Showing posts with label ssh client. Show all posts

Monday, February 8, 2016

PuTTY hack keeps SSH session data out of Windows registry

A lot of people connect to Linux machines from a Windows desktop computer. Despite the number of people that have to do this for one reason or another, there are hardly any SSH clients for Windows. Basically there are three - Bitvise, Dameware and PuTTY. I've almost always used PuTTY.

There are problems with all of these clients, including PuTTY. One of the smaller issues with PuTTY that I've nonetheless always found annoying is that it is not quite as portable as it appears to be. Installing the client is usually as simple as downloading and running the EXE file, but vital information about saved sessions as well as seed data gets stored in the Windows registry, where it can be forgotten about. Or where someone else can grab it.

That's not really the fault of the developer; if I was making PuTTY today I doubt I would do anything differently. It's a garbage collection thing. The problem is that PuTTY information can be valuable to attackers. Just about everyone who uses an SSH client saves sessions on it, especially if they have to contend with multiple machines, all with different passwords and certificate files. It would be nice to store that sort of valuable information in a more secure medium - like a separate encrypted disk. PuTTY doesn't let you do that out of the box, but there is a hack from PuTTY's documentation that lets you do it. I've published that hack on GitHub - it's very bare-bones right now, but as time permits I will make it a bit fancier and more useful.

The hack starts off as three files - a .BAT file and two registry files - but grows to five files once it pulls your session and seed data from the registry. It will export all your existing session information and random seed data to files and delete their corresponding registry information. The hack part is that whenever you use PuTTY, the script reloads your session information into the registry, runs PuTTY, and then removes it again once PuTTY is closed. This approach doesn't resolve all of the security issues - for example, if you are using PuTTY on a computer that is part of an Active Directory domain, or that has the Remote Registry service enabled, then someone can probably record the registry modifications while PuTTY is running and grab the session data that way (-cough- use LDAP -cough). It's not perfect, but it's a step in the right direction toward keeping your SSH session data away from prying eyes.
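To make the mechanics concrete, here is a wrapper script written for this post as an added example. It is not the script from my GitHub repository and not PuTTY's own code; it follows the import/run/export/delete pattern that PuTTY's documentation describes for keeping configuration in files. It assumes putty.exe sits in the same folder as the script (for example on an encrypted volume), and the file names putty.reg, puttyrnd.reg, puttydel.reg and putty.rnd are my choice.

```batch
@ECHO OFF
REM Added example wrapper for PuTTY: keeps saved sessions and the random
REM seed in files next to this script instead of leaving them in the
REM registry. Not the original project's script; file names are assumed.
SETLOCAL
SET PKEY=HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
SET HERE=%~dp0

REM First run only: export whatever session data already lives in the
REM registry into putty.reg so it survives the delete step at the end.
IF NOT EXIST "%HERE%putty.reg" (
    regedit /e "%HERE%putty.reg" %PKEY%
)

REM puttyrnd.reg tells PuTTY to keep its random seed in putty.rnd beside
REM the script rather than in the user profile. Backslashes in the path
REM are doubled because .reg files treat a single backslash as an escape.
IF NOT EXIST "%HERE%puttyrnd.reg" (
    > "%HERE%puttyrnd.reg" ECHO REGEDIT4
    >> "%HERE%puttyrnd.reg" ECHO.
    >> "%HERE%puttyrnd.reg" ECHO [%PKEY%]
    >> "%HERE%puttyrnd.reg" ECHO "RandSeedFile"="%HERE:\=\\%putty.rnd"
)

REM puttydel.reg removes the whole PuTTY key; the leading "-" in the
REM bracket is the .reg syntax for deleting a key.
IF NOT EXIST "%HERE%puttydel.reg" (
    > "%HERE%puttydel.reg" ECHO REGEDIT4
    >> "%HERE%puttydel.reg" ECHO.
    >> "%HERE%puttydel.reg" ECHO [-%PKEY%]
)

REM 1. Load saved sessions and the seed-file pointer into the registry.
regedit /s "%HERE%putty.reg"
regedit /s "%HERE%puttyrnd.reg"

REM 2. Run PuTTY and wait until the window is closed. Session data is
REM    present in the registry only during this window.
start /w "" "%HERE%putty.exe"

REM 3. Export the key again so sessions added or edited inside PuTTY are
REM    saved to the file, then replace the old copy.
regedit /e "%HERE%new.reg" %PKEY%
MOVE /Y "%HERE%new.reg" "%HERE%putty.reg"

REM 4. Delete the registry key so nothing is left behind.
regedit /s "%HERE%puttydel.reg"
ENDLOCAL
```

Run the script instead of putty.exe. Everything PuTTY needs then lives in four files beside it, and the registry key exists only while PuTTY is open, which is exactly the window the post warns about: on a domain-joined machine, or one with Remote Registry enabled, the key is readable for as long as the session is running, so this reduces the exposure rather than removing it.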

RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simpl...