PuTTY and ProxyCommand - SSH

Hi,

I have a problem with PuTTY 0.59 and the use of the new implemented
local proxying.
I have been using Cygwin/OpenSSH with the following configuration
(ssh_config):

Host pc2
ProxyCommand ssh user@pc1 tcpconnect pc2 22

It works well (a ssh session is created on pc2 through pc1).

I believe PuTTY can now handle that, can't it?


But the problem is that I don't find how to do that in the GUI
And the documentation explains the new « -nc » feature of PLink.
Thus I tried:

plink -nc pc2:22 user@pc1

I authenticate well on pc1. Then I have:
SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.6

And I can't do anything!

Note that as soon as I stop PLink, I have a log on pc2:
Mar 26 18:02:11 pc2 sshd[12087]: Did not receive identification string from [IP]


Do you know what is happening?

Thanks for your help.

--
Iulius

« Tous les matins, j'apporte à ma femme le café au lit.
Elle n'a plus qu'à le moudre. » (Coluche)

Iulius wrote:
> I have a problem with PuTTY 0.59 and the use of the new implemented
> local proxying.

(If you do get this working, be warned that you may find unexpected
crashing unless you upgrade to a development snapshot.)

> Host pc2
> ProxyCommand ssh user@pc1 tcpconnect pc2 22
>
> It works well (a ssh session is created on pc2 through pc1).
>
> I believe PuTTY can now handle that, can't it?
>
> But the problem is that I don't find how to do that in the GUI

In the `Connection > Proxy' config panel, select proxy type `Local',
and enter your command in the `local proxy command' box at the
bottom of the page.

(If you could suggest improvements to the documentation which would
have enabled you to find this more easily, I'd be interested to hear
them.)

> And the documentation explains the new « -nc » feature of PLink.
> Thus I tried:
>
> plink -nc pc2:22 user@pc1
>
> I authenticate well on pc1. Then I have:
> SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.6
>
> And I can't do anything!

That Plink command is functionally equivalent to the command `ssh
user@pc1 tcpconnect pc2 22' you quoted above (assuming that I've
correctly understood what `tcpconnect' does from context). Using it
by itself like this, you would then need to speak the SSH protocol
by hand over the resulting connection. `plink -nc' is designed to be
used _as_ a local proxy command, so that you don't need to worry
about what programs might be installed on pc1 that do the same job
as `tcpconnect'.
--
Simon Tatham "Selfless? I'm so selfless I
don't even know who I am."

En réponse à Simon Tatham :
> (If you do get this working, be warned that you may find unexpected
> crashing unless you upgrade to a development snapshot.)

All right. I have just downloaded the latest snapshot.


> In the `Connection > Proxy' config panel, select proxy type `Local',
> and enter your command in the `local proxy command' box at the
> bottom of the page.

Hmmm...
I don't manage to work it out.

I tried a lot of combinations but I believe not the right one!

Well:
in the main window: user2@pc2 // port 22 // SSH
in the proxy config panel: local // user1@pc1 // 22
local proxy command: tcpconnect pc2 22

What's wrong with that?


> (If you could suggest improvements to the documentation which would
> have enabled you to find this more easily, I'd be interested to hear
> them.)

Sure but when I make it work


> That Plink command is functionally equivalent to the command `ssh
> user@pc1 tcpconnect pc2 22' you quoted above (assuming that I've
> correctly understood what `tcpconnect' does from context).

In package:
tcputils - Utilities for TCP programming in shell-scripts

tcpconnect does the same as netcat, but better (especially the handling
of the end of connections which doesn't remain active in « ps »).

--
Iulius

« Cela fera du bruit dans Landernau. » (Alexandre Duval)

Iulius wrote:
> in the main window: user2@pc2 // port 22 // SSH
> in the proxy config panel: local // user1@pc1 // 22
> local proxy command: tcpconnect pc2 22
>
> What's wrong with that?

You should have:

in the main window: user2@pc2 // port 22 // SSH
in the proxy config panel: local
local proxy command: plink user1@pc1 tcpconnect pc2 22
or: plink user1@pc1 -nc pc2:22
or better still: plink user1@pc1 -nc %host:%port

The thing that goes in the `local proxy command' box is exactly the
text you would have put after `ProxyCommand' in OpenSSH: that is,
not the command you want to run _on_ pc1, but the command you want
to run to connect _to_ pc1.
--
Simon Tatham "I'm going to pull his head off. Ear by ear."
- a games teacher

En réponse à Simon Tatham :
> You should have:
>
> in the main window: user2@pc2 // port 22 // SSH
> in the proxy config panel: local
> local proxy command: plink user1@pc1 tcpconnect pc2 22
> or: plink user1@pc1 -nc pc2:22
> or better still: plink user1@pc1 -nc %host:%port
>
> The thing that goes in the `local proxy command' box is exactly the
> text you would have put after `ProxyCommand' in OpenSSH

All right.
A little problem then... I don't manage to enter my password.

The screen remains black and I can't do anything:

Incoming raw data
00000000 55 73 69 6e 67 20 6b 65 79 62 6f 61 72 64 2d 69 Using keyboard-i
00000010 6e 74 65 72 61 63 74 69 76 65 20 61 75 74 68 65 nteractive authe
00000020 6e 74 69 63 61 74 69 6f 6e 2e ntication.
Incoming raw data
00000000 0a .
Incoming raw data
00000000 50 61 73 73 77 6f 72 64 3a 20 Password:


I tried to put the password in the field and then \n%pass and lots of
other things but it doesn't seem to work.
By the way, a « plink user1@pc1 -nc %host:%port -pw test » doesn't work
with PuTTY while the same command launched in cmd works well.

--
Iulius

« L'homme a imaginé le cercle avant de savoir que la terre était ronde.
Ça prouve quand même une certaine faculté d'invention. » (Jacques Sternberg)

Iulius wrote:
> The screen remains black and I can't do anything:
>
> Incoming raw data
> 00000000 55 73 69 6e 67 20 6b 65 79 62 6f 61 72 64 2d 69 Using keyboard-i
> 00000010 6e 74 65 72 61 63 74 69 76 65 20 61 75 74 68 65 nteractive authe
> 00000020 6e 74 69 63 61 74 69 6f 6e 2e ntication.

That looks as if you don't have an SSH key set up that lets Plink
log in to pc1. You will need that, because there's no way for Plink
to get its authentication data interactively in that situation.
--
Simon Tatham What do we want? ROT13!
When do we want it? ABJ!

En réponse à Simon Tatham :
>> Incoming raw data
>> 00000000 55 73 69 6e 67 20 6b 65 79 62 6f 61 72 64 2d 69 Using keyboard-i
>> 00000010 6e 74 65 72 61 63 74 69 76 65 20 61 75 74 68 65 nteractive authe
>> 00000020 6e 74 69 63 61 74 69 6f 6e 2e ntication.
>
> That looks as if you don't have an SSH key set up that lets Plink
> log in to pc1.

But why
plink -pw password user@pc1 -nc %host:%port
doesn't work?

And by the way, isn't it possible for PuTTY to display the interactive
authentication? Or, if not possible, to have two terminals? (or anything else)


> You will need that, because there's no way for Plink
> to get its authentication data interactively in that situation.

I tried
plink -i key.ppk user@pc1 -nc %host:%port
but the option doesn't seem to be recognized, like « -pw ».
How can I do that? With Pageant? What's the problem without?

--
Iulius

« -- Heureusement, nous aurons bientôt le TGV !
-- C'est quoi le tégévé ?
-- C'est le Transport Gaulois Véloce » (Astérix)

Iulius wrote:
> But why
> plink -pw password user@pc1 -nc %host:%port
> doesn't work?

Because, it looks like, your server isn't sending anything that
Plink can recognise as a password request. Instead of selecting the
"password" authentication method, in response to which Plink could
send the thing you specified with -pw, it's selecting
"keyboard-interactive". In this mode it sends a sequence of some
number of user-readable prompts and expects responses.

Using this mode for a password login seems quite common nowadays,
but it does have the side effect that -pw is less useful, because
Plink can't reliably tell (without being able to read natural
language) that the prompt is a password prompt rather than a prompt
for an S/Key one-time password or some other kind of interactive
authentication.

> And by the way, isn't it possible for PuTTY to display the interactive
> authentication?

No, because it would have to somehow open two separate I/O channels
to Plink, one for the actual session data and one for the
authentication, and there's no useful method for doing that. OpenSSH
gets away with this because the terminal device it's using is
external to _both_ programs.

> plink -i key.ppk user@pc1 -nc %host:%port
> but the option doesn't seem to be recognized, like « -pw ».

That isn't enough information to find out what's going on,
unfortunately. You'd need to use `plink -v' and look at the Event
Log. Does this mode work when run on its own?
--
Simon Tatham What do we want? ROT13!
When do we want it? ABJ!

En réponse à Simon Tatham :

All right. First of all, thanks for all your explanations
regarding how interactive authentication are handled.


>> And by the way, isn't it possible for PuTTY to display the interactive
>> authentication?
>
> No, because it would have to somehow open two separate I/O channels
> to Plink, one for the actual session data and one for the
> authentication, and there's no useful method for doing that. OpenSSH
> gets away with this because the terminal device it's using is
> external to _both_ programs.

I understand.
But for that, couldn't it be possible to add a feature like
the username and the password it is possible to write in
the proxy panel? And Plink would write on the first I/O channel
the password? (the users of that thing would of course do that
at their own risk)


>> plink -i key.ppk user@pc1 -nc %host:%port
>> but the option doesn't seem to be recognized, like « -pw ».
>
> That isn't enough information to find out what's going on,
> unfortunately. You'd need to use `plink -v' and look at the Event
> Log. Does this mode work when run on its own?

Yes it works on its own. And I have just found out what
was going on: the path to my key was "ssh\test-key.ppk" and
it had to be written "ssh\\test-key.ppk" because of the tabulation.

Well, everything works fine now!
Thanks for all your help. I really appreciate it!

--
Iulius

« -- Vous n'avez rien à déclarer ?
-- J'ai faim.
-- Qu'est-ce que vous avez là ?
-- Un creux ! » (Astérix)

En réponse à Simon Tatham :
> (If you could suggest improvements to the documentation which would
> have enabled you to find this more easily, I'd be interested to hear
> them.)

Well:
* 4.15.5: the explanation of Local proxy type is only:
« If you are using the Local proxy type, the local command to run
is specified here. » You can add « for example, you can make
use of Plink with plink -nc ... ». And see section 3.8.3.14
for more information.

* FAQ Appendix A: add a question regarding how to set up a ProxyCommand
as OpenSSH does. And you give an example of that (exactly what
you told me in that thread, for the proxy panel and the main window
with the obligation of using a ssh key [and perhaps also tell
that thing in 3.8.3.14]).


I think that would be very good!

Thanks again for your help.

--
Iulius

« J'aimerais un peu plus d'enthousiasme et un peu moins
de latin quand je demande un volontaire ! » (César)

En réponse à Simon Tatham :
>> I have a problem with PuTTY 0.59 and the use of the new implemented
>> local proxying.
>
> (If you do get this working, be warned that you may find unexpected
> crashing unless you upgrade to a development snapshot.)

By the way, is there a way to use ProxyCommand with PSCP or PSFTP?
If not, is it planned?

--
Iulius

« Avec tous ces crânes, il ne savait plus où donner de la tête ! » (Astérix)