped, try posting to a
  newsgroup (see section B.1.2) and see if someone can explain it to
  you.
- If you have tried to do something with PuTTY but it hasn't worked,
  and you aren't sure whether it's a bug in PuTTY or a bug in your
  SSH server or simply that you're not doing it right, then try posting to
  a newsgroup (see section B.1.2) and see if someone can solve your
  problem. Or try doing the same thing with a different SSH client and
  see if it works with that. Please do not report it as a PuTTY bug
  unless you are really sure it is a bug in PuTTY.
- If someone else installed PuTTY for you, or you're using PuTTY on
  someone else's computer, try asking them for help first. They're
  more likely to understand how they installed it and what they
  expected you to use it for than we are.
- If you have successfully made a connection to your server and now
  need to know what to type at the server's command prompt, or other
  details of how to use the server-end software, talk to your server's
  system administrator. This is not the PuTTY team's problem. PuTTY
  is only a communications tool, like a telephone; if you can't speak
  the same language as the person at the other end of the phone, it
  isn't the telephone company's job to teach it to you.
If you absolutely cannot get a support question answered any other way,
you can try mailing it to us, but we can't guarantee to have time to
answer it.
B.7 Web server administration
If the PuTTY web site is down (Connection Timed Out), please don't
bother mailing us to tell us about it. Most of us read our e-mail on the
same machines that host the web site, so if those machines are down
then we will notice before we read our e-mail. So there's no point telling
us our servers are down.
Of course, if the web site has some other error (Connection Refused, 404
Not Found, 403 Forbidden, or something else) then we might not have
noticed and it might still be worth telling us about it.
If you want to report a problem with our web site, check that you're
looking at our real web site and not a mirror. The real web site is at
https://www.chiark.greenend.org.uk/~sgtatham/putty/; if that's not
where you're reading this, then don't report the problem to us until you've
checked that it's really a problem with the main site. If it's only a problem
with the mirror, you should try to contact the administrator of that mirror
site first, and only contact us if that doesn't solve the problem (in case we
need to remove the mirror from our list).
B.8 Asking permission for things
PuTTY is distributed under the MIT Licence (see appendix C for details).
This means you can do almost anything you like with our software, our
source code, and our documentation. The only things you aren't allowed
to do are to remove our copyright notices or the licence text itself, or to
hold us legally responsible if something goes wrong.
So if you want permission to include PuTTY on a magazine cover disk, or
as part of a collection of useful software on a CD or a web site, then
permission is already granted. You don't have to mail us and ask. Just go
ahead and do it. We don't mind.
(If you want to distribute PuTTY alongside your own application for use
with that application, or if you want to distribute PuTTY within your own
organisation, then we recommend, but do not insist, that you offer your
own first-line technical support, to answer questions about the interaction
of PuTTY with your environment. If your users mail us directly, we won't
be able to tell them anything useful about your specific setup.)
If you want to use parts of the PuTTY source code in another program,
then it might be worth mailing us to talk about technical details, but if all
you want is to ask permission then you don't need to bother. You already
have permission.
If you just want to link to our web site, just go ahead. (It's not clear that
we could stop you doing this, even if we wanted to!)
B.9 Mirroring the PuTTY web site
If you want to set up a mirror of the PuTTY website, go ahead and set
one up. Please don't bother asking us for permission before setting up a
mirror. You already have permission.
If the mirror is in a country where we don't already have plenty of mirrors,
we may be willing to add it to the list on our mirrors page. Read the
guidelines on that page, make sure your mirror works, and email us the
information listed at the bottom of the page.
Note that we do not promise to list your mirror: we get a lot of mirror
notifications and yours may not happen to find its way to the top of the
list.
Also note that we link to all our mirror sites using the rel="nofollow"
attribute. Running a PuTTY mirror is not intended to be a cheap way to
gain search rankings.
If you have technical questions about the process of mirroring, then you
might want to mail us before setting up the mirror (see also the guidelines
on the Mirrors page); but if you just want to ask for permission, you don't
need to. You already have permission.
B.10 Praise and compliments
One of the most rewarding things about maintaining free software is
getting e-mails that just say ‘thanks’. We are always happy to receive
e-mails of this type.
Regrettably we don't have time to answer them all in person. If you mail
us a compliment and don't receive a reply, please don't think we've
ignored you. We did receive it and we were happy about it; we just didn't
have time to tell you so personally.
To everyone who's ever sent us praise and compliments, in the past and
the future: you're welcome!
Appendix C: PuTTY Licence
PuTTY is copyright 1997-2017 Simon Tatham.
Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev,
Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin
Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn,
Colin Watson, Christopher Staite, and CORE SDI S.A.
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the ‘Software’),
to deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software
is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED ‘AS IS’, WITHOUT WARRANTY OF
ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
Appendix D: PuTTY hacking guide
This appendix lists a selection of the design principles applying to the
PuTTY source code. If you are planning to send code contributions, you
should read this first.
- D.1 Cross-OS portability
- D.2 Multiple backends treated equally
- D.3 Multiple sessions per process on some platforms
- D.4 C, not C++
- D.5 Security-conscious coding
- D.6 Independence of specific compiler
- D.7 Small code size
- D.8 Single-threaded code
- D.9 Keystrokes sent to the server wherever possible
- D.10 640×480 friendliness in configuration panels
- D.11 Automatically generated Makefiles
- D.12 Coroutines in ssh.c
- D.13 Single compilation of each source file
- D.14 Do as we say, not as we do
D.1 Cross-OS portability
Despite Windows being its main area of fame, PuTTY is no longer a
Windows-only application suite. It has a working Unix port; a Mac port is
in progress; more ports may or may not happen at a later date.
Therefore, embedding Windows-specific code in core modules such as
ssh.c is not acceptable. We went to great lengths to remove all the
Windows-specific stuff from our core modules, and to shift it out into
Windows-specific modules. Adding large amounts of Windows-specific
stuff in parts of the code that should be portable is almost guaranteed to
make us reject a contribution.
The PuTTY source base is divided into platform-specific modules and
platform-generic modules. The Unix-specific modules are all in the unix
subdirectory; the Mac-specific modules are in the mac subdirectory; the
Windows-specific modules are in the windows subdirectory.
All the modules in the main source directory - notably all of the code for
the various backends - are platform-generic. We want to keep them that
way.
This also means you should stick to what you are guaranteed by
ANSI/ISO C (that is, the original C89/C90 standard, not C99). Try not to
make assumptions about the precise size of basic types such as int and
long int; don't use pointer casts to do endianness-dependent
operations, and so on.
(There are one or two aspects of ANSI C portability which we don't care
about. In particular, we expect PuTTY to be compiled on 32-bit
architectures or bigger; so it's safe to assume that int is at least 32 bits
wide, not just the 16 you are guaranteed by ANSI C. Similarly, we
assume that the execution character encoding is a superset of the
printable characters of ASCII, though we don't assume the numeric
values of control characters, particularly '\n' and '\r'. Also, the X
forwarding code assumes that time_t has the Unix format and semantics,
i.e. an integer giving the number of seconds since 1970.)
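The advice about type sizes and pointer casts, as an added example that is not PuTTY code: a 32-bit big-endian field is decoded byte by byte and used to parse a length-prefixed string from untrusted input. The function names and the sample packet are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: one well-formed string ("hello") followed by a
 * field whose declared length is far larger than the data that remains. */
static const unsigned char SAMPLE[] = {
    0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0xFF, 0xFF, 0xFF, 0xF0, 'x'
};

/* Read a 32-bit big-endian value one byte at a time. The result is the same
 * on any host byte order, needs no alignment, and unsigned long is at least
 * 32 bits wide in C89, so nothing depends on the size of int. */
static unsigned long get_u32_be(const unsigned char *p)
{
    return ((unsigned long)p[0] << 24) | ((unsigned long)p[1] << 16) |
           ((unsigned long)p[2] << 8)  |  (unsigned long)p[3];
}

/* Write the low 32 bits of v in big-endian order. */
static void put_u32_be(unsigned char *p, unsigned long v)
{
    p[0] = (unsigned char)((v >> 24) & 0xFF);
    p[1] = (unsigned char)((v >> 16) & 0xFF);
    p[2] = (unsigned char)((v >> 8) & 0xFF);
    p[3] = (unsigned char)(v & 0xFF);
}

/* The non-portable form this replaces. Copying the bytes straight into an
 * integer (or dereferencing (unsigned int *)p, which can also fault on a
 * misaligned address) gives a value that depends on the host's byte order
 * and on how wide unsigned int happens to be. */
static unsigned int get_u32_host(const unsigned char *p)
{
    unsigned int v = 0;
    memcpy(&v, p, sizeof v < 4 ? sizeof v : 4);
    return v;
}

/* Parse one length-prefixed string (32-bit length, then that many bytes)
 * from untrusted input. Returns 1 and advances *off on success; returns 0
 * and leaves *off alone if the length field or the body would run past the
 * end of the buffer. */
static int get_string(const unsigned char *buf, size_t len, size_t *off,
                      const unsigned char **str, unsigned long *slen)
{
    unsigned long n;

    if (*off > len || len - *off < 4)
        return 0;
    n = get_u32_be(buf + *off);
    if (n > len - *off - 4)     /* compare against what is left, no overflow */
        return 0;
    *str = buf + *off + 4;
    *slen = n;
    *off += 4 + (size_t)n;
    return 1;
}

int main(void)
{
    size_t off = 0;
    const unsigned char *s;
    unsigned long n;

    printf("portable decode: %lu, host-order decode: %u\n",
           get_u32_be(SAMPLE), get_u32_host(SAMPLE));
    while (get_string(SAMPLE, sizeof SAMPLE, &off, &s, &n))
        printf("string of %lu bytes: %.*s\n", n, (int)n, (const char *)s);
    if (off < sizeof SAMPLE)
        printf("rejected malformed field at offset %lu\n", (unsigned long)off);
    return 0;
}
```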
D.2 Multiple backends treated equally
PuTTY is not an SSH client with some other stuff tacked on the side.
PuTTY is a generic, multiple-backend, remote VT-terminal client which
happens to support one backend which is larger, more popular and more
useful than the rest. Any extra feature which can possibly be general
across all backends should be so: localising features unnecessarily into
the SSH back end is a design error. (For example, we had several code
submissions for proxy support which worked by hacking ssh.c. Clearly
this is completely wrong: the network.h abstraction is the place to put it,
so that it will apply to all back ends equally, and indeed we eventually put
it there after another contributor sent a better patch.)
The rest of PuTTY should try to avoid knowing anything about specific
back ends if at all possible. To support a feature which is only available in
one network protocol, for example, the back end interface should be
extended in a general manner such that any back end which is able to
provide that feature can do so. If it so happens that only one back end
actually does, that's just the way it is, but it shouldn't be relied upon by
any code.
D.3 Multiple sessions per process on some platforms
Some ports of PuTTY - notably the in-progress Mac port - are
constrained by the operating system to run as a single process potentially
managing multiple sessions.
Therefore, the platform-independent parts of PuTTY never use global
variables to store per-session data. The global variables that do exist are
tolerated because they are not specific to a particular login session: flags
defines properties that are expected to apply equally to all the sessions
run by a single PuTTY process, the random number state in sshrand.c
and the timer list in timing.c serve all sessions equally, and so on. But
most data is specific to a particular network session, and is therefore
stored in dynamically allocated data structures, and pointers to these
structures are passed around between functions.
Platform-specific code can reverse this decision if it likes. The Windows
code, for historical reasons, stores most of its data as global variables.
That's OK, because on Windows we know there is only one session per
PuTTY process, so it's safe to do that. But changes to the
platform-independent code should avoid introducing global variables, unless they
are genuinely cross-session.

D.4 C, not C++

PuTTY is written entirely in C, not in C++.

We have made some effort to make it easy to compile our code using a C++ compiler: notably, our snew, snewn and sresize macros explicitly cast the return values of malloc and realloc to the target type. (This has type checking advantages even in C: it means you never accidentally allocate the wrong size piece of memory for the pointer type you're assigning it to. C++ friendliness is really a side benefit.)

We want PuTTY to continue being pure C, at least in the platform-independent parts and the currently existing ports. Patches which switch the Makefiles to compile it as C++ and start using classes will not be accepted. Also, in particular, we disapprove of // comments, at least for the moment. (Perhaps once C99 becomes genuinely widespread we might be more lenient.)

The one exception: a port to a new platform may use languages other than C if they are necessary to code on that platform. If your favourite PDA has a GUI with a C++ API, then there's no way you can do a port of PuTTY without using C++, so go ahead and use it. But keep the C++ restricted to that platform's subdirectory; if your changes force the Unix or Windows ports to be compiled as C++, they will be unacceptable to us.

D.5 Security-conscious coding

PuTTY is a network application and a security application. Assume your code will end up being fed deliberately malicious data by attackers, and try to code in a way that makes it unlikely to be a security risk.

In particular, try not to use fixed-size buffers for variable-size data such as strings received from the network (or even the user). We provide functions such as dupcat and dupprintf, which dynamically allocate buffers of the right size for the string they construct. Use these wherever possible.
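
What the fixed-size habit costs, as an added example rather than PuTTY's own code: alloc_printf is a hypothetical stand-in for a dupprintf-style helper, assumes C99 vsnprintf, and is compared against a 64-byte buffer on a constructed 300-character input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The habit to avoid: a fixed-size buffer for variable-size data. snprintf
 * keeps this one memory-safe, but the text is silently cut short, which can
 * change the meaning of a host name or command built from hostile input. */
static size_t format_fixed(char *out, size_t outsize, const char *host)
{
    snprintf(out, outsize, "connect to %s", host);
    return strlen(out);
}

/* Hypothetical dupprintf-style helper (not PuTTY's implementation): measure
 * first, then allocate exactly what is needed. Assumes C99 vsnprintf.
 * The caller frees the result; NULL means formatting or allocation failed. */
static char *alloc_printf(const char *fmt, ...)
{
    va_list ap;
    int need;
    char *buf;

    va_start(ap, fmt);
    need = vsnprintf(NULL, 0, fmt, ap);   /* length needed, without the NUL */
    va_end(ap);
    if (need < 0)
        return NULL;
    buf = malloc((size_t)need + 1);
    if (!buf)
        return NULL;
    va_start(ap, fmt);
    vsnprintf(buf, (size_t)need + 1, fmt, ap);
    va_end(ap);
    return buf;
}

/* Constructed sample: a 300-character name such as a hostile peer might
 * supply. Returns the length of the dynamically built string and stores
 * the length that survived in the 64-byte fixed buffer. */
static size_t demo_lengths(size_t *fixed_len)
{
    char host[301], fixed[64], *dyn;
    size_t dyn_len;

    memset(host, 'a', 300);
    host[300] = '\0';
    *fixed_len = format_fixed(fixed, sizeof fixed, host);
    dyn = alloc_printf("connect to %s", host);
    dyn_len = dyn ? strlen(dyn) : 0;
    free(dyn);
    return dyn_len;
}

int main(void)
{
    size_t fixed_len, dyn_len = demo_lengths(&fixed_len);
    printf("fixed buffer kept %lu of %lu characters\n",
           (unsigned long)fixed_len, (unsigned long)dyn_len);
    return 0;
}
```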

D.6 Independence of specific compiler

Windows PuTTY can currently be compiled with any of four Windows compilers: MS Visual C, Borland's freely downloadable C compiler, the Cygwin/mingw32 GNU tools, and lcc-win32.

This is a really useful property of PuTTY, because it means people who want to contribute to the coding don't depend on having a specific compiler; so they don't have to fork out money for MSVC if they don't already have it, but on the other hand if they do have it they also don't have to spend effort installing gcc alongside it. They can use whichever compiler they happen to have available, or install whichever is cheapest and easiest if they don't have one.

Therefore, we don't want PuTTY to start depending on which compiler you're using. Using GNU extensions to the C language, for example, would ruin this useful property (not that anyone's ever tried it!); and more realistically, depending on an MS-specific library function supplied by the MSVC C library (_snprintf, for example) is a mistake, because that function won't be available under the other compilers. Any function supplied in an official Windows DLL as part of the Windows API is fine, and anything defined in the C library standard is also fine, because those should be available irrespective of compilation environment. But things in between, available as non-standard library and language extensions in only one compiler, are disallowed.

(_snprintf in particular should be unnecessary, since we provide dupprintf; see section D.5.)

Compiler independence should apply on all platforms, of course, not just on Windows.

D.7 Small code size

PuTTY is tiny, compared to many other Windows applications. And it's easy to install: it depends on no DLLs, no other applications, no service packs or system upgrades. It's just one executable. You install that executable wherever you want to, and run it.

We want to keep both these properties - the small size, and the ease of installation - if at all possible. So code contributions that depend critically on external DLLs, or that add a huge amount to the code size for a feature which is only useful to a small minority of users, are likely to be thrown out immediately.

We do vaguely intend to introduce a DLL plugin interface for PuTTY, whereby seriously large extra features can be implemented in plugin modules. The important thing, though, is that those DLLs will be optional; if PuTTY can't find them on startup, it should run perfectly happily and just won't provide those particular features. A full installation of PuTTY might one day contain ten or twenty little DLL plugins, which would cut down a little on the ease of installation - but if you really needed ease of installation you could still just install the one PuTTY binary, or just the DLLs you really needed, and it would still work fine.

Depending on external DLLs is something we'd like to avoid if at all possible (though for some purposes, such as complex SSH authentication mechanisms, it may be unavoidable). If it can't be avoided, the important thing is to follow the same principle of graceful degradation: if a DLL can't be found, then PuTTY should run happily and just not supply the feature that depended on it.

D.8 Single-threaded code

PuTTY and its supporting tools, or at least the vast majority of them, run in only one OS thread.

This means that if you're devising some piece of internal mechanism, there's no need to use locks to make sure it doesn't get called by two threads at once. The only way code can be called re-entrantly is by recursion.

That said, most of Windows PuTTY's network handling is triggered off Windows messages requested by WSAAsyncSelect(), so if you call MessageBox() deep within some network event handling code you should be aware that you might be re-entered if a network event comes in and is passed on to our window procedure by the MessageBox() message loop.

Also, the front ends (in particular Windows Plink) can use multiple threads if they like. However, Windows Plink keeps very tight control of its auxiliary threads, and uses them pretty much exclusively as a form of select(). Pretty much all the code outside windows/winplink.c is only ever called from the one primary thread; the others just loop round blocking on file handles and send messages to the main thread when some real work needs doing. This is not considered a portability hazard because that bit of windows/winplink.c will need rewriting on other platforms in any case.

One important consequence of this: PuTTY has only one thread in which to do everything. That ‘everything’ may include managing more than one login session (section D.3), managing multiple data channels within an SSH session, responding to GUI events even when nothing is happening on the network, and responding to network requests from the server (such as repeat key exchange) even when the program is dealing with complex user interaction such as the re-configuration dialog box. This means that almost none of the PuTTY code can safely block.

D.9 Keystrokes sent to the server wherever possible

In almost all cases, PuTTY sends keystrokes to the server. Even weird keystrokes that you think should be hot keys controlling PuTTY. Even Alt-F4 or Alt-Space, for example. If a keystroke has a well-defined escape sequence that it could usefully be sending to the server, then it should do so, or at the very least it should be configurably able to do so.

To unconditionally turn a key combination into a hot key to control PuTTY is almost always a design error. If a hot key is really truly required, then try to find a key combination for it which isn't already used in existing PuTTYs (either it sends nothing to the server, or it sends the same thing as some other combination). Even then, be prepared for the possibility that one day that key combination might end up being needed to send something to the server - so make sure that there's an alternative way to invoke whatever PuTTY feature it controls.

D.10 640×480 friendliness in configuration panels

There's a reason we have lots of tiny configuration panels instead of a few huge ones, and that reason is that not everyone has a 1600×1200 desktop. 640×480 is still a viable resolution for running Windows (and indeed it's still the default if you start up in safe mode), so it's still a resolution we care about.

Accordingly, the PuTTY configuration box, and the PuTTYgen control window, are deliberately kept just small enough to fit comfortably on a 640×480 display. If you're adding controls to either of these boxes and you find yourself wanting to increase the size of the whole box, don't. Split it into more panels instead.

D.11 Automatically generated Makefiles

PuTTY is intended to compile on multiple platforms, and with multiple compilers. It would be horrifying to try to maintain a single Makefile which handled all possible situations, and just as painful to try to directly maintain a set of matching Makefiles for each different compilation environment.

Therefore, we have moved the problem up by one level. In the PuTTY source archive is a file called Recipe, which lists which source files combine to produce which binaries; and there is also a script called mkfiles.pl, which reads Recipe and writes out the real Makefiles. (The script also reads all the source files and analyses their dependencies on header files, so we get an extra benefit from doing it this way, which is that we can supply correct dependency information even in environments where it's difficult to set up an automated make depend phase.)

You should never edit any of the PuTTY Makefiles directly. They are not stored in our source repository at all. They are automatically generated by mkfiles.pl from the file Recipe.

If you need to add a new object file to a particular binary, the right thing to do is to edit Recipe and re-run mkfiles.pl. This will cause the new object file to be added in every tool that requires it, on every platform where it matters, in every Makefile to which it is relevant, and to get all the dependency data right.

If you send us a patch that modifies one of the Makefiles, you just waste our time, because we will have to convert it into a change to Recipe. If you send us a patch that modifies all of the Makefiles, you will have wasted a lot of your time as well!

(There is a comment at the top of every Makefile in the PuTTY source archive saying this, but many people don't seem to read it, so it's worth repeating here.)

D.12 Coroutines in ssh.c

Large parts of the code in ssh.c are structured using a set of macros that implement (something close to) Donald Knuth's ‘coroutines’ concept in C.

Essentially, the purpose of these macros is to arrange that a function can call crReturn() to return to its caller, and the next time it is called control will resume from just after that crReturn statement.

This means that any local (automatic) variables declared in such a function will be corrupted every time you call crReturn. If you need a variable to persist for longer than that, you must make it a field in one of the persistent state structures: either the local state structures s or st in each function, or the backend-wide structure ssh.

See https://www.chiark.greenend.org.uk/~sgtatham/coroutines.html for a more in-depth discussion of what these macros are for and how they work.
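
The resume-after-return mechanism and the rule about persistent state, as an added example that is not the code from ssh.c: the CO_* macros, struct frame_state and the two-byte-length frame format are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the macros described above. The CO_* names are
 * hypothetical; this is not the code from ssh.c. */
#define CO_BEGIN(st)  switch ((st)->line) { case 0:
#define CO_RETURN(st, v) \
    do { (st)->line = __LINE__; return (v); case __LINE__:; } while (0)
#define CO_END(st)    } (st)->line = 0

/* Everything that must survive a CO_RETURN lives here, not in locals. */
struct frame_state {
    int line;           /* where to resume on the next call */
    unsigned len;       /* declared payload length, 16-bit big-endian */
    unsigned got;       /* payload bytes consumed so far */
    unsigned long sum;  /* running sum of the payload bytes */
};

/* Feed one received byte per call. Returns 0 while the frame is incomplete
 * and 1 on the call that completes it. A local loop counter would be
 * indeterminate after each resume, so the counter is a field of *st. */
static int frame_feed(struct frame_state *st, unsigned char c)
{
    CO_BEGIN(st);
    st->len = (unsigned)c << 8;
    CO_RETURN(st, 0);                 /* wait for the low length byte */
    st->len |= c;
    st->sum = 0;
    for (st->got = 0; st->got < st->len; st->got++) {
        CO_RETURN(st, 0);             /* wait for the next payload byte */
        st->sum += c;
    }
    CO_END(st);
    return 1;
}

/* Constructed sample stream: an empty frame, a 3-byte frame, then a frame
 * cut off after one of its two payload bytes. */
static const unsigned char SAMPLE[] = {
    0x00, 0x00,  0x00, 0x03, 0x01, 0x02, 0x03,  0x00, 0x02, 0xff };

/* Deliver bytes one at a time, as a network layer might. Returns the number
 * of complete frames; *sum is the payload sum of the latest complete one. */
static int count_frames(const unsigned char *p, size_t n, unsigned long *sum)
{
    struct frame_state st = {0, 0, 0, 0};
    size_t i;
    int frames = 0;
    for (i = 0; i < n; i++)
        if (frame_feed(&st, p[i])) {
            frames++;
            *sum = st.sum;
        }
    return frames;
}

int main(void)
{
    unsigned long sum = 0;
    int n = count_frames(SAMPLE, sizeof SAMPLE, &sum);
    printf("%d complete frames, last payload sum %lu\n", n, sum);
    return 0;
}
```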

D.13 Single compilation of each source file

The PuTTY build system for any given platform works on the following very simple model:

- Each source file is compiled precisely once, to produce a single object file.
- Each binary is created by linking together some combination of those object files.

Therefore, if you need to introduce functionality to a particular module which is only available in some of the tool binaries (for example, a cryptographic proxy authentication mechanism which needs to be left out of PuTTYtel to maintain its usability in crypto-hostile jurisdictions), the wrong way to do it is by adding #ifdefs in (say) proxy.c. This would require separate compilation of proxy.c for PuTTY and PuTTYtel, which means that the entire Makefile-generation architecture (see section D.11) would have to be significantly redesigned. Unless you are prepared to do that redesign yourself, and guarantee that it will still port to any future platforms we might decide to run on, you should not attempt this!

The right way to introduce a feature like this is to put the new code in a separate source file, and (if necessary) introduce a second new source file defining the same set of functions, but defining them as stubs which don't provide the feature. Then the module whose behaviour needs to vary (proxy.c in this example) can call the functions defined in these two modules, and it will either provide the new feature or not provide it according to which of your new modules it is linked with.

Of course, object files are never shared between platforms; so it is allowable to use #ifdef to select between platforms. This happens in puttyps.h (choosing which of the platform-specific include files to use), and also in misc.c (the Windows-specific ‘Minefield’ memory diagnostic system). It should be used sparingly, though, if at all.

D.14 Do as we say, not as we do

The current PuTTY code probably does not conform strictly to all of the principles listed above. There may be the occasional SSH-specific piece of code in what should be a backend-independent module, or the occasional dependence on a non-standard X library function under Unix.

This should not be taken as a licence to go ahead and violate the rules. Where we violate them ourselves, we're not happy about it, and we would welcome patches that fix any existing problems. Please try to help us make our code better, not worse!

Appendix E: PuTTY download keys and signatures

We create GPG signatures for all the PuTTY files distributed from our web site, so that users can be confident that the files have not been tampered with. Here we identify our public keys, and explain our signature policy so you can have an accurate idea of what each signature guarantees. This description is provided as both a web page on the PuTTY site, and an appendix in the PuTTY manual.

As of release 0.58, all of the PuTTY executables contain fingerprint material (usually accessed via the -pgpfp command-line option), such that if you have an executable you trust, you can use it to establish a trust path, for instance to a newer version downloaded from the Internet.

(Note that none of the keys, signatures, etc mentioned here have anything to do with keys used with SSH - they are purely for verifying the origin of files distributed by the PuTTY team.)

- E.1 Public keys
- E.2 Security details
- E.2.1 The Development Snapshots key
- E.2.2 The Releases key
- E.2.3 The Secure Contact Key
- E.2.4 The Master Keys
- E.3 Key rollover

E.1 Public keys

We maintain multiple keys, stored with different levels of security due to being used in different ways. See section E.2 below for details.

The keys we provide are:

- Snapshot Key: Used to sign routine development builds of PuTTY: nightly snapshots, pre-releases, and sometimes also custom diagnostic builds we send to particular users.
- Release Key: Used to sign manually released versions of PuTTY.
- Secure Contact Key: An encryption-capable key suitable for people to send confidential messages to the PuTTY team, e.g. reports of vulnerabilities.
- Master Key: Used to tie all the above keys into the GPG web of trust. The Master Key signs all the other keys, and other GPG users have signed it in turn.

The current issues of those keys are available for download from the PuTTY website, and are also available on PGP keyservers using the key IDs listed below.

- Master Key: RSA, 4096-bit. Key ID: 4096R/04676F7C (long version: 4096R/AB585DC604676F7C). Fingerprint: 440DE3B5B7A1CA85B3CC1718AB585DC604676F7C
- Release Key: RSA, 2048-bit. Key ID: 2048R/B43434E4 (long version: 2048R/9DFE2648B43434E4). Fingerprint: 0054DDAA8ADA15D2768A6DE79DFE2648B43434E4
- Secure Contact Key: RSA, 2048-bit. Main key ID: 2048R/8A0AF00B (long version: 2048R/C4FCAAD08A0AF00B). Encryption subkey ID: 2048R/50C2CF5C (long version: 2048R/9EB39CC150C2CF5C). Fingerprint: 8A26250E763FE35975F3118FC4FCAAD08A0AF00B
- Snapshot Key: RSA, 2048-bit. Key ID: 2048R/D15F7E8A (long version: 2048R/EEF20295D15F7E8A). Fingerprint: 0A3B0048FE499B67A234FEB6EEF20295D15F7E8A

E.2.1 The Development Snapshots key

The Development Snapshots private key is stored without a passphrase. This is necessary, because the snapshots are generated every night without human intervention, so nobody would be able to type a passphrase.

The snapshots are built and signed on a team member's home computers, before being uploaded to the web server from which you download them.

Therefore, a signature from the Development Snapshots key DOES protect you against:

- People tampering with the PuTTY binaries between the PuTTY web site and you.
- The maintainers of our web server attempting to abuse their root privilege to tamper with the binaries.

But it DOES NOT protect you against:

- People tampering with the binaries before they are uploaded to our download servers.
- People tampering with the build machines so that the next set of binaries they build will be malicious in some way.
- People stealing the unencrypted private key from the build machine it lives on.

Of course, we take all reasonable precautions to guard the build machines. But when you see a signature, you should always be certain of precisely what it guarantees and precisely what it does not.

E.2.2 The Releases key

The Releases key is more secure: because it is only used at release time, to sign each release by hand, we can store it encrypted.

The Releases private key is kept encrypted on the developers' own local machines. So an attacker wanting to steal it would have to also steal the passphrase.

E.2.3 The Secure Contact Key

The Secure Contact Key is stored with a similar level of security to the Release Key: it is stored with a passphrase, and no automated script has access to it.

E.2.4 The Master Keys

The Master Key signs almost nothing. Its purpose is to bind the other keys together and certify that they are all owned by the same people and part of the same integrated setup. The only signatures produced by the Master Key, ever, should be the signatures on the other keys.

The Master Key is especially long, and its private key and passphrase are stored with special care.

We have collected some third-party signatures on the Master Key, in order to increase the chances that you can find a suitable trust path to them.

We have uploaded our various keys to public keyservers, so that even if you don't know any of the people who have signed our keys, you can still be reasonably confident that an attacker would find it hard to substitute fake keys on all the public keyservers at once.

E.3 Key rollover

Our current keys were generated in September 2015, except for the Secure Contact Key which was generated in February 2016 (we didn't think of it until later).

Prior to that, we had a much older set of keys generated in 2000. For each of the key types above (other than the Secure Contact Key), we provided both an RSA key and a DSA key (because at the time we generated them, RSA was not in practice available to everyone, due to export restrictions).

The new Master Key is signed with both of the old ones, to show that it really is owned by the same people and not substituted by an attacker. Also, we have retrospectively signed the old Release Keys with the new Master Key, in case you're trying to verify the signatures on a release prior to the rollover and can find a chain of trust to those keys from any of the people who have signed our new Master Key.

Future releases will be signed with the up-to-date keys shown above. Releases prior to the rollover are signed with the old Release Keys. For completeness, those old keys are given here:

- Master Key (original RSA): RSA, 1024-bit. Key ID: 1024R/1E34AC41 (long version: 1024R/9D5877BF1E34AC41). Fingerprint: 8F1597DA2530AB0D88D1925411CF0C4C
- Master Key (original DSA): DSA, 1024-bit. Key ID: 1024D/6A93B34E (long version: 1024D/4F5E6DF56A93B34E). Fingerprint: 313C3E764B74C2C5F2AE83A84F5E6DF56A93B34E
- Release Key (original RSA): RSA, 1024-bit. Key ID: 1024R/B41CAE29 (long version: 1024R/EF39CCC0B41CAE29). Fingerprint: AE65D3F785D318E03B0C9B02FF3A81FE
- Release Key (original DSA): DSA, 1024-bit. Key ID: 1024D/08B0A90B (long version: 1024D/FECD6F3F08B0A90B). Fingerprint: 00B1100938E698006518F0ABFECD6F3F08B0A90B
- Snapshot Key (original RSA): RSA, 1024-bit. Key ID: 1024R/32B903A9 (long version: 1024R/FAAED21532B903A9). Fingerprint: 868B1F799CF47FBD8B1BD78EC64E4C03
- Snapshot Key (original DSA): DSA, 1024-bit. Key ID: 1024D/7D3E4A00 (long version: 1024D/165E56F77D3E4A00). Fingerprint: 63DD8EF832F5D7779FF02947165E56F77D3E4A00

Appendix F: SSH-2 names specified for PuTTY

There are various parts of the SSH-2 protocol where things are specified using a textual name. Names ending in @putty.projects.tartarus.org are reserved for allocation by the PuTTY team. Allocated names are documented here.

- F.1 Connection protocol channel request names
- F.2 Key exchange method names
- F.3 Encryption algorithm names

F.1 Connection protocol channel request names

These names can be sent in a SSH_MSG_CHANNEL_REQUEST message.

- simple@putty.projects.tartarus.org: This is sent by a client to announce that it will not have more than one channel open at a time in the current connection (that one being the one the request is sent on). The intention is that the server, knowing this, can set the window on that one channel to something very large, and leave flow control to TCP. There is no message-specific data.
- winadj@putty.projects.tartarus.org: PuTTY sends this request along with some SSH_MSG_CHANNEL_WINDOW_ADJUST messages as part of its window-size tuning. It can be sent on any type of channel. There is no message-specific data. Servers MUST treat it as an unrecognised request and respond with SSH_MSG_CHANNEL_FAILURE. (Some SSH servers get confused by this message, so there is a bug-compatibility mode for disabling it. See section 4.27.5.)
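
How a server can meet the winadj requirement while parsing the request defensively, as an added example that is not PuTTY's code: the packet layout and message numbers are from RFC 4254, and the function name, the known_requests table and the sample packets are assumptions constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Message numbers from RFC 4254. */
#define SSH_MSG_CHANNEL_REQUEST 98
#define SSH_MSG_CHANNEL_SUCCESS 99
#define SSH_MSG_CHANNEL_FAILURE 100

/* Request types this hypothetical server implements. The winadj name is
 * deliberately absent, so it always takes the "unrecognised" path. */
static const char *const known_requests[] = { "pty-req", "shell" };

/* Decide the reply to one SSH_MSG_CHANNEL_REQUEST payload, laid out as:
 * byte type, uint32 recipient channel, string name, boolean want_reply,
 * then request-specific data. Returns the message number to send, 0 if the
 * sender asked for no reply, or -1 if the packet is malformed. A real
 * server would act on a recognised request before answering SUCCESS. */
static int channel_request_reply(const unsigned char *p, size_t len)
{
    size_t namelen, i;
    int known = 0;

    if (len < 10 || p[0] != SSH_MSG_CHANNEL_REQUEST)
        return -1;                  /* too short for type+channel+len+bool */
    namelen = ((size_t)p[5] << 24) | ((size_t)p[6] << 16) |
              ((size_t)p[7] << 8) | (size_t)p[8];
    /* Compare the untrusted length with the bytes that remain rather than
     * adding to it, so a huge value cannot wrap around. */
    if (namelen > len - 10)
        return -1;

    for (i = 0; i < sizeof known_requests / sizeof known_requests[0]; i++)
        if (strlen(known_requests[i]) == namelen &&
            memcmp(p + 9, known_requests[i], namelen) == 0)
            known = 1;

    if (p[9 + namelen] == 0)
        return 0;                   /* want_reply is false */
    return known ? SSH_MSG_CHANNEL_SUCCESS : SSH_MSG_CHANNEL_FAILURE;
}

/* Constructed samples, all on channel 0 with want_reply set. */
static const unsigned char WINADJ_REQ[] =
    "\x62\x00\x00\x00\x00\x00\x00\x00\x22"
    "winadj@putty.projects.tartarus.org" "\x01";
static const unsigned char SHELL_REQ[] =
    "\x62\x00\x00\x00\x00\x00\x00\x00\x05" "shell" "\x01";
static const unsigned char HUGE_LEN_REQ[] =   /* name length 0xffffffff */
    "\x62\x00\x00\x00\x00\xff\xff\xff\xff" "winadj" "\x01";

int main(void)
{
    printf("winadj -> %d\n",
           channel_request_reply(WINADJ_REQ, sizeof WINADJ_REQ - 1));
    printf("shell -> %d\n",
           channel_request_reply(SHELL_REQ, sizeof SHELL_REQ - 1));
    printf("oversized name -> %d\n",
           channel_request_reply(HUGE_LEN_REQ, sizeof HUGE_LEN_REQ - 1));
    return 0;
}
```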

F.2 Key exchange method names

- rsa-sha1-draft-00@putty.projects.tartarus.org
- rsa-sha256-draft-00@putty.projects.tartarus.org
- rsa1024-sha1-draft-01@putty.projects.tartarus.org
- rsa1024-sha256-draft-01@putty.projects.tartarus.org
- rsa2048-sha256-draft-01@putty.projects.tartarus.org
- rsa1024-sha1-draft-02@putty.projects.tartarus.org
- rsa2048-sha512-draft-02@putty.projects.tartarus.org
- rsa1024-sha1-draft-03@putty.projects.tartarus.org
- rsa2048-sha256-draft-03@putty.projects.tartarus.org
- rsa1024-sha1-draft-04@putty.projects.tartarus.org
- rsa2048-sha256-draft-04@putty.projects.tartarus.org

These appeared in various drafts of what eventually became RFC 4432. They have been superseded by rsa1024-sha1 and rsa2048-sha256.

F.3 Encryption algorithm names

- arcfour128-draft-00@putty.projects.tartarus.org
- arcfour256-draft-00@putty.projects.tartarus.org

These were used in drafts of what eventually became RFC 4345. They have been superseded by arcfour128 and arcfour256.