Introduce a new checkbox and command-line option to inhibit use of

Pageant for local authentication. (This is a `don't use Pageant for
authentication at session startup' button rather than a `pretend
Pageant doesn't exist' button: that is, agent forwarding is
independent of this option.)

git-svn-id: svn://svn.tartarus.org/sgt/putty@6572 cda61777-01e9-0310-a592-d414129be87e

diff --git a/cmdline.c b/cmdline.c
index 112463c..39f57bb 100644 (file)
--- a/cmdline.c
+++ b/cmdline.c
@@ -291,6 +291,19 @@ int cmdline_process_param(char *p, char *value, int need_save, Config *cfg)
        cmdline_password = value;
     }
 
+    if (!strcmp(p, "-agent") || !strcmp(p, "-pagent") ||
+       !strcmp(p, "-pageant")) {
+       RETURN(1);
+       UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
+       cfg->tryagent = TRUE;
+    }
+    if (!strcmp(p, "-noagent") || !strcmp(p, "-nopagent") ||
+       !strcmp(p, "-nopageant")) {
+       RETURN(1);
+       UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
+       cfg->tryagent = FALSE;
+    }
+
     if (!strcmp(p, "-A")) {
        RETURN(1);
        UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);

diff --git a/config.c b/config.c
index 39da6c2..c844e05 100644 (file)
--- a/config.c
+++ b/config.c
@@ -1841,6 +1841,10 @@ void setup_config_box(struct controlbox *b, int midsession,
 
            s = ctrl_getset(b, "Connection/SSH/Auth", "methods",
                            "Authentication methods");
+           ctrl_checkbox(s, "Attempt authentication using Pageant", 'p',
+                         HELPCTX(ssh_auth_pageant),
+                         dlg_stdcheckbox_handler,
+                         I(offsetof(Config,tryagent)));
            ctrl_checkbox(s, "Attempt TIS or CryptoCard auth (SSH-1)", 'm',
                          HELPCTX(ssh_auth_tis),
                          dlg_stdcheckbox_handler,

diff --git a/doc/config.but b/doc/config.but
index 4281f6c..d0ec32e 100644 (file)
--- a/doc/config.but
+++ b/doc/config.but
@@ -2310,6 +2310,24 @@ unwanted username prompts, you could try checking this option.
 This option only affects SSH-2 connections. SSH-1 connections always
 require an authentication step.
 
+\S{config-ssh-tryagent} \q{Attempt authentication using Pageant}
+
+\cfg{winhelp-topic}{ssh.auth.pageant}
+
+If this option is enabled, then PuTTY will look for Pageant (the SSH
+private-key storage agent) and attempt to authenticate with any
+suitable public keys Pageant currently holds.
+
+This behaviour is almost always desirable, and is therefore enabled
+by default. In rare cases you might need to turn it off in order to
+force authentication by some non-public-key method such as
+passwords.
+
+This option can also be controlled using the \c{-noagent}
+command-line option. See \k{using-cmdline-agentauth}.
+
+See \k{pageant} for more information about Pageant in general.
+
 \S{config-ssh-tis} \q{Attempt \I{TIS authentication}TIS or
 \i{CryptoCard authentication}}
 

diff --git a/doc/pageant.but b/doc/pageant.but
index 548aa8b..f84fb64 100644 (file)
--- a/doc/pageant.but
+++ b/doc/pageant.but
@@ -42,6 +42,10 @@ automatically from Pageant, and use it to authenticate. You can now
 open as many PuTTY sessions as you like without having to type your
 passphrase again.
 
+(PuTTY can be configured not to try to use Pageant, but it will try
+by default. See \k{config-ssh-tryagent} and
+\k{using-cmdline-agentauth} for more information.)
+
 When you want to shut down Pageant, click the right button on the
 Pageant icon in the System tray, and select \q{Exit} from the menu.
 Closing the Pageant main window does \e{not} shut down Pageant.

diff --git a/doc/using.but b/doc/using.but
index 663aa05..1aa2211 100644 (file)
--- a/doc/using.but
+++ b/doc/using.but
@@ -685,6 +685,22 @@ Note that the \c{-pw} option only works when you are using the SSH
 protocol. Due to fundamental limitations of Telnet and Rlogin, these
 protocols do not support automated password authentication.
 
+\S2{using-cmdline-agentauth} \i\c{-agent} and \i\c{-noagent}:
+control use of Pageant for authentication
+
+The \c{-agent} option turns on SSH authentication using Pageant, and
+\c{-noagent} turns it off. These options are only meaningful if you
+are using SSH.
+
+See \k{pageant} for general information on \i{Pageant}
+
+These options are equivalent to the agent authentication checkbox in
+the Auth panel of the PuTTY configuration box (see
+\k{config-ssh-tryagent}).
+
+These options are not available in the file transfer tools PSCP and
+PSFTP.
+
 \S2{using-cmdline-agent} \I{-A-upper}\c{-A} and \i\c{-a}: control \i{agent
 forwarding}
 

diff --git a/putty.h b/putty.h
index f173340..ae41739 100644 (file)
--- a/putty.h
+++ b/putty.h
@@ -432,6 +432,7 @@ struct config_tag {
     int ssh_kexlist[KEX_MAX];
     int ssh_rekey_time;                       /* in minutes */
     char ssh_rekey_data[16];
+    int tryagent;
     int agentfwd;
     int change_username;              /* allow username switching in SSH-2 */
     int ssh_cipherlist[CIPHER_MAX];

diff --git a/settings.c b/settings.c
index 98eefce..76d02c0 100644 (file)
--- a/settings.c
+++ b/settings.c
@@ -297,6 +297,7 @@ void save_open_settings(void *sesskey, int do_host, Config *cfg)
     write_setting_s(sesskey, "LocalUserName", cfg->localusername);
     write_setting_i(sesskey, "NoPTY", cfg->nopty);
     write_setting_i(sesskey, "Compression", cfg->compression);
+    write_setting_i(sesskey, "TryAgent", cfg->tryagent);
     write_setting_i(sesskey, "AgentFwd", cfg->agentfwd);
     write_setting_i(sesskey, "ChangeUsername", cfg->change_username);
     wprefs(sesskey, "Cipher", ciphernames, CIPHER_MAX,
@@ -556,6 +557,7 @@ void load_open_settings(void *sesskey, int do_host, Config *cfg)
         sizeof(cfg->localusername));
     gppi(sesskey, "NoPTY", 0, &cfg->nopty);
     gppi(sesskey, "Compression", 0, &cfg->compression);
+    gppi(sesskey, "TryAgent", 1, &cfg->tryagent);
     gppi(sesskey, "AgentFwd", 0, &cfg->agentfwd);
     gppi(sesskey, "ChangeUsername", 0, &cfg->change_username);
     gprefs(sesskey, "Cipher", "\0",

diff --git a/ssh.c b/ssh.c
index 7e18388..aa619e3 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -3222,7 +3222,7 @@ static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
     while (pktin->type == SSH1_SMSG_FAILURE) {
        s->pwpkt_type = SSH1_CMSG_AUTH_PASSWORD;
 
-       if (agent_exists() && !s->tried_agent) {
+       if (ssh->cfg.tryagent && agent_exists() && !s->tried_agent) {
            /*
             * Attempt RSA authentication using Pageant.
             */
@@ -6613,7 +6613,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
        s->nkeys = 0;
        s->agent_response = NULL;
        s->pkblob_in_agent = NULL;
-       if (agent_exists()) {
+       if (ssh->cfg.tryagent && agent_exists() && ssh->cfg.tryagent) {
 
            void *r;
 

diff --git a/unix/uxplink.c b/unix/uxplink.c
index 90b151f..0e27366 100644 (file)
--- a/unix/uxplink.c
+++ b/unix/uxplink.c
@@ -628,8 +628,6 @@ int main(int argc, char **argv)
            if (!*cfg.host) {
                char *q = p;
 
-                do_defaults(NULL, &cfg);
-
                /*
                 * If the hostname starts with "telnet:", set the
                 * protocol to Telnet and process the string as a

diff --git a/windows/winhelp.h b/windows/winhelp.h
index 750d379..40fcf72 100644 (file)
--- a/windows/winhelp.h
+++ b/windows/winhelp.h
@@ -99,6 +99,7 @@
 #define WINHELP_CTX_ssh_auth_privkey "ssh.auth.privkey"
 #define WINHELP_CTX_ssh_auth_agentfwd "ssh.auth.agentfwd"
 #define WINHELP_CTX_ssh_auth_changeuser "ssh.auth.changeuser"
+#define WINHELP_CTX_ssh_auth_pageant "ssh.auth.pageant"
 #define WINHELP_CTX_ssh_auth_tis "ssh.auth.tis"
 #define WINHELP_CTX_ssh_auth_ki "ssh.auth.ki"
 #define WINHELP_CTX_selection_buttons "selection.buttons"