PuTTY bug puttygen-unix-perms


summary: Unix puttygen can create world-readable private keys
class: bug: This is clearly an actual problem we want fixed.
difficulty: fun: Just needs tuits, and not many of them.
priority: medium: This should be fixed one day.
present-in: 0.58
fixed-in: 2007-01-10 r7084 4fa9564c909c589bcccc95d57fae5469063c1759 0.59

From Debian bug 400804:

When I run puttygen (either to create a new key, or to translate an OpenSSH-style key), the emitted ppk file (the PuTTY private key) is created with the standard umask, which by default in Debian leaves things world-readable.

This is in contrast to ssh-keygen from the OpenSSH suite, which creates private keys with group and other permissions all off, no matter what the current umask.

I think that ssh-keygen's approach is what people expect and intend when it comes to public keys, and it's a better idea to make these things safe-by-default.

This issue corresponds to CVE-2006-7162. (Note that some versions of the advisories for this issue incorrectly state that 0.59 is vulnerable. For the avoidance of doubt, this issue only affects 0.58 and prior, and only the Unix version.)


(last revision of this bug record was at 2022-10-30 14:30:13 +0000)