Diffstat (limited to 'PROTOCOL')
-rw-r--r--  PROTOCOL  53
1 files changed, 50 insertions, 3 deletions
diff --git a/PROTOCOL b/PROTOCOL
index aa59f584e..91bfe270d 100644
--- a/PROTOCOL
+++ b/PROTOCOL
@@ -40,8 +40,8 @@ http://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
40 "ecdsa-sha2-nistp521-cert-v01@openssh.com" 40 "ecdsa-sha2-nistp521-cert-v01@openssh.com"
41 41
42OpenSSH introduces new public key algorithms to support certificate 42OpenSSH introduces new public key algorithms to support certificate
43authentication for users and hostkeys. These methods are documented in 43authentication for users and host keys. These methods are documented
44the file PROTOCOL.certkeys 44in the file PROTOCOL.certkeys
45 45
461.4. transport: Elliptic Curve cryptography 461.4. transport: Elliptic Curve cryptography
47 47
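Review bot: style only: the rewrap at new lines 43-44 changes "hostkeys" to "host keys", but the section this same patch adds further down is titled "hostkey update and rotation" and its body alternates between "host keys" and "hostkeys" in prose. Pick one spelling for prose (the message and field names must of course stay "hostkeys-00@openssh.com", "hostkeys-prove-00@openssh.com" and "hostkeys") and use it consistently in both hunks.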
@@ -282,6 +282,53 @@ by the client cancel the forwarding of a Unix domain socket.
282 boolean FALSE 282 boolean FALSE
283 string socket path 283 string socket path
284 284
2852.5. connection: hostkey update and rotation "hostkeys-00@openssh.com"
286and "hostkeys-prove-00@openssh.com"
287
288OpenSSH supports a protocol extension allowing a server to inform
289a client of all its protocol v.2 host keys after user-authentication
290has completed.
291
292 byte SSH_MSG_GLOBAL_REQUEST
293 string "hostkeys-00@openssh.com"
294 string[] hostkeys
295
296Upon receiving this message, a client should check which of the
297supplied host keys are present in known_hosts. For keys that are
298not present, it should send a "hostkeys-prove@openssh.com" message
299to request the server prove ownership of the private half of the
300key.
301
302 byte SSH_MSG_GLOBAL_REQUEST
303 string "hostkeys-prove-00@openssh.com"
304 char 1 /* want-reply */
305 string[] hostkeys
306
307When a server receives this message, it should generate a signature
308using each requested key over the following:
309
310 string "hostkeys-prove-00@openssh.com"
311 string session identifier
312 string hostkey
313
314These signatures should be included in the reply, in the order matching
315the hostkeys in the request:
316
317 byte SSH_MSG_REQUEST_SUCCESS
318 string[] signatures
319
320When the client receives this reply (and not a failure), it should
321validate the signatures and may update its known_hosts file, adding keys
322that it has not seen before and deleting keys for the server host that
323are no longer offered.
324
325These extensions let a client learn key types that it had not previously
326encountered, thereby allowing it to potentially upgrade from weaker
327key algorithms to better ones. It also supports graceful key rotation:
328a server may offer multiple keys of the same type for a period (to
329give clients an opportunity to learn them using this extension) before
330removing the deprecated key from those offered.
331
2853. SFTP protocol changes 3323. SFTP protocol changes
286 333
2873.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK 3343.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
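Review bot: the "hostkeys-00@openssh.com" message at new lines 292-294 omits the want-reply field that every SSH_MSG_GLOBAL_REQUEST carries, whereas the "hostkeys-prove-00@openssh.com" message at lines 302-305 does show it as "char 1 /* want-reply */"; add a "char 0 /* want-reply */" line between the request name and the "string[] hostkeys" field so implementers do not parse the key list one byte off, and consider using the "boolean" type that the streamlocal request at line 282 uses rather than "char" in both messages. Line 298 also tells the client to send a "hostkeys-prove@openssh.com" message, but the message defined at line 303 is named "hostkeys-prove-00@openssh.com"; the prose should use the versioned name. Finally, "validate the signatures" at line 321 leaves the failure case unstated: since the signed data at lines 310-312 includes the session identifier, the text should say that the client verifies each signature over its own session identifier with the corresponding key, and that a key whose proof does not verify must not be added to known_hosts.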
@@ -406,4 +453,4 @@ respond with a SSH_FXP_STATUS message.
406This extension is advertised in the SSH_FXP_VERSION hello with version 453This extension is advertised in the SSH_FXP_VERSION hello with version
407"1". 454"1".
408 455
409$OpenBSD: PROTOCOL,v 1.24 2014/07/15 15:54:14 millert Exp $ 456$OpenBSD: PROTOCOL,v 1.27 2015/02/20 22:17:21 djm Exp $