PuTTY 0.76

PuTTY is the de facto standard SSH client on Windows. The latest version at the time of writing is PuTTY 0.76, which was released on 2021-07-17. See [1] for the official download page.

This version comes with several bug fixes, quite a few of which fix regressions (not security-relevant) introduced in the previous version (0.75). See [2] for the full changelog.

Disconnect if authentication succeeds trivially

One new feature in this version is an option that controls how PuTTY acts if the server allows you to authenticate in a trivial manner [3]. A malicious server might use this in different attack scenarios, for example to attempt to retrieve otherwise confidential information. For instance, one idea might be a server which pops up a dialog that looks like the one PuTTY brings up for you to enter the passphrase for your own key. While this dialog would look slightly different from PuTTY’s, you might not spot the issue directly, since you’d expect the dialog to show up at this point (that is, it is what you would see if you had connected to the legitimate server). In the end you’d have compromised the security of your key, since you passed the passphrase along to the attacker.

The new option is located under Connection -> SSH -> Auth. To enable it, tick the box “Disconnect if authentication succeeds trivially”. Be aware that in order to save the option as a default setting, you must then go back to the Session category, select “Default Settings” and press “Save”. If you have other stored sessions there, you need to adjust and save the option for each of them as well.

If you don’t need to connect to a server using trivial authentication, it’s a good idea to enable this setting to reduce the likelihood of running into this or related attack scenarios.
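
Because the option has to be saved per session, it is easy to miss one. The following PowerShell sketch is an added example, not part of PuTTY or its documentation: it lists every saved session and whether the option is enabled, and can switch it on where it is missing. It assumes that saved sessions are stored under HKCU:\Software\SimonTatham\PuTTY\Sessions and that the option is written as the DWORD value SshNoTrivialAuth; verify both against one session you have configured by hand before relying on it.

```powershell
# Added example: audit PuTTY saved sessions for the trivial-auth protection.
# Assumptions (verify on your system): sessions are stored under the key
# below and the option is the DWORD value "SshNoTrivialAuth" (1 = enabled).
$SessionsKey = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
$ValueName   = 'SshNoTrivialAuth'

function Get-PuttyTrivialAuthStatus {
    param([string]$Root = $SessionsKey)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "No saved PuTTY sessions found under $Root"
        return
    }
    foreach ($key in Get-ChildItem -LiteralPath $Root) {
        # GetValue returns $null if the value was never written, e.g. for
        # sessions last saved by a PuTTY version older than 0.76.
        $raw    = $key.GetValue($ValueName, $null)
        $stored = if ($null -eq $raw) { 'absent' } else { $raw }
        [pscustomobject]@{
            # Session names are percent-encoded in the registry
            # ("Default%20Settings" is the "Default Settings" entry).
            Session   = [uri]::UnescapeDataString($key.PSChildName)
            Stored    = $stored
            Protected = ($raw -eq 1)
            KeyPath   = $key.PSPath
        }
    }
}

function Enable-PuttyTrivialAuthProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Root = $SessionsKey)

    $todo = Get-PuttyTrivialAuthStatus -Root $Root |
        Where-Object { -not $_.Protected }
    foreach ($s in $todo) {
        if ($PSCmdlet.ShouldProcess($s.Session, "Set $ValueName = 1")) {
            Set-ItemProperty -LiteralPath $s.KeyPath -Name $ValueName `
                -Value 1 -Type DWord
        }
    }
}

# Report first; review the list before changing anything.
Get-PuttyTrivialAuthStatus | Format-Table Session, Stored, Protected
# Preview the changes, then rerun without -WhatIf to apply them.
Enable-PuttyTrivialAuthProtection -WhatIf
```

Leave the option off for any session that legitimately connects to a server using trivial authentication, since PuTTY will disconnect from such a server once the option is set.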

References

[1] https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.76.html
[2] https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
[3] https://the.earth.li/~sgtatham/putty/0.76/htmldoc/Chapter4.html#config-ssh-notrivialauth