PROTOCOL revision 221420
123353SdfrThis documents OpenSSH's deviations and extensions to the published SSH 223353Sdfrprotocol. 323353Sdfr 423353SdfrNote that OpenSSH's sftp and sftp-server implement revision 3 of the SSH 523353Sdfrfilexfer protocol described in: 623353Sdfr 723353Sdfrhttp://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt 823353Sdfr 923353SdfrNewer versions of the draft will not be supported, though some features 1023353Sdfrare individually implemented as extensions described below. 1123353Sdfr 1223353SdfrThe protocol used by OpenSSH's ssh-agent is described in the file 1323353SdfrPROTOCOL.agent 1423353Sdfr 1523353Sdfr1. Transport protocol changes 1623353Sdfr 1723353Sdfr1.1. transport: Protocol 2 MAC algorithm "umac-64@openssh.com" 1823353Sdfr 1923353SdfrThis is a new transport-layer MAC method using the UMAC algorithm 2023353Sdfr(rfc4418). This method is identical to the "umac-64" method documented 2123353Sdfrin: 2223353Sdfr 2323353Sdfrhttp://www.openssh.com/txt/draft-miller-secsh-umac-01.txt 2423353Sdfr 2523353Sdfr1.2. transport: Protocol 2 compression algorithm "zlib@openssh.com" 2623353Sdfr 2723353SdfrThis transport-layer compression method uses the zlib compression 2823353Sdfralgorithm (identical to the "zlib" method in rfc4253), but delays the 2950476Speterstart of compression until after authentication has completed. This 3023353Sdfravoids exposing compression code to attacks from unauthenticated users. 3123353Sdfr 32206622SuqsThe method is documented in: 3323353Sdfr 3423353Sdfrhttp://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt 3523353Sdfr 3623353Sdfr1.3. transport: New public key algorithms "ssh-rsa-cert-v00@openssh.com", 3723353Sdfr "ssh-dsa-cert-v00@openssh.com", 3884306Sru "ecdsa-sha2-nistp256-cert-v01@openssh.com", 3984306Sru "ecdsa-sha2-nistp384-cert-v01@openssh.com" and 4023353Sdfr "ecdsa-sha2-nistp521-cert-v01@openssh.com" 4186691Sarr 4223353SdfrOpenSSH introduces new public key algorithms to support certificate 4323367Smppauthentication for users and hostkeys. These methods are documented in 4423353Sdfrthe file PROTOCOL.certkeys 4523353Sdfr 4623353Sdfr1.4. transport: Elliptic Curve cryptography 47115440Shmp 48140931SruOpenSSH supports ECC key exchange and public key authentication as 49115440Shmpspecified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 50140931Sruand ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic 51146567Shmpcurve points encoded using point compression are NOT accepted or 52140931Srugenerated. 53115440Shmp 54140931Sru2. Connection protocol changes 55115440Shmp 56140931Sru2.1. connection: Channel write close extension "eow@openssh.com" 57115440Shmp 58140931SruThe SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF 5923353Sdfrmessage to allow an endpoint to signal its peer that it will send no 6023353Sdfrmore data over a channel. Unfortunately, there is no symmetric way for 61107788Sruan endpoint to request that its peer should cease sending data to it 6223353Sdfrwhile still keeping the channel open for the endpoint to send data to 6323353Sdfrthe peer. 6423353Sdfr 6523353SdfrThis is desirable, since it saves the transmission of data that would 66104006Sphkotherwise need to be discarded and it allows an endpoint to signal local 67107383Sruprocesses of the condition, e.g. by closing the corresponding file 68107383Srudescriptor. 69107383Sru 7023353SdfrOpenSSH implements a channel extension message to perform this 7123353Sdfrsignalling: "eow@openssh.com" (End Of Write). This message is sent by 7223353Sdfran endpoint when the local output of a session channel is closed or 73147647Shmpexperiences a write error. The message is formatted as follows: 7434504Scharnier 75 byte SSH_MSG_CHANNEL_REQUEST 76 uint32 recipient channel 77 string "eow@openssh.com" 78 boolean FALSE 79 80On receiving this message, the peer SHOULD cease sending data of 81the channel and MAY signal the process from which the channel data 82originates (e.g. by closing its read file descriptor). 83 84As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does 85remain open after a "eow@openssh.com" has been sent and more data may 86still be sent in the other direction. This message does not consume 87window space and may be sent even if no window space is available. 88 89NB. due to certain broken SSH implementations aborting upon receipt 90of this message (in contravention of RFC4254 section 5.4), this 91message is only sent to OpenSSH peers (identified by banner). 92Other SSH implementations may be whitelisted to receive this message 93upon request. 94 952.2. connection: disallow additional sessions extension 96 "no-more-sessions@openssh.com" 97 98Most SSH connections will only ever request a single session, but a 99attacker may abuse a running ssh client to surreptitiously open 100additional sessions under their control. OpenSSH provides a global 101request "no-more-sessions@openssh.com" to mitigate this attack. 102 103When an OpenSSH client expects that it will never open another session 104(i.e. it has been started with connection multiplexing disabled), it 105will send the following global request: 106 107 byte SSH_MSG_GLOBAL_REQUEST 108 string "no-more-sessions@openssh.com" 109 char want-reply 110 111On receipt of such a message, an OpenSSH server will refuse to open 112future channels of type "session" and instead immediately abort the 113connection. 114 115Note that this is not a general defence against compromised clients 116(that is impossible), but it thwarts a simple attack. 117 118NB. due to certain broken SSH implementations aborting upon receipt 119of this message, the no-more-sessions request is only sent to OpenSSH 120servers (identified by banner). Other SSH implementations may be 121whitelisted to receive this message upon request. 122 1232.3. connection: Tunnel forward extension "tun@openssh.com" 124 125OpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com" 126channel type. This channel type supports forwarding of network packets 127with datagram boundaries intact between endpoints equipped with 128interfaces like the BSD tun(4) device. Tunnel forwarding channels are 129requested by the client with the following packet: 130 131 byte SSH_MSG_CHANNEL_OPEN 132 string "tun@openssh.com" 133 uint32 sender channel 134 uint32 initial window size 135 uint32 maximum packet size 136 uint32 tunnel mode 137 uint32 remote unit number 138 139The "tunnel mode" parameter specifies whether the tunnel should forward 140layer 2 frames or layer 3 packets. It may take one of the following values: 141 142 SSH_TUNMODE_POINTOPOINT 1 /* layer 3 packets */ 143 SSH_TUNMODE_ETHERNET 2 /* layer 2 frames */ 144 145The "tunnel unit number" specifies the remote interface number, or may 146be 0x7fffffff to allow the server to automatically chose an interface. A 147server that is not willing to open a client-specified unit should refuse 148the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful 149open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS. 150 151Once established the client and server may exchange packet or frames 152over the tunnel channel by encapsulating them in SSH protocol strings 153and sending them as channel data. This ensures that packet boundaries 154are kept intact. Specifically, packets are transmitted using normal 155SSH_MSG_CHANNEL_DATA packets: 156 157 byte SSH_MSG_CHANNEL_DATA 158 uint32 recipient channel 159 string data 160 161The contents of the "data" field for layer 3 packets is: 162 163 uint32 packet length 164 uint32 address family 165 byte[packet length - 4] packet data 166 167The "address family" field identifies the type of packet in the message. 168It may be one of: 169 170 SSH_TUN_AF_INET 2 /* IPv4 */ 171 SSH_TUN_AF_INET6 24 /* IPv6 */ 172 173The "packet data" field consists of the IPv4/IPv6 datagram itself 174without any link layer header. 175 176The contents of the "data" field for layer 2 packets is: 177 178 uint32 packet length 179 byte[packet length] frame 180 181The "frame" field contains an IEEE 802.3 Ethernet frame, including 182header. 183 1843. SFTP protocol changes 185 1863.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK 187 188When OpenSSH's sftp-server was implemented, the order of the arguments 189to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately, 190the reversal was not noticed until the server was widely deployed. Since 191fixing this to follow the specification would cause incompatibility, the 192current order was retained. For correct operation, clients should send 193SSH_FXP_SYMLINK as follows: 194 195 uint32 id 196 string targetpath 197 string linkpath 198 1993.2. sftp: Server extension announcement in SSH_FXP_VERSION 200 201OpenSSH's sftp-server lists the extensions it supports using the 202standard extension announcement mechanism in the SSH_FXP_VERSION server 203hello packet: 204 205 uint32 3 /* protocol version */ 206 string ext1-name 207 string ext1-version 208 string ext2-name 209 string ext2-version 210 ... 211 string extN-name 212 string extN-version 213 214Each extension reports its integer version number as an ASCII encoded 215string, e.g. "1". The version will be incremented if the extension is 216ever changed in an incompatible way. The server MAY advertise the same 217extension with multiple versions (though this is unlikely). Clients MUST 218check the version number before attempting to use the extension. 219 2203.3. sftp: Extension request "posix-rename@openssh.com" 221 222This operation provides a rename operation with POSIX semantics, which 223are different to those provided by the standard SSH_FXP_RENAME in 224draft-ietf-secsh-filexfer-02.txt. This request is implemented as a 225SSH_FXP_EXTENDED request with the following format: 226 227 uint32 id 228 string "posix-rename@openssh.com" 229 string oldpath 230 string newpath 231 232On receiving this request the server will perform the POSIX operation 233rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 234This extension is advertised in the SSH_FXP_VERSION hello with version 235"1". 236 2373.4. sftp: Extension requests "statvfs@openssh.com" and 238 "fstatvfs@openssh.com" 239 240These requests correspond to the statvfs and fstatvfs POSIX system 241interfaces. The "statvfs@openssh.com" request operates on an explicit 242pathname, and is formatted as follows: 243 244 uint32 id 245 string "statvfs@openssh.com" 246 string path 247 248The "fstatvfs@openssh.com" operates on an open file handle: 249 250 uint32 id 251 string "fstatvfs@openssh.com" 252 string handle 253 254These requests return a SSH_FXP_STATUS reply on failure. On success they 255return the following SSH_FXP_EXTENDED_REPLY reply: 256 257 uint32 id 258 uint64 f_bsize /* file system block size */ 259 uint64 f_frsize /* fundamental fs block size */ 260 uint64 f_blocks /* number of blocks (unit f_frsize) */ 261 uint64 f_bfree /* free blocks in file system */ 262 uint64 f_bavail /* free blocks for non-root */ 263 uint64 f_files /* total file inodes */ 264 uint64 f_ffree /* free file inodes */ 265 uint64 f_favail /* free file inodes for to non-root */ 266 uint64 f_fsid /* file system id */ 267 uint64 f_flag /* bit mask of f_flag values */ 268 uint64 f_namemax /* maximum filename length */ 269 270The values of the f_flag bitmask are as follows: 271 272 #define SSH_FXE_STATVFS_ST_RDONLY 0x1 /* read-only */ 273 #define SSH_FXE_STATVFS_ST_NOSUID 0x2 /* no setuid */ 274 275Both the "statvfs@openssh.com" and "fstatvfs@openssh.com" extensions are 276advertised in the SSH_FXP_VERSION hello with version "2". 277 27810. sftp: Extension request "hardlink@openssh.com" 279 280This request is for creating a hard link to a regular file. This 281request is implemented as a SSH_FXP_EXTENDED request with the 282following format: 283 284 uint32 id 285 string "hardlink@openssh.com" 286 string oldpath 287 string newpath 288 289On receiving this request the server will perform the operation 290link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 291This extension is advertised in the SSH_FXP_VERSION hello with version 292"1". 293 294$OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $ 295