diff --git a/doc/config.but b/doc/config.but index aab5ebca..360b502b 100644 --- a/doc/config.but +++ b/doc/config.but @@ -2268,16 +2268,27 @@ make the most of a low-\i{bandwidth} connection. \cfg{winhelp-topic}{ssh.protocol} -This allows you to select whether you would like to use \i{SSH protocol -version 1} or \I{SSH-2}version 2. \#{FIXME: say something about this elsewhere?} +This allows you to select whether you would prefer to use \i{SSH protocol +version 1} or \I{SSH-2}version 2, and whether to permit falling back +to the other version. -PuTTY will attempt to use protocol 1 if the server you connect to -does not offer protocol 2, and vice versa. +With the settings \q{1} and \q{2}, PuTTY will attempt to use protocol 1 +if the server you connect to does not offer protocol 2, and vice versa. If you select \q{1 only} or \q{2 only} here, PuTTY will only connect if the server you connect to offers the SSH protocol version you have specified. +You should normally leave this at the default, \q{2 only}. The older +SSH-1 protocol is no longer developed, has many known cryptographic +weaknesses, and is generally not considered to be secure. If you +permit use of SSH-1 by selecting \q{2} instead of \q{2 only}, an +active attacker can force downgrade to SSH-1 even if the server +you're connecting to supports SSH-2. + +PuTTY's protocol 1 implementation is provided mainly for +compatibility, and is no longer being enhanced. + \S{config-ssh-sharing} Sharing an SSH connection between PuTTY tools \cfg{winhelp-topic}{ssh.sharing} diff --git a/doc/faq.but b/doc/faq.but index 8bf1f32d..06448cb8 100644 --- a/doc/faq.but +++ b/doc/faq.but @@ -63,6 +63,9 @@ files into PuTTY's format. Yes. SSH-1 support has always been available in PuTTY. +However, the SSH-1 protocol has many weaknesses and is no longer +considered secure; it should be avoided if at all possible. + \S{faq-localecho}{Question} Does PuTTY support \i{local echo}? Yes. Version 0.52 has proper support for local echo. diff --git a/settings.c b/settings.c index 9d2e4140..a8c73ac5 100644 --- a/settings.c +++ b/settings.c @@ -781,7 +781,8 @@ void load_open_settings(void *sesskey, Conf *conf) } gppi(sesskey, "RekeyTime", 60, conf, CONF_ssh_rekey_time); gpps(sesskey, "RekeyBytes", "1G", conf, CONF_ssh_rekey_data); - gppi(sesskey, "SshProt", 2, conf, CONF_sshprot); + /* SSH-2 only by default */ + gppi(sesskey, "SshProt", 3, conf, CONF_sshprot); gpps(sesskey, "LogHost", "", conf, CONF_loghost); gppi(sesskey, "SSH2DES", 0, conf, CONF_ssh2_des_cbc); gppi(sesskey, "SshNoAuth", 0, conf, CONF_ssh_no_userauth); diff --git a/ssh.c b/ssh.c index bc079e91..2dc8a081 100644 --- a/ssh.c +++ b/ssh.c @@ -2966,11 +2966,13 @@ static int do_ssh_init(Ssh ssh, unsigned char c) s->proto2 = ssh_versioncmp(s->version, "1.99") >= 0; if (conf_get_int(ssh->conf, CONF_sshprot) == 0 && !s->proto1) { - bombout(("SSH protocol version 1 required by user but not provided by server")); + bombout(("SSH protocol version 1 required by configuration but " + "not provided by server")); crStop(0); } if (conf_get_int(ssh->conf, CONF_sshprot) == 3 && !s->proto2) { - bombout(("SSH protocol version 2 required by user but not provided by server")); + bombout(("SSH protocol version 2 required by configuration but " + "not provided by server")); crStop(0); }