Serious Security Hole In PuTTY
Tim 'gk^' Nilimaa writes "A serious security hole has been found in PuTTY, version 0.54 and before. Simon Tatham and his fellows released PuTTY 0.55 on 2004-08-03 which solves this bug. The bug may allow servers to use PuTTY to act as a machine that you trust, even before you verify the host's key while connecting using SSH2. An attack could be a fact before you know that you have connected to the wrong machine. I (and they) say: upgrade to PuTTY 0.55 - now."
PuTTY tip (Score:1, Interesting)
Re:PuTTY tip (Score:5, Informative)
In the port forwarding section, add new forwarded port.
Pick a source port. Any port will work, but 1080 is the standard for socks 5 proxies. Leave Destination blank, and choose Dynamic (instead of Local or Remote). Click the add button, and you should see D1080 listed in the box.
Okay, now you can save your session and start it.
In applications you can go into their connection settings section and set localhost, port 1080 as the SOCKS host. The application will then tunnel everything through your SSH connection.
Re:PuTTY tip (Score:1, Informative)
Yes, but a lot of servers don't restrict outgoing ports, or it may be YOUR remote server, and you can do what you want with it.
Also the only encryption is between you and the box not from the box out to tinternet.
True, but again, you may be more concerned about your connection from A -> B than from B -> C, especially if A -> B is work/wireless/whatever. At work all people would see i
Re:PuTTY tip (Score:1)
Re:PuTTY tip (WinSCP, too?) (Score:3, Informative)
What about WinSCP, which used PuTTY DLLs?
Nice response time (Score:5, Insightful)
Re:Nice response time (Score:4, Interesting)
so it's always assuring that the devs have a quick turn around on fixes (especially with free software), that kind of dedication is appreciated
Not meaning to be nasty to the putty team, but there's no verifiable date of discovery of this bug, and the last release was 2003. This bug could have been known to the team 6 months ago, and only fixed now :).
Re:Nice response time (Score:5, Informative)
We were notified of the problem six days before the 0.55 release went out. I'd have liked to get it turned around faster than that, but it took me a few days of bouncing email back and forth to get a coherent description of one of the two problems (the less important one, as it turned out).
But of course you've only got my word for that...
Re:Nice response time (Score:2)
Re:Nice response time (Score:2)
I did say I didn't want to be nasty, and that included belittling your effort, I was merely pointing out that we couldn't know for sure that the turn around was swift (and I will take your word for the time scale given, and it's pretty impressive anyway).
A question, if you will: Are there any plans to include tabbed window sessions in putty? I routinely
Screen (Score:2)
Re:Screen (Score:2)
Clarification (Score:5, Informative)
The writeup is not clear:
The bug may allow servers to use PuTTY to act as a machine that you trust,...
Well, of course you trust your client machine.
Re:Clarification (Score:5, Funny)
THERE IS NOTHING TO FEAR. ALL IS WELL. NOTHING TO SEE HERE. PLEASE KEEP MOVING.
Re:Clarification (Score:4, Funny)
Not if my client machine runs Windows.
Re:Clarification (Score:3, Funny)
Putty Question (Score:1, Offtopic)
Re:Putty Question (Score:2)
Re:Putty Question (Score:3, Informative)
THANK YOU, THANK YOU, THANK YOU!!!
Re:Putty Question (Score:2)
Re:Putty Question (Score:1)
Another Putty Question (Score:2)
Re:Another Putty Question (Score:2)
* set up or get an account on a linux box
* install an X server on your windows box (e.g. cygwin with X)
* use putty to ssh from your windows box to your linux box, with X forwarding
* start an instance of KTerm, running on the linux box but on the X server of your windows box
* enjoy tabbed kterm windows, and use commandline ssh in each tab
Re:Another Putty Question (Score:2)
Recent SSH chatter... (Score:4, Funny)
Or maybe there's Yet More To Come.
Re:Recent SSH chatter... (Score:4, Informative)
Re:Recent SSH chatter... (Score:1)
Re:Recent SSH chatter... (Score:3, Informative)
Re:Recent SSH chatter... (Score:1)
Re:Recent SSH chatter... (Score:1, Troll)
:)
Re:Recent SSH chatter... (Score:1, Informative)
Hint - if you get hacked by this, you probably deserve it.
It's been thoroughly analysed and doesn't use any exploits old or new. Think of it as an automated retard hunter.
Re:Recent SSH chatter... (Score:1)
Re:Recent SSH chatter... (Score:2)
"Never underestimate the power of human stupidity."
Mirrors (Score:3, Informative)
http://putty.obengelb.de/
http://www.puttyssh.org/
http://putty.activalink.net/
And a nice mirrors list. [obengelb.de]
Mike
Seriously though (Score:5, Informative)
Even with strict checking on, most of us are used to blowing records out of known hosts files when they don't match, due to system upgrades causing the old records to be invalid all the time.
Re:Seriously though (Score:2)
Unfortunately, I usually accept it anyway because I have stuff to do and can't verify with the admin immediately.
Re:Seriously though (Score:2)
She wondered why I was even bothering her. Idiot.
And the last time she did a re-do of the system, she actually sent everyone an email telling them to come to her to get their new passwords: idiot, how do I log in to see THAT email if I don't have my new password.
I also caught her when she changed a back-up client and the read-time-stamp on my mail file got touched daily when it NEVER had been before. She's
Re:Seriously though (Score:3, Interesting)
Re:Seriously though (Score:2)
If I know the machine just got wiped out or replaced, I'll hit yes. Otherwise, I'll investigate via outside channels. I've uncovered more than one DNS problem by investigating those messages.
Re:Seriously though (Score:3, Insightful)
First off, I'm a sysadmin, and I save my hostkeys when I upgrade.
Secondly, my client machines have the server key, so user passwords are not required.
Third, I usually check into the reason. If possible, I log in to a place I would have connected from before. There's only 2-3 machines I regularly log into from random places, and I have their bubble-babble digests memorized. And if I
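The out-of-band check these comments describe (compare the key a server offers with a fingerprint you already hold before answering the prompt), as an added example that is not part of the original thread. The host name, address and key bytes are constructed sample data, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

def make_blob(key_bytes):
    """Build an ssh-ed25519 public key blob (constructed sample, not a real host)."""
    name = b"ssh-ed25519"
    return (struct.pack(">I", len(name)) + name +
            struct.pack(">I", len(key_bytes)) + key_bytes)

def parse_known_hosts_line(line):
    """Split a plain 'hosts keytype base64' line and sanity-check the blob."""
    hosts, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    # The blob starts with its own algorithm name; it must agree with the line.
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type in blob does not match the declared type")
    return hosts.split(","), key_type, blob

def fp_sha256(blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fp_md5(blob):
    """Legacy colon-separated MD5 fingerprint, as older clients display."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def check_host(host, offered_blob, pinned):
    """pinned maps host -> fingerprint obtained through a separate channel."""
    expected = pinned.get(host)
    if expected is None:
        return "unknown"   # nothing to compare against: verify before trusting
    if expected.startswith("SHA256:"):
        actual = fp_sha256(offered_blob)
    else:
        actual = fp_md5(offered_blob)
    return "match" if hmac.compare_digest(actual, expected) else "changed"

# Constructed sample data: the expected key, and a different key for the same name.
GOOD = make_blob(bytes(range(32)))
ROGUE = make_blob(bytes(range(1, 33)))
LINE = "shell.example.org,192.0.2.10 ssh-ed25519 " + base64.b64encode(GOOD).decode()
PINNED = {"shell.example.org": fp_sha256(GOOD)}

if __name__ == "__main__":
    _, _, blob = parse_known_hosts_line(LINE)
    for offered in (blob, ROGUE):
        print(fp_sha256(offered), check_host("shell.example.org", offered, PINNED))
```

A "changed" result is the case the thread is arguing about: the stored record should only be replaced once the new fingerprint has been confirmed through a channel other than the connection itself.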
Re:Seriously though (Score:2)
What I want to know... (Score:2, Interesting)
Re:What I want to know... (Score:2)
Sorry... couldn't resist.
Simple answers (Score:1)
Sometimes, version numbers don't mean jack shit. Sometimes, if it's below 1, it doesn't mean anything. Sometimes, if it's 3, it doesn't mean anything. Sometimes, the version numbers are used in a controlled way, based on the roadmap so that given feature will bump version number upwards.
I would prefer the build number as version number :-)
Putty is good... (Score:2)
Why not front page? (Score:4, Interesting)
Keep up the good work Rob. Hey, where are the 503's today? It hardly seems like the dot without them.
Yeah, yeah, -1, flamebait -1 troll. Who gives a crap? Not Rob or OSDTNVHPR
Re:This is a tough one to classify (Score:2, Insightful)
Instead, we have 'Microsoft will try blogging service in Japan', ' ESA To Study Human Hibernation', and 'DEFCON WiFi Shootout Winners Set A Land Record'.
Re:This is a tough one to classify (Score:1)
But the defcon thing is totally applicable to daily life! I mean, now everyone can put 10' satellite dishes up on their houses and get 55 mile links to a non-evil broadband provider.
And the hibernation is good for waiting for the homeowners association to finish suing you for the 10' eyesore on the top of your house.
Re:This is a tough one to classify (Score:2)
I was out on a field visit and my CD wasn't with me, so I hunted down a putty client 'cause they would let me run knoppix on their machines. One that I downloaded let me connect but gave me the wrong key number (I remember the first 4 and the last four digits from seeing it so often) so I gave it a fake password. Downloaded another putty client, gave me the right key, so I put in the right passkey and connected. Later investigated and re-downloaded the two putt
config files? (Score:2)
Thanks...
Re:config files? (Score:2, Informative)
I mean, it's really not *that* hard.
Config file export (Score:3, Informative)
You can export the settings using RegEdit
Start->Run->regedit
Select the SimonTatham key
File->Export
Save the section on your USB key
On a new machine you can just double click on the
Does anyone see any problems with this? Perhaps, you should be sure to _not_ take the RandomSeed key, since you'd like to have more randomness...
Orn
From the FAQ:
A.5.2 Where does PuTTY store its data?
On Windows, PuTTY stores most of its data (s
Re:Config file export (Score:3, Informative)
http://www.tartarus.org/~simon/puttydoc/Chapter4.
You know ... (Score:2, Funny)
Affects PSCP? (download resume) (Score:2)
I have no idea if this affects pscp too, but I've brought my pscp download resume [gazonk.org] patch up to date anyhow. Grabbed the source snapshot [tartarus.org] which I assume post-dates the 0.55 fixes.