Putty Proxy Problems

It seems as though there’s quite a few posts out there on how to configure Putty to proxy SSH connections through a bastion host, however, I haven’t found one that suggests that you’ll need to connect to the proxy server directly first in order to add that host key to your registry! If you don’t do this, you’ll end up seeing this rather unhelpful error:

Incoming packet was garbled on decryption error dialog

If you Google that message, you find loads of suggestions to mess around with the Putty cipher preferences, or how it handles bugs, but I found all I had to do was connect to the bastion box first so that you get the dialog box appearing asking if you trust the host key and whether to add it to the registry. I figured this out when troubleshooting the above error and I found these messages in the Putty log:

Event Log: Writing new session log (SSH raw data mode) to file: C:\Users\Pete\Desktop\putty.log
Event Log: Starting local proxy command: plink ec2-user@<redacted_IP> -nc <redacted_IP>:22
Event Log: We claim version: SSH-2.0-PuTTY_Release_0.68
Event Log: proxy: The server's host key is not cached in the registry. You
Event Log: proxy: have no guarantee that the server is the computer you
Event Log: proxy: think it is.
Event Log: proxy: The server's ssh-ed25519 key fingerprint is:
Event Log: proxy: ssh-ed25519 256 <redacted_key_fingerprint>
Event Log: proxy: If you trust this host, enter "y" to add the key to
Event Log: proxy: PuTTY's cache and carry on connecting.
Event Log: proxy: If you want to carry on connecting just once, without
Event Log: proxy: adding the key to the cache, enter "n".
Event Log: proxy: If you do not trust this host, press Return to abandon the
Event Log: proxy: connection.

Seems as though the plink command is asking the usual “do you trust this host” question, but as it’s executed in the background, the user doesn’t get to see this request, nor respond to it.

So, for completeness, here’s my guide to emulating the *nix SSH proxycommand with Putty (this assumes your public key is on both the bastion and destination host):

  1. You’ll need to install Putty, Puttygen, Plink and Pagent. I found it easiest to simply install the entire suite (from the “Package files” section of the Putty downloads page).
  2. Convert your OpenSSH private key from it’s pem format by loading the key in Puttygen and saving a ppk file (optional).
  3. Run Pagent (if it’s not already running) and add the private key to it (right click the little system tray icon and “add key”.
  4. Run Putty and configure a connection to the bastion host.
  5. “Open” the connection and accept the host’s key when prompted.
  6. Log out of the bastion host.
  7. Run Putty again, this time to connect to a server in the private network accessible via the bastion host.
  8. In the session window, input the private IP/hostname.
  9. Under Connection->Data, input the username for the destination host.
  10. Under Connection->Proxy, update the following:
    • Select the “Local” option from the “Proxy type” radio button selection.
    • The “Proxy hostname” field with the IP/hostname of your bastion host.
    • The “Username” field with the user ID you’re connecting to the bastion host with.
    • The “Telnet command, or the local proxy command” field should read: plink %user@%proxyhost -nc %host:%port

Putty proxy configuration.