aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssh/doc/standard/draft-ietf-secsh-architecture-15.2.ps
diff options
context:
space:
mode:
authorErlang/OTP <[email protected]>2009-11-20 14:54:40 +0000
committerErlang/OTP <[email protected]>2009-11-20 14:54:40 +0000
commit84adefa331c4159d432d22840663c38f155cd4c1 (patch)
treebff9a9c66adda4df2106dfd0e5c053ab182a12bd /lib/ssh/doc/standard/draft-ietf-secsh-architecture-15.2.ps
downloadotp-84adefa331c4159d432d22840663c38f155cd4c1.tar.gz
otp-84adefa331c4159d432d22840663c38f155cd4c1.tar.bz2
otp-84adefa331c4159d432d22840663c38f155cd4c1.zip
The R13B03 release.OTP_R13B03
Diffstat (limited to 'lib/ssh/doc/standard/draft-ietf-secsh-architecture-15.2.ps')
-rw-r--r--lib/ssh/doc/standard/draft-ietf-secsh-architecture-15.2.ps3315
1 files changed, 3315 insertions, 0 deletions
diff --git a/lib/ssh/doc/standard/draft-ietf-secsh-architecture-15.2.ps b/lib/ssh/doc/standard/draft-ietf-secsh-architecture-15.2.ps
new file mode 100644
index 0000000000..d766a933b4
--- /dev/null
+++ b/lib/ssh/doc/standard/draft-ietf-secsh-architecture-15.2.ps
@@ -0,0 +1,3315 @@
+%!PS-Adobe-3.0
+%%BoundingBox: 75 0 595 747
+%%Title: Enscript Output
+%%For: Magnus Thoang
+%%Creator: GNU enscript 1.6.1
+%%CreationDate: Fri Oct 31 13:31:26 2003
+%%Orientation: Portrait
+%%Pages: 15 0
+%%DocumentMedia: A4 595 842 0 () ()
+%%DocumentNeededResources: (atend)
+%%EndComments
+%%BeginProlog
+%%BeginProcSet: PStoPS 1 15
+userdict begin
+[/showpage/erasepage/copypage]{dup where{pop dup load
+ type/operatortype eq{1 array cvx dup 0 3 index cvx put
+ bind def}{pop}ifelse}{pop}ifelse}forall
+[/letter/legal/executivepage/a4/a4small/b5/com10envelope
+ /monarchenvelope/c5envelope/dlenvelope/lettersmall/note
+ /folio/quarto/a5]{dup where{dup wcheck{exch{}put}
+ {pop{}def}ifelse}{pop}ifelse}forall
+/setpagedevice {pop}bind 1 index where{dup wcheck{3 1 roll put}
+ {pop def}ifelse}{def}ifelse
+/PStoPSmatrix matrix currentmatrix def
+/PStoPSxform matrix def/PStoPSclip{clippath}def
+/defaultmatrix{PStoPSmatrix exch PStoPSxform exch concatmatrix}bind def
+/initmatrix{matrix defaultmatrix setmatrix}bind def
+/initclip[{matrix currentmatrix PStoPSmatrix setmatrix
+ [{currentpoint}stopped{$error/newerror false put{newpath}}
+ {/newpath cvx 3 1 roll/moveto cvx 4 array astore cvx}ifelse]
+ {[/newpath cvx{/moveto cvx}{/lineto cvx}
+ {/curveto cvx}{/closepath cvx}pathforall]cvx exch pop}
+ stopped{$error/errorname get/invalidaccess eq{cleartomark
+ $error/newerror false put cvx exec}{stop}ifelse}if}bind aload pop
+ /initclip dup load dup type dup/operatortype eq{pop exch pop}
+ {dup/arraytype eq exch/packedarraytype eq or
+ {dup xcheck{exch pop aload pop}{pop cvx}ifelse}
+ {pop cvx}ifelse}ifelse
+ {newpath PStoPSclip clip newpath exec setmatrix} bind aload pop]cvx def
+/initgraphics{initmatrix newpath initclip 1 setlinewidth
+ 0 setlinecap 0 setlinejoin []0 setdash 0 setgray
+ 10 setmiterlimit}bind def
+end
+%%EndProcSet
+%%BeginResource: procset Enscript-Prolog 1.6 1
+%
+% Procedures.
+%
+
+/_S { % save current state
+ /_s save def
+} def
+/_R { % restore from saved state
+ _s restore
+} def
+
+/S { % showpage protecting gstate
+ gsave
+ showpage
+ grestore
+} bind def
+
+/MF { % fontname newfontname -> - make a new encoded font
+ /newfontname exch def
+ /fontname exch def
+
+ /fontdict fontname findfont def
+ /newfont fontdict maxlength dict def
+
+ fontdict {
+ exch
+ dup /FID eq {
+ % skip FID pair
+ pop pop
+ } {
+ % copy to the new font dictionary
+ exch newfont 3 1 roll put
+ } ifelse
+ } forall
+
+ newfont /FontName newfontname put
+
+ % insert only valid encoding vectors
+ encoding_vector length 256 eq {
+ newfont /Encoding encoding_vector put
+ } if
+
+ newfontname newfont definefont pop
+} def
+
+/SF { % fontname width height -> - set a new font
+ /height exch def
+ /width exch def
+
+ findfont
+ [width 0 0 height 0 0] makefont setfont
+} def
+
+/SUF { % fontname width height -> - set a new user font
+ /height exch def
+ /width exch def
+
+ /F-gs-user-font MF
+ /F-gs-user-font width height SF
+} def
+
+/M {moveto} bind def
+/s {show} bind def
+
+/Box { % x y w h -> - define box path
+ /d_h exch def /d_w exch def /d_y exch def /d_x exch def
+ d_x d_y moveto
+ d_w 0 rlineto
+ 0 d_h rlineto
+ d_w neg 0 rlineto
+ closepath
+} def
+
+/bgs { % x y height blskip gray str -> - show string with bg color
+ /str exch def
+ /gray exch def
+ /blskip exch def
+ /height exch def
+ /y exch def
+ /x exch def
+
+ gsave
+ x y blskip sub str stringwidth pop height Box
+ gray setgray
+ fill
+ grestore
+ x y M str s
+} def
+
+% Highlight bars.
+/highlight_bars { % nlines lineheight output_y_margin gray -> -
+ gsave
+ setgray
+ /ymarg exch def
+ /lineheight exch def
+ /nlines exch def
+
+ % This 2 is just a magic number to sync highlight lines to text.
+ 0 d_header_y ymarg sub 2 sub translate
+
+ /cw d_output_w cols div def
+ /nrows d_output_h ymarg 2 mul sub lineheight div cvi def
+
+ % for each column
+ 0 1 cols 1 sub {
+ cw mul /xp exch def
+
+ % for each rows
+ 0 1 nrows 1 sub {
+ /rn exch def
+ rn lineheight mul neg /yp exch def
+ rn nlines idiv 2 mod 0 eq {
+ % Draw highlight bar. 4 is just a magic indentation.
+ xp 4 add yp cw 8 sub lineheight neg Box fill
+ } if
+ } for
+ } for
+
+ grestore
+} def
+
+% Line highlight bar.
+/line_highlight { % x y width height gray -> -
+ gsave
+ /gray exch def
+ Box gray setgray fill
+ grestore
+} def
+
+% Column separator lines.
+/column_lines {
+ gsave
+ .1 setlinewidth
+ 0 d_footer_h translate
+ /cw d_output_w cols div def
+ 1 1 cols 1 sub {
+ cw mul 0 moveto
+ 0 d_output_h rlineto stroke
+ } for
+ grestore
+} def
+
+% Column borders.
+/column_borders {
+ gsave
+ .1 setlinewidth
+ 0 d_footer_h moveto
+ 0 d_output_h rlineto
+ d_output_w 0 rlineto
+ 0 d_output_h neg rlineto
+ closepath stroke
+ grestore
+} def
+
+% Do the actual underlay drawing
+/draw_underlay {
+ ul_style 0 eq {
+ ul_str true charpath stroke
+ } {
+ ul_str show
+ } ifelse
+} def
+
+% Underlay
+/underlay { % - -> -
+ gsave
+ 0 d_page_h translate
+ d_page_h neg d_page_w atan rotate
+
+ ul_gray setgray
+ ul_font setfont
+ /dw d_page_h dup mul d_page_w dup mul add sqrt def
+ ul_str stringwidth pop dw exch sub 2 div ul_h_ptsize -2 div moveto
+ draw_underlay
+ grestore
+} def
+
+/user_underlay { % - -> -
+ gsave
+ ul_x ul_y translate
+ ul_angle rotate
+ ul_gray setgray
+ ul_font setfont
+ 0 0 ul_h_ptsize 2 div sub moveto
+ draw_underlay
+ grestore
+} def
+
+% Page prefeed
+/page_prefeed { % bool -> -
+ statusdict /prefeed known {
+ statusdict exch /prefeed exch put
+ } {
+ pop
+ } ifelse
+} def
+
+% Wrapped line markers
+/wrapped_line_mark { % x y charwith charheight type -> -
+ /type exch def
+ /h exch def
+ /w exch def
+ /y exch def
+ /x exch def
+
+ type 2 eq {
+ % Black boxes (like TeX does)
+ gsave
+ 0 setlinewidth
+ x w 4 div add y M
+ 0 h rlineto w 2 div 0 rlineto 0 h neg rlineto
+ closepath fill
+ grestore
+ } {
+ type 3 eq {
+ % Small arrows
+ gsave
+ .2 setlinewidth
+ x w 2 div add y h 2 div add M
+ w 4 div 0 rlineto
+ x w 4 div add y lineto stroke
+
+ x w 4 div add w 8 div add y h 4 div add M
+ x w 4 div add y lineto
+ w 4 div h 8 div rlineto stroke
+ grestore
+ } {
+ % do nothing
+ } ifelse
+ } ifelse
+} def
+
+% EPSF import.
+
+/BeginEPSF {
+ /b4_Inc_state save def % Save state for cleanup
+ /dict_count countdictstack def % Count objects on dict stack
+ /op_count count 1 sub def % Count objects on operand stack
+ userdict begin
+ /showpage { } def
+ 0 setgray 0 setlinecap
+ 1 setlinewidth 0 setlinejoin
+ 10 setmiterlimit [ ] 0 setdash newpath
+ /languagelevel where {
+ pop languagelevel
+ 1 ne {
+ false setstrokeadjust false setoverprint
+ } if
+ } if
+} bind def
+
+/EndEPSF {
+ count op_count sub { pos } repeat % Clean up stacks
+ countdictstack dict_count sub { end } repeat
+ b4_Inc_state restore
+} bind def
+
+% Check PostScript language level.
+/languagelevel where {
+ pop /gs_languagelevel languagelevel def
+} {
+ /gs_languagelevel 1 def
+} ifelse
+%%EndResource
+%%BeginResource: procset Enscript-Encoding-88591 1.6 1
+/encoding_vector [
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/space /exclam /quotedbl /numbersign
+/dollar /percent /ampersand /quoteright
+/parenleft /parenright /asterisk /plus
+/comma /hyphen /period /slash
+/zero /one /two /three
+/four /five /six /seven
+/eight /nine /colon /semicolon
+/less /equal /greater /question
+/at /A /B /C
+/D /E /F /G
+/H /I /J /K
+/L /M /N /O
+/P /Q /R /S
+/T /U /V /W
+/X /Y /Z /bracketleft
+/backslash /bracketright /asciicircum /underscore
+/quoteleft /a /b /c
+/d /e /f /g
+/h /i /j /k
+/l /m /n /o
+/p /q /r /s
+/t /u /v /w
+/x /y /z /braceleft
+/bar /braceright /tilde /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/space /exclamdown /cent /sterling
+/currency /yen /brokenbar /section
+/dieresis /copyright /ordfeminine /guillemotleft
+/logicalnot /hyphen /registered /macron
+/degree /plusminus /twosuperior /threesuperior
+/acute /mu /paragraph /bullet
+/cedilla /onesuperior /ordmasculine /guillemotright
+/onequarter /onehalf /threequarters /questiondown
+/Agrave /Aacute /Acircumflex /Atilde
+/Adieresis /Aring /AE /Ccedilla
+/Egrave /Eacute /Ecircumflex /Edieresis
+/Igrave /Iacute /Icircumflex /Idieresis
+/Eth /Ntilde /Ograve /Oacute
+/Ocircumflex /Otilde /Odieresis /multiply
+/Oslash /Ugrave /Uacute /Ucircumflex
+/Udieresis /Yacute /Thorn /germandbls
+/agrave /aacute /acircumflex /atilde
+/adieresis /aring /ae /ccedilla
+/egrave /eacute /ecircumflex /edieresis
+/igrave /iacute /icircumflex /idieresis
+/eth /ntilde /ograve /oacute
+/ocircumflex /otilde /odieresis /divide
+/oslash /ugrave /uacute /ucircumflex
+/udieresis /yacute /thorn /ydieresis
+] def
+%%EndResource
+%%EndProlog
+%%BeginSetup
+%%IncludeResource: font Courier-Bold
+%%IncludeResource: font Courier
+/HFpt_w 10 def
+/HFpt_h 10 def
+/Courier-Bold /HF-gs-font MF
+/HF /HF-gs-font findfont [HFpt_w 0 0 HFpt_h 0 0] makefont def
+/Courier /F-gs-font MF
+/F-gs-font 10 10 SF
+/#copies 1 def
+/d_page_w 520 def
+/d_page_h 747 def
+/d_header_x 0 def
+/d_header_y 747 def
+/d_header_w 520 def
+/d_header_h 0 def
+/d_footer_x 0 def
+/d_footer_y 0 def
+/d_footer_w 520 def
+/d_footer_h 0 def
+/d_output_w 520 def
+/d_output_h 747 def
+/cols 1 def
+userdict/PStoPSxform PStoPSmatrix matrix currentmatrix
+ matrix invertmatrix matrix concatmatrix
+ matrix invertmatrix put
+%%EndSetup
+%%Page: (0,1) 1
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 1 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 701 M
+(Network Working Group T. Ylonen) s
+5 690 M
+(Internet-Draft SSH Communications Security Corp) s
+5 679 M
+(Expires: March 31, 2004 D. Moffat, Ed.) s
+5 668 M
+( Sun Microsystems, Inc) s
+5 657 M
+( Oct 2003) s
+5 624 M
+( SSH Protocol Architecture) s
+5 613 M
+( draft-ietf-secsh-architecture-15.txt) s
+5 591 M
+(Status of this Memo) s
+5 569 M
+( This document is an Internet-Draft and is in full conformance with) s
+5 558 M
+( all provisions of Section 10 of RFC2026.) s
+5 536 M
+( Internet-Drafts are working documents of the Internet Engineering) s
+5 525 M
+( Task Force \(IETF\), its areas, and its working groups. Note that other) s
+5 514 M
+( groups may also distribute working documents as Internet-Drafts.) s
+5 492 M
+( Internet-Drafts are draft documents valid for a maximum of six months) s
+5 481 M
+( and may be updated, replaced, or obsoleted by other documents at any) s
+5 470 M
+( time. It is inappropriate to use Internet-Drafts as reference) s
+5 459 M
+( material or to cite them other than as "work in progress.") s
+5 437 M
+( The list of current Internet-Drafts can be accessed at http://) s
+5 426 M
+( www.ietf.org/ietf/1id-abstracts.txt.) s
+5 404 M
+( The list of Internet-Draft Shadow Directories can be accessed at) s
+5 393 M
+( http://www.ietf.org/shadow.html.) s
+5 371 M
+( This Internet-Draft will expire on March 31, 2004.) s
+5 349 M
+(Copyright Notice) s
+5 327 M
+( Copyright \(C\) The Internet Society \(2003\). All Rights Reserved.) s
+5 305 M
+(Abstract) s
+5 283 M
+( SSH is a protocol for secure remote login and other secure network) s
+5 272 M
+( services over an insecure network. This document describes the) s
+5 261 M
+( architecture of the SSH protocol, as well as the notation and) s
+5 250 M
+( terminology used in SSH protocol documents. It also discusses the SSH) s
+5 239 M
+( algorithm naming system that allows local extensions. The SSH) s
+5 228 M
+( protocol consists of three major components: The Transport Layer) s
+5 217 M
+( Protocol provides server authentication, confidentiality, and) s
+5 206 M
+( integrity with perfect forward secrecy. The User Authentication) s
+5 195 M
+( Protocol authenticates the client to the server. The Connection) s
+5 184 M
+( Protocol multiplexes the encrypted tunnel into several logical) s
+5 173 M
+( channels. Details of these protocols are described in separate) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 1]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 2 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( documents.) s
+5 668 M
+(Table of Contents) s
+5 646 M
+( 1. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 3) s
+5 635 M
+( 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3) s
+5 624 M
+( 3. Specification of Requirements . . . . . . . . . . . . . . . 3) s
+5 613 M
+( 4. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 3) s
+5 602 M
+( 4.1 Host Keys . . . . . . . . . . . . . . . . . . . . . . . . . 4) s
+5 591 M
+( 4.2 Extensibility . . . . . . . . . . . . . . . . . . . . . . . 5) s
+5 580 M
+( 4.3 Policy Issues . . . . . . . . . . . . . . . . . . . . . . . 5) s
+5 569 M
+( 4.4 Security Properties . . . . . . . . . . . . . . . . . . . . 6) s
+5 558 M
+( 4.5 Packet Size and Overhead . . . . . . . . . . . . . . . . . . 6) s
+5 547 M
+( 4.6 Localization and Character Set Support . . . . . . . . . . . 7) s
+5 536 M
+( 5. Data Type Representations Used in the SSH Protocols . . . . 8) s
+5 525 M
+( 6. Algorithm Naming . . . . . . . . . . . . . . . . . . . . . . 10) s
+5 514 M
+( 7. Message Numbers . . . . . . . . . . . . . . . . . . . . . . 11) s
+5 503 M
+( 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . 11) s
+5 492 M
+( 9. Security Considerations . . . . . . . . . . . . . . . . . . 12) s
+5 481 M
+( 9.1 Pseudo-Random Number Generation . . . . . . . . . . . . . . 12) s
+5 470 M
+( 9.2 Transport . . . . . . . . . . . . . . . . . . . . . . . . . 13) s
+5 459 M
+( 9.2.1 Confidentiality . . . . . . . . . . . . . . . . . . . . . . 13) s
+5 448 M
+( 9.2.2 Data Integrity . . . . . . . . . . . . . . . . . . . . . . . 16) s
+5 437 M
+( 9.2.3 Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . 16) s
+5 426 M
+( 9.2.4 Man-in-the-middle . . . . . . . . . . . . . . . . . . . . . 17) s
+5 415 M
+( 9.2.5 Denial-of-service . . . . . . . . . . . . . . . . . . . . . 19) s
+5 404 M
+( 9.2.6 Covert Channels . . . . . . . . . . . . . . . . . . . . . . 19) s
+5 393 M
+( 9.2.7 Forward Secrecy . . . . . . . . . . . . . . . . . . . . . . 20) s
+5 382 M
+( 9.3 Authentication Protocol . . . . . . . . . . . . . . . . . . 20) s
+5 371 M
+( 9.3.1 Weak Transport . . . . . . . . . . . . . . . . . . . . . . . 21) s
+5 360 M
+( 9.3.2 Debug messages . . . . . . . . . . . . . . . . . . . . . . . 21) s
+5 349 M
+( 9.3.3 Local security policy . . . . . . . . . . . . . . . . . . . 21) s
+5 338 M
+( 9.3.4 Public key authentication . . . . . . . . . . . . . . . . . 22) s
+5 327 M
+( 9.3.5 Password authentication . . . . . . . . . . . . . . . . . . 22) s
+5 316 M
+( 9.3.6 Host based authentication . . . . . . . . . . . . . . . . . 23) s
+5 305 M
+( 9.4 Connection protocol . . . . . . . . . . . . . . . . . . . . 23) s
+5 294 M
+( 9.4.1 End point security . . . . . . . . . . . . . . . . . . . . . 23) s
+5 283 M
+( 9.4.2 Proxy forwarding . . . . . . . . . . . . . . . . . . . . . . 23) s
+5 272 M
+( 9.4.3 X11 forwarding . . . . . . . . . . . . . . . . . . . . . . . 24) s
+5 261 M
+( Normative References . . . . . . . . . . . . . . . . . . . . 24) s
+5 250 M
+( Informative References . . . . . . . . . . . . . . . . . . . 25) s
+5 239 M
+( Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 27) s
+5 228 M
+( Intellectual Property and Copyright Statements . . . . . . . 28) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 2]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (2,3) 2
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 3 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+(1. Contributors) s
+5 668 M
+( The major original contributors of this document were: Tatu Ylonen,) s
+5 657 M
+( Tero Kivinen, Timo J. Rinne, Sami Lehtinen \(all of SSH Communications) s
+5 646 M
+( Security Corp\), and Markku-Juhani O. Saarinen \(University of) s
+5 635 M
+( Jyvaskyla\)) s
+5 613 M
+( The document editor is: [email protected]. Comments on this) s
+5 602 M
+( internet draft should be sent to the IETF SECSH working group,) s
+5 591 M
+( details at: http://ietf.org/html.charters/secsh-charter.html) s
+5 569 M
+(2. Introduction) s
+5 547 M
+( SSH is a protocol for secure remote login and other secure network) s
+5 536 M
+( services over an insecure network. It consists of three major) s
+5 525 M
+( components:) s
+5 514 M
+( o The Transport Layer Protocol [SSH-TRANS] provides server) s
+5 503 M
+( authentication, confidentiality, and integrity. It may optionally) s
+5 492 M
+( also provide compression. The transport layer will typically be) s
+5 481 M
+( run over a TCP/IP connection, but might also be used on top of any) s
+5 470 M
+( other reliable data stream.) s
+5 459 M
+( o The User Authentication Protocol [SSH-USERAUTH] authenticates the) s
+5 448 M
+( client-side user to the server. It runs over the transport layer) s
+5 437 M
+( protocol.) s
+5 426 M
+( o The Connection Protocol [SSH-CONNECT] multiplexes the encrypted) s
+5 415 M
+( tunnel into several logical channels. It runs over the user) s
+5 404 M
+( authentication protocol.) s
+5 382 M
+( The client sends a service request once a secure transport layer) s
+5 371 M
+( connection has been established. A second service request is sent) s
+5 360 M
+( after user authentication is complete. This allows new protocols to) s
+5 349 M
+( be defined and coexist with the protocols listed above.) s
+5 327 M
+( The connection protocol provides channels that can be used for a wide) s
+5 316 M
+( range of purposes. Standard methods are provided for setting up) s
+5 305 M
+( secure interactive shell sessions and for forwarding \("tunneling"\)) s
+5 294 M
+( arbitrary TCP/IP ports and X11 connections.) s
+5 272 M
+(3. Specification of Requirements) s
+5 250 M
+( All documents related to the SSH protocols shall use the keywords) s
+5 239 M
+( "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",) s
+5 228 M
+( "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" to describe) s
+5 217 M
+( requirements. They are to be interpreted as described in [RFC2119].) s
+5 195 M
+(4. Architecture) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 3]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 4 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+(4.1 Host Keys) s
+5 668 M
+( Each server host SHOULD have a host key. Hosts MAY have multiple) s
+5 657 M
+( host keys using multiple different algorithms. Multiple hosts MAY) s
+5 646 M
+( share the same host key. If a host has keys at all, it MUST have at) s
+5 635 M
+( least one key using each REQUIRED public key algorithm \(DSS) s
+5 624 M
+( [FIPS-186]\).) s
+5 602 M
+( The server host key is used during key exchange to verify that the) s
+5 591 M
+( client is really talking to the correct server. For this to be) s
+5 580 M
+( possible, the client must have a priori knowledge of the server's) s
+5 569 M
+( public host key.) s
+5 547 M
+( Two different trust models can be used:) s
+5 536 M
+( o The client has a local database that associates each host name \(as) s
+5 525 M
+( typed by the user\) with the corresponding public host key. This) s
+5 514 M
+( method requires no centrally administered infrastructure, and no) s
+5 503 M
+( third-party coordination. The downside is that the database of) s
+5 492 M
+( name-to-key associations may become burdensome to maintain.) s
+5 481 M
+( o The host name-to-key association is certified by some trusted) s
+5 470 M
+( certification authority. The client only knows the CA root key,) s
+5 459 M
+( and can verify the validity of all host keys certified by accepted) s
+5 448 M
+( CAs.) s
+5 426 M
+( The second alternative eases the maintenance problem, since) s
+5 415 M
+( ideally only a single CA key needs to be securely stored on the) s
+5 404 M
+( client. On the other hand, each host key must be appropriately) s
+5 393 M
+( certified by a central authority before authorization is possible.) s
+5 382 M
+( Also, a lot of trust is placed on the central infrastructure.) s
+5 360 M
+( The protocol provides the option that the server name - host key) s
+5 349 M
+( association is not checked when connecting to the host for the first) s
+5 338 M
+( time. This allows communication without prior communication of host) s
+5 327 M
+( keys or certification. The connection still provides protection) s
+5 316 M
+( against passive listening; however, it becomes vulnerable to active) s
+5 305 M
+( man-in-the-middle attacks. Implementations SHOULD NOT normally allow) s
+5 294 M
+( such connections by default, as they pose a potential security) s
+5 283 M
+( problem. However, as there is no widely deployed key infrastructure) s
+5 272 M
+( available on the Internet yet, this option makes the protocol much) s
+5 261 M
+( more usable during the transition time until such an infrastructure) s
+5 250 M
+( emerges, while still providing a much higher level of security than) s
+5 239 M
+( that offered by older solutions \(e.g. telnet [RFC-854] and rlogin) s
+5 228 M
+( [RFC-1282]\).) s
+5 206 M
+( Implementations SHOULD try to make the best effort to check host) s
+5 195 M
+( keys. An example of a possible strategy is to only accept a host key) s
+5 184 M
+( without checking the first time a host is connected, save the key in) s
+5 173 M
+( a local database, and compare against that key on all future) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 4]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (4,5) 3
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 5 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( connections to that host.) s
+5 668 M
+( Implementations MAY provide additional methods for verifying the) s
+5 657 M
+( correctness of host keys, e.g. a hexadecimal fingerprint derived from) s
+5 646 M
+( the SHA-1 hash of the public key. Such fingerprints can easily be) s
+5 635 M
+( verified by using telephone or other external communication channels.) s
+5 613 M
+( All implementations SHOULD provide an option to not accept host keys) s
+5 602 M
+( that cannot be verified.) s
+5 580 M
+( We believe that ease of use is critical to end-user acceptance of) s
+5 569 M
+( security solutions, and no improvement in security is gained if the) s
+5 558 M
+( new solutions are not used. Thus, providing the option not to check) s
+5 547 M
+( the server host key is believed to improve the overall security of) s
+5 536 M
+( the Internet, even though it reduces the security of the protocol in) s
+5 525 M
+( configurations where it is allowed.) s
+5 503 M
+(4.2 Extensibility) s
+5 481 M
+( We believe that the protocol will evolve over time, and some) s
+5 470 M
+( organizations will want to use their own encryption, authentication) s
+5 459 M
+( and/or key exchange methods. Central registration of all extensions) s
+5 448 M
+( is cumbersome, especially for experimental or classified features.) s
+5 437 M
+( On the other hand, having no central registration leads to conflicts) s
+5 426 M
+( in method identifiers, making interoperability difficult.) s
+5 404 M
+( We have chosen to identify algorithms, methods, formats, and) s
+5 393 M
+( extension protocols with textual names that are of a specific format.) s
+5 382 M
+( DNS names are used to create local namespaces where experimental or) s
+5 371 M
+( classified extensions can be defined without fear of conflicts with) s
+5 360 M
+( other implementations.) s
+5 338 M
+( One design goal has been to keep the base protocol as simple as) s
+5 327 M
+( possible, and to require as few algorithms as possible. However, all) s
+5 316 M
+( implementations MUST support a minimal set of algorithms to ensure) s
+5 305 M
+( interoperability \(this does not imply that the local policy on all) s
+5 294 M
+( hosts would necessary allow these algorithms\). The mandatory) s
+5 283 M
+( algorithms are specified in the relevant protocol documents.) s
+5 261 M
+( Additional algorithms, methods, formats, and extension protocols can) s
+5 250 M
+( be defined in separate drafts. See Section Algorithm Naming \(Section) s
+5 239 M
+( 6\) for more information.) s
+5 217 M
+(4.3 Policy Issues) s
+5 195 M
+( The protocol allows full negotiation of encryption, integrity, key) s
+5 184 M
+( exchange, compression, and public key algorithms and formats.) s
+5 173 M
+( Encryption, integrity, public key, and compression algorithms can be) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 5]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 6 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( different for each direction.) s
+5 668 M
+( The following policy issues SHOULD be addressed in the configuration) s
+5 657 M
+( mechanisms of each implementation:) s
+5 646 M
+( o Encryption, integrity, and compression algorithms, separately for) s
+5 635 M
+( each direction. The policy MUST specify which is the preferred) s
+5 624 M
+( algorithm \(e.g. the first algorithm listed in each category\).) s
+5 613 M
+( o Public key algorithms and key exchange method to be used for host) s
+5 602 M
+( authentication. The existence of trusted host keys for different) s
+5 591 M
+( public key algorithms also affects this choice.) s
+5 580 M
+( o The authentication methods that are to be required by the server) s
+5 569 M
+( for each user. The server's policy MAY require multiple) s
+5 558 M
+( authentication for some or all users. The required algorithms MAY) s
+5 547 M
+( depend on the location where the user is trying to log in from.) s
+5 536 M
+( o The operations that the user is allowed to perform using the) s
+5 525 M
+( connection protocol. Some issues are related to security; for) s
+5 514 M
+( example, the policy SHOULD NOT allow the server to start sessions) s
+5 503 M
+( or run commands on the client machine, and MUST NOT allow) s
+5 492 M
+( connections to the authentication agent unless forwarding such) s
+5 481 M
+( connections has been requested. Other issues, such as which TCP/) s
+5 470 M
+( IP ports can be forwarded and by whom, are clearly issues of local) s
+5 459 M
+( policy. Many of these issues may involve traversing or bypassing) s
+5 448 M
+( firewalls, and are interrelated with the local security policy.) s
+5 426 M
+(4.4 Security Properties) s
+5 404 M
+( The primary goal of the SSH protocol is improved security on the) s
+5 393 M
+( Internet. It attempts to do this in a way that is easy to deploy,) s
+5 382 M
+( even at the cost of absolute security.) s
+5 371 M
+( o All encryption, integrity, and public key algorithms used are) s
+5 360 M
+( well-known, well-established algorithms.) s
+5 349 M
+( o All algorithms are used with cryptographically sound key sizes) s
+5 338 M
+( that are believed to provide protection against even the strongest) s
+5 327 M
+( cryptanalytic attacks for decades.) s
+5 316 M
+( o All algorithms are negotiated, and in case some algorithm is) s
+5 305 M
+( broken, it is easy to switch to some other algorithm without) s
+5 294 M
+( modifying the base protocol.) s
+5 272 M
+( Specific concessions were made to make wide-spread fast deployment) s
+5 261 M
+( easier. The particular case where this comes up is verifying that) s
+5 250 M
+( the server host key really belongs to the desired host; the protocol) s
+5 239 M
+( allows the verification to be left out \(but this is NOT RECOMMENDED\).) s
+5 228 M
+( This is believed to significantly improve usability in the short) s
+5 217 M
+( term, until widespread Internet public key infrastructures emerge.) s
+5 195 M
+(4.5 Packet Size and Overhead) s
+5 173 M
+( Some readers will worry about the increase in packet size due to new) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 6]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (6,7) 4
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 7 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( headers, padding, and MAC. The minimum packet size is in the order) s
+5 679 M
+( of 28 bytes \(depending on negotiated algorithms\). The increase is) s
+5 668 M
+( negligible for large packets, but very significant for one-byte) s
+5 657 M
+( packets \(telnet-type sessions\). There are, however, several factors) s
+5 646 M
+( that make this a non-issue in almost all cases:) s
+5 635 M
+( o The minimum size of a TCP/IP header is 32 bytes. Thus, the) s
+5 624 M
+( increase is actually from 33 to 51 bytes \(roughly\).) s
+5 613 M
+( o The minimum size of the data field of an Ethernet packet is 46) s
+5 602 M
+( bytes [RFC-894]. Thus, the increase is no more than 5 bytes. When) s
+5 591 M
+( Ethernet headers are considered, the increase is less than 10) s
+5 580 M
+( percent.) s
+5 569 M
+( o The total fraction of telnet-type data in the Internet is) s
+5 558 M
+( negligible, even with increased packet sizes.) s
+5 536 M
+( The only environment where the packet size increase is likely to have) s
+5 525 M
+( a significant effect is PPP [RFC-1134] over slow modem lines \(PPP) s
+5 514 M
+( compresses the TCP/IP headers, emphasizing the increase in packet) s
+5 503 M
+( size\). However, with modern modems, the time needed to transfer is in) s
+5 492 M
+( the order of 2 milliseconds, which is a lot faster than people can) s
+5 481 M
+( type.) s
+5 459 M
+( There are also issues related to the maximum packet size. To) s
+5 448 M
+( minimize delays in screen updates, one does not want excessively) s
+5 437 M
+( large packets for interactive sessions. The maximum packet size is) s
+5 426 M
+( negotiated separately for each channel.) s
+5 404 M
+(4.6 Localization and Character Set Support) s
+5 382 M
+( For the most part, the SSH protocols do not directly pass text that) s
+5 371 M
+( would be displayed to the user. However, there are some places where) s
+5 360 M
+( such data might be passed. When applicable, the character set for the) s
+5 349 M
+( data MUST be explicitly specified. In most places, ISO 10646 with) s
+5 338 M
+( UTF-8 encoding is used [RFC-2279]. When applicable, a field is also) s
+5 327 M
+( provided for a language tag [RFC-3066].) s
+5 305 M
+( One big issue is the character set of the interactive session. There) s
+5 294 M
+( is no clear solution, as different applications may display data in) s
+5 283 M
+( different formats. Different types of terminal emulation may also be) s
+5 272 M
+( employed in the client, and the character set to be used is) s
+5 261 M
+( effectively determined by the terminal emulation. Thus, no place is) s
+5 250 M
+( provided for directly specifying the character set or encoding for) s
+5 239 M
+( terminal session data. However, the terminal emulation type \(e.g.) s
+5 228 M
+( "vt100"\) is transmitted to the remote site, and it implicitly) s
+5 217 M
+( specifies the character set and encoding. Applications typically use) s
+5 206 M
+( the terminal type to determine what character set they use, or the) s
+5 195 M
+( character set is determined using some external means. The terminal) s
+5 184 M
+( emulation may also allow configuring the default character set. In) s
+5 173 M
+( any case, the character set for the terminal session is considered) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 7]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 8 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( primarily a client local issue.) s
+5 668 M
+( Internal names used to identify algorithms or protocols are normally) s
+5 657 M
+( never displayed to users, and must be in US-ASCII.) s
+5 635 M
+( The client and server user names are inherently constrained by what) s
+5 624 M
+( the server is prepared to accept. They might, however, occasionally) s
+5 613 M
+( be displayed in logs, reports, etc. They MUST be encoded using ISO) s
+5 602 M
+( 10646 UTF-8, but other encodings may be required in some cases. It) s
+5 591 M
+( is up to the server to decide how to map user names to accepted user) s
+5 580 M
+( names. Straight bit-wise binary comparison is RECOMMENDED.) s
+5 558 M
+( For localization purposes, the protocol attempts to minimize the) s
+5 547 M
+( number of textual messages transmitted. When present, such messages) s
+5 536 M
+( typically relate to errors, debugging information, or some externally) s
+5 525 M
+( configured data. For data that is normally displayed, it SHOULD be) s
+5 514 M
+( possible to fetch a localized message instead of the transmitted) s
+5 503 M
+( message by using a numerical code. The remaining messages SHOULD be) s
+5 492 M
+( configurable.) s
+5 470 M
+(5. Data Type Representations Used in the SSH Protocols) s
+5 459 M
+( byte) s
+5 437 M
+( A byte represents an arbitrary 8-bit value \(octet\) [RFC-1700].) s
+5 426 M
+( Fixed length data is sometimes represented as an array of bytes,) s
+5 415 M
+( written byte[n], where n is the number of bytes in the array.) s
+5 393 M
+( boolean) s
+5 371 M
+( A boolean value is stored as a single byte. The value 0) s
+5 360 M
+( represents FALSE, and the value 1 represents TRUE. All non-zero) s
+5 349 M
+( values MUST be interpreted as TRUE; however, applications MUST NOT) s
+5 338 M
+( store values other than 0 and 1.) s
+5 316 M
+( uint32) s
+5 294 M
+( Represents a 32-bit unsigned integer. Stored as four bytes in the) s
+5 283 M
+( order of decreasing significance \(network byte order\). For) s
+5 272 M
+( example, the value 699921578 \(0x29b7f4aa\) is stored as 29 b7 f4) s
+5 261 M
+( aa.) s
+5 239 M
+( uint64) s
+5 217 M
+( Represents a 64-bit unsigned integer. Stored as eight bytes in) s
+5 206 M
+( the order of decreasing significance \(network byte order\).) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 8]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (8,9) 5
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 9 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( string) s
+5 668 M
+( Arbitrary length binary string. Strings are allowed to contain) s
+5 657 M
+( arbitrary binary data, including null characters and 8-bit) s
+5 646 M
+( characters. They are stored as a uint32 containing its length) s
+5 635 M
+( \(number of bytes that follow\) and zero \(= empty string\) or more) s
+5 624 M
+( bytes that are the value of the string. Terminating null) s
+5 613 M
+( characters are not used.) s
+5 591 M
+( Strings are also used to store text. In that case, US-ASCII is) s
+5 580 M
+( used for internal names, and ISO-10646 UTF-8 for text that might) s
+5 569 M
+( be displayed to the user. The terminating null character SHOULD) s
+5 558 M
+( NOT normally be stored in the string.) s
+5 536 M
+( For example, the US-ASCII string "testing" is represented as 00 00) s
+5 525 M
+( 00 07 t e s t i n g. The UTF8 mapping does not alter the encoding) s
+5 514 M
+( of US-ASCII characters.) s
+5 492 M
+( mpint) s
+5 470 M
+( Represents multiple precision integers in two's complement format,) s
+5 459 M
+( stored as a string, 8 bits per byte, MSB first. Negative numbers) s
+5 448 M
+( have the value 1 as the most significant bit of the first byte of) s
+5 437 M
+( the data partition. If the most significant bit would be set for a) s
+5 426 M
+( positive number, the number MUST be preceded by a zero byte.) s
+5 415 M
+( Unnecessary leading bytes with the value 0 or 255 MUST NOT be) s
+5 404 M
+( included. The value zero MUST be stored as a string with zero) s
+5 393 M
+( bytes of data.) s
+5 371 M
+( By convention, a number that is used in modular computations in) s
+5 360 M
+( Z_n SHOULD be represented in the range 0 <= x < n.) s
+5 338 M
+( Examples:) s
+5 327 M
+( value \(hex\) representation \(hex\)) s
+5 316 M
+( ---------------------------------------------------------------) s
+5 305 M
+( 0 00 00 00 00) s
+5 294 M
+( 9a378f9b2e332a7 00 00 00 08 09 a3 78 f9 b2 e3 32 a7) s
+5 283 M
+( 80 00 00 00 02 00 80) s
+5 272 M
+( -1234 00 00 00 02 ed cc) s
+5 261 M
+( -deadbeef 00 00 00 05 ff 21 52 41 11) s
+5 217 M
+( name-list) s
+5 195 M
+( A string containing a comma separated list of names. A name list) s
+5 184 M
+( is represented as a uint32 containing its length \(number of bytes) s
+5 173 M
+( that follow\) followed by a comma-separated list of zero or more) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 9]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 10 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( names. A name MUST be non-zero length, and it MUST NOT contain a) s
+5 679 M
+( comma \(','\). Context may impose additional restrictions on the) s
+5 668 M
+( names; for example, the names in a list may have to be valid) s
+5 657 M
+( algorithm identifier \(see Algorithm Naming below\), or [RFC-3066]) s
+5 646 M
+( language tags. The order of the names in a list may or may not be) s
+5 635 M
+( significant, also depending on the context where the list is is) s
+5 624 M
+( used. Terminating NUL characters are not used, neither for the) s
+5 613 M
+( individual names, nor for the list as a whole.) s
+5 591 M
+( Examples:) s
+5 580 M
+( value representation \(hex\)) s
+5 569 M
+( ---------------------------------------) s
+5 558 M
+( \(\), the empty list 00 00 00 00) s
+5 547 M
+( \("zlib"\) 00 00 00 04 7a 6c 69 62) s
+5 536 M
+( \("zlib", "none"\) 00 00 00 09 7a 6c 69 62 2c 6e 6f 6e 65) s
+5 481 M
+(6. Algorithm Naming) s
+5 459 M
+( The SSH protocols refer to particular hash, encryption, integrity,) s
+5 448 M
+( compression, and key exchange algorithms or protocols by names.) s
+5 437 M
+( There are some standard algorithms that all implementations MUST) s
+5 426 M
+( support. There are also algorithms that are defined in the protocol) s
+5 415 M
+( specification but are OPTIONAL. Furthermore, it is expected that) s
+5 404 M
+( some organizations will want to use their own algorithms.) s
+5 382 M
+( In this protocol, all algorithm identifiers MUST be printable) s
+5 371 M
+( US-ASCII non-empty strings no longer than 64 characters. Names MUST) s
+5 360 M
+( be case-sensitive.) s
+5 338 M
+( There are two formats for algorithm names:) s
+5 327 M
+( o Names that do not contain an at-sign \(@\) are reserved to be) s
+5 316 M
+( assigned by IETF consensus \(RFCs\). Examples include `3des-cbc',) s
+5 305 M
+( `sha-1', `hmac-sha1', and `zlib' \(the quotes are not part of the) s
+5 294 M
+( name\). Names of this format MUST NOT be used without first) s
+5 283 M
+( registering them. Registered names MUST NOT contain an at-sign) s
+5 272 M
+( \(@\) or a comma \(,\).) s
+5 261 M
+( o Anyone can define additional algorithms by using names in the) s
+5 250 M
+( format name@domainname, e.g. "[email protected]". The) s
+5 239 M
+( format of the part preceding the at sign is not specified; it MUST) s
+5 228 M
+( consist of US-ASCII characters except at-sign and comma. The part) s
+5 217 M
+( following the at-sign MUST be a valid fully qualified internet) s
+5 206 M
+( domain name [RFC-1034] controlled by the person or organization) s
+5 195 M
+( defining the name. It is up to each domain how it manages its) s
+5 184 M
+( local namespace.) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 10]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (10,11) 6
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 11 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+(7. Message Numbers) s
+5 668 M
+( SSH packets have message numbers in the range 1 to 255. These numbers) s
+5 657 M
+( have been allocated as follows:) s
+5 624 M
+( Transport layer protocol:) s
+5 602 M
+( 1 to 19 Transport layer generic \(e.g. disconnect, ignore, debug,) s
+5 591 M
+( etc.\)) s
+5 580 M
+( 20 to 29 Algorithm negotiation) s
+5 569 M
+( 30 to 49 Key exchange method specific \(numbers can be reused for) s
+5 558 M
+( different authentication methods\)) s
+5 536 M
+( User authentication protocol:) s
+5 514 M
+( 50 to 59 User authentication generic) s
+5 503 M
+( 60 to 79 User authentication method specific \(numbers can be) s
+5 492 M
+( reused for different authentication methods\)) s
+5 470 M
+( Connection protocol:) s
+5 448 M
+( 80 to 89 Connection protocol generic) s
+5 437 M
+( 90 to 127 Channel related messages) s
+5 415 M
+( Reserved for client protocols:) s
+5 393 M
+( 128 to 191 Reserved) s
+5 371 M
+( Local extensions:) s
+5 349 M
+( 192 to 255 Local extensions) s
+5 305 M
+(8. IANA Considerations) s
+5 283 M
+( The initial state of the IANA registry is detailed in [SSH-NUMBERS].) s
+5 261 M
+( Allocation of the following types of names in the SSH protocols is) s
+5 250 M
+( assigned by IETF consensus:) s
+5 239 M
+( o SSH encryption algorithm names,) s
+5 228 M
+( o SSH MAC algorithm names,) s
+5 217 M
+( o SSH public key algorithm names \(public key algorithm also implies) s
+5 206 M
+( encoding and signature/encryption capability\),) s
+5 195 M
+( o SSH key exchange method names, and) s
+5 184 M
+( o SSH protocol \(service\) names.) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 11]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 12 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( These names MUST be printable US-ASCII strings, and MUST NOT contain) s
+5 679 M
+( the characters at-sign \('@'\), comma \(','\), or whitespace or control) s
+5 668 M
+( characters \(ASCII codes 32 or less\). Names are case-sensitive, and) s
+5 657 M
+( MUST NOT be longer than 64 characters.) s
+5 635 M
+( Names with the at-sign \('@'\) in them are allocated by the owner of) s
+5 624 M
+( DNS name after the at-sign \(hierarchical allocation in [RFC-2343]\),) s
+5 613 M
+( otherwise the same restrictions as above.) s
+5 591 M
+( Each category of names listed above has a separate namespace.) s
+5 580 M
+( However, using the same name in multiple categories SHOULD be avoided) s
+5 569 M
+( to minimize confusion.) s
+5 547 M
+( Message numbers \(see Section Message Numbers \(Section 7\)\) in the) s
+5 536 M
+( range of 0..191 are allocated via IETF consensus; message numbers in) s
+5 525 M
+( the 192..255 range \(the "Local extensions" set\) are reserved for) s
+5 514 M
+( private use.) s
+5 492 M
+(9. Security Considerations) s
+5 470 M
+( In order to make the entire body of Security Considerations more) s
+5 459 M
+( accessible, Security Considerations for the transport,) s
+5 448 M
+( authentication, and connection documents have been gathered here.) s
+5 426 M
+( The transport protocol [1] provides a confidential channel over an) s
+5 415 M
+( insecure network. It performs server host authentication, key) s
+5 404 M
+( exchange, encryption, and integrity protection. It also derives a) s
+5 393 M
+( unique session id that may be used by higher-level protocols.) s
+5 371 M
+( The authentication protocol [2] provides a suite of mechanisms which) s
+5 360 M
+( can be used to authenticate the client user to the server.) s
+5 349 M
+( Individual mechanisms specified in the in authentication protocol use) s
+5 338 M
+( the session id provided by the transport protocol and/or depend on) s
+5 327 M
+( the security and integrity guarantees of the transport protocol.) s
+5 305 M
+( The connection protocol [3] specifies a mechanism to multiplex) s
+5 294 M
+( multiple streams [channels] of data over the confidential and) s
+5 283 M
+( authenticated transport. It also specifies channels for accessing an) s
+5 272 M
+( interactive shell, for 'proxy-forwarding' various external protocols) s
+5 261 M
+( over the secure transport \(including arbitrary TCP/IP protocols\), and) s
+5 250 M
+( for accessing secure 'subsystems' on the server host.) s
+5 228 M
+(9.1 Pseudo-Random Number Generation) s
+5 206 M
+( This protocol binds each session key to the session by including) s
+5 195 M
+( random, session specific data in the hash used to produce session) s
+5 184 M
+( keys. Special care should be taken to ensure that all of the random) s
+5 173 M
+( numbers are of good quality. If the random data here \(e.g., DH) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 12]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (12,13) 7
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 13 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( parameters\) are pseudo-random then the pseudo-random number generator) s
+5 679 M
+( should be cryptographically secure \(i.e., its next output not easily) s
+5 668 M
+( guessed even when knowing all previous outputs\) and, furthermore,) s
+5 657 M
+( proper entropy needs to be added to the pseudo-random number) s
+5 646 M
+( generator. RFC 1750 [1750] offers suggestions for sources of random) s
+5 635 M
+( numbers and entropy. Implementors should note the importance of) s
+5 624 M
+( entropy and the well-meant, anecdotal warning about the difficulty in) s
+5 613 M
+( properly implementing pseudo-random number generating functions.) s
+5 591 M
+( The amount of entropy available to a given client or server may) s
+5 580 M
+( sometimes be less than what is required. In this case one must) s
+5 569 M
+( either resort to pseudo-random number generation regardless of) s
+5 558 M
+( insufficient entropy or refuse to run the protocol. The latter is) s
+5 547 M
+( preferable.) s
+5 525 M
+(9.2 Transport) s
+5 503 M
+(9.2.1 Confidentiality) s
+5 481 M
+( It is beyond the scope of this document and the Secure Shell Working) s
+5 470 M
+( Group to analyze or recommend specific ciphers other than the ones) s
+5 459 M
+( which have been established and accepted within the industry. At the) s
+5 448 M
+( time of this writing, ciphers commonly in use include 3DES, ARCFOUR,) s
+5 437 M
+( twofish, serpent and blowfish. AES has been accepted by The) s
+5 426 M
+( published as a US Federal Information Processing Standards [FIPS-197]) s
+5 415 M
+( and the cryptographic community as being acceptable for this purpose) s
+5 404 M
+( as well has accepted AES. As always, implementors and users should) s
+5 393 M
+( check current literature to ensure that no recent vulnerabilities) s
+5 382 M
+( have been found in ciphers used within products. Implementors should) s
+5 371 M
+( also check to see which ciphers are considered to be relatively) s
+5 360 M
+( stronger than others and should recommend their use to users over) s
+5 349 M
+( relatively weaker ciphers. It would be considered good form for an) s
+5 338 M
+( implementation to politely and unobtrusively notify a user that a) s
+5 327 M
+( stronger cipher is available and should be used when a weaker one is) s
+5 316 M
+( actively chosen.) s
+5 294 M
+( The "none" cipher is provided for debugging and SHOULD NOT be used) s
+5 283 M
+( except for that purpose. It's cryptographic properties are) s
+5 272 M
+( sufficiently described in RFC 2410, which will show that its use does) s
+5 261 M
+( not meet the intent of this protocol.) s
+5 239 M
+( The relative merits of these and other ciphers may also be found in) s
+5 228 M
+( current literature. Two references that may provide information on) s
+5 217 M
+( the subject are [SCHNEIER] and [KAUFMAN,PERLMAN,SPECINER]. Both of) s
+5 206 M
+( these describe the CBC mode of operation of certain ciphers and the) s
+5 195 M
+( weakness of this scheme. Essentially, this mode is theoretically) s
+5 184 M
+( vulnerable to chosen cipher-text attacks because of the high) s
+5 173 M
+( predictability of the start of packet sequence. However, this attack) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 13]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 14 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( is still deemed difficult and not considered fully practicable) s
+5 679 M
+( especially if relatively longer block sizes are used.) s
+5 657 M
+( Additionally, another CBC mode attack may be mitigated through the) s
+5 646 M
+( insertion of packets containing SSH_MSG_IGNORE. Without this) s
+5 635 M
+( technique, a specific attack may be successful. For this attack) s
+5 624 M
+( \(commonly known as the Rogaway attack) s
+5 613 M
+( [ROGAWAY],[DAI],[BELLARE,KOHNO,NAMPREMPRE]\) to work, the attacker) s
+5 602 M
+( would need to know the IV of the next block that is going to be) s
+5 591 M
+( encrypted. In CBC mode that is the output of the encryption of the) s
+5 580 M
+( previous block. If the attacker does not have any way to see the) s
+5 569 M
+( packet yet \(i.e it is in the internal buffers of the ssh) s
+5 558 M
+( implementation or even in the kernel\) then this attack will not work.) s
+5 547 M
+( If the last packet has been sent out to the network \(i.e the attacker) s
+5 536 M
+( has access to it\) then he can use the attack.) s
+5 514 M
+( In the optimal case an implementor would need to add an extra packet) s
+5 503 M
+( only if the packet has been sent out onto the network and there are) s
+5 492 M
+( no other packets waiting for transmission. Implementors may wish to) s
+5 481 M
+( check to see if there are any unsent packets awaiting transmission,) s
+5 470 M
+( but unfortunately it is not normally easy to obtain this information) s
+5 459 M
+( from the kernel or buffers. If there are not, then a packet) s
+5 448 M
+( containing SSH_MSG_IGNORE SHOULD be sent. If a new packet is added) s
+5 437 M
+( to the stream every time the attacker knows the IV that is supposed) s
+5 426 M
+( to be used for the next packet, then the attacker will not be able to) s
+5 415 M
+( guess the correct IV, thus the attack will never be successfull.) s
+5 393 M
+( As an example, consider the following case:) s
+5 360 M
+( Client Server) s
+5 349 M
+( ------ ------) s
+5 338 M
+( TCP\(seq=x, len=500\) ->) s
+5 327 M
+( contains Record 1) s
+5 305 M
+( [500 ms passes, no ACK]) s
+5 283 M
+( TCP\(seq=x, len=1000\) ->) s
+5 272 M
+( contains Records 1,2) s
+5 250 M
+( ACK) s
+5 217 M
+( 1. The Nagle algorithm + TCP retransmits mean that the two records) s
+5 206 M
+( get coalesced into a single TCP segment) s
+5 195 M
+( 2. Record 2 is *not* at the beginning of the TCP segment and never) s
+5 184 M
+( will be, since it gets ACKed.) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 14]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (14,15) 8
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 15 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( 3. Yet, the attack is possible because Record 1 has already been) s
+5 679 M
+( seen.) s
+5 657 M
+( As this example indicates, it's totally unsafe to use the existence) s
+5 646 M
+( of unflushed data in the TCP buffers proper as a guide to whether you) s
+5 635 M
+( need an empty packet, since when you do the second write\(\), the) s
+5 624 M
+( buffers will contain the un-ACKed Record 1.) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 15]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 16 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( On the other hand, it's perfectly safe to have the following) s
+5 679 M
+( situation:) s
+5 646 M
+( Client Server) s
+5 635 M
+( ------ ------) s
+5 624 M
+( TCP\(seq=x, len=500\) ->) s
+5 613 M
+( contains SSH_MSG_IGNORE) s
+5 591 M
+( TCP\(seq=y, len=500\) ->) s
+5 580 M
+( contains Data) s
+5 558 M
+( Provided that the IV for second SSH Record is fixed after the data for) s
+5 547 M
+( the Data packet is determined -i.e. you do:) s
+5 536 M
+( read from user) s
+5 525 M
+( encrypt null packet) s
+5 514 M
+( encrypt data packet) s
+5 481 M
+(9.2.2 Data Integrity) s
+5 459 M
+( This protocol does allow the Data Integrity mechanism to be disabled.) s
+5 448 M
+( Implementors SHOULD be wary of exposing this feature for any purpose) s
+5 437 M
+( other than debugging. Users and administrators SHOULD be explicitly) s
+5 426 M
+( warned anytime the "none" MAC is enabled.) s
+5 404 M
+( So long as the "none" MAC is not used, this protocol provides data) s
+5 393 M
+( integrity.) s
+5 371 M
+( Because MACs use a 32 bit sequence number, they might start to leak) s
+5 360 M
+( information after 2**32 packets have been sent. However, following) s
+5 349 M
+( the rekeying recommendations should prevent this attack. The) s
+5 338 M
+( transport protocol [1] recommends rekeying after one gigabyte of) s
+5 327 M
+( data, and the smallest possible packet is 16 bytes. Therefore,) s
+5 316 M
+( rekeying SHOULD happen after 2**28 packets at the very most.) s
+5 294 M
+(9.2.3 Replay) s
+5 272 M
+( The use of a MAC other than 'none' provides integrity and) s
+5 261 M
+( authentication. In addition, the transport protocol provides a) s
+5 250 M
+( unique session identifier \(bound in part to pseudo-random data that) s
+5 239 M
+( is part of the algorithm and key exchange process\) that can be used) s
+5 228 M
+( by higher level protocols to bind data to a given session and prevent) s
+5 217 M
+( replay of data from prior sessions. For example, the authentication) s
+5 206 M
+( protocol uses this to prevent replay of signatures from previous) s
+5 195 M
+( sessions. Because public key authentication exchanges are) s
+5 184 M
+( cryptographically bound to the session \(i.e., to the initial key) s
+5 173 M
+( exchange\) they cannot be successfully replayed in other sessions.) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 16]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (16,17) 9
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 17 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( Note that the session ID can be made public without harming the) s
+5 679 M
+( security of the protocol.) s
+5 657 M
+( If two session happen to have the same session ID [hash of key) s
+5 646 M
+( exchanges] then packets from one can be replayed against the other.) s
+5 635 M
+( It must be stressed that the chances of such an occurrence are,) s
+5 624 M
+( needless to say, minimal when using modern cryptographic methods.) s
+5 613 M
+( This is all the more so true when specifying larger hash function) s
+5 602 M
+( outputs and DH parameters.) s
+5 580 M
+( Replay detection using monotonically increasing sequence numbers as) s
+5 569 M
+( input to the MAC, or HMAC in some cases, is described in [RFC2085] />) s
+5 558 M
+( [RFC2246], [RFC2743], [RFC1964], [RFC2025], and [RFC1510]. The) s
+5 547 M
+( underlying construct is discussed in [RFC2104]. Essentially a) s
+5 536 M
+( different sequence number in each packet ensures that at least this) s
+5 525 M
+( one input to the MAC function will be unique and will provide a) s
+5 514 M
+( nonrecurring MAC output that is not predictable to an attacker. If) s
+5 503 M
+( the session stays active long enough, however, this sequence number) s
+5 492 M
+( will wrap. This event may provide an attacker an opportunity to) s
+5 481 M
+( replay a previously recorded packet with an identical sequence number) s
+5 470 M
+( but only if the peers have not rekeyed since the transmission of the) s
+5 459 M
+( first packet with that sequence number. If the peers have rekeyed,) s
+5 448 M
+( then the replay will be detected as the MAC check will fail. For) s
+5 437 M
+( this reason, it must be emphasized that peers MUST rekey before a) s
+5 426 M
+( wrap of the sequence numbers. Naturally, if an attacker does attempt) s
+5 415 M
+( to replay a captured packet before the peers have rekeyed, then the) s
+5 404 M
+( receiver of the duplicate packet will not be able to validate the MAC) s
+5 393 M
+( and it will be discarded. The reason that the MAC will fail is) s
+5 382 M
+( because the receiver will formulate a MAC based upon the packet) s
+5 371 M
+( contents, the shared secret, and the expected sequence number. Since) s
+5 360 M
+( the replayed packet will not be using that expected sequence number) s
+5 349 M
+( \(the sequence number of the replayed packet will have already been) s
+5 338 M
+( passed by the receiver\) then the calculated MAC will not match the) s
+5 327 M
+( MAC received with the packet.) s
+5 305 M
+(9.2.4 Man-in-the-middle) s
+5 283 M
+( This protocol makes no assumptions nor provisions for an) s
+5 272 M
+( infrastructure or means for distributing the public keys of hosts. It) s
+5 261 M
+( is expected that this protocol will sometimes be used without first) s
+5 250 M
+( verifying the association between the server host key and the server) s
+5 239 M
+( host name. Such usage is vulnerable to man-in-the-middle attacks.) s
+5 228 M
+( This section describes this and encourages administrators and users) s
+5 217 M
+( to understand the importance of verifying this association before any) s
+5 206 M
+( session is initiated.) s
+5 184 M
+( There are three cases of man-in-the-middle attacks to consider. The) s
+5 173 M
+( first is where an attacker places a device between the client and the) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 17]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 18 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( server before the session is initiated. In this case, the attack) s
+5 679 M
+( device is trying to mimic the legitimate server and will offer its) s
+5 668 M
+( public key to the client when the client initiates a session. If it) s
+5 657 M
+( were to offer the public key of the server, then it would not be able) s
+5 646 M
+( to decrypt or sign the transmissions between the legitimate server) s
+5 635 M
+( and the client unless it also had access to the private-key of the) s
+5 624 M
+( host. The attack device will also, simultaneously to this, initiate) s
+5 613 M
+( a session to the legitimate server masquerading itself as the client.) s
+5 602 M
+( If the public key of the server had been securely distributed to the) s
+5 591 M
+( client prior to that session initiation, the key offered to the) s
+5 580 M
+( client by the attack device will not match the key stored on the) s
+5 569 M
+( client. In that case, the user SHOULD be given a warning that the) s
+5 558 M
+( offered host key does not match the host key cached on the client.) s
+5 547 M
+( As described in Section 3.1 of [ARCH], the user may be free to accept) s
+5 536 M
+( the new key and continue the session. It is RECOMMENDED that the) s
+5 525 M
+( warning provide sufficient information to the user of the client) s
+5 514 M
+( device so they may make an informed decision. If the user chooses to) s
+5 503 M
+( continue the session with the stored public-key of the server \(not) s
+5 492 M
+( the public-key offered at the start of the session\), then the session) s
+5 481 M
+( specific data between the attacker and server will be different) s
+5 470 M
+( between the client-to-attacker session and the attacker-to-server) s
+5 459 M
+( sessions due to the randomness discussed above. From this, the) s
+5 448 M
+( attacker will not be able to make this attack work since the attacker) s
+5 437 M
+( will not be able to correctly sign packets containing this session) s
+5 426 M
+( specific data from the server since he does not have the private key) s
+5 415 M
+( of that server.) s
+5 393 M
+( The second case that should be considered is similar to the first) s
+5 382 M
+( case in that it also happens at the time of connection but this case) s
+5 371 M
+( points out the need for the secure distribution of server public) s
+5 360 M
+( keys. If the server public keys are not securely distributed then) s
+5 349 M
+( the client cannot know if it is talking to the intended server. An) s
+5 338 M
+( attacker may use social engineering techniques to pass off server) s
+5 327 M
+( keys to unsuspecting users and may then place a man-in-the-middle) s
+5 316 M
+( attack device between the legitimate server and the clients. If this) s
+5 305 M
+( is allowed to happen then the clients will form client-to-attacker) s
+5 294 M
+( sessions and the attacker will form attacker-to-server sessions and) s
+5 283 M
+( will be able to monitor and manipulate all of the traffic between the) s
+5 272 M
+( clients and the legitimate servers. Server administrators are) s
+5 261 M
+( encouraged to make host key fingerprints available for checking by) s
+5 250 M
+( some means whose security does not rely on the integrity of the) s
+5 239 M
+( actual host keys. Possible mechanisms are discussed in Section 3.1) s
+5 228 M
+( of [SSH-ARCH] and may also include secured Web pages, physical pieces) s
+5 217 M
+( of paper, etc. Implementors SHOULD provide recommendations on how) s
+5 206 M
+( best to do this with their implementation. Because the protocol is) s
+5 195 M
+( extensible, future extensions to the protocol may provide better) s
+5 184 M
+( mechanisms for dealing with the need to know the server's host key) s
+5 173 M
+( before connecting. For example, making the host key fingerprint) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 18]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (18,19) 10
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 19 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( available through a secure DNS lookup, or using kerberos over gssapi) s
+5 679 M
+( during key exchange to authenticate the server are possibilities.) s
+5 657 M
+( In the third man-in-the-middle case, attackers may attempt to) s
+5 646 M
+( manipulate packets in transit between peers after the session has) s
+5 635 M
+( been established. As described in the Replay part of this section, a) s
+5 624 M
+( successful attack of this nature is very improbable. As in the) s
+5 613 M
+( Replay section, this reasoning does assume that the MAC is secure and) s
+5 602 M
+( that it is infeasible to construct inputs to a MAC algorithm to give) s
+5 591 M
+( a known output. This is discussed in much greater detail in Section) s
+5 580 M
+( 6 of RFC 2104. If the MAC algorithm has a vulnerability or is weak) s
+5 569 M
+( enough, then the attacker may be able to specify certain inputs to) s
+5 558 M
+( yield a known MAC. With that they may be able to alter the contents) s
+5 547 M
+( of a packet in transit. Alternatively the attacker may be able to) s
+5 536 M
+( exploit the algorithm vulnerability or weakness to find the shared) s
+5 525 M
+( secret by reviewing the MACs from captured packets. In either of) s
+5 514 M
+( those cases, an attacker could construct a packet or packets that) s
+5 503 M
+( could be inserted into an SSH stream. To prevent that, implementors) s
+5 492 M
+( are encouraged to utilize commonly accepted MAC algorithms and) s
+5 481 M
+( administrators are encouraged to watch current literature and) s
+5 470 M
+( discussions of cryptography to ensure that they are not using a MAC) s
+5 459 M
+( algorithm that has a recently found vulnerability or weakness.) s
+5 437 M
+( In summary, the use of this protocol without a reliable association) s
+5 426 M
+( of the binding between a host and its host keys is inherently) s
+5 415 M
+( insecure and is NOT RECOMMENDED. It may however be necessary in) s
+5 404 M
+( non-security critical environments, and will still provide protection) s
+5 393 M
+( against passive attacks. Implementors of protocols and applications) s
+5 382 M
+( running on top of this protocol should keep this possibility in mind.) s
+5 360 M
+(9.2.5 Denial-of-service) s
+5 338 M
+( This protocol is designed to be used over a reliable transport. If) s
+5 327 M
+( transmission errors or message manipulation occur, the connection is) s
+5 316 M
+( closed. The connection SHOULD be re-established if this occurs.) s
+5 305 M
+( Denial of service attacks of this type \("wire cutter"\) are almost) s
+5 294 M
+( impossible to avoid.) s
+5 272 M
+( In addition, this protocol is vulnerable to Denial of Service attacks) s
+5 261 M
+( because an attacker can force the server to go through the CPU and) s
+5 250 M
+( memory intensive tasks of connection setup and key exchange without) s
+5 239 M
+( authenticating. Implementors SHOULD provide features that make this) s
+5 228 M
+( more difficult. For example, only allowing connections from a subset) s
+5 217 M
+( of IPs known to have valid users.) s
+5 195 M
+(9.2.6 Covert Channels) s
+5 173 M
+( The protocol was not designed to eliminate covert channels. For) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 19]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 20 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( example, the padding, SSH_MSG_IGNORE messages, and several other) s
+5 679 M
+( places in the protocol can be used to pass covert information, and) s
+5 668 M
+( the recipient has no reliable way to verify whether such information) s
+5 657 M
+( is being sent.) s
+5 635 M
+(9.2.7 Forward Secrecy) s
+5 613 M
+( It should be noted that the Diffie-Hellman key exchanges may provide) s
+5 602 M
+( perfect forward secrecy \(PFS\). PFS is essentially defined as the) s
+5 591 M
+( cryptographic property of a key-establishment protocol in which the) s
+5 580 M
+( compromise of a session key or long-term private key after a given) s
+5 569 M
+( session does not cause the compromise of any earlier session. [ANSI) s
+5 558 M
+( T1.523-2001] SSHv2 sessions resulting from a key exchange using) s
+5 547 M
+( diffie-hellman-group1-sha1 are secure even if private keying/) s
+5 536 M
+( authentication material is later revealed, but not if the session) s
+5 525 M
+( keys are revealed. So, given this definition of PFS, SSHv2 does have) s
+5 514 M
+( PFS. It is hoped that all other key exchange mechanisms proposed and) s
+5 503 M
+( used in the future will also provide PFS. This property is not) s
+5 492 M
+( commuted to any of the applications or protocols using SSH as a) s
+5 481 M
+( transport however. The transport layer of SSH provides) s
+5 470 M
+( confidentiality for password authentication and other methods that) s
+5 459 M
+( rely on secret data.) s
+5 437 M
+( Of course, if the DH private parameters for the client and server are) s
+5 426 M
+( revealed then the session key is revealed, but these items can be) s
+5 415 M
+( thrown away after the key exchange completes. It's worth pointing) s
+5 404 M
+( out that these items should not be allowed to end up on swap space) s
+5 393 M
+( and that they should be erased from memory as soon as the key) s
+5 382 M
+( exchange completes.) s
+5 360 M
+(9.3 Authentication Protocol) s
+5 338 M
+( The purpose of this protocol is to perform client user) s
+5 327 M
+( authentication. It assumes that this run over a secure transport) s
+5 316 M
+( layer protocol, which has already authenticated the server machine,) s
+5 305 M
+( established an encrypted communications channel, and computed a) s
+5 294 M
+( unique session identifier for this session.) s
+5 272 M
+( Several authentication methods with different security) s
+5 261 M
+( characteristics are allowed. It is up to the server's local policy) s
+5 250 M
+( to decide which methods \(or combinations of methods\) it is willing to) s
+5 239 M
+( accept for each user. Authentication is no stronger than the weakest) s
+5 228 M
+( combination allowed.) s
+5 206 M
+( The server may go into a "sleep" period after repeated unsuccessful) s
+5 195 M
+( authentication attempts to make key search more difficult for) s
+5 184 M
+( attackers. Care should be taken so that this doesn't become a) s
+5 173 M
+( self-denial of service vector.) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 20]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (20,21) 11
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 21 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+(9.3.1 Weak Transport) s
+5 668 M
+( If the transport layer does not provide confidentiality,) s
+5 657 M
+( authentication methods that rely on secret data SHOULD be disabled.) s
+5 646 M
+( If it does not provide strong integrity protection, requests to) s
+5 635 M
+( change authentication data \(e.g. a password change\) SHOULD be) s
+5 624 M
+( disabled to prevent an attacker from modifying the ciphertext) s
+5 613 M
+( without being noticed, or rendering the new authentication data) s
+5 602 M
+( unusable \(denial of service\).) s
+5 580 M
+( The assumption as stated above that the Authentication Protocol only) s
+5 569 M
+( run over a secure transport that has previously authenticated the) s
+5 558 M
+( server is very important to note. People deploying SSH are reminded) s
+5 547 M
+( of the consequences of man-in-the-middle attacks if the client does) s
+5 536 M
+( not have a very strong a priori association of the server with the) s
+5 525 M
+( host key of that server. Specifically for the case of the) s
+5 514 M
+( Authentication Protocol the client may form a session to a) s
+5 503 M
+( man-in-the-middle attack device and divulge user credentials such as) s
+5 492 M
+( their username and password. Even in the cases of authentication) s
+5 481 M
+( where no user credentials are divulged, an attacker may still gain) s
+5 470 M
+( information they shouldn't have by capturing key-strokes in much the) s
+5 459 M
+( same way that a honeypot works.) s
+5 437 M
+(9.3.2 Debug messages) s
+5 415 M
+( Special care should be taken when designing debug messages. These) s
+5 404 M
+( messages may reveal surprising amounts of information about the host) s
+5 393 M
+( if not properly designed. Debug messages can be disabled \(during) s
+5 382 M
+( user authentication phase\) if high security is required.) s
+5 371 M
+( Administrators of host machines should make all attempts to) s
+5 360 M
+( compartmentalize all event notification messages and protect them) s
+5 349 M
+( from unwarranted observation. Developers should be aware of the) s
+5 338 M
+( sensitive nature of some of the normal event messages and debug) s
+5 327 M
+( messages and may want to provide guidance to administrators on ways) s
+5 316 M
+( to keep this information away from unauthorized people. Developers) s
+5 305 M
+( should consider minimizing the amount of sensitive information) s
+5 294 M
+( obtainable by users during the authentication phase in accordance) s
+5 283 M
+( with the local policies. For this reason, it is RECOMMENDED that) s
+5 272 M
+( debug messages be initially disabled at the time of deployment and) s
+5 261 M
+( require an active decision by an administrator to allow them to be) s
+5 250 M
+( enabled. It is also RECOMMENDED that a message expressing this) s
+5 239 M
+( concern be presented to the administrator of a system when the action) s
+5 228 M
+( is taken to enable debugging messages.) s
+5 206 M
+(9.3.3 Local security policy) s
+5 184 M
+( Implementer MUST ensure that the credentials provided validate the) s
+5 173 M
+( professed user and also MUST ensure that the local policy of the) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 21]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 22 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( server permits the user the access requested. In particular, because) s
+5 679 M
+( of the flexible nature of the SSH connection protocol, it may not be) s
+5 668 M
+( possible to determine the local security policy, if any, that should) s
+5 657 M
+( apply at the time of authentication because the kind of service being) s
+5 646 M
+( requested is not clear at that instant. For example, local policy) s
+5 635 M
+( might allow a user to access files on the server, but not start an) s
+5 624 M
+( interactive shell. However, during the authentication protocol, it is) s
+5 613 M
+( not known whether the user will be accessing files or attempting to) s
+5 602 M
+( use an interactive shell, or even both. In any event, where local) s
+5 591 M
+( security policy for the server host exists, it MUST be applied and) s
+5 580 M
+( enforced correctly.) s
+5 558 M
+( Implementors are encouraged to provide a default local policy and) s
+5 547 M
+( make its parameters known to administrators and users. At the) s
+5 536 M
+( discretion of the implementors, this default policy may be along the) s
+5 525 M
+( lines of 'anything goes' where there are no restrictions placed upon) s
+5 514 M
+( users, or it may be along the lines of 'excessively restrictive' in) s
+5 503 M
+( which case the administrators will have to actively make changes to) s
+5 492 M
+( this policy to meet their needs. Alternatively, it may be some) s
+5 481 M
+( attempt at providing something practical and immediately useful to) s
+5 470 M
+( the administrators of the system so they don't have to put in much) s
+5 459 M
+( effort to get SSH working. Whatever choice is made MUST be applied) s
+5 448 M
+( and enforced as required above.) s
+5 426 M
+(9.3.4 Public key authentication) s
+5 404 M
+( The use of public-key authentication assumes that the client host has) s
+5 393 M
+( not been compromised. It also assumes that the private-key of the) s
+5 382 M
+( server host has not been compromised.) s
+5 360 M
+( This risk can be mitigated by the use of passphrases on private keys;) s
+5 349 M
+( however, this is not an enforceable policy. The use of smartcards,) s
+5 338 M
+( or other technology to make passphrases an enforceable policy is) s
+5 327 M
+( suggested.) s
+5 305 M
+( The server could require both password and public-key authentication,) s
+5 294 M
+( however, this requires the client to expose its password to the) s
+5 283 M
+( server \(see section on password authentication below.\)) s
+5 261 M
+(9.3.5 Password authentication) s
+5 239 M
+( The password mechanism as specified in the authentication protocol) s
+5 228 M
+( assumes that the server has not been compromised. If the server has) s
+5 217 M
+( been compromised, using password authentication will reveal a valid) s
+5 206 M
+( username / password combination to the attacker, which may lead to) s
+5 195 M
+( further compromises.) s
+5 173 M
+( This vulnerability can be mitigated by using an alternative form of) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 22]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (22,23) 12
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 23 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( authentication. For example, public-key authentication makes no) s
+5 679 M
+( assumptions about security on the server.) s
+5 657 M
+(9.3.6 Host based authentication) s
+5 635 M
+( Host based authentication assumes that the client has not been) s
+5 624 M
+( compromised. There are no mitigating strategies, other than to use) s
+5 613 M
+( host based authentication in combination with another authentication) s
+5 602 M
+( method.) s
+5 580 M
+(9.4 Connection protocol) s
+5 558 M
+(9.4.1 End point security) s
+5 536 M
+( End point security is assumed by the connection protocol. If the) s
+5 525 M
+( server has been compromised, any terminal sessions, port forwarding,) s
+5 514 M
+( or systems accessed on the host are compromised. There are no) s
+5 503 M
+( mitigating factors for this.) s
+5 481 M
+( If the client end point has been compromised, and the server fails to) s
+5 470 M
+( stop the attacker at the authentication protocol, all services) s
+5 459 M
+( exposed \(either as subsystems or through forwarding\) will be) s
+5 448 M
+( vulnerable to attack. Implementors SHOULD provide mechanisms for) s
+5 437 M
+( administrators to control which services are exposed to limit the) s
+5 426 M
+( vulnerability of other services.) s
+5 404 M
+( These controls might include controlling which machines and ports can) s
+5 393 M
+( be target in 'port-forwarding' operations, which users are allowed to) s
+5 382 M
+( use interactive shell facilities, or which users are allowed to use) s
+5 371 M
+( exposed subsystems.) s
+5 349 M
+(9.4.2 Proxy forwarding) s
+5 327 M
+( The SSH connection protocol allows for proxy forwarding of other) s
+5 316 M
+( protocols such as SNMP, POP3, and HTTP. This may be a concern for) s
+5 305 M
+( network administrators who wish to control the access of certain) s
+5 294 M
+( applications by users located outside of their physical location.) s
+5 283 M
+( Essentially, the forwarding of these protocols may violate site) s
+5 272 M
+( specific security policies as they may be undetectably tunneled) s
+5 261 M
+( through a firewall. Implementors SHOULD provide an administrative) s
+5 250 M
+( mechanism to control the proxy forwarding functionality so that site) s
+5 239 M
+( specific security policies may be upheld.) s
+5 217 M
+( In addition, a reverse proxy forwarding functionality is available,) s
+5 206 M
+( which again can be used to bypass firewall controls.) s
+5 184 M
+( As indicated above, end-point security is assumed during proxy) s
+5 173 M
+( forwarding operations. Failure of end-point security will compromise) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 23]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 24 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( all data passed over proxy forwarding.) s
+5 668 M
+(9.4.3 X11 forwarding) s
+5 646 M
+( Another form of proxy forwarding provided by the ssh connection) s
+5 635 M
+( protocol is the forwarding of the X11 protocol. If end-point) s
+5 624 M
+( security has been compromised, X11 forwarding may allow attacks) s
+5 613 M
+( against the X11 server. Users and administrators should, as a matter) s
+5 602 M
+( of course, use appropriate X11 security mechanisms to prevent) s
+5 591 M
+( unauthorized use of the X11 server. Implementors, administrators and) s
+5 580 M
+( users who wish to further explore the security mechanisms of X11 are) s
+5 569 M
+( invited to read [SCHEIFLER] and analyze previously reported problems) s
+5 558 M
+( with the interactions between SSH forwarding and X11 in CERT) s
+5 547 M
+( vulnerabilities VU#363181 and VU#118892 [CERT].) s
+5 525 M
+( X11 display forwarding with SSH, by itself, is not sufficient to) s
+5 514 M
+( correct well known problems with X11 security [VENEMA]. However, X11) s
+5 503 M
+( display forwarding in SSHv2 \(or other, secure protocols\), combined) s
+5 492 M
+( with actual and pseudo-displays which accept connections only over) s
+5 481 M
+( local IPC mechanisms authorized by permissions or ACLs, does correct) s
+5 470 M
+( many X11 security problems as long as the "none" MAC is not used. It) s
+5 459 M
+( is RECOMMENDED that X11 display implementations default to allowing) s
+5 448 M
+( display opens only over local IPC. It is RECOMMENDED that SSHv2) s
+5 437 M
+( server implementations that support X11 forwarding default to) s
+5 426 M
+( allowing display opens only over local IPC. On single-user systems) s
+5 415 M
+( it might be reasonable to default to allowing local display opens) s
+5 404 M
+( over TCP/IP.) s
+5 382 M
+( Implementors of the X11 forwarding protocol SHOULD implement the) s
+5 371 M
+( magic cookie access checking spoofing mechanism as described in) s
+5 360 M
+( [ssh-connect] as an additional mechanism to prevent unauthorized use) s
+5 349 M
+( of the proxy.) s
+5 327 M
+(Normative References) s
+5 305 M
+( [SSH-ARCH]) s
+5 294 M
+( Ylonen, T., "SSH Protocol Architecture", I-D) s
+5 283 M
+( draft-ietf-architecture-15.txt, Oct 2003.) s
+5 261 M
+( [SSH-TRANS]) s
+5 250 M
+( Ylonen, T., "SSH Transport Layer Protocol", I-D) s
+5 239 M
+( draft-ietf-transport-17.txt, Oct 2003.) s
+5 217 M
+( [SSH-USERAUTH]) s
+5 206 M
+( Ylonen, T., "SSH Authentication Protocol", I-D) s
+5 195 M
+( draft-ietf-userauth-18.txt, Oct 2003.) s
+5 173 M
+( [SSH-CONNECT]) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 24]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (24,25) 13
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 25 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( Ylonen, T., "SSH Connection Protocol", I-D) s
+5 679 M
+( draft-ietf-connect-18.txt, Oct 2003.) s
+5 657 M
+( [SSH-NUMBERS]) s
+5 646 M
+( Lehtinen, S. and D. Moffat, "SSH Protocol Assigned) s
+5 635 M
+( Numbers", I-D draft-ietf-secsh-assignednumbers-05.txt, Oct) s
+5 624 M
+( 2003.) s
+5 602 M
+( [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate) s
+5 591 M
+( Requirement Levels", BCP 14, RFC 2119, March 1997.) s
+5 569 M
+(Informative References) s
+5 547 M
+( [FIPS-186]) s
+5 536 M
+( Federal Information Processing Standards Publication,) s
+5 525 M
+( "FIPS PUB 186, Digital Signature Standard", May 1994.) s
+5 503 M
+( [FIPS-197]) s
+5 492 M
+( National Institue of Standards and Technology, "FIPS 197,) s
+5 481 M
+( Specification for the Advanced Encryption Standard",) s
+5 470 M
+( November 2001.) s
+5 448 M
+( [ANSI T1.523-2001]) s
+5 437 M
+( American National Standards Insitute, Inc., "Telecom) s
+5 426 M
+( Glossary 2000", February 2001.) s
+5 404 M
+( [SCHEIFLER]) s
+5 393 M
+( Scheifler, R., "X Window System : The Complete Reference) s
+5 382 M
+( to Xlib, X Protocol, Icccm, Xlfd, 3rd edition.", Digital) s
+5 371 M
+( Press ISBN 1555580882, Feburary 1992.) s
+5 349 M
+( [RFC0854] Postel, J. and J. Reynolds, "Telnet Protocol) s
+5 338 M
+( Specification", STD 8, RFC 854, May 1983.) s
+5 316 M
+( [RFC0894] Hornig, C., "Standard for the transmission of IP datagrams) s
+5 305 M
+( over Ethernet networks", STD 41, RFC 894, April 1984.) s
+5 283 M
+( [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",) s
+5 272 M
+( STD 13, RFC 1034, November 1987.) s
+5 250 M
+( [RFC1134] Perkins, D., "Point-to-Point Protocol: A proposal for) s
+5 239 M
+( multi-protocol transmission of datagrams over) s
+5 228 M
+( Point-to-Point links", RFC 1134, November 1989.) s
+5 206 M
+( [RFC1282] Kantor, B., "BSD Rlogin", RFC 1282, December 1991.) s
+5 184 M
+( [RFC1510] Kohl, J. and B. Neuman, "The Kerberos Network) s
+5 173 M
+( Authentication Service \(V5\)", RFC 1510, September 1993.) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 25]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 26 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( [RFC1700] Reynolds, J. and J. Postel, "Assigned Numbers", RFC 1700,) s
+5 679 M
+( October 1994.) s
+5 657 M
+( [RFC1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness) s
+5 646 M
+( Recommendations for Security", RFC 1750, December 1994.) s
+5 624 M
+( [RFC3066] Alvestrand, H., "Tags for the Identification of) s
+5 613 M
+( Languages", BCP 47, RFC 3066, January 2001.) s
+5 591 M
+( [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC) s
+5 580 M
+( 1964, June 1996.) s
+5 558 M
+( [RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism) s
+5 547 M
+( \(SPKM\)", RFC 2025, October 1996.) s
+5 525 M
+( [RFC2085] Oehler, M. and R. Glenn, "HMAC-MD5 IP Authentication with) s
+5 514 M
+( Replay Prevention", RFC 2085, February 1997.) s
+5 492 M
+( [RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:) s
+5 481 M
+( Keyed-Hashing for Message Authentication", RFC 2104,) s
+5 470 M
+( February 1997.) s
+5 448 M
+( [RFC2246] Dierks, T., Allen, C., Treese, W., Karlton, P., Freier, A.) s
+5 437 M
+( and P. Kocher, "The TLS Protocol Version 1.0", RFC 2246,) s
+5 426 M
+( January 1999.) s
+5 404 M
+( [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO) s
+5 393 M
+( 10646", RFC 2279, January 1998.) s
+5 371 M
+( [RFC2410] Glenn, R. and S. Kent, "The NULL Encryption Algorithm and) s
+5 360 M
+( Its Use With IPsec", RFC 2410, November 1998.) s
+5 338 M
+( [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an) s
+5 327 M
+( IANA Considerations Section in RFCs", BCP 26, RFC 2434,) s
+5 316 M
+( October 1998.) s
+5 294 M
+( [RFC2743] Linn, J., "Generic Security Service Application Program) s
+5 283 M
+( Interface Version 2, Update 1", RFC 2743, January 2000.) s
+5 261 M
+( [SCHNEIER]) s
+5 250 M
+( Schneier, B., "Applied Cryptography Second Edition:) s
+5 239 M
+( protocols algorithms and source in code in C", 1996.) s
+5 217 M
+( [KAUFMAN,PERLMAN,SPECINER]) s
+5 206 M
+( Kaufman, C., Perlman, R. and M. Speciner, "Network) s
+5 195 M
+( Security: PRIVATE Communication in a PUBLIC World", 1995.) s
+5 173 M
+( [CERT] CERT Coordination Center, The., "http://www.cert.org/nav/) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 26]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (26,27) 14
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 27 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( index_red.html".) s
+5 668 M
+( [VENEMA] Venema, W., "Murphy's Law and Computer Security",) s
+5 657 M
+( Proceedings of 6th USENIX Security Symposium, San Jose CA) s
+5 646 M
+( http://www.usenix.org/publications/library/proceedings/) s
+5 635 M
+( sec96/venema.html, July 1996.) s
+5 613 M
+( [ROGAWAY] Rogaway, P., "Problems with Proposed IP Cryptography",) s
+5 602 M
+( Unpublished paper http://www.cs.ucdavis.edu/~rogaway/) s
+5 591 M
+( papers/draft-rogaway-ipsec-comments-00.txt, 1996.) s
+5 569 M
+( [DAI] Dai, W., "An attack against SSH2 protocol", Email to the) s
+5 558 M
+( SECSH Working Group [email protected] ftp://) s
+5 547 M
+( ftp.ietf.org/ietf-mail-archive/secsh/2002-02.mail, Feb) s
+5 536 M
+( 2002.) s
+5 514 M
+( [BELLARE,KOHNO,NAMPREMPRE]) s
+5 503 M
+( Bellaire, M., Kohno, T. and C. Namprempre, "Authenticated) s
+5 492 M
+( Encryption in SSH: Fixing the SSH Binary Packet Protocol",) s
+5 481 M
+( , Sept 2002.) s
+5 448 M
+(Authors' Addresses) s
+5 426 M
+( Tatu Ylonen) s
+5 415 M
+( SSH Communications Security Corp) s
+5 404 M
+( Fredrikinkatu 42) s
+5 393 M
+( HELSINKI FIN-00100) s
+5 382 M
+( Finland) s
+5 360 M
+( EMail: [email protected]) s
+5 327 M
+( Darren J. Moffat \(editor\)) s
+5 316 M
+( Sun Microsystems, Inc) s
+5 305 M
+( 17 Network Circle) s
+5 294 M
+( Menlo Park CA 94025) s
+5 283 M
+( USA) s
+5 261 M
+( EMail: [email protected]) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 27]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 28 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+(Intellectual Property Statement) s
+5 668 M
+( The IETF takes no position regarding the validity or scope of any) s
+5 657 M
+( intellectual property or other rights that might be claimed to) s
+5 646 M
+( pertain to the implementation or use of the technology described in) s
+5 635 M
+( this document or the extent to which any license under such rights) s
+5 624 M
+( might or might not be available; neither does it represent that it) s
+5 613 M
+( has made any effort to identify any such rights. Information on the) s
+5 602 M
+( IETF's procedures with respect to rights in standards-track and) s
+5 591 M
+( standards-related documentation can be found in BCP-11. Copies of) s
+5 580 M
+( claims of rights made available for publication and any assurances of) s
+5 569 M
+( licenses to be made available, or the result of an attempt made to) s
+5 558 M
+( obtain a general license or permission for the use of such) s
+5 547 M
+( proprietary rights by implementors or users of this specification can) s
+5 536 M
+( be obtained from the IETF Secretariat.) s
+5 514 M
+( The IETF invites any interested party to bring to its attention any) s
+5 503 M
+( copyrights, patents or patent applications, or other proprietary) s
+5 492 M
+( rights which may cover technology that may be required to practice) s
+5 481 M
+( this standard. Please address the information to the IETF Executive) s
+5 470 M
+( Director.) s
+5 448 M
+( The IETF has been notified of intellectual property rights claimed in) s
+5 437 M
+( regard to some or all of the specification contained in this) s
+5 426 M
+( document. For more information consult the online list of claimed) s
+5 415 M
+( rights.) s
+5 382 M
+(Full Copyright Statement) s
+5 360 M
+( Copyright \(C\) The Internet Society \(2003\). All Rights Reserved.) s
+5 338 M
+( This document and translations of it may be copied and furnished to) s
+5 327 M
+( others, and derivative works that comment on or otherwise explain it) s
+5 316 M
+( or assist in its implementation may be prepared, copied, published) s
+5 305 M
+( and distributed, in whole or in part, without restriction of any) s
+5 294 M
+( kind, provided that the above copyright notice and this paragraph are) s
+5 283 M
+( included on all such copies and derivative works. However, this) s
+5 272 M
+( document itself may not be modified in any way, such as by removing) s
+5 261 M
+( the copyright notice or references to the Internet Society or other) s
+5 250 M
+( Internet organizations, except as needed for the purpose of) s
+5 239 M
+( developing Internet standards in which case the procedures for) s
+5 228 M
+( copyrights defined in the Internet Standards process must be) s
+5 217 M
+( followed, or as required to translate it into languages other than) s
+5 206 M
+( English.) s
+5 184 M
+( The limited permissions granted above are perpetual and will not be) s
+5 173 M
+( revoked by the Internet Society or its successors or assignees.) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 28]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (28,29) 15
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 29 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Protocol Architecture Oct 2003) s
+5 690 M
+( This document and the information contained herein is provided on an) s
+5 679 M
+( "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING) s
+5 668 M
+( TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING) s
+5 657 M
+( BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION) s
+5 646 M
+( HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF) s
+5 635 M
+( MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.) s
+5 602 M
+(Acknowledgment) s
+5 580 M
+( Funding for the RFC Editor function is currently provided by the) s
+5 569 M
+( Internet Society.) s
+5 129 M
+(Ylonen & Moffat Expires March 31, 2004 [Page 29]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+showpage
+PStoPSsaved restore
+%%Trailer
+%%Pages: 29
+%%DocumentNeededResources: font Courier-Bold Courier
+%%EOF