aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps
diff options
context:
space:
mode:
authorErlang/OTP <[email protected]>2009-11-20 14:54:40 +0000
committerErlang/OTP <[email protected]>2009-11-20 14:54:40 +0000
commit84adefa331c4159d432d22840663c38f155cd4c1 (patch)
treebff9a9c66adda4df2106dfd0e5c053ab182a12bd /lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps
downloadotp-84adefa331c4159d432d22840663c38f155cd4c1.tar.gz
otp-84adefa331c4159d432d22840663c38f155cd4c1.tar.bz2
otp-84adefa331c4159d432d22840663c38f155cd4c1.zip
The R13B03 release.OTP_R13B03
Diffstat (limited to 'lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps')
-rw-r--r--lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps1881
1 files changed, 1881 insertions, 0 deletions
diff --git a/lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps b/lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps
new file mode 100644
index 0000000000..be5799dbce
--- /dev/null
+++ b/lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps
@@ -0,0 +1,1881 @@
+%!PS-Adobe-3.0
+%%BoundingBox: 75 0 595 747
+%%Title: Enscript Output
+%%For: Magnus Thoang
+%%Creator: GNU enscript 1.6.1
+%%CreationDate: Fri Oct 31 13:35:32 2003
+%%Orientation: Portrait
+%%Pages: 8 0
+%%DocumentMedia: A4 595 842 0 () ()
+%%DocumentNeededResources: (atend)
+%%EndComments
+%%BeginProlog
+%%BeginProcSet: PStoPS 1 15
+userdict begin
+[/showpage/erasepage/copypage]{dup where{pop dup load
+ type/operatortype eq{1 array cvx dup 0 3 index cvx put
+ bind def}{pop}ifelse}{pop}ifelse}forall
+[/letter/legal/executivepage/a4/a4small/b5/com10envelope
+ /monarchenvelope/c5envelope/dlenvelope/lettersmall/note
+ /folio/quarto/a5]{dup where{dup wcheck{exch{}put}
+ {pop{}def}ifelse}{pop}ifelse}forall
+/setpagedevice {pop}bind 1 index where{dup wcheck{3 1 roll put}
+ {pop def}ifelse}{def}ifelse
+/PStoPSmatrix matrix currentmatrix def
+/PStoPSxform matrix def/PStoPSclip{clippath}def
+/defaultmatrix{PStoPSmatrix exch PStoPSxform exch concatmatrix}bind def
+/initmatrix{matrix defaultmatrix setmatrix}bind def
+/initclip[{matrix currentmatrix PStoPSmatrix setmatrix
+ [{currentpoint}stopped{$error/newerror false put{newpath}}
+ {/newpath cvx 3 1 roll/moveto cvx 4 array astore cvx}ifelse]
+ {[/newpath cvx{/moveto cvx}{/lineto cvx}
+ {/curveto cvx}{/closepath cvx}pathforall]cvx exch pop}
+ stopped{$error/errorname get/invalidaccess eq{cleartomark
+ $error/newerror false put cvx exec}{stop}ifelse}if}bind aload pop
+ /initclip dup load dup type dup/operatortype eq{pop exch pop}
+ {dup/arraytype eq exch/packedarraytype eq or
+ {dup xcheck{exch pop aload pop}{pop cvx}ifelse}
+ {pop cvx}ifelse}ifelse
+ {newpath PStoPSclip clip newpath exec setmatrix} bind aload pop]cvx def
+/initgraphics{initmatrix newpath initclip 1 setlinewidth
+ 0 setlinecap 0 setlinejoin []0 setdash 0 setgray
+ 10 setmiterlimit}bind def
+end
+%%EndProcSet
+%%BeginResource: procset Enscript-Prolog 1.6 1
+%
+% Procedures.
+%
+
+/_S { % save current state
+ /_s save def
+} def
+/_R { % restore from saved state
+ _s restore
+} def
+
+/S { % showpage protecting gstate
+ gsave
+ showpage
+ grestore
+} bind def
+
+/MF { % fontname newfontname -> - make a new encoded font
+ /newfontname exch def
+ /fontname exch def
+
+ /fontdict fontname findfont def
+ /newfont fontdict maxlength dict def
+
+ fontdict {
+ exch
+ dup /FID eq {
+ % skip FID pair
+ pop pop
+ } {
+ % copy to the new font dictionary
+ exch newfont 3 1 roll put
+ } ifelse
+ } forall
+
+ newfont /FontName newfontname put
+
+ % insert only valid encoding vectors
+ encoding_vector length 256 eq {
+ newfont /Encoding encoding_vector put
+ } if
+
+ newfontname newfont definefont pop
+} def
+
+/SF { % fontname width height -> - set a new font
+ /height exch def
+ /width exch def
+
+ findfont
+ [width 0 0 height 0 0] makefont setfont
+} def
+
+/SUF { % fontname width height -> - set a new user font
+ /height exch def
+ /width exch def
+
+ /F-gs-user-font MF
+ /F-gs-user-font width height SF
+} def
+
+/M {moveto} bind def
+/s {show} bind def
+
+/Box { % x y w h -> - define box path
+ /d_h exch def /d_w exch def /d_y exch def /d_x exch def
+ d_x d_y moveto
+ d_w 0 rlineto
+ 0 d_h rlineto
+ d_w neg 0 rlineto
+ closepath
+} def
+
+/bgs { % x y height blskip gray str -> - show string with bg color
+ /str exch def
+ /gray exch def
+ /blskip exch def
+ /height exch def
+ /y exch def
+ /x exch def
+
+ gsave
+ x y blskip sub str stringwidth pop height Box
+ gray setgray
+ fill
+ grestore
+ x y M str s
+} def
+
+% Highlight bars.
+/highlight_bars { % nlines lineheight output_y_margin gray -> -
+ gsave
+ setgray
+ /ymarg exch def
+ /lineheight exch def
+ /nlines exch def
+
+ % This 2 is just a magic number to sync highlight lines to text.
+ 0 d_header_y ymarg sub 2 sub translate
+
+ /cw d_output_w cols div def
+ /nrows d_output_h ymarg 2 mul sub lineheight div cvi def
+
+ % for each column
+ 0 1 cols 1 sub {
+ cw mul /xp exch def
+
+ % for each rows
+ 0 1 nrows 1 sub {
+ /rn exch def
+ rn lineheight mul neg /yp exch def
+ rn nlines idiv 2 mod 0 eq {
+ % Draw highlight bar. 4 is just a magic indentation.
+ xp 4 add yp cw 8 sub lineheight neg Box fill
+ } if
+ } for
+ } for
+
+ grestore
+} def
+
+% Line highlight bar.
+/line_highlight { % x y width height gray -> -
+ gsave
+ /gray exch def
+ Box gray setgray fill
+ grestore
+} def
+
+% Column separator lines.
+/column_lines {
+ gsave
+ .1 setlinewidth
+ 0 d_footer_h translate
+ /cw d_output_w cols div def
+ 1 1 cols 1 sub {
+ cw mul 0 moveto
+ 0 d_output_h rlineto stroke
+ } for
+ grestore
+} def
+
+% Column borders.
+/column_borders {
+ gsave
+ .1 setlinewidth
+ 0 d_footer_h moveto
+ 0 d_output_h rlineto
+ d_output_w 0 rlineto
+ 0 d_output_h neg rlineto
+ closepath stroke
+ grestore
+} def
+
+% Do the actual underlay drawing
+/draw_underlay {
+ ul_style 0 eq {
+ ul_str true charpath stroke
+ } {
+ ul_str show
+ } ifelse
+} def
+
+% Underlay
+/underlay { % - -> -
+ gsave
+ 0 d_page_h translate
+ d_page_h neg d_page_w atan rotate
+
+ ul_gray setgray
+ ul_font setfont
+ /dw d_page_h dup mul d_page_w dup mul add sqrt def
+ ul_str stringwidth pop dw exch sub 2 div ul_h_ptsize -2 div moveto
+ draw_underlay
+ grestore
+} def
+
+/user_underlay { % - -> -
+ gsave
+ ul_x ul_y translate
+ ul_angle rotate
+ ul_gray setgray
+ ul_font setfont
+ 0 0 ul_h_ptsize 2 div sub moveto
+ draw_underlay
+ grestore
+} def
+
+% Page prefeed
+/page_prefeed { % bool -> -
+ statusdict /prefeed known {
+ statusdict exch /prefeed exch put
+ } {
+ pop
+ } ifelse
+} def
+
+% Wrapped line markers
+/wrapped_line_mark { % x y charwith charheight type -> -
+ /type exch def
+ /h exch def
+ /w exch def
+ /y exch def
+ /x exch def
+
+ type 2 eq {
+ % Black boxes (like TeX does)
+ gsave
+ 0 setlinewidth
+ x w 4 div add y M
+ 0 h rlineto w 2 div 0 rlineto 0 h neg rlineto
+ closepath fill
+ grestore
+ } {
+ type 3 eq {
+ % Small arrows
+ gsave
+ .2 setlinewidth
+ x w 2 div add y h 2 div add M
+ w 4 div 0 rlineto
+ x w 4 div add y lineto stroke
+
+ x w 4 div add w 8 div add y h 4 div add M
+ x w 4 div add y lineto
+ w 4 div h 8 div rlineto stroke
+ grestore
+ } {
+ % do nothing
+ } ifelse
+ } ifelse
+} def
+
+% EPSF import.
+
+/BeginEPSF {
+ /b4_Inc_state save def % Save state for cleanup
+ /dict_count countdictstack def % Count objects on dict stack
+ /op_count count 1 sub def % Count objects on operand stack
+ userdict begin
+ /showpage { } def
+ 0 setgray 0 setlinecap
+ 1 setlinewidth 0 setlinejoin
+ 10 setmiterlimit [ ] 0 setdash newpath
+ /languagelevel where {
+ pop languagelevel
+ 1 ne {
+ false setstrokeadjust false setoverprint
+ } if
+ } if
+} bind def
+
+/EndEPSF {
+ count op_count sub { pos } repeat % Clean up stacks
+ countdictstack dict_count sub { end } repeat
+ b4_Inc_state restore
+} bind def
+
+% Check PostScript language level.
+/languagelevel where {
+ pop /gs_languagelevel languagelevel def
+} {
+ /gs_languagelevel 1 def
+} ifelse
+%%EndResource
+%%BeginResource: procset Enscript-Encoding-88591 1.6 1
+/encoding_vector [
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/space /exclam /quotedbl /numbersign
+/dollar /percent /ampersand /quoteright
+/parenleft /parenright /asterisk /plus
+/comma /hyphen /period /slash
+/zero /one /two /three
+/four /five /six /seven
+/eight /nine /colon /semicolon
+/less /equal /greater /question
+/at /A /B /C
+/D /E /F /G
+/H /I /J /K
+/L /M /N /O
+/P /Q /R /S
+/T /U /V /W
+/X /Y /Z /bracketleft
+/backslash /bracketright /asciicircum /underscore
+/quoteleft /a /b /c
+/d /e /f /g
+/h /i /j /k
+/l /m /n /o
+/p /q /r /s
+/t /u /v /w
+/x /y /z /braceleft
+/bar /braceright /tilde /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef
+/space /exclamdown /cent /sterling
+/currency /yen /brokenbar /section
+/dieresis /copyright /ordfeminine /guillemotleft
+/logicalnot /hyphen /registered /macron
+/degree /plusminus /twosuperior /threesuperior
+/acute /mu /paragraph /bullet
+/cedilla /onesuperior /ordmasculine /guillemotright
+/onequarter /onehalf /threequarters /questiondown
+/Agrave /Aacute /Acircumflex /Atilde
+/Adieresis /Aring /AE /Ccedilla
+/Egrave /Eacute /Ecircumflex /Edieresis
+/Igrave /Iacute /Icircumflex /Idieresis
+/Eth /Ntilde /Ograve /Oacute
+/Ocircumflex /Otilde /Odieresis /multiply
+/Oslash /Ugrave /Uacute /Ucircumflex
+/Udieresis /Yacute /Thorn /germandbls
+/agrave /aacute /acircumflex /atilde
+/adieresis /aring /ae /ccedilla
+/egrave /eacute /ecircumflex /edieresis
+/igrave /iacute /icircumflex /idieresis
+/eth /ntilde /ograve /oacute
+/ocircumflex /otilde /odieresis /divide
+/oslash /ugrave /uacute /ucircumflex
+/udieresis /yacute /thorn /ydieresis
+] def
+%%EndResource
+%%EndProlog
+%%BeginSetup
+%%IncludeResource: font Courier-Bold
+%%IncludeResource: font Courier
+/HFpt_w 10 def
+/HFpt_h 10 def
+/Courier-Bold /HF-gs-font MF
+/HF /HF-gs-font findfont [HFpt_w 0 0 HFpt_h 0 0] makefont def
+/Courier /F-gs-font MF
+/F-gs-font 10 10 SF
+/#copies 1 def
+/d_page_w 520 def
+/d_page_h 747 def
+/d_header_x 0 def
+/d_header_y 747 def
+/d_header_w 520 def
+/d_header_h 0 def
+/d_footer_x 0 def
+/d_footer_y 0 def
+/d_footer_w 520 def
+/d_footer_h 0 def
+/d_output_w 520 def
+/d_output_h 747 def
+/cols 1 def
+userdict/PStoPSxform PStoPSmatrix matrix currentmatrix
+ matrix invertmatrix matrix concatmatrix
+ matrix invertmatrix put
+%%EndSetup
+%%Page: (0,1) 1
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 1 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 701 M
+(Network Working Group T. Ylonen) s
+5 690 M
+(Internet-Draft SSH Communications Security Corp) s
+5 679 M
+(Expires: March 2, 2003 D. Moffat, Ed.) s
+5 668 M
+( Sun Microsystems, Inc) s
+5 657 M
+( September 2002) s
+5 624 M
+( SSH Authentication Protocol) s
+5 613 M
+( draft-ietf-secsh-userauth-18.txt) s
+5 591 M
+(Status of this Memo) s
+5 569 M
+( This document is an Internet-Draft and is in full conformance with) s
+5 558 M
+( all provisions of Section 10 of RFC2026.) s
+5 536 M
+( Internet-Drafts are working documents of the Internet Engineering) s
+5 525 M
+( Task Force \(IETF\), its areas, and its working groups. Note that other) s
+5 514 M
+( groups may also distribute working documents as Internet-Drafts.) s
+5 492 M
+( Internet-Drafts are draft documents valid for a maximum of six months) s
+5 481 M
+( and may be updated, replaced, or obsoleted by other documents at any) s
+5 470 M
+( time. It is inappropriate to use Internet-Drafts as reference) s
+5 459 M
+( material or to cite them other than as "work in progress.") s
+5 437 M
+( The list of current Internet-Drafts can be accessed at http://) s
+5 426 M
+( www.ietf.org/ietf/1id-abstracts.txt.) s
+5 404 M
+( The list of Internet-Draft Shadow Directories can be accessed at) s
+5 393 M
+( http://www.ietf.org/shadow.html.) s
+5 371 M
+( This Internet-Draft will expire on March 2, 2003.) s
+5 349 M
+(Copyright Notice) s
+5 327 M
+( Copyright \(C\) The Internet Society \(2002\). All Rights Reserved.) s
+5 305 M
+(Abstract) s
+5 283 M
+( SSH is a protocol for secure remote login and other secure network) s
+5 272 M
+( services over an insecure network. This document describes the SSH) s
+5 261 M
+( authentication protocol framework and public key, password, and) s
+5 250 M
+( host-based client authentication methods. Additional authentication) s
+5 239 M
+( methods are described in separate documents. The SSH authentication) s
+5 228 M
+( protocol runs on top of the SSH transport layer protocol and provides) s
+5 217 M
+( a single authenticated tunnel for the SSH connection protocol.) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 1]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 2 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+(Table of Contents) s
+5 668 M
+( 1. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 3) s
+5 657 M
+( 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3) s
+5 646 M
+( 3. Conventions Used in This Document . . . . . . . . . . . . . 3) s
+5 635 M
+( 3.1 The Authentication Protocol Framework . . . . . . . . . . . 3) s
+5 624 M
+( 3.1.1 Authentication Requests . . . . . . . . . . . . . . . . . . 4) s
+5 613 M
+( 3.1.2 Responses to Authentication Requests . . . . . . . . . . . . 5) s
+5 602 M
+( 3.1.3 The "none" Authentication Request . . . . . . . . . . . . . 6) s
+5 591 M
+( 3.1.4 Completion of User Authentication . . . . . . . . . . . . . 6) s
+5 580 M
+( 3.1.5 Banner Message . . . . . . . . . . . . . . . . . . . . . . . 7) s
+5 569 M
+( 3.2 Authentication Protocol Message Numbers . . . . . . . . . . 7) s
+5 558 M
+( 3.3 Public Key Authentication Method: publickey . . . . . . . . 8) s
+5 547 M
+( 3.4 Password Authentication Method: password . . . . . . . . . . 10) s
+5 536 M
+( 3.5 Host-Based Authentication: hostbased . . . . . . . . . . . . 11) s
+5 525 M
+( 4. Security Considerations . . . . . . . . . . . . . . . . . . 12) s
+5 514 M
+( Normative . . . . . . . . . . . . . . . . . . . . . . . . . 13) s
+5 503 M
+( Informative . . . . . . . . . . . . . . . . . . . . . . . . 13) s
+5 492 M
+( Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 14) s
+5 481 M
+( Intellectual Property and Copyright Statements . . . . . . . 15) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 2]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (2,3) 2
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 3 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+(1. Contributors) s
+5 668 M
+( The major original contributors of this document were: Tatu Ylonen,) s
+5 657 M
+( Tero Kivinen, Timo J. Rinne, Sami Lehtinen \(all of SSH Communications) s
+5 646 M
+( Security Corp\), and Markku-Juhani O. Saarinen \(University of) s
+5 635 M
+( Jyvaskyla\)) s
+5 613 M
+( The document editor is: [email protected]. Comments on this) s
+5 602 M
+( internet draft should be sent to the IETF SECSH working group,) s
+5 591 M
+( details at: http://ietf.org/html.charters/secsh-charter.html) s
+5 569 M
+(2. Introduction) s
+5 547 M
+( The SSH authentication protocol is a general-purpose user) s
+5 536 M
+( authentication protocol. It is intended to be run over the SSH) s
+5 525 M
+( transport layer protocol [SSH-TRANS]. This protocol assumes that the) s
+5 514 M
+( underlying protocols provide integrity and confidentiality) s
+5 503 M
+( protection.) s
+5 481 M
+( This document should be read only after reading the SSH architecture) s
+5 470 M
+( document [SSH-ARCH]. This document freely uses terminology and) s
+5 459 M
+( notation from the architecture document without reference or further) s
+5 448 M
+( explanation.) s
+5 426 M
+( The service name for this protocol is "ssh-userauth".) s
+5 404 M
+( When this protocol starts, it receives the session identifier from) s
+5 393 M
+( the lower-level protocol \(this is the exchange hash H from the first) s
+5 382 M
+( key exchange\). The session identifier uniquely identifies this) s
+5 371 M
+( session and is suitable for signing in order to prove ownership of a) s
+5 360 M
+( private key. This protocol also needs to know whether the lower-level) s
+5 349 M
+( protocol provides confidentiality protection.) s
+5 327 M
+(3. Conventions Used in This Document) s
+5 305 M
+( The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",) s
+5 294 M
+( and "MAY" that appear in this document are to be interpreted as) s
+5 283 M
+( described in [RFC2119]) s
+5 261 M
+( The used data types and terminology are specified in the architecture) s
+5 250 M
+( document [SSH-ARCH]) s
+5 228 M
+( The architecture document also discusses the algorithm naming) s
+5 217 M
+( conventions that MUST be used with the SSH protocols.) s
+5 195 M
+(3.1 The Authentication Protocol Framework) s
+5 173 M
+( The server drives the authentication by telling the client which) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 3]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 4 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+( authentication methods can be used to continue the exchange at any) s
+5 679 M
+( given time. The client has the freedom to try the methods listed by) s
+5 668 M
+( the server in any order. This gives the server complete control over) s
+5 657 M
+( the authentication process if desired, but also gives enough) s
+5 646 M
+( flexibility for the client to use the methods it supports or that are) s
+5 635 M
+( most convenient for the user, when multiple methods are offered by) s
+5 624 M
+( the server.) s
+5 602 M
+( Authentication methods are identified by their name, as defined in) s
+5 591 M
+( [SSH-ARCH]. The "none" method is reserved, and MUST NOT be listed as) s
+5 580 M
+( supported. However, it MAY be sent by the client. The server MUST) s
+5 569 M
+( always reject this request, unless the client is to be allowed in) s
+5 558 M
+( without any authentication, in which case the server MUST accept this) s
+5 547 M
+( request. The main purpose of sending this request is to get the list) s
+5 536 M
+( of supported methods from the server.) s
+5 514 M
+( The server SHOULD have a timeout for authentication, and disconnect) s
+5 503 M
+( if the authentication has not been accepted within the timeout) s
+5 492 M
+( period. The RECOMMENDED timeout period is 10 minutes. Additionally,) s
+5 481 M
+( the implementation SHOULD limit the number of failed authentication) s
+5 470 M
+( attempts a client may perform in a single session \(the RECOMMENDED) s
+5 459 M
+( limit is 20 attempts\). If the threshold is exceeded, the server) s
+5 448 M
+( SHOULD disconnect.) s
+5 426 M
+(3.1.1 Authentication Requests) s
+5 404 M
+( All authentication requests MUST use the following message format.) s
+5 393 M
+( Only the first few fields are defined; the remaining fields depend on) s
+5 382 M
+( the authentication method.) s
+5 360 M
+( byte SSH_MSG_USERAUTH_REQUEST) s
+5 349 M
+( string user name \(in ISO-10646 UTF-8 encoding [RFC2279]\)) s
+5 338 M
+( string service name \(in US-ASCII\)) s
+5 327 M
+( string method name \(US-ASCII\)) s
+5 316 M
+( The rest of the packet is method-specific.) s
+5 294 M
+( The user name and service are repeated in every new authentication) s
+5 283 M
+( attempt, and MAY change. The server implementation MUST carefully) s
+5 272 M
+( check them in every message, and MUST flush any accumulated) s
+5 261 M
+( authentication states if they change. If it is unable to flush some) s
+5 250 M
+( authentication state, it MUST disconnect if the user or service name) s
+5 239 M
+( changes.) s
+5 217 M
+( The service name specifies the service to start after authentication.) s
+5 206 M
+( There may be several different authenticated services provided. If) s
+5 195 M
+( the requested service is not available, the server MAY disconnect) s
+5 184 M
+( immediately or at any later time. Sending a proper disconnect) s
+5 173 M
+( message is RECOMMENDED. In any case, if the service does not exist,) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 4]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (4,5) 3
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 5 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+( authentication MUST NOT be accepted.) s
+5 668 M
+( If the requested user does not exist, the server MAY disconnect, or) s
+5 657 M
+( MAY send a bogus list of acceptable authentication methods, but never) s
+5 646 M
+( accept any. This makes it possible for the server to avoid) s
+5 635 M
+( disclosing information on which accounts exist. In any case, if the) s
+5 624 M
+( user does not exist, the authentication request MUST NOT be accepted.) s
+5 602 M
+( While there is usually little point for clients to send requests that) s
+5 591 M
+( the server does not list as acceptable, sending such requests is not) s
+5 580 M
+( an error, and the server SHOULD simply reject requests that it does) s
+5 569 M
+( not recognize.) s
+5 547 M
+( An authentication request MAY result in a further exchange of) s
+5 536 M
+( messages. All such messages depend on the authentication method) s
+5 525 M
+( used, and the client MAY at any time continue with a new) s
+5 514 M
+( SSH_MSG_USERAUTH_REQUEST message, in which case the server MUST) s
+5 503 M
+( abandon the previous authentication attempt and continue with the new) s
+5 492 M
+( one.) s
+5 470 M
+(3.1.2 Responses to Authentication Requests) s
+5 448 M
+( If the server rejects the authentication request, it MUST respond) s
+5 437 M
+( with the following:) s
+5 415 M
+( byte SSH_MSG_USERAUTH_FAILURE) s
+5 404 M
+( string authentications that can continue) s
+5 393 M
+( boolean partial success) s
+5 371 M
+( "Authentications that can continue" is a comma-separated list of) s
+5 360 M
+( authentication method names that may productively continue the) s
+5 349 M
+( authentication dialog.) s
+5 327 M
+( It is RECOMMENDED that servers only include those methods in the list) s
+5 316 M
+( that are actually useful. However, it is not illegal to include) s
+5 305 M
+( methods that cannot be used to authenticate the user.) s
+5 283 M
+( Already successfully completed authentications SHOULD NOT be included) s
+5 272 M
+( in the list, unless they really should be performed again for some) s
+5 261 M
+( reason.) s
+5 239 M
+( "Partial success" MUST be TRUE if the authentication request to which) s
+5 228 M
+( this is a response was successful. It MUST be FALSE if the request) s
+5 217 M
+( was not successfully processed.) s
+5 195 M
+( When the server accepts authentication, it MUST respond with the) s
+5 184 M
+( following:) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 5]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 6 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+( byte SSH_MSG_USERAUTH_SUCCESS) s
+5 668 M
+( Note that this is not sent after each step in a multi-method) s
+5 657 M
+( authentication sequence, but only when the authentication is) s
+5 646 M
+( complete.) s
+5 624 M
+( The client MAY send several authentication requests without waiting) s
+5 613 M
+( for responses from previous requests. The server MUST process each) s
+5 602 M
+( request completely and acknowledge any failed requests with a) s
+5 591 M
+( SSH_MSG_USERAUTH_FAILURE message before processing the next request.) s
+5 569 M
+( A request that results in further exchange of messages will be) s
+5 558 M
+( aborted by a second request. It is not possible to send a second) s
+5 547 M
+( request without waiting for a response from the server, if the first) s
+5 536 M
+( request will result in further exchange of messages. No) s
+5 525 M
+( SSH_MSG_USERAUTH_FAILURE message will be sent for the aborted method.) s
+5 503 M
+( SSH_MSG_USERAUTH_SUCCESS MUST be sent only once. When) s
+5 492 M
+( SSH_MSG_USERAUTH_SUCCESS has been sent, any further authentication) s
+5 481 M
+( requests received after that SHOULD be silently ignored.) s
+5 459 M
+( Any non-authentication messages sent by the client after the request) s
+5 448 M
+( that resulted in SSH_MSG_USERAUTH_SUCCESS being sent MUST be passed) s
+5 437 M
+( to the service being run on top of this protocol. Such messages can) s
+5 426 M
+( be identified by their message numbers \(see Section Message Numbers) s
+5 415 M
+( \(Section 3.2\)\).) s
+5 393 M
+(3.1.3 The "none" Authentication Request) s
+5 371 M
+( A client may request a list of authentication methods that may) s
+5 360 M
+( continue by using the "none" authentication method.) s
+5 338 M
+( If no authentication at all is needed for the user, the server MUST) s
+5 327 M
+( return SSH_MSG_USERAUTH_SUCCESS. Otherwise, the server MUST return) s
+5 316 M
+( SSH_MSG_USERAUTH_FAILURE and MAY return with it a list of) s
+5 305 M
+( authentication methods that can continue.) s
+5 283 M
+( This method MUST NOT be listed as supported by the server.) s
+5 261 M
+(3.1.4 Completion of User Authentication) s
+5 239 M
+( Authentication is complete when the server has responded with) s
+5 228 M
+( SSH_MSG_USERAUTH_SUCCESS; all authentication related messages) s
+5 217 M
+( received after sending this message SHOULD be silently ignored.) s
+5 195 M
+( After sending SSH_MSG_USERAUTH_SUCCESS, the server starts the) s
+5 184 M
+( requested service.) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 6]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (6,7) 4
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 7 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+(3.1.5 Banner Message) s
+5 668 M
+( In some jurisdictions, sending a warning message before) s
+5 657 M
+( authentication may be relevant for getting legal protection. Many) s
+5 646 M
+( UNIX machines, for example, normally display text from `/etc/issue',) s
+5 635 M
+( or use "tcp wrappers" or similar software to display a banner before) s
+5 624 M
+( issuing a login prompt.) s
+5 602 M
+( The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time) s
+5 591 M
+( before authentication is successful. This message contains text to) s
+5 580 M
+( be displayed to the client user before authentication is attempted.) s
+5 569 M
+( The format is as follows:) s
+5 547 M
+( byte SSH_MSG_USERAUTH_BANNER) s
+5 536 M
+( string message \(ISO-10646 UTF-8\)) s
+5 525 M
+( string language tag \(as defined in [RFC3066]\)) s
+5 503 M
+( The client SHOULD by default display the message on the screen.) s
+5 492 M
+( However, since the message is likely to be sent for every login) s
+5 481 M
+( attempt, and since some client software will need to open a separate) s
+5 470 M
+( window for this warning, the client software may allow the user to) s
+5 459 M
+( explicitly disable the display of banners from the server. The) s
+5 448 M
+( message may consist of multiple lines.) s
+5 426 M
+( If the message string is displayed, control character filtering) s
+5 415 M
+( discussed in [SSH-ARCH] SHOULD be used to avoid attacks by sending) s
+5 404 M
+( terminal control characters.) s
+5 382 M
+(3.2 Authentication Protocol Message Numbers) s
+5 360 M
+( All message numbers used by this authentication protocol are in the) s
+5 349 M
+( range from 50 to 79, which is part of the range reserved for) s
+5 338 M
+( protocols running on top of the SSH transport layer protocol.) s
+5 316 M
+( Message numbers of 80 and higher are reserved for protocols running) s
+5 305 M
+( after this authentication protocol, so receiving one of them before) s
+5 294 M
+( authentication is complete is an error, to which the server MUST) s
+5 283 M
+( respond by disconnecting \(preferably with a proper disconnect message) s
+5 272 M
+( sent first to ease troubleshooting\).) s
+5 250 M
+( After successful authentication, such messages are passed to the) s
+5 239 M
+( higher-level service.) s
+5 217 M
+( These are the general authentication message codes:) s
+5 195 M
+( #define SSH_MSG_USERAUTH_REQUEST 50) s
+5 184 M
+( #define SSH_MSG_USERAUTH_FAILURE 51) s
+5 173 M
+( #define SSH_MSG_USERAUTH_SUCCESS 52) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 7]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 8 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+( #define SSH_MSG_USERAUTH_BANNER 53) s
+5 668 M
+( In addition to the above, there is a range of message numbers) s
+5 657 M
+( \(60..79\) reserved for method-specific messages. These messages are) s
+5 646 M
+( only sent by the server \(client sends only SSH_MSG_USERAUTH_REQUEST) s
+5 635 M
+( messages\). Different authentication methods reuse the same message) s
+5 624 M
+( numbers.) s
+5 602 M
+(3.3 Public Key Authentication Method: publickey) s
+5 580 M
+( The only REQUIRED authentication method is public key authentication.) s
+5 569 M
+( All implementations MUST support this method; however, not all users) s
+5 558 M
+( need to have public keys, and most local policies are not likely to) s
+5 547 M
+( require public key authentication for all users in the near future.) s
+5 525 M
+( With this method, the possession of a private key serves as) s
+5 514 M
+( authentication. This method works by sending a signature created) s
+5 503 M
+( with a private key of the user. The server MUST check that the key) s
+5 492 M
+( is a valid authenticator for the user, and MUST check that the) s
+5 481 M
+( signature is valid. If both hold, the authentication request MUST be) s
+5 470 M
+( accepted; otherwise it MUST be rejected. \(Note that the server MAY) s
+5 459 M
+( require additional authentications after successful authentication.\)) s
+5 437 M
+( Private keys are often stored in an encrypted form at the client) s
+5 426 M
+( host, and the user must supply a passphrase before the signature can) s
+5 415 M
+( be generated. Even if they are not, the signing operation involves) s
+5 404 M
+( some expensive computation. To avoid unnecessary processing and user) s
+5 393 M
+( interaction, the following message is provided for querying whether) s
+5 382 M
+( authentication using the key would be acceptable.) s
+5 360 M
+( byte SSH_MSG_USERAUTH_REQUEST) s
+5 349 M
+( string user name) s
+5 338 M
+( string service) s
+5 327 M
+( string "publickey") s
+5 316 M
+( boolean FALSE) s
+5 305 M
+( string public key algorithm name) s
+5 294 M
+( string public key blob) s
+5 272 M
+( Public key algorithms are defined in the transport layer) s
+5 261 M
+( specification [SSH-TRANS]. The public key blob may contain) s
+5 250 M
+( certificates.) s
+5 228 M
+( Any public key algorithm may be offered for use in authentication.) s
+5 217 M
+( In particular, the list is not constrained by what was negotiated) s
+5 206 M
+( during key exchange. If the server does not support some algorithm,) s
+5 195 M
+( it MUST simply reject the request.) s
+5 173 M
+( The server MUST respond to this message with either) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 8]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (8,9) 5
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 9 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+( SSH_MSG_USERAUTH_FAILURE or with the following:) s
+5 668 M
+( byte SSH_MSG_USERAUTH_PK_OK) s
+5 657 M
+( string public key algorithm name from the request) s
+5 646 M
+( string public key blob from the request) s
+5 624 M
+( To perform actual authentication, the client MAY then send a) s
+5 613 M
+( signature generated using the private key. The client MAY send the) s
+5 602 M
+( signature directly without first verifying whether the key is) s
+5 591 M
+( acceptable. The signature is sent using the following packet:) s
+5 569 M
+( byte SSH_MSG_USERAUTH_REQUEST) s
+5 558 M
+( string user name) s
+5 547 M
+( string service) s
+5 536 M
+( string "publickey") s
+5 525 M
+( boolean TRUE) s
+5 514 M
+( string public key algorithm name) s
+5 503 M
+( string public key to be used for authentication) s
+5 492 M
+( string signature) s
+5 470 M
+( Signature is a signature by the corresponding private key over the) s
+5 459 M
+( following data, in the following order:) s
+5 437 M
+( string session identifier) s
+5 426 M
+( byte SSH_MSG_USERAUTH_REQUEST) s
+5 415 M
+( string user name) s
+5 404 M
+( string service) s
+5 393 M
+( string "publickey") s
+5 382 M
+( boolean TRUE) s
+5 371 M
+( string public key algorithm name) s
+5 360 M
+( string public key to be used for authentication) s
+5 338 M
+( When the server receives this message, it MUST check whether the) s
+5 327 M
+( supplied key is acceptable for authentication, and if so, it MUST) s
+5 316 M
+( check whether the signature is correct.) s
+5 294 M
+( If both checks succeed, this method is successful. Note that the) s
+5 283 M
+( server may require additional authentications. The server MUST) s
+5 272 M
+( respond with SSH_MSG_USERAUTH_SUCCESS \(if no more authentications are) s
+5 261 M
+( needed\), or SSH_MSG_USERAUTH_FAILURE \(if the request failed, or more) s
+5 250 M
+( authentications are needed\).) s
+5 228 M
+( The following method-specific message numbers are used by the) s
+5 217 M
+( publickey authentication method.) s
+5 195 M
+( /* Key-based */) s
+5 184 M
+( #define SSH_MSG_USERAUTH_PK_OK 60) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 9]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 10 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+(3.4 Password Authentication Method: password) s
+5 668 M
+( Password authentication uses the following packets. Note that a) s
+5 657 M
+( server MAY request the user to change the password. All) s
+5 646 M
+( implementations SHOULD support password authentication.) s
+5 624 M
+( byte SSH_MSG_USERAUTH_REQUEST) s
+5 613 M
+( string user name) s
+5 602 M
+( string service) s
+5 591 M
+( string "password") s
+5 580 M
+( boolean FALSE) s
+5 569 M
+( string plaintext password \(ISO-10646 UTF-8\)) s
+5 547 M
+( Note that the password is encoded in ISO-10646 UTF-8. It is up to) s
+5 536 M
+( the server how it interprets the password and validates it against) s
+5 525 M
+( the password database. However, if the client reads the password in) s
+5 514 M
+( some other encoding \(e.g., ISO 8859-1 \(ISO Latin1\)\), it MUST convert) s
+5 503 M
+( the password to ISO-10646 UTF-8 before transmitting, and the server) s
+5 492 M
+( MUST convert the password to the encoding used on that system for) s
+5 481 M
+( passwords.) s
+5 459 M
+( Note that even though the cleartext password is transmitted in the) s
+5 448 M
+( packet, the entire packet is encrypted by the transport layer. Both) s
+5 437 M
+( the server and the client should check whether the underlying) s
+5 426 M
+( transport layer provides confidentiality \(i.e., if encryption is) s
+5 415 M
+( being used\). If no confidentiality is provided \(none cipher\),) s
+5 404 M
+( password authentication SHOULD be disabled. If there is no) s
+5 393 M
+( confidentiality or no MAC, password change SHOULD be disabled.) s
+5 371 M
+( Normally, the server responds to this message with success or) s
+5 360 M
+( failure. However, if the password has expired the server SHOULD) s
+5 349 M
+( indicate this by responding with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.) s
+5 338 M
+( In anycase the server MUST NOT allow an expired password to be used) s
+5 327 M
+( for authentication.) s
+5 305 M
+( byte SSH_MSG_USERAUTH_PASSWD_CHANGEREQ) s
+5 294 M
+( string prompt \(ISO-10646 UTF-8\)) s
+5 283 M
+( string language tag \(as defined in [RFC3066]\)) s
+5 261 M
+( In this case, the client MAY continue with a different authentication) s
+5 250 M
+( method, or request a new password from the user and retry password) s
+5 239 M
+( authentication using the following message. The client MAY also send) s
+5 228 M
+( this message instead of the normal password authentication request) s
+5 217 M
+( without the server asking for it.) s
+5 195 M
+( byte SSH_MSG_USERAUTH_REQUEST) s
+5 184 M
+( string user name) s
+5 173 M
+( string service) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 10]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (10,11) 6
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 11 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+( string "password") s
+5 679 M
+( boolean TRUE) s
+5 668 M
+( string plaintext old password \(ISO-10646 UTF-8\)) s
+5 657 M
+( string plaintext new password \(ISO-10646 UTF-8\)) s
+5 635 M
+( The server must reply to request message with) s
+5 624 M
+( SSH_MSG_USERAUTH_SUCCESS, SSH_MSG_USERAUTH_FAILURE, or another) s
+5 613 M
+( SSH_MSG_USERAUTH_PASSWD_CHANGEREQ. The meaning of these is as) s
+5 602 M
+( follows:) s
+5 580 M
+( SSH_MSG_USERAUTH_SUCCESS The password has been changed, and) s
+5 569 M
+( authentication has been successfully completed.) s
+5 547 M
+( SSH_MSG_USERAUTH_FAILURE with partial success The password has) s
+5 536 M
+( been changed, but more authentications are needed.) s
+5 514 M
+( SSH_MSG_USERAUTH_FAILURE without partial success The password has) s
+5 503 M
+( not been changed. Either password changing was not supported, or) s
+5 492 M
+( the old password was bad. Note that if the server has already) s
+5 481 M
+( sent SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, we know that it supports) s
+5 470 M
+( changing the password.) s
+5 448 M
+( SSH_MSG_USERAUTH_CHANGEREQ The password was not changed because) s
+5 437 M
+( the new password was not acceptable \(e.g. too easy to guess\).) s
+5 415 M
+( The following method-specific message numbers are used by the) s
+5 404 M
+( password authentication method.) s
+5 382 M
+( #define SSH_MSG_USERAUTH_PASSWD_CHANGEREQ 60) s
+5 349 M
+(3.5 Host-Based Authentication: hostbased) s
+5 327 M
+( Some sites wish to allow authentication based on the host where the) s
+5 316 M
+( user is coming from, and the user name on the remote host. While) s
+5 305 M
+( this form of authentication is not suitable for high-security sites,) s
+5 294 M
+( it can be very convenient in many environments. This form of) s
+5 283 M
+( authentication is OPTIONAL. When used, special care SHOULD be taken) s
+5 272 M
+( to prevent a regular user from obtaining the private host key.) s
+5 250 M
+( The client requests this form of authentication by sending the) s
+5 239 M
+( following message. It is similar to the UNIX "rhosts" and) s
+5 228 M
+( "hosts.equiv" styles of authentication, except that the identity of) s
+5 217 M
+( the client host is checked more rigorously.) s
+5 195 M
+( This method works by having the client send a signature created with) s
+5 184 M
+( the private key of the client host, which the server checks with that) s
+5 173 M
+( host's public key. Once the client host's identity is established,) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 11]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 12 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+( authorization \(but no further authentication\) is performed based on) s
+5 679 M
+( the user names on the server and the client, and the client host) s
+5 668 M
+( name.) s
+5 646 M
+( byte SSH_MSG_USERAUTH_REQUEST) s
+5 635 M
+( string user name) s
+5 624 M
+( string service) s
+5 613 M
+( string "hostbased") s
+5 602 M
+( string public key algorithm for host key) s
+5 591 M
+( string public host key and certificates for client host) s
+5 580 M
+( string client host name \(FQDN; US-ASCII\)) s
+5 569 M
+( string user name on the client host \(ISO-10646 UTF-8\)) s
+5 558 M
+( string signature) s
+5 536 M
+( Public key algorithm names for use in "public key algorithm for host) s
+5 525 M
+( key" are defined in the transport layer specification. The "public) s
+5 514 M
+( host key for client host" may include certificates.) s
+5 492 M
+( Signature is a signature with the private host key of the following) s
+5 481 M
+( data, in this order:) s
+5 459 M
+( string session identifier) s
+5 448 M
+( byte SSH_MSG_USERAUTH_REQUEST) s
+5 437 M
+( string user name) s
+5 426 M
+( string service) s
+5 415 M
+( string "hostbased") s
+5 404 M
+( string public key algorithm for host key) s
+5 393 M
+( string public host key and certificates for client host) s
+5 382 M
+( string client host name \(FQDN; US-ASCII\)) s
+5 371 M
+( string user name on the client host\(ISO-10646 UTF-8\)) s
+5 349 M
+( The server MUST verify that the host key actually belongs to the) s
+5 338 M
+( client host named in the message, that the given user on that host is) s
+5 327 M
+( allowed to log in, and that the signature is a valid signature on the) s
+5 316 M
+( appropriate value by the given host key. The server MAY ignore the) s
+5 305 M
+( client user name, if it wants to authenticate only the client host.) s
+5 283 M
+( It is RECOMMENDED that whenever possible, the server perform) s
+5 272 M
+( additional checks to verify that the network address obtained from) s
+5 261 M
+( the \(untrusted\) network matches the given client host name. This) s
+5 250 M
+( makes exploiting compromised host keys more difficult. Note that) s
+5 239 M
+( this may require special handling for connections coming through a) s
+5 228 M
+( firewall.) s
+5 206 M
+(4. Security Considerations) s
+5 184 M
+( The purpose of this protocol is to perform client user) s
+5 173 M
+( authentication. It assumed that this runs over a secure transport) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 12]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (12,13) 7
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 13 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+( layer protocol, which has already authenticated the server machine,) s
+5 679 M
+( established an encrypted communications channel, and computed a) s
+5 668 M
+( unique session identifier for this session. The transport layer) s
+5 657 M
+( provides forward secrecy for password authentication and other) s
+5 646 M
+( methods that rely on secret data.) s
+5 624 M
+( Full security considerations for this protocol are provided in) s
+5 613 M
+( Section 8 of [SSH-ARCH]) s
+5 591 M
+(Normative) s
+5 569 M
+( [SSH-ARCH]) s
+5 558 M
+( Ylonen, T., "SSH Protocol Architecture", I-D) s
+5 547 M
+( draft-ietf-architecture-15.txt, Oct 2003.) s
+5 525 M
+( [SSH-TRANS]) s
+5 514 M
+( Ylonen, T., "SSH Transport Layer Protocol", I-D) s
+5 503 M
+( draft-ietf-transport-17.txt, Oct 2003.) s
+5 481 M
+( [SSH-USERAUTH]) s
+5 470 M
+( Ylonen, T., "SSH Authentication Protocol", I-D) s
+5 459 M
+( draft-ietf-userauth-18.txt, Oct 2003.) s
+5 437 M
+( [SSH-CONNECT]) s
+5 426 M
+( Ylonen, T., "SSH Connection Protocol", I-D) s
+5 415 M
+( draft-ietf-connect-18.txt, Oct 2003.) s
+5 393 M
+( [SSH-NUMBERS]) s
+5 382 M
+( Lehtinen, S. and D. Moffat, "SSH Protocol Assigned) s
+5 371 M
+( Numbers", I-D draft-ietf-secsh-assignednumbers-05.txt, Oct) s
+5 360 M
+( 2003.) s
+5 338 M
+( [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate) s
+5 327 M
+( Requirement Levels", BCP 14, RFC 2119, March 1997.) s
+5 305 M
+(Informative) s
+5 283 M
+( [RFC3066] Alvestrand, H., "Tags for the Identification of) s
+5 272 M
+( Languages", BCP 47, RFC 3066, January 2001.) s
+5 250 M
+( [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO) s
+5 239 M
+( 10646", RFC 2279, January 1998.) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 13]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 14 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+(Authors' Addresses) s
+5 668 M
+( Tatu Ylonen) s
+5 657 M
+( SSH Communications Security Corp) s
+5 646 M
+( Fredrikinkatu 42) s
+5 635 M
+( HELSINKI FIN-00100) s
+5 624 M
+( Finland) s
+5 602 M
+( EMail: [email protected]) s
+5 569 M
+( Darren J. Moffat \(editor\)) s
+5 558 M
+( Sun Microsystems, Inc) s
+5 547 M
+( 17 Network Circle) s
+5 536 M
+( Menlo Park 95025) s
+5 525 M
+( USA) s
+5 503 M
+( EMail: [email protected]) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 14]) s
+_R
+S
+PStoPSsaved restore
+%%Page: (14,15) 8
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 0.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+/showpage{}def/copypage{}def/erasepage{}def
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 15 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+(Intellectual Property Statement) s
+5 668 M
+( The IETF takes no position regarding the validity or scope of any) s
+5 657 M
+( intellectual property or other rights that might be claimed to) s
+5 646 M
+( pertain to the implementation or use of the technology described in) s
+5 635 M
+( this document or the extent to which any license under such rights) s
+5 624 M
+( might or might not be available; neither does it represent that it) s
+5 613 M
+( has made any effort to identify any such rights. Information on the) s
+5 602 M
+( IETF's procedures with respect to rights in standards-track and) s
+5 591 M
+( standards-related documentation can be found in BCP-11. Copies of) s
+5 580 M
+( claims of rights made available for publication and any assurances of) s
+5 569 M
+( licenses to be made available, or the result of an attempt made to) s
+5 558 M
+( obtain a general license or permission for the use of such) s
+5 547 M
+( proprietary rights by implementors or users of this specification can) s
+5 536 M
+( be obtained from the IETF Secretariat.) s
+5 514 M
+( The IETF invites any interested party to bring to its attention any) s
+5 503 M
+( copyrights, patents or patent applications, or other proprietary) s
+5 492 M
+( rights which may cover technology that may be required to practice) s
+5 481 M
+( this standard. Please address the information to the IETF Executive) s
+5 470 M
+( Director.) s
+5 448 M
+( The IETF has been notified of intellectual property rights claimed in) s
+5 437 M
+( regard to some or all of the specification contained in this) s
+5 426 M
+( document. For more information consult the online list of claimed) s
+5 415 M
+( rights.) s
+5 382 M
+(Full Copyright Statement) s
+5 360 M
+( Copyright \(C\) The Internet Society \(2002\). All Rights Reserved.) s
+5 338 M
+( This document and translations of it may be copied and furnished to) s
+5 327 M
+( others, and derivative works that comment on or otherwise explain it) s
+5 316 M
+( or assist in its implementation may be prepared, copied, published) s
+5 305 M
+( and distributed, in whole or in part, without restriction of any) s
+5 294 M
+( kind, provided that the above copyright notice and this paragraph are) s
+5 283 M
+( included on all such copies and derivative works. However, this) s
+5 272 M
+( document itself may not be modified in any way, such as by removing) s
+5 261 M
+( the copyright notice or references to the Internet Society or other) s
+5 250 M
+( Internet organizations, except as needed for the purpose of) s
+5 239 M
+( developing Internet standards in which case the procedures for) s
+5 228 M
+( copyrights defined in the Internet Standards process must be) s
+5 217 M
+( followed, or as required to translate it into languages other than) s
+5 206 M
+( English.) s
+5 184 M
+( The limited permissions granted above are perpetual and will not be) s
+5 173 M
+( revoked by the Internet Society or its successors or assignees.) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 15]) s
+_R
+S
+PStoPSsaved restore
+userdict/PStoPSsaved save put
+PStoPSmatrix setmatrix
+595.000000 421.271378 translate
+90 rotate
+0.706651 dup scale
+userdict/PStoPSmatrix matrix currentmatrix put
+userdict/PStoPSclip{0 0 moveto
+ 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
+ closepath}put initclip
+PStoPSxform concat
+%%BeginPageSetup
+_S
+75 0 translate
+/pagenum 16 def
+/fname () def
+/fdir () def
+/ftail () def
+/user_header_p false def
+%%EndPageSetup
+5 723 M
+(Internet-Draft SSH Authentication Protocol September 2002) s
+5 690 M
+( This document and the information contained herein is provided on an) s
+5 679 M
+( "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING) s
+5 668 M
+( TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING) s
+5 657 M
+( BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION) s
+5 646 M
+( HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF) s
+5 635 M
+( MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.) s
+5 602 M
+(Acknowledgment) s
+5 580 M
+( Funding for the RFC Editor function is currently provided by the) s
+5 569 M
+( Internet Society.) s
+5 129 M
+(Ylonen & Moffat Expires March 2, 2003 [Page 16]) s
+_R
+S
+PStoPSsaved restore
+%%Trailer
+%%Pages: 16
+%%DocumentNeededResources: font Courier-Bold Courier
+%%EOF