+\cfg{winhelp-topic}{ssh.command}
+
+In SSH, you don't have to run a general shell session on the server.
+Instead, you can choose to run a single specific command (such as a
+mail user agent, for example). If you want to do this, enter the
+command in the \q{Remote command} box.
+
+\S{config-ssh-pty} \q{Don't allocate a pseudo-terminal}
+
+\cfg{winhelp-topic}{ssh.nopty}
+
+When connecting to a Unix system, most interactive shell sessions
+are run in a \e{pseudo-terminal}, which allows the Unix system to
+pretend it's talking to a real physical terminal device but allows
+the SSH server to catch all the data coming from that fake device
+and send it back to the client.
+
+Occasionally you might find you have a need to run a session \e{not}
+in a pseudo-terminal. In PuTTY, this is generally only useful for
+very specialist purposes; although in Plink (see \k{plink}) it is
+the usual way of working.
+
+\S{config-ssh-comp} \q{Enable compression}
+
+\cfg{winhelp-topic}{ssh.compress}
+
+This enables data compression in the SSH connection: data sent by
+the server is compressed before sending, and decompressed at the
+client end. Likewise, data sent by PuTTY to the server is compressed
+first and the server decompresses it at the other end. This can help
+make the most of a low-bandwidth connection.
+
+\S{config-ssh-prot} \q{Preferred SSH protocol version}
+
+\cfg{winhelp-topic}{ssh.protocol}
+
+This allows you to select whether you would like to use SSH protocol
+version 1 or version 2. \#{FIXME: say something about this elsewhere?}
+
+PuTTY will attempt to use protocol 1 if the server you connect to
+does not offer protocol 2, and vice versa.
+
+\S{config-ssh-macbug} \q{Imitate SSH 2 MAC bug}
+
+\cfg{winhelp-topic}{ssh.buggymac}
+
+This option \e{should} now be unnecessary. It existed in order to
+work around a bug in early versions (2.3.0 and below) of the SSH
+server software from \cw{ssh.com}. The symptom of this problem would
+be that PuTTY would die unexpectedly at the beginning of the
+session, saying \q{Incorrect MAC received on packet}.
+
+Current versions of PuTTY attempt to detect these faulty servers and
+enable the bug compatibility automatically, so you should never need
+to use this option any more.
+
+\S{config-ssh-encryption} Encryption algorithm selection
+
+\cfg{winhelp-topic}{ssh.ciphers}
+
+PuTTY supports a variety of different encryption algorithms, and
+allows you to choose which one you prefer to use. You can do this by
+dragging the algorithms up and down in the list box (or moving them
+using the Up and Down buttons) to specify a preference order. When
+you make an SSH connection, PuTTY will search down the list from the
+top until it finds an algorithm supported by the server, and then
+use that.
+
+If the algorithm PuTTY finds is below the \q{warn below here} line,
+you will see a warning box when you make the connection:
+
+\c The first cipher supported by the server
+\c is single-DES, which is below the configured
+\c warning threshold.
+\c Do you want to continue with this connection?
+
+This warns you that the first available encryption is not a very
+secure one. Typically you would put the \q{warn below here} line
+between the encryptions you consider secure and the ones you
+consider substandard. By default, PuTTY supplies a preference order
+intended to reflect a reasonable preference in terms of security and
+speed.
+
+Single-DES is not supported natively in the SSH 2 draft protocol
+standards. One or two server implementations do support it, by a
+non-standard name. PuTTY can use single-DES to interoperate with
+these servers if you enable the \q{Enable non-standard single-DES in
+SSH 2} option; by default this is disabled and PuTTY will stick to
+the standard.
+
+\H{config-ssh-auth} The Auth panel
+
+The Auth panel allows you to configure authentication options for
+SSH sessions.
+
+\S{config-ssh-tis} \q{Attempt TIS or CryptoCard authentication}
+
+\cfg{winhelp-topic}{ssh.auth.tis}
+
+TIS and CryptoCard authentication are simple challenge/response
+forms of authentication available in SSH protocol version 1 only.
+You might use them if you were using S/Key one-time passwords, for
+example, or if you had a physical security token that generated
+responses to authentication challenges.
+
+With this switch enabled, PuTTY will attempt these forms of
+authentication if the server is willing to try them. You will be
+presented with a challenge string (which will be different every
+time) and must supply the correct response in order to log in. If
+your server supports this, you should talk to your system
+administrator about precisely what form these challenges and
+responses take.
+
+\S{config-ssh-ki} \q{Attempt keyboard-interactive authentication}
+
+\cfg{winhelp-topic}{ssh.auth.ki}
+
+The SSH 2 equivalent of TIS authentication is called
+\q{keyboard-interactive}. It is a flexible authentication method
+using an arbitrary sequence of requests and responses; so it is not
+only useful for challenge/response mechanisms such as S/Key, but it
+can also be used for (for example) asking the user for a new
+password when the old one has expired.
+
+PuTTY leaves this option enabled by default, but supplies a switch
+to turn it off in case you should have trouble with it.
+
+\S{config-ssh-agentfwd} \q{Allow agent forwarding}
+
+\cfg{winhelp-topic}{ssh.auth.agentfwd}
+
+This option allows the SSH server to open forwarded connections back
+to your local copy of Pageant. If you are not running Pageant, this
+option will do nothing.
+
+See \k{pageant} for general information on Pageant, and
+\k{pageant-forward} for information on agent forwarding. Note that
+there is a security risk involved with enabling this option; see
+\k{pageant-security} for details.
+
+\S{config-ssh-changeuser} \q{Allow attempted changes of username in SSH2}
+
+\cfg{winhelp-topic}{ssh.auth.changeuser}
+
+In the SSH 1 protocol, it is impossible to change username after
+failing to authenticate. So if you mis-type your username at the
+PuTTY \q{login as:} prompt, you will not be able to change it except
+by restarting PuTTY.
+
+The SSH 2 protocol \e{does} allow changes of username, in principle,
+but does not make it mandatory for SSH 2 servers to accept them. In
+particular, OpenSSH does not accept a change of username; once you
+have sent one username, it will reject attempts to try to
+authenticate as another user. (Depending on the version of OpenSSH,
+it may quietly return failure for all login attempts, or it may send
+an error message.)
+
+For this reason, PuTTY will by default not prompt you for your
+username more than once, in case the server complains. If you know
+your server can cope with it, you can enable the \q{Allow attempted
+changes of username} option to modify PuTTY's behaviour.
+
+\S{config-ssh-privkey} \q{Private key file for authentication}
+
+\cfg{winhelp-topic}{ssh.auth.privkey}
+
+This box is where you enter the name of your private key file if you
+are using public key authentication. See \k{pubkey} for information
+about public key authentication in SSH.
+
+\H{config-ssh-tunnels} The Tunnels panel
+
+The Tunnels panel allows you to configure tunnelling of other
+connection types through an SSH connection.
+
+\S{config-ssh-x11} X11 forwarding
+
+\cfg{winhelp-topic}{ssh.tunnels.x11}
+
+If your server lets you run X Window System applications, X11
+forwarding allows you to securely give those applications access to
+a local X display on your PC.
+
+To enable X11 forwarding, check the \q{Enable X11 forwarding} box.
+If your X display is not the primary display on your local machine
+(which it almost certainly will be unless you have deliberately
+arranged otherwise), you need to enter its location in the \q{X
+display location} box.
+
+See \k{using-x-forwarding} for more information about X11
+forwarding.
+
+\S{config-ssh-portfwd} Port forwarding
+
+\cfg{winhelp-topic}{ssh.tunnels.portfwd}
+
+Port forwarding allows you to tunnel other types of network
+connection down an SSH session. See \k{using-port-forwarding} for a
+general discussion of port forwarding and how it works.
+
+The port forwarding section in the Tunnels panel shows a list of all
+the port forwardings that PuTTY will try to set up when it connects
+to the server. By default no port forwardings are set up, so this
+list is empty.
+
+To add a port forwarding:
+
+\b Set one of the \q{Local} or \q{Remote} radio buttons, depending
+on whether you want to forward a local port to a remote destination
+(\q{Local}) or forward a remote port to a local destination
+(\q{Remote}).
+
+\b Enter a source port number into the \q{Source port} box. For
+local forwardings, PuTTY will listen on this port of your PC. For
+remote forwardings, your SSH server will listen on this port of the
+remote machine. Note that most servers will not allow you to listen
+on port numbers less than 1024.
+
+\b Enter a hostname and port number separated by a colon, in the
+\q{Destination} box. Connections received on the source port will be
+directed to this destination. For example, to connect to a POP-3
+server, you might enter \c{popserver.example.com:110}.
+
+\b Click the \q{Add} button. Your forwarding details should appear
+in the list box.
+
+To remove a port forwarding, simply select its details in the list
+box, and click the \q{Remove} button.
+
+\S{config-ssh-portfwd-localhost} Controlling the visibility of
+forwarded ports
+
+\cfg{winhelp-topic}{ssh.tunnels.portfwd.localhost}
+
+The source port for a forwarded connection usually does not accept
+connections from any machine except the SSH client or server machine
+itself (for local and remote forwardings respectively). There are
+controls in the Tunnels panel to change this:
+
+\b The \q{Local ports accept connections from other hosts} option
+allows you to set up local-to-remote port forwardings in such a way
+that machines other than your client PC can connect to the forwarded
+port.
+
+\b The \q{Remote ports do the same} option does the same thing for
+remote-to-local port forwardings (so that machines other than the
+SSH server machine can connect to the forwarded port.) Note that
+this feature is only available in the SSH 2 protocol, and not all
+SSH 2 servers support it (OpenSSH 3.0 does not, for example).
+
+\H{config-file} Storing configuration in a file
+
+PuTTY does not currently support storing its configuration in a file
+instead of the Registry. However, you can work around this with a
+couple of batch files.
+
+You will need a file called (say) \c{PUTTY.BAT} which imports the
+contents of a file into the Registry, then runs PuTTY, exports the
+contents of the Registry back into the file, and deletes the
+Registry entries. This can all be done using the Regedit command
+line options, so it's all automatic. Here is what you need in
+\c{PUTTY.BAT}:
+
+\c @ECHO OFF
+\c regedit /s putty.reg
+\c regedit /s puttyrnd.reg
+\c start /w putty.exe
+\c regedit /e puttynew.reg HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
+\c copy puttynew.reg putty.reg
+\c del puttynew.reg
+\c regedit /s puttydel.reg
+
+This batch file needs two auxiliary files: \c{PUTTYRND.REG} which
+sets up an initial safe location for the \c{PUTTY.RND} random seed
+file, and \c{PUTTYDEL.REG} which destroys everything in the Registry
+once it's been successfully saved back to the file.