Import openssh_6.8p1.orig.tar.gz

author: Colin Watson <cjwatson@debian.org> 2015-08-19 14:23:50 +0100
committer: Colin Watson <cjwatson@debian.org> 2015-08-19 14:23:50 +0100
commit: baccdb349b31c47cd76fb63211f754ed33a9707e (patch)
tree: d03653f975fd4eb8bf71bb0c9d168614401202fa /PROTOCOL
parent: 487bdb3a5ef6075887b830ccb8a0b14f6da78e93 (diff)
parent: 9f82e5a9042f2d872e98f48a876fcab3e25dd9bb (diff)
1 files changed, 50 insertions, 3 deletions
diff --git a/PROTOCOL b/PROTOCOL
index aa59f584e..91bfe270d 100644
--- a/PROTOCOL
+++ b/PROTOCOL
@@ -40,8 +40,8 @@ http://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
     "ecdsa-sha2-nistp521-cert-v01@openssh.com"
 OpenSSH introduces new public key algorithms to support certificate
-authentication for users and hostkeys. These methods are documented in
+authentication for users and host keys. These methods are documented
-the file PROTOCOL.certkeys
+in the file PROTOCOL.certkeys
 1.4. transport: Elliptic Curve cryptography
@@ -282,6 +282,53 @@ by the client cancel the forwarding of a Unix domain socket.
        boolean         FALSE
        string          socket path
+2.5. connection: hostkey update and rotation "hostkeys-00@openssh.com"
+and "hostkeys-prove-00@openssh.com"
+OpenSSH supports a protocol extension allowing a server to inform
+a client of all its protocol v.2 host keys after user-authentication
+has completed.
+        byte            SSH_MSG_GLOBAL_REQUEST
+        string          "hostkeys-00@openssh.com"
+        string[]        hostkeys
+Upon receiving this message, a client should check which of the
+supplied host keys are present in known_hosts. For keys that are
+not present, it should send a "hostkeys-prove@openssh.com" message
+to request the server prove ownership of the private half of the
+key.
+        byte            SSH_MSG_GLOBAL_REQUEST
+        string          "hostkeys-prove-00@openssh.com"
+        char            1 /* want-reply */
+        string[]        hostkeys
+When a server receives this message, it should generate a signature
+using each requested key over the following:
+        string          "hostkeys-prove-00@openssh.com"
+        string          session identifier
+        string          hostkey
+These signatures should be included in the reply, in the order matching
+the hostkeys in the request:
+        byte            SSH_MSG_REQUEST_SUCCESS
+        string[]        signatures
+When the client receives this reply (and not a failure), it should
+validate the signatures and may update its known_hosts file, adding keys
+that it has not seen before and deleting keys for the server host that
+are no longer offered.
+These extensions let a client learn key types that it had not previously
+encountered, thereby allowing it to potentially upgrade from weaker
+key algorithms to better ones. It also supports graceful key rotation:
+a server may offer multiple keys of the same type for a period (to
+give clients an opportunity to learn them using this extension) before
+removing the deprecated key from those offered.
 3. SFTP protocol changes
 3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
@@ -406,4 +453,4 @@ respond with a SSH_FXP_STATUS message.
 This extension is advertised in the SSH_FXP_VERSION hello with version
 "1".
-$OpenBSD: PROTOCOL,v 1.24 2014/07/15 15:54:14 millert Exp $
+$OpenBSD: PROTOCOL,v 1.27 2015/02/20 22:17:21 djm Exp $
author	Colin Watson <cjwatson@debian.org>	2015-08-19 14:23:50 +0100
committer	Colin Watson <cjwatson@debian.org>	2015-08-19 14:23:50 +0100
commit	baccdb349b31c47cd76fb63211f754ed33a9707e (patch)
tree	d03653f975fd4eb8bf71bb0c9d168614401202fa /PROTOCOL
parent	487bdb3a5ef6075887b830ccb8a0b14f6da78e93 (diff)
parent	9f82e5a9042f2d872e98f48a876fcab3e25dd9bb (diff)

diff --git a/PROTOCOL b/PROTOCOL index aa59f584e..91bfe270d 100644 --- a/PROTOCOL +++ b/PROTOCOL
@@ -40,8 +40,8 @@ http://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
40	"ecdsa-sha2-nistp521-cert-v01@openssh.com"	40	"ecdsa-sha2-nistp521-cert-v01@openssh.com"
41		41
42	OpenSSH introduces new public key algorithms to support certificate	42	OpenSSH introduces new public key algorithms to support certificate
43	authentication for users and hostkeys. These methods are documented in	43	authentication for users and host keys. These methods are documented
44	the file PROTOCOL.certkeys	44	in the file PROTOCOL.certkeys
45		45
46	1.4. transport: Elliptic Curve cryptography	46	1.4. transport: Elliptic Curve cryptography
47		47
@@ -282,6 +282,53 @@ by the client cancel the forwarding of a Unix domain socket.
282	boolean FALSE	282	boolean FALSE
283	string socket path	283	string socket path
284		284
		285	2.5. connection: hostkey update and rotation "hostkeys-00@openssh.com"
		286	and "hostkeys-prove-00@openssh.com"
		287
		288	OpenSSH supports a protocol extension allowing a server to inform
		289	a client of all its protocol v.2 host keys after user-authentication
		290	has completed.
		291
		292	byte SSH_MSG_GLOBAL_REQUEST
		293	string "hostkeys-00@openssh.com"
		294	string[] hostkeys
		295
		296	Upon receiving this message, a client should check which of the
		297	supplied host keys are present in known_hosts. For keys that are
		298	not present, it should send a "hostkeys-prove@openssh.com" message
		299	to request the server prove ownership of the private half of the
		300	key.
		301
		302	byte SSH_MSG_GLOBAL_REQUEST
		303	string "hostkeys-prove-00@openssh.com"
		304	char 1 /* want-reply */
		305	string[] hostkeys
		306
		307	When a server receives this message, it should generate a signature
		308	using each requested key over the following:
		309
		310	string "hostkeys-prove-00@openssh.com"
		311	string session identifier
		312	string hostkey
		313
		314	These signatures should be included in the reply, in the order matching
		315	the hostkeys in the request:
		316
		317	byte SSH_MSG_REQUEST_SUCCESS
		318	string[] signatures
		319
		320	When the client receives this reply (and not a failure), it should
		321	validate the signatures and may update its known_hosts file, adding keys
		322	that it has not seen before and deleting keys for the server host that
		323	are no longer offered.
		324
		325	These extensions let a client learn key types that it had not previously
		326	encountered, thereby allowing it to potentially upgrade from weaker
		327	key algorithms to better ones. It also supports graceful key rotation:
		328	a server may offer multiple keys of the same type for a period (to
		329	give clients an opportunity to learn them using this extension) before
		330	removing the deprecated key from those offered.
		331
285	3. SFTP protocol changes	332	3. SFTP protocol changes
286		333
287	3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK	334	3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
@@ -406,4 +453,4 @@ respond with a SSH_FXP_STATUS message.
406	This extension is advertised in the SSH_FXP_VERSION hello with version	453	This extension is advertised in the SSH_FXP_VERSION hello with version
407	"1".	454	"1".
408		455
409	$OpenBSD: PROTOCOL,v 1.24 2014/07/15 15:54:14 millert Exp $	456	$OpenBSD: PROTOCOL,v 1.27 2015/02/20 22:17:21 djm Exp $