PuTTY is one of the oldest and most popular SSH clients, originally for Windows but now available on several platforms. It has won corporate support and endorsement, and is prepared and bundled within several third-party repositories.

Unfortunately, the 0.74 stable PuTTY release does not safely guard plain-text passwords provided to it via the -pw command-line option for the psftp, pscp, and plink utilities, as the documentation clearly warns. There is evidence within the source code that the authors are aware of the problem, but the exposure is confirmed on Microsoft Windows, Oracle Linux, and the package prepared by the OpenBSD project.

After discussions, PuTTY's original author, Simon Tatham, developed a new -pwfile option, which reads an SSH password from a file, removing it from the command line. This feature can be backported into the current 0.76 stable release. Full instructions for applying the backport and a .netrc wrapper for psftp are presented, also implemented in Windows under Busybox.
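An added example, not taken from the article or from PuTTY: a small audit that scans script, crontab, or process-listing lines for psftp, pscp, and plink invocations that still pass a password with -pw, so they can be moved to -pwfile. The function names and the sample lines are constructed for illustration, and POSIX shell quoting is assumed.

```python
import shlex
from pathlib import PureWindowsPath

# PuTTY command-line tools the page names as accepting -pw.
PUTTY_TOOLS = {"plink", "pscp", "psftp"}

def tool_name(token):
    """Return the bare PuTTY tool name for a token, or None if it is not one."""
    base = PureWindowsPath(token).name.lower()  # splits on both / and \
    if base.endswith(".exe"):
        base = base[:-4]
    return base if base in PUTTY_TOOLS else None

def audit_line(line):
    """Return (tool, status, redacted_command) or None when there is no finding."""
    try:
        argv = shlex.split(line, comments=True)  # a commented-out line yields []
    except ValueError:                           # unbalanced quotes: best effort
        argv = line.split()
    start = next((i for i, t in enumerate(argv) if tool_name(t)), None)
    if start is None:
        return None
    tool, args = tool_name(argv[start]), argv[start + 1:]
    if "-pw" in args:
        i = args.index("-pw")
        if i + 1 < len(args):
            args[i + 1] = "<redacted>"           # never echo the secret in a report
        return (tool, "exposed", " ".join([tool] + args))
    if "-pwfile" in args:
        return (tool, "pwfile", " ".join([tool] + args))
    return None

def audit(lines):
    """Audit many lines and keep only the findings."""
    return [r for r in map(audit_line, lines) if r]

# Constructed sample input: a crontab entry, two script lines, a comment, plain ssh.
SAMPLE = [
    "0 2 * * * /usr/bin/pscp -batch -pw 'S3cret value' report.csv backup@host.example:/data/",
    "plink.exe -ssh -pwfile /home/batch/.plink_pw batch@host.example uptime",
    "psftp -b cmds.txt batch@host.example",
    "# plink -pw old batch@host.example",
    "ssh batch@host.example uptime",
]

if __name__ == "__main__":
    for tool, status, cmd in audit(SAMPLE):
        print(f"{status:8} {cmd}")
```

Lines reported as `exposed` are the ones to convert; `pwfile` lines are listed so the referenced password file's permissions can be checked.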



News Link: https://www.linuxjournal.com/content/putty-scripted-passwords-are-exposed-passwords
