X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/9711106bffb115afdc60e0ebd48251a094874596..b7f084e522d403c1a4d3b77b02733fac67833c4f:/doc/config.but diff --git a/doc/config.but b/doc/config.but index 327775d4..b08d6dde 100644 --- a/doc/config.but +++ b/doc/config.but @@ -2200,7 +2200,7 @@ separate configuration of the preference orders. As a result you may get two warnings similar to the one above, possibly with different encryptions. -Single-DES is not recommended in the SSH-2 draft protocol +Single-DES is not recommended in the SSH-2 protocol standards, but one or two server implementations do support it. PuTTY can use single-DES to interoperate with these servers if you enable the \q{Enable legacy use of single-DES in @@ -2281,7 +2281,7 @@ These options control how often PuTTY will initiate a repeat key exchange (\q{rekey}). You can also force a key exchange at any time from the Special Commands menu (see \k{using-specials}). -\# FIXME: do we have any additions to the SSH-2 drafts' advice on +\# FIXME: do we have any additions to the SSH-2 specs' advice on these values? Do we want to enforce any limits? \b \q{Max minutes before rekey} specifies the amount of time that is @@ -2652,7 +2652,9 @@ on whether you want to \I{local port forwarding}forward a local port to a remote destination (\q{Local}) or \I{remote port forwarding}forward a remote port to a local destination (\q{Remote}). Alternatively, select \q{Dynamic} if you want PuTTY to \I{dynamic port forwarding}provide -a local SOCKS 4/4A/5 proxy on a local port. +a local SOCKS 4/4A/5 proxy on a local port (note that this proxy only +supports TCP connections; the SSH protocol does not support forwarding +\i{UDP}). \b Enter a source \i{port number} into the \q{Source port} box. For local forwardings, PuTTY will listen on this port of your PC. For @@ -2787,10 +2789,11 @@ to try to guess whether or not the server has the bug. An ignore message (SSH_MSG_IGNORE) is a message in the SSH protocol which can be sent from the client to the server, or from the server to the client, at any time. Either side is required to ignore the -message whenever it receives it. PuTTY uses ignore messages to hide -the password packet in SSH-1, so that a listener cannot tell the -length of the user's password; it also uses ignore messages for -connection keepalives (see \k{config-keepalive}). +message whenever it receives it. PuTTY uses ignore messages to +\I{password camouflage}hide the password packet in SSH-1, so that +a listener cannot tell the length of the user's password; it also +uses ignore messages for connection \i{keepalives} (see +\k{config-keepalive}). If this bug is detected, PuTTY will stop using ignore messages. This means that keepalives will stop working, and PuTTY will have to fall @@ -2817,9 +2820,10 @@ camouflage. In this sense, for a server to refuse to accept a padded password packet is not really a bug, but it does make life inconvenient if the server can also not handle ignore messages. -If this \q{bug} is detected, PuTTY will have no choice but to send -the user's password with no form of camouflage, so that an -eavesdropping user will be easily able to find out the exact length +If this \q{bug} is detected, PuTTY will assume that neither ignore +messages nor padding are acceptable, and that it thus has no choice +but to send the user's password with no form of camouflage, so that +an eavesdropping user will be easily able to find out the exact length of the password. If this bug is enabled when talking to a correct server, the session will succeed, but will be more vulnerable to eavesdroppers than it could be. @@ -2882,7 +2886,7 @@ This is an SSH-2-specific bug. Versions below 3.3 of \i{OpenSSH} require SSH-2 RSA signatures to be padded with zero bytes to the same length as the RSA key modulus. -The SSH-2 draft specification says that an unpadded signature MUST be +The SSH-2 specification says that an unpadded signature MUST be accepted, so this is a bug. A typical symptom of this problem is that PuTTY mysteriously fails RSA authentication once in every few hundred attempts, and falls back to passwords.