PuTTY is a free implementation of SSH and Telnet for Windows and Unix platforms, along with an xterm terminal emulator. A new release of PuTTY was recently announced — it can be downloaded from the PuTTY latest release page.
From the changelog page:
These features are new in 0.68 (released 2017-02-21):
- Security fix: an integer overflow bug in the agent forwarding code. See vuln-agent-fwd-overflow.
- Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory (on versions of Windows where they previously were). See vuln-indirect-dll-hijack.
- Windows PuTTY no longer sets a restrictive process ACL by default, because this turned out to inconvenience too many legitimate applications such as NVDA and TortoiseGit. You can still manually request a restricted ACL using the command-line option -restrict-acl.
- The Windows PuTTY tools now come in a 64-bit version.
- The Windows PuTTY tools now have Windows's ASLR and DEP security features turned on.
- Support for elliptic-curve cryptography (the NIST curves and 25519), for host keys, user authentication keys, and key exchange.
- Support for importing and exporting OpenSSH's new private key format.
- Host key preference policy change: PuTTY prefers host key formats for which it already knows the key.
- Run-time option (from the system menu / Ctrl-right-click menu) to retrieve other host keys from the same server (which cross-certifies them using the session key established using an already-known key) and add them to the known host-keys database.
- The Unix GUI PuTTY tools can now be built against GTK 3.
- There is now a Unix version of Pageant.
When I first started on as staff on SoylentNews, I was running Windows XP and discovered I needed a secure client to gain terminal access to our SoylentNews servers. One of the sysops here suggested PuTTY and guided me in its installation and setup. The UI for this program is, to be kind, different from any other program I have used, yet it seems to be self-consistent in its idiosyncrasies.
Since then, I've moved on to running Windows 7 Pro x64 and have carried over my PuTTY install. I'll likely install the upgrade in a few days (letting others catch any as-yet unfound bugs) but I am curious what else is out there.
What programs do my fellow Soylentils use for secure terminal access to remote servers from Windows?
[Ed Note - Link from 0.68 fixed. Thanks wonkey_monkey. - Fnord666]
(Score: 1) by weregeek on Wednesday February 22 2017, @05:58PM
Call me when PuTTY is distributed in a secure manner. This has been an issue for a long time, and largely undermines all of the hard work put into security fixes. PuTTY may well be the most feature complete and secure SSH client available for Windows, but nobody who downloads a binary has any assurance that they received the binary blob that the developer intended. At least the signature files are finally provided via HTTPS, I guess.
(Score: 3, Informative) by digitalaudiorock on Wednesday February 22 2017, @06:23PM
...and when it uses the same ssh keys as the rest of the world. I've read their explanations as to why it has its own key format and really don't get it. I find those putty format keys to be a blight on mankind frankly.
I don't use Windows much at all, and don't tend to have any need these days to shell from Windows. When I did however I used cygwin, sometimes even via cygwin X where I could use X11 forwarding with urxvt. Granted that's a bit of a pain to get going for many.
(Score: 3, Interesting) by frojack on Wednesday February 22 2017, @07:03PM
This!
Those damn ppk keys. And that collection of crapware you have to install to get an X11 session if you ever need that.
It's easier and faster to boot a slim linux virtual machine than to deal with the constant fight keeping cygwin 1) operational, and 2) up to date or 3) dealing with puddy.
Many years ago my work required access to remote 'nix servers and I was stuck on windows. The company bought me StarNet's Xwin32 [starnet.com] which solves both the ssh and X11 problem and I've been using it ever since on my sole remaining windows machine. (Not recommending it because it's over-priced. - but if someone else is paying...)
No, you are mistaken. I've always had this sig.
(Score: 3, Insightful) by mmh on Wednesday February 22 2017, @09:57PM
Cygwin is about the worst solution for X11 forwarding. You don't need a lot of extra crap for X11 forwarding from Linux to windows. Get putty, get xming https://sourceforge.net/projects/xming/ [sourceforge.net] an X11 server for windows. Run xming, run putty (ensure x11 forwarding is on). Run gui stuff.
(Score: 4, Interesting) by bryan on Wednesday February 22 2017, @06:36PM
First part of that quote doesn't seem to agree with the second. Sending signatures over an insecure medium (like email) was one of the original uses of the PGP system, was it not?
The official page may not use HTTPS, but all the download links and GPG signatures do. If you really prefer HTTPS for everything, you could also try one of the unofficial mirrors [greenend.org.uk], I'm sure some of them have HTTPS set up correctly (although you would then have to trust them as well.)
(Score: 2, Interesting) by Anonymous Coward on Wednesday February 22 2017, @06:58PM
Well, it's kind of pointless to have HTTPS downloads if the site serving the links is on insecure HTTP, because the man-in-the-middle attacker can simply attack that site and replace all the links with different ones.
That being said, HTTPS download mirrors provide very little assurance that you are getting an uncompromised file. It will help against man-in-the-middle attackers, and may improve privacy somewhat. But it does not help against compromised web servers, which happens all the time. Developers pretty much never check their old package tarballs for tampering, even if they might notice tampering on the development repository.
So that's why you always need GPG signatures for release archives. Fortunately, putty supplies those, so it is possible to securely verify your downloads.
(Score: 2, Informative) by Anonymous Coward on Wednesday February 22 2017, @08:38PM
If you automatically trust every link on a site just because that site is served over HTTPS then you deserve whatever happens to you. Otherwise, you always look where a file is coming from before you download it. That's the only thing that matters here.
(Score: 0) by Anonymous Coward on Wednesday February 22 2017, @06:53PM
My theory, 'protecting' the download of this tool with HTTPS might be more of a legal hassle than they're willing to deal with. They have a legal disclaimer front and center. You the user of the software do so entirely at your own risk. By NOT using HTTPS it allows other actors that wish to know who has downloaded this tool to track that themselves rather than knock on the team's legal doors asking for logs. Anyone who wants to use it had better know what they're getting into and obtain it somewhere else or from the sneakernet.
(Score: 2) by ledow on Wednesday February 22 2017, @10:57PM
Ask Simon Tatham.
He works for ARM, he's a nice guy, he helped me out (actually discovered that I was using a glibc with an ARM-only bug) when I was porting his puzzle collection to a weird Korean handheld console.
His repository is also available if you want to compile yourself.
The key format? Not sure.
(Score: 0) by Anonymous Coward on Thursday February 23 2017, @02:39PM
Oh, please. HTTPS using the Certificate Authority system in-place is utterly broken when all the gov spies have signed MITM keys from gag-attached National Security Letters (along with other-region equivalents).
Grab the signatures, scan the files for malware, verify the signatures with trusted keys. That's all you can do until the broken system is completely overhauled or replaced. The transport mechanism doesn't matter. (I'll bet you panic about keeping your credit score "safe", too.)
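The check that several comments above arrive at (the "always need GPG signatures" reply and the "verify the signatures with trusted keys" reply), as an added example that is not part of the original thread or of PuTTY's own tooling: accept a download only when its detached signature is valid and was made by one pinned key, whatever transport delivered the files. The function names and the `PINNED_FPR` placeholder are assumptions; the fingerprint has to come from a source you trust independently of the download page.

```shell
#!/bin/sh
# Added example: accept a download only if its detached GPG signature is valid
# AND was made by one pinned key. Function names here are hypothetical.

# Placeholder: full fingerprint of the release key, obtained and checked out of
# band (not taken from the page that served the download).
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# status_ok FPR: read `gpg --status-fd` lines on stdin. Succeed only if a
# VALIDSIG line names FPR as the signing key or its primary key, and no
# failure status (bad, unverifiable, expired or revoked) was reported.
status_ok() {
    awk -v want="$1" '
        BEGIN { W = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == W || toupper($NF) == W) { good = 1 }
        END { exit !(good && !bad) }
    '
}

# verify_release FILE SIG: run gpg against the local keyring and let
# status_ok decide. VALIDSIG alone only means "cryptographically valid for
# some key in the keyring"; the pin is what makes it a trust decision.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_ok "$PINNED_FPR"
}

# Usage: PINNED_FPR=<fingerprint> sh verify.sh <file> <detached-signature>
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: signed by pinned key"
    else
        echo "REJECT: no valid signature from pinned key" >&2
        exit 1
    fi
fi
```

A valid signature from any other key in the keyring is rejected, which is the case HTTPS on the download link cannot cover when the server itself has been tampered with.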