mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 17:38:00 +00:00
Move cipher settings into their own config panel.
This makes room in the main SSH panel for new options about connection sharing, which I'm shortly going to add. [originally from svn r10063]
parent 5ecb7d7f1d
commit a37d43069d
33
config.c
@ -2112,19 +2112,6 @@ void setup_config_box(struct controlbox *b, int midsession,
|
||||
"2 only", 'y', I(3), NULL);
|
||||
}
|
||||
|
||||
if (!midsession || protcfginfo != 1) {
|
||||
s = ctrl_getset(b, "Connection/SSH", "encryption", "Encryption options");
|
||||
c = ctrl_draglist(s, "Encryption cipher selection policy:", 's',
|
||||
HELPCTX(ssh_ciphers),
|
||||
cipherlist_handler, P(NULL));
|
||||
c->listbox.height = 6;
|
||||
|
||||
ctrl_checkbox(s, "Enable legacy use of single-DES in SSH-2", 'i',
|
||||
HELPCTX(ssh_ciphers),
|
||||
conf_checkbox_handler,
|
||||
I(CONF_ssh2_des_cbc));
|
||||
}
|
||||
|
||||
/*
|
||||
* The Connection/SSH/Kex panel. (Owing to repeat key
|
||||
* exchange, this is all meaningful in mid-session _if_
|
||||
@ -2158,6 +2145,26 @@ void setup_config_box(struct controlbox *b, int midsession,
|
||||
HELPCTX(ssh_kex_repeat));
|
||||
}
|
||||
|
||||
if (!midsession || protcfginfo != 1) {
|
||||
/*
|
||||
* The Connection/SSH/Cipher panel.
|
||||
*/
|
||||
ctrl_settitle(b, "Connection/SSH/Cipher",
|
||||
"Options controlling SSH encryption");
|
||||
|
||||
s = ctrl_getset(b, "Connection/SSH/Cipher",
|
||||
"encryption", "Encryption options");
|
||||
c = ctrl_draglist(s, "Encryption cipher selection policy:", 's',
|
||||
HELPCTX(ssh_ciphers),
|
||||
cipherlist_handler, P(NULL));
|
||||
c->listbox.height = 6;
|
||||
|
||||
ctrl_checkbox(s, "Enable legacy use of single-DES in SSH-2", 'i',
|
||||
HELPCTX(ssh_ciphers),
|
||||
conf_checkbox_handler,
|
||||
I(CONF_ssh2_des_cbc));
|
||||
}
|
||||
|
||||
if (!midsession) {
|
||||
|
||||
/*
|
||||
|
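Review bot: The comment on the new block, "The Connection/SSH/Cipher panel.", does not say why the panel is gated on "!midsession || protcfginfo != 1", whereas the Kex panel comment earlier in the function explains when its controls are meaningful mid-session ("Owing to repeat key exchange, ..."). Now that the cipher controls sit in their own panel, extend the comment to state which mid-session case the condition excludes and why changing the cipher preference order or the single-DES checkbox would have no effect there.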
103
doc/config.but
@ -2274,57 +2274,6 @@ If you select \q{1 only} or \q{2 only} here, PuTTY will only connect
|
||||
if the server you connect to offers the SSH protocol version you
|
||||
have specified.
|
||||
|
||||
\S{config-ssh-encryption} \ii{Encryption} algorithm selection
|
||||
|
||||
\cfg{winhelp-topic}{ssh.ciphers}
|
||||
|
||||
PuTTY supports a variety of different \i{encryption algorithm}s, and
|
||||
allows you to choose which one you prefer to use. You can do this by
|
||||
dragging the algorithms up and down in the list box (or moving them
|
||||
using the Up and Down buttons) to specify a preference order. When
|
||||
you make an SSH connection, PuTTY will search down the list from the
|
||||
top until it finds an algorithm supported by the server, and then
|
||||
use that.
|
||||
|
||||
PuTTY currently supports the following algorithms:
|
||||
|
||||
\b \i{AES} (Rijndael) - 256, 192, or 128-bit SDCTR or CBC (SSH-2 only)
|
||||
|
||||
\b \i{Arcfour} (RC4) - 256 or 128-bit stream cipher (SSH-2 only)
|
||||
|
||||
\b \i{Blowfish} - 256-bit SDCTR (SSH-2 only) or 128-bit CBC
|
||||
|
||||
\b \ii{Triple-DES} - 168-bit SDCTR (SSH-2 only) or CBC
|
||||
|
||||
\b \ii{Single-DES} - 56-bit CBC (see below for SSH-2)
|
||||
|
||||
If the algorithm PuTTY finds is below the \q{warn below here} line,
|
||||
you will see a warning box when you make the connection:
|
||||
|
||||
\c The first cipher supported by the server
|
||||
\c is single-DES, which is below the configured
|
||||
\c warning threshold.
|
||||
\c Do you want to continue with this connection?
|
||||
|
||||
This warns you that the first available encryption is not a very
|
||||
secure one. Typically you would put the \q{warn below here} line
|
||||
between the encryptions you consider secure and the ones you
|
||||
consider substandard. By default, PuTTY supplies a preference order
|
||||
intended to reflect a reasonable preference in terms of security and
|
||||
speed.
|
||||
|
||||
In SSH-2, the encryption algorithm is negotiated independently for
|
||||
each direction of the connection, although PuTTY does not support
|
||||
separate configuration of the preference orders. As a result you may
|
||||
get two warnings similar to the one above, possibly with different
|
||||
encryptions.
|
||||
|
||||
Single-DES is not recommended in the SSH-2 protocol
|
||||
standards, but one or two server implementations do support it.
|
||||
PuTTY can use single-DES to interoperate with
|
||||
these servers if you enable the \q{Enable legacy use of single-DES in
|
||||
SSH-2} option; by default this is disabled and PuTTY will stick to
|
||||
recommended ciphers.
|
||||
|
||||
\H{config-ssh-kex} The Kex panel
|
||||
|
||||
@ -2453,6 +2402,58 @@ when the SSH connection is idle, so they shouldn't cause the same
|
||||
problems. The SSH-1 protocol, incidentally, has even weaker integrity
|
||||
protection than SSH-2 without rekeys.
|
||||
|
||||
\H{config-ssh-encryption} The Cipher panel
|
||||
|
||||
\cfg{winhelp-topic}{ssh.ciphers}
|
||||
|
||||
PuTTY supports a variety of different \i{encryption algorithm}s, and
|
||||
allows you to choose which one you prefer to use. You can do this by
|
||||
dragging the algorithms up and down in the list box (or moving them
|
||||
using the Up and Down buttons) to specify a preference order. When
|
||||
you make an SSH connection, PuTTY will search down the list from the
|
||||
top until it finds an algorithm supported by the server, and then
|
||||
use that.
|
||||
|
||||
PuTTY currently supports the following algorithms:
|
||||
|
||||
\b \i{AES} (Rijndael) - 256, 192, or 128-bit SDCTR or CBC (SSH-2 only)
|
||||
|
||||
\b \i{Arcfour} (RC4) - 256 or 128-bit stream cipher (SSH-2 only)
|
||||
|
||||
\b \i{Blowfish} - 256-bit SDCTR (SSH-2 only) or 128-bit CBC
|
||||
|
||||
\b \ii{Triple-DES} - 168-bit SDCTR (SSH-2 only) or CBC
|
||||
|
||||
\b \ii{Single-DES} - 56-bit CBC (see below for SSH-2)
|
||||
|
||||
If the algorithm PuTTY finds is below the \q{warn below here} line,
|
||||
you will see a warning box when you make the connection:
|
||||
|
||||
\c The first cipher supported by the server
|
||||
\c is single-DES, which is below the configured
|
||||
\c warning threshold.
|
||||
\c Do you want to continue with this connection?
|
||||
|
||||
This warns you that the first available encryption is not a very
|
||||
secure one. Typically you would put the \q{warn below here} line
|
||||
between the encryptions you consider secure and the ones you
|
||||
consider substandard. By default, PuTTY supplies a preference order
|
||||
intended to reflect a reasonable preference in terms of security and
|
||||
speed.
|
||||
|
||||
In SSH-2, the encryption algorithm is negotiated independently for
|
||||
each direction of the connection, although PuTTY does not support
|
||||
separate configuration of the preference orders. As a result you may
|
||||
get two warnings similar to the one above, possibly with different
|
||||
encryptions.
|
||||
|
||||
Single-DES is not recommended in the SSH-2 protocol
|
||||
standards, but one or two server implementations do support it.
|
||||
PuTTY can use single-DES to interoperate with
|
||||
these servers if you enable the \q{Enable legacy use of single-DES in
|
||||
SSH-2} option; by default this is disabled and PuTTY will stick to
|
||||
recommended ciphers.
|
||||
|
||||
\H{config-ssh-auth} The Auth panel
|
||||
|
||||
The Auth panel allows you to configure \i{authentication} options for
|
||||
|
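Review bot: The new heading "\H{config-ssh-encryption} The Cipher panel" drops the \ii{Encryption} index tag that the old heading "\S{config-ssh-encryption} \ii{Encryption} algorithm selection" carried, so the section title no longer contributes that index entry. Consider adding an opening sentence in the style of the following section ("The Auth panel allows you to configure \i{authentication} options for ...") that carries the indexed term and introduces the panel; as it stands the promoted section goes straight from the \cfg{winhelp-topic} line into the text about algorithm selection, which was written as a subsection of the SSH panel.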