Bug 3183 - Replace Windows SSH client (Putty) with OpenSSH
: Replace Windows SSH client (Putty) with OpenSSH
: ThinLinc
Client platforms
: 3.0.0
: PC Unknown
: P2 Normal
: 4.1.0
Assigned To:
: 3318 4557
: 2739 4003
  Show dependency treegraph
Reported: 2009-06-15 13:46 by
Modified: 2013-06-17 18:18 (History)
Acceptance Criteria:

openssh-5.9p1-win32.tar.gz (1.12 MB, application/x-gzip)
2012-02-01 10:18, Pierre Ossman


You need to log in before you can comment on or make changes to this bug.

Description From cendio 2009-06-15 13:46:05
Currently, we are using Putty on Windows and OpenSSH on all other platforms.
Having two implementations causes much work with maintaining and developing the
SSH client. It would be much nicer to have one single implementation.
Putty/plink is actually available for UNIX, but:

* It's smart card patch is not maintained and not accepted upstream. 
* Putty is difficult to work with, due to it's complicated design. 

So, I guess OpenSSH on Windows is a better path. A binary for Windows is
actually available from the MinGW project, in the "MSYS Supplementary Tools"
group (although I haven't tested it yet.)

To migrate to OpenSSH, we would need to adapt & build the NSS libraries for
Windows, which might be somewhat difficult.
------- Comment #1 From cendio 2009-09-09 11:35:21 -------
Unfortunately the version of OpenSSH in MSYS is ancient and of no use to us. So
this will probably have to be a complete porting project.
------- Comment #2 From cendio 2009-11-06 11:24:36 -------
Another reason to abandon putty is that the connection handling seems to be
very crappy. A single invocation of plink results in three (!!) connections to
the ssh server. Two of them are killed before a complete handshake is done,
result in sshd filling the logs with "Did not receive identification string
------- Comment #3 From cendio 2010-04-13 10:00:21 -------
When fixing this bug, make sure we enable PIN-with-PUK unlocking on the Windows
client. Should perhaps document this as well. 
------- Comment #4 From cendio 2011-02-14 09:26:02 -------
Discussions are taking place on the TigerVNC mailinglist. A comment about

"The PuTTY project seems almost dead. "
"Yeah, the PuTTY project has not really released anything since about 2007. "
------- Comment #5 From cendio 2012-01-13 10:52:54 -------
We should also move over public key handling to our tlclient agent
implementation when we do this and clean out unnecessary messages in the pipe
protocol parser.
------- Comment #6 From cendio 2012-01-31 12:37:58 -------
Nomachine has apparently already ported OpenSSH:

------- Comment #7 From cendio 2012-02-01 10:18:43 -------
Created an attachment (id=421) [details]

A copy of the current version in case they remove it from their web site.
------- Comment #8 From cendio 2013-02-22 17:06:45 -------
Works well enough to get a working session now. Still lots left to do though.
SSH agent handling needs to be fixed, as well as host key management. And
there's a massive amount of work in tlclient that needs to be sorted out.
------- Comment #9 From cendio 2013-03-13 13:01:18 -------
Everything is now implemented. What is left is updating documentation, and
clearing out everything PuTTY specific.
------- Comment #10 From cendio 2013-03-13 16:14:22 -------
All done. Tester should examine all things SSH related. This includes all
authentication forms, testing tunnels, etc. Tester should also check the source
tree for any remaining occurrences of PuTTY.
------- Comment #11 From cendio 2013-03-21 14:53:47 -------
Should attempt to push this upstream as well. Waiting for the Kerberos stuff to
be finished first though.
------- Comment #12 From cendio 2013-03-22 12:20:05 -------
Fails on Windows 7 (nightly build from 20130320):

PASSWORD: aaron zaphod
tcgetattr: Invalid argument
Last login: blahblahblah
Timeout, server zaphod not responding
------- Comment #13 From cendio 2013-03-25 13:30:45 -------
(In reply to comment #12)
> Fails on Windows 7 (nightly build from 20130320):

Fixed in r26850. Did not affect tlclient though, only running ssh.exe by
------- Comment #14 From cendio 2013-04-12 10:43:34 -------
Another select() fix in r27049.
------- Comment #15 From cendio 2013-05-15 14:10:47 -------
Handed off to upstream:

------- Comment #16 From cendio 2013-05-31 09:35:43 -------
When connecting to a ip address that doesn't exists, client reports "Interal
SSH error" when i expected to get "Connection timeout".

Reproducable on Win8 TL client build 3966.

2013-05-31T09:28:10: Log file created
2013-05-31T09:28:10: ThinLinc client release 4.0.0post build 3966
2013-05-31T09:28:23: SSH command: "C:\Program Files (x86)\ThinLinc
Client\ssh.exe" -N -o GlobalKnownHostsFile=nul -o UserKnownHostsFile=nul -o
PubkeyAuthentication=no -o CheckHostIP=no -o NumberOfPasswordPrompts=1
cendio@dhcp-254-196 -p 22 thinlinc-login master
2013-05-31T09:28:44: ssh[E]: CONNECT ERROR: -2147473588
------- Comment #17 From cendio 2013-05-31 10:55:26 -------
(In reply to comment #16)
> When connecting to a ip address that doesn't exists, client reports "Interal
> SSH error" when i expected to get "Connection timeout".

Fixed in r27474.
------- Comment #18 From cendio 2013-06-17 18:18:54 -------
- [X] Password authentication
- [X] Public key authentication
- [X] All changes pushed upstream
- [X] Smart card tunneling
- [X] Sound tunneling
- [X] Printing
- [X] No remnants of PuTTY in the source tree.
- [X] Smart card authentication
- [X] Local drive redirection
- [X] Handle locked smart cards
- [X] Unlock smart cards
- [X] Kerberos authentication

  Already tested as part of bug 4003.

- [X] Serial console redirection

  Connecting to /dev/ttyS0 gives you output in the tlclient.log from
  sercd, and that's good enough for me.