ctrl_settitle(b, "Connection/SSH/Auth",
"Options controlling SSH authentication");
+ s = ctrl_getset(b, "Connection/SSH/Auth", "main", NULL);
+ ctrl_checkbox(s, "Bypass authentication entirely (SSH-2 only)", 'b',
+ HELPCTX(ssh_auth_bypass),
+ dlg_stdcheckbox_handler,
+ I(offsetof(Config,ssh_no_userauth)));
+
s = ctrl_getset(b, "Connection/SSH/Auth", "methods",
"Authentication methods");
ctrl_checkbox(s, "Attempt TIS or CryptoCard auth (SSH-1)", 'm',
The Auth panel allows you to configure \i{authentication} options for
SSH sessions.
+\S{config-ssh-noauth} \q{Bypass authentication entirely}
+
+\cfg{winhelp-topic}{ssh.auth.bypass}
+
+In SSH-2, it is possible to establish a connection without using SSH's
+mechanisms to identify or authenticate oneself to the server. Some
+servers may prefer to handle authentication in the data channel, for
+instance, or may simply require no authentication whatsoever.
+
+By default, PuTTY assumes the server requires authentication (most
+do), and thus must provide a username. If you find you are getting
+unwanted username prompts, you could try checking this option.
+
+This option only affects SSH-2 connections. SSH-1 connections always
+require an authentication step.
+
\S{config-ssh-tis} \q{Attempt \I{TIS authentication}TIS or
\i{CryptoCard authentication}}
Filename keyfile;
int sshprot; /* use v1 or v2 when both available */
int ssh2_des_cbc; /* "des-cbc" unrecommended SSH-2 cipher */
+ int ssh_no_userauth; /* bypass "ssh-userauth" (SSH-2 only) */
int try_tis_auth;
int try_ki_auth;
int ssh_subsys; /* run a subsystem rather than a command */
wprefs(sesskey, "KEX", kexnames, KEX_MAX, cfg->ssh_kexlist);
write_setting_i(sesskey, "RekeyTime", cfg->ssh_rekey_time);
write_setting_s(sesskey, "RekeyBytes", cfg->ssh_rekey_data);
+ write_setting_i(sesskey, "SshNoAuth", cfg->ssh_no_userauth);
write_setting_i(sesskey, "AuthTIS", cfg->try_tis_auth);
write_setting_i(sesskey, "AuthKI", cfg->try_ki_auth);
write_setting_i(sesskey, "SshNoShell", cfg->ssh_no_shell);
sizeof(cfg->ssh_rekey_data));
gppi(sesskey, "SshProt", 2, &cfg->sshprot);
gppi(sesskey, "SSH2DES", 0, &cfg->ssh2_des_cbc);
+ gppi(sesskey, "SshNoAuth", 0, &cfg->ssh_no_userauth);
gppi(sesskey, "AuthTIS", 0, &cfg->try_tis_auth);
gppi(sesskey, "AuthKI", 1, &cfg->try_ki_auth);
gppi(sesskey, "SshNoShell", 0, &cfg->ssh_no_shell);
AUTH_TYPE_KEYBOARD_INTERACTIVE,
AUTH_TYPE_KEYBOARD_INTERACTIVE_QUIET
} type;
+ int done_service_req;
int gotit, need_pw, can_pubkey, can_passwd, can_keyb_inter;
int tried_pubkey_config, tried_agent;
int kbd_inter_running, kbd_inter_refused;
crBegin(ssh->do_ssh2_authconn_crstate);
- /*
- * Request userauth protocol, and await a response to it.
- */
- s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
- ssh2_pkt_addstring(s->pktout, "ssh-userauth");
- ssh2_pkt_send(ssh, s->pktout);
- crWaitUntilV(pktin);
- if (pktin->type != SSH2_MSG_SERVICE_ACCEPT) {
- bombout(("Server refused user authentication protocol"));
- crStopV;
+ s->done_service_req = FALSE;
+ s->we_are_in = FALSE;
+ if (!ssh->cfg.ssh_no_userauth) {
+ /*
+ * Request userauth protocol, and await a response to it.
+ */
+ s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
+ ssh2_pkt_addstring(s->pktout, "ssh-userauth");
+ ssh2_pkt_send(ssh, s->pktout);
+ crWaitUntilV(pktin);
+ if (pktin->type == SSH2_MSG_SERVICE_ACCEPT)
+ s->done_service_req = TRUE;
+ }
+ if (!s->done_service_req) {
+ /*
+ * Request connection protocol directly, without authentication.
+ */
+ s->pktout = ssh2_pkt_init(SSH2_MSG_SERVICE_REQUEST);
+ ssh2_pkt_addstring(s->pktout, "ssh-connection");
+ ssh2_pkt_send(ssh, s->pktout);
+ crWaitUntilV(pktin);
+ if (pktin->type == SSH2_MSG_SERVICE_ACCEPT) {
+ s->we_are_in = TRUE; /* no auth required */
+ } else {
+ bombout(("Server refused service request"));
+ crStopV;
+ }
}
/*
*/
s->username[0] = '\0';
s->got_username = FALSE;
- do {
+ while (!s->we_are_in) {
/*
* Get a username.
*/
crStopV;
}
}
- } while (!s->we_are_in);
+ }
/*
- * Now we're authenticated for the connection protocol. The
- * connection protocol will automatically have started at this
- * point; there's no need to send SERVICE_REQUEST.
+ * Now the connection protocol has started, one way or another.
*/
ssh->channels = newtree234(ssh_channelcmp);
#define WINHELP_CTX_ssh_compress "ssh.compress"
#define WINHELP_CTX_ssh_kexlist "ssh.kex.order"
#define WINHELP_CTX_ssh_kex_repeat "ssh.kex.repeat"
+#define WINHELP_CTX_ssh_auth_bypass "ssh.auth.bypass"
#define WINHELP_CTX_ssh_auth_privkey "ssh.auth.privkey"
#define WINHELP_CTX_ssh_auth_agentfwd "ssh.auth.agentfwd"
#define WINHELP_CTX_ssh_auth_changeuser "ssh.auth.changeuser"