
PuTTY 0.68 has been released - based2
http://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.68.html
======
based2
Release Notes:

    
    
    Security fix: an integer overflow bug in the agent forwarding code. See vuln-agent-fwd-overflow.
    Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking
      by specially named DLLs in the same directory (on versions of Windows where they previously were).
      See vuln-indirect-dll-hijack.
    Windows PuTTY no longer sets a restrictive process ACL by default, because this turned out
      to inconvenience too many legitimate applications such as NVDA and TortoiseGit.
      You can still manually request a restricted ACL using the command-line option -restrict-acl.
    The Windows PuTTY tools now come in a 64-bit version.
    The Windows PuTTY tools now have Windows's ASLR and DEP security features turned on.
    Support for elliptic-curve cryptography (the NIST curves and 25519), for host keys,
      user authentication keys, and key exchange.
    Support for importing and exporting OpenSSH's new private key format.
    Host key preference policy change: PuTTY prefers host key formats for which it already knows the key.
    Run-time option (from the system menu / Ctrl-right-click menu) to retrieve other host keys from the same server
      (which cross-certifies them using the session key established using an already-known key)
      and add them to the known host-keys database.
    The Unix GUI PuTTY tools can now be built against GTK 3.
    There is now a Unix version of Pageant.

~~~
caf
Isn't this "DLL hijacking" thing a bit overblown? The directory an application
runs from on Windows has always been considered part of the security perimeter
of the application.

If you can drop a malicious DLL where putty.exe lives, can't you just drop a
malicious putty.exe?

~~~
__jal
Not a windows person, so I can't speak to how the directory is treated, but
I've watched enough people run applications from the Downloads directory to
wonder about it.

~~~
beachstartup
with putty i would be surprised if most didn't run it straight from the
desktop. i would be a dirty liar if i said i haven't, countless times.

~~~
monk_e_boy
This. Without an installer that puts a link into the start menu, everyone I've
ever worked with just dumps it on the desktop. I used to throw a symlink into
the start menu, but when other devs used my machine they expected it to be on
the desktop. Just one of those quirks of using PUTTY

~~~
marvy
But why not just use the installer?

~~~
hermitdev
For a long time, there wasn't an installer for putty, so a lot of us became
accustomed to just dropping the binary on our desktop or "bin" folder, but
there is an installer now. Also, certain corporate environments preclude
the installer from working correctly, but won't mind you "installing" a
program to your desktop/local app data.

~~~
marvy
I find the corporate environment thing suspicious. I could imagine that if you
don't have admin access, you can't install to Program Files, but couldn't you
still install to your home directory, and still get those lovely start menu
shortcuts?

~~~
Jaruzel
Not really.

Windows, by default, requests elevated rights from the user (the UAC dialog) if
you run any exe that has 'setup' or 'install' in the name, or if the manifest
inside/alongside the exe defines a requirement for elevated rights.

You can spot these files as they have a little Windows 'shield' overlay on
their icons (Windows overlays that itself if it detects a file needing
elevated rights).

So, unless you can elevate your rights (i.e. be admin, or type in admin
credentials), you can't run most installers.

However, prior to Windows 7 your personal start menu folder wasn't locked down
- and as a non-admin you could easily add/remove shortcuts from it. Since
Windows 7 onwards it's now protected, so you need to elevate to be able to
write to it.

Windows allows you to run (by default) software from ANY folder you like, but
you can only (by default, again) write to some of your user folders and the
%TEMP% location.

So downloading the PuTTY exe and running it from the downloads folder or
desktop is perfectly legitimate, although not good practice.

As an aside: I'm not sure if Chrome still does it, but I recall that if you
try to install it and you don't have admin rights, it just puts an icon on
your desktop, and installs all the chrome files into a folder under
ProgramData which resides in your user hierarchy, instead of the locked down
Program Files area. Which is one way of getting around the lack of
admin-rights.

~~~
marvy
Huh. I think that's a poor design choice on the part of the Windows folks, but
they probably know things I don't.

~~~
Jaruzel
You know in order to secure an old house, you just nail boards over all the
openings? Well, yeah, that's the Windows security model that is. :)

~~~
marvy
ouch

------
mytec
Long time user of Putty, like many here. I liked this quote from their FAQ
(A.3.3 What's the point of the Unix port? Unix has OpenSSH):

"There were development advantages as well; porting PuTTY to Unix was a
valuable path-finding effort for other future ports, and also allowed us to
use the excellent Linux tool Valgrind to help with debugging, which has
already improved PuTTY's stability on all platforms."

~~~
bch
This sort of development is often illuminating. I develop on *BSD, Linux,
Solaris (SPARC), and MacOS X when I can, and even though they're "all UNIX",
interesting insights abound, and dealing w different endianness (SPARC == big,
Intel == small), and library differences, etc is rarely more trouble than it's
worth.

------
jimmcslim
On Windows 10, with Windows Subsystem for Linux installed, I don't find myself
using Putty anymore.

~~~
SebiH
Are you using an insider build or a different shell than Windows' cmd? I find
myself using Putty to connect to a Linux subsystem ssh server just to get a
decent terminal emulator with full colour support!

~~~
Viper007Bond
The latest Insider builds are a lot better, including full color support.

~~~
vesinisa
It's apparently coming to stable in April:
[https://news.ycombinator.com/item?id=13695267](https://news.ycombinator.com/item?id=13695267)

------
hughes
It always makes me sad to see that the PuTTY download page is served over
unsecure HTTP.

~~~
r1ch
At least the binaries are authenticode signed now, so checking they are legit
is just a right click away.

~~~
anderskaseorg
How is that supposed to help? Even if the legitimate binaries are
Authenticode-signed now, a malicious non-Authenticode-signed binary
substituted by an attacker MITMing the insecure HTTP connection will appear to
the downloader to look just like the legitimate non-Authenticode-signed
binaries of previous versions that they’ve been downloading for years.

~~~
Godel_unicode
Because you can add the signing cert to your AppLocker whitelist, and now it
will be checked every time it runs. Then you push that out by GPO, and now
everyone has that same whitelist protection.

Also, as mentioned other places on the thread, the downloads are over HTTPS.

Edit: see the following
[https://technet.microsoft.com/en-us/library/dd723683(v=ws.10...](https://technet.microsoft.com/en-us/library/dd723683\(v=ws.10\).aspx)

------
wtbob
When I started my career nearly 20 years ago, back before one could convince a
Fortune-100 company to let its peons use Linux on our desktops and Apple
hadn't yet had its renascence, PuTTY was a veritable godsend: it did what was
needed, and did it remarkably well.

It's been years since I was allowed to add a Linux box, and years since I
switched to Linux full-time, and now I honestly think that I'd reject a job
offer which required Windows (and maybe even one which required macOS) — but
for all those years of Just Working™, thanks PuTTY!

------
mpoloton
PuTTY is a good example where the author resisted turning it into bloatware.
It is minimal and does the thing it is supposed to do.

~~~
sumedh
That may or may not be a good thing. Personally I cannot live without tabs and
bookmarks so I use mRemoteNG.

~~~
lma21
I use PuTTY and connect to a tmux server afterwards.. tabs / sessions /
programmable interactions with the terminal are a life saver that tmux
provides. Give it a try.

------
drzaiusapelord
Pretty happy with the Kitty fork of putty, which is a lot less spartan with
features.

[https://www.fosshub.com/KiTTY.html](https://www.fosshub.com/KiTTY.html)

~~~
snksnk
And I would recommend MobaXterm, definitely also worth a try.

[http://mobaxterm.mobatek.net/](http://mobaxterm.mobatek.net/)

~~~
atomicUpdate
It's definitely very good and has a lot to offer, but I still can't justify
$70 for some reason. The free version offers enough functionality to be a very
good PuTTY alternative though.

~~~
petee
I was about to, until I read the fine print and realized it's $70 to buy, but
you'll only get updates for a year; after that you buy again or stick with
your current version - no bug fixes. Were there a more reasonable price for
non-commercial use, I would have no problem buying sooner.

On the other hand, it has the only windows Mosh implementation...the best
thing since sliced bread and tmux!

~~~
tokenizerrr
For mosh there's a cygwin build and also
[https://chrome.google.com/webstore/detail/mosh/ooiklbnjmhbcg...](https://chrome.google.com/webstore/detail/mosh/ooiklbnjmhbcgemelgfhaeaocllobloj)

------
INTPenis
Since I switched to cygwin for ssh on windows I haven't looked back, putty is
awful for someone coming from Linux normally and only forced to use Windows
for certain things.

~~~
aao
Yeah. I use a modified mintty-solarized-dark theme for cygwin, and symlinked
my windows home dir into the cygwin one.

I never got around on writing a blag about how to do this, but I like it a lot

~~~
INTPenis
Exactly the same for me, mintty with solarized theme because I use solarized
on all my other terminals in Fedora for example.

------
account1984
I used to use PuTTY as my go-to windows SSH client. After some time I decided
to integrate a piece of software with Pageant and I decided to open up the
source to PuTTY. The poor quality of the source code terrified me, it seemed
sort of "all over the place" and there seemed to be little to no concern for
security and defensive programming.

Secure software design and development is what I do for a living, so perhaps I
am a bit more paranoid than the casual user - but this is one of the most
widely deployed security tools in an enterprise, this shouldn't be "okay".
Some defensive efforts are just common sense and are recommended by your
compiler (eg. don't use sprintf and strcpy when you can snprintf and strncpy).
Also, it doesn't hurt to check error conditions consistently.

PS. To echo what a lot of folks have already said, how on earth can the author
implement cryptographic algorithms and simultaneously think there is any value
in publishing a hash of the binary "for security"? Using a hash as a means of
integrity validation in the context of security raises huge red flags about
the author's mindset.
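
An added example of the bounded-copy and error-checking practice this comment recommends; it is not PuTTY's code and not the commenter's, and the helper names `copy_checked`, `format_target` and `strncpy_terminates` are hypothetical. It also shows the caveat that `strncpy` leaves the buffer unterminated when the source fills it, while `snprintf` reports truncation through its return value.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy src into dst (capacity cap). Unlike strncpy,
 * it refuses input that does not fit and always leaves dst terminated.
 * Returns 0 on success, -1 on bad arguments or if src would be truncated. */
int copy_checked(char *dst, size_t cap, const char *src)
{
    if (dst == NULL || src == NULL || cap == 0)
        return -1;
    size_t len = strlen(src);
    if (len >= cap) {              /* need len + 1 bytes for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hypothetical helper: build "user@host". snprintf returns the length it
 * wanted to write, so n >= cap means the output was truncated. */
int format_target(char *dst, size_t cap, const char *user, const char *host)
{
    if (dst == NULL || user == NULL || host == NULL || cap == 0)
        return -1;
    int n = snprintf(dst, cap, "%s@%s", user, host);
    if (n < 0 || (size_t)n >= cap) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Shows the strncpy caveat: returns 1 if dst holds a NUL after the call,
 * 0 if strncpy filled all cap bytes and left the buffer unterminated. */
int strncpy_terminates(char *dst, size_t cap, const char *src)
{
    memset(dst, 'X', cap);
    strncpy(dst, src, cap);
    return memchr(dst, '\0', cap) != NULL;
}

int main(void)
{
    char buf[8], target[16];       /* constructed sample inputs below */
    printf("fits:      %d\n", copy_checked(buf, sizeof buf, "putty"));
    printf("too long:  %d\n", copy_checked(buf, sizeof buf, "pageant.exe"));
    printf("format:    %d\n", format_target(target, sizeof target, "root", "example.org"));
    printf("strncpy 5: %d\n", strncpy_terminates(buf, sizeof buf, "short"));
    printf("strncpy 8: %d\n", strncpy_terminates(buf, sizeof buf, "exactly8"));
    return 0;
}
```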

------
gcp
Putty used to be _the_ go-to tool for Windows SSH, but nowadays I'm using
Bitvise SSH client. It's worth a try.

~~~
el_duderino
Have you ever tried XShell5?
[https://www.netsarang.com/products/xsh_overview.html](https://www.netsarang.com/products/xsh_overview.html)

It's free for Home/school use. I have tried all Windows SSH clients, and it is
by far the best SSH client I have ever used.

~~~
hujun
+1 for xshell, tons of features and very good GUI, maybe secureCRT is still
the best, but xshell is very close, and it is free for home/school

------
Raticide
I've stopped using PuTTY and now use MinTTY with the Ubuntu subsystem and the
regular old Ubuntu SSH client. Specifically this thing:
[https://github.com/mintty/wsltty](https://github.com/mintty/wsltty)

It's real nice and even supports 24bit colour if you're into that.

~~~
ReverseCold
Another option: SSH inside WSL in windows 10.

~~~
Raticide
The default terminal was a bit limited for me, but I hear they're making big
improvements to it in later builds.

~~~
bubblethink
I tried that briefly too, and I couldn't launch screen. It seems to trigger
some old bug in screen. How far is the WSL terminal from the usual fanfare
(screen, tmux, proper colors in the terminal and text editors, and other edge
cases for scrollback etc.) ?

------
jjcm
Loved putty for years, but these days I've been using mosh over ssh. Having
persistent sessions and text prediction means no more dropped connections, no
more waiting a couple seconds if the wifi is buggy for whatever reason.
Personally I use chrome's mosh extension:
[https://chrome.google.com/webstore/detail/mosh/ooiklbnjmhbcg...](https://chrome.google.com/webstore/detail/mosh/ooiklbnjmhbcgemelgfhaeaocllobloj?hl=en)
Works great and I can pin it to my taskbar.

Relevant recent discussion on mosh:
[https://news.ycombinator.com/item?id=11572146](https://news.ycombinator.com/item?id=11572146)

~~~
JdeBP
The State Synchronization Protocol still does not have specification doco, as
far as I am aware.

------
nkkollaw
Amazing, I used to use it many, many years ago when I started developing, and
it's still a 0.x release...

Is there a reason to not call it 1.0?

~~~
lma21
You moved to another platform or another terminal?

~~~
nkkollaw
Another platform, used to use Windows, then Linux, then Mac.

------
ulkesh
Putty is great and has been for a very long time. Always glad to see it still
in active development.

Though, for Windows, once I found MobaXterm I never looked back. Of course on
the Linux side nothing to me beats tmux or terminator.

~~~
mkj
And the SSH part of MobaXterm is based on PuTTY

~~~
BrandoElFollito
Yes, and unfortunately you have to use the version in there (you can't upgrade
nor use another client). Otherwise I love mobaxterm and bought a few licenses.

------
antidaily
Pfft... not touching it until they get to a version 1.0 beta.

~~~
Pharylon
Lol. I wonder why they're still sub-1.0.

~~~
Aloha
Vanity version numbering is a thing.

------
sengork
I wish they would finally implement file transfers via copy/paste mechanism
inside an active terminal window. As far as I know this feature would be
unique across platforms.

If someone does know of an SSH terminal client that does this, please reply.

~~~
ianmcgowan
Reminds me of the bad old days of kermit and x/y/zmodem.
[http://www.extraputty.com/features/xmodem.html](http://www.extraputty.com/features/xmodem.html)
looks like a throwback to those days, over an ssh session. I wonder what you
have to run on the server side for it to work?

Does uuencode or base64 work for you? I use it a lot to move stuff (aka my
toolkit) to systems where I'm connected via citrix -> rdp -> ssh -> ssh.
Amazingly, it works fine, though it can be slow.

    
    
      $ uuencode sheet1.xml sheet1.xml | pbcopy
    

(switch to remote session)

    
    
      $ uudecode (paste, which varies depending on how I'm connected)
      $ ls -l sheet1.xml
    

Ta-da!

~~~
sengork
There is another throwback for me here when one of our clients had disabled
Citrix file transfers and only allowed text based clipboard (due to imposed
security policies).

So we had to:

    
    
      - zip a directory hierarchy or a single file uuencode
      - copy to shared clipboard
      - paste into a terminal on the other end using a here document
      - uudecode the output
      - checksum the source/destination copy for file integrity purposes
    

This worked on Windows too (using Notepad and saving the file as .uu for use
with WinZip). Luckily file transfers were not a frequent use case.

------
wst_
Years ago, when I worked on Windows, putty was a great soft. Since that time I
switched to MacOS/Linux with Fish shell at work and running just a simple ssh
command from terminal is a bliss. I still have Windows machine at home and I
am missing terminal every time I must click through to login to my remote
machine. Putty is no fun anymore... User interface has not been improved for
years and, sadly, it's not working for me anymore.

~~~
dingo_bat
Try WSL, I think it is a good putty substitute.

------
chrissnell
Putty is fantastically fast on Linux! I wish there was a way to use it as an
xterm replacement without having to SSH to localhost.

Has anybody figured out how to do this?

~~~
morecoffee
Putty is actually quite slow, due to not implementing AES with the Intel
intrinsics. Trying to transfer files using pscp, or WinSCP (which uses putty)
over a local network link runs into a CPU bottleneck.

------
scandox
Has much changed since this?

[https://noncombatant.org/2014/03/03/downloading-software-saf...](https://noncombatant.org/2014/03/03/downloading-software-safely-is-nearly-impossible/)

Related comments:
[https://news.ycombinator.com/item?id=9577861](https://news.ycombinator.com/item?id=9577861)

------
jwatte
I'd like the putty download to be over https and the installer to be signed.
Or, at least, sha512 hashes available on the https download site. As it is,
the download source for putty is one of the weakest chains in internet
security!

~~~
Sunset
The downloaded binary is served over https, it's signed.

------
arca_vorago
Putty always served me well when stuck on a windows boxen, so it's good to
know it hasn't been forgotten.

Two things for those of you who use putty I think would be mosh (chromium if
you have to, cygwin my preferred), and winscp.

------
moftz
When is PuTTY going to support URL highlighting? Even plain old xterm can do
it. Someone made a patch for it once but I'd rather have the support built in.

------
bobsgame
I've got 4 instances open right now. Thanks, Simon and co!

------
CyberMuz
The default colour scheme on Putty is not very good in my opinion. I know I can
change it manually but it would be nice if the default for new connections was
better.

------
xeeeeeeeeeeenu
Lack of Ed25519 support is a deal-breaker for me. It's one of the reasons
why I'm using SecureCRT instead.

~~~
krallja
Isn't Ed25519 support added in this release?

~~~
xeeeeeeeeeeenu
Oops, indeed, I somehow missed that.

------
bananaboy
PuTTY is one of the first things I install when setting up a new Windows
machine!

------
geoffmcc
Now if only I could click a link and have it open in a browser.

~~~
dannysu
I'm currently using a PuTTY fork called KiTTY and it has that feature as well:
[https://www.9bis.net/kitty/?page=URL%20hyperlinks](https://www.9bis.net/kitty/?page=URL%20hyperlinks)

