Introduce a new checkbox and command-line option to inhibit use of

Pageant for local authentication. (This is a `don't use Pageant for
authentication at session startup' button rather than a `pretend
Pageant doesn't exist' button: that is, agent forwarding is
independent of this option.)

git-svn-id: http://svn.tartarus.org/sgt/putty@6572 cda61777-01e9-0310-a592-d414129be87e

diff --git a/cmdline.c b/cmdline.c
index 112463c38c4fee46793a2f72c36526edab3554ea..39f57bbf6281ee58440c6c901c8cb90fe745f910 100644 (file)
--- a/cmdline.c
+++ b/cmdline.c
@@ -291,6 +291,19 @@ int cmdline_process_param(char *p, char *value, int need_save, Config *cfg)
        cmdline_password = value;
     }
 
        cmdline_password = value;
     }
 

+    if (!strcmp(p, "-agent") || !strcmp(p, "-pagent") ||
+       !strcmp(p, "-pageant")) {
+       RETURN(1);
+       UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
+       cfg->tryagent = TRUE;
+    }
+    if (!strcmp(p, "-noagent") || !strcmp(p, "-nopagent") ||
+       !strcmp(p, "-nopageant")) {
+       RETURN(1);
+       UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
+       cfg->tryagent = FALSE;
+    }
+

     if (!strcmp(p, "-A")) {
        RETURN(1);
        UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
     if (!strcmp(p, "-A")) {
        RETURN(1);
        UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);

diff --git a/config.c b/config.c
index 39da6c2a78b1a3b4f089f140c28c13795cd126e9..c844e05942827abece899de9002569f49cc1d2d3 100644 (file)
--- a/config.c
+++ b/config.c
@@ -1841,6 +1841,10 @@ void setup_config_box(struct controlbox *b, int midsession,
 
            s = ctrl_getset(b, "Connection/SSH/Auth", "methods",
                            "Authentication methods");
 
            s = ctrl_getset(b, "Connection/SSH/Auth", "methods",
                            "Authentication methods");

+           ctrl_checkbox(s, "Attempt authentication using Pageant", 'p',
+                         HELPCTX(ssh_auth_pageant),
+                         dlg_stdcheckbox_handler,
+                         I(offsetof(Config,tryagent)));

            ctrl_checkbox(s, "Attempt TIS or CryptoCard auth (SSH-1)", 'm',
                          HELPCTX(ssh_auth_tis),
                          dlg_stdcheckbox_handler,
            ctrl_checkbox(s, "Attempt TIS or CryptoCard auth (SSH-1)", 'm',
                          HELPCTX(ssh_auth_tis),
                          dlg_stdcheckbox_handler,

diff --git a/doc/config.but b/doc/config.but
index 4281f6c8914cc236d3d1aab86d3c129ad56527cd..d0ec32e5951a25f10ffc4a8c167cd483e05bf984 100644 (file)
--- a/doc/config.but
+++ b/doc/config.but
@@ -2310,6 +2310,24 @@ unwanted username prompts, you could try checking this option.
 This option only affects SSH-2 connections. SSH-1 connections always
 require an authentication step.
 
 This option only affects SSH-2 connections. SSH-1 connections always
 require an authentication step.
 

+\S{config-ssh-tryagent} \q{Attempt authentication using Pageant}
+
+\cfg{winhelp-topic}{ssh.auth.pageant}
+
+If this option is enabled, then PuTTY will look for Pageant (the SSH
+private-key storage agent) and attempt to authenticate with any
+suitable public keys Pageant currently holds.
+
+This behaviour is almost always desirable, and is therefore enabled
+by default. In rare cases you might need to turn it off in order to
+force authentication by some non-public-key method such as
+passwords.
+
+This option can also be controlled using the \c{-noagent}
+command-line option. See \k{using-cmdline-agentauth}.
+
+See \k{pageant} for more information about Pageant in general.
+

 \S{config-ssh-tis} \q{Attempt \I{TIS authentication}TIS or
 \i{CryptoCard authentication}}
 
 \S{config-ssh-tis} \q{Attempt \I{TIS authentication}TIS or
 \i{CryptoCard authentication}}
 

diff --git a/doc/pageant.but b/doc/pageant.but
index 548aa8bf44281262706fe26be315e7f272593462..f84fb64d159a2c44ebf2cb4f7ea7349f2fe98965 100644 (file)
--- a/doc/pageant.but
+++ b/doc/pageant.but
@@ -42,6 +42,10 @@ automatically from Pageant, and use it to authenticate. You can now
 open as many PuTTY sessions as you like without having to type your
 passphrase again.
 
 open as many PuTTY sessions as you like without having to type your
 passphrase again.
 

+(PuTTY can be configured not to try to use Pageant, but it will try
+by default. See \k{config-ssh-tryagent} and
+\k{using-cmdline-agentauth} for more information.)
+

 When you want to shut down Pageant, click the right button on the
 Pageant icon in the System tray, and select \q{Exit} from the menu.
 Closing the Pageant main window does \e{not} shut down Pageant.
 When you want to shut down Pageant, click the right button on the
 Pageant icon in the System tray, and select \q{Exit} from the menu.
 Closing the Pageant main window does \e{not} shut down Pageant.

diff --git a/doc/using.but b/doc/using.but
index 663aa057c724f57555ffe259937abd484b1b3b72..1aa221153b94fd23fe01dc41c1cae20f31b78dc2 100644 (file)
--- a/doc/using.but
+++ b/doc/using.but
@@ -685,6 +685,22 @@ Note that the \c{-pw} option only works when you are using the SSH
 protocol. Due to fundamental limitations of Telnet and Rlogin, these
 protocols do not support automated password authentication.
 
 protocol. Due to fundamental limitations of Telnet and Rlogin, these
 protocols do not support automated password authentication.
 

+\S2{using-cmdline-agentauth} \i\c{-agent} and \i\c{-noagent}:
+control use of Pageant for authentication
+
+The \c{-agent} option turns on SSH authentication using Pageant, and
+\c{-noagent} turns it off. These options are only meaningful if you
+are using SSH.
+
+See \k{pageant} for general information on \i{Pageant}
+
+These options are equivalent to the agent authentication checkbox in
+the Auth panel of the PuTTY configuration box (see
+\k{config-ssh-tryagent}).
+
+These options are not available in the file transfer tools PSCP and
+PSFTP.
+

 \S2{using-cmdline-agent} \I{-A-upper}\c{-A} and \i\c{-a}: control \i{agent
 forwarding}
 
 \S2{using-cmdline-agent} \I{-A-upper}\c{-A} and \i\c{-a}: control \i{agent
 forwarding}
 

diff --git a/putty.h b/putty.h
index f1733407deec007c57113ac771dc6b63705f7c03..ae417391f60aa873bcfcd71ade63d585bbd3f17a 100644 (file)
--- a/putty.h
+++ b/putty.h
@@ -432,6 +432,7 @@ struct config_tag {
     int ssh_kexlist[KEX_MAX];
     int ssh_rekey_time;                       /* in minutes */
     char ssh_rekey_data[16];
     int ssh_kexlist[KEX_MAX];
     int ssh_rekey_time;                       /* in minutes */
     char ssh_rekey_data[16];

+    int tryagent;

     int agentfwd;
     int change_username;              /* allow username switching in SSH-2 */
     int ssh_cipherlist[CIPHER_MAX];
     int agentfwd;
     int change_username;              /* allow username switching in SSH-2 */
     int ssh_cipherlist[CIPHER_MAX];

diff --git a/settings.c b/settings.c
index 98eefce3b3261e2535981a68c2f4648d2afb7bf9..76d02c0f5cd5fc6caf600c4a315e7f01b072ab20 100644 (file)
--- a/settings.c
+++ b/settings.c
@@ -297,6 +297,7 @@ void save_open_settings(void *sesskey, int do_host, Config *cfg)
     write_setting_s(sesskey, "LocalUserName", cfg->localusername);
     write_setting_i(sesskey, "NoPTY", cfg->nopty);
     write_setting_i(sesskey, "Compression", cfg->compression);
     write_setting_s(sesskey, "LocalUserName", cfg->localusername);
     write_setting_i(sesskey, "NoPTY", cfg->nopty);
     write_setting_i(sesskey, "Compression", cfg->compression);

+    write_setting_i(sesskey, "TryAgent", cfg->tryagent);

     write_setting_i(sesskey, "AgentFwd", cfg->agentfwd);
     write_setting_i(sesskey, "ChangeUsername", cfg->change_username);
     wprefs(sesskey, "Cipher", ciphernames, CIPHER_MAX,
     write_setting_i(sesskey, "AgentFwd", cfg->agentfwd);
     write_setting_i(sesskey, "ChangeUsername", cfg->change_username);
     wprefs(sesskey, "Cipher", ciphernames, CIPHER_MAX,


@@ -556,6 +557,7 @@ void load_open_settings(void *sesskey, int do_host, Config *cfg)
         sizeof(cfg->localusername));
     gppi(sesskey, "NoPTY", 0, &cfg->nopty);
     gppi(sesskey, "Compression", 0, &cfg->compression);
         sizeof(cfg->localusername));
     gppi(sesskey, "NoPTY", 0, &cfg->nopty);
     gppi(sesskey, "Compression", 0, &cfg->compression);

+    gppi(sesskey, "TryAgent", 1, &cfg->tryagent);

     gppi(sesskey, "AgentFwd", 0, &cfg->agentfwd);
     gppi(sesskey, "ChangeUsername", 0, &cfg->change_username);
     gprefs(sesskey, "Cipher", "\0",
     gppi(sesskey, "AgentFwd", 0, &cfg->agentfwd);
     gppi(sesskey, "ChangeUsername", 0, &cfg->change_username);
     gprefs(sesskey, "Cipher", "\0",

diff --git a/ssh.c b/ssh.c
index 7e183880bcbb16a7d9756c0755bea738c0c437cc..aa619e3e8e5366a9931f974d764157acdc71dab2 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -3222,7 +3222,7 @@ static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
     while (pktin->type == SSH1_SMSG_FAILURE) {
        s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
 
     while (pktin->type == SSH1_SMSG_FAILURE) {
        s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
 

-       if (agent_exists() && !s->tried_agent) {
+       if (ssh->cfg.tryagent && agent_exists() && !s->tried_agent) {

            /*
             * Attempt RSA authentication using Pageant.
             */
            /*
             * Attempt RSA authentication using Pageant.
             */


@@ -6613,7 +6613,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
        s->nkeys = 0;
        s->agent_response = NULL;
        s->pkblob_in_agent = NULL;
        s->nkeys = 0;
        s->agent_response = NULL;
        s->pkblob_in_agent = NULL;

-       if (agent_exists()) {
+       if (ssh->cfg.tryagent && agent_exists() && ssh->cfg.tryagent) {

 
            void *r;
 
 
            void *r;
 

diff --git a/unix/uxplink.c b/unix/uxplink.c
index 90b151f790872c60754456ab4e22b355da9e5bc7..0e27366e8c5ddbf6fe3ed580307f5392780bde43 100644 (file)
--- a/unix/uxplink.c
+++ b/unix/uxplink.c
@@ -628,8 +628,6 @@ int main(int argc, char **argv)
            if (!*cfg.host) {
                char *q = p;
 
            if (!*cfg.host) {
                char *q = p;
 

-                do_defaults(NULL, &cfg);
-

                /*
                 * If the hostname starts with "telnet:", set the
                 * protocol to Telnet and process the string as a
                /*
                 * If the hostname starts with "telnet:", set the
                 * protocol to Telnet and process the string as a

diff --git a/windows/winhelp.h b/windows/winhelp.h
index 750d37943f7fb8e04fc3b78e593aa0aaff14e079..40fcf724fe5d7f7db55ca4b329a7f8f8a11adbc4 100644 (file)
--- a/windows/winhelp.h
+++ b/windows/winhelp.h
@@ -99,6 +99,7 @@
 #define WINHELP_CTX_ssh_auth_privkey "ssh.auth.privkey"
 #define WINHELP_CTX_ssh_auth_agentfwd "ssh.auth.agentfwd"
 #define WINHELP_CTX_ssh_auth_changeuser "ssh.auth.changeuser"
 #define WINHELP_CTX_ssh_auth_privkey "ssh.auth.privkey"
 #define WINHELP_CTX_ssh_auth_agentfwd "ssh.auth.agentfwd"
 #define WINHELP_CTX_ssh_auth_changeuser "ssh.auth.changeuser"

+#define WINHELP_CTX_ssh_auth_pageant "ssh.auth.pageant"

 #define WINHELP_CTX_ssh_auth_tis "ssh.auth.tis"
 #define WINHELP_CTX_ssh_auth_ki "ssh.auth.ki"
 #define WINHELP_CTX_selection_buttons "selection.buttons"
 #define WINHELP_CTX_ssh_auth_tis "ssh.auth.tis"
 #define WINHELP_CTX_ssh_auth_ki "ssh.auth.ki"
 #define WINHELP_CTX_selection_buttons "selection.buttons"