Putty SSH Client Review - terminal window

PuTTY SSH

PuTTY is one of the oldest SSH clients for Windows. It was first released by Simon Tatham in 1998 and SSH support was added in 2000.

PuTTY is still a fairly popular SSH client. However, it is definitely geared for the system administrator. PuTTY is a very plain terminal window and file transfers must be done from the command line. It is a great tool to do a simple job when needed, such as configuring a router.

After 19 years, the software is still considered a beta version. It is still being maintained, but development has been very slow. The latest version, 0.68, added support for elliptic curve cryptography, but the user interface and features have not changed much in 15 years.


Past Security Vulnerabilities

Versions 0.66 and earlier contain known security vulnerabilities. Anyone using version 0.66 or earlier is advised to upgrade to the latest version.

  • Buffer overflow in SCP. This is a potential stack overflow and remote code execution exploit, allowing a corrupt server to execute code on the client when any file is downloaded.
  • Integer overflow in terminal escape sequence handling. Memory corruption and possible remote code execution can result if a suitable escape sequence is sent to the terminal (by displaying a malicious file, by broadcasting the string on the server, or by an application writing to the terminal). In telnet, the malicious sequence can be injected by an attacker on the network (e.g., a compromised switch/router, an ARP spoofing attack on the local network of the server or client, or any network operator on the route).
  • A trojaned version of PuTTY has also been circulating.

Putty Window

The user interface consists of login and configuration dialogs and a main terminal window. The software looks quite rudimentary, and it shows that it was written in the 1990s. However, the terminal emulation is pretty good and its terminal functionality is still solid.


Transferring Files with Putty

The software does not include an integrated SFTP file transfer client. However, command-line tools called PSFTP and PSCP are provided. These can be used by technical people for file transfers. By comparison, Tectia SSH, for example, has offered fully integrated file transfer capability since 2000, and most people these days are reluctant to use a command line.

The WinSCP and FileZilla clients can be used for file transfers in conjunction with PuTTY, but they do not support a terminal window. Having two software packages, switching between them to do operations, and managing profiles and logins for both is extra trouble. WinSCP can now import PuTTY profiles, but separate login is still required for both.

Public Key Authentication and SSH Key Management

PuTTY supports public key authentication and uses its own key format for SSH keys. It stores keys in .ppk files in its own proprietary format. The PuTTYGen tool can be used for manually converting between .ppk files and more widely supported key formats.

It is common for hackers and malware to collect SSH keys when penetrating an organization. This happened, for example, in the infamous Sony Breach.

SSH key based authentication can be very useful, especially for automation, but the keys must be properly managed. As of this writing, Universal SSH Key Manager is the only SSH key management solution that supports .ppk files.
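As a starting point for managing these keys, the following added example (not part of the original article or of PuTTY itself) inventories .ppk files and flags private keys saved without a passphrase. It assumes the plain-text header fields used by PuTTY's key format (`PuTTY-User-Key-File-N`, `Encryption`, `Comment`, `Public-Lines`, `Private-Lines`); the function names and sample keys are hypothetical.

```python
from pathlib import Path

def parse_ppk_header(text):
    """Parse the 'Key: value' header fields of a .ppk file, skipping key blobs."""
    lines = text.splitlines()
    first, sep, algorithm = (lines[0] if lines else "").partition(": ")
    if not sep or not first.startswith("PuTTY-User-Key-File-"):
        raise ValueError("not a PuTTY private key file")
    info = {"version": int(first.rsplit("-", 1)[1]), "algorithm": algorithm.strip()}
    i = 1
    while i < len(lines):
        key, sep, value = lines[i].partition(": ")
        i += 1
        if not sep:
            continue
        if key.endswith("-Lines"):
            i += int(value)      # skip the base64 body; key material is never kept
        else:
            info[key] = value.strip()
    return info

def audit_ppk(text):
    """Return a list of findings for one key file (empty list means no finding)."""
    info = parse_ppk_header(text)
    findings = []
    if info.get("Encryption", "none") == "none":
        findings.append("private key is stored without a passphrase")
    return findings

def scan_tree(root):
    """Map every .ppk path under root to its findings."""
    report = {}
    for path in Path(root).rglob("*.ppk"):
        try:
            report[str(path)] = audit_ppk(path.read_text(errors="replace"))
        except ValueError as exc:
            report[str(path)] = [f"unparseable: {exc}"]
    return report

# Constructed samples: the base64 and MAC values are placeholders, not real keys.
SAMPLE_PLAIN = """PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: backup-job@build01
Public-Lines: 1
QUFBQQ==
Private-Lines: 1
QUFBQQ==
Private-MAC: 0000000000000000000000000000000000000000
"""
SAMPLE_ENCRYPTED = SAMPLE_PLAIN.replace("Encryption: none", "Encryption: aes256-cbc")
```

Running `scan_tree` over user profile directories and file shares gives a list of keys to rotate or re-save with a passphrase in PuTTYgen.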

For more information, see the tutorial on PuTTY public key authentication.

PuTTY Telnet

PuTTY grew out of a telnet client, and telnet is still available as a protocol. However, very few devices support telnet these days, and its use is strongly discouraged for security reasons. Telnet sends all user names and passwords in the clear. By the mid-1990s, password sniffing had already become the largest security problem on the Internet, and that was the problem the SSH protocol was designed to solve. Compromised routers, switches, or ARP spoofing attacks can be used to inject arbitrary commands into telnet sessions.

There is a separate version of the terminal called PuTTYtel for countries that do not allow any use of encryption. However, SSH is now used in all countries, officially or unofficially, and most systems can no longer be managed without encryption. Even the most oppressive countries need to secure their systems somehow, and there cannot be cybersecurity in a networked environment without encryption.

Features

  • Windows client. Other operating systems not supported. No server.
  • Supports both 32-bit and 64-bit Windows. MSI installer has been available since 2016.
  • Supports SSH client, telnet client, SFTP client, and rlogin client. Both SSH2 and SSH1 protocols are supported. Note: Use of SSH1 is not recommended for security reasons, and practically all devices support SSH2 these days.
  • Supports public key authentication and Kerberos (GSSAPI) authentication.
  • File transfers use separate command-line programs. No integrated file transfer support.
  • No scripting support. However, it is possible to use PuTTY together with WinSCP.

A Frequently Asked Questions document (FAQ) can be found here.

Extensions, Branches, and Integrations

Given that it is open source, several projects have branched off from PuTTY, are based on it, or make use of it.

  • PuttyManager is a tabbed user interface, but development appears to have stopped years ago.
  • ExtraPuTTY is a fork that has various extensions, such as Lua programming language integration.
  • WinSCP has some level of integration for file transfer functionality.

Summary

PuTTY is still a robust, functional client. However, its features are quite restricted by modern standards. The lack of integrated file transfers is a major drawback.