"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/puttydoc.txt" between
putty-0.75.tar.gz and putty-0.76.tar.gz

About: PuTTY is a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator.

puttydoc.txt  (putty-0.75):puttydoc.txt  (putty-0.76)
skipping to change at line 1106 skipping to change at line 1106
3.11.3.9 `-agent' and `-noagent': control use of Pageant for authentication 3.11.3.9 `-agent' and `-noagent': control use of Pageant for authentication
The `-agent' option turns on SSH authentication using Pageant, and The `-agent' option turns on SSH authentication using Pageant, and
`-noagent' turns it off. These options are only meaningful if you `-noagent' turns it off. These options are only meaningful if you
are using SSH. are using SSH.
See chapter 9 for general information on Pageant. See chapter 9 for general information on Pageant.
These options are equivalent to the agent authentication checkbox in These options are equivalent to the agent authentication checkbox in
the Auth panel of the PuTTY configuration box (see section 4.21.3). the Auth panel of the PuTTY configuration box (see section 4.21.4).
3.11.3.10 `-A' and `-a': control agent forwarding 3.11.3.10 `-A' and `-a': control agent forwarding
The `-A' option turns on SSH agent forwarding, and `-a' turns it The `-A' option turns on SSH agent forwarding, and `-a' turns it
off. These options are only meaningful if you are using SSH. off. These options are only meaningful if you are using SSH.
See chapter 9 for general information on Pageant, and section 9.4 See chapter 9 for general information on Pageant, and section 9.4
for information on agent forwarding. Note that there is a security for information on agent forwarding. Note that there is a security
risk involved with enabling this option; see section 9.6 for risk involved with enabling this option; see section 9.6 for
details. details.
These options are equivalent to the agent forwarding checkbox in the These options are equivalent to the agent forwarding checkbox in the
Auth panel of the PuTTY configuration box (see section 4.21.6). Auth panel of the PuTTY configuration box (see section 4.21.7).
These options are not available in the file transfer tools PSCP and These options are not available in the file transfer tools PSCP and
PSFTP. PSFTP.
3.11.3.11 `-X' and `-x': control X11 forwarding 3.11.3.11 `-X' and `-x': control X11 forwarding
The `-X' option turns on X11 forwarding in SSH, and `-x' turns it The `-X' option turns on X11 forwarding in SSH, and `-x' turns it
off. These options are only meaningful if you are using SSH. off. These options are only meaningful if you are using SSH.
For information on X11 forwarding, see section 3.4. For information on X11 forwarding, see section 3.4.
skipping to change at line 1246 skipping to change at line 1246
server. This option is only meaningful if you are using SSH. server. This option is only meaningful if you are using SSH.
If you are using Pageant, you can also specify a _public_ key file If you are using Pageant, you can also specify a _public_ key file
(in RFC 4716 or OpenSSH format) to identify a specific key file to (in RFC 4716 or OpenSSH format) to identify a specific key file to
use. (This won't work if you're not running Pageant, of course.) use. (This won't work if you're not running Pageant, of course.)
For general information on public-key authentication, see chapter 8. For general information on public-key authentication, see chapter 8.
This option is equivalent to the `Private key file for This option is equivalent to the `Private key file for
authentication' box in the Auth panel of the PuTTY configuration box authentication' box in the Auth panel of the PuTTY configuration box
(see section 4.21.8). (see section 4.21.9).
3.11.3.19 `-loghost': specify a logical host name 3.11.3.19 `-no-trivial-auth': disconnect if SSH authentication succeeds
trivially
This option causes PuTTY to abandon an SSH session if the server
accepts authentication without ever having asked for any kind of
password or signature or token.
See section 4.21.3 for why you might want this.
3.11.3.20 `-loghost': specify a logical host name
This option overrides PuTTY's normal SSH host key caching policy by This option overrides PuTTY's normal SSH host key caching policy by
telling it the name of the host you expect your connection to end up telling it the name of the host you expect your connection to end up
at (in cases where this differs from the location PuTTY thinks it's at (in cases where this differs from the location PuTTY thinks it's
connecting to). It can be a plain host name, or a host name followed connecting to). It can be a plain host name, or a host name followed
by a colon and a port number. See section 4.14.5 for more detail on by a colon and a port number. See section 4.14.5 for more detail on
this. this.
3.11.3.20 `-hostkey': manually specify an expected host key 3.11.3.21 `-hostkey': manually specify an expected host key
This option overrides PuTTY's normal SSH host key caching policy This option overrides PuTTY's normal SSH host key caching policy
by telling it exactly what host key to expect, which can be by telling it exactly what host key to expect, which can be
useful if the normal automatic host key store in the Registry is useful if the normal automatic host key store in the Registry is
unavailable. The argument to this option should be either a host key unavailable. The argument to this option should be either a host key
fingerprint, or an SSH-2 public key blob. See section 4.19.3 for fingerprint, or an SSH-2 public key blob. See section 4.19.3 for
more information. more information.
You can specify this option more than once if you want to configure You can specify this option more than once if you want to configure
more than one key to be accepted. more than one key to be accepted.
3.11.3.21 `-pgpfp': display PGP key fingerprints 3.11.3.22 `-pgpfp': display PGP key fingerprints
This option causes the PuTTY tools not to run as normal, but instead This option causes the PuTTY tools not to run as normal, but instead
to display the fingerprints of the PuTTY PGP Master Keys, in to display the fingerprints of the PuTTY PGP Master Keys, in
order to aid with verifying new versions. See appendix F for more order to aid with verifying new versions. See appendix F for more
information. information.
3.11.3.22 `-sercfg': specify serial port configuration 3.11.3.23 `-sercfg': specify serial port configuration
This option specifies the configuration parameters for the serial This option specifies the configuration parameters for the serial
port (baud rate, stop bits etc). Its argument is interpreted as port (baud rate, stop bits etc). Its argument is interpreted as
a comma-separated list of configuration options, which can be as a comma-separated list of configuration options, which can be as
follows: follows:
- Any single digit from 5 to 9 sets the number of data bits. - Any single digit from 5 to 9 sets the number of data bits.
- `1', `1.5' or `2' sets the number of stop bits. - `1', `1.5' or `2' sets the number of stop bits.
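Review bot: The new section 3.11.3.19 (`-no-trivial-auth') does not state its scope or its GUI equivalent, which the other option entries on this page do. The preceding entry in this hunk says "This option is only meaningful if you are using SSH" and "This option is equivalent to the `Private key file for authentication' box in the Auth panel", while the new entry only says "See section 4.21.3 for why you might want this." Suggest adding a sentence on which protocol and which tools the option applies to, and a line tying it to the corresponding Auth panel setting, so a reader scanning the command-line reference does not have to follow the cross-reference to learn that.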
skipping to change at line 1298 skipping to change at line 1307
- A single lower-case letter specifies the parity: `n' for none, - A single lower-case letter specifies the parity: `n' for none,
`o' for odd, `e' for even, `m' for mark and `s' for space. `o' for odd, `e' for even, `m' for mark and `s' for space.
- A single upper-case letter specifies the flow control: `N' for - A single upper-case letter specifies the flow control: `N' for
none, `X' for XON/XOFF, `R' for RTS/CTS and `D' for DSR/DTR. none, `X' for XON/XOFF, `R' for RTS/CTS and `D' for DSR/DTR.
For example, `-sercfg 19200,8,n,1,N' denotes a baud rate of 19200, 8 For example, `-sercfg 19200,8,n,1,N' denotes a baud rate of 19200, 8
data bits, no parity, 1 stop bit and no flow control. data bits, no parity, 1 stop bit and no flow control.
3.11.3.23 `-sessionlog', `-sshlog', `-sshrawlog': enable session logging 3.11.3.24 `-sessionlog', `-sshlog', `-sshrawlog': enable session logging
These options cause the PuTTY network tools to write out a log These options cause the PuTTY network tools to write out a log
file. Each of them expects a file name as an argument, e.g. `- file. Each of them expects a file name as an argument, e.g. `-
sshlog putty.log' causes an SSH packet log to be written to a file sshlog putty.log' causes an SSH packet log to be written to a file
called `putty.log'. The three different options select different called `putty.log'. The three different options select different
logging modes, all available from the GUI too: logging modes, all available from the GUI too:
- `-sessionlog' selects `All session output' logging mode. - `-sessionlog' selects `All session output' logging mode.
- `-sshlog' selects `SSH packets' logging mode. - `-sshlog' selects `SSH packets' logging mode.
- `-sshrawlog' selects `SSH packets and raw data' logging mode. - `-sshrawlog' selects `SSH packets and raw data' logging mode.
For more information on logging configuration, see section 4.2. For more information on logging configuration, see section 4.2.
3.11.3.24 `-logoverwrite', `-logappend': control behaviour with existing 3.11.3.25 `-logoverwrite', `-logappend': control behaviour with existing
log file log file
If logging has been enabled (in the saved configuration, or by If logging has been enabled (in the saved configuration, or by
another command-line option), and the specified log file already another command-line option), and the specified log file already
exists, these options tell the PuTTY network tools what to do so exists, these options tell the PuTTY network tools what to do so
that they don't have to ask the user. See section 4.2.2 for details. that they don't have to ask the user. See section 4.2.2 for details.
3.11.3.25 `-proxycmd': specify a local proxy command 3.11.3.26 `-proxycmd': specify a local proxy command
This option enables PuTTY's mode for running a command on the local This option enables PuTTY's mode for running a command on the local
machine and using it as a proxy for the network connection. It machine and using it as a proxy for the network connection. It
expects a shell command string as an argument. expects a shell command string as an argument.
See section 4.16.1 for more information on this, and on other proxy See section 4.16.1 for more information on this, and on other proxy
settings. In particular, note that since the special sequences settings. In particular, note that since the special sequences
described there are understood in the argument string, literal described there are understood in the argument string, literal
backslashes must be doubled (if you want `\' in your command, you backslashes must be doubled (if you want `\' in your command, you
must put `\\' on the command line). must put `\\' on the command line).
3.11.3.26 `-restrict-acl': restrict the Windows process ACL 3.11.3.27 `-restrict-acl': restrict the Windows process ACL
This option (on Windows only) causes PuTTY (or another PuTTY tool) This option (on Windows only) causes PuTTY (or another PuTTY tool)
to try to lock down the operating system's access control on its own to try to lock down the operating system's access control on its own
process. If this succeeds, it should present an extra obstacle to process. If this succeeds, it should present an extra obstacle to
malware that has managed to run under the same user id as the PuTTY malware that has managed to run under the same user id as the PuTTY
process, by preventing it from attaching to PuTTY using the same process, by preventing it from attaching to PuTTY using the same
interfaces debuggers use and either reading sensitive information interfaces debuggers use and either reading sensitive information
out of its memory or hijacking its network session. out of its memory or hijacking its network session.
This option is not enabled by default, because this form of This option is not enabled by default, because this form of
skipping to change at line 3294 skipping to change at line 3303
This could be used, for instance, to talk to some kind of This could be used, for instance, to talk to some kind of
network proxy that PuTTY does not natively support; or you could network proxy that PuTTY does not natively support; or you could
tunnel a connection over something other than TCP/IP entirely. tunnel a connection over something other than TCP/IP entirely.
If you want your local proxy command to make a secondary If you want your local proxy command to make a secondary
SSH connection to a proxy host and then tunnel the primary SSH connection to a proxy host and then tunnel the primary
connection over that, you might well want the `-nc' command-line connection over that, you might well want the `-nc' command-line
option in Plink. See section 3.11.3.14 for more information. option in Plink. See section 3.11.3.14 for more information.
You can also enable this mode on the command line; see section You can also enable this mode on the command line; see section
3.11.3.25. 3.11.3.26.
4.16.2 Excluding parts of the network from proxying 4.16.2 Excluding parts of the network from proxying
Typically you will only need to use a proxy to connect to non-local Typically you will only need to use a proxy to connect to non-local
parts of your network; for example, your proxy might be required for parts of your network; for example, your proxy might be required for
connections outside your company's internal network. In the `Exclude connections outside your company's internal network. In the `Exclude
Hosts/IPs' box you can enter ranges of IP addresses, or ranges of Hosts/IPs' box you can enter ranges of IP addresses, or ranges of
DNS names, for which PuTTY will avoid using the proxy and make a DNS names, for which PuTTY will avoid using the proxy and make a
direct connection instead. direct connection instead.
skipping to change at line 3819 skipping to change at line 3828
multiple actual servers, and they all have different host keys. In multiple actual servers, and they all have different host keys. In
that situation, you might need to configure PuTTY to accept any of that situation, you might need to configure PuTTY to accept any of
a list of host keys for the possible servers, while still rejecting a list of host keys for the possible servers, while still rejecting
any key not in that list. any key not in that list.
Another reason is if PuTTY's automated host key management is Another reason is if PuTTY's automated host key management is
completely unavailable, e.g. because PuTTY (or Plink or PSFTP, etc) completely unavailable, e.g. because PuTTY (or Plink or PSFTP, etc)
is running in a Windows environment without access to the Registry. is running in a Windows environment without access to the Registry.
In that situation, you will probably want to use the -hostkey In that situation, you will probably want to use the -hostkey
command-line option to configure the expected host key(s); see command-line option to configure the expected host key(s); see
section 3.11.3.20. section 3.11.3.21.
For situations where PuTTY's automated host key management simply For situations where PuTTY's automated host key management simply
picks the wrong host name to store a key under, you may want to picks the wrong host name to store a key under, you may want to
consider setting a `logical host name' instead; see section 4.14.5. consider setting a `logical host name' instead; see section 4.14.5.
To configure manual host keys via the GUI, enter some text To configure manual host keys via the GUI, enter some text
describing the host key into the edit box in the `Manually configure describing the host key into the edit box in the `Manually configure
host keys for this connection' container, and press the `Add' host keys for this connection' container, and press the `Add'
button. The text will appear in the `Host keys or fingerprints button. The text will appear in the `Host keys or fingerprints
to accept' list box. You can remove keys again with the `Remove' to accept' list box. You can remove keys again with the `Remove'
skipping to change at line 3953 skipping to change at line 3962
want PuTTY to remember it; for that see section 4.15.1. It's want PuTTY to remember it; for that see section 4.15.1. It's
also probably not what if you're trying to set up passwordless also probably not what if you're trying to set up passwordless
login to a mainstream SSH server; depending on the server, you login to a mainstream SSH server; depending on the server, you
probably wanted public-key authentication (chapter 8) or perhaps probably wanted public-key authentication (chapter 8) or perhaps
GSSAPI authentication (section 4.22). (These are still forms of GSSAPI authentication (section 4.22). (These are still forms of
authentication, even if you don't have to interact with them.) authentication, even if you don't have to interact with them.)
This option only affects SSH-2 connections. SSH-1 connections always This option only affects SSH-2 connections. SSH-1 connections always
require an authentication step. require an authentication step.
4.21.3 `Attempt authentication using Pageant' 4.21.3 `Disconnect if authentication succeeds trivially'
This option causes PuTTY to abandon an SSH session and disconnect
from the server, if the server accepted authentication without ever
having asked for any kind of password or signature or token.
This might be used as a security measure. There are some forms
of attack against an SSH client user which work by terminating
the SSH authentication stage early, and then doing something in
the main part of the SSH session which _looks_ like part of the
authentication, but isn't really.
For example, instead of demanding a signature from your public key,
for which PuTTY would ask for your key's passphrase, a compromised
or malicious server might allow you to log in with no signature or
password at all, and then print a message that _imitates_ PuTTY's
request for your passphrase, in the hope that you would type it in.
(In fact, the passphrase for your public key should not be sent to
any server.)
PuTTY's main defence against attacks of this type is the `trust
sigil' system: messages in the PuTTY window that are truly
originated by PuTTY itself are shown next to a small copy of the
PuTTY icon, which the server cannot fake when it tries to imitate
the same message using terminal output.
However, if you think you might be at risk of this kind of thing
anyway (if you don't watch closely for the trust sigils, or if you
think you're at extra risk of one of your servers being malicious),
then you could enable this option as an extra defence. Then, if the
server tries any of these attacks involving letting you through the
authentication stage, PuTTY will disconnect from the server before
it can send a follow-up fake prompt or other type of attack.
On the other hand, some servers _legitimately_ let you through
the SSH authentication phase trivially, either because they are
genuinely public, or because the important authentication step
happens during the terminal session. (An example might be an SSH
server that connects you directly to the terminal login prompt of a
legacy mainframe.) So enabling this option might cause some kinds of
session to stop working. It's up to you.
4.21.4 `Attempt authentication using Pageant'
If this option is enabled, then PuTTY will look for Pageant (the If this option is enabled, then PuTTY will look for Pageant (the
SSH private-key storage agent) and attempt to authenticate with any SSH private-key storage agent) and attempt to authenticate with any
suitable public keys Pageant currently holds. suitable public keys Pageant currently holds.
This behaviour is almost always desirable, and is therefore enabled This behaviour is almost always desirable, and is therefore enabled
by default. In rare cases you might need to turn it off in order by default. In rare cases you might need to turn it off in order
to force authentication by some non-public-key method such as to force authentication by some non-public-key method such as
passwords. passwords.
This option can also be controlled using the `-noagent' command-line This option can also be controlled using the `-noagent' command-line
option. See section 3.11.3.9. option. See section 3.11.3.9.
See chapter 9 for more information about Pageant in general. See chapter 9 for more information about Pageant in general.
4.21.4 `Attempt TIS or CryptoCard authentication' 4.21.5 `Attempt TIS or CryptoCard authentication'
TIS and CryptoCard authentication are (despite their names) generic TIS and CryptoCard authentication are (despite their names) generic
forms of simple challenge/response authentication available in SSH forms of simple challenge/response authentication available in SSH
protocol version 1 only. You might use them if you were using S/Key protocol version 1 only. You might use them if you were using S/Key
one-time passwords, for example, or if you had a physical security one-time passwords, for example, or if you had a physical security
token that generated responses to authentication challenges. They token that generated responses to authentication challenges. They
can even be used to prompt for simple passwords. can even be used to prompt for simple passwords.
With this switch enabled, PuTTY will attempt these forms of With this switch enabled, PuTTY will attempt these forms of
authentication if the server is willing to try them. You will be authentication if the server is willing to try them. You will be
presented with a challenge string (which may be different every presented with a challenge string (which may be different every
time) and must supply the correct response in order to log in. time) and must supply the correct response in order to log in.
If your server supports this, you should talk to your system If your server supports this, you should talk to your system
administrator about precisely what form these challenges and administrator about precisely what form these challenges and
responses take. responses take.
4.21.5 `Attempt keyboard-interactive authentication' 4.21.6 `Attempt keyboard-interactive authentication'
The SSH-2 equivalent of TIS authentication is called `keyboard- The SSH-2 equivalent of TIS authentication is called `keyboard-
interactive'. It is a flexible authentication method using an interactive'. It is a flexible authentication method using an
arbitrary sequence of requests and responses; so it is not only arbitrary sequence of requests and responses; so it is not only
useful for challenge/response mechanisms such as S/Key, but it can useful for challenge/response mechanisms such as S/Key, but it can
also be used for (for example) asking the user for a new password also be used for (for example) asking the user for a new password
when the old one has expired. when the old one has expired.
PuTTY leaves this option enabled by default, but supplies a switch PuTTY leaves this option enabled by default, but supplies a switch
to turn it off in case you should have trouble with it. to turn it off in case you should have trouble with it.
4.21.6 `Allow agent forwarding' 4.21.7 `Allow agent forwarding'
This option allows the SSH server to open forwarded connections back This option allows the SSH server to open forwarded connections back
to your local copy of Pageant. If you are not running Pageant, this to your local copy of Pageant. If you are not running Pageant, this
option will do nothing. option will do nothing.
See chapter 9 for general information on Pageant, and section 9.4 See chapter 9 for general information on Pageant, and section 9.4
for information on agent forwarding. Note that there is a security for information on agent forwarding. Note that there is a security
risk involved with enabling this option; see section 9.6 for risk involved with enabling this option; see section 9.6 for
details. details.
4.21.7 `Allow attempted changes of username in SSH-2' 4.21.8 `Allow attempted changes of username in SSH-2'
In the SSH-1 protocol, it is impossible to change username after In the SSH-1 protocol, it is impossible to change username after
failing to authenticate. So if you mis-type your username at the failing to authenticate. So if you mis-type your username at the
PuTTY `login as:' prompt, you will not be able to change it except PuTTY `login as:' prompt, you will not be able to change it except
by restarting PuTTY. by restarting PuTTY.
The SSH-2 protocol _does_ allow changes of username, in principle, The SSH-2 protocol _does_ allow changes of username, in principle,
but does not make it mandatory for SSH-2 servers to accept them. but does not make it mandatory for SSH-2 servers to accept them.
In particular, OpenSSH does not accept a change of username; once In particular, OpenSSH does not accept a change of username; once
you have sent one username, it will reject attempts to try to you have sent one username, it will reject attempts to try to
authenticate as another user. (Depending on the version of OpenSSH, authenticate as another user. (Depending on the version of OpenSSH,
it may quietly return failure for all login attempts, or it may send it may quietly return failure for all login attempts, or it may send
an error message.) an error message.)
For this reason, PuTTY will by default not prompt you for your For this reason, PuTTY will by default not prompt you for your
username more than once, in case the server complains. If you know username more than once, in case the server complains. If you know
your server can cope with it, you can enable the `Allow attempted your server can cope with it, you can enable the `Allow attempted
changes of username' option to modify PuTTY's behaviour. changes of username' option to modify PuTTY's behaviour.
4.21.8 `Private key file for authentication' 4.21.9 `Private key file for authentication'
This box is where you enter the name of your private key file if you This box is where you enter the name of your private key file if you
are using public key authentication. See chapter 8 for information are using public key authentication. See chapter 8 for information
about public key authentication in SSH. about public key authentication in SSH.
This key must be in PuTTY's native format (`*.PPK'). If you have a This key must be in PuTTY's native format (`*.PPK'). If you have a
private key in another format that you want to use with PuTTY, see private key in another format that you want to use with PuTTY, see
section 8.2.14. section 8.2.14.
You can use the authentication agent Pageant so that you do not need You can use the authentication agent Pageant so that you do not need
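Review bot: The new section 4.21.3 (`Disconnect if authentication succeeds trivially') never mentions that the setting can also be given on the command line as `-no-trivial-auth' (section 3.11.3.19), whereas the section that follows it closes with "This option can also be controlled using the `-noagent' command-line option. See section 3.11.3.9." Suggest adding the matching sentence so the cross-reference works in both directions. Two wording points in the same region: "a signature from your public key" and "the passphrase for your public key" would be more accurate as the private key, since that is what produces the signature and what the passphrase protects (section 4.21.9 is titled `Private key file for authentication'); and the unchanged context line just above the new section reads "It's also probably not what if you're trying to set up passwordless login", which is missing "you want".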
skipping to change at line 5062 skipping to change at line 5113
5.2 PSCP Usage 5.2 PSCP Usage
Once you've got a console window to type into, you can just type Once you've got a console window to type into, you can just type
`pscp' on its own to bring up a usage message. This tells you the `pscp' on its own to bring up a usage message. This tells you the
version of PSCP you're using, and gives you a brief summary of how version of PSCP you're using, and gives you a brief summary of how
to use PSCP: to use PSCP:
C:\>pscp C:\>pscp
PuTTY Secure Copy client PuTTY Secure Copy client
Release 0.75 Release 0.76
Usage: pscp [options] [user@]host:source target Usage: pscp [options] [user@]host:source target
pscp [options] source [source...] [user@]host:target pscp [options] source [source...] [user@]host:target
pscp [options] -ls [user@]host:filespec pscp [options] -ls [user@]host:filespec
Options: Options:
-V print version information and exit -V print version information and exit
-pgpfp print PGP key fingerprints and exit -pgpfp print PGP key fingerprints and exit
-p preserve file attributes -p preserve file attributes
-q quiet, don't show statistics -q quiet, don't show statistics
-r copy directories recursively -r copy directories recursively
-v show verbose messages -v show verbose messages
skipping to change at line 5085 skipping to change at line 5136
-l user connect with specified username -l user connect with specified username
-pw passw login with specified password -pw passw login with specified password
-1 -2 force use of particular SSH protocol version -1 -2 force use of particular SSH protocol version
-ssh -ssh-connection -ssh -ssh-connection
force use of particular SSH protocol variant force use of particular SSH protocol variant
-4 -6 force use of IPv4 or IPv6 -4 -6 force use of IPv4 or IPv6
-C enable compression -C enable compression
-i key private key file for user authentication -i key private key file for user authentication
-noagent disable use of Pageant -noagent disable use of Pageant
-agent enable use of Pageant -agent enable use of Pageant
-no-trivial-auth
disconnect if SSH authentication succeeds trivially
-hostkey keyid -hostkey keyid
manually specify a host key (may be repeated) manually specify a host key (may be repeated)
-batch disable all interactive prompts -batch disable all interactive prompts
-no-sanitise-stderr don't strip control chars from standard error -no-sanitise-stderr don't strip control chars from standard error
-proxycmd command -proxycmd command
use 'command' as local proxy use 'command' as local proxy
-unsafe allow server-side wildcards (DANGEROUS) -unsafe allow server-side wildcards (DANGEROUS)
-sftp force use of SFTP protocol -sftp force use of SFTP protocol
-scp force use of SCP protocol -scp force use of SCP protocol
-sshlog file -sshlog file
skipping to change at line 5332 skipping to change at line 5385
5.2.4 Using public key authentication with PSCP 5.2.4 Using public key authentication with PSCP
Like PuTTY, PSCP can authenticate using a public key instead of a Like PuTTY, PSCP can authenticate using a public key instead of a
password. There are three ways you can do this. password. There are three ways you can do this.
Firstly, PSCP can use PuTTY saved sessions in place of hostnames Firstly, PSCP can use PuTTY saved sessions in place of hostnames
(see section 5.2.1.2). So you would do this: (see section 5.2.1.2). So you would do this:
- Run PuTTY, and create a PuTTY saved session (see section 4.1.2) - Run PuTTY, and create a PuTTY saved session (see section 4.1.2)
which specifies your private key file (see section 4.21.8). You which specifies your private key file (see section 4.21.9). You
will probably also want to specify a username to log in as (see will probably also want to specify a username to log in as (see
section 4.15.1). section 4.15.1).
- In PSCP, you can now use the name of the session instead of - In PSCP, you can now use the name of the session instead of
a hostname: type `pscp sessionname:file localfile', where a hostname: type `pscp sessionname:file localfile', where
`sessionname' is replaced by the name of your saved session. `sessionname' is replaced by the name of your saved session.
Secondly, you can supply the name of a private key file on the Secondly, you can supply the name of a private key file on the
command line, with the `-i' option. See section 3.11.3.18 for more command line, with the `-i' option. See section 3.11.3.18 for more
information. information.
skipping to change at line 5914 skipping to change at line 5967
6.3 Using public key authentication with PSFTP 6.3 Using public key authentication with PSFTP
Like PuTTY, PSFTP can authenticate using a public key instead of a Like PuTTY, PSFTP can authenticate using a public key instead of a
password. There are three ways you can do this. password. There are three ways you can do this.
Firstly, PSFTP can use PuTTY saved sessions in place of hostnames. Firstly, PSFTP can use PuTTY saved sessions in place of hostnames.
So you might do this: So you might do this:
- Run PuTTY, and create a PuTTY saved session (see section 4.1.2) - Run PuTTY, and create a PuTTY saved session (see section 4.1.2)
which specifies your private key file (see section 4.21.8). You which specifies your private key file (see section 4.21.9). You
will probably also want to specify a username to log in as (see will probably also want to specify a username to log in as (see
section 4.15.1). section 4.15.1).
- In PSFTP, you can now use the name of the session instead of - In PSFTP, you can now use the name of the session instead of
a hostname: type `psftp sessionname', where `sessionname' is a hostname: type `psftp sessionname', where `sessionname' is
replaced by the name of your saved session. replaced by the name of your saved session.
Secondly, you can supply the name of a private key file on the Secondly, you can supply the name of a private key file on the
command line, with the `-i' option. See section 3.11.3.18 for more command line, with the `-i' option. See section 3.11.3.18 for more
information. information.
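Review bot: the first option in 6.3, "PSFTP can use PuTTY saved sessions in place of hostnames", carries no cross-reference, while the parallel PSCP paragraph earlier in this diff points to section 5.2.1.2 for the same feature. This hunk is already being touched for the 4.21.8 to 4.21.9 renumbering, so add a matching pointer here (to wherever saved-session names are described for PSFTP) so that the two chapters read the same way.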
skipping to change at line 5982 skipping to change at line 6035
This section describes the basics of how to use Plink for This section describes the basics of how to use Plink for
interactive logins and for automated processes. interactive logins and for automated processes.
Once you've got a console window to type into, you can just type Once you've got a console window to type into, you can just type
`plink' on its own to bring up a usage message. This tells you the `plink' on its own to bring up a usage message. This tells you the
version of Plink you're using, and gives you a brief summary of how version of Plink you're using, and gives you a brief summary of how
to use Plink: to use Plink:
C:\>plink C:\>plink
Plink: command-line connection utility Plink: command-line connection utility
Release 0.75 Release 0.76
Usage: plink [options] [user@]host [command] Usage: plink [options] [user@]host [command]
("host" can also be a PuTTY saved session name) ("host" can also be a PuTTY saved session name)
Options: Options:
-V print version information and exit -V print version information and exit
-pgpfp print PGP key fingerprints and exit -pgpfp print PGP key fingerprints and exit
-v show verbose messages -v show verbose messages
-load sessname Load settings from saved session -load sessname Load settings from saved session
-ssh -telnet -rlogin -raw -serial -ssh -telnet -rlogin -raw -serial
force use of a particular protocol force use of a particular protocol
-ssh-connection -ssh-connection
skipping to change at line 6018 skipping to change at line 6071
Forward remote port to local address Forward remote port to local address
-X -x enable / disable X11 forwarding -X -x enable / disable X11 forwarding
-A -a enable / disable agent forwarding -A -a enable / disable agent forwarding
-t -T enable / disable pty allocation -t -T enable / disable pty allocation
-1 -2 force use of particular SSH protocol version -1 -2 force use of particular SSH protocol version
-4 -6 force use of IPv4 or IPv6 -4 -6 force use of IPv4 or IPv6
-C enable compression -C enable compression
-i key private key file for user authentication -i key private key file for user authentication
-noagent disable use of Pageant -noagent disable use of Pageant
-agent enable use of Pageant -agent enable use of Pageant
-no-trivial-auth
disconnect if SSH authentication succeeds trivially
-noshare disable use of connection sharing -noshare disable use of connection sharing
-share enable use of connection sharing -share enable use of connection sharing
-hostkey keyid -hostkey keyid
manually specify a host key (may be repeated) manually specify a host key (may be repeated)
-sanitise-stderr, -sanitise-stdout, -no-sanitise-stderr, -no-sanitise -stdout -sanitise-stderr, -sanitise-stdout, -no-sanitise-stderr, -no-sanitise -stdout
do/don't strip control chars from standard output/error do/don't strip control chars from standard output/error
-no-antispoof omit anti-spoofing prompt after authentication -no-antispoof omit anti-spoofing prompt after authentication
-m file read remote command(s) from file -m file read remote command(s) from file
-s remote command is an SSH subsystem (SSH-2 only) -s remote command is an SSH subsystem (SSH-2 only)
-N don't start a shell/command (SSH-2 only) -N don't start a shell/command (SSH-2 only)
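Review bot: the new `-no-trivial-auth` entry in the usage text says only "disconnect if SSH authentication succeeds trivially", which leaves "trivially" undefined in the one place a command-line user is sure to see it. Neighbouring entries such as `-no-antispoof` say concretely what is omitted or disabled. Suggest a short gloss of what counts as a trivial success, or at least a reference to the manual section that documents the option, so that someone reading `plink` output alone can decide whether to set it.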
skipping to change at line 6115 skipping to change at line 6170
enter a password. enter a password.
To avoid being prompted for the server host key when using Plink for To avoid being prompted for the server host key when using Plink for
an automated connection, you can first make a _manual_ connection an automated connection, you can first make a _manual_ connection
(using either of PuTTY or Plink) to the same server, verify the host (using either of PuTTY or Plink) to the same server, verify the host
key (see section 2.2 for more information), and select `Accept' key (see section 2.2 for more information), and select `Accept'
to add the host key to the Registry. After that, Plink commands to add the host key to the Registry. After that, Plink commands
connecting to that server should not give a host key prompt unless connecting to that server should not give a host key prompt unless
the host key changes. Alternatively, you can specify the appropriate the host key changes. Alternatively, you can specify the appropriate
host key(s) on Plink's command line every time you use it; see host key(s) on Plink's command line every time you use it; see
section 3.11.3.20. section 3.11.3.21.
To avoid being prompted for a user name, you can: To avoid being prompted for a user name, you can:
- Use the `-l' option to specify a user name on the command line. - Use the `-l' option to specify a user name on the command line.
For example, `plink login.example.com -l fred'. For example, `plink login.example.com -l fred'.
- Set up a PuTTY saved session that describes the server you are - Set up a PuTTY saved session that describes the server you are
connecting to, and that also specifies the username to log in as connecting to, and that also specifies the username to log in as
(see section 4.15.1). (see section 4.15.1).
To avoid being prompted for a password, you should almost certainly To avoid being prompted for a password, you should almost certainly
set up public-key authentication. (See chapter 8 for a general set up public-key authentication. (See chapter 8 for a general
introduction to public-key authentication.) Again, you can do this introduction to public-key authentication.) Again, you can do this
in two ways: in two ways:
- Set up a PuTTY saved session that describes the server you - Set up a PuTTY saved session that describes the server you
are connecting to, and that also specifies a private key file are connecting to, and that also specifies a private key file
(see section 4.21.8). For this to work without prompting, your (see section 4.21.9). For this to work without prompting, your
private key will need to have no passphrase. private key will need to have no passphrase.
- Store the private key in Pageant. See chapter 9 for further - Store the private key in Pageant. See chapter 9 for further
information. information.
Once you have done all this, you should be able to run a remote Once you have done all this, you should be able to run a remote
command on the SSH server machine and have it execute automatically command on the SSH server machine and have it execute automatically
with no prompting: with no prompting:
C:\>plink login.example.com -l fred echo hello, world C:\>plink login.example.com -l fred echo hello, world
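Review bot: the automation walkthrough in this hunk (host key prompt, user name, password) only has its cross-references renumbered, and nothing in the lines shown mentions the `-no-trivial-auth` option that this release adds to Plink's usage text. An unattended run is the case where nobody is present to notice an authentication that succeeded without the expected key exchange, so consider a sentence after the public-key bullets saying whether scripted invocations should pass that option. Separately, the bullet stating "your private key will need to have no passphrase" would be clearer if it said explicitly that the Pageant bullet below it is the alternative that keeps the key encrypted on disk.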
skipping to change at line 6682 skipping to change at line 6737
Once you have generated a key, set a comment field and set a Once you have generated a key, set a comment field and set a
passphrase, you are ready to save your private key to disk. passphrase, you are ready to save your private key to disk.
Press the `Save private key' button. PuTTYgen will put up a dialog Press the `Save private key' button. PuTTYgen will put up a dialog
box asking you where to save the file. Select a directory, type in a box asking you where to save the file. Select a directory, type in a
file name, and press `Save'. file name, and press `Save'.
This file is in PuTTY's native format (`*.PPK'); it is the one you This file is in PuTTY's native format (`*.PPK'); it is the one you
will need to tell PuTTY to use for authentication (see section will need to tell PuTTY to use for authentication (see section
4.21.8) or tell Pageant to load (see section 9.2.2). 4.21.9) or tell Pageant to load (see section 9.2.2).
(You can optionally change some details of the PPK format for your (You can optionally change some details of the PPK format for your
saved key files; see section 8.2.12. But The defaults should be fine saved key files; see section 8.2.12. But The defaults should be fine
for most purposes.) for most purposes.)
8.2.10 Saving your public key to a disk file 8.2.10 Saving your public key to a disk file
RFC 4716 specifies a standard format for storing SSH-2 public keys RFC 4716 specifies a standard format for storing SSH-2 public keys
on disk. Some SSH servers (such as ssh.com's) require a public on disk. Some SSH servers (such as ssh.com's) require a public
key in this format in order to accept authentication with the key in this format in order to accept authentication with the
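Review bot: in the parenthetical about PPK format details, "But The defaults should be fine" has a stray capital that appears in both the 0.75 and 0.76 text. The paragraph above it is already being edited for the 4.21.9 reference, so fix it in the same change: "But the defaults should be fine for most purposes."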
skipping to change at line 6885 skipping to change at line 6940
is done. You can typically do this by using a command such as is done. You can typically do this by using a command such as
chmod go-w $HOME $HOME/.ssh $HOME/.ssh/authorized_keys chmod go-w $HOME $HOME/.ssh $HOME/.ssh/authorized_keys
Your server should now be configured to accept authentication using Your server should now be configured to accept authentication using
your private key. Now you need to configure PuTTY to _attempt_ your private key. Now you need to configure PuTTY to _attempt_
authentication using your private key. You can do this in any of authentication using your private key. You can do this in any of
three ways: three ways:
- Select the private key in PuTTY's configuration. See section - Select the private key in PuTTY's configuration. See section
4.21.8 for details. 4.21.9 for details.
- Specify the key file on the command line with the `-i' option. - Specify the key file on the command line with the `-i' option.
See section 3.11.3.18 for details. See section 3.11.3.18 for details.
- Load the private key into Pageant (see chapter 9). In this case - Load the private key into Pageant (see chapter 9). In this case
PuTTY will automatically try to use it for authentication if it PuTTY will automatically try to use it for authentication if it
can. can.
Chapter 9: Using Pageant for authentication Chapter 9: Using Pageant for authentication
------------------------------------------- -------------------------------------------
skipping to change at line 6937 skipping to change at line 6992
the key has been loaded, it will appear in the list in the Pageant the key has been loaded, it will appear in the list in the Pageant
window. window.
Now start PuTTY and open an SSH session to a site that accepts your Now start PuTTY and open an SSH session to a site that accepts your
key. PuTTY will notice that Pageant is running, retrieve the key key. PuTTY will notice that Pageant is running, retrieve the key
automatically from Pageant, and use it to authenticate. You can now automatically from Pageant, and use it to authenticate. You can now
open as many PuTTY sessions as you like without having to type your open as many PuTTY sessions as you like without having to type your
passphrase again. passphrase again.
(PuTTY can be configured not to try to use Pageant, but it will (PuTTY can be configured not to try to use Pageant, but it will
try by default. See section 4.21.3 and section 3.11.3.9 for more try by default. See section 4.21.4 and section 3.11.3.9 for more
information.) information.)
When you want to shut down Pageant, click the right button on the When you want to shut down Pageant, click the right button on the
Pageant icon in the System tray, and select `Exit' from the menu. Pageant icon in the System tray, and select `Exit' from the menu.
Closing the Pageant main window does _not_ shut down Pageant. Closing the Pageant main window does _not_ shut down Pageant.
If you want Pageant to stay running but forget all the keys it has If you want Pageant to stay running but forget all the keys it has
acquired, select `Remove All Keys' from the System tray menu. acquired, select `Remove All Keys' from the System tray menu.
9.2 The Pageant main window 9.2 The Pageant main window
skipping to change at line 7073 skipping to change at line 7128
9.3.3 Starting with the key list visible 9.3.3 Starting with the key list visible
Start Pageant with the `--keylist' option to show the main window as Start Pageant with the `--keylist' option to show the main window as
soon as it starts up. soon as it starts up.
9.3.4 Restricting the Windows process ACL 9.3.4 Restricting the Windows process ACL
Pageant supports the same `-restrict-acl' option as the other PuTTY Pageant supports the same `-restrict-acl' option as the other PuTTY
utilities to lock down the Pageant process's access control; see utilities to lock down the Pageant process's access control; see
section 3.11.3.26 for why you might want to do this. section 3.11.3.27 for why you might want to do this.
By default, if Pageant is started with `-restrict-acl', it won't By default, if Pageant is started with `-restrict-acl', it won't
pass this to any PuTTY sessions started from its System Tray pass this to any PuTTY sessions started from its System Tray
submenu. Use `-restrict-putty-acl' to change this. (Again, see submenu. Use `-restrict-putty-acl' to change this. (Again, see
section 3.11.3.26 for details.) section 3.11.3.27 for details.)
9.4 Using agent forwarding 9.4 Using agent forwarding
Agent forwarding is a mechanism that allows applications on your SSH Agent forwarding is a mechanism that allows applications on your SSH
server machine to talk to the agent on your client machine. server machine to talk to the agent on your client machine.
Note that at present, whether agent forwarding in SSH-2 is available Note that at present, whether agent forwarding in SSH-2 is available
depends on your server. Pageant's protocol is compatible with the depends on your server. Pageant's protocol is compatible with the
OpenSSH server, but the ssh.com server uses a different agent OpenSSH server, but the ssh.com server uses a different agent
protocol, which PuTTY does not yet support. protocol, which PuTTY does not yet support.
To enable agent forwarding, first start Pageant. Then set up a To enable agent forwarding, first start Pageant. Then set up a
PuTTY SSH session in which `Allow agent forwarding' is enabled (see PuTTY SSH session in which `Allow agent forwarding' is enabled (see
section 4.21.6). Open the session as normal. (Alternatively, you section 4.21.7). Open the session as normal. (Alternatively, you
can use the `-A' command line option; see section 3.11.3.10 for can use the `-A' command line option; see section 3.11.3.10 for
details.) details.)
If this has worked, your applications on the server should now have If this has worked, your applications on the server should now have
access to a Unix domain socket which the SSH server will forward access to a Unix domain socket which the SSH server will forward
back to PuTTY, and PuTTY will forward on to the agent. To check that back to PuTTY, and PuTTY will forward on to the agent. To check that
this has actually happened, you can try this command on Unix server this has actually happened, you can try this command on Unix server
machines: machines:
unixbox:~$ echo $SSH_AUTH_SOCK unixbox:~$ echo $SSH_AUTH_SOCK
skipping to change at line 7336 skipping to change at line 7391
many authentication failures for root"' many authentication failures for root"'
This message is produced by an OpenSSH (or Sun SSH) server if it This message is produced by an OpenSSH (or Sun SSH) server if it
receives more failed authentication attempts than it is willing to receives more failed authentication attempts than it is willing to
tolerate. tolerate.
This can easily happen if you are using Pageant and have a large This can easily happen if you are using Pageant and have a large
number of keys loaded into it, since these servers count each offer number of keys loaded into it, since these servers count each offer
of a public key as an authentication attempt. This can be worked of a public key as an authentication attempt. This can be worked
around by specifying the key that's required for the authentication around by specifying the key that's required for the authentication
in the PuTTY configuration (see section 4.21.8); PuTTY will ignore in the PuTTY configuration (see section 4.21.9); PuTTY will ignore
any other keys Pageant may have, but will ask Pageant to do the any other keys Pageant may have, but will ask Pageant to do the
authentication, so that you don't have to type your passphrase. authentication, so that you don't have to type your passphrase.
On the server, this can be worked around by disabling public-key On the server, this can be worked around by disabling public-key
authentication or (for Sun SSH only) by increasing `MaxAuthTries' in authentication or (for Sun SSH only) by increasing `MaxAuthTries' in
`sshd_config'. `sshd_config'.
10.6 `Out of memory' 10.6 `Out of memory'
This occurs when PuTTY tries to allocate more memory than the system This occurs when PuTTY tries to allocate more memory than the system
skipping to change at line 7449 skipping to change at line 7504
This error can be caused by buggy SSH-1 servers that fail to cope This error can be caused by buggy SSH-1 servers that fail to cope
with the various strategies we use for camouflaging passwords in with the various strategies we use for camouflaging passwords in
transit. Upgrade your server, or use the workarounds described in transit. Upgrade your server, or use the workarounds described in
section 4.26.11 and possibly section 4.26.12. section 4.26.11 and possibly section 4.26.12.
10.11 `No supported authentication methods available' 10.11 `No supported authentication methods available'
This error indicates that PuTTY has run out of ways to authenticate This error indicates that PuTTY has run out of ways to authenticate
you to an SSH server. This may be because PuTTY has TIS or keyboard- you to an SSH server. This may be because PuTTY has TIS or keyboard-
interactive authentication disabled, in which case see section interactive authentication disabled, in which case see section
4.21.4 and section 4.21.5. 4.21.5 and section 4.21.6.
10.12 `Incorrect MAC received on packet' or `Incorrect CRC received on 10.12 `Incorrect MAC received on packet' or `Incorrect CRC received on
packet' packet'
This error occurs when PuTTY decrypts an SSH packet and its checksum This error occurs when PuTTY decrypts an SSH packet and its checksum
is not correct. This probably means something has gone wrong in the is not correct. This probably means something has gone wrong in the
encryption or decryption process. It's difficult to tell from this encryption or decryption process. It's difficult to tell from this
error message whether the problem is in the client, in the server, error message whether the problem is in the client, in the server,
or in between. or in between.
skipping to change at line 11192 skipping to change at line 11247
If set, key is held with an encrypted form (so that the If set, key is held with an encrypted form (so that the
`reencrypt' extension can do something useful with it). `reencrypt' extension can do something useful with it).
Bit 1 Bit 1
If set, key's cleartext form is not currently held (so the If set, key's cleartext form is not currently held (so the
user will have to supply a passphrase before the key can be user will have to supply a passphrase before the key can be
used). used).
[PuTTY release 0.75] [PuTTY release 0.76]
 End of changes. 36 change blocks. 
33 lines changed or deleted 88 lines changed or added
