Sometimes useful reminder: you may not need PuTTY today. On the one side Windows Terminal does a lot of the classic VT* terminal emulation that old ConHost did not. On the other side Windows ships "real" OpenSSH now as a feature that turns on automatically with Windows "Dev Mode". No built in GUI for the SSH agent, but at this point if you are familiar with SSH then using a CLI SSH agent shouldn't be scary. If you are "upgrading" from PuTTY you just need to export your keys to a different format, but that's about the only big change.
PuTTY was a great tool for many years and a lot of people have good reasons to not want to let it go. As with most software it accretes habits and processes built on top of it that are hard to leave. But also useful to sometimes remind about the new options because you never know who wants to be in the Lucky 10K to learn that Windows Terminal now has deeper, "true" terminal emulation or that Windows has ssh "built-in".
I'm sorry that you need to work around the inability to run a simple Windows service because of some mistakenly bad corporate policy trying to micro-manage which Windows services are allowed to run. I don't think the long term solution should be "shadow IT install an older app just because it pretends to be a GUI rather than a Windows service", but I'm glad it is working for you in the short term.
If you need ammunition to encourage your corporate IT to allow you to run the proper ssh-agent service to do your job instead of increasing your attack surface by installing PuTTY/Pageant, you could collect a list of vulnerabilities such as the one posted here (look at the huge count of affected versions on just this one!). There should be plenty of vulnerability maintenance evidence on the Microsoft-shipped version of an open source tool with a lot of eyeballs because it is "the standard" for almost all platforms over the "single developer" tool that took at least a decade off from active development (and it shows).
> If you need ammunition to encourage your corporate IT to allow you to run the proper ssh-agent service to do your job instead of increasing your attack surface by installing PuTTY/Pageant, you could collect a list of vulnerabilities such as the one posted here...
This made me laugh :-) Grandparent is probably happy to just fly under the radar. The suggested conversation would probably play out thusly:
> IT! You idiots! Your dumb policies are forcing me to use this insecure software! Look how many vulnerabilities it has had over the years!
>> Hold up. Rewind. What's this software that you've installed?
> It's called PuTTY. And if you just change this policy I could...
>> And how insecure is it?
> Just check out all these vulnerabilities! It's probably not worse than the average, but it's unnecessary extra attack surface area that...
>> I'm going to need you to uninstall that. Now. And I'll need confirmation via email that you have done so by EOB, with your boss and the CISO on CC.
> But if you just change this boneheaded policy...
>> Now, please. We have a security incident on our hands. We can discuss policy another time. Is there anything else installed on your laptop that I should be aware of?
The bad part is how the micro-managing is attempted, not the idea of allowlisting Windows Services in general. There are good reasons to allowlist things like Windows Services, sure. How you micro-manage that allowlist can be bad.
Specific to this case, `ssh-agent` is a Windows Service shipped with Windows and signed by Microsoft. If your allowlist doesn't include built-in Windows services maybe your allowlist is deficient. Further specifically in this case, if you are using ssh (and/or sftp) as business tools and expecting some users to have those tools in their job workflows and processes, it really doesn't make sense not to allowlist the `ssh-agent` service so that those jobs can be performed, at least for those users doing those tasks. That should be obvious to any IT person that has used SSH ever before that having access to a reliable SSH agent is important. If your micro-management processes don't have good processes for making the right exceptions you teach your users to instead rely on the wrong loopholes, that's bad corporate policy.
(Seriously, why would you encourage users to use an out-of-date program with known vulnerabilities, a tiny bus factor, existing known fakes that are malware vectors in the wild, when you can just quickly allowlist a single Windows service, shipped by Windows, and signed by Microsoft? How can you call any such corporate policy anything but bad in this specific example?)
> On my properties dialog for the OpenSSH authentication agent, all of the buttons under "service status" are disabled.
Change the “Startup type” to either “manual” or “automatic” and some of those buttons should light up, if I am remembering correctly (I may be misremembering; I’ve been primarily a Mac user for over a year, now.)
> I need to stay in this realm.
That’s fine. PuTTYgen converts ssh keys to and from OpenSSH format just fine, though, so it’s an option if you ever choose to explore it.
It’s possible to lock this down, don’t misunderstand me. I’m saying it’s unlikely for a security team to make this decision on a system where pageant.exe is allowed to run.
Really helpful. I found it a challenge getting a Windows system (no admin) into a state where I can use it productively, and having a functional ssh-agent was one of the remaining pain points.
There are a few different options in Windows that are all measurably superior to PuTTY:
Install WSL2 - you get the Linux SSH of your choice.
As mentioned above, Windows now ships with OpenSSH and Windows Terminal is good.
My favourite, but now probably obsolete solution was to install MobaXTerm which shipped with an SSH client. It's still great and there is a usable "free" version of it, but WSL2 does everything for me now when I'm forced to use Windows.
I have some rhel5 systems where I have compiled PuTTY psftp and plink, because it's the easiest way to get a modern client that can do chacha20-poly1305 with ed25519.
It still is, but Microsoft very quietly released WSLg for Windows 10, something they said they wouldn't do, it would be Windows 11 only. I only found this out by accident on a machine I had installed MobaXTerm on, but didn't start it. Installed / fired up some basic X apps and they worked without it (hello xeyes!)
MobaXTerm is still great for managing SSH login details.
Too few nerds are willing to admit this. I use git all-day-long, but need to check stackoverflow to use the command line for anything more complicated than switching branches...and I'm ok with that. I save my brain space for more useful things.