diff options
Diffstat (limited to 'PROTOCOL')
| -rw-r--r-- | PROTOCOL | 53 |
1 files changed, 50 insertions, 3 deletions
| @@ -40,8 +40,8 @@ http://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt | |||
| 40 | "ecdsa-sha2-nistp521-cert-v01@openssh.com" | 40 | "ecdsa-sha2-nistp521-cert-v01@openssh.com" |
| 41 | 41 | ||
| 42 | OpenSSH introduces new public key algorithms to support certificate | 42 | OpenSSH introduces new public key algorithms to support certificate |
| 43 | authentication for users and hostkeys. These methods are documented in | 43 | authentication for users and host keys. These methods are documented |
| 44 | the file PROTOCOL.certkeys | 44 | in the file PROTOCOL.certkeys |
| 45 | 45 | ||
| 46 | 1.4. transport: Elliptic Curve cryptography | 46 | 1.4. transport: Elliptic Curve cryptography |
| 47 | 47 | ||
| @@ -282,6 +282,53 @@ by the client cancel the forwarding of a Unix domain socket. | |||
| 282 | boolean FALSE | 282 | boolean FALSE |
| 283 | string socket path | 283 | string socket path |
| 284 | 284 | ||
| 285 | 2.5. connection: hostkey update and rotation "hostkeys-00@openssh.com" | ||
| 286 | and "hostkeys-prove-00@openssh.com" | ||
| 287 | |||
| 288 | OpenSSH supports a protocol extension allowing a server to inform | ||
| 289 | a client of all its protocol v.2 host keys after user-authentication | ||
| 290 | has completed. | ||
| 291 | |||
| 292 | byte SSH_MSG_GLOBAL_REQUEST | ||
| 293 | string "hostkeys-00@openssh.com" | ||
| 294 | string[] hostkeys | ||
| 295 | |||
| 296 | Upon receiving this message, a client should check which of the | ||
| 297 | supplied host keys are present in known_hosts. For keys that are | ||
| 298 | not present, it should send a "hostkeys-prove@openssh.com" message | ||
| 299 | to request the server prove ownership of the private half of the | ||
| 300 | key. | ||
| 301 | |||
| 302 | byte SSH_MSG_GLOBAL_REQUEST | ||
| 303 | string "hostkeys-prove-00@openssh.com" | ||
| 304 | char 1 /* want-reply */ | ||
| 305 | string[] hostkeys | ||
| 306 | |||
| 307 | When a server receives this message, it should generate a signature | ||
| 308 | using each requested key over the following: | ||
| 309 | |||
| 310 | string "hostkeys-prove-00@openssh.com" | ||
| 311 | string session identifier | ||
| 312 | string hostkey | ||
| 313 | |||
| 314 | These signatures should be included in the reply, in the order matching | ||
| 315 | the hostkeys in the request: | ||
| 316 | |||
| 317 | byte SSH_MSG_REQUEST_SUCCESS | ||
| 318 | string[] signatures | ||
| 319 | |||
| 320 | When the client receives this reply (and not a failure), it should | ||
| 321 | validate the signatures and may update its known_hosts file, adding keys | ||
| 322 | that it has not seen before and deleting keys for the server host that | ||
| 323 | are no longer offered. | ||
| 324 | |||
| 325 | These extensions let a client learn key types that it had not previously | ||
| 326 | encountered, thereby allowing it to potentially upgrade from weaker | ||
| 327 | key algorithms to better ones. It also supports graceful key rotation: | ||
| 328 | a server may offer multiple keys of the same type for a period (to | ||
| 329 | give clients an opportunity to learn them using this extension) before | ||
| 330 | removing the deprecated key from those offered. | ||
| 331 | |||
| 285 | 3. SFTP protocol changes | 332 | 3. SFTP protocol changes |
| 286 | 333 | ||
| 287 | 3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK | 334 | 3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK |
| @@ -406,4 +453,4 @@ respond with a SSH_FXP_STATUS message. | |||
| 406 | This extension is advertised in the SSH_FXP_VERSION hello with version | 453 | This extension is advertised in the SSH_FXP_VERSION hello with version |
| 407 | "1". | 454 | "1". |
| 408 | 455 | ||
| 409 | $OpenBSD: PROTOCOL,v 1.24 2014/07/15 15:54:14 millert Exp $ | 456 | $OpenBSD: PROTOCOL,v 1.27 2015/02/20 22:17:21 djm Exp $ |