PuTTY is simple to use in its most basic form. Nevertheless, its clients have many options that are worth trying out. We will cover the ones relating to SSH. Other terminal-related features, like settings for the window, keyboard, and mouse, we encourage you to explore on your own.
If you have a habit of connecting to the same remote machines often, set up a Saved Session, which remembers the settings for that connection so that you can reuse them. This is similar to the OpenSSH and Tectia feature of configuration files, but with a GUI. [7.1.2] Simply configure PuTTY the way you like it, then save that configuration under a name, such as "My Favorite Settings" or "office."
When you create and name a Saved Session, it becomes available not only to PuTTY, but also to the other programs in PuTTY's suite, such as PSCP and Plink. Just provide the saved session's name in place of a hostname. For example, if you created a Saved Session called "office" to stand for employer.example.com, you could run:
C:\> plink office
and it will connect to employer.example.com.
Saved Sessions are stored in the Windows registry under the key \HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions.
Like other SSH implementations, PuTTY records the host keys of SSH servers it encounters. They are stored in the Windows registry under the key \HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys.
We always recommend you use the SSH-2 protocol, since it is more secure and robust than the original SSH-1. Nevertheless, PuTTY does support both protocols, and you can choose your preferred protocol on the PuTTY Configuration dialog, under Connection/SSH. The choices are:
Require SSH-1, or else fail.
Try SSH-1 first, then SSH-2.
Try SSH-2 first, then SSH-1.
Require SSH-2, or else fail (recommended).
With Plink, you can force the protocol version with the -1 (SSH-1 only) and -2 (SSH-2) options:
C:\> plink -2 smith@server.example.com
SSH uses TCP/IP as its transport mechanism, and PuTTY gives you control over some TCP-related settings.
SSH servers almost always run on TCP port 22, but if you encounter a nonstandard server, you can choose a port in the PuTTY Configuration dialog, under Connection. Locate the Port value and fill it in.
With Plink, just specify the -P option to set the port number:
C:\> plink -P 12345 smith@server.example.com
SSH clients can optionally send TCP keepalive messages to an SSH server to recognize when a connection has failed. [7.4.5.4] If the client detects a lack of responses to these messages, it shuts down the connection. You can enable or disable this feature in the PuTTY Configuration dialog, under Connection.
TCP/IP has a feature called the Nagle Algorithm, which is designed to reduce the number of TCP segments sent with very small amounts of data (e.g., 1 byte), usually as part of an interactive terminal session. This can affect performance over wide-area networks. [7.4.5.5] PuTTY lets you enable or disable the Nagle Algorithm in the PuTTY Configuration dialog, under Connection.
SSH clients allocate a pseudo-terminal on the server machine: a software abstraction representing a computer terminal. [7.4.6.5] PuTTY does this by default, but you can prevent this in the PuTTY Configuration dialog, under Connection/SSH.
Because PuTTY is designed as a terminal client, which is interactive, you generally can leave this setting alone. But if you're using PuTTY noninteractively (say, only to set up port forwarding), you don't strictly need a pseudo-terminal. If you're using Plink, you can disable pseudo-terminal allocation with the -T option or leave it enabled with -t.
PuTTY supports SOCKS, an application-layer network proxying system supported by various SSH implementations. [7.4.7] You can enable it in the PuTTY Configuration dialog, under Connection/Proxy.
On the Connection/SSH section of the PuTTY Configuration dialog, you can choose the encryption algorithms (ciphers) acceptable to the client. [7.4.9] Any algorithms appearing below the line "--warn below here--" will cause PuTTY to display a warning before they are used.
For most people, the defaults are fine. But if a security hole were found in one of the algorithms (say, Blowfish), you could move it below the line, and PuTTY would warn before using it.
PuTTY supports the following authentication types: password, public-key, challenge-response (a.k.a. keyboard-interactive), and TIS. [7.4.13] Password authentication works by default. Public-key authentication requires you to set up a key, as we've seen. [2.4] Challenge-response authentication is enabled in the PuTTY Configuration dialog, under Connection/SSH/Auth. [5.4.5]
TIS authentication is uncommon: it authenticates users via the Gauntlet firewall toolkit from Trusted Information Systems. It works only for the SSH-1 protocol so we recommend against using it. That being said, it is enabled in the PuTTY Configuration dialog, under Connection/SSH/Auth.
The data flowing between the SSH client and server may optionally be compressed to save bandwidth. [7.4.14] To enable compression, open the PuTTY Configuration dialog and look under Connection/SSH. If you're using Plink, add the -C option to enable compression:
C:\> plink -C smith@server.example.com
If you're having a connection problem with PuTTY, you can capture the session data in a file. Open the PuTTY Configuration dialog and look under Session/Logging. Here you select the file to receive the data, and four different settings:
As it says, do no logging.
This simply captures the text of your terminal session, and is not very useful for debugging.
This captures not only the text of your session, but also any nonprinting control characters. This is useful for debugging terminal emulation problems, e.g., if your favorite text editor isn't behaving when viewed through PuTTY.
This is the big one: the actual SSH data, unencrypted, that passes over the connection. It appears in hexadecimal and ASCII, annotated with high-level information such as "Doing Diffie-Hellman group exchange" and "Access denied." If you're debugging an SSH problem, this is the logging you need. However, it's not very user-friendly: you'll need substantial knowledge of the SSH protocol to figure out what's going on.
If you select "Log SSH packet data," always select "Omit known password fields" as well. Otherwise, sensitive data like passwords will be captured in the log file, which is a security risk if the log file is read or stolen by a hostile third party.
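An added example, not from the original text: a Python audit of exported Saved Sessions for the two settings recommended above (SSH-2 only, and password fields omitted from packet logs). The value names SshProt, LogType and SSHLogOmitPasswords and their meanings are assumptions about how PuTTY stores these settings, and the export text is a constructed sample.

```python
import re
from urllib.parse import unquote

# Constructed sample in the format written by
#   reg export HKCU\Software\SimonTatham\PuTTY\Sessions sessions.reg
# (real exports are UTF-16; decode them before parsing).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\office]
"HostName"="employer.example.com"
"SshProt"=dword:00000003
"LogType"=dword:00000000
"SSHLogOmitPasswords"=dword:00000001

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\My%20Favorite%20Settings]
"SshProt"=dword:00000001
"LogType"=dword:00000003
"SSHLogOmitPasswords"=dword:00000000
'''

KEY_RE = re.compile(r'^\[.*\\PuTTY\\Sessions\\([^\\\]]+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_sessions(text):
    """Return {session name: {value name: int or str}} from .reg text."""
    sessions, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = KEY_RE.match(line)
        if key:  # session names are %XX-encoded in the key name
            current = sessions.setdefault(unquote(key.group(1)), {})
        elif line.startswith('['):
            current = None  # some other key: ignore its values
        elif current is not None and (val := VAL_RE.match(line)):
            name, dword, string = val.groups()
            current[name] = int(dword, 16) if dword else string
    return sessions

def audit(sessions):
    """Return sorted (session, finding) pairs; absent values are not flagged."""
    # Assumed meanings: SshProt 3 = "2 only"; LogType >= 3 = SSH packet logging.
    findings = []
    for name, s in sessions.items():
        if s.get('SshProt', 3) < 3:
            findings.append((name, 'SSH-1 permitted'))
        if s.get('LogType', 0) >= 3 and s.get('SSHLogOmitPasswords', 1) == 0:
            findings.append((name, 'packet log keeps password fields'))
    return sorted(findings)

if __name__ == '__main__':
    print(audit(parse_sessions(SAMPLE_EXPORT)))
```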
If you're using Plink, you can display diagnostic information with the -v option:
C:\> plink -v smith@server.example.com
Server version: SSH-1.99-OpenSSH_3.8.1p1
We claim version: SSH-2.0-PuTTY-Release-0.56
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange
Host key fingerprint is:
ssh-dss 1024 80:de:c6:fa:f7:82:4f:c7:c4:8c:1f:6f:d4:40:4b:0e
Initialised AES-256 client->server encryption
Initialised AES-256 server->client encryption
...
SSH can be used within batch jobs to secure their communications. [11.1] With PuTTY, batch jobs are most easily done with Plink and its -batch option:
C:\> plink -batch smith@server.example.com my-job
The -batch option suppresses all user prompts. But wait: just because you've disabled prompts doesn't automatically authenticate you. You'll also need to set up passwordless authentication. Otherwise, you'll simply fail to authenticate, prompts or no.