mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 01:48:00 +00:00
Merge cosmetic and docs fixes from 'pre-0.78'.
This commit is contained in:
Jacob Nevins
commit
61b3cde507
3
config.c
3
config.c
@ -569,8 +569,7 @@ static void kexlist_handler(dlgcontrol *ctrl, dlgparam *dlg,
|
||||
{ "Diffie-Hellman group exchange", KEX_DHGEX },
|
||||
{ "RSA-based key exchange", KEX_RSA },
|
||||
{ "ECDH key exchange", KEX_ECDH },
|
||||
{ "NTRU Prime / Curve25519 hybrid kex"
|
||||
" (quantum-resistant)", KEX_NTRU_HYBRID },
|
||||
{ "NTRU Prime / Curve25519 hybrid kex", KEX_NTRU_HYBRID },
|
||||
{ "-- warn below here --", KEX_WARN }
|
||||
};
|
||||
|
||||
|
||||
@ -2347,17 +2347,17 @@ cipher selection (see \k{config-ssh-encryption}).
|
||||
|
||||
PuTTY currently supports the following key exchange methods:
|
||||
|
||||
\b \q{NTRU Prime / Curve25519 hybrid}: NTRU Prime is a lattice-based
|
||||
algorithm intended to resist quantum attacks. In this key exchange
|
||||
method, it is run in parallel with a conventional Curve25519-based
|
||||
method (one of those included in \q{ECDH}), in such a way that it
|
||||
should be no \e{less} secure than that commonly-used method, and
|
||||
hopefully also resistant to a new class of attacks.
|
||||
\b \q{NTRU Prime / Curve25519 hybrid}: \q{\i{Streamlined NTRU Prime}}
|
||||
is a lattice-based algorithm intended to resist \i{quantum attacks}.
|
||||
In this key exchange method, it is run in parallel with a conventional
|
||||
Curve25519-based method (one of those included in \q{ECDH}), in such
|
||||
a way that it should be no \e{less} secure than that commonly-used
|
||||
method, and hopefully also resistant to a new class of attacks.
|
||||
|
||||
\b \q{ECDH}: \i{elliptic curve} \i{Diffie-Hellman key exchange},
|
||||
\b \q{\i{ECDH}}: elliptic curve Diffie-Hellman key exchange,
|
||||
with a variety of standard curves and hash algorithms.
|
||||
|
||||
\b The original form of \q{Diffie-Hellman} key exchange, with a
|
||||
\b The original form of \i{Diffie-Hellman key exchange}, with a
|
||||
variety of well-known groups and hashes:
|
||||
|
||||
\lcont{
|
||||
|
||||
@ -39,6 +39,9 @@ the one PuTTY has cached for this server}, means that PuTTY has
|
||||
connected to the SSH server before, knows what its host key
|
||||
\e{should} be, but has found a different one.
|
||||
|
||||
(If the message instead talks about a \q{certified host key}, see
|
||||
instead \k{errors-cert-mismatch}.)
|
||||
|
||||
This may mean that a malicious attacker has replaced your server
|
||||
with a different one, or has redirected your network connection to
|
||||
their own machine. On the other hand, it may simply mean that the
|
||||
@ -60,7 +63,8 @@ If you've configured PuTTY to trust at least one
|
||||
\k{config-ssh-kex-cert}), then it will ask the SSH server to send it
|
||||
any available certified host keys. If the server sends back a
|
||||
certified key signed by a \e{different} certification authority, PuTTY
|
||||
will present this variant of the host key prompt.
|
||||
will present this variant of the host key prompt, preceded by
|
||||
\q{WARNING - POTENTIAL SECURITY BREACH!}
|
||||
|
||||
One reason why this can happen is a deliberate attack. Just like an
|
||||
ordinary man-in-the-middle attack which substitutes a wrong host key,
|
||||
@ -74,16 +78,17 @@ configuration, or if your CA configuration involves two overlapping
|
||||
domains, or something similar.
|
||||
|
||||
So, unfortunately, you'll have to work out what to do about it
|
||||
yourself: install a new CA key (if you're really sure you trust it),
|
||||
or edit your configuration in some other way, or abandon the
|
||||
connection.
|
||||
yourself: make an exception for this specific case, or abandon this
|
||||
connection and install a new CA key before trying again (if you're
|
||||
really sure you trust the CA), or edit your configuration in some
|
||||
other way, or just stop trying to use this server.
|
||||
|
||||
If you're convinced that this particular server is legitimate even
|
||||
though the CA is not one you trust, PuTTY will let you cache the
|
||||
certified host key in the same way as an uncertified one. Then that
|
||||
particular certificate will be accepted on the next connection, even
|
||||
though other certificates signed by the same CA will still be
|
||||
rejected.
|
||||
certified host key, treating it in the same way as an uncertified one.
|
||||
Then that particular certificate will be accepted for future
|
||||
connections to this specific server, even though other certificates
|
||||
signed by the same CA will still be rejected.
|
||||
|
||||
\H{errors-ssh-protocol} \q{SSH protocol version 2 required by our
|
||||
configuration but remote only provides (old, insecure) SSH-1}
|
||||
|
||||
@ -80,10 +80,10 @@ PuTTY \I{host key cache}records the host key for each server you
|
||||
connect to, in the Windows \i{Registry}. Every time you connect to a
|
||||
server, it checks that the host key presented by the server is the
|
||||
same host key as it was the last time you connected. If it is not,
|
||||
you will see a warning, and you will have the chance to abandon your
|
||||
connection before you type any private information (such as a
|
||||
password) into it. (See \k{errors-hostkey-wrong} for what that looks
|
||||
like.)
|
||||
you will see a stronger warning, and you will have the chance to
|
||||
abandon your connection before you type any private information (such
|
||||
as a password) into it. (See \k{errors-hostkey-wrong} for what that
|
||||
looks like.)
|
||||
|
||||
However, when you connect to a server you have not connected to
|
||||
before, PuTTY has no way of telling whether the host key is the
|
||||
|
||||
@ -688,6 +688,16 @@ saved sessions from
|
||||
\IM{group exchange} Diffie-Hellman group exchange
|
||||
\IM{group exchange} group exchange, Diffie-Hellman
|
||||
|
||||
\IM{ECDH} \q{ECDH} (elliptic-curve Diffie-Hellman)
|
||||
\IM{ECDH} elliptic-curve Diffie-Hellman key exchange
|
||||
\IM{ECDH} key exchange, elliptic-curve Diffie-Hellman
|
||||
\IM{ECDH} Diffie-Hellman key exchange, with elliptic curves
|
||||
|
||||
\IM{Streamlined NTRU Prime} Streamlined NTRU Prime
|
||||
\IM{Streamlined NTRU Prime} NTRU Prime
|
||||
|
||||
\IM{quantum attacks} quantum attacks, resistance to
|
||||
|
||||
\IM{repeat key exchange} repeat key exchange
|
||||
\IM{repeat key exchange} key exchange, repeat
|
||||
|
||||
|
||||
@ -3681,6 +3681,7 @@ SeatPromptResult gtk_seat_confirm_ssh_host_key(
|
||||
/* We have to manually wrap the public key, or else the GtkLabel
|
||||
* will resize itself to accommodate the longest word, which will
|
||||
* lead to a hilariously wide message box. */
|
||||
put_byte(moreinfo, ':');
|
||||
for (const char *p = item->text, *q = p + strlen(p); p < q ;) {
|
||||
size_t linelen = q-p;
|
||||
if (linelen > 72)
|
||||
@ -3689,6 +3690,7 @@ SeatPromptResult gtk_seat_confirm_ssh_host_key(
|
||||
put_data(moreinfo, p, linelen);
|
||||
p += linelen;
|
||||
}
|
||||
put_byte(moreinfo, '\n');
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user