nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-03-22 14:39:24 -05:00
Code Issues Projects Releases Wiki Activity

Move cipher settings into their own config panel.

Browse Source 
This makes room in the main SSH panel for new options about connection
sharing, which I'm shortly going to add.

[originally from svn r10063]
This commit is contained in:
Simon Tatham 2013-11-17 14:03:25 +00:00
parent 5ecb7d7f1d
commit a37d43069d
2 changed files with 72 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
config.c
View File

@ -2112,19 +2112,6 @@ void setup_config_box(struct controlbox *b, int midsession,
"2 only", 'y', I(3), NULL); "2 only", 'y', I(3), NULL);
} }
if (!midsession || protcfginfo != 1) {
s = ctrl_getset(b, "Connection/SSH", "encryption", "Encryption options");
c = ctrl_draglist(s, "Encryption cipher selection policy:", 's',
HELPCTX(ssh_ciphers),
cipherlist_handler, P(NULL));
c->listbox.height = 6;
ctrl_checkbox(s, "Enable legacy use of single-DES in SSH-2", 'i',
HELPCTX(ssh_ciphers),
conf_checkbox_handler,
I(CONF_ssh2_des_cbc));
}
/* /*
* The Connection/SSH/Kex panel. (Owing to repeat key * The Connection/SSH/Kex panel. (Owing to repeat key
* exchange, this is all meaningful in mid-session _if_ * exchange, this is all meaningful in mid-session _if_
@ -2158,6 +2145,26 @@ void setup_config_box(struct controlbox *b, int midsession,
HELPCTX(ssh_kex_repeat)); HELPCTX(ssh_kex_repeat));
} }
if (!midsession || protcfginfo != 1) {
/*
* The Connection/SSH/Cipher panel.
*/
ctrl_settitle(b, "Connection/SSH/Cipher",
"Options controlling SSH encryption");
s = ctrl_getset(b, "Connection/SSH/Cipher",
"encryption", "Encryption options");
c = ctrl_draglist(s, "Encryption cipher selection policy:", 's',
HELPCTX(ssh_ciphers),
cipherlist_handler, P(NULL));
c->listbox.height = 6;
ctrl_checkbox(s, "Enable legacy use of single-DES in SSH-2", 'i',
HELPCTX(ssh_ciphers),
conf_checkbox_handler,
I(CONF_ssh2_des_cbc));
}
if (!midsession) { if (!midsession) {
/* /*

103
doc/config.but
View File

@ -2274,57 +2274,6 @@ If you select \q{1 only} or \q{2 only} here, PuTTY will only connect
if the server you connect to offers the SSH protocol version you if the server you connect to offers the SSH protocol version you
have specified. have specified.
\S{config-ssh-encryption} \ii{Encryption} algorithm selection
\cfg{winhelp-topic}{ssh.ciphers}
PuTTY supports a variety of different \i{encryption algorithm}s, and
allows you to choose which one you prefer to use. You can do this by
dragging the algorithms up and down in the list box (or moving them
using the Up and Down buttons) to specify a preference order. When
you make an SSH connection, PuTTY will search down the list from the
top until it finds an algorithm supported by the server, and then
use that.
PuTTY currently supports the following algorithms:
\b \i{AES} (Rijndael) - 256, 192, or 128-bit SDCTR or CBC (SSH-2 only)
\b \i{Arcfour} (RC4) - 256 or 128-bit stream cipher (SSH-2 only)
\b \i{Blowfish} - 256-bit SDCTR (SSH-2 only) or 128-bit CBC
\b \ii{Triple-DES} - 168-bit SDCTR (SSH-2 only) or CBC
\b \ii{Single-DES} - 56-bit CBC (see below for SSH-2)
If the algorithm PuTTY finds is below the \q{warn below here} line,
you will see a warning box when you make the connection:
\c The first cipher supported by the server
\c is single-DES, which is below the configured
\c warning threshold.
\c Do you want to continue with this connection?
This warns you that the first available encryption is not a very
secure one. Typically you would put the \q{warn below here} line
between the encryptions you consider secure and the ones you
consider substandard. By default, PuTTY supplies a preference order
intended to reflect a reasonable preference in terms of security and
speed.
In SSH-2, the encryption algorithm is negotiated independently for
each direction of the connection, although PuTTY does not support
separate configuration of the preference orders. As a result you may
get two warnings similar to the one above, possibly with different
encryptions.
Single-DES is not recommended in the SSH-2 protocol
standards, but one or two server implementations do support it.
PuTTY can use single-DES to interoperate with
these servers if you enable the \q{Enable legacy use of single-DES in
SSH-2} option; by default this is disabled and PuTTY will stick to
recommended ciphers.
\H{config-ssh-kex} The Kex panel \H{config-ssh-kex} The Kex panel
@ -2453,6 +2402,58 @@ when the SSH connection is idle, so they shouldn't cause the same
problems. The SSH-1 protocol, incidentally, has even weaker integrity problems. The SSH-1 protocol, incidentally, has even weaker integrity
protection than SSH-2 without rekeys. protection than SSH-2 without rekeys.
\H{config-ssh-encryption} The Cipher panel
\cfg{winhelp-topic}{ssh.ciphers}
PuTTY supports a variety of different \i{encryption algorithm}s, and
allows you to choose which one you prefer to use. You can do this by
dragging the algorithms up and down in the list box (or moving them
using the Up and Down buttons) to specify a preference order. When
you make an SSH connection, PuTTY will search down the list from the
top until it finds an algorithm supported by the server, and then
use that.
PuTTY currently supports the following algorithms:
\b \i{AES} (Rijndael) - 256, 192, or 128-bit SDCTR or CBC (SSH-2 only)
\b \i{Arcfour} (RC4) - 256 or 128-bit stream cipher (SSH-2 only)
\b \i{Blowfish} - 256-bit SDCTR (SSH-2 only) or 128-bit CBC
\b \ii{Triple-DES} - 168-bit SDCTR (SSH-2 only) or CBC
\b \ii{Single-DES} - 56-bit CBC (see below for SSH-2)
If the algorithm PuTTY finds is below the \q{warn below here} line,
you will see a warning box when you make the connection:
\c The first cipher supported by the server
\c is single-DES, which is below the configured
\c warning threshold.
\c Do you want to continue with this connection?
This warns you that the first available encryption is not a very
secure one. Typically you would put the \q{warn below here} line
between the encryptions you consider secure and the ones you
consider substandard. By default, PuTTY supplies a preference order
intended to reflect a reasonable preference in terms of security and
speed.
In SSH-2, the encryption algorithm is negotiated independently for
each direction of the connection, although PuTTY does not support
separate configuration of the preference orders. As a result you may
get two warnings similar to the one above, possibly with different
encryptions.
Single-DES is not recommended in the SSH-2 protocol
standards, but one or two server implementations do support it.
PuTTY can use single-DES to interoperate with
these servers if you enable the \q{Enable legacy use of single-DES in
SSH-2} option; by default this is disabled and PuTTY will stick to
recommended ciphers.
\H{config-ssh-auth} The Auth panel \H{config-ssh-auth} The Auth panel
The Auth panel allows you to configure \i{authentication} options for The Auth panel allows you to configure \i{authentication} options for