Differences

This shows you the differences between the selected revisions of the page.

ui_login_ssh 2021-12-06 ui_login_ssh 2023-05-24 (current)
Line 15: Line 15:
===== [[protocol_options]] Protocol Options ===== ===== [[protocol_options]] Protocol Options =====
The //Enable compression// checkbox enables [[ssh#compression|data compression]] in the SSH connection: data sent by the server is compressed before sending, and decompressed at the client end. The //Enable compression// checkbox enables [[ssh#compression|data compression]] in the SSH connection: data sent by the server is compressed before sending, and decompressed at the client end.
- 
-The //%%SSH%% protocol version// selection allows you to select whether to use SSH protocol version 2 or the older version 1. 
- 
-You should normally leave this at the default of //2//. As well as having fewer features, the older SSH-1 protocol is no longer developed, has many known cryptographic weaknesses, and is generally not considered to be secure. WinSCP's protocol 1 implementation is provided mainly for compatibility, and is no longer being enhanced. 
- 
-If a server offers both versions, prefer //2//. If you have some server or piece of equipment that only talks SSH-1, select //1// here, and do not treat the resulting connection as secure. 
- 
-WinSCP will not automatically fall back to the other version of the protocol if the server turns out not to match your selection here; instead, it will put up an error message and abort the connection. This prevents an active attacker downgrading an intended SSH-2 connection to %%SSH-1%%. ((&puttydoccite)) 
- 
-//The SSH-1 support has been removed in the latest beta version.// &beta 
===== [[encryption_options]] Encryption Options ===== ===== [[encryption_options]] Encryption Options =====
Line 31: Line 21:
WinSCP currently supports the following algorithms: WinSCP currently supports the following algorithms:
-  * //AES// (Rijndael) -- 256, 192, or 128-bit SDCTR or CBC+  * //AES// (Rijndael) -- 256, 192, or 128-bit SDCTR or CBC, or 256 or 128-bit GCM
  * //ChaCha20-Poly1305//, a combined cipher and MAC   * //ChaCha20-Poly1305//, a combined cipher and MAC
  * //Blowfish// -- 256-bit SDCTR or 128-bit CBC   * //Blowfish// -- 256-bit SDCTR or 128-bit CBC
  * //Triple-DES// -- 168-bit SDCTR or CBC   * //Triple-DES// -- 168-bit SDCTR or CBC
  * //Arcfour// (RC4) -- 256 or 128-bit stream cipher   * //Arcfour// (RC4) -- 256 or 128-bit stream cipher
-  * //Single-%%DES%%// -- 56-bit CBC (see below for %%SSH-2%%) +  * //Single-%%DES%%// -- 56-bit CBC (see below)
If the algorithm WinSCP finds is below the //warn below here// line, you will see a warning box when you make the connection: If the algorithm WinSCP finds is below the //warn below here// line, you will see a warning box when you make the connection:
Line 46: Line 36:
This warns you that the first available encryption is not a very secure one. Typically you would put the //warn below here// line between the encryptions you consider secure and the ones you consider substandard. By default, WinSCP supplies a preference order intended to reflect a reasonable preference in terms of security and speed. This warns you that the first available encryption is not a very secure one. Typically you would put the //warn below here// line between the encryptions you consider secure and the ones you consider substandard. By default, WinSCP supplies a preference order intended to reflect a reasonable preference in terms of security and speed.
-In SSH-2, the encryption algorithm is negotiated independently for each direction of the connection, although WinSCP does not support separate configuration of the preference orders. As a result you may get two warnings similar to the one above, possibly with different encryptions.+In SSH, the encryption algorithm is negotiated independently for each direction of the connection, although WinSCP does not support separate configuration of the preference orders. As a result you may get two warnings similar to the one above, possibly with different encryptions.
-Single-DES is not recommended in the %%SSH-2%% protocol standards, but one or two server implementations do support it. WinSCP can use single-%%DES%% to interoperate with these servers if you enable the //Enable legacy use of single-%%DES%%// option; by default this is disabled and WinSCP will stick to recommended ciphers.((&puttydoccite))+Single-DES is not recommended in the %%SSH%% protocol standards, but one or two server implementations do support it. WinSCP can use single-%%DES%% to interoperate with these servers if you enable the //Enable legacy use of single-%%DES%%// option; by default this is disabled and WinSCP will stick to recommended ciphers.((&puttydoccite))
You can see actually used encryption algorithm on [[ui_fsinfo|Server and Protocol Information Dialog]]. You can see actually used encryption algorithm on [[ui_fsinfo|Server and Protocol Information Dialog]].

Last modified: by martin