Differences

This shows you the differences between the selected revisions of the page.

ui_login_ssh 2018-12-05 ui_login_ssh 2023-05-24 (current)
Line 1: Line 1:
-====== SSH Page (Advanced Site Settings dialog) ======+====== The SSH Page (Advanced Site Settings dialog) ======
The //SSH page// on the [[ui_login_advanced|Advanced Site Settings dialog]] allows you to configure options of [[ssh|SSH protocol]] and encryption. The //SSH page// on the [[ui_login_advanced|Advanced Site Settings dialog]] allows you to configure options of [[ssh|SSH protocol]] and encryption.
Line 15: Line 15:
===== [[protocol_options]] Protocol Options ===== ===== [[protocol_options]] Protocol Options =====
The //Enable compression// checkbox enables [[ssh#compression|data compression]] in the SSH connection: data sent by the server is compressed before sending, and decompressed at the client end. The //Enable compression// checkbox enables [[ssh#compression|data compression]] in the SSH connection: data sent by the server is compressed before sending, and decompressed at the client end.
- 
-The //%%SSH%% protocol version// selection allows you to select whether to use SSH protocol version 2 or the older version 1. 
- 
-You should normally leave this at the default of //2//. As well as having fewer features, the older SSH-1 protocol is no longer developed, has many known cryptographic weaknesses, and is generally not considered to be secure. WinSCP's protocol 1 implementation is provided mainly for compatibility, and is no longer being enhanced. 
- 
-If a server offers both versions, prefer //2//. If you have some server or piece of equipment that only talks SSH-1, select //1// here, and do not treat the resulting connection as secure. 
- 
-WinSCP will not automatically fall back to the other version of the protocol if the server turns out not to match your selection here; instead, it will put up an error message and abort the connection. This prevents an active attacker downgrading an intended SSH-2 connection to %%SSH-1%%. ((&puttydoccite)) 
===== [[encryption_options]] Encryption Options ===== ===== [[encryption_options]] Encryption Options =====
Line 29: Line 21:
WinSCP currently supports the following algorithms: WinSCP currently supports the following algorithms:
-  * //AES// (Rijndael) - 256, 192, or 128-bit SDCTR or CBC+  * //AES// (Rijndael) -- 256, 192, or 128-bit SDCTR or CBC, or 256 or 128-bit GCM
  * //ChaCha20-Poly1305//, a combined cipher and MAC   * //ChaCha20-Poly1305//, a combined cipher and MAC
-  * //Blowfish// - 256-bit SDCTR or 128-bit CBC  +  * //Blowfish// -- 256-bit SDCTR or 128-bit CBC  
-  * //Triple-DES// - 168-bit SDCTR or CBC  +  * //Triple-DES// -- 168-bit SDCTR or CBC  
-  * //Arcfour// (RC4) - 256 or 128-bit stream cipher +  * //Arcfour// (RC4) -- 256 or 128-bit stream cipher 
-  * //Single-%%DES%%// - 56-bit CBC (see below for %%SSH-2%%) +  * //Single-%%DES%%// -- 56-bit CBC (see below)
If the algorithm WinSCP finds is below the //warn below here// line, you will see a warning box when you make the connection: If the algorithm WinSCP finds is below the //warn below here// line, you will see a warning box when you make the connection:
Line 44: Line 36:
This warns you that the first available encryption is not a very secure one. Typically you would put the //warn below here// line between the encryptions you consider secure and the ones you consider substandard. By default, WinSCP supplies a preference order intended to reflect a reasonable preference in terms of security and speed. This warns you that the first available encryption is not a very secure one. Typically you would put the //warn below here// line between the encryptions you consider secure and the ones you consider substandard. By default, WinSCP supplies a preference order intended to reflect a reasonable preference in terms of security and speed.
-In SSH-2, the encryption algorithm is negotiated independently for each direction of the connection, although WinSCP does not support separate configuration of the preference orders. As a result you may get two warnings similar to the one above, possibly with different encryptions.+In SSH, the encryption algorithm is negotiated independently for each direction of the connection, although WinSCP does not support separate configuration of the preference orders. As a result you may get two warnings similar to the one above, possibly with different encryptions.
-Single-DES is not recommended in the %%SSH-2%% protocol standards, but one or two server implementations do support it. WinSCP can use single-%%DES%% to interoperate with these servers if you enable the //Enable legacy use of single-%%DES%% in %%SSH-2%%// option; by default this is disabled and WinSCP will stick to recommended ciphers.·((&puttydoccite))+Single-DES is not recommended in the %%SSH%% protocol standards, but one or two server implementations do support it. WinSCP can use single-%%DES%% to interoperate with these servers if you enable the //Enable legacy use of single-%%DES%%// option; by default this is disabled and WinSCP will stick to recommended ciphers.((&puttydoccite))
You can see actually used encryption algorithm on [[ui_fsinfo|Server and Protocol Information Dialog]]. You can see actually used encryption algorithm on [[ui_fsinfo|Server and Protocol Information Dialog]].

Last modified: by martin