PuTTY bug puttygen-unix-perms

This is a mirror. The primary PuTTY web site can be found here.

Home | Licence | FAQ | Docs | Download | Keys | Links
Mirrors | Updates | Feedback | Changes | Wishlist | Team

summary: Unix puttygen can create world-readable private keys
class: bug: This is clearly an actual problem we want fixed.
difficulty: fun: Just needs tuits, and not many of them.
priority: medium: This should be fixed one day.
present-in: 0.58
fixed-in: 2007-01-10 r7084 0.59 (0.60) (0.61) (0.62) (0.63) (0.64)
From Debian bug 400804:

When i run puttygen (either to create a new key, or to translate an openssh-style key), the emitted ppk file (the putty private key) is created with the standard umask, which by default in debian leaves things world-readable.

this is in contrast to ssh-keygen from the openssh suite, which creates private keys with group and other permissions all off, no matter what the current umask.

I think that ssh-keygen's approach is what people expect and intend when it comes to public keys, and it's a better idea to make these things safe-by-default.

This issue corresponds to CVE-2006-7162. (Note that some versions of the advisories for this issue incorrectly state that 0.59 is vulnerable. For the avoidance of doubt, this issue only affects 0.58 and prior, and only the Unix version.)

Audit trail for this bug.


If you want to comment on this web site, see the Feedback page.
(last revision of this bug record was at 2007-07-01 12:11:23 +0000)