source: trunk/third/ssh/RFC.nroff @ 11534

Revision 11534, 73.7 KB checked in by danw, 27 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r11533, which included commits to RCS files with non-trunk default branches.
Line 
1.\" -*- nroff -*-
2.\"
3.\" $Id: RFC.nroff,v 1.1.1.2 1998-05-13 19:11:02 danw Exp $
4.\" $Log: not supported by cvs2svn $
5.\" Revision 1.11  1998/04/30 01:49:48  kivinen
6.\"     Fixed phone numbers.
7.\"
8.\" Revision 1.10  1998/03/27 17:25:27  kivinen
9.\"     Removed TSS.
10.\"
11.\" Revision 1.9  1997/08/21 22:35:33  ylo
12.\"     Clarified session id computation, as reported by Ian Goldberg.
13.\"
14.\" Revision 1.8  1997/03/27 03:39:12  kivinen
15.\"     Fixed typo.
16.\"
17.\" Revision 1.7  1997/03/27 03:08:04  kivinen
18.\"     Added kerberos authentication documentation.
19.\"
20.\" Revision 1.6  1997/03/19 22:06:13  kivinen
21.\"     Fixed typo.
22.\"
23.\" Revision 1.5  1997/03/19 19:24:18  kivinen
24.\"     Documented TIS Authentication.
25.\"
26.\" Revision 1.4  1997/03/19 17:34:30  kivinen
27.\"     Removed des from mandatory ciphers.
28.\"
29.\" Revision 1.3  1996/10/29 22:33:30  kivinen
30.\"     Updated protocol version to 1.5.
31.\"
32.\" Revision 1.2  1996/06/20 23:50:13  ylo
33.\"     Fixed a typo.
34.\"
35.\" Revision 1.1.1.1  1996/02/18 21:38:10  ylo
36.\"     Imported ssh-1.2.13.
37.\"
38.\" Revision 1.7  1995/09/24  23:57:48  ylo
39.\"     Added passing of screen number to server.
40.\"
41.\" Revision 1.6  1995/09/06  19:52:11  ylo
42.\"     Added a note that X11 forwarding with spoofing is optional.
43.\"
44.\" Revision 1.5  1995/07/27  02:15:33  ylo
45.\"     Changes to RC4 keying.
46.\"
47.\" Revision 1.4  1995/07/26  23:31:57  ylo
48.\"     Changes for protocol version 1.1 to deter replay and rsa
49.\"     response forwarding.
50.\"
51.\" Revision 1.3  1995/07/15  22:27:39  ylo
52.\"     Added pointer to the www page.
53.\"
54.\" Revision 1.2  1995/07/13  01:05:52  ylo
55.\"     Added cvs log.
56.\"
57.\" $Endlog$
58.pl 10.0i
59.po 0
60.ll 7.2i
61.lt 7.2i
62.nr LL 7.2i
63.nr LT 7.2i
64.ds LF Ylonen
65.ds RF FORMFEED[Page %]
66.ds CF
67.ds LH Internet-Draft
68.ds RH 15 November 1995
69.ds CH SSH (Secure Shell) Remote Login Protocol
70.na
71.hy 0
72.in 0
73Network Working Group                                          T. Ylonen
74Internet-Draft                         Helsinki University of Technology
75draft-ylonen-ssh-protocol-00.txt                        15 November 1995
76Expires: 15 May 1996
77
78.in 3
79
80.ce
81The SSH (Secure Shell) Remote Login Protocol
82
83.ti 0
84Status of This Memo
85
86This document is an Internet-Draft.   Internet-Drafts  are  working
87documents of the Internet Engineering Task Force (IETF), its areas,
88and its working groups.  Note that other groups may also distribute
89working documents as Internet-Drafts.
90
91Internet-Drafts are draft documents valid  for  a  maximum  of  six
92months  and  may  be updated, replaced, or obsoleted by other docu-
93ments at any time.  It is inappropriate to use  Internet-Drafts  as
94reference  material  or  to  cite them other than as ``work in pro-
95gress.''
96
97To learn the current status of any Internet-Draft, please check the
98``1id-abstracts.txt'' listing contained in the Internet- Drafts Shadow
99Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
100munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
101ftp.isi.edu (US West Coast).
102
103The distribution of  this  memo  is  unlimited.
104
105.ti 0
106Introduction
107
108SSH (Secure Shell) is a program to log into another computer over a
109network, to execute commands in a remote machine, and to move files
110from one machine to another.  It provides strong authentication and
111secure communications over insecure networks.  Its features include
112the following:
113.IP o
114Closes several security holes (e.g., IP, routing, and DNS spoofing).
115New authentication methods: .rhosts together with RSA [RSA] based host
116authentication, and pure RSA authentication.
117.IP o
118All communications are automatically and transparently encrypted.
119Encryption is also used to protect integrity.
120.IP o
121X11 connection forwarding provides secure X11 sessions.
122.IP o
123Arbitrary TCP/IP ports can be redirected over the encrypted channel
124in both directions.
125.IP o
126Client RSA-authenticates the server machine in the beginning of every
127connection to prevent trojan horses (by routing or DNS spoofing) and
128man-in-the-middle attacks, and the server RSA-authenticates the client
129machine before accepting .rhosts or /etc/hosts.equiv authentication
130(to prevent DNS, routing, or IP spoofing).
131.IP o
132An authentication agent, running in the user's local workstation or
133laptop, can be used to hold the user's RSA authentication keys.
134.RT
135
136The goal has been to make the software as easy to use as possible for
137ordinary users.  The protocol has been designed to be as secure as
138possible while making it possible to create implementations that
139are easy to use and install.  The sample implementation has a number
140of convenient features that are not described in this document as they
141are not relevant for the protocol.
142
143
144.ti 0
145Overview of the Protocol
146
147The software consists of a server program running on a server machine,
148and a client program running on a client machine (plus a few auxiliary
149programs).  The machines are connected by an insecure IP [RFC0791]
150network (that can be monitored, tampered with, and spoofed by hostile
151parties).
152
153A connection is always initiated by the client side.  The server
154listens on a specific port waiting for connections.  Many clients may
155connect to the same server machine.
156
157The client and the server are connected via a TCP/IP [RFC0793] socket
158that is used for bidirectional communication.  Other types of
159transport can be used but are currently not defined.
160
161When the client connects the server, the server accepts the connection
162and responds by sending back its version identification string.  The
163client parses the server's identification, and sends its own
164identification.  The purpose of the identification strings is to
165validate that the connection was to the correct port, declare the
166protocol version number used, and to declare the software version used
167on each side (for debugging purposes).  The identification strings are
168human-readable.  If either side fails to understand or support the
169other side's version, it closes the connection.
170
171After the protocol identification phase, both sides switch to a packet
172based binary protocol.  The server starts by sending its host key
173(every host has an RSA key used to authenticate the host), server key
174(an RSA key regenerated every hour), and other information to the
175client.  The client then generates a 256 bit session key, encrypts it
176using both RSA keys (see below for details), and sends the encrypted
177session key and selected cipher type to the server.  Both sides then
178turn on encryption using the selected algorithm and key.  The server
179sends an encrypted confirmation message to the client.
180
181The client then authenticates itself using any of a number of
182authentication methods.  The currently supported authentication
183methods are .rhosts or /etc/hosts.equiv authentication (disabled by
184default), the same with RSA-based host authentication, RSA
185authentication, and password authentication.
186
187After successful authentication, the client makes a number of requests
188to prepare for the session.  Typical requests include allocating a
189pseudo tty, starting X11 [X11] or TCP/IP port forwarding, starting
190authentication agent forwarding, and executing the shell or a command.
191
192When a shell or command is executed, the connection enters interactive
193session mode.  In this mode, data is passed in both directions,
194new forwarded connections may be opened, etc.  The interactive session
195normally terminates when the server sends the exit status of the
196program to the client.
197
198
199The protocol makes several reservations for future extensibility.
200First of all, the initial protocol identification messages include the
201protocol version number.  Second, the first packet by both sides
202includes a protocol flags field, which can be used to agree on
203extensions in a compatible manner.  Third, the authentication and
204session preparation phases work so that the client sends requests to
205the server, and the server responds with success or failure.  If the
206client sends a request that the server does not support, the server
207simply returns failure for it.  This permits compatible addition of
208new authentication methods and preparation operations.  The
209interactive session phase, on the other hand, works asynchronously and
210does not permit the use of any extensions (because there is no easy
211and reliable way to signal rejection to the other side and problems
212would be hard to debug).  Any compatible extensions to this phase must
213be agreed upon during any of the earlier phases.
214
215.ti 0
216The Binary Packet Protocol
217
218After the protocol identification strings, both sides only send
219specially formatted packets.  The packet layout is as follows:
220.IP o
221Packet length: 32 bit unsigned integer, coded as four 8-bit bytes, msb
222first.  Gives the length of the packet, not including the length field
223and padding.  The maximum length of a packet (not including the length
224field and padding) is 262144 bytes.
225.IP o
226Padding: 1-8 bytes of random data (or zeroes if not encrypting).  The
227amount of padding is (8 - (length % 8)) bytes (where % stands for the
228modulo operator).  The rationale for always having some random padding
229at the beginning of each packet is to make known plaintext attacks
230more difficult.
231.IP o
232Packet type: 8-bit unsigned byte.  The value 255 is reserved for
233future extension.
234.IP o
235Data: binary data bytes, depending on the packet type.  The number of
236data bytes is the "length" field minus 5.
237.IP o
238Check bytes: 32-bit crc, four 8-bit bytes, msb first.  The crc is the
239Cyclic Redundancy Check, with the polynomial 0xedb88320, of the
240Padding, Packet type, and Data fields.  The crc is computed before
241any encryption.
242.RT
243
244The packet, except for the length field, may be encrypted using any of
245a number of algorithms.  The length of the encrypted part (Padding +
246Type + Data + Check) is always a multiple of 8 bytes.  Typically the
247cipher is used in a chained mode, with all packets chained together as
248if it was a single data stream (the length field is never included in
249the encryption process).  Details of encryption are described below.
250
251When the session starts, encryption is turned off.  Encryption is
252enabled after the client has sent the session key.  The encryption
253algorithm to use is selected by the client.
254
255
256.ti 0
257Packet Compression
258
259If compression is supported (it is an optional feature, see
260SSH_CMSG_REQUEST_COMPRESSION below), the packet type and data fields
261of the packet are compressed using the gzip deflate algorithm [GZIP].
262If compression is in effect, the packet length field indicates the
263length of the compressed data, plus 4 for the crc.  The amount of
264padding is computed from the compressed data, so that the amount of
265data to be encrypted becomes a multiple of 8 bytes.
266
267When compressing, the packets (type + data portions) in each direction
268are compressed as if they formed a continuous data stream, with only the
269current compression block flushed between packets.  This corresponds
270to the GNU ZLIB library Z_PARTIAL_FLUSH option.  The compression
271dictionary is not flushed between packets.  The two directions are
272compressed independently of each other.
273
274
275.ti 0
276Packet Encryption
277
278The protocol supports several encryption methods.  During session
279initialization, the server sends a bitmask of all encryption methods
280that it supports, and the client selects one of these methods.  The
281client also generates a 256-bit random session key (32 8-bit bytes) and
282sends it to the server.
283
284The encryption methods supported by the current implementation, and
285their codes are:
286.TS
287center;
288l r l.
289SSH_CIPHER_NONE 0          No encryption
290SSH_CIPHER_IDEA 1          IDEA in CFB mode
291SSH_CIPHER_DES  2          DES in CBC mode
292SSH_CIPHER_3DES 3          Triple-DES in CBC mode
293SSH_CIPHER_RC4  5          RC4
294.TE
295
296All implementations are required to support SSH_CIPHER_3DES.
297Supporting SSH_CIPHER_IDEA, SSH_CIPHER_RC4, and
298SSH_CIPHER_NONE is recommended.  Other ciphers
299may be added at a later time; support for them is optional.
300
301For encryption, the encrypted portion of the packet is considered a
302linear byte stream.  The length of the stream is always a multiple of
3038.  The encrypted portions of consecutive packets (in the same
304direction) are encrypted as if they were a continuous buffer (that is,
305any initialization vectors are passed from the previous packet to the
306next packet).  Data in each direction is encrypted independently.
307.IP SSH_CIPHER_DES
308The key is taken from the first 8 bytes of the session key.  The least
309significant bit of each byte is ignored.  This results in 56 bits of
310key data.  DES [DES] is used in CBC mode.  The iv (initialization vector) is
311initialized to all zeroes.
312.IP SSH_CIPHER_3DES
313The variant of triple-DES used here works as follows: there are three
314independent DES-CBC ciphers, with independent initialization vectors.
315The data (the whole encrypted data stream) is first encrypted with the
316first cipher, then decrypted with the second cipher, and finally
317encrypted with the third cipher.  All these operations are performed
318in CBC mode.
319
320The key for the first cipher is taken from the first 8 bytes of the
321session key; the key for the next cipher from the next 8 bytes, and
322the key for the third cipher from the following 8 bytes.  All three
323initialization vectors are initialized to zero.
324
325(Note: the variant of 3DES used here differs from some other
326descriptions.)
327.IP SSH_CIPHER_IDEA
328The key is taken from the first 16 bytes of the session key.  IDEA
329[IDEA] is used in CFB mode.  The initialization vector is initialized
330to all zeroes.
331.IP SSH_CIPHER_RC4
332The first 16 bytes of the session key are used as the key for the
333server to client direction.  The remaining 16 bytes are used as the
334key for the client to server direction.  This gives independent
335128-bit keys for each direction.
336
337This algorithm is the alleged RC4 cipher posted to the Usenet in 1995.
338It is widely believed to be equivalent with the original RSADSI RC4
339cipher.  This is a very fast algorithm.
340.RT
341
342
343.ti 0
344Data Type Encodings
345
346The Data field of each packet contains data encoded as described in
347this section.  There may be several data items; each item is coded as
348described here, and their representations are concatenated together
349(without any alignment or padding).
350
351Each data type is stored as follows:
352.IP "8-bit byte"
353The byte is stored directly as a single byte.
354.IP "32-bit unsigned integer"
355Stored in 4 bytes, msb first.
356.IP "Arbitrary length binary string"
357First 4 bytes are the length of the string, msb first (not including
358the length itself).  The following "length" bytes are the string
359value.  There are no terminating null characters.
360.IP "Multiple-precision integer"
361First 2 bytes are the number of bits in the integer, msb first (for
362example, the value 0x00012345 would have 17 bits).  The value zero has
363zero bits.  It is permissible that the number of bits be larger than the
364real number of bits.
365
366The number of bits is followed by (bits + 7) / 8 bytes of binary data,
367msb first, giving the value of the integer.
368.RT
369
370
371.ti 0
372TCP/IP Port Number and Other Options
373
374The server listens for connections on TCP/IP port 22.
375
376The client may connect the server from any port.  However, if the
377client wishes to use any form of .rhosts or /etc/hosts.equiv
378authentication, it must connect from a privileged port (less than
3791024).
380
381For the IP Type of Service field [RFC0791], it is recommended that
382interactive sessions (those having a user terminal or forwarding X11
383connections) use the IPTOS_LOWDELAY, and non-interactive connections
384use IPTOS_THROUGHPUT.
385
386It is recommended that keepalives are used, because otherwise programs
387on the server may never notice if the other end of the connection is
388rebooted.
389
390
391.ti 0
392Protocol Version Identification
393
394After the socket is opened, the server sends an identification string,
395which is of the form
396"SSH-<protocolmajor>.<protocolminor>-<version>\\n", where
397<protocolmajor> and <protocolminor> are integers and specify the
398protocol version number (not software distribution version).
399<version> is server side software version string (max 40 characters);
400it is not interpreted by the remote side but may be useful for
401debugging.
402
403The client parses the server's string, and sends a corresponding
404string with its own information in response.  If the server has lower
405version number, and the client contains special code to emulate it,
406the client responds with the lower number; otherwise it responds with
407its own number.  The server then compares the version number the
408client sent with its own, and determines whether they can work
409together.  The server either disconnects, or sends the first packet
410using the binary packet protocol and both sides start working
411according to the lower of the protocol versions.
412
413By convention, changes which keep the protocol compatible with
414previous versions keep the same major protocol version; changes that
415are not compatible increment the major version (which will hopefully
416never happen).  The version described in this document is 1.5.
417
418.ti 0
419Key Exchange and Server Host Authentication
420
421The first message sent by the server using the packet protocol is
422SSH_SMSG_PUBLIC_KEY.  It declares the server's host key, server public
423key, supported ciphers, supported authentication methods, and flags
424for protocol extensions.  It also contains a 64-bit random number
425(cookie) that must be returned in the client's reply (to make IP
426spoofing more difficult).  No encryption is used for this message.
427
428Both sides compute a session id as follows.  The modulus of the host
429key is interpreted as a byte string (without explicit length field,
430with minimum length able to hold the whole value), most significant
431byte first.  This string is concatenated with the server key
432interpreted the same way.  Additionally, the cookie is concatenated
433with this.  Both sides compute MD5 of the resulting string.  The
434resulting 16 bytes (128 bits) are stored by both parties and are
435called the session id.
436
437In other words,
438     session_id = MD5(hostkey->n || servkey->n || cookie)
439
440The client responds with a SSH_CMSG_SESSION_KEY message, which
441contains the selected cipher type, a copy of the 64-bit cookie sent by
442the server, client's protocol flags, and a session key encrypted
443with both the server's host key and server key.  No encryption is used
444for this message.
445
446The session key is 32 8-bit bytes (a total of 256 random bits
447generated by the client).  The client first xors the 16 bytes of the
448session id with the first 16 bytes of the session key.  The resulting
449string is then encrypted using the smaller key (one with smaller
450modulus), and the result is then encrypted using the other key.  The
451number of bits in the public modulus of the two keys must differ by at
452least 128 bits.
453
454At each encryption step, a multiple-precision integer is constructed
455from the data to be encrypted as follows (the integer is here
456interpreted as a sequence of bytes, msb first; the number of bytes is
457the number of bytes needed to represent the modulus).
458
459The most significant byte (which is only partial as the value must be
460less than the public modulus, which is never a power of two) is zero.
461
462The next byte contains the value 2 (which stands for public-key
463encrypted data in the PKCS standard [PKCS#1]).  Then, there are
464non-zero random bytes to fill any unused space, a zero byte, and the
465data to be encrypted in the least significant bytes, the last byte of
466the data in the least significant byte.
467
468This algorithm is used twice.  First, it is used to encrypt the 32
469random bytes generated by the client to be used as the session key
470(xored by the session id).  This value is converted to an integer as
471described above, and encrypted with RSA using the key with the smaller
472modulus.  The resulting integer is converted to a byte stream, msb
473first.  This byte stream is padded and encrypted identically using the
474key with the larger modulus.
475
476After the client has sent the session key, it starts to use the
477selected algorithm and key for decrypting any received packets, and
478for encrypting any sent packets.  Separate ciphers are used for
479different directions (that is, both directions have separate
480initialization vectors or other state for the ciphers).
481
482When the server has received the session key message, and has turned
483on encryption, it sends a SSH_SMSG_SUCCESS message to the client.
484
485The recommended size of the host key is 1024 bits, and 768 bits for
486the server key.  The minimum size is 512 bits for the smaller key.
487
488
489.ti 0
490Declaring the User Name
491
492The client then sends a SSH_CMSG_USER message to the server.  This
493message specifies the user name to log in as.
494
495The server validates that such a user exists, checks whether
496authentication is needed, and responds with either SSH_SMSG_SUCCESS or
497SSH_SMSG_FAILURE.  SSH_SMSG_SUCCESS indicates that no authentication
498is needed for this user (no password), and authentication phase has
499now been completed.  SSH_SMSG_FAILURE indicates that authentication is
500needed (or the user does not exist).
501
502If the user does not exist, it is recommended that this returns
503failure, but the server keeps reading messages from the client, and
504responds to any messages (except SSH_MSG_DISCONNECT, SSH_MSG_IGNORE,
505and SSH_MSG_DEBUG) with SSH_SMSG_FAILURE.  This way the client cannot
506be certain whether the user exists.
507
508
509.ti 0
510Authentication Phase
511
512Provided the server didn't immediately accept the login, an
513authentication exchange begins.  The client sends messages to the
514server requesting different types of authentication in arbitrary order as
515many times as desired (however, the server may close the connection
516after a timeout).  The server always responds with SSH_SMSG_SUCCESS if
517it has accepted the authentication, and with SSH_SMSG_FAILURE if it has
518denied authentication with the requested method or it does not
519recognize the message.  Some authentication methods cause an exchange
520of further messages before the final result is sent.  The
521authentication phase ends when the server responds with success.
522
523The recommended value for the authentication timeout (timeout before
524disconnecting if no successful authentication has been made) is 5
525minutes.
526
527The following authentication methods are currently supported:
528.TS
529center;
530l r l.
531SSH_AUTH_RHOSTS 1       .rhosts or /etc/hosts.equiv
532SSH_AUTH_RSA    2       pure RSA authentication
533SSH_AUTH_PASSWORD       3       password authentication
534SSH_AUTH_RHOSTS_RSA     4       .rhosts with RSA host authentication
535.TE
536.IP SSH_AUTH_RHOSTS
537
538This is the authentication method used by rlogin and rsh [RFC1282].
539
540The client sends SSH_CMSG_AUTH_RHOSTS with the client-side user name
541as an argument.
542
543The server checks whether to permit authentication.  On UNIX systems,
544this is usually done by checking /etc/hosts.equiv, and .rhosts in the
545user's home directory.  The connection must come from a privileged
546port.
547
548It is recommended that the server checks that there are no IP options
549(such as source routing) specified for the socket before accepting
550this type of authentication.  The client host name should be
551reverse-mapped and then forward mapped to ensure that it has the
552proper IP-address.
553
554This authentication method trusts the remote host (root on the remote
555host can pretend to be any other user on that host), the name
556services, and partially the network: anyone who can see packets coming
557out from the server machine can do IP-spoofing and pretend to be any
558machine; however, the protocol prevents blind IP-spoofing (which used
559to be possible with rlogin).
560
561Many sites probably want to disable this authentication method because
562of the fundamental insecurity of conventional .rhosts or
563/etc/hosts.equiv authentication when faced with spoofing.  It is
564recommended that this method not be supported by the server by
565default.
566.IP SSH_AUTH_RHOSTS_RSA
567
568In addition to conventional .rhosts and hosts.equiv authentication,
569this method additionally requires that the client host be
570authenticated using RSA.
571
572The client sends SSH_CMSG_AUTH_RHOSTS_RSA specifying the client-side
573user name, and the public host key of the client host.
574
575The server first checks if normal .rhosts or /etc/hosts.equiv
576authentication would be accepted, and if not, responds with
577SSH_SMSG_FAILURE.  Otherwise, it checks whether it knows the host key
578for the client machine (using the same name for the host that was used
579for checking the .rhosts and /etc/hosts.equiv files).  If it does not
580know the RSA key for the client, access is denied and SSH_SMSG_FAILURE
581is sent.
582
583If the server knows the host key of the client machine, it verifies
584that the given host key matches that known for the client.  If not,
585access is denied and SSH_SMSG_FAILURE is sent.
586
587The server then sends a SSH_SMSG_AUTH_RSA_CHALLENGE message containing
588an encrypted challenge for the client.  The challenge is 32 8-bit
589random bytes (256 bits).  When encrypted, the highest (partial) byte
590is left as zero, the next byte contains the value 2, the following are
591non-zero random bytes, followed by a zero byte, and the challenge put
592in the remaining bytes.  This is then encrypted using RSA with the
593client host's public key.  (The padding and encryption algorithm is
594the same as that used for the session key.)
595
596The client decrypts the challenge using its private host key,
597concatenates this with the session id, and computes an MD5 checksum
598of the resulting 48 bytes.  The MD5 output is returned as 16 bytes in
599a SSH_CMSG_AUTH_RSA_RESPONSE message.  (MD5 is used to deter chosen
600plaintext attacks against RSA; the session id binds it to a specific
601session).
602
603The server verifies that the MD5 of the decrypted challenge returned by
604the client matches that of the original value, and sends SSH_SMSG_SUCCESS if
605so.  Otherwise it sends SSH_SMSG_FAILURE and refuses the
606authentication attempt.
607
608This authentication method trusts the client side machine in that root
609on that machine can pretend to be any user on that machine.
610Additionally, it trusts the client host key.  The name and/or IP
611address of the client host is only used to select the public host key.
612The same host name is used when scanning .rhosts or /etc/hosts.equiv
613and when selecting the host key.  It would in principle be possible to
614eliminate the host name entirely and substitute it directly by the
615host key.  IP and/or DNS [RFC1034] spoofing can only be used
616to pretend to be a host for which the attacker has the private host
617key.
618.IP SSH_AUTH_RSA
619
620The idea behind RSA authentication is that the server recognizes the
621public key offered by the client, generates a random challenge, and
622encrypts the challenge with the public key.  The client must then
623prove that it has the corresponding private key by decrypting the
624challenge.
625
626The client sends SSH_CMSG_AUTH_RSA with public key modulus (n) as an
627argument.
628
629The server may respond immediately with SSH_SMSG_FAILURE if it does
630not permit authentication with this key.  Otherwise it generates a
631challenge, encrypts it using the user's public key (stored on the
632server and identified using the modulus), and sends
633SSH_SMSG_AUTH_RSA_CHALLENGE with the challenge (mp-int) as an
634argument.
635
636The challenge is 32 8-bit random bytes (256 bits).  When encrypted,
637the highest (partial) byte is left as zero, the next byte contains the
638value 2, the following are non-zero random bytes, followed by a zero
639byte, and the challenge put in the remaining bytes.  This is then
640encrypted with the public key.  (The padding and encryption algorithm
641is the same as that used for the session key.)
642
643The client decrypts the challenge using its private key, concatenates
644it with the session id, and computes an MD5 checksum of the resulting
64548 bytes.  The MD5 output is returned as 16 bytes in a
646SSH_CMSG_AUTH_RSA_RESPONSE message.  (Note that the MD5 is necessary
647to avoid chosen plaintext attacks against RSA; the session id binds it
648to a specific session.)
649
650The server verifies that the MD5 of the decrypted challenge returned
651by the client matches that of the original value, and sends
652SSH_SMSG_SUCCESS if so.  Otherwise it sends SSH_SMSG_FAILURE and
653refuses the authentication attempt.
654
655This authentication method does not trust the remote host, the
656network, name services, or anything else.  Authentication is based
657solely on the possession of the private identification keys.  Anyone
658in possession of the private keys can log in, but nobody else.
659
660The server may have additional requirements for a successful
661authentiation.  For example, to limit damage due to a compromised RSA
662key, a server might restrict access to a limited set of hosts.
663.IP SSH_AUTH_PASSWORD
664
665The client sends a SSH_CMSG_AUTH_PASSWORD message with the plain text
666password.  (Note that even though the password is plain text inside
667the message, it is normally encrypted by the packet mechanism.)
668
669The server verifies the password, and sends SSH_SMSG_SUCCESS if
670authentication was accepted and SSH_SMSG_FAILURE otherwise.
671
672Note that the password is read from the user by the client; the user
673never interacts with a login program.
674
675This authentication method does not trust the remote host, the
676network, name services or anything else.  Authentication is based
677solely on the possession of the password.  Anyone in possession of the
678password can log in, but nobody else.
679.RT
680
681.ti 0
682Preparatory Operations
683
684After successful authentication, the server waits for a request from
685the client, processes the request, and responds with SSH_SMSG_SUCCESS
686whenever a request has been successfully processed.  If it receives a
687message that it does not recognize or it fails to honor a request, it
688returns SSH_SMSG_FAILURE.  It is expected that new message types might
689be added to this phase in future.
690
691The following messages are currently defined for this phase.
692.IP SSH_CMSG_REQUEST_COMPRESSION
693Requests that compression be enabled for this session.  A
694gzip-compatible compression level (1-9) is passed as an argument.
695.IP SSH_CMSG_REQUEST_PTY
696Requests that a pseudo terminal device be allocated for this session.
697The user terminal type and terminal modes are supplied as arguments.
698.IP SSH_CMSG_X11_REQUEST_FORWARDING
699Requests forwarding of X11 connections from the remote machine to the
700local machine over the secure channel.  Causes an internet-domain
701socket to be allocated and the DISPLAY variable to be set on the server.
702X11 authentication data is automatically passed to the server, and the
703client may implement spoofing of authentication data for added
704security.  The authentication data is passed as arguments.
705.IP SSH_CMSG_PORT_FORWARD_REQUEST
706Requests forwarding of a TCP/IP port on the server host over the
707secure channel.  What happens is that whenever a connection is made to
708the port on the server, a connection will be made from the client end
709to the specified host/port.  Any user can forward unprivileged ports;
710only the root can forward privileged ports (as determined by
711authentication done earlier).
712.IP SSH_CMSG_AGENT_REQUEST_FORWARDING
713Requests forwarding of the connection to the authentication agent.
714.IP SSH_CMSG_EXEC_SHELL
715Starts a shell (command interpreter) for the user, and moves into
716interactive session mode.
717.IP SSH_CMSG_EXEC_CMD
718Executes the given command (actually "<shell> -c <command>" or
719equivalent) for the user, and moves into interactive session mode.
720.RT
721
722
723.ti 0
724Interactive Session and Exchange of Data
725
726During the interactive session, any data written by the shell or
727command running on the server machine is forwarded to stdin or
728stderr on the client machine, and any input available from stdin on
729the client machine is forwarded to the program on the server machine.
730
731All exchange is asynchronous; either side can send at any time, and
732there are no acknowledgements (TCP/IP already provides reliable
733transport, and the packet protocol protects against tampering or IP
734spoofing).
735
736When the client receives EOF from its standard input, it will send
737SSH_CMSG_EOF; however, this in no way terminates the exchange.  The
738exchange terminates and interactive mode is left when the server sends
739SSH_SMSG_EXITSTATUS to indicate that the client program has
740terminated.  Alternatively, either side may disconnect at any time by
741sending SSH_MSG_DISCONNECT or closing the connection.
742
743The server may send any of the following messages:
744.IP SSH_SMSG_STDOUT_DATA
745Data written to stdout by the program running on the server.  The data
746is passed as a string argument.  The client writes this data to
747stdout.
748.IP SSH_SMSG_STDERR_DATA
749Data written to stderr by the program running on the server.  The data
750is passed as a string argument.  The client writes this data to
751stderr.  (Note that if the program is running on a tty, it is not
752possible to separate stdout and stderr data, and all data will be sent
753as stdout data.)
754.IP SSH_SMSG_EXITSTATUS
755Indicates that the shell or command has exited.  Exit status is passed
756as an integer argument.  This message causes termination of the
757interactive session.
758.IP SSH_SMSG_AGENT_OPEN
759Indicates that someone on the server side is requesting a connection
760to the authentication agent.  The server-side channel number is passed
761as an argument.  The client must respond with either
762SSH_CHANNEL_OPEN_CONFIRMATION or SSH_CHANNEL_OPEN_FAILURE.
763.IP SSH_SMSG_X11_OPEN
764Indicates that a connection has been made to the X11 socket on the
765server side and should be forwarded to the real X server.  An integer
766argument indicates the channel number allocated for this connection on
767the server side.  The client should send back either
768SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE with
769the same server side channel number.
770.IP SSH_MSG_PORT_OPEN
771Indicates that a connection has been made to a port on the server side
772for which forwarding has been requested.  Arguments are server side
773channel number, host name to connect to, and port to connect to.  The
774client should send back either
775SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE with
776the same server side channel number.
777.IP SSH_MSG_CHANNEL_OPEN_CONFIRMATION
778This is sent by the server to indicate that it has opened a connection
779as requested in a previous message.  The first argument indicates the
780client side channel number, and the second argument is the channel number
781that the server has allocated for this connection.
782.IP SSH_MSG_CHANNEL_OPEN_FAILURE
783This is sent by the server to indicate that it failed to open a
784connection as requested in a previous message.  The client-side
785channel number is passed as an argument.  The client will close the
786descriptor associated with the channel and free the channel.
787.IP SSH_MSG_CHANNEL_DATA
788This packet contains data for a channel from the server.  The first
789argument is the client-side channel number, and the second argument (a
790string) is the data.
791.IP SSH_MSG_CHANNEL_CLOSE
792This is sent by the server to indicate that whoever was in the other
793end of the channel has closed it.  The argument is the client side channel
794number.  The client will let all buffered data in the channel to
795drain, and when ready, will close the socket, free the channel, and
796send the server a SSH_MSG_CHANNEL_CLOSE_CONFIRMATION message for the
797channel.
798.IP SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
799This is send by the server to indicate that a channel previously
800closed by the client has now been closed on the server side as well.
801The argument indicates the client channel number.  The client frees
802the channel.
803.RT
804
805The client may send any of the following messages:
806.IP SSH_CMSG_STDIN_DATA
807This is data to be sent as input to the program running on the server.
808The data is passed as a string.
809.IP SSH_CMSG_EOF
810Indicates that the client has encountered EOF while reading standard
811input.  The server will allow any buffered input data to drain, and
812will then close the input to the program.
813.IP SSH_CMSG_WINDOW_SIZE
814Indicates that window size on the client has been changed.  The server
815updates the window size of the tty and causes SIGWINCH to be sent to
816the program.  The new window size is passed as four integer arguments:
817row, col, xpixel, ypixel.
818.IP SSH_MSG_PORT_OPEN
819Indicates that a connection has been made to a port on the client side
820for which forwarding has been requested.  Arguments are client side
821channel number, host name to connect to, and port to connect to.  The
822server should send back either SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
823SSH_MSG_CHANNEL_OPEN_FAILURE with the same client side channel number.
824.IP SSH_MSG_CHANNEL_OPEN_CONFIRMATION
825This is sent by the client to indicate that it has opened a connection
826as requested in a previous message.  The first argument indicates the
827server side channel number, and the second argument is the channel
828number that the client has allocated for this connection.
829.IP SSH_MSG_CHANNEL_OPEN_FAILURE
830This is sent by the client to indicate that it failed to open a
831connection as requested in a previous message.  The server side
832channel number is passed as an argument.  The server will close the
833descriptor associated with the channel and free the channel.
834.IP SSH_MSG_CHANNEL_DATA
835This packet contains data for a channel from the client.  The first
836argument is the server side channel number, and the second argument (a
837string) is the data.
838.IP SSH_MSG_CHANNEL_CLOSE
839This is sent by the client to indicate that whoever was in the other
840end of the channel has closed it.  The argument is the server channel
841number.  The server will allow buffered data to drain, and when ready,
842will close the socket, free the channel, and send the client a
843SSH_MSG_CHANNEL_CLOSE_CONFIRMATION message for the channel.
844.IP SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
845This is send by the client to indicate that a channel previously
846closed by the server has now been closed on the client side as well.
847The argument indicates the server channel number.  The server frees
848the channel.
849.RT
850
851Any unsupported messages during interactive mode cause the connection
852to be terminated with SSH_MSG_DISCONNECT and an error message.
853Compatible protocol upgrades should agree about any extensions during
854the preparation phase or earlier.
855
856
857.ti 0
858Termination of the Connection
859
860Normal termination of the connection is always initiated by the server
861by sending SSH_SMSG_EXITSTATUS after the program has exited.  The
862client responds to this message by sending SSH_CMSG_EXIT_CONFIRMATION
863and closes the socket; the server then closes the socket.  There are
864two purposes for the confirmation: some systems may lose previously
865sent data when the socket is closed, and closing the client side first
866causes any TCP/IP TIME_WAIT [RFC0793] waits to occur on the client side, not
867consuming server resources.
868
869If the program terminates due to a signal, the server will send
870SSH_MSG_DISCONNECT with an appropriate message.  If the connection is
871closed, all file descriptors to the program will be closed and the
872server will exit.  If the program runs on a tty, the kernel sends it
873the SIGHUP signal when the pty master side is closed.
874
875.ti 0
876Protocol Flags
877
878Both the server and the client pass 32 bits of protocol flags to the
879other side.  The flags are intended for compatible protocol extension;
880the server first announces which added capabilities it supports, and
881the client then sends the capabilities that it supports.
882
883The following flags are currently defined (the values are bit masks):
884.IP "1 SSH_PROTOFLAG_SCREEN_NUMBER"
885This flag can only be sent by the client.  It indicates that the X11
886forwarding requests it sends will include the screen number.
887.IP "2 SSH_PROTOFLAG_HOST_IN_FWD_OPEN"
888If both sides specify this flag, SSH_SMSG_X11_OPEN and
889SSH_MSG_PORT_OPEN messages will contain an additional field containing
890a description of the host at the other end of the connection.
891.RT
892
893.ti 0
894Detailed Description of Packet Types and Formats
895
896The supported packet types and the corresponding message numbers are
897given in the following table.  Messages with _MSG_ in their name may
898be sent by either side.  Messages with _CMSG_ are only sent by the
899client, and messages with _SMSG_ only by the server.
900
901A packet may contain additional data after the arguments specified
902below.  Any such data should be ignored by the receiver.  However, it
903is recommended that no such data be stored without good reason.  (This
904helps build compatible extensions.)
905.IP "0 SSH_MSG_NONE"
906This code is reserved.  This message type is never sent.
907.IP "1 SSH_MSG_DISCONNECT"
908.TS
909;
910l l.
911string  Cause of disconnection
912.TE
913This message may be sent by either party at any time.  It causes the
914immediate disconnection of the connection.  The message is intended to
915be displayed to a human, and describes the reason for disconnection.
916.IP "2 SSH_SMSG_PUBLIC_KEY"
917.TS
918;
919l l.
9208 bytes anti_spoofing_cookie
92132-bit int      server_key_bits
922mp-int  server_key_public_exponent
923mp-int  server_key_public_modulus
92432-bit int      host_key_bits
925mp-int  host_key_public_exponent
926mp-int  host_key_public_modulus
92732-bit int      protocol_flags
92832-bit int      supported_ciphers_mask
92932-bit int      supported_authentications_mask
930.TE
931Sent as the first message by the server.  This message gives the
932server's host key, server key, protocol flags (intended for compatible
933protocol extension), supported_ciphers_mask (which is the
934bitwise or of (1 << cipher_number), where << is the left shift
935operator, for all supported ciphers), and
936supported_authentications_mask (which is the bitwise or of (1 <<
937authentication_type) for all supported authentication types).  The
938anti_spoofing_cookie is 64 random bits, and must be sent back
939verbatim by the client in its reply.  It is used to make IP-spoofing
940more difficult (encryption and host keys are the real defense against
941spoofing).
942.IP "3 SSH_CMSG_SESSION_KEY"
943.TS
944;
945l l.
9461 byte  cipher_type (must be one of the supported values)
9478 bytes anti_spoofing_cookie (must match data sent by the server)
948mp-int  double-encrypted session key
94932-bit int      protocol_flags
950.TE
951Sent by the client as the first message in the session.  Selects the
952cipher to use, and sends the encrypted session key to the server.  The
953anti_spoofing_cookie must be the same bytes that were sent by the
954server.  Protocol_flags is intended for negotiating compatible
955protocol extensions.
956.IP "4 SSH_CMSG_USER"
957.TS
958;
959l l.
960string  user login name on server
961.TE
962Sent by the client to begin authentication.  Specifies the user name
963on the server to log in as.  The server responds with SSH_SMSG_SUCCESS
964if no authentication is needed for this user, or SSH_SMSG_FAILURE if
965authentication is needed (or the user does not exist).  [Note to the
966implementator: the user name is of arbitrary size.  The implementation
967must be careful not to overflow internal buffers.]
968.IP "5 SSH_CMSG_AUTH_RHOSTS"
969.TS
970;
971l l.
972string  client-side user name
973.TE
974Requests authentication using /etc/hosts.equiv and .rhosts (or
975equivalent mechanisms).  This authentication method is normally
976disabled in the server because it is not secure (but this is the
977method used by rsh and rlogin).  The server responds with
978SSH_SMSG_SUCCESS if authentication was successful, and
979SSH_SMSG_FAILURE if access was not granted.  The server should check
980that the client side port number is less than 1024 (a privileged
981port), and immediately reject authentication if it is not.  Supporting
982this authentication method is optional.  This method should normally
983not be enabled in the server because it is not safe.  (However, not
984enabling this only helps if rlogind and rshd are disabled.)
985.IP "6 SSH_CMSG_AUTH_RSA"
986.TS
987;
988l l.
989mp-int  identity_public_modulus
990.TE
991Requests authentication using pure RSA authentication.  The server
992checks if the given key is permitted to log in, and if so, responds
993with SSH_SMSG_AUTH_RSA_CHALLENGE.  Otherwise, it responds with
994SSH_SMSG_FAILURE.  The client often tries several different keys in
995sequence until one supported by the server is found.  Authentication
996is accepted if the client gives the correct response to the challenge.
997The server is free to add other criteria for authentication, such as a
998requirement that the connection must come from a certain host.  Such
999additions are not visible at the protocol level.  Supporting this
1000authentication method is optional but recommended.
1001.IP "7 SSH_SMSG_AUTH_RSA_CHALLENGE"
1002.TS
1003;
1004l l.
1005mp-int  encrypted challenge
1006.TE
1007Presents an RSA authentication challenge to the client.  The challenge
1008is a 256-bit random value encrypted as described elsewhere in this
1009document.  The client must decrypt the challenge using the RSA private
1010key, compute MD5 of the challenge plus session id, and send back the
1011resulting 16 bytes using SSH_CMSG_AUTH_RSA_RESPONSE.
1012.IP "8 SSH_CMSG_AUTH_RSA_RESPONSE"
1013.TS
1014;
1015l l.
101616 bytes        MD5 of decrypted challenge
1017.TE
1018This message is sent by the client in response to an RSA challenge.
1019The MD5 checksum is returned instead of the decrypted challenge to
1020deter known-plaintext attacks against the RSA key.  The server
1021responds to this message with either SSH_SMSG_SUCCESS or
1022SSH_SMSG_FAILURE.
1023.IP "9 SSH_CMSG_AUTH_PASSWORD"
1024.TS
1025;
1026l l.
1027string  plain text password
1028.TE
1029Requests password authentication using the given password.  Note that
1030even though the password is plain text inside the packet, the whole
1031packet is normally encrypted by the packet layer.  It would not be
1032possible for the client to perform password encryption/hashing,
1033because it cannot know which kind of encryption/hashing, if any, the
1034server uses.  The server responds to this message with
1035SSH_SMSG_SUCCESS or SSH_SMSG_FAILURE.
1036.IP "10 SSH_CMSG_REQUEST_PTY"
1037.TS
1038;
1039l l.
1040string  TERM environment variable value (e.g. vt100)
104132-bit int      terminal height, rows (e.g., 24)
104232-bit int      terminal width, columns (e.g., 80)
104332-bit int      terminal width, pixels (0 if no graphics) (e.g., 480)
104432-bit int      terminal height, pixels (0 if no graphics) (e.g., 640)
1045n bytes tty modes encoded in binary
1046.TE
1047Requests a pseudo-terminal to be allocated for this command.  This
1048message can be used regardless of whether the session will later
1049execute the shell or a command.  If a pty has been requested with this
1050message, the shell or command will run on a pty.  Otherwise it will
1051communicate with the server using pipes, sockets or some other similar
1052mechanism.
1053
1054The terminal type gives the type of the user's terminal.  In the UNIX
1055environment it is passed to the shell or command in the TERM
1056environment variable.
1057
1058The width and height values give the initial size of the user's
1059terminal or window.  All values can be zero if not supported by the
1060operating system.  The server will pass these values to the kernel if
1061supported.
1062
1063Terminal modes are encoded into a byte stream in a portable format.
1064The exact format is described later in this document.
1065
1066The server responds to the request with either SSH_SMSG_SUCCESS or
1067SSH_SMSG_FAILURE.  If the server does not have the concept of pseudo
1068terminals, it should return success if it is possible to execute a
1069shell or a command so that it looks to the client as if it was running
1070on a pseudo terminal.
1071.IP "11 SSH_CMSG_WINDOW_SIZE"
1072.TS
1073;
1074l l.
107532-bit int      terminal height, rows
107632-bit int      terminal width, columns
107732-bit int      terminal width, pixels
107832-bit int      terminal height, pixels
1079.TE
1080This message can only be sent by the client during the interactive
1081session.  This indicates that the size of the user's window has
1082changed, and provides the new size.  The server will update the
1083kernel's notion of the window size, and a SIGWINCH signal or
1084equivalent will be sent to the shell or command (if supported by the
1085operating system).
1086.IP "12 SSH_CMSG_EXEC_SHELL"
1087
1088(no arguments)
1089
1090Starts a shell (command interpreter), and enters interactive session
1091mode.
1092.IP "13 SSH_CMSG_EXEC_CMD"
1093.TS
1094;
1095l l.
1096string  command to execute
1097.TE
1098Starts executing the given command, and enters interactive session
1099mode.  On UNIX, the command is run as "<shell> -c <command>", where
1100<shell> is the user's login shell.
1101.IP "14 SSH_SMSG_SUCCESS"
1102
1103(no arguments)
1104
1105This message is sent by the server in response to the session key, a
1106successful authentication request, and a successfully completed
1107preparatory operation.
1108.IP "15 SSH_SMSG_FAILURE"
1109
1110(no arguments)
1111
1112This message is sent by the server in response to a failed
1113authentication operation to indicate that the user has not yet been
1114successfully authenticated, and in response to a failed preparatory
1115operation.  This is also sent in response to an authentication or
1116preparatory operation request that is not recognized or supported.
1117.IP "16 SSH_CMSG_STDIN_DATA"
1118.TS
1119;
1120l l.
1121string  data
1122.TE
1123Delivers data from the client to be supplied as input to the shell or
1124program running on the server side.  This message can only be used in
1125the interactive session mode.  No acknowledgement is sent for this
1126message.
1127.IP "17 SSH_SMSG_STDOUT_DATA"
1128.TS
1129;
1130l l.
1131string  data
1132.TE
1133Delivers data from the server that was read from the standard output of
1134the shell or program running on the server side.  This message can
1135only be used in the interactive session mode.  No acknowledgement is
1136sent for this message.
1137.IP "18 SSH_SMSG_STDERR_DATA"
1138.TS
1139;
1140l l.
1141string  data
1142.TE
1143Delivers data from the server that was read from the standard error of
1144the shell or program running on the server side.  This message can
1145only be used in the interactive session mode.  No acknowledgement is
1146sent for this message.
1147.IP "19 SSH_CMSG_EOF"
1148
1149(no arguments)
1150
1151This message is sent by the client to indicate that EOF has been
1152reached on the input.  Upon receiving this message, and after all
1153buffered input data has been sent to the shell or program, the server
1154will close the input file descriptor to the program.  This message can
1155only be used in the interactive session mode.  No acknowledgement is
1156sent for this message.
1157.IP "20 SSH_SMSG_EXITSTATUS"
1158.TS
1159;
1160l l.
116132-bit int      exit status of the command
1162.TE
1163Returns the exit status of the shell or program after it has exited.
1164The client should respond with SSH_CMSG_EXIT_CONFIRMATION when it has
1165received this message.  This will be the last message sent by the
1166server.  If the program being executed dies with a signal instead of
1167exiting normally, the server should terminate the session with
1168SSH_MSG_DISCONNECT (which can be used to pass a human-readable string
1169indicating that the program died due to a signal) instead of using
1170this message.
1171.IP "21 SSH_MSG_CHANNEL_OPEN_CONFIRMATION"
1172.TS
1173;
1174l l.
117532-bit int      remote_channel
117632-bit int      local_channel
1177.TE
1178This is sent in response to any channel open request if the channel
1179has been successfully opened.  Remote_channel is the channel number
1180received in the initial open request; local_channel is the channel
1181number the side sending this message has allocated for the channel.
1182Data can be transmitted on the channel after this message.
1183.IP "22 SSH_MSG_CHANNEL_OPEN_FAILURE"
1184.TS
1185;
1186l l.
118732-bit int      remote_channel
1188.TE
1189This message indicates that an earlier channel open request by the
1190other side has failed or has been denied.  Remote_channel is the
1191channel number given in the original request.
1192.IP "23 SSH_MSG_CHANNEL_DATA"
1193.TS
1194;
1195l l.
119632-bit int      remote_channel
1197string  data
1198.TE
1199Data is transmitted in a channel in these messages.  A channel is
1200bidirectional, and both sides can send these messages.  There is no
1201acknowledgement for these messages.  It is possible that either side
1202receives these messages after it has sent SSH_MSG_CHANNEL_CLOSE for
1203the channel.  These messages cannot be received after the party has
1204sent or received SSH_MSG_CHANNEL_CLOSE_CONFIRMATION.
1205.IP "24 SSH_MSG_CHANNEL_CLOSE"
1206.TS
1207;
1208l l.
120932-bit int      remote_channel
1210.TE
1211When a channel is closed at one end of the connection, that side sends
1212this message.  Upon receiving this message, the channel should be
1213closed.  When this message is received, if the channel is already
1214closed (the receiving side has sent this message for the same channel
1215earlier), the channel is freed and no further action is taken;
1216otherwise the channel is freed and SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
1217is sent in response.  (It is possible that the channel is closed
1218simultaneously at both ends.)
1219.IP "25 SSH_MSG_CHANNEL_CLOSE_CONFIRMATION"
1220.TS
1221;
1222l l.
122332-bit int      remote_channel
1224.TE
1225This message is sent in response to SSH_MSG_CHANNEL_CLOSE unless the
1226channel was already closed.  When this message is sent or received,
1227the channel is freed.
1228.IP "26 (OBSOLETED; was unix-domain X11 forwarding)
1229.IP "27 SSH_SMSG_X11_OPEN"
1230.TS
1231;
1232l l.
123332-bit int      local_channel
1234string  originator_string (see below)
1235.TE
1236This message can be sent by the server during the interactive session
1237mode to indicate that a client has connected the fake X server.
1238Local_channel is the channel number that the server has allocated for
1239the connection.  The client should try to open a connection to the
1240real X server, and respond with SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
1241SSH_MSG_CHANNEL_OPEN_FAILURE.
1242
1243The field originator_string is present if both sides
1244specified SSH_PROTOFLAG_HOST_IN_FWD_OPEN in the protocol flags.  It
1245contains a description of the host originating the connection.
1246.IP "28 SSH_CMSG_PORT_FORWARD_REQUEST"
1247.TS
1248;
1249l l.
125032-bit int      server_port
1251string  host_to_connect
125232-bit int      port_to_connect
1253.TE
1254Sent by the client in the preparatory phase, this message requests
1255that server_port on the server machine be forwarded over the secure
1256channel to the client machine, and from there to the specified host
1257and port.  The server should start listening on the port, and send
1258SSH_MSG_PORT_OPEN whenever a connection is made to it.  Supporting
1259this message is optional, and the server is free to reject any forward
1260request.  For example, it is highly recommended that unless the user
1261has been authenticated as root, forwarding any privileged port numbers
1262(below 1024) is denied.
1263.IP "29 SSH_MSG_PORT_OPEN"
1264.TS
1265;
1266l l.
126732-bit int      local_channel
1268string  host_name
126932-bit int      port
1270string  originator_string (see below)
1271.TE
1272Sent by either party in interactive session mode, this message
1273indicates that a connection has been opened to a forwarded TCP/IP
1274port.  Local_channel is the channel number that the sending party has
1275allocated for the connection.  Host_name is the host the connection
1276should be be forwarded to, and the port is the port on that host to
1277connect.  The receiving party should open the connection, and respond
1278with SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
1279SSH_MSG_CHANNEL_OPEN_FAILURE.  It is recommended that the receiving
1280side check the host_name and port for validity to avoid compromising
1281local security by compromised remote side software.  Particularly, it
1282is recommended that the client permit connections only to those ports
1283for which it has requested forwarding with SSH_CMSG_PORT_FORWARD_REQUEST.
1284
1285The field originator_string is present if both sides
1286specified SSH_PROTOFLAG_HOST_IN_FWD_OPEN in the protocol flags.  It
1287contains a description of the host originating the connection.
1288.IP "30 SSH_CMSG_AGENT_REQUEST_FORWARDING"
1289
1290(no arguments)
1291
1292Requests that the connection to the authentication agent be forwarded
1293over the secure channel.  The method used by clients to contact the
1294authentication agent within each machine is implementation and machine
1295dependent.  If the server accepts this request, it should arrange that
1296any clients run from this session will actually contact the server
1297program when they try to contact the authentication agent.  The server
1298should then send a SSH_SMSG_AGENT_OPEN to open a channel to the agent,
1299and the client should forward the connection to the real
1300authentication agent.  Supporting this message is optional.
1301.IP "31 SSH_SMSG_AGENT_OPEN"
1302.TS
1303;
1304l l.
130532-bit int      local_channel
1306.TE
1307Sent by the server in interactive session mode, this message requests
1308opening a channel to the authentication agent.  The client should open
1309a channel, and respond with either SSH_MSG_CHANNEL_OPEN_CONFIRMATION
1310or SSH_MSG_CHANNEL_OPEN_FAILURE.
1311.IP "32 SSH_MSG_IGNORE"
1312.TS
1313;
1314l l.
1315string  data
1316.TE
1317Either party may send this message at any time.  This message, and the
1318argument string, is silently ignored.  This message might be used in
1319some implementations to make traffic analysis more difficult.  This
1320message is not currently sent by the implementation, but all
1321implementations are required to recognize and ignore it.
1322.IP "33 SSH_CMSG_EXIT_CONFIRMATION"
1323
1324(no arguments)
1325
1326Sent by the client in response to SSH_SMSG_EXITSTATUS.  This is the
1327last message sent by the client.
1328.IP "34 SSH_CMSG_X11_REQUEST_FORWARDING"
1329.TS
1330;
1331l l.
1332string  x11_authentication_protocol
1333string  x11_authentication_data
133432-bit int      screen number (if SSH_PROTOFLAG_SCREEN_NUMBER)
1335.TE
1336Sent by the client during the preparatory phase, this message requests
1337that the server create a fake X11 display and set the DISPLAY
1338environment variable accordingly.  An internet-domain display is
1339preferable.  The given authentication protocol and the associated data
1340should be recorded by the server so that it is used as authentication
1341on connections (e.g., in .Xauthority).  The authentication protocol
1342must be one of the supported X11 authentication protocols, e.g.,
1343"MIT-MAGIC-COOKIE-1".  Authentication data must be a lowercase hex
1344string of even length.  Its interpretation is protocol dependent.
1345The data is in a format that can be used with e.g. the xauth program.
1346Supporting this message is optional.
1347
1348The client is permitted (and recommended) to generate fake
1349authentication information and send fake information to the server.
1350This way, a corrupt server will not have access to the user's terminal
1351after the connection has terminated.  The correct authorization codes
1352will also not be left hanging around in files on the server (many
1353users keep the same X session for months, thus protecting the
1354authorization data becomes important).
1355
1356X11 authentication spoofing works by initially sending fake (random)
1357authentication data to the server, and interpreting the first packet
1358sent by the X11 client after the connection has been opened.  The
1359first packet contains the client's authentication.  If the packet
1360contains the correct fake data, it is replaced by the client by the
1361correct authentication data, and then sent to the X server.
1362.IP "35 SSH_CMSG_AUTH_RHOSTS_RSA"
1363.TS
1364;
1365l l.
1366string  clint-side user name
136732-bit int      client_host_key_bits
1368mp-int  client_host_key_public_exponent
1369mp-int  client_host_key_public_modulus
1370.TE
1371Requests authentication using /etc/hosts.equiv and .rhosts (or
1372equivalent) together with RSA host authentication.  The server should
1373check that the client side port number is less than 1024 (a privileged
1374port), and immediately reject authentication if it is not.  The server
1375responds with SSH_SMSG_FAILURE or SSH_SMSG_AUTH_RSA_CHALLENGE.  The
1376client must respond to the challenge with the proper
1377SSH_CMSG_AUTH_RSA_RESPONSE.  The server then responds with success if
1378access was granted, or failure if the client gave a wrong response.
1379Supporting this authentication method is optional but recommended in
1380most environments.
1381.IP "36 SSH_MSG_DEBUG"
1382.TS
1383;
1384l l.
1385string  debugging message sent to the other side
1386.TE
1387This message may be sent by either party at any time.  It is used to
1388send debugging messages that may be informative to the user in
1389solving various problems.  For example, if authentication fails
1390because of some configuration error (e.g., incorrect permissions for
1391some file), it can be very helpful for the user to make the cause of
1392failure available.  On the other hand, one should not make too much
1393information available for security reasons.  It is recommended that
1394the client provides an option to display the debugging information
1395sent by the sender (the user probably does not want to see it by default).
1396The server can log debugging data sent by the client (if any).  Either
1397party is free to ignore any received debugging data.  Every
1398implementation must be able to receive this message, but no
1399implementation is required to send these.
1400.IP "37 SSH_CMSG_REQUEST_COMPRESSION"
1401.TS
1402;
1403l l.
140432-bit int      gzip compression level (1-9)
1405.TE
1406This message can be sent by the client in the preparatory operations
1407phase.  The server responds with SSH_SMSG_FAILURE if it does not
1408support compression or does not want to compress; it responds with
1409SSH_SMSG_SUCCESS if it accepted the compression request.  In the
1410latter case the response to this packet will still be uncompressed,
1411but all further packets in either direction will be compressed by gzip.
1412.IP "38 SSH_CMSG_MAX_PACKET_SIZE"
1413.TS
1414;
1415l l.
141632-bit int      maximum packet size, bytes (4096-1024k)
1417.TE
1418This message can be sent by the client in the preparatory operations
1419phase.  The server responds with SSH_SMSG_FAILURE if it does not
1420support limiting packet size, or with SSH_SMSG_SUCCESS if it has
1421limited the maximum packet size (as determined by the value in the
1422size field) to the specified value.
1423.IP "39 SSH_CMSG_AUTH_TIS"
1424
1425(no arguments)
1426
1427This message starts TIS authentication. The server
1428responds with SSH_SMSG_FAILURE or SSH_SMSG_AUTH_TIS_CHALLENGE.
1429.IP "40 SSH_SMSG_AUTH_TIS_CHALLENGE"
1430.TS
1431;
1432l l.
1433string  tis challenge
1434.TE
1435Server sends TIS challenge to user and client should show it to user
1436and ask for response, which is sent back using
1437SSH_CMSG_AUTH_TIS_RESPONSE message.
1438.IP "41 SSH_CMSG_AUTH_TIS_RESPONSE"
1439.TS
1440;
1441l l.
1442string  user response to tis challenge
1443.TE
1444When client receives SSH_SMSG_AUTH_TIS_CHALLENGE and ask users
1445response to challenge it sends it back this message. The server
1446answers with SSH_SMSG_FAILURE or SSH_SMSG_SUCCESS.
1447.IP "42 SSH_CMSG_AUTH_KERBEROS"
1448.TS
1449;
1450l l.
1451string  authentication info
1452.TE
1453Client sends authentication info to server, which replies with
1454SSH_SMSG_AUTH_KERBEROS_RESPONSE message having correct response data
1455encrypted with the session key.
1456.IP "43 SSH_SMSG_AUTH_KERBEROS_RESPONSE"
1457.TS
1458;
1459l l.
1460string  response data
1461.TE
1462Server replies to SSH_CMSG_AUTH_KERBEROS message with this message so
1463that the response data is encrypted with session key.
1464.IP "44 SSH_CMSG_HAVE_KERBEROS_TGT"
1465.TS
1466;
1467l l.
1468string  kerberos credentials
1469.TE
1470Client sends kerberos credentials to server and the server replies with
1471SSH_SMSG_SUCCESS or SSH_SMSG_FAILURE.
1472.RT
1473
1474
1475.ti 0
1476Encoding of Terminal Modes
1477
1478Terminal modes (as passed in SSH_CMSG_REQUEST_PTY) are encoded into a
1479byte stream.  It is intended that the coding be portable across
1480different environments.
1481
1482The tty mode description is a stream of bytes.  The stream consists of
1483opcode-argument pairs.  It is terminated by opcode TTY_OP_END (0).
1484Opcodes 1-127 have one-byte arguments.  Opcodes 128-159 have 32-bit
1485integer arguments (stored msb first).  Opcodes 160-255 are not yet
1486defined, and cause parsing to stop (they should only be used after any
1487other data).
1488
1489The client puts in the stream any modes it knows about, and the server
1490ignores any modes it does not know about.  This allows some degree of
1491machine-independence, at least between systems that use a POSIX-like
1492[POSIX] tty interface.  The protocol can support other systems as
1493well, but the client may need to fill reasonable values for a number
1494of parameters so the server pty gets set to a reasonable mode (the
1495server leaves all unspecified mode bits in their default values, and
1496only some combinations make sense).
1497
1498The following opcodes have been defined.  The naming of opcodes mostly
1499follows the POSIX terminal mode flags.
1500.IP "0 TTY_OP_END"
1501Indicates end of options.
1502.IP "1 VINTR"
1503Interrupt character; 255 if none.  Similarly for the other characters.
1504Not all of these characters are supported on all systems.
1505.IP "2 VQUIT"
1506The quit character (sends SIGQUIT signal on UNIX systems).
1507.IP "3 VERASE"
1508Erase the character to left of the cursor.
1509.IP "4 VKILL"
1510Kill the current input line.
1511.IP "5 VEOF "
1512End-of-file character (sends EOF from the terminal).
1513.IP "6 VEOL "
1514End-of-line character in addition to carriage return and/or linefeed.
1515.IP "7 VEOL2"
1516Additional end-of-line character.
1517.IP "8 VSTART"
1518Continues paused output (normally ^Q).
1519.IP "9 VSTOP"
1520Pauses output (^S).
1521.IP "10 VSUSP"
1522Suspends the current program.
1523.IP "11 VDSUSP"
1524Another suspend character.
1525.IP "12 VREPRINT"
1526Reprints the current input line.
1527.IP "13 VWERASE"
1528Erases a word left of cursor.
1529.IP "14 VLNEXT"
1530More special input characters; these are probably not supported on
1531most systems.
1532.IP "15 VFLUSH"
1533.IP "16 VSWTCH"
1534.IP "17 VSTATUS"
1535.IP "18 VDISCARD"
1536
1537.IP "30 IGNPAR"
1538The ignore parity flag.  The next byte should be 0 if this flag is not
1539set, and 1 if it is set.
1540.IP "31 PARMRK"
1541More flags.  The exact definitions can be found in the POSIX standard.
1542.IP "32 INPCK"
1543.IP "33 ISTRIP"
1544.IP "34 INLCR"
1545.IP "35 IGNCR"
1546.IP "36 ICRNL"
1547.IP "37 IUCLC"
1548.IP "38 IXON"
1549.IP "39 IXANY"
1550.IP "40 IXOFF"
1551.IP "41 IMAXBEL"
1552
1553.IP "50 ISIG"
1554.IP "51 ICANON"
1555.IP "52 XCASE"
1556.IP "53 ECHO"
1557.IP "54 ECHOE"
1558.IP "55 ECHOK"
1559.IP "56 ECHONL"
1560.IP "57 NOFLSH"
1561.IP "58 TOSTOP"
1562.IP "59 IEXTEN"
1563.IP "60 ECHOCTL"
1564.IP "61 ECHOKE"
1565.IP "62 PENDIN"
1566
1567.IP "70 OPOST"
1568.IP "71 OLCUC"
1569.IP "72 ONLCR"
1570.IP "73 OCRNL"
1571.IP "74 ONOCR"
1572.IP "75 ONLRET"
1573
1574.IP "90 CS7"
1575.IP "91 CS8"
1576.IP "92 PARENB"
1577.IP "93 PARODD"
1578
1579.IP "192 TTY_OP_ISPEED"
1580Specifies the input baud rate in bits per second (as a 32-bit int, msb
1581first).
1582.IP "193 TTY_OP_OSPEED"
1583Specifies the output baud rate in bits per second (as a 32-bt int, msb
1584first).
1585.RT
1586
1587
1588.ti 0
1589The Authentication Agent Protocol
1590
1591The authentication agent is a program that can be used to hold RSA
1592authentication keys for the user (in future, it might hold data for
1593other authentication types as well).  An authorized program can send
1594requests to the agent to generate a proper response to an RSA
1595challenge.  How the connection is made to the agent (or its
1596representative) inside a host and how access control is done inside a
1597host is implementation-dependent; however, how it is forwarded and how
1598one interacts with it is specified in this protocol.  The connection
1599to the agent is normally automatically forwarded over the secure
1600channel.
1601
1602A program that wishes to use the agent first opens a connection to its
1603local representative (typically, the agent itself or an SSH server).
1604It then writes a request to the connection, and waits for response.
1605It is recommended that at least five minutes of timeout are provided
1606waiting for the agent to respond to an authentication challenge (this
1607gives sufficient time for the user to cut-and-paste the challenge to a
1608separate machine, perform the computation there, and cut-and-paste the
1609result back if so desired).
1610
1611Messages sent to and by the agent are in the following format:
1612.TS
1613;
1614l l.
16154 bytes Length, msb first.  Does not include length itself.
16161 byte  Packet type.  The value 255 is reserved for future extensions.
1617data    Any data, depending on packet type.  Encoding as in the ssh packet
1618protocol.
1619.TE
1620
1621The following message types are currently defined:
1622.IP "1 SSH_AGENTC_REQUEST_RSA_IDENTITIES"
1623
1624(no arguments)
1625
1626Requests the agent to send a list of all RSA keys for which it can
1627answer a challenge.
1628.IP "2 SSH_AGENT_RSA_IDENTITIES_ANSWER"
1629.TS
1630;
1631l l.
163232-bit int      howmany
1633howmany times:
163432-bit int      bits
1635mp-int  public exponent
1636mp-int  public modulus
1637string  comment
1638.TE
1639The agent sends this message in response to the to
1640SSH_AGENTC_REQUEST_RSA_IDENTITIES.  The answer lists all RSA keys for
1641which the agent can answer a challenge.  The comment field is intended
1642to help identify each key; it may be printed by an application to
1643indicate which key is being used.  If the agent is not holding any
1644keys, howmany will be zero.
1645.IP "3 SSH_AGENTC_RSA_CHALLENGE
1646.TS
1647;
1648l l.
164932-bit int      bits
1650mp-int  public exponent
1651mp-int  public modulus
1652mp-int  challenge
165316 bytes        session_id
165432-bit int      response_type
1655.TE
1656Requests RSA decryption of random challenge to authenticate the other
1657side.  The challenge will be decrypted with the RSA private key
1658corresponding to the given public key.
1659
1660The decrypted challenge must contain a zero in the highest (partial)
1661byte, 2 in the next byte, followed by non-zero random bytes, a zero
1662byte, and then the real challenge value in the lowermost bytes.  The
1663real challenge must be 32 8-bit bytes (256 bits).
1664
1665Response_type indicates the format of the response to be returned.
1666Currently the only supported value is 1, which means to compute MD5 of
1667the real challenge plus session id, and return the resulting 16 bytes
1668in a SSH_AGENT_RSA_RESPONSE message.
1669.IP "4 SSH_AGENT_RSA_RESPONSE"
1670.TS
1671;
1672l l.
167316 bytes        MD5 of decrypted challenge
1674.TE
1675Answers an RSA authentication challenge.  The response is 16 bytes:
1676the MD5 checksum of the 32-byte challenge.
1677.IP "5 SSH_AGENT_FAILURE"
1678
1679(no arguments)
1680
1681This message is sent whenever the agent fails to answer a request
1682properly.  For example, if the agent cannot answer a challenge (e.g.,
1683no longer has the proper key), it can respond with this.  The agent
1684also responds with this message if it receives a message it does not
1685recognize.
1686.IP "6 SSH_AGENT_SUCCESS"
1687
1688(no arguments)
1689
1690This message is sent by the agent as a response to certain requests
1691that do not otherwise cause a message be sent.  Currently, this is
1692only sent in response to SSH_AGENTC_ADD_RSA_IDENTITY and
1693SSH_AGENTC_REMOVE_RSA_IDENTITY.
1694.IP "7 SSH_AGENTC_ADD_RSA_IDENTITY"
1695.TS
1696;
1697l l.
169832-bit int      bits
1699mp-int  public modulus
1700mp-int  public exponent
1701mp-int  private exponent
1702mp-int  multiplicative inverse of p mod q
1703mp-int  p
1704mp-int  q
1705string  comment
1706.TE
1707Registers an RSA key with the agent.  After this request, the agent can
1708use this RSA key to answer requests.  The agent responds with
1709SSH_AGENT_SUCCESS or SSH_AGENT_FAILURE.
1710.IP "8 SSH_AGENT_REMOVE_RSA_IDENTITY"
1711.TS
1712;
1713l l.
171432-bit int      bits
1715mp-int  public exponent
1716mp-int  public modulus
1717.TE
1718Removes an RSA key from the agent.  The agent will no longer accept
1719challenges for this key and will not list it as a supported identity.
1720The agent responds with SSH_AGENT_SUCCESS or SSH_AGENT_FAILURE.
1721.RT
1722
1723If the agent receives a message that it does not understand, it
1724responds with SSH_AGENT_FAILURE.  This permits compatible future
1725extensions.
1726
1727It is possible that several clients have a connection open to the
1728authentication agent simultaneously.  Each client will use a separate
1729connection (thus, any SSH connection can have multiple agent
1730connections active simultaneously).
1731
1732
1733.ti 0
1734References
1735
1736.IP "[DES] "
1737FIPS PUB 46-1: Data Encryption Standard.  National Bureau of
1738Standards, January 1988.  FIPS PUB 81: DES Modes of Operation.
1739National Bureau of Standards, December 1980.  Bruce Schneier: Applied
1740Cryptography.  John Wiley & Sons, 1994.  J. Seberry and J. Pieprzyk:
1741Cryptography: An Introduction to Computer Security.  Prentice-Hall,
17421989.
1743.IP "[GZIP] "
1744The GNU GZIP program; available for anonymous ftp at prep.ai.mit.edu.
1745Please let me know if you know a paper describing the algorithm.
1746.IP "[IDEA] "
1747Xuejia Lai: On the Design and Security of Block Ciphers, ETH Series in
1748Information Processing, vol. 1, Hartung-Gorre Verlag, Konstanz,
1749Switzerland, 1992.  Bruce Schneier: Applied Cryptography, John Wiley &
1750Sons, 1994.  See also the following patents: PCT/CH91/00117, EP 0 482
1751154 B1, US Pat. 5,214,703.
1752.IP [PKCS#1]
1753PKCS #1: RSA Encryption Standard.  Version 1.5, RSA Laboratories,
1754November 1993.  Available for anonymous ftp at ftp.rsa.com.
1755.IP [POSIX]
1756Portable Operating System Interface (POSIX) - Part 1: Application
1757Program Interface (API) [C language], ISO/IEC 9945-1, IEEE Std 1003.1,
17581990.
1759.IP [RFC0791]
1760J. Postel: Internet Protocol, RFC 791, USC/ISI, September 1981.
1761.IP [RFC0793]
1762J. Postel: Transmission Control Protocol, RFC 793, USC/ISI, September
17631981.
1764.IP [RFC1034]
1765P. Mockapetris: Domain Names - Concepts and Facilities, RFC 1034,
1766USC/ISI, November 1987.
1767.IP [RFC1282]
1768B. Kantor: BSD Rlogin, RFC 1258, UCSD, December 1991.
1769.IP "[RSA] "
1770Bruce Schneier: Applied Cryptography.  John Wiley & Sons, 1994.  See
1771also R. Rivest, A. Shamir, and L. M. Adleman: Cryptographic
1772Communications System and Method.  US Patent 4,405,829, 1983.
1773.IP "[X11] "
1774R. Scheifler: X Window System Protocol, X Consortium Standard, Version
177511, Release 6.  Massachusetts Institute of Technology, Laboratory of
1776Computer Science, 1994.
1777.RT
1778
1779
1780.ti 0
1781Security Considerations
1782
1783This protocol deals with the very issue of user authentication and
1784security.
1785
1786First of all, as an implementation issue, the server program will have
1787to run as root (or equivalent) on the server machine.  This is because
1788the server program will need be able to change to an arbitrary user
1789id.  The server must also be able to create a privileged TCP/IP port.
1790
1791The client program will need to run as root if any variant of .rhosts
1792authentication is to be used.  This is because the client program will
1793need to create a privileged port.  The client host key is also usually
1794stored in a file which is readable by root only.  The client needs the
1795host key in .rhosts authentication only.  Root privileges can be
1796dropped as soon as the privileged port has been created and the host
1797key has been read.
1798
1799The SSH protocol offers major security advantages over existing telnet
1800and rlogin protocols.
1801.IP o
1802IP spoofing is restricted to closing a connection (by encryption, host
1803keys, and the special random cookie).  If encryption is not used, IP
1804spoofing is possible for those who can hear packets going out from the
1805server.
1806.IP o
1807DNS spoofing is made ineffective (by host keys).
1808.IP o
1809Routing spoofing is made ineffective (by host keys).
1810.IP o
1811All data is encrypted with strong algorithms to make eavesdropping as
1812difficult as possible.  This includes encrypting any authentication
1813information such as passwords.  The information for decrypting session
1814keys is destroyed every hour.
1815.IP o
1816Strong authentication methods: .rhosts combined with RSA host
1817authentication, and pure RSA authentication.
1818.IP o
1819X11 connections and arbitrary TCP/IP ports can be forwarded securely.
1820.IP o
1821Man-in-the-middle attacks are deterred by using the server host key to
1822encrypt the session key.
1823.IP o
1824Trojan horses to catch a password by routing manipulation are deterred
1825by checking that the host key of the server machine matches that
1826stored on the client host.
1827.RT
1828
1829The security of SSH against man-in-the-middle attacks and the security
1830of the new form of .rhosts authentication, as well as server host
1831validation, depends on the integrity of the host key and the files
1832containing known host keys.
1833
1834The host key is normally stored in a root-readable file.  If the host
1835key is compromised, it permits attackers to use IP, DNS and routing
1836spoofing as with current rlogin and rsh.  It should never be any worse
1837than the current situation.
1838
1839The files containing known host keys are not sensitive.  However, if an
1840attacker gets to modify the known host key files, it has the same
1841consequences as a compromised host key, because the attacker can then
1842change the recorded host key.
1843
1844The security improvements obtained by this protocol for X11 are of
1845particular significance.  Previously, there has been no way to protect
1846data communicated between an X server and a client running on a remote
1847machine.  By creating a fake display on the server, and forwarding all
1848X11 requests over the secure channel, SSH can be used to run any X11
1849applications securely without any cooperation with the vendors of the
1850X server or the application.
1851
1852Finally, the security of this program relies on the strength of the
1853underlying cryptographic algorithms.  The RSA algorithm is used for
1854authentication key exchange.  It is widely believed to be secure.  Of
1855the algorithms used to encrypt the session, DES has a rather small key
1856these days, probably permitting governments and organized criminals to
1857break it in very short time with specialized hardware.  3DES is
1858probably safe (but slower).  IDEA is widely believed to be secure.
1859People have varying degrees of confidence in the other algorithms.
1860This program is not secure if used with no encryption at all.
1861
1862
1863.ti 0
1864Additional Information
1865
1866Additional information (especially on the implementation and mailing
1867lists) is available via WWW at http://www.cs.hut.fi/ssh.
1868
1869Comments should be sent to Tatu Ylonen <ylo@cs.hut.fi> or the SSH
1870Mailing List <ssh@clinet.fi>.
1871
1872.ti 0
1873Author's Address
1874
1875.TS
1876;
1877l.
1878Tatu Ylonen
1879Helsinki University of Technology
1880Otakaari 1
1881FIN-02150 Espoo, Finland
1882
1883Phone: +358-0-4354-3205
1884Fax: +358-0-4354-3206
1885EMail: ylo@cs.hut.fi
1886.TE
Note: See TracBrowser for help on using the repository browser.