| field | value | date |
|---|---|---|
| author | djm@openbsd.org <djm@openbsd.org> | 2015-01-26 03:04:45 +0000 |
| committer | Damien Miller <djm@mindrot.org> | 2015-01-27 00:00:57 +1100 |
| commit | 8d4f87258f31cb6def9b3b55b6a7321d84728ff2 (patch) | |
| tree | c98e66c1c0824f0b0e312d7b44d8eeac46265362 /PROTOCOL | |
| parent | 60b1825262b1f1e24fc72050b907189c92daf18e (diff) | |
upstream commit
Host key rotation support.
Add a hostkeys@openssh.com protocol extension (global request) for
a server to inform a client of all its available host keys after
authentication has completed. The client may record the keys in
known_hosts, allowing it to upgrade to better host key algorithms
and a server to gracefully rotate its keys.
The client side of this is controlled by an UpdateHostkeys config
option (default on).
ok markus@
Diffstat (limited to 'PROTOCOL')
-rw-r--r-- | PROTOCOL | 24 |
1 files changed, 23 insertions, 1 deletions
@@ -282,6 +282,28 @@ by the client cancel the forwarding of a Unix domain socket. | |||
282 | boolean FALSE | 282 | boolean FALSE |
283 | string socket path | 283 | string socket path |
284 | 284 | ||
285 | 2.5. connection: hostkey update and rotation "hostkeys@openssh.com" | ||
286 | |||
287 | OpenSSH supports a protocol extension allowing a server to inform | ||
288 | a client of all its protocol v.2 hostkeys after user-authentication | ||
289 | has completed. | ||
290 | |||
291 | byte SSH_MSG_GLOBAL_REQUEST | ||
292 | string "hostkeys@openssh.com" | ||
293 | string[] hostkeys | ||
294 | |||
295 | Upon receiving this message, a client may update its known_hosts | ||
296 | file, adding keys that it has not seen before and deleting keys | ||
297 | for the server host that are no longer offered. | ||
298 | |||
299 | This extension allows a client to learn key types that it had | ||
300 | not previously encountered, thereby allowing it to potentially | ||
301 | upgrade from weaker key algorithms to better ones. It also | ||
302 | supports graceful key rotation: a server may offer multiple keys | ||
303 | of the same type for a period (to give clients an opportunity to | ||
304 | learn them using this extension) before removing the deprecated | ||
305 | key from those offered. | ||
306 | |||
285 | 3. SFTP protocol changes | 307 | 3. SFTP protocol changes |
286 | 308 | ||
287 | 3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK | 309 | 3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK |
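Review bot: the message layout at new lines 291-293 omits the `boolean want reply` field that follows the request name in every SSH_MSG_GLOBAL_REQUEST, and that the preceding section shows as `boolean FALSE` (line 282); add it so implementers encode the request correctly, and define `string[] hostkeys`, which is not a standard wire type, as a sequence of `string` fields each holding a public key blob in the usual encoding. The text at new lines 295-297 lets a client add previously unseen keys to known_hosts and delete keys no longer offered, but does not say how the client should verify that the server actually holds the private keys matching the newly offered public keys, nor whether keys of an algorithm the client is not configured to accept should be ignored; documenting both would make the known_hosts update semantics unambiguous and help reviewers reason about what a misconfigured server can cause a client to record.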
@@ -406,4 +428,4 @@ respond with a SSH_FXP_STATUS message. | |||
406 | This extension is advertised in the SSH_FXP_VERSION hello with version | 428 | This extension is advertised in the SSH_FXP_VERSION hello with version |
407 | "1". | 429 | "1". |
408 | 430 | ||
409 | $OpenBSD: PROTOCOL,v 1.24 2014/07/15 15:54:14 millert Exp $ | 431 | $OpenBSD: PROTOCOL,v 1.25 2015/01/26 03:04:45 djm Exp $ |