diff --git a/doc/config.but b/doc/config.but index c8e68113..aa2f5272 100644 --- a/doc/config.but +++ b/doc/config.but @@ -2486,11 +2486,12 @@ protection than SSH-2 without rekeys. \H{config-ssh-hostkey} The Host Keys panel The Host Keys panel allows you to configure options related to SSH-2 -host key management. +\i{host key management}. Host keys are used to prove the server's identity, and assure you that the server is not being spoofed (either by a man-in-the-middle attack -or by completely replacing it on the network). +or by completely replacing it on the network). See \k{gs-hostkey} for +a basic introduction to host keys. This entire panel is only relevant to SSH protocol version 2; none of these settings affect SSH-1 at all. @@ -2516,11 +2517,16 @@ NIST-standardised elliptic curves. \b \q{RSA}: the ordinary \i{RSA} algorithm. -If PuTTY already has a host key stored for the server, it will prefer -to use the one it already has. If not, it will choose an algorithm -based on the preference order you specify in the configuration. +If PuTTY already has one or more host keys stored for the server, +it will prefer to use one of those, even if the server has a key +type that is higher in the preference order. You can add such a +key to PuTTY's cache from within an existing session using the +\q{Special Commands} menu; see \k{using-specials}. -If the first algorithm PuTTY finds is below the \q{warn below here} +Otherwise, PuTTY will choose a key type based purely on the +preference order you specify in the configuration. + +If the first key type PuTTY finds is below the \q{warn below here} line, you will see a warning box when you make the connection, similar to that for cipher selection (see \k{config-ssh-encryption}). diff --git a/doc/gs.but b/doc/gs.but index c0401fdb..56ab282a 100644 --- a/doc/gs.but +++ b/doc/gs.but 
@@ -102,6 +102,8 @@ host key. If the system administrator sends you more than one \I{host key fingerprint}fingerprint, you should make sure the one PuTTY shows you is on the list, but it doesn't matter which one it is.) +See \k{config-ssh-hostkey} for advanced options for managing host keys. + \# FIXME: this is all very fine but of course in practice the world doesn't work that way. Ask the team if they have any good ideas for changes to this section! diff --git a/doc/index.but b/doc/index.but index e11c60ba..5f497bbf 100644 --- a/doc/index.but +++ b/doc/index.but @@ -851,7 +851,8 @@ saved sessions from \IM{logical host name} logical host name \IM{logical host name} host name, logical -\IM{host key cache}{host key caching policy} host key caching policy +\IM{host key cache}{host key management} host key management +\IM{host key cache}{host key management} cache, of SSH host keys \IM{web browsers} web browser diff --git a/doc/using.but b/doc/using.but index 343612b0..dc0d6b9b 100644 --- a/doc/using.but +++ b/doc/using.but 
@@ -934,22 +934,22 @@ authentication} box in the Auth panel of the PuTTY configuration box \S2{using-cmdline-loghost} \i\c{-loghost}: specify a \i{logical host name} -This option overrides PuTTY's normal SSH \i{host key caching policy} by -telling it the name of the host you expect your connection to end up -at (in cases where this differs from the location PuTTY thinks it's -connecting to). It can be a plain host name, or a host name followed -by a colon and a port number. See \k{config-loghost} for more detail -on this. +This option overrides PuTTY's normal SSH \I{host key cache}host key +caching policy by telling it the name of the host you expect your +connection to end up at (in cases where this differs from the location +PuTTY thinks it's connecting to). It can be a plain host name, or a +host name followed by a colon and a port number. See +\k{config-loghost} for more detail on this. \S2{using-cmdline-hostkey} \i\c{-hostkey}: \I{manually configuring host keys}manually specify an expected host key -This option overrides PuTTY's normal SSH \i{host key caching policy} by -telling it exactly what host key to expect, which can be useful if the -normal automatic host key store in the Registry is unavailable. The -argument to this option should be either a host key fingerprint, or an -SSH-2 public key blob. See \k{config-ssh-kex-manual-hostkeys} for more -information. +This option overrides PuTTY's normal SSH \I{host key cache}host key +caching policy by telling it exactly what host key to expect, which +can be useful if the normal automatic host key store in the Registry +is unavailable. The argument to this option should be either a host key +fingerprint, or an SSH-2 public key blob. See +\k{config-ssh-kex-manual-hostkeys} for more information. You can specify this option more than once if you want to configure more than one key to be accepted.
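Review bot: In the config.but hunk for the Host Keys panel, the new sentence "it will prefer to use one of those" leaves open what happens when more than one cached key type exists for the server; say explicitly whether the configured preference order is then applied among the cached keys only, e.g. "it will prefer to use one of those, choosing among them by the preference order below", so the following paragraph "Otherwise, PuTTY will choose a key type based purely on the preference order" reads as the clear complement. The added pointer to the \q{Special Commands} menu (\k{using-specials}) is helpful, but the "warn below here" paragraph now begins "If the first key type PuTTY finds", which no longer distinguishes the cached-key path from the preference-order path; consider "If the key type PuTTY ends up using is below the \q{warn below here} line" so the warning condition is stated for both cases.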
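Review bot: The index.but hunk drops the index text "host key caching policy" entirely (the old line `\IM{host key cache}{host key caching policy} host key caching policy` is replaced by the two "host key management" and "cache, of SSH host keys" entries), yet the using.but hunk still uses the phrase "host key caching policy" in both the \c{-loghost} and \c{-hostkey} descriptions. A reader looking up the wording they see in the text will not find it in the index; suggest keeping an additional alias line such as `\IM{host key cache}{host key caching policy} host key caching policy` alongside the two new entries.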
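Review bot: The gs.but hunk inserts "See \k{config-ssh-hostkey} for advanced options for managing host keys." directly before the existing `\# FIXME` comment that says this section does not reflect practice; the cross-reference is fine, but since the new config.but text now also says "See \k{gs-hostkey} for a basic introduction to host keys", the two sections point at each other without either explaining what the reader should do when the cached key and the offered key differ. A one-line pointer from the gs.but paragraph to the manual-key section (\k{config-ssh-kex-manual-hostkeys}, as already cited for \c{-hostkey} in using.but) would close that loop for the introductory reader.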