1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 01:48:00 +00:00

Docs: talk about SSH-2 before SSH-1.

Because SSH-1 is a very niche interest these days. Mostly this affects
the public key documentation.

Also, a couple of unrelated concessions to modernity.
This commit is contained in:
Jacob Nevins 2019-04-19 15:44:36 +01:00
parent 461844a5ec
commit 5aacd0d98e
3 changed files with 56 additions and 57 deletions

View File

@ -153,16 +153,16 @@ If you see one of these messages, it often indicates that you've tried
to load a key of an inappropriate type into PuTTY, Plink, PSCP, PSFTP, to load a key of an inappropriate type into PuTTY, Plink, PSCP, PSFTP,
or Pageant. or Pageant.
You may have specified a key that's inappropriate for the connection You may have tried to load an SSH-2 key in a \q{foreign}
you're making. The SSH-1 and SSH-2 protocols require different private
key formats, and a SSH-1 key can't be used for a SSH-2 connection (or
vice versa).
Alternatively, you may have tried to load an SSH-2 key in a \q{foreign}
format (OpenSSH or \cw{ssh.com}) directly into one of the PuTTY tools, format (OpenSSH or \cw{ssh.com}) directly into one of the PuTTY tools,
in which case you need to import it into PuTTY's native format in which case you need to import it into PuTTY's native format
(\c{*.PPK}) using PuTTYgen \dash see \k{puttygen-conversions}. (\c{*.PPK}) using PuTTYgen \dash see \k{puttygen-conversions}.
Alternatively, you may have specified a key that's inappropriate for
the connection you're making. The SSH-2 and the old SSH-1 protocols
require different private key formats, and a SSH-1 key can't be used
for a SSH-2 connection (or vice versa).
\H{errors-refused} \q{Server refused our key}, \H{errors-refused} \q{Server refused our key},
\q{Server refused our public key}, \q{Key refused} \q{Server refused our public key}, \q{Key refused}
@ -212,8 +212,8 @@ you to an SSH server. This may be because PuTTY has TIS or
keyboard-interactive authentication disabled, in which case see keyboard-interactive authentication disabled, in which case see
\k{config-ssh-tis} and \k{config-ssh-ki}. \k{config-ssh-tis} and \k{config-ssh-ki}.
\H{errors-crc} \q{Incorrect \i{CRC} received on packet} or \q{Incorrect \H{errors-crc} \q{Incorrect \i{MAC} received on packet} or
\i{MAC} received on packet} \q{Incorrect \i{CRC} received on packet}
This error occurs when PuTTY decrypts an SSH packet and its checksum This error occurs when PuTTY decrypts an SSH packet and its checksum
is not correct. This probably means something has gone wrong in the is not correct. This probably means something has gone wrong in the

View File

@ -65,12 +65,12 @@ something like this:
For each key, the list box will tell you: For each key, the list box will tell you:
\b The type of the key. Currently, this can be \c{ssh1} (an RSA key \b The type of the key. Currently, this can be
for use with the SSH-1 protocol), \c{ssh-rsa} (an RSA key for use \c{ssh-rsa} (an RSA key for use with the SSH-2 protocol),
with the SSH-2 protocol), \c{ssh-dss} (a DSA key for use with \c{ssh-dss} (a DSA key for use with the SSH-2 protocol),
the SSH-2 protocol), \c{ecdsa-sha2-*} (an ECDSA key for use with \c{ecdsa-sha2-*} (an ECDSA key for use with the SSH-2 protocol),
the SSH-2 protocol), or \c{ssh-ed25519} (an Ed25519 key for use with \c{ssh-ed25519} (an Ed25519 key for use with the SSH-2 protocol),
the SSH-2 protocol). or \c{ssh1} (an RSA key for use with the old SSH-1 protocol).
\b The size (in bits) of the key. \b The size (in bits) of the key.
@ -167,9 +167,10 @@ Use \c{-restrict-putty-acl} to change this. (Again, see
Agent forwarding is a mechanism that allows applications on your SSH Agent forwarding is a mechanism that allows applications on your SSH
server machine to talk to the agent on your client machine. server machine to talk to the agent on your client machine.
Note that at present, agent forwarding in SSH-2 is only available Note that at present, whether agent forwarding in SSH-2 is available
when your SSH server is \i{OpenSSH}. The \i\cw{ssh.com} server uses a depends on your server. Pageant's protocol is compatible with the
different agent protocol, which PuTTY does not yet support. \i{OpenSSH} server, but the \i\cw{ssh.com} server uses a different
agent protocol, which PuTTY does not yet support.
To enable agent forwarding, first start Pageant. Then set up a PuTTY To enable agent forwarding, first start Pageant. Then set up a PuTTY
SSH session in which \q{Allow agent forwarding} is enabled (see SSH session in which \q{Allow agent forwarding} is enabled (see

View File

@ -66,7 +66,7 @@ public and private keys to be used with PuTTY, PSCP, and Plink, as well
as the PuTTY authentication agent, Pageant (see \k{pageant}). PuTTYgen as the PuTTY authentication agent, Pageant (see \k{pageant}). PuTTYgen
generates RSA, DSA, ECDSA, and Ed25519 keys. generates RSA, DSA, ECDSA, and Ed25519 keys.
When you run PuTTYgen you will see a window where you have two When you run PuTTYgen you will see a window where you have two main
choices: \q{Generate}, to generate a new public/private key pair, or choices: \q{Generate}, to generate a new public/private key pair, or
\q{Load} to load in an existing private key. \q{Load} to load in an existing private key.
@ -105,12 +105,12 @@ server to accept it.
\S{puttygen-keytype} Selecting the type of key \S{puttygen-keytype} Selecting the type of key
Before generating a key pair using PuTTYgen, you need to select Before generating a key pair using PuTTYgen, you need to select
which type of key you need. PuTTYgen currently supports these types which type of key you need.
of key:
\b An \i{RSA} key for use with the SSH-1 protocol. The current version of the SSH protocol, SSH-2, supports several
different key types. PuTTYgen can generate:
\b An RSA key for use with the SSH-2 protocol. \b An \i{RSA} key for use with the SSH-2 protocol.
\b A \i{DSA} key for use with the SSH-2 protocol. \b A \i{DSA} key for use with the SSH-2 protocol.
@ -120,12 +120,10 @@ SSH-2 protocol.
\b An \i{Ed25519} key (another elliptic curve algorithm) for use \b An \i{Ed25519} key (another elliptic curve algorithm) for use
with the SSH-2 protocol. with the SSH-2 protocol.
The SSH-1 protocol only supports RSA keys; if you will be connecting PuTTYgen can also generate an RSA key suitable for use with the old
using the SSH-1 protocol, you must select the first key type or your SSH-1 protocol (which only supports RSA); for this, you need to select
key will be completely useless. the \q{SSH-1 (RSA)} option. Since the SSH-1 protocol is no longer
considered secure, it's rare to need this option.
The SSH-2 protocol supports more than one key type. The types
supported by PuTTY are RSA, DSA, ECDSA, and Ed25519.
\S{puttygen-strength} Selecting the size (strength) of the key \S{puttygen-strength} Selecting the size (strength) of the key
@ -282,9 +280,9 @@ public keys.
\S{puttygen-pastekey} \q{Public key for pasting into \i{authorized_keys \S{puttygen-pastekey} \q{Public key for pasting into \i{authorized_keys
file}} file}}
All SSH-1 servers require your public key to be given to it in a The \i{OpenSSH} server, among others, requires your public key to be
one-line format before it will accept authentication with your given to it in a one-line format before it will accept authentication
private key. The \i{OpenSSH} server also requires this for SSH-2. with your private key. (SSH-1 servers also used this method.)
The \q{Public key for pasting into authorized_keys file} gives the The \q{Public key for pasting into authorized_keys file} gives the
public-key data in the correct one-line format. Typically you will public-key data in the correct one-line format. Typically you will
@ -315,12 +313,7 @@ for information about importing foreign key formats.
\S{puttygen-conversions} Dealing with private keys in other formats \S{puttygen-conversions} Dealing with private keys in other formats
Most SSH-1 clients use a standard format for storing private keys on SSH-2 private keys have no standard format. \I{OpenSSH private
disk. PuTTY uses this format as well; so if you have generated an
SSH-1 private key using OpenSSH or \cw{ssh.com}'s client, you can use
it with PuTTY, and vice versa.
However, SSH-2 private keys have no standard format. \I{OpenSSH private
key format}OpenSSH and \I{ssh.com private key format}\cw{ssh.com} have key format}OpenSSH and \I{ssh.com private key format}\cw{ssh.com} have
different formats, and PuTTY's is different again. different formats, and PuTTY's is different again.
So a key generated with one client cannot immediately be used with So a key generated with one client cannot immediately be used with
@ -332,8 +325,8 @@ menu, PuTTYgen can load SSH-2 private keys in OpenSSH's format and
can then save it back out as a PuTTY-format key (\c{*.\i{PPK}}) so that can then save it back out as a PuTTY-format key (\c{*.\i{PPK}}) so that
you can use it with the PuTTY suite. The passphrase will be unchanged by this you can use it with the PuTTY suite. The passphrase will be unchanged by this
process (unless you deliberately change it). You may want to change process (unless you deliberately change it). You may want to change
the key comment before you save the key, since OpenSSH's SSH-2 key the key comment before you save the key, since some OpenSSH key
format contains no space for a comment and \cw{ssh.com}'s default formats contained no space for a comment, and \cw{ssh.com}'s default
comment format is long and verbose. comment format is long and verbose.
PuTTYgen can also \i{export private keys} in OpenSSH format and in PuTTYgen can also \i{export private keys} in OpenSSH format and in
@ -353,8 +346,12 @@ reason for wanting to use OpenSSH's newer format even for RSA, DSA,
or ECDSA keys, you can choose \q{Export OpenSSH key (force new file or ECDSA keys, you can choose \q{Export OpenSSH key (force new file
format)}. format)}.
Note that since only SSH-2 keys come in different formats, the export Most clients for the older SSH-1 protocol use a standard format for
options are not available if you have generated an SSH-1 key. storing private keys on disk. PuTTY uses this format as well; so if
you have generated an SSH-1 private key using OpenSSH or
\cw{ssh.com}'s client, you can use it with PuTTY, and vice versa.
Hence, the export options are not available if you have generated an
SSH-1 key.
\H{pubkey-gettingready} Getting ready for public key authentication \H{pubkey-gettingready} Getting ready for public key authentication
@ -363,21 +360,21 @@ connection succeeds you will be prompted for your user name and
password to login. Once logged in, you must configure the server to password to login. Once logged in, you must configure the server to
accept your public key for authentication: accept your public key for authentication:
\b If your server is using the SSH-1 protocol, you should change \b If your server is \i{OpenSSH}, you should change into the
into the \i\c{.ssh} directory and open the file \i\c{authorized_keys} \i\c{.ssh} directory under your home directory, and open the file
with your favourite editor. (You may have to create this file if \i\c{authorized_keys} with your favourite editor. (You may have to
this is the first key you have put in it). Then switch to the create this file, if this is the first key you have put in it.) Then
PuTTYgen window, select all of the text in the \q{Public key for switch to the PuTTYgen window, select all of the text in the \q{Public
pasting into authorized_keys file} box (see \k{puttygen-pastekey}), key for pasting into authorized_keys file} box (see
and copy it to the clipboard (\c{Ctrl+C}). Then, switch back to the \k{puttygen-pastekey}), and copy it to the clipboard (\c{Ctrl+C}).
PuTTY window and insert the data into the open file, making sure it Then, switch back to the PuTTY window and insert the data into the
ends up all on one line. Save the file. open file, making sure it ends up all on one line. Save the file.
\b If your server is \i{OpenSSH} and is using the SSH-2 protocol, you \lcont{
should follow the same instructions, except that in earlier versions (In very old versions of OpenSSH, SSH-2 keys had to be put in a
of OpenSSH 2 the file might be called \c{authorized_keys2}. (In separate file called \c{authorized_keys2}. In all current versions,
modern versions the same \c{authorized_keys} file is used for both the same \c{authorized_keys} file is used for both SSH-1 and SSH-2 keys.)
SSH-1 and SSH-2 keys.) }
\b If your server is \i\cw{ssh.com}'s product and is using SSH-2, you \b If your server is \i\cw{ssh.com}'s product and is using SSH-2, you
need to save a \e{public} key file from PuTTYgen (see need to save a \e{public} key file from PuTTYgen (see
@ -393,8 +390,9 @@ that server.
You may also need to ensure that your home directory, your \c{.ssh} You may also need to ensure that your home directory, your \c{.ssh}
directory, and any other files involved (such as directory, and any other files involved (such as
\c{authorized_keys}, \c{authorized_keys2} or \c{authorization}) are \c{authorized_keys}, \c{authorized_keys2} or \c{authorization}) are
not group-writable or world-writable. You can typically do this by not group-writable or world-writable; servers will typically ignore
using a command such as the keys unless this is done. You can typically do this by using a
command such as
\c chmod go-w $HOME $HOME/.ssh $HOME/.ssh/authorized_keys \c chmod go-w $HOME $HOME/.ssh $HOME/.ssh/authorized_keys