Differences

This shows you the differences between the selected revisions of the page.

2014-07-23: 5.5.3 Bug 1091 Occasional RSA public key authentication failure (martin)
2014-08-04: american spelling (martin)
Line 19: Line 19:
An ignore message (SSH_MSG_IGNORE) is a message in the SSH protocol which can be sent from the client to the server, or from the server to the client, at any time. Either side is required to ignore the message whenever it receives it. WinSCP uses ignore messages to hide the password packet in SSH-1, so that a listener cannot tell the length of the user's password; it also uses ignore messages for [[ui_login_connection#keepalives|connection keepalives]]. An ignore message (SSH_MSG_IGNORE) is a message in the SSH protocol which can be sent from the client to the server, or from the server to the client, at any time. Either side is required to ignore the message whenever it receives it. WinSCP uses ignore messages to hide the password packet in SSH-1, so that a listener cannot tell the length of the user's password; it also uses ignore messages for [[ui_login_connection#keepalives|connection keepalives]].
-If this bug is detected, WinSCP will stop using ignore messages. This means that keepalives will stop working, and WinSCP will have to fall back to a secondary defence against [[ui_login_bugs#refuses_all_ssh-1_password_camouflage|SSH-1 password-length eavesdropping]]. If this bug is enabled when talking to a correct server, the session will succeed, but keepalives will not work and the session might be more vulnerable to eavesdroppers than it could be. +If this bug is detected, WinSCP will stop using ignore messages. This means that keepalives will stop working, and WinSCP will have to fall back to a secondary defense against [[ui_login_bugs#refuses_all_ssh-1_password_camouflage|SSH-1 password-length eavesdropping]]. If this bug is enabled when talking to a correct server, the session will succeed, but keepalives will not work and the session might be more vulnerable to eavesdroppers than it could be.
This is an SSH-1-specific bug. No known SSH-2 server fails to deal with SSH-2 ignore messages. This is an SSH-1-specific bug. No known SSH-2 server fails to deal with SSH-2 ignore messages.
Line 40: Line 40:
===== Chokes on SSH-2 ignore messages ===== ===== Chokes on SSH-2 ignore messages =====
-An ignore message (''SSH_MSG_IGNORE'') is a message in the SSH protocol which can be sent from the client to the server, or from the server to the client, at any time. Either side is required to ignore the message whenever it receives it. WinSCP uses ignore messages in SSH-2 to confuse the encrypted data stream and make it harder to cryptanalyse. It also uses ignore messages for [[ui_login_connection#keepalives|connection keepalives]].+An ignore message (''SSH_MSG_IGNORE'') is a message in the SSH protocol which can be sent from the client to the server, or from the server to the client, at any time. Either side is required to ignore the message whenever it receives it. WinSCP uses ignore messages in SSH-2 to confuse the encrypted data stream and make it harder to cryptanalyze. It also uses ignore messages for [[ui_login_connection#keepalives|connection keepalives]].
If it believes the server to have this bug, WinSCP will stop using ignore messages. If this bug is enabled when talking to a correct server, the session will succeed, but keepalives will not work and the session might be less cryptographically secure than it could be. If it believes the server to have this bug, WinSCP will stop using ignore messages. If this bug is enabled when talking to a correct server, the session will succeed, but keepalives will not work and the session might be less cryptographically secure than it could be.
Line 47: Line 47:
WinSCP sometimes sends a special request to SSH servers in the middle of channel data, with the name ''winadj@putty.projects.tartarus.org''. The purpose of this request is to measure the round-trip time to the server, which WinSCP uses to tune its flow control. The server does not actually have to understand the message; it is expected to send back a ''SSH_MSG_CHANNEL_FAILURE'' message indicating that it didn't understand it. (All WinSCP needs for its timing calculations is some kind of response.) WinSCP sometimes sends a special request to SSH servers in the middle of channel data, with the name ''winadj@putty.projects.tartarus.org''. The purpose of this request is to measure the round-trip time to the server, which WinSCP uses to tune its flow control. The server does not actually have to understand the message; it is expected to send back a ''SSH_MSG_CHANNEL_FAILURE'' message indicating that it didn't understand it. (All WinSCP needs for its timing calculations is some kind of response.)
-It has been known for some SSH servers to get confused by this message in one way or another – because it has a long name, or because they can't cope with unrecognised request names even to the extent of sending back the correct failure response, or because they handle it sensibly but fill up the server's log file with pointless spam, or whatever. WinSCP therefore supports this bug-compatibility flag: if it believes the server has this bug, it will never send its ''winadj@putty.projects.tartarus.org'' request, and will make do without its timing data. +It has been known for some SSH servers to get confused by this message in one way or another – because it has a long name, or because they can't cope with unrecognized request names even to the extent of sending back the correct failure response, or because they handle it sensibly but fill up the server's log file with pointless spam, or whatever. WinSCP therefore supports this bug-compatibility flag: if it believes the server has this bug, it will never send its ''winadj@putty.projects.tartarus.org'' request, and will make do without its timing data.
&beta_feature &beta_feature

Last modified: by martin