Differences
ui_login_ssh 2019-03-28 | ui_login_ssh 2023-05-24 (current) | ||
Line 1: | Line 1: | ||
- | ====== SSH Page (Advanced Site Settings dialog) ====== | + | ====== The SSH Page (Advanced Site Settings dialog) ====== |
The //SSH page// on the [[ui_login_advanced|Advanced Site Settings dialog]] allows you to configure options of [[ssh|SSH protocol]] and encryption. | The //SSH page// on the [[ui_login_advanced|Advanced Site Settings dialog]] allows you to configure options of [[ssh|SSH protocol]] and encryption. | ||
Line 15: | Line 15: | ||
===== [[protocol_options]] Protocol Options ===== | ===== [[protocol_options]] Protocol Options ===== | ||
The //Enable compression// checkbox enables [[ssh#compression|data compression]] in the SSH connection: data sent by the server is compressed before sending, and decompressed at the client end. | The //Enable compression// checkbox enables [[ssh#compression|data compression]] in the SSH connection: data sent by the server is compressed before sending, and decompressed at the client end. | ||
- | |||
- | The //%%SSH%% protocol version// selection allows you to select whether to use SSH protocol version 2 or the older version 1. | ||
- | |||
- | You should normally leave this at the default of //2//. As well as having fewer features, the older SSH-1 protocol is no longer developed, has many known cryptographic weaknesses, and is generally not considered to be secure. WinSCP's protocol 1 implementation is provided mainly for compatibility, and is no longer being enhanced. | ||
- | |||
- | If a server offers both versions, prefer //2//. If you have some server or piece of equipment that only talks SSH-1, select //1// here, and do not treat the resulting connection as secure. | ||
- | |||
- | WinSCP will not automatically fall back to the other version of the protocol if the server turns out not to match your selection here; instead, it will put up an error message and abort the connection. This prevents an active attacker downgrading an intended SSH-2 connection to %%SSH-1%%. ((&puttydoccite)) | ||
===== [[encryption_options]] Encryption Options ===== | ===== [[encryption_options]] Encryption Options ===== | ||
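Review bot: the removed protocol-version paragraphs also carried the page's only statement of the downgrade-protection property (WinSCP does not fall back to the other protocol version but aborts with an error), and the 2023 revision replaces them with nothing. If the selector was removed because only SSH-2 is now supported, one sentence saying so at this point would tell a reader with SSH-1-only equipment why the option is gone and that such a server can no longer be reached, instead of leaving them to search for a selector that no longer exists.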
Line 29: | Line 21: | ||
WinSCP currently supports the following algorithms: | WinSCP currently supports the following algorithms: | ||
- | * //AES// (Rijndael) -- 256, 192, or 128-bit SDCTR or CBC | + | * //AES// (Rijndael) -- 256, 192, or 128-bit SDCTR or CBC, or 256 or 128-bit GCM |
* //ChaCha20-Poly1305//, a combined cipher and MAC | * //ChaCha20-Poly1305//, a combined cipher and MAC | ||
* //Blowfish// -- 256-bit SDCTR or 128-bit CBC | * //Blowfish// -- 256-bit SDCTR or 128-bit CBC | ||
* //Triple-DES// -- 168-bit SDCTR or CBC | * //Triple-DES// -- 168-bit SDCTR or CBC | ||
* //Arcfour// (RC4) -- 256 or 128-bit stream cipher | * //Arcfour// (RC4) -- 256 or 128-bit stream cipher | ||
- | * //Single-%%DES%%// -- 56-bit CBC (see below for %%SSH-2%%) | + | * //Single-%%DES%%// -- 56-bit CBC (see below) |
If the algorithm WinSCP finds is below the //warn below here// line, you will see a warning box when you make the connection: | If the algorithm WinSCP finds is below the //warn below here// line, you will see a warning box when you make the connection: | ||
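Review bot: the new AES entry adds "256 or 128-bit GCM" next to SDCTR and CBC without marking GCM the way the ChaCha20-Poly1305 entry is marked ("a combined cipher and MAC"). GCM is likewise an authenticated mode that supplies its own integrity check, so the separately configured MAC does not apply when it is negotiated; for consistency, add the same "combined cipher and MAC" note to the GCM modes, for example "or 256 or 128-bit GCM (a combined cipher and MAC)".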
Line 44: | Line 36: | ||
This warns you that the first available encryption is not a very secure one. Typically you would put the //warn below here// line between the encryptions you consider secure and the ones you consider substandard. By default, WinSCP supplies a preference order intended to reflect a reasonable preference in terms of security and speed. | This warns you that the first available encryption is not a very secure one. Typically you would put the //warn below here// line between the encryptions you consider secure and the ones you consider substandard. By default, WinSCP supplies a preference order intended to reflect a reasonable preference in terms of security and speed. | ||
- | In SSH-2, the encryption algorithm is negotiated independently for each direction of the connection, although WinSCP does not support separate configuration of the preference orders. As a result you may get two warnings similar to the one above, possibly with different encryptions. | + | In SSH, the encryption algorithm is negotiated independently for each direction of the connection, although WinSCP does not support separate configuration of the preference orders. As a result you may get two warnings similar to the one above, possibly with different encryptions. |
- | Single-DES is not recommended in the %%SSH-2%% protocol standards, but one or two server implementations do support it. WinSCP can use single-%%DES%% to interoperate with these servers if you enable the //Enable legacy use of single-%%DES%% in %%SSH-2%%// option; by default this is disabled and WinSCP will stick to recommended ciphers.·((&puttydoccite)) | + | Single-DES is not recommended in the %%SSH%% protocol standards, but one or two server implementations do support it. WinSCP can use single-%%DES%% to interoperate with these servers if you enable the //Enable legacy use of single-%%DES%%// option; by default this is disabled and WinSCP will stick to recommended ciphers.((&puttydoccite)) |
You can see actually used encryption algorithm on [[ui_fsinfo|Server and Protocol Information Dialog]]. | You can see actually used encryption algorithm on [[ui_fsinfo|Server and Protocol Information Dialog]]. |
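The negotiation the page describes (one client preference list, each direction of the connection negotiated on its own, a warning whenever the negotiated cipher sits below the "warn below here" line, and single DES offered only when the legacy option is enabled), modelled as an added Python example. This is not WinSCP's or PuTTY's code; the client preference order and the server cipher lists are constructed for illustration, and the algorithm names are the usual SSH wire names.

```python
"""Added example, not WinSCP's or PuTTY's own code.

Models how an SSH client picks the encryption algorithm for each direction
of a connection and how a "warn below here" marker in its preference list
produces the warning described on the page.  The client preference order
and the server lists are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Marker inside the client preference list: anything listed after it is
# considered substandard and triggers a warning if it ends up being used.
WARN_BELOW_HERE = "-- warn below here --"

# Constructed client preference order, loosely following the page's list.
CLIENT_PREFERENCE = [
    "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
    "aes256-ctr",
    "aes128-ctr",
    WARN_BELOW_HERE,
    "3des-ctr",
    "blowfish-cbc",
    "arcfour256",
    "des-cbc",          # single DES: only offered when the legacy option is on
]


@dataclass(frozen=True)
class Choice:
    direction: str
    algorithm: str
    warn: bool          # True when the algorithm sits below the warn line


def effective_preferences(prefs: List[str], legacy_single_des: bool) -> List[str]:
    """Drop single DES from the offered list unless the legacy option is enabled."""
    return [p for p in prefs if legacy_single_des or p != "des-cbc"]


def negotiate_direction(direction: str, client_prefs: List[str],
                        server_list: List[str]) -> Choice:
    """RFC 4253 section 7.1: the algorithm used is the first entry in the
    client's list that the server also supports.  No common entry means the
    connection fails; there is no fallback outside the advertised lists."""
    below_line = False
    for name in client_prefs:
        if name == WARN_BELOW_HERE:
            below_line = True
            continue
        if name in server_list:
            return Choice(direction, name, below_line)
    raise ValueError(f"no mutually supported cipher for {direction}")


def negotiate(server_c2s: List[str], server_s2c: List[str],
              client_prefs: List[str] = CLIENT_PREFERENCE,
              legacy_single_des: bool = False) -> Tuple[Choice, Choice]:
    """Each direction is negotiated separately, but from one client list."""
    prefs = effective_preferences(client_prefs, legacy_single_des)
    return (negotiate_direction("client-to-server", prefs, server_c2s),
            negotiate_direction("server-to-client", prefs, server_s2c))


def warnings_for(choices: Tuple[Choice, Choice]) -> List[str]:
    """One warning per direction whose negotiated cipher is below the line."""
    return [f"{c.direction}: first server-supported cipher is {c.algorithm}, "
            "which is below the 'warn below here' line"
            for c in choices if c.warn]


if __name__ == "__main__":
    modern = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"]
    print(warnings_for(negotiate(modern, modern)))      # no warnings
    # Constructed legacy server advertising different weak ciphers per direction:
    legacy = negotiate(["3des-ctr", "des-cbc"], ["arcfour256", "des-cbc"])
    for w in warnings_for(legacy):
        print(w)                                        # two warnings, two ciphers
    try:
        negotiate(["des-cbc"], ["des-cbc"])
    except ValueError as e:
        print("single-DES-only server, legacy option off:", e)
    print(negotiate(["des-cbc"], ["des-cbc"], legacy_single_des=True))
```

The second server in the demo advertises a different substandard cipher in each direction, which is exactly the situation in which a client with one preference list shows two warnings naming different algorithms; the single-DES-only server shows the difference between refusing the connection outright and accepting it with a warning once the legacy option is switched on.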