+++ /dev/null
-.\" -*- nroff -*-
-.\"
-.\" $OpenBSD: RFC.nroff,v 1.2 2000/10/16 09:38:44 djm Exp $
-.\"
-.pl 10.0i
-.po 0
-.ll 7.2i
-.lt 7.2i
-.nr LL 7.2i
-.nr LT 7.2i
-.ds LF Ylonen
-.ds RF FORMFEED[Page %]
-.ds CF
-.ds LH Internet-Draft
-.ds RH 15 November 1995
-.ds CH SSH (Secure Shell) Remote Login Protocol
-.na
-.hy 0
-.in 0
-Network Working Group T. Ylonen
-Internet-Draft Helsinki University of Technology
-draft-ylonen-ssh-protocol-00.txt 15 November 1995
-Expires: 15 May 1996
-
-.in 3
-
-.ce
-The SSH (Secure Shell) Remote Login Protocol
-
-.ti 0
-Status of This Memo
-
-This document is an Internet-Draft. Internet-Drafts are working
-documents of the Internet Engineering Task Force (IETF), its areas,
-and its working groups. Note that other groups may also distribute
-working documents as Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six
-months and may be updated, replaced, or obsoleted by other docu-
-ments at any time. It is inappropriate to use Internet-Drafts as
-reference material or to cite them other than as ``work in pro-
-gress.''
-
-To learn the current status of any Internet-Draft, please check the
-``1id-abstracts.txt'' listing contained in the Internet- Drafts Shadow
-Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
-munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
-ftp.isi.edu (US West Coast).
-
-The distribution of this memo is unlimited.
-
-.ti 0
-Introduction
-
-SSH (Secure Shell) is a program to log into another computer over a
-network, to execute commands in a remote machine, and to move files
-from one machine to another. It provides strong authentication and
-secure communications over insecure networks. Its features include
-the following:
-.IP o
-Closes several security holes (e.g., IP, routing, and DNS spoofing).
-New authentication methods: .rhosts together with RSA [RSA] based host
-authentication, and pure RSA authentication.
-.IP o
-All communications are automatically and transparently encrypted.
-Encryption is also used to protect integrity.
-.IP o
-X11 connection forwarding provides secure X11 sessions.
-.IP o
-Arbitrary TCP/IP ports can be redirected over the encrypted channel
-in both directions.
-.IP o
-Client RSA-authenticates the server machine in the beginning of every
-connection to prevent trojan horses (by routing or DNS spoofing) and
-man-in-the-middle attacks, and the server RSA-authenticates the client
-machine before accepting .rhosts or /etc/hosts.equiv authentication
-(to prevent DNS, routing, or IP spoofing).
-.IP o
-An authentication agent, running in the user's local workstation or
-laptop, can be used to hold the user's RSA authentication keys.
-.RT
-
-The goal has been to make the software as easy to use as possible for
-ordinary users. The protocol has been designed to be as secure as
-possible while making it possible to create implementations that
-are easy to use and install. The sample implementation has a number
-of convenient features that are not described in this document as they
-are not relevant for the protocol.
-
-
-.ti 0
-Overview of the Protocol
-
-The software consists of a server program running on a server machine,
-and a client program running on a client machine (plus a few auxiliary
-programs). The machines are connected by an insecure IP [RFC0791]
-network (that can be monitored, tampered with, and spoofed by hostile
-parties).
-
-A connection is always initiated by the client side. The server
-listens on a specific port waiting for connections. Many clients may
-connect to the same server machine.
-
-The client and the server are connected via a TCP/IP [RFC0793] socket
-that is used for bidirectional communication. Other types of
-transport can be used but are currently not defined.
-
-When the client connects the server, the server accepts the connection
-and responds by sending back its version identification string. The
-client parses the server's identification, and sends its own
-identification. The purpose of the identification strings is to
-validate that the connection was to the correct port, declare the
-protocol version number used, and to declare the software version used
-on each side (for debugging purposes). The identification strings are
-human-readable. If either side fails to understand or support the
-other side's version, it closes the connection.
-
-After the protocol identification phase, both sides switch to a packet
-based binary protocol. The server starts by sending its host key
-(every host has an RSA key used to authenticate the host), server key
-(an RSA key regenerated every hour), and other information to the
-client. The client then generates a 256 bit session key, encrypts it
-using both RSA keys (see below for details), and sends the encrypted
-session key and selected cipher type to the server. Both sides then
-turn on encryption using the selected algorithm and key. The server
-sends an encrypted confirmation message to the client.
-
-The client then authenticates itself using any of a number of
-authentication methods. The currently supported authentication
-methods are .rhosts or /etc/hosts.equiv authentication (disabled by
-default), the same with RSA-based host authentication, RSA
-authentication, and password authentication.
-
-After successful authentication, the client makes a number of requests
-to prepare for the session. Typical requests include allocating a
-pseudo tty, starting X11 [X11] or TCP/IP port forwarding, starting
-authentication agent forwarding, and executing the shell or a command.
-
-When a shell or command is executed, the connection enters interactive
-session mode. In this mode, data is passed in both directions,
-new forwarded connections may be opened, etc. The interactive session
-normally terminates when the server sends the exit status of the
-program to the client.
-
-
-The protocol makes several reservations for future extensibility.
-First of all, the initial protocol identification messages include the
-protocol version number. Second, the first packet by both sides
-includes a protocol flags field, which can be used to agree on
-extensions in a compatible manner. Third, the authentication and
-session preparation phases work so that the client sends requests to
-the server, and the server responds with success or failure. If the
-client sends a request that the server does not support, the server
-simply returns failure for it. This permits compatible addition of
-new authentication methods and preparation operations. The
-interactive session phase, on the other hand, works asynchronously and
-does not permit the use of any extensions (because there is no easy
-and reliable way to signal rejection to the other side and problems
-would be hard to debug). Any compatible extensions to this phase must
-be agreed upon during any of the earlier phases.
-
-.ti 0
-The Binary Packet Protocol
-
-After the protocol identification strings, both sides only send
-specially formatted packets. The packet layout is as follows:
-.IP o
-Packet length: 32 bit unsigned integer, coded as four 8-bit bytes, msb
-first. Gives the length of the packet, not including the length field
-and padding. The maximum length of a packet (not including the length
-field and padding) is 262144 bytes.
-.IP o
-Padding: 1-8 bytes of random data (or zeroes if not encrypting). The
-amount of padding is (8 - (length % 8)) bytes (where % stands for the
-modulo operator). The rationale for always having some random padding
-at the beginning of each packet is to make known plaintext attacks
-more difficult.
-.IP o
-Packet type: 8-bit unsigned byte. The value 255 is reserved for
-future extension.
-.IP o
-Data: binary data bytes, depending on the packet type. The number of
-data bytes is the "length" field minus 5.
-.IP o
-Check bytes: 32-bit crc, four 8-bit bytes, msb first. The crc is the
-Cyclic Redundancy Check, with the polynomial 0xedb88320, of the
-Padding, Packet type, and Data fields. The crc is computed before
-any encryption.
-.RT
-
-The packet, except for the length field, may be encrypted using any of
-a number of algorithms. The length of the encrypted part (Padding +
-Type + Data + Check) is always a multiple of 8 bytes. Typically the
-cipher is used in a chained mode, with all packets chained together as
-if it was a single data stream (the length field is never included in
-the encryption process). Details of encryption are described below.
-
-When the session starts, encryption is turned off. Encryption is
-enabled after the client has sent the session key. The encryption
-algorithm to use is selected by the client.
-
-
-.ti 0
-Packet Compression
-
-If compression is supported (it is an optional feature, see
-SSH_CMSG_REQUEST_COMPRESSION below), the packet type and data fields
-of the packet are compressed using the gzip deflate algorithm [GZIP].
-If compression is in effect, the packet length field indicates the
-length of the compressed data, plus 4 for the crc. The amount of
-padding is computed from the compressed data, so that the amount of
-data to be encrypted becomes a multiple of 8 bytes.
-
-When compressing, the packets (type + data portions) in each direction
-are compressed as if they formed a continuous data stream, with only the
-current compression block flushed between packets. This corresponds
-to the GNU ZLIB library Z_PARTIAL_FLUSH option. The compression
-dictionary is not flushed between packets. The two directions are
-compressed independently of each other.
-
-
-.ti 0
-Packet Encryption
-
-The protocol supports several encryption methods. During session
-initialization, the server sends a bitmask of all encryption methods
-that it supports, and the client selects one of these methods. The
-client also generates a 256-bit random session key (32 8-bit bytes) and
-sends it to the server.
-
-The encryption methods supported by the current implementation, and
-their codes are:
-.TS
-center;
-l r l.
-SSH_CIPHER_NONE 0 No encryption
-SSH_CIPHER_IDEA 1 IDEA in CFB mode
-SSH_CIPHER_DES 2 DES in CBC mode
-SSH_CIPHER_3DES 3 Triple-DES in CBC mode
-SSH_CIPHER_TSS 4 An experimental stream cipher
-SSH_CIPHER_RC4 5 RC4
-.TE
-
-All implementations are required to support SSH_CIPHER_DES and
-SSH_CIPHER_3DES. Supporting SSH_CIPHER_IDEA, SSH_CIPHER_RC4, and
-SSH_CIPHER_NONE is recommended. Support for SSH_CIPHER_TSS is
-optional (and it is not described in this document). Other ciphers
-may be added at a later time; support for them is optional.
-
-For encryption, the encrypted portion of the packet is considered a
-linear byte stream. The length of the stream is always a multiple of
-8. The encrypted portions of consecutive packets (in the same
-direction) are encrypted as if they were a continuous buffer (that is,
-any initialization vectors are passed from the previous packet to the
-next packet). Data in each direction is encrypted independently.
-.IP SSH_CIPHER_DES
-The key is taken from the first 8 bytes of the session key. The least
-significant bit of each byte is ignored. This results in 56 bits of
-key data. DES [DES] is used in CBC mode. The iv (initialization vector) is
-initialized to all zeroes.
-.IP SSH_CIPHER_3DES
-The variant of triple-DES used here works as follows: there are three
-independent DES-CBC ciphers, with independent initialization vectors.
-The data (the whole encrypted data stream) is first encrypted with the
-first cipher, then decrypted with the second cipher, and finally
-encrypted with the third cipher. All these operations are performed
-in CBC mode.
-
-The key for the first cipher is taken from the first 8 bytes of the
-session key; the key for the next cipher from the next 8 bytes, and
-the key for the third cipher from the following 8 bytes. All three
-initialization vectors are initialized to zero.
-
-(Note: the variant of 3DES used here differs from some other
-descriptions.)
-.IP SSH_CIPHER_IDEA
-The key is taken from the first 16 bytes of the session key. IDEA
-[IDEA] is used in CFB mode. The initialization vector is initialized
-to all zeroes.
-.IP SSH_CIPHER_TSS
-All 32 bytes of the session key are used as the key.
-
-There is no reference available for the TSS algorithm; it is currently
-only documented in the sample implementation source code. The
-security of this cipher is unknown (but it is quite fast). The cipher
-is basically a stream cipher that uses MD5 as a random number
-generator and takes feedback from the data.
-.IP SSH_CIPHER_RC4
-The first 16 bytes of the session key are used as the key for the
-server to client direction. The remaining 16 bytes are used as the
-key for the client to server direction. This gives independent
-128-bit keys for each direction.
-
-This algorithm is the alleged RC4 cipher posted to the Usenet in 1995.
-It is widely believed to be equivalent with the original RSADSI RC4
-cipher. This is a very fast algorithm.
-.RT
-
-
-.ti 0
-Data Type Encodings
-
-The Data field of each packet contains data encoded as described in
-this section. There may be several data items; each item is coded as
-described here, and their representations are concatenated together
-(without any alignment or padding).
-
-Each data type is stored as follows:
-.IP "8-bit byte"
-The byte is stored directly as a single byte.
-.IP "32-bit unsigned integer"
-Stored in 4 bytes, msb first.
-.IP "Arbitrary length binary string"
-First 4 bytes are the length of the string, msb first (not including
-the length itself). The following "length" bytes are the string
-value. There are no terminating null characters.
-.IP "Multiple-precision integer"
-First 2 bytes are the number of bits in the integer, msb first (for
-example, the value 0x00012345 would have 17 bits). The value zero has
-zero bits. It is permissible that the number of bits be larger than the
-real number of bits.
-
-The number of bits is followed by (bits + 7) / 8 bytes of binary data,
-msb first, giving the value of the integer.
-.RT
-
-
-.ti 0
-TCP/IP Port Number and Other Options
-
-The server listens for connections on TCP/IP port 22.
-
-The client may connect the server from any port. However, if the
-client wishes to use any form of .rhosts or /etc/hosts.equiv
-authentication, it must connect from a privileged port (less than
-1024).
-
-For the IP Type of Service field [RFC0791], it is recommended that
-interactive sessions (those having a user terminal or forwarding X11
-connections) use the IPTOS_LOWDELAY, and non-interactive connections
-use IPTOS_THROUGHPUT.
-
-It is recommended that keepalives are used, because otherwise programs
-on the server may never notice if the other end of the connection is
-rebooted.
-
-
-.ti 0
-Protocol Version Identification
-
-After the socket is opened, the server sends an identification string,
-which is of the form
-"SSH-<protocolmajor>.<protocolminor>-<version>\\n", where
-<protocolmajor> and <protocolminor> are integers and specify the
-protocol version number (not software distribution version).
-<version> is server side software version string (max 40 characters);
-it is not interpreted by the remote side but may be useful for
-debugging.
-
-The client parses the server's string, and sends a corresponding
-string with its own information in response. If the server has lower
-version number, and the client contains special code to emulate it,
-the client responds with the lower number; otherwise it responds with
-its own number. The server then compares the version number the
-client sent with its own, and determines whether they can work
-together. The server either disconnects, or sends the first packet
-using the binary packet protocol and both sides start working
-according to the lower of the protocol versions.
-
-By convention, changes which keep the protocol compatible with
-previous versions keep the same major protocol version; changes that
-are not compatible increment the major version (which will hopefully
-never happen). The version described in this document is 1.3.
-
-The client will
-
-.ti 0
-Key Exchange and Server Host Authentication
-
-The first message sent by the server using the packet protocol is
-SSH_SMSG_PUBLIC_KEY. It declares the server's host key, server public
-key, supported ciphers, supported authentication methods, and flags
-for protocol extensions. It also contains a 64-bit random number
-(cookie) that must be returned in the client's reply (to make IP
-spoofing more difficult). No encryption is used for this message.
-
-Both sides compute a session id as follows. The modulus of the server
-key is interpreted as a byte string (without explicit length field,
-with minimum length able to hold the whole value), most significant
-byte first. This string is concatenated with the server host key
-interpreted the same way. Additionally, the cookie is concatenated
-with this. Both sides compute MD5 of the resulting string. The
-resulting 16 bytes (128 bits) are stored by both parties and are
-called the session id.
-
-The client responds with a SSH_CMSG_SESSION_KEY message, which
-contains the selected cipher type, a copy of the 64-bit cookie sent by
-the server, client's protocol flags, and a session key encrypted
-with both the server's host key and server key. No encryption is used
-for this message.
-
-The session key is 32 8-bit bytes (a total of 256 random bits
-generated by the client). The client first xors the 16 bytes of the
-session id with the first 16 bytes of the session key. The resulting
-string is then encrypted using the smaller key (one with smaller
-modulus), and the result is then encrypted using the other key. The
-number of bits in the public modulus of the two keys must differ by at
-least 128 bits.
-
-At each encryption step, a multiple-precision integer is constructed
-from the data to be encrypted as follows (the integer is here
-interpreted as a sequence of bytes, msb first; the number of bytes is
-the number of bytes needed to represent the modulus).
-
-The most significant byte (which is only partial as the value must be
-less than the public modulus, which is never a power of two) is zero.
-
-The next byte contains the value 2 (which stands for public-key
-encrypted data in the PKCS standard [PKCS#1]). Then, there are
-non-zero random bytes to fill any unused space, a zero byte, and the
-data to be encrypted in the least significant bytes, the last byte of
-the data in the least significant byte.
-
-This algorithm is used twice. First, it is used to encrypt the 32
-random bytes generated by the client to be used as the session key
-(xored by the session id). This value is converted to an integer as
-described above, and encrypted with RSA using the key with the smaller
-modulus. The resulting integer is converted to a byte stream, msb
-first. This byte stream is padded and encrypted identically using the
-key with the larger modulus.
-
-After the client has sent the session key, it starts to use the
-selected algorithm and key for decrypting any received packets, and
-for encrypting any sent packets. Separate ciphers are used for
-different directions (that is, both directions have separate
-initialization vectors or other state for the ciphers).
-
-When the server has received the session key message, and has turned
-on encryption, it sends a SSH_SMSG_SUCCESS message to the client.
-
-The recommended size of the host key is 1024 bits, and 768 bits for
-the server key. The minimum size is 512 bits for the smaller key.
-
-
-.ti 0
-Declaring the User Name
-
-The client then sends a SSH_CMSG_USER message to the server. This
-message specifies the user name to log in as.
-
-The server validates that such a user exists, checks whether
-authentication is needed, and responds with either SSH_SMSG_SUCCESS or
-SSH_SMSG_FAILURE. SSH_SMSG_SUCCESS indicates that no authentication
-is needed for this user (no password), and authentication phase has
-now been completed. SSH_SMSG_FAILURE indicates that authentication is
-needed (or the user does not exist).
-
-If the user does not exist, it is recommended that this returns
-failure, but the server keeps reading messages from the client, and
-responds to any messages (except SSH_MSG_DISCONNECT, SSH_MSG_IGNORE,
-and SSH_MSG_DEBUG) with SSH_SMSG_FAILURE. This way the client cannot
-be certain whether the user exists.
-
-
-.ti 0
-Authentication Phase
-
-Provided the server didn't immediately accept the login, an
-authentication exchange begins. The client sends messages to the
-server requesting different types of authentication in arbitrary order as
-many times as desired (however, the server may close the connection
-after a timeout). The server always responds with SSH_SMSG_SUCCESS if
-it has accepted the authentication, and with SSH_SMSG_FAILURE if it has
-denied authentication with the requested method or it does not
-recognize the message. Some authentication methods cause an exchange
-of further messages before the final result is sent. The
-authentication phase ends when the server responds with success.
-
-The recommended value for the authentication timeout (timeout before
-disconnecting if no successful authentication has been made) is 5
-minutes.
-
-The following authentication methods are currently supported:
-.TS
-center;
-l r l.
-SSH_AUTH_RHOSTS 1 .rhosts or /etc/hosts.equiv
-SSH_AUTH_RSA 2 pure RSA authentication
-SSH_AUTH_PASSWORD 3 password authentication
-SSH_AUTH_RHOSTS_RSA 4 .rhosts with RSA host authentication
-.TE
-.IP SSH_AUTH_RHOSTS
-
-This is the authentication method used by rlogin and rsh [RFC1282].
-
-The client sends SSH_CMSG_AUTH_RHOSTS with the client-side user name
-as an argument.
-
-The server checks whether to permit authentication. On UNIX systems,
-this is usually done by checking /etc/hosts.equiv, and .rhosts in the
-user's home directory. The connection must come from a privileged
-port.
-
-It is recommended that the server checks that there are no IP options
-(such as source routing) specified for the socket before accepting
-this type of authentication. The client host name should be
-reverse-mapped and then forward mapped to ensure that it has the
-proper IP-address.
-
-This authentication method trusts the remote host (root on the remote
-host can pretend to be any other user on that host), the name
-services, and partially the network: anyone who can see packets coming
-out from the server machine can do IP-spoofing and pretend to be any
-machine; however, the protocol prevents blind IP-spoofing (which used
-to be possible with rlogin).
-
-Many sites probably want to disable this authentication method because
-of the fundamental insecurity of conventional .rhosts or
-/etc/hosts.equiv authentication when faced with spoofing. It is
-recommended that this method not be supported by the server by
-default.
-.IP SSH_AUTH_RHOSTS_RSA
-
-In addition to conventional .rhosts and hosts.equiv authentication,
-this method additionally requires that the client host be
-authenticated using RSA.
-
-The client sends SSH_CMSG_AUTH_RHOSTS_RSA specifying the client-side
-user name, and the public host key of the client host.
-
-The server first checks if normal .rhosts or /etc/hosts.equiv
-authentication would be accepted, and if not, responds with
-SSH_SMSG_FAILURE. Otherwise, it checks whether it knows the host key
-for the client machine (using the same name for the host that was used
-for checking the .rhosts and /etc/hosts.equiv files). If it does not
-know the RSA key for the client, access is denied and SSH_SMSG_FAILURE
-is sent.
-
-If the server knows the host key of the client machine, it verifies
-that the given host key matches that known for the client. If not,
-access is denied and SSH_SMSG_FAILURE is sent.
-
-The server then sends a SSH_SMSG_AUTH_RSA_CHALLENGE message containing
-an encrypted challenge for the client. The challenge is 32 8-bit
-random bytes (256 bits). When encrypted, the highest (partial) byte
-is left as zero, the next byte contains the value 2, the following are
-non-zero random bytes, followed by a zero byte, and the challenge put
-in the remaining bytes. This is then encrypted using RSA with the
-client host's public key. (The padding and encryption algorithm is
-the same as that used for the session key.)
-
-The client decrypts the challenge using its private host key,
-concatenates this with the session id, and computes an MD5 checksum
-of the resulting 48 bytes. The MD5 output is returned as 16 bytes in
-a SSH_CMSG_AUTH_RSA_RESPONSE message. (MD5 is used to deter chosen
-plaintext attacks against RSA; the session id binds it to a specific
-session).
-
-The server verifies that the MD5 of the decrypted challenge returned by
-the client matches that of the original value, and sends SSH_SMSG_SUCCESS if
-so. Otherwise it sends SSH_SMSG_FAILURE and refuses the
-authentication attempt.
-
-This authentication method trusts the client side machine in that root
-on that machine can pretend to be any user on that machine.
-Additionally, it trusts the client host key. The name and/or IP
-address of the client host is only used to select the public host key.
-The same host name is used when scanning .rhosts or /etc/hosts.equiv
-and when selecting the host key. It would in principle be possible to
-eliminate the host name entirely and substitute it directly by the
-host key. IP and/or DNS [RFC1034] spoofing can only be used
-to pretend to be a host for which the attacker has the private host
-key.
-.IP SSH_AUTH_RSA
-
-The idea behind RSA authentication is that the server recognizes the
-public key offered by the client, generates a random challenge, and
-encrypts the challenge with the public key. The client must then
-prove that it has the corresponding private key by decrypting the
-challenge.
-
-The client sends SSH_CMSG_AUTH_RSA with public key modulus (n) as an
-argument.
-
-The server may respond immediately with SSH_SMSG_FAILURE if it does
-not permit authentication with this key. Otherwise it generates a
-challenge, encrypts it using the user's public key (stored on the
-server and identified using the modulus), and sends
-SSH_SMSG_AUTH_RSA_CHALLENGE with the challenge (mp-int) as an
-argument.
-
-The challenge is 32 8-bit random bytes (256 bits). When encrypted,
-the highest (partial) byte is left as zero, the next byte contains the
-value 2, the following are non-zero random bytes, followed by a zero
-byte, and the challenge put in the remaining bytes. This is then
-encrypted with the public key. (The padding and encryption algorithm
-is the same as that used for the session key.)
-
-The client decrypts the challenge using its private key, concatenates
-it with the session id, and computes an MD5 checksum of the resulting
-48 bytes. The MD5 output is returned as 16 bytes in a
-SSH_CMSG_AUTH_RSA_RESPONSE message. (Note that the MD5 is necessary
-to avoid chosen plaintext attacks against RSA; the session id binds it
-to a specific session.)
-
-The server verifies that the MD5 of the decrypted challenge returned
-by the client matches that of the original value, and sends
-SSH_SMSG_SUCCESS if so. Otherwise it sends SSH_SMSG_FAILURE and
-refuses the authentication attempt.
-
-This authentication method does not trust the remote host, the
-network, name services, or anything else. Authentication is based
-solely on the possession of the private identification keys. Anyone
-in possession of the private keys can log in, but nobody else.
-
-The server may have additional requirements for a successful
-authentiation. For example, to limit damage due to a compromised RSA
-key, a server might restrict access to a limited set of hosts.
-.IP SSH_AUTH_PASSWORD
-
-The client sends a SSH_CMSG_AUTH_PASSWORD message with the plain text
-password. (Note that even though the password is plain text inside
-the message, it is normally encrypted by the packet mechanism.)
-
-The server verifies the password, and sends SSH_SMSG_SUCCESS if
-authentication was accepted and SSH_SMSG_FAILURE otherwise.
-
-Note that the password is read from the user by the client; the user
-never interacts with a login program.
-
-This authentication method does not trust the remote host, the
-network, name services or anything else. Authentication is based
-solely on the possession of the password. Anyone in possession of the
-password can log in, but nobody else.
-.RT
-
-.ti 0
-Preparatory Operations
-
-After successful authentication, the server waits for a request from
-the client, processes the request, and responds with SSH_SMSG_SUCCESS
-whenever a request has been successfully processed. If it receives a
-message that it does not recognize or it fails to honor a request, it
-returns SSH_SMSG_FAILURE. It is expected that new message types might
-be added to this phase in future.
-
-The following messages are currently defined for this phase.
-.IP SSH_CMSG_REQUEST_COMPRESSION
-Requests that compression be enabled for this session. A
-gzip-compatible compression level (1-9) is passed as an argument.
-.IP SSH_CMSG_REQUEST_PTY
-Requests that a pseudo terminal device be allocated for this session.
-The user terminal type and terminal modes are supplied as arguments.
-.IP SSH_CMSG_X11_REQUEST_FORWARDING
-Requests forwarding of X11 connections from the remote machine to the
-local machine over the secure channel. Causes an internet-domain
-socket to be allocated and the DISPLAY variable to be set on the server.
-X11 authentication data is automatically passed to the server, and the
-client may implement spoofing of authentication data for added
-security. The authentication data is passed as arguments.
-.IP SSH_CMSG_PORT_FORWARD_REQUEST
-Requests forwarding of a TCP/IP port on the server host over the
-secure channel. What happens is that whenever a connection is made to
-the port on the server, a connection will be made from the client end
-to the specified host/port. Any user can forward unprivileged ports;
-only the root can forward privileged ports (as determined by
-authentication done earlier).
-.IP SSH_CMSG_AGENT_REQUEST_FORWARDING
-Requests forwarding of the connection to the authentication agent.
-.IP SSH_CMSG_EXEC_SHELL
-Starts a shell (command interpreter) for the user, and moves into
-interactive session mode.
-.IP SSH_CMSG_EXEC_CMD
-Executes the given command (actually "<shell> -c <command>" or
-equivalent) for the user, and moves into interactive session mode.
-.RT
-
-
-.ti 0
-Interactive Session and Exchange of Data
-
-During the interactive session, any data written by the shell or
-command running on the server machine is forwarded to stdin or
-stderr on the client machine, and any input available from stdin on
-the client machine is forwarded to the program on the server machine.
-
-All exchange is asynchronous; either side can send at any time, and
-there are no acknowledgements (TCP/IP already provides reliable
-transport, and the packet protocol protects against tampering or IP
-spoofing).
-
-When the client receives EOF from its standard input, it will send
-SSH_CMSG_EOF; however, this in no way terminates the exchange. The
-exchange terminates and interactive mode is left when the server sends
-SSH_SMSG_EXITSTATUS to indicate that the client program has
-terminated. Alternatively, either side may disconnect at any time by
-sending SSH_MSG_DISCONNECT or closing the connection.
-
-The server may send any of the following messages:
-.IP SSH_SMSG_STDOUT_DATA
-Data written to stdout by the program running on the server. The data
-is passed as a string argument. The client writes this data to
-stdout.
-.IP SSH_SMSG_STDERR_DATA
-Data written to stderr by the program running on the server. The data
-is passed as a string argument. The client writes this data to
-stderr. (Note that if the program is running on a tty, it is not
-possible to separate stdout and stderr data, and all data will be sent
-as stdout data.)
-.IP SSH_SMSG_EXITSTATUS
-Indicates that the shell or command has exited. Exit status is passed
-as an integer argument. This message causes termination of the
-interactive session.
-.IP SSH_SMSG_AGENT_OPEN
-Indicates that someone on the server side is requesting a connection
-to the authentication agent. The server-side channel number is passed
-as an argument. The client must respond with either
-SSH_CHANNEL_OPEN_CONFIRMATION or SSH_CHANNEL_OPEN_FAILURE.
-.IP SSH_SMSG_X11_OPEN
-Indicates that a connection has been made to the X11 socket on the
-server side and should be forwarded to the real X server. An integer
-argument indicates the channel number allocated for this connection on
-the server side. The client should send back either
-SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE with
-the same server side channel number.
-.IP SSH_MSG_PORT_OPEN
-Indicates that a connection has been made to a port on the server side
-for which forwarding has been requested. Arguments are server side
-channel number, host name to connect to, and port to connect to. The
-client should send back either
-SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE with
-the same server side channel number.
-.IP SSH_MSG_CHANNEL_OPEN_CONFIRMATION
-This is sent by the server to indicate that it has opened a connection
-as requested in a previous message. The first argument indicates the
-client side channel number, and the second argument is the channel number
-that the server has allocated for this connection.
-.IP SSH_MSG_CHANNEL_OPEN_FAILURE
-This is sent by the server to indicate that it failed to open a
-connection as requested in a previous message. The client-side
-channel number is passed as an argument. The client will close the
-descriptor associated with the channel and free the channel.
-.IP SSH_MSG_CHANNEL_DATA
-This packet contains data for a channel from the server. The first
-argument is the client-side channel number, and the second argument (a
-string) is the data.
-.IP SSH_MSG_CHANNEL_CLOSE
-This is sent by the server to indicate that whoever was in the other
-end of the channel has closed it. The argument is the client side channel
-number. The client will let all buffered data in the channel to
-drain, and when ready, will close the socket, free the channel, and
-send the server a SSH_MSG_CHANNEL_CLOSE_CONFIRMATION message for the
-channel.
-.IP SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
-This is send by the server to indicate that a channel previously
-closed by the client has now been closed on the server side as well.
-The argument indicates the client channel number. The client frees
-the channel.
-.RT
-
-The client may send any of the following messages:
-.IP SSH_CMSG_STDIN_DATA
-This is data to be sent as input to the program running on the server.
-The data is passed as a string.
-.IP SSH_CMSG_EOF
-Indicates that the client has encountered EOF while reading standard
-input. The server will allow any buffered input data to drain, and
-will then close the input to the program.
-.IP SSH_CMSG_WINDOW_SIZE
-Indicates that window size on the client has been changed. The server
-updates the window size of the tty and causes SIGWINCH to be sent to
-the program. The new window size is passed as four integer arguments:
-row, col, xpixel, ypixel.
-.IP SSH_MSG_PORT_OPEN
-Indicates that a connection has been made to a port on the client side
-for which forwarding has been requested. Arguments are client side
-channel number, host name to connect to, and port to connect to. The
-server should send back either SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
-SSH_MSG_CHANNEL_OPEN_FAILURE with the same client side channel number.
-.IP SSH_MSG_CHANNEL_OPEN_CONFIRMATION
-This is sent by the client to indicate that it has opened a connection
-as requested in a previous message. The first argument indicates the
-server side channel number, and the second argument is the channel
-number that the client has allocated for this connection.
-.IP SSH_MSG_CHANNEL_OPEN_FAILURE
-This is sent by the client to indicate that it failed to open a
-connection as requested in a previous message. The server side
-channel number is passed as an argument. The server will close the
-descriptor associated with the channel and free the channel.
-.IP SSH_MSG_CHANNEL_DATA
-This packet contains data for a channel from the client. The first
-argument is the server side channel number, and the second argument (a
-string) is the data.
-.IP SSH_MSG_CHANNEL_CLOSE
-This is sent by the client to indicate that whoever was in the other
-end of the channel has closed it. The argument is the server channel
-number. The server will allow buffered data to drain, and when ready,
-will close the socket, free the channel, and send the client a
-SSH_MSG_CHANNEL_CLOSE_CONFIRMATION message for the channel.
-.IP SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
-This is send by the client to indicate that a channel previously
-closed by the server has now been closed on the client side as well.
-The argument indicates the server channel number. The server frees
-the channel.
-.RT
-
-Any unsupported messages during interactive mode cause the connection
-to be terminated with SSH_MSG_DISCONNECT and an error message.
-Compatible protocol upgrades should agree about any extensions during
-the preparation phase or earlier.
-
-
-.ti 0
-Termination of the Connection
-
-Normal termination of the connection is always initiated by the server
-by sending SSH_SMSG_EXITSTATUS after the program has exited. The
-client responds to this message by sending SSH_CMSG_EXIT_CONFIRMATION
-and closes the socket; the server then closes the socket. There are
-two purposes for the confirmation: some systems may lose previously
-sent data when the socket is closed, and closing the client side first
-causes any TCP/IP TIME_WAIT [RFC0793] waits to occur on the client side, not
-consuming server resources.
-
-If the program terminates due to a signal, the server will send
-SSH_MSG_DISCONNECT with an appropriate message. If the connection is
-closed, all file descriptors to the program will be closed and the
-server will exit. If the program runs on a tty, the kernel sends it
-the SIGHUP signal when the pty master side is closed.
-
-.ti 0
-Protocol Flags
-
-Both the server and the client pass 32 bits of protocol flags to the
-other side. The flags are intended for compatible protocol extension;
-the server first announces which added capabilities it supports, and
-the client then sends the capabilities that it supports.
-
-The following flags are currently defined (the values are bit masks):
-.IP "1 SSH_PROTOFLAG_SCREEN_NUMBER"
-This flag can only be sent by the client. It indicates that the X11
-forwarding requests it sends will include the screen number.
-.IP "2 SSH_PROTOFLAG_HOST_IN_FWD_OPEN"
-If both sides specify this flag, SSH_SMSG_X11_OPEN and
-SSH_MSG_PORT_OPEN messages will contain an additional field containing
-a description of the host at the other end of the connection.
-.RT
-
-.ti 0
-Detailed Description of Packet Types and Formats
-
-The supported packet types and the corresponding message numbers are
-given in the following table. Messages with _MSG_ in their name may
-be sent by either side. Messages with _CMSG_ are only sent by the
-client, and messages with _SMSG_ only by the server.
-
-A packet may contain additional data after the arguments specified
-below. Any such data should be ignored by the receiver. However, it
-is recommended that no such data be stored without good reason. (This
-helps build compatible extensions.)
-.IP "0 SSH_MSG_NONE"
-This code is reserved. This message type is never sent.
-.IP "1 SSH_MSG_DISCONNECT"
-.TS
-;
-l l.
-string Cause of disconnection
-.TE
-This message may be sent by either party at any time. It causes the
-immediate disconnection of the connection. The message is intended to
-be displayed to a human, and describes the reason for disconnection.
-.IP "2 SSH_SMSG_PUBLIC_KEY"
-.TS
-;
-l l.
-8 bytes anti_spoofing_cookie
-32-bit int server_key_bits
-mp-int server_key_public_exponent
-mp-int server_key_public_modulus
-32-bit int host_key_bits
-mp-int host_key_public_exponent
-mp-int host_key_public_modulus
-32-bit int protocol_flags
-32-bit int supported_ciphers_mask
-32-bit int supported_authentications_mask
-.TE
-Sent as the first message by the server. This message gives the
-server's host key, server key, protocol flags (intended for compatible
-protocol extension), supported_ciphers_mask (which is the
-bitwise or of (1 << cipher_number), where << is the left shift
-operator, for all supported ciphers), and
-supported_authentications_mask (which is the bitwise or of (1 <<
-authentication_type) for all supported authentication types). The
-anti_spoofing_cookie is 64 random bytes, and must be sent back
-verbatim by the client in its reply. It is used to make IP-spoofing
-more difficult (encryption and host keys are the real defense against
-spoofing).
-.IP "3 SSH_CMSG_SESSION_KEY"
-.TS
-;
-l l.
-1 byte cipher_type (must be one of the supported values)
-8 bytes anti_spoofing_cookie (must match data sent by the server)
-mp-int double-encrypted session key
-32-bit int protocol_flags
-.TE
-Sent by the client as the first message in the session. Selects the
-cipher to use, and sends the encrypted session key to the server. The
-anti_spoofing_cookie must be the same bytes that were sent by the
-server. Protocol_flags is intended for negotiating compatible
-protocol extensions.
-.IP "4 SSH_CMSG_USER"
-.TS
-;
-l l.
-string user login name on server
-.TE
-Sent by the client to begin authentication. Specifies the user name
-on the server to log in as. The server responds with SSH_SMSG_SUCCESS
-if no authentication is needed for this user, or SSH_SMSG_FAILURE if
-authentication is needed (or the user does not exist). [Note to the
-implementator: the user name is of arbitrary size. The implementation
-must be careful not to overflow internal buffers.]
-.IP "5 SSH_CMSG_AUTH_RHOSTS"
-.TS
-;
-l l.
-string client-side user name
-.TE
-Requests authentication using /etc/hosts.equiv and .rhosts (or
-equivalent mechanisms). This authentication method is normally
-disabled in the server because it is not secure (but this is the
-method used by rsh and rlogin). The server responds with
-SSH_SMSG_SUCCESS if authentication was successful, and
-SSH_SMSG_FAILURE if access was not granted. The server should check
-that the client side port number is less than 1024 (a privileged
-port), and immediately reject authentication if it is not. Supporting
-this authentication method is optional. This method should normally
-not be enabled in the server because it is not safe. (However, not
-enabling this only helps if rlogind and rshd are disabled.)
-.IP "6 SSH_CMSG_AUTH_RSA"
-.TS
-;
-l l.
-mp-int identity_public_modulus
-.TE
-Requests authentication using pure RSA authentication. The server
-checks if the given key is permitted to log in, and if so, responds
-with SSH_SMSG_AUTH_RSA_CHALLENGE. Otherwise, it responds with
-SSH_SMSG_FAILURE. The client often tries several different keys in
-sequence until one supported by the server is found. Authentication
-is accepted if the client gives the correct response to the challenge.
-The server is free to add other criteria for authentication, such as a
-requirement that the connection must come from a certain host. Such
-additions are not visible at the protocol level. Supporting this
-authentication method is optional but recommended.
-.IP "7 SSH_SMSG_AUTH_RSA_CHALLENGE"
-.TS
-;
-l l.
-mp-int encrypted challenge
-.TE
-Presents an RSA authentication challenge to the client. The challenge
-is a 256-bit random value encrypted as described elsewhere in this
-document. The client must decrypt the challenge using the RSA private
-key, compute MD5 of the challenge plus session id, and send back the
-resulting 16 bytes using SSH_CMSG_AUTH_RSA_RESPONSE.
-.IP "8 SSH_CMSG_AUTH_RSA_RESPONSE"
-.TS
-;
-l l.
-16 bytes MD5 of decrypted challenge
-.TE
-This message is sent by the client in response to an RSA challenge.
-The MD5 checksum is returned instead of the decrypted challenge to
-deter known-plaintext attacks against the RSA key. The server
-responds to this message with either SSH_SMSG_SUCCESS or
-SSH_SMSG_FAILURE.
-.IP "9 SSH_CMSG_AUTH_PASSWORD"
-.TS
-;
-l l.
-string plain text password
-.TE
-Requests password authentication using the given password. Note that
-even though the password is plain text inside the packet, the whole
-packet is normally encrypted by the packet layer. It would not be
-possible for the client to perform password encryption/hashing,
-because it cannot know which kind of encryption/hashing, if any, the
-server uses. The server responds to this message with
-SSH_SMSG_SUCCESS or SSH_SMSG_FAILURE.
-.IP "10 SSH_CMSG_REQUEST_PTY"
-.TS
-;
-l l.
-string TERM environment variable value (e.g. vt100)
-32-bit int terminal height, rows (e.g., 24)
-32-bit int terminal width, columns (e.g., 80)
-32-bit int terminal width, pixels (0 if no graphics) (e.g., 480)
-32-bit int terminal height, pixels (0 if no graphics) (e.g., 640)
-n bytes tty modes encoded in binary
-.TE
-Requests a pseudo-terminal to be allocated for this command. This
-message can be used regardless of whether the session will later
-execute the shell or a command. If a pty has been requested with this
-message, the shell or command will run on a pty. Otherwise it will
-communicate with the server using pipes, sockets or some other similar
-mechanism.
-
-The terminal type gives the type of the user's terminal. In the UNIX
-environment it is passed to the shell or command in the TERM
-environment variable.
-
-The width and height values give the initial size of the user's
-terminal or window. All values can be zero if not supported by the
-operating system. The server will pass these values to the kernel if
-supported.
-
-Terminal modes are encoded into a byte stream in a portable format.
-The exact format is described later in this document.
-
-The server responds to the request with either SSH_SMSG_SUCCESS or
-SSH_SMSG_FAILURE. If the server does not have the concept of pseudo
-terminals, it should return success if it is possible to execute a
-shell or a command so that it looks to the client as if it was running
-on a pseudo terminal.
-.IP "11 SSH_CMSG_WINDOW_SIZE"
-.TS
-;
-l l.
-32-bit int terminal height, rows
-32-bit int terminal width, columns
-32-bit int terminal width, pixels
-32-bit int terminal height, pixels
-.TE
-This message can only be sent by the client during the interactive
-session. This indicates that the size of the user's window has
-changed, and provides the new size. The server will update the
-kernel's notion of the window size, and a SIGWINCH signal or
-equivalent will be sent to the shell or command (if supported by the
-operating system).
-.IP "12 SSH_CMSG_EXEC_SHELL"
-
-(no arguments)
-
-Starts a shell (command interpreter), and enters interactive session
-mode.
-.IP "13 SSH_CMSG_EXEC_CMD"
-.TS
-;
-l l.
-string command to execute
-.TE
-Starts executing the given command, and enters interactive session
-mode. On UNIX, the command is run as "<shell> -c <command>", where
-<shell> is the user's login shell.
-.IP "14 SSH_SMSG_SUCCESS"
-
-(no arguments)
-
-This message is sent by the server in response to the session key, a
-successful authentication request, and a successfully completed
-preparatory operation.
-.IP "15 SSH_SMSG_FAILURE"
-
-(no arguments)
-
-This message is sent by the server in response to a failed
-authentication operation to indicate that the user has not yet been
-successfully authenticated, and in response to a failed preparatory
-operation. This is also sent in response to an authentication or
-preparatory operation request that is not recognized or supported.
-.IP "16 SSH_CMSG_STDIN_DATA"
-.TS
-;
-l l.
-string data
-.TE
-Delivers data from the client to be supplied as input to the shell or
-program running on the server side. This message can only be used in
-the interactive session mode. No acknowledgement is sent for this
-message.
-.IP "17 SSH_SMSG_STDOUT_DATA"
-.TS
-;
-l l.
-string data
-.TE
-Delivers data from the server that was read from the standard output of
-the shell or program running on the server side. This message can
-only be used in the interactive session mode. No acknowledgement is
-sent for this message.
-.IP "18 SSH_SMSG_STDERR_DATA"
-.TS
-;
-l l.
-string data
-.TE
-Delivers data from the server that was read from the standard error of
-the shell or program running on the server side. This message can
-only be used in the interactive session mode. No acknowledgement is
-sent for this message.
-.IP "19 SSH_CMSG_EOF"
-
-(no arguments)
-
-This message is sent by the client to indicate that EOF has been
-reached on the input. Upon receiving this message, and after all
-buffered input data has been sent to the shell or program, the server
-will close the input file descriptor to the program. This message can
-only be used in the interactive session mode. No acknowledgement is
-sent for this message.
-.IP "20 SSH_SMSG_EXITSTATUS"
-.TS
-;
-l l.
-32-bit int exit status of the command
-.TE
-Returns the exit status of the shell or program after it has exited.
-The client should respond with SSH_CMSG_EXIT_CONFIRMATION when it has
-received this message. This will be the last message sent by the
-server. If the program being executed dies with a signal instead of
-exiting normally, the server should terminate the session with
-SSH_MSG_DISCONNECT (which can be used to pass a human-readable string
-indicating that the program died due to a signal) instead of using
-this message.
-.IP "21 SSH_MSG_CHANNEL_OPEN_CONFIRMATION"
-.TS
-;
-l l.
-32-bit int remote_channel
-32-bit int local_channel
-.TE
-This is sent in response to any channel open request if the channel
-has been successfully opened. Remote_channel is the channel number
-received in the initial open request; local_channel is the channel
-number the side sending this message has allocated for the channel.
-Data can be transmitted on the channel after this message.
-.IP "22 SSH_MSG_CHANNEL_OPEN_FAILURE"
-.TS
-;
-l l.
-32-bit int remote_channel
-.TE
-This message indicates that an earlier channel open request by the
-other side has failed or has been denied. Remote_channel is the
-channel number given in the original request.
-.IP "23 SSH_MSG_CHANNEL_DATA"
-.TS
-;
-l l.
-32-bit int remote_channel
-string data
-.TE
-Data is transmitted in a channel in these messages. A channel is
-bidirectional, and both sides can send these messages. There is no
-acknowledgement for these messages. It is possible that either side
-receives these messages after it has sent SSH_MSG_CHANNEL_CLOSE for
-the channel. These messages cannot be received after the party has
-sent or received SSH_MSG_CHANNEL_CLOSE_CONFIRMATION.
-.IP "24 SSH_MSG_CHANNEL_CLOSE"
-.TS
-;
-l l.
-32-bit int remote_channel
-.TE
-When a channel is closed at one end of the connection, that side sends
-this message. Upon receiving this message, the channel should be
-closed. When this message is received, if the channel is already
-closed (the receiving side has sent this message for the same channel
-earlier), the channel is freed and no further action is taken;
-otherwise the channel is freed and SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
-is sent in response. (It is possible that the channel is closed
-simultaneously at both ends.)
-.IP "25 SSH_MSG_CHANNEL_CLOSE_CONFIRMATION"
-.TS
-;
-l l.
-32-bit int remote_channel
-.TE
-This message is sent in response to SSH_MSG_CHANNEL_CLOSE unless the
-channel was already closed. When this message is sent or received,
-the channel is freed.
-.IP "26 (OBSOLETED; was unix-domain X11 forwarding)
-.IP "27 SSH_SMSG_X11_OPEN"
-.TS
-;
-l l.
-32-bit int local_channel
-string originator_string (see below)
-.TE
-This message can be sent by the server during the interactive session
-mode to indicate that a client has connected the fake X server.
-Local_channel is the channel number that the server has allocated for
-the connection. The client should try to open a connection to the
-real X server, and respond with SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
-SSH_MSG_CHANNEL_OPEN_FAILURE.
-
-The field originator_string is present if both sides
-specified SSH_PROTOFLAG_HOST_IN_FWD_OPEN in the protocol flags. It
-contains a description of the host originating the connection.
-.IP "28 SSH_CMSG_PORT_FORWARD_REQUEST"
-.TS
-;
-l l.
-32-bit int server_port
-string host_to_connect
-32-bit int port_to_connect
-.TE
-Sent by the client in the preparatory phase, this message requests
-that server_port on the server machine be forwarded over the secure
-channel to the client machine, and from there to the specified host
-and port. The server should start listening on the port, and send
-SSH_MSG_PORT_OPEN whenever a connection is made to it. Supporting
-this message is optional, and the server is free to reject any forward
-request. For example, it is highly recommended that unless the user
-has been authenticated as root, forwarding any privileged port numbers
-(below 1024) is denied.
-.IP "29 SSH_MSG_PORT_OPEN"
-.TS
-;
-l l.
-32-bit int local_channel
-string host_name
-32-bit int port
-string originator_string (see below)
-.TE
-Sent by either party in interactive session mode, this message
-indicates that a connection has been opened to a forwarded TCP/IP
-port. Local_channel is the channel number that the sending party has
-allocated for the connection. Host_name is the host the connection
-should be be forwarded to, and the port is the port on that host to
-connect. The receiving party should open the connection, and respond
-with SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
-SSH_MSG_CHANNEL_OPEN_FAILURE. It is recommended that the receiving
-side check the host_name and port for validity to avoid compromising
-local security by compromised remote side software. Particularly, it
-is recommended that the client permit connections only to those ports
-for which it has requested forwarding with SSH_CMSG_PORT_FORWARD_REQUEST.
-
-The field originator_string is present if both sides
-specified SSH_PROTOFLAG_HOST_IN_FWD_OPEN in the protocol flags. It
-contains a description of the host originating the connection.
-.IP "30 SSH_CMSG_AGENT_REQUEST_FORWARDING"
-
-(no arguments)
-
-Requests that the connection to the authentication agent be forwarded
-over the secure channel. The method used by clients to contact the
-authentication agent within each machine is implementation and machine
-dependent. If the server accepts this request, it should arrange that
-any clients run from this session will actually contact the server
-program when they try to contact the authentication agent. The server
-should then send a SSH_SMSG_AGENT_OPEN to open a channel to the agent,
-and the client should forward the connection to the real
-authentication agent. Supporting this message is optional.
-.IP "31 SSH_SMSG_AGENT_OPEN"
-.TS
-;
-l l.
-32-bit int local_channel
-.TE
-Sent by the server in interactive session mode, this message requests
-opening a channel to the authentication agent. The client should open
-a channel, and respond with either SSH_MSG_CHANNEL_OPEN_CONFIRMATION
-or SSH_MSG_CHANNEL_OPEN_FAILURE.
-.IP "32 SSH_MSG_IGNORE"
-.TS
-;
-l l.
-string data
-.TE
-Either party may send this message at any time. This message, and the
-argument string, is silently ignored. This message might be used in
-some implementations to make traffic analysis more difficult. This
-message is not currently sent by the implementation, but all
-implementations are required to recognize and ignore it.
-.IP "33 SSH_CMSG_EXIT_CONFIRMATION"
-
-(no arguments)
-
-Sent by the client in response to SSH_SMSG_EXITSTATUS. This is the
-last message sent by the client.
-.IP "34 SSH_CMSG_X11_REQUEST_FORWARDING"
-.TS
-;
-l l.
-string x11_authentication_protocol
-string x11_authentication_data
-32-bit int screen number (if SSH_PROTOFLAG_SCREEN_NUMBER)
-.TE
-Sent by the client during the preparatory phase, this message requests
-that the server create a fake X11 display and set the DISPLAY
-environment variable accordingly. An internet-domain display is
-preferable. The given authentication protocol and the associated data
-should be recorded by the server so that it is used as authentication
-on connections (e.g., in .Xauthority). The authentication protocol
-must be one of the supported X11 authentication protocols, e.g.,
-"MIT-MAGIC-COOKIE-1". Authentication data must be a lowercase hex
-string of even length. Its interpretation is protocol dependent.
-The data is in a format that can be used with e.g. the xauth program.
-Supporting this message is optional.
-
-The client is permitted (and recommended) to generate fake
-authentication information and send fake information to the server.
-This way, a corrupt server will not have access to the user's terminal
-after the connection has terminated. The correct authorization codes
-will also not be left hanging around in files on the server (many
-users keep the same X session for months, thus protecting the
-authorization data becomes important).
-
-X11 authentication spoofing works by initially sending fake (random)
-authentication data to the server, and interpreting the first packet
-sent by the X11 client after the connection has been opened. The
-first packet contains the client's authentication. If the packet
-contains the correct fake data, it is replaced by the client by the
-correct authentication data, and then sent to the X server.
-.IP "35 SSH_CMSG_AUTH_RHOSTS_RSA"
-.TS
-;
-l l.
-string clint-side user name
-32-bit int client_host_key_bits
-mp-int client_host_key_public_exponent
-mp-int client_host_key_public_modulus
-.TE
-Requests authentication using /etc/hosts.equiv and .rhosts (or
-equivalent) together with RSA host authentication. The server should
-check that the client side port number is less than 1024 (a privileged
-port), and immediately reject authentication if it is not. The server
-responds with SSH_SMSG_FAILURE or SSH_SMSG_AUTH_RSA_CHALLENGE. The
-client must respond to the challenge with the proper
-SSH_CMSG_AUTH_RSA_RESPONSE. The server then responds with success if
-access was granted, or failure if the client gave a wrong response.
-Supporting this authentication method is optional but recommended in
-most environments.
-.IP "36 SSH_MSG_DEBUG"
-.TS
-;
-l l.
-string debugging message sent to the other side
-.TE
-This message may be sent by either party at any time. It is used to
-send debugging messages that may be informative to the user in
-solving various problems. For example, if authentication fails
-because of some configuration error (e.g., incorrect permissions for
-some file), it can be very helpful for the user to make the cause of
-failure available. On the other hand, one should not make too much
-information available for security reasons. It is recommended that
-the client provides an option to display the debugging information
-sent by the sender (the user probably does not want to see it by default).
-The server can log debugging data sent by the client (if any). Either
-party is free to ignore any received debugging data. Every
-implementation must be able to receive this message, but no
-implementation is required to send these.
-.IP "37 SSH_CMSG_REQUEST_COMPRESSION"
-.TS
-;
-l l.
-32-bit int gzip compression level (1-9)
-.TE
-This message can be sent by the client in the preparatory operations
-phase. The server responds with SSH_SMSG_FAILURE if it does not
-support compression or does not want to compress; it responds with
-SSH_SMSG_SUCCESS if it accepted the compression request. In the
-latter case the response to this packet will still be uncompressed,
-but all further packets in either direction will be compressed by gzip.
-.RT
-
-
-.ti 0
-Encoding of Terminal Modes
-
-Terminal modes (as passed in SSH_CMSG_REQUEST_PTY) are encoded into a
-byte stream. It is intended that the coding be portable across
-different environments.
-
-The tty mode description is a stream of bytes. The stream consists of
-opcode-argument pairs. It is terminated by opcode TTY_OP_END (0).
-Opcodes 1-127 have one-byte arguments. Opcodes 128-159 have 32-bit
-integer arguments (stored msb first). Opcodes 160-255 are not yet
-defined, and cause parsing to stop (they should only be used after any
-other data).
-
-The client puts in the stream any modes it knows about, and the server
-ignores any modes it does not know about. This allows some degree of
-machine-independence, at least between systems that use a POSIX-like
-[POSIX] tty interface. The protocol can support other systems as
-well, but the client may need to fill reasonable values for a number
-of parameters so the server pty gets set to a reasonable mode (the
-server leaves all unspecified mode bits in their default values, and
-only some combinations make sense).
-
-The following opcodes have been defined. The naming of opcodes mostly
-follows the POSIX terminal mode flags.
-.IP "0 TTY_OP_END"
-Indicates end of options.
-.IP "1 VINTR"
-Interrupt character; 255 if none. Similarly for the other characters.
-Not all of these characters are supported on all systems.
-.IP "2 VQUIT"
-The quit character (sends SIGQUIT signal on UNIX systems).
-.IP "3 VERASE"
-Erase the character to left of the cursor.
-.IP "4 VKILL"
-Kill the current input line.
-.IP "5 VEOF "
-End-of-file character (sends EOF from the terminal).
-.IP "6 VEOL "
-End-of-line character in addition to carriage return and/or linefeed.
-.IP "7 VEOL2"
-Additional end-of-line character.
-.IP "8 VSTART"
-Continues paused output (normally ^Q).
-.IP "9 VSTOP"
-Pauses output (^S).
-.IP "10 VSUSP"
-Suspends the current program.
-.IP "11 VDSUSP"
-Another suspend character.
-.IP "12 VREPRINT"
-Reprints the current input line.
-.IP "13 VWERASE"
-Erases a word left of cursor.
-.IP "14 VLNEXT"
-More special input characters; these are probably not supported on
-most systems.
-.IP "15 VFLUSH"
-.IP "16 VSWTCH"
-.IP "17 VSTATUS"
-.IP "18 VDISCARD"
-
-.IP "30 IGNPAR"
-The ignore parity flag. The next byte should be 0 if this flag is not
-set, and 1 if it is set.
-.IP "31 PARMRK"
-More flags. The exact definitions can be found in the POSIX standard.
-.IP "32 INPCK"
-.IP "33 ISTRIP"
-.IP "34 INLCR"
-.IP "35 IGNCR"
-.IP "36 ICRNL"
-.IP "37 IUCLC"
-.IP "38 IXON"
-.IP "39 IXANY"
-.IP "40 IXOFF"
-.IP "41 IMAXBEL"
-
-.IP "50 ISIG"
-.IP "51 ICANON"
-.IP "52 XCASE"
-.IP "53 ECHO"
-.IP "54 ECHOE"
-.IP "55 ECHOK"
-.IP "56 ECHONL"
-.IP "57 NOFLSH"
-.IP "58 TOSTOP"
-.IP "59 IEXTEN"
-.IP "60 ECHOCTL"
-.IP "61 ECHOKE"
-.IP "62 PENDIN"
-
-.IP "70 OPOST"
-.IP "71 OLCUC"
-.IP "72 ONLCR"
-.IP "73 OCRNL"
-.IP "74 ONOCR"
-.IP "75 ONLRET"
-
-.IP "90 CS7"
-.IP "91 CS8"
-.IP "92 PARENB"
-.IP "93 PARODD"
-
-.IP "192 TTY_OP_ISPEED"
-Specifies the input baud rate in bits per second.
-.IP "193 TTY_OP_OSPEED"
-Specifies the output baud rate in bits per second.
-.RT
-
-
-.ti 0
-The Authentication Agent Protocol
-
-The authentication agent is a program that can be used to hold RSA
-authentication keys for the user (in future, it might hold data for
-other authentication types as well). An authorized program can send
-requests to the agent to generate a proper response to an RSA
-challenge. How the connection is made to the agent (or its
-representative) inside a host and how access control is done inside a
-host is implementation-dependent; however, how it is forwarded and how
-one interacts with it is specified in this protocol. The connection
-to the agent is normally automatically forwarded over the secure
-channel.
-
-A program that wishes to use the agent first opens a connection to its
-local representative (typically, the agent itself or an SSH server).
-It then writes a request to the connection, and waits for response.
-It is recommended that at least five minutes of timeout are provided
-waiting for the agent to respond to an authentication challenge (this
-gives sufficient time for the user to cut-and-paste the challenge to a
-separate machine, perform the computation there, and cut-and-paste the
-result back if so desired).
-
-Messages sent to and by the agent are in the following format:
-.TS
-;
-l l.
-4 bytes Length, msb first. Does not include length itself.
-1 byte Packet type. The value 255 is reserved for future extensions.
-data Any data, depending on packet type. Encoding as in the ssh packet
-protocol.
-.TE
-
-The following message types are currently defined:
-.IP "1 SSH_AGENTC_REQUEST_RSA_IDENTITIES"
-
-(no arguments)
-
-Requests the agent to send a list of all RSA keys for which it can
-answer a challenge.
-.IP "2 SSH_AGENT_RSA_IDENTITIES_ANSWER"
-.TS
-;
-l l.
-32-bit int howmany
-howmany times:
-32-bit int bits
-mp-int public exponent
-mp-int public modulus
-string comment
-.TE
-The agent sends this message in response to the to
-SSH_AGENTC_REQUEST_RSA_IDENTITIES. The answer lists all RSA keys for
-which the agent can answer a challenge. The comment field is intended
-to help identify each key; it may be printed by an application to
-indicate which key is being used. If the agent is not holding any
-keys, howmany will be zero.
-.IP "3 SSH_AGENTC_RSA_CHALLENGE
-.TS
-;
-l l.
-32-bit int bits
-mp-int public exponent
-mp-int public modulus
-mp-int challenge
-16 bytes session_id
-32-bit int response_type
-.TE
-Requests RSA decryption of random challenge to authenticate the other
-side. The challenge will be decrypted with the RSA private key
-corresponding to the given public key.
-
-The decrypted challenge must contain a zero in the highest (partial)
-byte, 2 in the next byte, followed by non-zero random bytes, a zero
-byte, and then the real challenge value in the lowermost bytes. The
-real challenge must be 32 8-bit bytes (256 bits).
-
-Response_type indicates the format of the response to be returned.
-Currently the only supported value is 1, which means to compute MD5 of
-the real challenge plus session id, and return the resulting 16 bytes
-in a SSH_AGENT_RSA_RESPONSE message.
-.IP "4 SSH_AGENT_RSA_RESPONSE"
-.TS
-;
-l l.
-16 bytes MD5 of decrypted challenge
-.TE
-Answers an RSA authentication challenge. The response is 16 bytes:
-the MD5 checksum of the 32-byte challenge.
-.IP "5 SSH_AGENT_FAILURE"
-
-(no arguments)
-
-This message is sent whenever the agent fails to answer a request
-properly. For example, if the agent cannot answer a challenge (e.g.,
-no longer has the proper key), it can respond with this. The agent
-also responds with this message if it receives a message it does not
-recognize.
-.IP "6 SSH_AGENT_SUCCESS"
-
-(no arguments)
-
-This message is sent by the agent as a response to certain requests
-that do not otherwise cause a message be sent. Currently, this is
-only sent in response to SSH_AGENTC_ADD_RSA_IDENTITY and
-SSH_AGENTC_REMOVE_RSA_IDENTITY.
-.IP "7 SSH_AGENTC_ADD_RSA_IDENTITY"
-.TS
-;
-l l.
-32-bit int bits
-mp-int public modulus
-mp-int public exponent
-mp-int private exponent
-mp-int multiplicative inverse of p mod q
-mp-int p
-mp-int q
-string comment
-.TE
-Registers an RSA key with the agent. After this request, the agent can
-use this RSA key to answer requests. The agent responds with
-SSH_AGENT_SUCCESS or SSH_AGENT_FAILURE.
-.IP "8 SSH_AGENT_REMOVE_RSA_IDENTITY"
-.TS
-;
-l l.
-32-bit int bits
-mp-int public exponent
-mp-int public modulus
-.TE
-Removes an RSA key from the agent. The agent will no longer accept
-challenges for this key and will not list it as a supported identity.
-The agent responds with SSH_AGENT_SUCCESS or SSH_AGENT_FAILURE.
-.RT
-
-If the agent receives a message that it does not understand, it
-responds with SSH_AGENT_FAILURE. This permits compatible future
-extensions.
-
-It is possible that several clients have a connection open to the
-authentication agent simultaneously. Each client will use a separate
-connection (thus, any SSH connection can have multiple agent
-connections active simultaneously).
-
-
-.ti 0
-References
-
-.IP "[DES] "
-FIPS PUB 46-1: Data Encryption Standard. National Bureau of
-Standards, January 1988. FIPS PUB 81: DES Modes of Operation.
-National Bureau of Standards, December 1980. Bruce Schneier: Applied
-Cryptography. John Wiley & Sons, 1994. J. Seberry and J. Pieprzyk:
-Cryptography: An Introduction to Computer Security. Prentice-Hall,
-1989.
-.IP "[GZIP] "
-The GNU GZIP program; available for anonymous ftp at prep.ai.mit.edu.
-Please let me know if you know a paper describing the algorithm.
-.IP "[IDEA] "
-Xuejia Lai: On the Design and Security of Block Ciphers, ETH Series in
-Information Processing, vol. 1, Hartung-Gorre Verlag, Konstanz,
-Switzerland, 1992. Bruce Schneier: Applied Cryptography, John Wiley &
-Sons, 1994. See also the following patents: PCT/CH91/00117, EP 0 482
-154 B1, US Pat. 5,214,703.
-.IP [PKCS#1]
-PKCS #1: RSA Encryption Standard. Version 1.5, RSA Laboratories,
-November 1993. Available for anonymous ftp at ftp.rsa.com.
-.IP [POSIX]
-Portable Operating System Interface (POSIX) - Part 1: Application
-Program Interface (API) [C language], ISO/IEC 9945-1, IEEE Std 1003.1,
-1990.
-.IP [RFC0791]
-J. Postel: Internet Protocol, RFC 791, USC/ISI, September 1981.
-.IP [RFC0793]
-J. Postel: Transmission Control Protocol, RFC 793, USC/ISI, September
-1981.
-.IP [RFC1034]
-P. Mockapetris: Domain Names - Concepts and Facilities, RFC 1034,
-USC/ISI, November 1987.
-.IP [RFC1282]
-B. Kantor: BSD Rlogin, RFC 1258, UCSD, December 1991.
-.IP "[RSA] "
-Bruce Schneier: Applied Cryptography. John Wiley & Sons, 1994. See
-also R. Rivest, A. Shamir, and L. M. Adleman: Cryptographic
-Communications System and Method. US Patent 4,405,829, 1983.
-.IP "[X11] "
-R. Scheifler: X Window System Protocol, X Consortium Standard, Version
-11, Release 6. Massachusetts Institute of Technology, Laboratory of
-Computer Science, 1994.
-.RT
-
-
-.ti 0
-Security Considerations
-
-This protocol deals with the very issue of user authentication and
-security.
-
-First of all, as an implementation issue, the server program will have
-to run as root (or equivalent) on the server machine. This is because
-the server program will need be able to change to an arbitrary user
-id. The server must also be able to create a privileged TCP/IP port.
-
-The client program will need to run as root if any variant of .rhosts
-authentication is to be used. This is because the client program will
-need to create a privileged port. The client host key is also usually
-stored in a file which is readable by root only. The client needs the
-host key in .rhosts authentication only. Root privileges can be
-dropped as soon as the privileged port has been created and the host
-key has been read.
-
-The SSH protocol offers major security advantages over existing telnet
-and rlogin protocols.
-.IP o
-IP spoofing is restricted to closing a connection (by encryption, host
-keys, and the special random cookie). If encryption is not used, IP
-spoofing is possible for those who can hear packets going out from the
-server.
-.IP o
-DNS spoofing is made ineffective (by host keys).
-.IP o
-Routing spoofing is made ineffective (by host keys).
-.IP o
-All data is encrypted with strong algorithms to make eavesdropping as
-difficult as possible. This includes encrypting any authentication
-information such as passwords. The information for decrypting session
-keys is destroyed every hour.
-.IP o
-Strong authentication methods: .rhosts combined with RSA host
-authentication, and pure RSA authentication.
-.IP o
-X11 connections and arbitrary TCP/IP ports can be forwarded securely.
-.IP o
-Man-in-the-middle attacks are deterred by using the server host key to
-encrypt the session key.
-.IP o
-Trojan horses to catch a password by routing manipulation are deterred
-by checking that the host key of the server machine matches that
-stored on the client host.
-.RT
-
-The security of SSH against man-in-the-middle attacks and the security
-of the new form of .rhosts authentication, as well as server host
-validation, depends on the integrity of the host key and the files
-containing known host keys.
-
-The host key is normally stored in a root-readable file. If the host
-key is compromised, it permits attackers to use IP, DNS and routing
-spoofing as with current rlogin and rsh. It should never be any worse
-than the current situation.
-
-The files containing known host keys are not sensitive. However, if an
-attacker gets to modify the known host key files, it has the same
-consequences as a compromised host key, because the attacker can then
-change the recorded host key.
-
-The security improvements obtained by this protocol for X11 are of
-particular significance. Previously, there has been no way to protect
-data communicated between an X server and a client running on a remote
-machine. By creating a fake display on the server, and forwarding all
-X11 requests over the secure channel, SSH can be used to run any X11
-applications securely without any cooperation with the vendors of the
-X server or the application.
-
-Finally, the security of this program relies on the strength of the
-underlying cryptographic algorithms. The RSA algorithm is used for
-authentication key exchange. It is widely believed to be secure. Of
-the algorithms used to encrypt the session, DES has a rather small key
-these days, probably permitting governments and organized criminals to
-break it in very short time with specialized hardware. 3DES is
-probably safe (but slower). IDEA is widely believed to be secure.
-People have varying degrees of confidence in the other algorithms.
-This program is not secure if used with no encryption at all.
-
-
-.ti 0
-Additional Information
-
-Additional information (especially on the implementation and mailing
-lists) is available via WWW at http://www.cs.hut.fi/ssh.
-
-Comments should be sent to Tatu Ylonen <ylo@cs.hut.fi> or the SSH
-Mailing List <ssh@clinet.fi>.
-
-.ti 0
-Author's Address
-
-.TS
-;
-l.
-Tatu Ylonen
-Helsinki University of Technology
-Otakaari 1
-FIN-02150 Espoo, Finland
-
-Phone: +358-0-451-3374
-Fax: +358-0-451-3293
-EMail: ylo@cs.hut.fi
-.TE
andersk / gssapi-openssh.git / commitdiff
