diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-02-20 22:17:21 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-02-21 09:20:28 +1100 |
| commit | 44732de06884238049f285f1455b2181baa7dc82 (patch) | |
| tree | deb3c48176195cfc4028b55d2a1a71607e9f7fb0 /PROTOCOL | |
| parent | 13a39414d25646f93e6d355521d832a03aaaffe2 (diff) | |
upstream commit
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages
last week without changing the extension name, and this has been causing
connection failures for people who are running -current. First reported
by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
available to read the response) so disable UpdateHostKeys if it is in
ask mode and ControlPersist is active (and document this)
Diffstat (limited to 'PROTOCOL')
| -rw-r--r-- | PROTOCOL | 12 |
1 files changed, 6 insertions, 6 deletions
| @@ -282,15 +282,15 @@ by the client cancel the forwarding of a Unix domain socket. | |||
| 282 | boolean FALSE | 282 | boolean FALSE |
| 283 | string socket path | 283 | string socket path |
| 284 | 284 | ||
| 285 | 2.5. connection: hostkey update and rotation "hostkeys@openssh.com" | 285 | 2.5. connection: hostkey update and rotation "hostkeys-00@openssh.com" |
| 286 | and "hostkeys-prove@openssh.com" | 286 | and "hostkeys-prove-00@openssh.com" |
| 287 | 287 | ||
| 288 | OpenSSH supports a protocol extension allowing a server to inform | 288 | OpenSSH supports a protocol extension allowing a server to inform |
| 289 | a client of all its protocol v.2 host keys after user-authentication | 289 | a client of all its protocol v.2 host keys after user-authentication |
| 290 | has completed. | 290 | has completed. |
| 291 | 291 | ||
| 292 | byte SSH_MSG_GLOBAL_REQUEST | 292 | byte SSH_MSG_GLOBAL_REQUEST |
| 293 | string "hostkeys@openssh.com" | 293 | string "hostkeys-00@openssh.com" |
| 294 | string[] hostkeys | 294 | string[] hostkeys |
| 295 | 295 | ||
| 296 | Upon receiving this message, a client should check which of the | 296 | Upon receiving this message, a client should check which of the |
| @@ -300,15 +300,15 @@ to request the server prove ownership of the private half of the | |||
| 300 | key. | 300 | key. |
| 301 | 301 | ||
| 302 | byte SSH_MSG_GLOBAL_REQUEST | 302 | byte SSH_MSG_GLOBAL_REQUEST |
| 303 | string "hostkeys-prove@openssh.com" | 303 | string "hostkeys-prove-00@openssh.com" |
| 304 | char 1 /* want-reply */ | 304 | char 1 /* want-reply */ |
| 305 | string[] hostkeys | 305 | string[] hostkeys |
| 306 | 306 | ||
| 307 | When a server receives this message, it should generate a signature | 307 | When a server receives this message, it should generate a signature |
| 308 | using each requested key over the following: | 308 | using each requested key over the following: |
| 309 | 309 | ||
| 310 | string "hostkeys-prove-00@openssh.com" | ||
| 310 | string session identifier | 311 | string session identifier |
| 311 | string "hostkeys-prove@openssh.com" | ||
| 312 | string hostkey | 312 | string hostkey |
| 313 | 313 | ||
| 314 | These signatures should be included in the reply, in the order matching | 314 | These signatures should be included in the reply, in the order matching |
| @@ -453,4 +453,4 @@ respond with a SSH_FXP_STATUS message. | |||
| 453 | This extension is advertised in the SSH_FXP_VERSION hello with version | 453 | This extension is advertised in the SSH_FXP_VERSION hello with version |
| 454 | "1". | 454 | "1". |
| 455 | 455 | ||
| 456 | $OpenBSD: PROTOCOL,v 1.26 2015/02/16 22:13:32 djm Exp $ | 456 | $OpenBSD: PROTOCOL,v 1.27 2015/02/20 22:17:21 djm Exp $ |