Differences
This shows you the differences between the selected revisions of the page.
ssh 2015-02-19 | ssh 2023-06-05 (current) | ||
Line 6: | Line 6: | ||
The %%SSH%% employs a public key cryptography that uses [[ssh_keys|two keys pairs, for host and user]]. | The %%SSH%% employs a public key cryptography that uses [[ssh_keys|two keys pairs, for host and user]]. | ||
- | ===== Authentication in SSH ===== | + | ===== [[authentication]] Authentication in SSH ===== |
SSH servers offer the client a selection of authentication | SSH servers offer the client a selection of authentication | ||
methods. The server advertises what it supports, and the client | methods. The server advertises what it supports, and the client | ||
Line 14: | Line 14: | ||
the option to choose which methods can be used. In WinSCP, you can configure this on //[[ui_login_authentication|SSH > Authentication page]]// of Advanced Site Settings dialog. | the option to choose which methods can be used. In WinSCP, you can configure this on //[[ui_login_authentication|SSH > Authentication page]]// of Advanced Site Settings dialog. | ||
- | The actual order of authentication methods is as follows: [[ui_login_authentication#gssapi|GSSAPI]] (SSH-2 only), [[public key]] (using [[ui_pageant|Pageant]]), public key (using [[ui_login_authentication|configured file]]), keyboard-interactive (%%SSH-2%% only), TIS or Cryptocard (SSH-1 only), password. | + | The actual order of authentication methods is as follows: [[ui_login_authentication#gssapi|GSSAPI]], [[public key]] (using [[ui_pageant|Pageant]]), public key (using [[ui_login_authentication|configured file]]), keyboard-interactive, password. |
- | ===== Verifying the Host Key ===== | + | ===== [[verifying_host_key]] Verifying the Host Key ===== |
- | To prevent [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]], each SSH server has a unique identifying code, called a host key. These keys prevent a server from forging another server's key. If you connect to a server for the first time or if the server presets a different key then previously, WinSCP will prompt you to [[ssh_verifying_the_host_key|verify the key]]. | + | To prevent [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]], each SSH server has a unique identifying code, called a host key. These keys prevent a server from forging another server's key. If you connect to a server for the first time or if the server presets a different key than previously, WinSCP will prompt you to [[ssh_verifying_the_host_key|verify the key]]. |
===== Encryption in SSH ===== | ===== Encryption in SSH ===== | ||
- | SSH clients and servers can use a number of encryption methods. In the older SSH-1 protocol, 3DES and DES are typically used. | + | SSH clients and servers can use a number of encryption methods. |
- | SSH-2 adds support for additional encryption methods including AES and | + | Most widely used encryption methods in SSH are AES and |
- | Blowfish. By default, Blowfish is used if supported by the server. While %%AES%% is | + | Blowfish. By default, %%AES%% is used if supported by the server. While %%AES%% is |
considered to be highly secure, %%AES%% encryption requires substantial processor overhead. Blowfish is also considered | considered to be highly secure, %%AES%% encryption requires substantial processor overhead. Blowfish is also considered | ||
secure, but with less computational overhead, it's also theoretically | secure, but with less computational overhead, it's also theoretically | ||
easier to perform a brute-force attack. Depending on your security and | easier to perform a brute-force attack. Depending on your security and | ||
performance requirements, you may wish to configure WinSCP to prefer | performance requirements, you may wish to configure WinSCP to prefer | ||
- | the %%AES%% algorithm. %%3DES%% and %%DES%% are used with %%SSH-1%% servers. %%DES%% | + | the %%Blowfish%% algorithm. %%3DES%% and %%DES%% are used with %%SSH-1%% servers. %%DES%% |
is widely regarded as insecure, as the resources to perform an | is widely regarded as insecure, as the resources to perform an | ||
exhaustive brute-force attack have been well within the realm of | exhaustive brute-force attack have been well within the realm of | ||
Line 33: | Line 33: | ||
===== SSH Protocols ===== | ===== SSH Protocols ===== | ||
- | Two major versions of the SSH protocol exist, SSH-2 and SSH-1. Most %%SSH%% servers nowadays allow modern and secure %%SSH-2%% only. | + | Two major versions of the SSH protocol exist, SSH-2 and SSH-1. Most %%SSH%% servers nowadays allow modern and secure %%SSH-2%% only, which is also WinSCP's default. |
- | WinSCP's default setting is to prefer %%SSH-2%% and negotiate down to %%SSH-1%%, if %%SSH-2%% is not available. If you want WinSCP not to allow deprecated and insecure %%SSH-1%% at all, you can configure this in [[ui_login_ssh|SSH preferences]]. | + | ===== [[compression]] Compression ===== |
- | + | ||
- | ===== Compression ===== | + | |
SSH supports data stream compression between the client | SSH supports data stream compression between the client | ||
and the server. On slow links, this may increase throughput, while in faster connections the added CPU overhead may actually result in | and the server. On slow links, this may increase throughput, while in faster connections the added CPU overhead may actually result in | ||
Line 46: | Line 44: | ||
attacks more difficult and by providing less data for | attacks more difficult and by providing less data for | ||
cryptanalysis. | cryptanalysis. | ||
+ | |||
+ | ===== Supported Algorithms ===== | ||
+ | |||
+ | See list of [[ssh_algorithms|supported SSH algorithms]]. |