Bug 3183 - Replace Windows SSH client (Putty) with OpenSSH
Summary: Replace Windows SSH client (Putty) with OpenSSH
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client platforms (show other bugs)
Version: 3.0.0
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.1.0
Assignee: Pierre Ossman
Keywords: derfian_tester
Depends on: 3318 4557
Blocks: 2739 4003
  Show dependency treegraph
Reported: 2009-06-15 13:46 CEST by Peter Åstrand
Modified: 2013-06-17 18:18 CEST (History)
0 users

See Also:
Acceptance Criteria:

openssh-5.9p1-win32.tar.gz (1.12 MB, application/x-gzip)
2012-02-01 10:18 CET, Pierre Ossman

Description Peter Åstrand cendio 2009-06-15 13:46:05 CEST
Currently, we are using Putty on Windows and OpenSSH on all other platforms. Having two implementations causes much work with maintaining and developing the SSH client. It would be much nicer to have one single implementation. Putty/plink is actually available for UNIX, but:

* It's smart card patch is not maintained and not accepted upstream. 
* Putty is difficult to work with, due to it's complicated design. 

So, I guess OpenSSH on Windows is a better path. A binary for Windows is actually available from the MinGW project, in the "MSYS Supplementary Tools" group (although I haven't tested it yet.)

To migrate to OpenSSH, we would need to adapt & build the NSS libraries for Windows, which might be somewhat difficult.
Comment 1 Pierre Ossman cendio 2009-09-09 11:35:21 CEST
Unfortunately the version of OpenSSH in MSYS is ancient and of no use to us. So this will probably have to be a complete porting project.
Comment 2 Pierre Ossman cendio 2009-11-06 11:24:36 CET
Another reason to abandon putty is that the connection handling seems to be very crappy. A single invocation of plink results in three (!!) connections to the ssh server. Two of them are killed before a complete handshake is done, result in sshd filling the logs with "Did not receive identification string from".
Comment 3 Peter Åstrand cendio 2010-04-13 10:00:21 CEST
When fixing this bug, make sure we enable PIN-with-PUK unlocking on the Windows client. Should perhaps document this as well. 
Comment 4 Peter Åstrand cendio 2011-02-14 09:26:02 CET
Discussions are taking place on the TigerVNC mailinglist. A comment about Putty:

"The PuTTY project seems almost dead. "
"Yeah, the PuTTY project has not really released anything since about 2007. "
Comment 5 Pierre Ossman cendio 2012-01-13 10:52:54 CET
We should also move over public key handling to our tlclient agent implementation when we do this and clean out unnecessary messages in the pipe protocol parser.
Comment 6 Pierre Ossman cendio 2012-01-31 12:37:58 CET
Nomachine has apparently already ported OpenSSH:

Comment 7 Pierre Ossman cendio 2012-02-01 10:18:43 CET
Created attachment 421 [details]

A copy of the current version in case they remove it from their web site.
Comment 8 Pierre Ossman cendio 2013-02-22 17:06:45 CET
Works well enough to get a working session now. Still lots left to do though. SSH agent handling needs to be fixed, as well as host key management. And there's a massive amount of work in tlclient that needs to be sorted out.
Comment 9 Pierre Ossman cendio 2013-03-13 13:01:18 CET
Everything is now implemented. What is left is updating documentation, and clearing out everything PuTTY specific.
Comment 10 Pierre Ossman cendio 2013-03-13 16:14:22 CET
All done. Tester should examine all things SSH related. This includes all authentication forms, testing tunnels, etc. Tester should also check the source tree for any remaining occurrences of PuTTY.
Comment 11 Pierre Ossman cendio 2013-03-21 14:53:47 CET
Should attempt to push this upstream as well. Waiting for the Kerberos stuff to be finished first though.
Comment 12 Aaron Sowry cendio 2013-03-22 12:20:05 CET
Fails on Windows 7 (nightly build from 20130320):

PASSWORD: aaron zaphod
tcgetattr: Invalid argument
Last login: blahblahblah
Timeout, server zaphod not responding
Comment 13 Pierre Ossman cendio 2013-03-25 13:30:45 CET
(In reply to comment #12)
> Fails on Windows 7 (nightly build from 20130320):

Fixed in r26850. Did not affect tlclient though, only running ssh.exe by itself.
Comment 14 Pierre Ossman cendio 2013-04-12 10:43:34 CEST
Another select() fix in r27049.
Comment 15 Pierre Ossman cendio 2013-05-15 14:10:47 CEST
Handed off to upstream:

Comment 16 Henrik Andersson cendio 2013-05-31 09:35:43 CEST
When connecting to a ip address that doesn't exists, client reports "Interal SSH error" when i expected to get "Connection timeout".

Reproducable on Win8 TL client build 3966.

2013-05-31T09:28:10: Log file created
2013-05-31T09:28:10: ThinLinc client release 4.0.0post build 3966
2013-05-31T09:28:23: SSH command: "C:\Program Files (x86)\ThinLinc Client\ssh.exe" -N -o GlobalKnownHostsFile=nul -o UserKnownHostsFile=nul -o PubkeyAuthentication=no -o CheckHostIP=no -o NumberOfPasswordPrompts=1 cendio@dhcp-254-196 -p 22 thinlinc-login master
2013-05-31T09:28:44: ssh[E]: CONNECT ERROR: -2147473588
Comment 17 Pierre Ossman cendio 2013-05-31 10:55:26 CEST
(In reply to comment #16)
> When connecting to a ip address that doesn't exists, client reports "Interal
> SSH error" when i expected to get "Connection timeout".

Fixed in r27474.
Comment 18 Karl Mikaelsson cendio 2013-06-17 18:18:54 CEST
- [X] Password authentication
- [X] Public key authentication
- [X] All changes pushed upstream
- [X] Smart card tunneling
- [X] Sound tunneling
- [X] Printing
- [X] No remnants of PuTTY in the source tree.
- [X] Smart card authentication
- [X] Local drive redirection
- [X] Handle locked smart cards
- [X] Unlock smart cards
- [X] Kerberos authentication

  Already tested as part of bug 4003.

- [X] Serial console redirection

  Connecting to /dev/ttyS0 gives you output in the tlclient.log from
  sercd, and that's good enough for me.

Note You need to log in before you can comment on or make changes to this bug.