PuTTY in your hands: SSH client gets patched after RSA key exchange memory vuln spotted

Venerable SSH client PuTTY has received a pile of security patches, with its lead maintainer admitting to The Register that one fixed a "'game over' level vulnerability". The fixes implemented in PuTTY over the weekend include new features plugging a plethora of vulns in the Telnet and SSH client, most of which were …

  1. Anonymous Coward

    PuTTY's days are numbered

    I seem to recall PuTTY has had a mixed history when it comes to security (e.g. IIRC there was a period where they had a trojanised copy hosted on the official website for quite some time before it got noticed).

    Fortunately PuTTY's days are numbered. One of the best reasons to upgrade to the latest version of Windows (server or desktop) is that it now comes with OpenSSH built-in (you just have to activate the option in control panel).

    Linux, OS X and Solaris users of course have no reason to be using PuTTY in the first place. ;-)

    P.S. Yes I know some smart alec will come saying that some people "have to use" old versions of Windows. To that I will say, if you really, really have to, then you really, really should know how to take care of yourself in terms of security and probably source your SSH more carefully than downloading a pre-compiled binary off a random website.

    1. Lee D Silver badge

      Re: PuTTY's days are numbered

      I'm not sure I trust Microsoft to keep the Windows OpenSSH client properly updated any more than I do a random bunch of volunteers to be honest.

      At least you can compile and verify the PuTTY code. God knows what's actually in the Windows OpenSSH code.

      1. Anonymous Coward

        Re: "God knows what's actually in the Windows OpenSSH code."

        If you want to do a code audit of their OpenSSH then as per https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview, you can look here https://github.com/PowerShell/openssh-portable.

        For any mere mortal who doesn't speak C++, I'd still suggest the built-in version of OpenSSH is something Microsoft ought to be commended for. Late yes, but better late than never!

      2. Robert Helpmann?? Silver badge
        Childcatcher

        Re: PuTTY's days are numbered

        At least you can compile and verify the PuTTY code. God knows what's actually in the Windows OpenSSH code.

        Code review is not the only tool in deciding if a given piece of software is secure, so it is best not to overstate the importance of open source vs closed in terms of security. Also, while the pros and cons of each are debated below, I would like to point out the consideration of increasing your attack surface by installing third party tools to do something that is already baked into the OS. In general, this should be avoided though YMMV.

        1. rcxb Bronze badge

          Re: PuTTY's days are numbered

          "I would like to point out the consideration of increasing your attack surface by installing third party tools to do something that is already baked into the OS. In general, this should be avoided though YMMV."

          So YOU'RE the guy who is still using Internet Explorer / Edge... keeping the stats hovering above zero.

      3. Dan 55 Silver badge

        Re: PuTTY's days are numbered

        God knows what's actually in the Windows OpenSSH code.

        It's probably quite easy to maintain, they probably only added telemetry (check out the recently open-sourced MS calculator).

    2. A Non e-mouse Silver badge

      Re: PuTTY's days are numbered

      One of the best reasons to upgrade to the latest version of Windows (server or desktop) is that it now comes with OpenSSH built-in

      This passed me by. According to this MS article, it's in Windows 10 & Server 2019 as of autumn 2018.

      It would be nice if they back ported it to Server 2016.

      1. stiine Bronze badge
        FAIL

        Re: PuTTY's days are numbered

        It would suit me if they took the developers working on this and moved them to removing the existing bugs from Windows.

        1. A Non e-mouse Silver badge

          Re: PuTTY's days are numbered

          I think you're being a little harsh here. The Microsoft of 2019 is not the Microsoft of Ballmer's era.

      2. bombastic bob Silver badge
        WTF?

        Re: PuTTY's days are numbered

        this is a pathetic reason to "up" (read: down) grade to Win-10-nic or windows server 2019.

        Whatever happened to compiling OpenSSH (etc.) and just installing it? And put all of the DLLs where other programs can access them?

        Isn't there an open source version of OpenSSH available that compiles on windows?? OK there's a Cygwin version, yeah. I suspect that making that a MinGW version wouldn't be all that difficult...

        So why not just do THAT if you need an open source OpenSSH ??? And it wouldn't have restrictions on it, like "only Win-10-nic" or "only server 2019" or "only if you have a Pro version" yotta yotta.

        1. Orv Silver badge

          Re: PuTTY's days are numbered

          A big issue with command-line SSH on Windows is the Windows console is decidedly NOT xterm-compatible, and most hosts you'd be logging into will expect an xterm or at least a VT-100. So you're going to have to use some kind of terminal emulator anyway. PuTTY just happens to package that with an SSH client.

        2. gerdesj Silver badge
          Paris Hilton

          Re: PuTTY's days are numbered

          "Isn't there an open source version of OpenSSH available that compiles on windows"

          If you are doomed to running Windows 10 and have 1603 or above installed then have a look on your c: drive, in the root and under c:\windows and c:\windows\system32. There will be some directories that look suspiciously Unix related. c:\windows\system32\openssh for example.

    3. simpfeld

      Re: PuTTY's days are numbered

      I had an (admittedly quick) look at this and can't see a way to make it do GSSAPI/Kerberos, which PuTTY does well (i.e. no password when going from AD joined Windows to Linux).

      Does this feature work?

      1. Anonymous Coward

        Re: "can't see a way to make it do GSSAPI/Kerberos"

        Judging by this Github merge (https://github.com/PowerShell/openssh-portable/pull/360) it should be possible? (Not sure on the time delta between github merge and Windows Update, might depend on the release schedule your Windows system is set to).

    4. phuzz Silver badge

      Re: PuTTY's days are numbered

      "Linux, OS X and Solaris users of course have no reason to be using PuTTY in the first place"

      I had to use a MacBook for a week recently, and Putty was one of the things I missed most. (That and Notepad++. And proper mouse buttons).

      Sure there's programs that do the same thing, but they weren't the ones I was used to damnit!

      1. Anonymous Coward

        Re: PuTTY's days are numbered

        "Sure there's programs that do the same thing, but they weren't the ones I was used to damnit!"

        OpenSSH is available on the command line of OS X. I'm not entirely sure why you'd want any third-party software when you've got the original already there and waiting? Or have I misunderstood the point you were making?

        1. bombastic bob Silver badge
          Devil

          Re: PuTTY's days are numbered

          Ack. He was spoiled by a GUI front-end, I see. "the ones I was used to". Yeah I think I had to spend at least a minute learning the ssh command line when I first used it, too.

          Hint: "man ssh" (this works on OSX as I recall - I don't have a Mac handy to verify it with). I use this (literally) ALL of the time (a remote shell to a VM running Linux, to test stuff - left logged in on one of my desktops on a FreeBSD machine). That and scp also, making backups etc.. And sftp works really well with my web site. Who needs "authoring tools", am I right?

          One thing I _LOVE_ about Mac OSX is that its userland was forked from FreeBSD 5 and so I can just jump in there and do stuff and it WORKS.

          1. katrinab Silver badge
            WTF?

            Re: PuTTY's days are numbered

            People who like GUI front-ends don’t use ssh surely?

            Given you are going to be using the command line anyway, ‘ssh user@server’ is not a big problem.

            1. Pier Reviewer

              Re: PuTTY's days are numbered

              “People who like GUI front-ends don’t use ssh surely?”

              X forwarding. Not sure what liking GUIs has to do with the price of fish. SSH is an amazingly versatile tool. I make extensive use of it every working day. Most of that is simply for a remote terminal. Some of it is not.

          2. phuzz Silver badge

            Re: PuTTY's days are numbered

            man is rarely helpful unless you already know how to use the program, and what you want to use it for (and what terminology this particular program uses). Would it hurt them to have a single example?

            Anyway, I use ssh quite a lot (from the second hop onwards generally), but, to pick a random example, I can't alter any ssh tunnels (or any other setting) without closing my connection and restarting it.

            1. Hans 1 Silver badge
              Thumb Up

              Re: PuTTY's days are numbered

              I see you have just volunteered to add a few examples.

              To get you jumpstarted, here are the sources:

              https://github.com/freebsd/freebsd/tree/master/crypto/openssh

              Thanks for your time, we all really appreciate it!

              1. phuzz Silver badge

                Re: PuTTY's days are numbered

                As far as I can tell, examples are not used in man pages for commands anywhere in linux (which is odd because they're recommended in the style guide for man). Many commands don't even include a simple description in the DESCRIPTION part of their man file (for example, less, which proudly informs you that it is similar to more but has 'many more features'. Alas, nowhere does it mention that it's a program for displaying the contents of a file).

                So I suspect that even if I did show up with some new documentation containing lovely examples of how commands should, and can be used, they'd be thrown out as 'not being in the spirit'.

                Compare and contrast when practicality rather than ideology is the driver between writing documentation, eg.

      2. tin 2

        Re: PuTTY's days are numbered

        I've been using a MBP for (by far) my main machine for 3 years, and I still very sorely miss PuTTY.

        1. El Al

          Re: PuTTY's days are numbered

          If you miss it that badly, go out and buy Van Dyke's excellent SecureCRT. I've been using it (mostly on Windows) for nearly 20 years now and always much preferred it to PuTTY.

    5. alain williams Silver badge

      Re: PuTTY's days are numbered

      I seem to recall PuTTY has had a mixed history when it comes to security (e.g IIRC there was a period where they had a trojanised copy hosted on the official website for quite some time before it got noticed).

      PuTTY on MS Windows has a much greater problem than a, now fixed, trojan copy of PuTTY.

      The whole operating system is a trojan, it has an in-built key logger. You are supposed to be able to turn key logging off, but you can't completely switch off telemetry, what gets sent is encrypted (from the machine owner) -- so how do you verify that key stroke stealing is really disabled?

      I will not use PuTTY on a Windows machine - I would just not feel safe.

      1. Roland6 Silver badge

        Re: PuTTY's days are numbered

        >The whole operating system is a trojan, ...

        so how do you verify that key stroke stealing is really disabled?

        I will not use PuTTY on a Windows machine - I would just not feel safe.

        So you don't use Windows 10 at all for secure communications then, as the key/activity logging problem is an OS problem not a problem specific to PuTTY.

    6. Anonymous Coward

      Re: PuTTY's days are numbered

      "I seem to recall PuTTY has had a mixed history when it comes to security (e.g IIRC there was a period where they had a trojanised copy hosted on the official website for quite some time before it got noticed)."

      I think that might be two different things. There was a trojanised version of PuTTY reported in the wild but it hadn't come from the official site or the mirrors. And for a while some of the AV vendors were reporting PuTTY binaries as containing malware, but they were always shown to be false positives. I haven't heard of a case where the official site was distributing an actual trojanised version.

    7. bombastic bob Silver badge
      Meh

      Re: PuTTY's days are numbered

      on windows I prefer to use Cygwin's ssh implementation.

      on POSIX systems, I just use the built-in ssh.

      Seriously, PuTTY could have wrapped the existing ssh program with a simple GUI and probably would have avoided most of these problems. If it were to ship with a portable version of ssh, and maybe a handful of patch files to put the magic into it more easily than dealing with Windows' pathetic handling of console applications and stdin/stdout/stderr re-direction, then a lot of these problems wouldn't be problems any more.

      Just a thought - maybe PuTTY could get a re-write to do it this way... [then you just need to maintain the GUI and keep the back-end up to date with all of the relevant patches]

    8. Dazed and Confused
      Flame

      Re: PuTTY's days are numbered

      > P.S. Yes I know some smart alec will come saying that some people "have to use" old versions of Windows.

      Well I have to run an old version of windows because the new one is so totally unstable it means I can't use it! I PuTTY (or otherwise SSH) into a system, kick off some command that'll take more than a few minutes to run. Wander off for a cup of coffee and when I come back some wanker from M$ has decided that since I wasn't fondling the keyboard then now would be a great time to reboot.

      You might argue that rebooting to load updates is good practice. Sure.

      Well down time is still down time whether it's caused by BSOD (with its pretty new shade of blue) or whether it's caused by planned downtime which was planned by some cretin who has no idea that people actually use their PCs to do some work on.

      1. Dave559

        Re: PuTTY's days are numbered

        @Dazed and Confused: You should look into installing GNU Screen or tmux on the remote host that you are ssh'ing in to. That will let your terminal session continue uninterrupted (and resumable later) even if the local end gets disconnected.

    9. arctic_haze Silver badge
      Holmes

      Re: PuTTY's days are numbered

      Yes, its days will be over when we all die.

    10. Anonymous Coward

      Re: PuTTY's days are numbered

      You recall incorrectly: The official site never hosted a trojan'd copy of PuTTY. Meanwhile, thousands of popular apps would have a trojan'd version available from an unofficial source.

      The PuTTY changelog shows a pretty good track record of security, actually.

      Your FUD goes both ways: Why trust Microsoft's build of openssh over PuTTY? They might have built any number of security holes into their binary. They definitely have a mixed history when it comes to security.

    11. A.A.Hamilton

      Re: PuTTY's days are numbered

      Don't know why so many people down-voted this. Seems like good advice - tough, but good advice. You need to be tough because those brain damaged individuals out there who create malware don't give a shit about you or the damage they cause.

  2. Lee D Silver badge

    I find it strange that the one piece of software that we ALL rely on for security in IT, and pretty much the only used Windows SSH client, is basically operated by one volunteer in charge of a small team of volunteers. We have far too many of those kinds of things in our ecosystem, even if they are nice guys(*).

    PuTTY is one of those tools that I have installed locally on workstations - because when the mess hits the fan and you need to SSH/telnet into a RAID or network controller or whatever to fix things, you don't want those tools to be sitting on a network storage.

    (* Simon's a nice guy. Helped me when I was porting his puzzle collection and ran across a very mysterious bug that turned out to be a glibc bug when memcpy'ing negative signed char values - he disassembled an ARM binary to find that for me.)

    1. Anonymous Coward

      "basically operated by one volunteer in charge of a small team of volunteers"

      Isn't that basically the story of Open Source?

      For example, OpenBSD has the infamous Theo who lords it over his small team of trusted coders? Or Linus on Linux?

      I always laugh when people say Open Source is more secure.

      In the end, unless you speak fluent C++ (with a security specialisation to boot), you're still trusting "someone else" to deliver secure and reliable code. Or you're still trusting "someone else" to review the code for you in a timely manner.

      Let's face it, most people don't speak fluent C++ (and even fewer know what to look for in terms of security) and so you just blindly install packages (or blindly compile source) and so in that respect it's really not much different to commercial software!

      1. John Robson Silver badge

        Re: "basically operated by one volunteer in charge of a small team of volunteers"

        You don't necessarily have to validate anything yourself - but the availability of the source code means that anyone can.

        Yes, this includes the black hats - but it also includes the white hats (in this case sponsored by the EU).

        With closed source (deliberately not conflating commercial/non-commercial with closed/open source) you can't do this nearly as easily.

        Open source doesn't guarantee security any more than closed source does - but one thing is for sure. If there is an open source program which people rely on, and it has a security bug - it will get fixed.

        If it's closed source and the company has decided that there is more money in the latest shiny thing - then you're completely out of luck.

        It's that OSS is *more* secure than closed source, but then it isn't natively less secure either. Certainly at or around EOL then OSS becomes much more secure-able.

        1. Anonymous Coward

          "has decided that there is more money in the latest shiny thing"

          There's a lot of old open source code that no longer gets any fix too. Sure, you can still try to fix it yourself - but if the fix isn't trivial, it would require someone with the proper skills - and even if you can find someone, it could still cost $$$$$.

          While often commercial software is more interested in backward compatibility than open source one - after all, it's free...

          But it's true that once a commercial software is no longer updated you have no chance but to switch to something else, and may be costly as well.

          Both "worlds" have advantages and disadvantages - use what fits your real needs, and avoid ideological stances that will only put you in trouble.

        2. devempty

          "but the availability of the source code means that anyone can."

          "but the availability of the source code means that anyone can." is the old excuse trotted out by the open source fanboys.

          Unfortunately it doesn't hold up to any degree of scrutiny:

          • You are assuming "someone(s)" will "always" review the code

          • You are assuming the "someone(s)" who do the code review are suitably qualified to do so and up-to date on their skillset

          • You are assuming same "someone(s)" will review the code in a timely manner

          • You are assuming same "someone(s)" will review the code after each new commit which might introduce new vulnerabilities or re-open old wounds.

          • These "someone(s)" lead a real life with jobs / family / other commitments

          • There are millions of Open Source projects out there and only a limited number of suitably qualified "someone(s)" to do the volunteer code audits for you

          • The lower down the "free publicity" chain the "someone(s)" will get for finding bugs in your Open Source code, the less chance of them "volunteering" their time to audit

          • In this day and age, the "someone(s)" are expecting a payment in return. If you're not offering a bounty, and you're not a high-profile open source project, the chances of a quality "someone" doing a code audit for you is remote!

          Need I go on?

          1. The Mole

            Re: "but the availability of the source code means that anyone can."

            You don't need to go on, but I'm not actually sure what your point is.

            Open source doesn't automatically mean better security. I think everybody agrees there. But it does lend itself to more opportunities for review, and for highly popular/mission critical projects they are more likely to get review.

            Closed source has all the same problems as open source, except that there is no opportunity for outside people to look at the code and do security audits. Most firms don't have people suitably qualified to do reviews and play mere lip service to secure coding and security - enough to tick whatever boxes they face.

            I also think that code in public view is more likely (but not guaranteed) to be of better quality than closed source code purely because the developers know that everybody (including their next employer) can look at it and psychologically this makes you work better than in a closed source business where your manager is urging you to fix the bug asap. A massive generalisation and there will be plenty of exceptions (some firms do have rigorous code review, some people are just perfectionists etc) but as a trend I think it is probably true.

            1. Anonymous Coward

              "except that there is no opportunity for outside people to look at the code and do security audits"

              That's not true for commercial code as well. While it is true it is not "open" to everybody, it doesn't mean it is not available to skilled people doing reviews and audits under some form of NDA.

              The quality of code is only proportional to the ones in charge of it. The pressure to release something new is more an issue for the quality of code than other ones, in my experience - and it is true commercial software may feel such pressure more than open source projects - but once there is a commercial entity needing money (investments, etc.) behind an open source project, that pressure arises as well. Projects that can be developed at their own pace may be luckier.

            2. bombastic bob Silver badge
              Linux

              Re: "but the availability of the source code means that anyone can."

              With open source, it's also easier to:

              a) apply your own patches

              b) apply patches someone else published to get a fix in right away

              c) get the patched version compiled and installed in your system before a package has been made available

          2. Anonymous Coward

            "You are assuming "someone(s)" will "always" review the code"

            Not surprisingly, here there is a financial incentive in reviewing the code. As the number of open source lines of code greatly increased, the quality of reviews may decrease - unless someone pays for it. But not all projects may benefit from such incentives.

          3. emullinsabq
            Stop

            Re: "but the availability of the source code means that anyone can."

            None of the assumptions you cite are actually made by the quote you referenced.

      2. MacroRodent Silver badge

        Re: "basically operated by one volunteer in charge of a small team of volunteers"

        Or Linus on Linux ?

        The team Linus is "lording over" isn't exactly small these days, and he is also no longer such a critical resource as many people think he is. Recall he took a longer leave last year, and his "lieutenants" kept things chugging along.

        1. Anonymous Coward

          Re: "basically operated by one volunteer in charge of a small team of volunteers"

          The Linux Foundation alone has 150 employees, plus all the people who submit patches from corporate members and others.

          Those who believe that Linux is still an effort by a small group of open source idealists are totally wrong - now it's the product of many corporate interests.

          1. A Non e-mouse Silver badge

            Re: "basically operated by one volunteer in charge of a small team of volunteers"

            See the developer statistics for the 5.0 kernel over at lwn.net.

            Intel top the charts as the biggest contributor to the 5.0 kernel. Depending on how you chop the statistics, Facebook, Red Hat, IBM & Google (Among others) appear in the top ten too.

      3. A.P. Veening Silver badge

        Re: "basically operated by one volunteer in charge of a small team of volunteers"

        "In the end, unless you speak fluent C++ (with a security specialisation to boot), you're still trusting "someone else" to deliver secure and reliable code. Or you're still trusting "someone else" to review the code for you in a timely manner."

        Even if that is the case, you still have to trust the compiler (and the compiler's compiler).

        1. Fonant

          Re: "basically operated by one volunteer in charge of a small team of volunteers"

          ...and the operating system...

          ...and the hardware...

          1. Dazed and Confused

            Re: "basically operated by one volunteer in charge of a small team of volunteers"

            > ...and the hardware...

            And now we all know that you can't trust the hardware.

      4. Lee D Silver badge

        Re: "basically operated by one volunteer in charge of a small team of volunteers"

        Think of it like a plane component.

        You can either say "Trust Boeing, they know what they are doing, of course they won't show you the specifications and plans for their kit".

        Or you can say "Hey, look, all the specifications, limits, designs, blueprints and diagrams for this component are available for aviation specialists and security experts to inspect."

        Sure, the latter lets the terrorists find the weaknesses in our aircraft components. But it also lets people *other* than the original creators look and verify if even what Boeing says they are doing is true (how do you even know whether the updates they push out to their planes even changed a single byte of the program?).

        The latter has risks but, in the long run, those risks can be enumerated, identified and eliminated. The former - you can't even tell if there's a risk, let alone how many there might be, if they are ever fixed, or not.

        Of course, Boeing / Microsoft won't give out their blueprints willingly. And those blueprints being freely available doesn't mean we can all check them to see if the plane is safe. But would you rather fly in a plane where engineers, safety experts, the FAA / CAA, other manufacturers etc. can all verify every aspect of the design at any time, even if it's beyond you personally, or one where you have to just "trust Boeing"?

        It's not "more secure". It's "more open about its security/insecurity". There's a difference. In the same way that the lockpicking lawyer can open even mainstream "secure" padlocks that people send him in a matter of minutes, you can either buy a black box and trust your security to it... or you can get a design that an expert takes one look at, including every single detail, and goes "Woah... how the hell will I get into this one? It's been designed to counter everything I want to do." or, equally, "They didn't even stop you poking right past the pins and just triggering the release directly? Oh come on, people."

        1. Anonymous Coward

          "Sure, the latter lets the terrorists"

          No, the latter lets the competition clone your designs without any effort at design themselves, or even at reverse engineering, and sorry, in some industries that's not acceptable at all, you won't stay in the market, and will go bankrupt soon.

          That's why you need a third party like the FAA (should have been...) doing the required reviews and checks - but still under an NDA which forbids them to deliver everything to the competition.

          1. DCFusor Silver badge

            Re: "Sure, the latter lets the terrorists"

            If the competition has to clone your design, they won't be competition for all that long. If you really are the goose that lays the golden eggs, just lay another. The customer we did embedded product development for had people (you know which country) cloning their stuff. Usually took 6 months or so, and we rarely even set the bits that make it hard to extract the code from the uP. Because we had a reputation the cloners couldn't match with the real customers (phone companies and architects in this case) - and by the time that other country's vendor had a clone - we had a newer better product out, usually cheaper too. We just left them in the dust.

            If you can't compete, GTFO.

            I see why the AC now...

            1. the hatter

              Re: "Sure, the latter lets the terrorists"

              Your argument follows when talking about bespoke products for small markets with ongoing changing needs. It's completely backwards for a company selling volume of a highly regulated/certified product. There's little reason not to have your new 737 be pretty much identical to the current model from 5 years ago, if it costs a lot less from a cloner. And no reason for boeing to spend millions/billions on making substantive developments just to ship a better model each week, meanwhile cloners could happily keep up for more modular tweaks and fixes made to older models. Both aircrew and maintenance crew benefit from a very standardised product that doesn't have big changes between each plane they touch.

        2. DCFusor Silver badge

          Re: "basically operated by one volunteer in charge of a small team of volunteers"

          Downvote must have been from Boeing or a sub, seeing a ton of that on other forums, where it's just obvious the post doesn't deserve it - and usually wouldn't get one. Nowadays, it seems the PR/Marketing dept of many outfits seems to think they can just censor and keep on doing things wrong profitably.

          Bonus for LPL reference - I've recently been entertained by him myself.

          The choice really is between "no review possible" as NDAs aren't even offered for that most times, and "at least a little" - maybe a lot. I'll pick the latter every time. I think it's really good news that now and then someone sponsors this sort of thing, as most OSS projects can't afford it. And well, I do speak most of the programming languages if I need to scratch an itch, but it's not that common that I fix someone else's code. Bugs are HARD to find by inspection, but when a bug or vuln is found, they're often easy to pinpoint in the source...but only if you have the source.

          Try getting source to Boeing's MCAS code - wanna bet it's not available at any price or with any NDA?

          Even without full design info that would allow you to inspect the whole system for system class errors.

      5. KegRaider

        Re: "basically operated by one volunteer in charge of a small team of volunteers"

        ReiserFS is a stark reminder of the problems having all your developer eggs in one basket.

      6. HieronymusBloggs

        Re: "basically operated by one volunteer in charge of a small team of volunteers"

        "OpenBSD has the infamous Theo who lords it over his small team of trusted coders ? Or Linus on Linux ?"

        "unless you speak fluent C++ (with a security specialisation to boot), you're still trusting "someone else" to deliver secure and reliable code"

        My C++ reading skills aren't what I'd call fluent, but that doesn't stop me reading OpenBSD or Linux source code when I have to. Did you mean C?

    2. Anonymous Coward
      Anonymous Coward

      basically operated by one volunteer in charge of a small team of volunteers

      There are lots like that. OpenSSL being a case in point, where every large company on the planet uses it, but it's maintained by a small team of volunteers who have to beg for sponsorship crumbs from a few big companies (https://www.openssl.org/support/acks.html).

      Maybe the EU would like to fund things like that properly, instead just handing out a few bug bounties to FOSS reviewers?

      1. Korev Silver badge
        Linux

        Why can't it do both?

        1. The Mole

          Why does it need to? What is actually broken if the small team of volunteers are working? You do get issues if one of the key developers suddenly leaves/dies etc, but actually that isn't much different to commercial orgs doing the work either (company goes bust, bean counters cancel project, people leave and don't get replaced).

      2. LDS Silver badge

        Who would have said that?

        Developers need to be paid for their work... and that money has to come from somewhere.

    3. matt 83

      But closed source software often operates like that too

      What makes you think that a company selling closed source software is really anything more than one guy in charge of a small team? OK, none of them might be volunteers, but they might all be on a short term contract and have nothing to do with the software after it's released.

      When a bug is found 6 months later there might be no one at the software supplier who knows anything about the software other than the marketing and sales team.

      1. Anonymous Coward
        Anonymous Coward

        Re: But closed source software often operates like that too

        > OK none of them might be volunteers but they might all be on a short term contract and have nothing to do with the software after it's released.

        Or of course the big corporation might just choose to fire them all once V1.0 is out of the door; who needs the developers once it's been developed?

        Or the manager moved on to other things and there was no "sponsor" for the developers, so out the door they go.

        First big development project I worked on, the internal customer decided not to fund the development for 1 quarter and was then shocked, when they wanted some updates, to find all the key developers had left.

  3. Jim-234

    I use PUTTY pretty much daily for serial port access to configure network & storage devices.

    (Which require serial port setup of the network interfaces / passwords before you can do anything over the network).

    1. bombastic bob Silver badge
      Devil

      yeah it's good for regular serial port too, on windows.

      For Linux etc. I typically use 'cu' or my own program [which is open source and can be searched for if you're interested, also works in windows last I checked]. But for windows there used to be a decent terminal program built in [hyperterminal] but it stopped being included either in XP or Vista. And, of course, there was no ssh support as I recall.

      I can't recall what Cygwin has for a terminal program. Maybe it works, maybe it doesn't. I generally don't do serial port things from windows anyway.

      (using serial comms programmatically in windows is unnecessarily painful, and I've been doing it since Win '98 and NT 4, starting with this one customer project that used TAPI to dial into remote devices and download data from them, etc.)

      1. DCFusor Silver badge

        Serial ports on windows

        Boy do you ever nail that one. Back in the day when we were forced to write code to set up my customer's embedded stuff, always via serial, we did that battle... and it was ugly.

        At least linux has /dev/serial/by-id and friends. Glad I moved to linux quite a long time back.

        Now writing serial interfaces that don't require guessing which com port your thing is on is easy, instead of, pinging all the com ports to see if one responds as you wish, and so on, not to mention that other than the VB OLE/activeX object, it was hard to get to a port at all, at least back in the day. It was kind of embarrassing having a VB dependency in a C++ program...

        1. Richard 12 Silver badge

          Re: Serial ports on windows

          Windows serial ports are a lot better than they used to be.

          It's now relatively simple to find the VID/PID of the USB serial adapter, and even an actual name and thus find the device you actually wanted.

          You still have to manually disable serial mice in the registry though. Gods that's irritating!

    2. Rockets

      I mostly use PuTTY on remote PCs for serial access to network gear and it's great for that job - small single exe. Occasionally I need to use Zmodem transfer and PuTTY's no good for that, so I use Extra-PuTTY. But once the device is on the network or it's local to me it's SecureCRT all the way.

  4. DerGoat

    Give me a good alternative

    In my situation, I teach lots of kids (loosely defined) how to configure Cisco equipment. Putty is the only solution I know of that handles serial connections and has a GUI for the kids to learn on (Linux only please). I wean them off as soon as possible and get them using SSH from the command line once they understand what they are doing and know how to enable SSH on Cisco equipment, but at the most basic level when they are setting up "fresh" equipment, Putty is the only real choice. Does anyone have a practical Linux alternative?

    1. Rockets

      Re: Give me a good alternative

      Try PACManager. https://sourceforge.net/projects/pacmanager/

      It's basically a clone of the commercial package SecureCRT for Linux but supports some extra features that SecureCRT doesn't eg WOL or RDP. Not sure if it supports Z/X/YModem though which you occasionally need working with Cisco devices. I use SecureCRT on Windows for work and I can't stand going back to basic PuTTY. There's SecureCRT for Linux & Mac but it's not free.

    2. Anonymous Coward
      Anonymous Coward

      Re: Give me a good alternative

      man cu

      man screen

      Teach your kids how to use the built-in tools. Don't force them to download random stuff they don't really need, because one day they might find themselves working in a secure environment where they can't download random stuff and that's not the time to suddenly have to figure out how to use what's available to you.

      1. Roland6 Silver badge

        Re: Give me a good alternative

        >Teach your kids how to use the built-in tools.

        From the few reviews of MS's OpenSSH implementation, it seems it is not installed by default; you need to explicitly install this optional component. Additionally, none of the reviews show MS's OpenSSH being used outside of a pre-existing PowerShell session.

        PuTTY being Windows-native provides two benefits, firstly a consistent GUI launcher to various remote devices regardless of the particular connection parameters required by those devices, and secondly, supports the mixed use of command-line and GUI tools.

        I suspect like many 'tools' MS have previously bundled, they implement sufficient of the basics to be able to claim support and thus pass a box ticking exercise, but fail to implement the functionality that make third-party tools people's go-to preference.

        I agree with DerGoat, the focus of the training is the configuration of Cisco kit, i.e. getting to grips with the vagaries of the Cisco command language, thus a tool that allows them to very simply connect to network devices assists in the learning objective, because without knowing the basics of Cisco configuration, they are unlikely to be working in a secure environment...

  5. Jason Hindle

    Questions about Putty's future are valid enough

    Putty exists to fill a hole that has now been filled by other means. I haven't used it in months (and the same is true for WinSCP). I do SSH via an Ubuntu Virtual Machine, hosted on VirtualBox, or via Ubuntu for Windows, via WSL (useful on my creaking Surface 3). This gives me the advantage of being able to bash locally as well as remotely, making automation simpler. Both give me direct access to all or part of my local file system. Yes, it's nice that you can have a nice list of servers to click on, in Putty (or via a Session Manager add on), but I'm just as happy with a well organised /etc/hosts.

  6. smartroad

    I wish Putty would quit back to the main window when you close the window :D

  7. Gonzo_the_Geek

    I find myself using PuTTY less and less, with most of my SSH work now done on MobaXterm (Cygwin wrapper I believe?) or Ubuntu on WSL.

  8. rmstock

    designed and maintained by a single individual

    This is exactly why Putty was, has been and still will be highly successful. A screwup comes with a single person's responsibility, and not some corporate haywire mess, including fake semi-scientific pdf publications "delivering" hazy proof of concept for vulnerabilities.


Biting the hand that feeds IT © 1998–2019