mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-03-22 14:39:24 -05:00
Merge cosmetic and docs fixes from 'pre-0.78'.
commit
61b3cde507
3
config.c
@ -569,8 +569,7 @@ static void kexlist_handler(dlgcontrol *ctrl, dlgparam *dlg,
|
|||||||
{ "Diffie-Hellman group exchange", KEX_DHGEX },
|
{ "Diffie-Hellman group exchange", KEX_DHGEX },
|
||||||
{ "RSA-based key exchange", KEX_RSA },
|
{ "RSA-based key exchange", KEX_RSA },
|
||||||
{ "ECDH key exchange", KEX_ECDH },
|
{ "ECDH key exchange", KEX_ECDH },
|
||||||
{ "NTRU Prime / Curve25519 hybrid kex"
|
{ "NTRU Prime / Curve25519 hybrid kex", KEX_NTRU_HYBRID },
|
||||||
" (quantum-resistant)", KEX_NTRU_HYBRID },
|
|
||||||
{ "-- warn below here --", KEX_WARN }
|
{ "-- warn below here --", KEX_WARN }
|
||||||
};
|
};
|
||||||
|
|
||||||
|
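Review bot: the shortened label on the KEX_NTRU_HYBRID entry drops " (quantum-resistant)", which was the only cue in the list itself for why this method sits above "ECDH key exchange". If the suffix was removed to keep the list box narrow, a one-line comment above the entry saying so would stop it being re-added later; the documentation bullet on this method still carries the explanation.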
@ -2347,17 +2347,17 @@ cipher selection (see \k{config-ssh-encryption}).
|
|||||||
|
|
||||||
PuTTY currently supports the following key exchange methods:
|
PuTTY currently supports the following key exchange methods:
|
||||||
|
|
||||||
\b \q{NTRU Prime / Curve25519 hybrid}: NTRU Prime is a lattice-based
|
\b \q{NTRU Prime / Curve25519 hybrid}: \q{\i{Streamlined NTRU Prime}}
|
||||||
algorithm intended to resist quantum attacks. In this key exchange
|
is a lattice-based algorithm intended to resist \i{quantum attacks}.
|
||||||
method, it is run in parallel with a conventional Curve25519-based
|
In this key exchange method, it is run in parallel with a conventional
|
||||||
method (one of those included in \q{ECDH}), in such a way that it
|
Curve25519-based method (one of those included in \q{ECDH}), in such
|
||||||
should be no \e{less} secure than that commonly-used method, and
|
a way that it should be no \e{less} secure than that commonly-used
|
||||||
hopefully also resistant to a new class of attacks.
|
method, and hopefully also resistant to a new class of attacks.
|
||||||
|
|
||||||
\b \q{ECDH}: \i{elliptic curve} \i{Diffie-Hellman key exchange},
|
\b \q{\i{ECDH}}: elliptic curve Diffie-Hellman key exchange,
|
||||||
with a variety of standard curves and hash algorithms.
|
with a variety of standard curves and hash algorithms.
|
||||||
|
|
||||||
\b The original form of \q{Diffie-Hellman} key exchange, with a
|
\b The original form of \i{Diffie-Hellman key exchange}, with a
|
||||||
variety of well-known groups and hashes:
|
variety of well-known groups and hashes:
|
||||||
|
|
||||||
\lcont{
|
\lcont{
|
||||||
|
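Review bot: in the third bullet, replacing `\q{Diffie-Hellman}` with `\i{Diffie-Hellman key exchange}` removes the quoting that tied the bullet to a name shown in the UI, while the first two bullets keep `\q{...}` around theirs. Consider keeping the quoted form and adding the index tag inside it, as the ECDH bullet now does with `\q{\i{ECDH}}`, so the three bullets read consistently.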
@ -39,6 +39,9 @@ the one PuTTY has cached for this server}, means that PuTTY has
|
|||||||
connected to the SSH server before, knows what its host key
|
connected to the SSH server before, knows what its host key
|
||||||
\e{should} be, but has found a different one.
|
\e{should} be, but has found a different one.
|
||||||
|
|
||||||
|
(If the message instead talks about a \q{certified host key}, see
|
||||||
|
instead \k{errors-cert-mismatch}.)
|
||||||
|
|
||||||
This may mean that a malicious attacker has replaced your server
|
This may mean that a malicious attacker has replaced your server
|
||||||
with a different one, or has redirected your network connection to
|
with a different one, or has redirected your network connection to
|
||||||
their own machine. On the other hand, it may simply mean that the
|
their own machine. On the other hand, it may simply mean that the
|
||||||
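Review bot: the added parenthetical uses "instead" twice in one sentence ("If the message instead talks about ... see instead \k{errors-cert-mismatch}"). Dropping the second one reads more cleanly: "(If the message instead talks about a \q{certified host key}, see \k{errors-cert-mismatch}.)"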
@ -60,7 +63,8 @@ If you've configured PuTTY to trust at least one
|
|||||||
\k{config-ssh-kex-cert}), then it will ask the SSH server to send it
|
\k{config-ssh-kex-cert}), then it will ask the SSH server to send it
|
||||||
any available certified host keys. If the server sends back a
|
any available certified host keys. If the server sends back a
|
||||||
certified key signed by a \e{different} certification authority, PuTTY
|
certified key signed by a \e{different} certification authority, PuTTY
|
||||||
will present this variant of the host key prompt.
|
will present this variant of the host key prompt, preceded by
|
||||||
|
\q{WARNING - POTENTIAL SECURITY BREACH!}
|
||||||
|
|
||||||
One reason why this can happen is a deliberate attack. Just like an
|
One reason why this can happen is a deliberate attack. Just like an
|
||||||
ordinary man-in-the-middle attack which substitutes a wrong host key,
|
ordinary man-in-the-middle attack which substitutes a wrong host key,
|
||||||
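Review bot: the sentence that used to end "will present this variant of the host key prompt." now ends at `\q{WARNING - POTENTIAL SECURITY BREACH!}` with no full stop before the paragraph break. Add one after the closing brace. Since the quoted banner is a literal copy of a UI string, it is also worth checking it character for character against the text the prompt displays, so the two do not drift apart.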
@ -74,16 +78,17 @@ configuration, or if your CA configuration involves two overlapping
|
|||||||
domains, or something similar.
|
domains, or something similar.
|
||||||
|
|
||||||
So, unfortunately, you'll have to work out what to do about it
|
So, unfortunately, you'll have to work out what to do about it
|
||||||
yourself: install a new CA key (if you're really sure you trust it),
|
yourself: make an exception for this specific case, or abandon this
|
||||||
or edit your configuration in some other way, or abandon the
|
connection and install a new CA key before trying again (if you're
|
||||||
connection.
|
really sure you trust the CA), or edit your configuration in some
|
||||||
|
other way, or just stop trying to use this server.
|
||||||
|
|
||||||
If you're convinced that this particular server is legitimate even
|
If you're convinced that this particular server is legitimate even
|
||||||
though the CA is not one you trust, PuTTY will let you cache the
|
though the CA is not one you trust, PuTTY will let you cache the
|
||||||
certified host key in the same way as an uncertified one. Then that
|
certified host key, treating it in the same way as an uncertified one.
|
||||||
particular certificate will be accepted on the next connection, even
|
Then that particular certificate will be accepted for future
|
||||||
though other certificates signed by the same CA will still be
|
connections to this specific server, even though other certificates
|
||||||
rejected.
|
signed by the same CA will still be rejected.
|
||||||
|
|
||||||
\H{errors-ssh-protocol} \q{SSH protocol version 2 required by our
|
\H{errors-ssh-protocol} \q{SSH protocol version 2 required by our
|
||||||
configuration but remote only provides (old, insecure) SSH-1}
|
configuration but remote only provides (old, insecure) SSH-1}
|
||||||
|
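Review bot: in the rewritten list of options, "make an exception for this specific case" now comes first and carries no qualifier, while "if you're really sure you trust the CA" applies only to installing a new CA key. For a prompt that the previous section says is headed POTENTIAL SECURITY BREACH, the exception path deserves the same caution; consider attaching a condition to it here (the following paragraph's "If you're convinced that this particular server is legitimate" could be referenced), or listing "abandon the connection" first.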
@ -80,10 +80,10 @@ PuTTY \I{host key cache}records the host key for each server you
|
|||||||
connect to, in the Windows \i{Registry}. Every time you connect to a
|
connect to, in the Windows \i{Registry}. Every time you connect to a
|
||||||
server, it checks that the host key presented by the server is the
|
server, it checks that the host key presented by the server is the
|
||||||
same host key as it was the last time you connected. If it is not,
|
same host key as it was the last time you connected. If it is not,
|
||||||
you will see a warning, and you will have the chance to abandon your
|
you will see a stronger warning, and you will have the chance to
|
||||||
connection before you type any private information (such as a
|
abandon your connection before you type any private information (such
|
||||||
password) into it. (See \k{errors-hostkey-wrong} for what that looks
|
as a password) into it. (See \k{errors-hostkey-wrong} for what that
|
||||||
like.)
|
looks like.)
|
||||||
|
|
||||||
However, when you connect to a server you have not connected to
|
However, when you connect to a server you have not connected to
|
||||||
before, PuTTY has no way of telling whether the host key is the
|
before, PuTTY has no way of telling whether the host key is the
|
||||||
|
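Review bot: "you will see a stronger warning" is a comparative with nothing yet to compare against, because the prompt for a host key that is not cached is only introduced in the next paragraph ("However, when you connect to a server you have not connected to before"). Either say what it is stronger than at this point, or keep "a warning" here and make the contrast in the following paragraph.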
@ -688,6 +688,16 @@ saved sessions from
|
|||||||
\IM{group exchange} Diffie-Hellman group exchange
|
\IM{group exchange} Diffie-Hellman group exchange
|
||||||
\IM{group exchange} group exchange, Diffie-Hellman
|
\IM{group exchange} group exchange, Diffie-Hellman
|
||||||
|
|
||||||
|
\IM{ECDH} \q{ECDH} (elliptic-curve Diffie-Hellman)
|
||||||
|
\IM{ECDH} elliptic-curve Diffie-Hellman key exchange
|
||||||
|
\IM{ECDH} key exchange, elliptic-curve Diffie-Hellman
|
||||||
|
\IM{ECDH} Diffie-Hellman key exchange, with elliptic curves
|
||||||
|
|
||||||
|
\IM{Streamlined NTRU Prime} Streamlined NTRU Prime
|
||||||
|
\IM{Streamlined NTRU Prime} NTRU Prime
|
||||||
|
|
||||||
|
\IM{quantum attacks} quantum attacks, resistance to
|
||||||
|
|
||||||
\IM{repeat key exchange} repeat key exchange
|
\IM{repeat key exchange} repeat key exchange
|
||||||
\IM{repeat key exchange} key exchange, repeat
|
\IM{repeat key exchange} key exchange, repeat
|
||||||
|
|
||||||
|
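Review bot: the new entries give ECDH four index forms and add Streamlined NTRU Prime and quantum attacks, but Curve25519, which appears in both the UI label and the first documentation bullet in this commit, gets no index entry and is not tagged with `\i{}` there. Consider adding an `\IM{Curve25519}` entry so readers looking up the hybrid method by either component can find it.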
@ -3681,6 +3681,7 @@ SeatPromptResult gtk_seat_confirm_ssh_host_key(
|
|||||||
/* We have to manually wrap the public key, or else the GtkLabel
|
/* We have to manually wrap the public key, or else the GtkLabel
|
||||||
* will resize itself to accommodate the longest word, which will
|
* will resize itself to accommodate the longest word, which will
|
||||||
* lead to a hilariously wide message box. */
|
* lead to a hilariously wide message box. */
|
||||||
|
put_byte(moreinfo, ':');
|
||||||
for (const char *p = item->text, *q = p + strlen(p); p < q ;) {
|
for (const char *p = item->text, *q = p + strlen(p); p < q ;) {
|
||||||
size_t linelen = q-p;
|
size_t linelen = q-p;
|
||||||
if (linelen > 72)
|
if (linelen > 72)
|
||||||
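Review bot: the new `put_byte(moreinfo, ':');` is inserted between the comment about manually wrapping the public key and the `for` loop that the comment describes, so the comment now appears to document the colon. Move the `put_byte` above the comment, or give it a short comment of its own stating what the colon terminates.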
@ -3689,6 +3690,7 @@ SeatPromptResult gtk_seat_confirm_ssh_host_key(
|
|||||||
put_data(moreinfo, p, linelen);
|
put_data(moreinfo, p, linelen);
|
||||||
p += linelen;
|
p += linelen;
|
||||||
}
|
}
|
||||||
|
put_byte(moreinfo, '\n');
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
|
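Review bot: the added `put_byte(moreinfo, '\n');` after the loop is only correct if the loop leaves the final wrapped chunk without a line terminator. The loop lines between `if (linelen > 72)` and `put_data(moreinfo, p, linelen);` are not part of either hunk, so please confirm that the per-chunk separator there is written before each chunk rather than after it; otherwise this produces a blank line at the end of the key.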