Joint Scientific IT and Technical Services


Supporting key usage confirmation in PuTTY's pageant

PuTTY is an SSH client for Windows operating systems. Unfortunately, the corresponding SSH agent tool pageant does not yet support the confirmation feature of OpenSSH's ssh-agent/ssh-add. This confirmation support is a very good security improvement when it comes to agent forwarding. Without this feature, you risk misuse of your loaded keys without your knowledge if the remote host you are forwarding your agent to is compromised.

I developed a small patch as a first workaround to add this missing feature to PuTTY's pageant. The patch changes the behaviour of pageant: whenever it is asked to use a stored key to grant access, it first asks the user with a popup window to confirm the usage of the key. I simplified the corresponding dialog from OpenSSH to a Yes/No dialog with the default answer Yes. This way the dialog can be acknowledged with a single key stroke (Enter) but still allows declining the usage.

The patch was submitted to the PuTTY developers on Thu Mar 8 2012.

I later decided on a slightly more sophisticated solution, which does not change the behaviour of pageant in such a strong way: the confirmation prompt is only shown if the key's comment contains a specific string ("needs confirm"). This way, most if not all users are not affected by the change unless they change the comment in their key file to activate it. As the condition is handled separately for each key, you can load some of your keys with confirmation while the others continue to work without it.
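To make the two behaviours described above concrete, here is an added, simplified model of an agent's sign-request path with the comment-based opt-in. It is not PuTTY's or pageant's code: the key ring, fingerprints and comments are constructed sample data, and the confirmation callback (a scripted stand-in for the Yes/No message box) is an assumption made so the decision path can be exercised without a GUI. The reply codes are the standard SSH agent protocol values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of an SSH agent's sign-request path.
 * Not PuTTY's code: it only illustrates the "needs confirm" comment
 * gating described on this page. */

#define CONFIRM_MARKER "needs confirm"

/* SSH agent protocol reply codes (draft-miller-ssh-agent). */
#define SSH_AGENT_FAILURE        5
#define SSH_AGENT_SIGN_RESPONSE 14

struct agent_key {
    const char *fingerprint;  /* constructed identifier standing in for the public-key blob */
    const char *comment;      /* key comment as loaded into the agent */
};

/* Only keys whose comment contains the marker prompt the user; all other
 * keys keep the original unprompted behaviour. */
bool key_needs_confirmation(const struct agent_key *key)
{
    return key->comment != NULL && strstr(key->comment, CONFIRM_MARKER) != NULL;
}

/* Confirmation callback type. In the real patch this would be a Windows
 * Yes/No message box with Yes as the default button; here it is injected
 * so the code runs without a GUI. */
typedef bool (*confirm_fn)(const struct agent_key *key, void *ctx);

/* Handle one sign request. Returns the agent reply code: a sign response
 * when allowed, SSH_AGENT_FAILURE when the key is unknown or the user
 * declined. If `prompted` is non-NULL it reports whether a dialog was shown. */
int handle_sign_request(const struct agent_key *keys, size_t nkeys,
                        const char *fingerprint, confirm_fn confirm,
                        void *ctx, bool *prompted)
{
    if (prompted) *prompted = false;
    for (size_t i = 0; i < nkeys; i++) {
        if (strcmp(keys[i].fingerprint, fingerprint) != 0)
            continue;
        if (key_needs_confirmation(&keys[i])) {
            if (prompted) *prompted = true;
            if (!confirm(&keys[i], ctx))
                return SSH_AGENT_FAILURE;   /* user declined: the forwarded client gets a refusal */
        }
        /* the signature computation itself is omitted in this model */
        return SSH_AGENT_SIGN_RESPONSE;
    }
    return SSH_AGENT_FAILURE;               /* unknown key */
}

/* Scripted confirmation for the stand-alone demo: the answer comes from ctx. */
bool scripted_confirm(const struct agent_key *key, void *ctx)
{
    bool answer = *(bool *)ctx;
    printf("confirm use of key '%s'? -> %s\n", key->comment, answer ? "yes" : "no");
    return answer;
}

/* Constructed sample key ring: one key opted in, one not. */
const struct agent_key sample_keys[] = {
    { "SHA256:AAAA-constructed", "work laptop needs confirm" },
    { "SHA256:BBBB-constructed", "build server" },
};
bool answer_yes = true;
bool answer_no = false;

int main(void)
{
    bool prompted;
    int r;

    r = handle_sign_request(sample_keys, 2, "SHA256:AAAA-constructed",
                            scripted_confirm, &answer_yes, &prompted);
    printf("opted-in key, user says yes: reply=%d prompted=%d\n", r, prompted);
    r = handle_sign_request(sample_keys, 2, "SHA256:AAAA-constructed",
                            scripted_confirm, &answer_no, &prompted);
    printf("opted-in key, user says no:  reply=%d prompted=%d\n", r, prompted);
    r = handle_sign_request(sample_keys, 2, "SHA256:BBBB-constructed",
                            scripted_confirm, &answer_no, &prompted);
    printf("plain key, no prompt:        reply=%d prompted=%d\n", r, prompted);
    return 0;
}
```

The point to notice is that a decline does not leak anything to the remote side beyond a generic agent failure, and that keys without the marker never reach the callback, which is what keeps the change invisible to users who do not opt in.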

On 2013-01-17 Markus Bräunig fixed a bug when compiling pageant with cygwin. The fixes are now integrated in the two patch files above. Thanks to Markus for solving this issue.

On 2013-02-20 Wolfgang Lauffher mentioned that my patch is missing a license: I hereby grant usage of my code under GPLv3.

On 2015-08-05 I created an updated patch for the latest git repository head.

On 2019-03-19 I created an updated patch for version 0.71.

On 2023-06-15 I discovered that my patch is now integrated in a forked version of PuTTY called KiTTY.