Differences

ssh 2015-02-19 ssh 2023-06-05 (current)
Line 6: Line 6:
The %%SSH%% employs a public key cryptography that uses [[ssh_keys|two keys pairs, for host and user]]. The %%SSH%% employs a public key cryptography that uses [[ssh_keys|two keys pairs, for host and user]].
-===== Authentication in SSH =====+===== [[authentication]] Authentication in SSH =====
SSH servers offer the client a selection of authentication SSH servers offer the client a selection of authentication
methods. The server advertises what it supports, and the client methods. The server advertises what it supports, and the client
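Review bot: the heading now reads `===== [[authentication]] Authentication in SSH =====`; in DokuWiki `[[...]]` is link syntax, so unless this wiki defines a macro that turns a leading bracketed token into a section anchor, this renders a link inside the heading that duplicates its own text. The same pattern is applied to the Verifying the Host Key and Compression headings later in this revision, so confirm the intent once and document the convention. Minor, in the unchanged context line: "employs a public key cryptography that uses two keys pairs" should read "uses public key cryptography with two key pairs".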
Line 14: Line 14:
the option to choose which methods can be used. In WinSCP, you can configure this on //[[ui_login_authentication|SSH > Authentication page]]// of Advanced Site Settings dialog. the option to choose which methods can be used. In WinSCP, you can configure this on //[[ui_login_authentication|SSH > Authentication page]]// of Advanced Site Settings dialog.
-The actual order of authentication methods is as follows: [[ui_login_authentication#gssapi|GSSAPI]] (SSH-2 only), [[public key]] (using [[ui_pageant|Pageant]]), public key (using [[ui_login_authentication|configured file]]), keyboard-interactive (%%SSH-2%% only), TIS or Cryptocard (SSH-1 only), password.+The actual order of authentication methods is as follows: [[ui_login_authentication#gssapi|GSSAPI]], [[public key]] (using [[ui_pageant|Pageant]]), public key (using [[ui_login_authentication|configured file]]), keyboard-interactive, password.
-===== Verifying the Host Key ===== +===== [[verifying_host_key]] Verifying the Host Key ===== 
-To prevent [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]], each SSH server has a unique identifying code, called a host key. These keys prevent a server from forging another server's key. If you connect to a server for the first time or if the server presets a different key then previously, WinSCP will prompt you to [[ssh_verifying_the_host_key|verify the key]].+To prevent [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]], each SSH server has a unique identifying code, called a host key. These keys prevent a server from forging another server's key. If you connect to a server for the first time or if the server presets a different key than previously, WinSCP will prompt you to [[ssh_verifying_the_host_key|verify the key]].
===== Encryption in SSH ===== ===== Encryption in SSH =====
-SSH clients and servers can use a number of encryption methods. In the older SSH-1 protocol, 3DES and DES are typically used. +SSH clients and servers can use a number of encryption methods.  
-SSH-2 adds support for additional encryption methods including AES and +Most widely used encryption methods in SSH are AES and 
-Blowfish. By default, Blowfish is used if supported by the server. While %%AES%% is+Blowfish. By default, %%AES%% is used if supported by the server. While %%AES%% is
considered to be highly secure, %%AES%% encryption requires substantial processor overhead. Blowfish is also considered considered to be highly secure, %%AES%% encryption requires substantial processor overhead. Blowfish is also considered
secure, but with less computational overhead, it's also theoretically secure, but with less computational overhead, it's also theoretically
easier to perform a brute-force attack. Depending on your security and easier to perform a brute-force attack. Depending on your security and
performance requirements, you may wish to configure WinSCP to prefer performance requirements, you may wish to configure WinSCP to prefer
-the %%AES%% algorithm. %%3DES%% and %%DES%% are used with %%SSH-1%% servers. %%DES%%+the %%Blowfish%% algorithm. %%3DES%% and %%DES%% are used with %%SSH-1%% servers. %%DES%%
is widely regarded as insecure, as the resources to perform an is widely regarded as insecure, as the resources to perform an
exhaustive brute-force attack have been well within the realm of exhaustive brute-force attack have been well within the realm of
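Review bot: the rewritten Encryption paragraph is internally inconsistent: it now states that AES is the default and "highly secure", keeps the sentence that Blowfish is "theoretically easier to brute-force", and then ends by telling readers they "may wish to configure WinSCP to prefer the Blowfish algorithm". Swapping AES for Blowfish in that closing sentence points users toward the option the paragraph itself calls weaker; the sentence should recommend keeping the AES default unless a measured performance problem on a specific host justifies a change. Two smaller points in the same hunk: the SSH-1 qualifiers and the TIS/Cryptocard entry were removed from the authentication order, yet "3DES and DES are used with SSH-1 servers" survives unchanged and should be dropped or marked as legacy; and the host key line still says the server "presets a different key" where "presents" is meant ("then previously" was corrected to "than previously", this one was missed).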
Line 33: Line 33:
===== SSH Protocols ===== ===== SSH Protocols =====
-Two major versions of the SSH protocol exist, SSH-2 and SSH-1. Most %%SSH%% servers nowadays allow modern and secure %%SSH-2%% only.+Two major versions of the SSH protocol exist, SSH-2 and SSH-1. Most %%SSH%% servers nowadays allow modern and secure %%SSH-2%% only, which is also WinSCP's default.
-WinSCP's default setting is to prefer %%SSH-2%% and negotiate down to %%SSH-1%%, if %%SSH-2%% is not available. If you want WinSCP not to allow deprecated and insecure %%SSH-1%% at all, you can configure this in [[ui_login_ssh|SSH preferences]]+===== [[compression]] Compression =====
- +
-===== Compression =====+
SSH supports data stream compression between the client SSH supports data stream compression between the client
and the server. On slow links, this may increase throughput, while in faster connections the added CPU overhead may actually result in and the server. On slow links, this may increase throughput, while in faster connections the added CPU overhead may actually result in
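Review bot: deleting "WinSCP's default setting is to prefer SSH-2 and negotiate down to SSH-1 ... you can configure this in [[ui_login_ssh|SSH preferences]]" removes the only statement of whether an SSH-1 fallback still exists and where it is disabled; the replacement "which is also WinSCP's default" says nothing about whether SSH-1 can still be negotiated. Either state plainly that SSH-1 is no longer offered, or keep the pointer to the SSH preferences page so readers can verify the setting themselves. The new `===== [[compression]] Compression =====` heading uses the same bracketed-anchor pattern as the other headings in this revision and should be checked together with them.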
Line 46: Line 44:
attacks more difficult and by providing less data for attacks more difficult and by providing less data for
cryptanalysis. cryptanalysis.
 +
 +===== Supported Algorithms =====
 +
 +See list of [[ssh_algorithms|supported SSH algorithms]].
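Review bot: the Encryption section earlier in this revision still hard-codes AES, Blowfish, 3DES and DES in prose, while this new section delegates the algorithm list to [[ssh_algorithms|supported SSH algorithms]]; have the Encryption section refer readers to that page as well, so that cipher guidance is maintained in one place and the two sections do not drift apart.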

Last modified: by martin