author | Erlang/OTP <[email protected]> | 2009-11-20 14:54:40 +0000 |
---|---|---|
committer | Erlang/OTP <[email protected]> | 2009-11-20 14:54:40 +0000 |
commit | 84adefa331c4159d432d22840663c38f155cd4c1 (patch) | |
tree | bff9a9c66adda4df2106dfd0e5c053ab182a12bd /lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps | |
The R13B03 release. OTP_R13B03
Diffstat (limited to 'lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps')
-rw-r--r-- | lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps | 1881 |
1 files changed, 1881 insertions, 0 deletions
diff --git a/lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps b/lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps
new file mode 100644
index 0000000000..be5799dbce
--- /dev/null
+++ b/lib/ssh/doc/standard/draft-ietf-secsh-userauth-18.2.ps
@@ -0,0 +1,1881 @@ +%!PS-Adobe-3.0 +%%BoundingBox: 75 0 595 747 +%%Title: Enscript Output +%%For: Magnus Thoang +%%Creator: GNU enscript 1.6.1 +%%CreationDate: Fri Oct 31 13:35:32 2003 +%%Orientation: Portrait +%%Pages: 8 0 +%%DocumentMedia: A4 595 842 0 () () +%%DocumentNeededResources: (atend) +%%EndComments +%%BeginProlog +%%BeginProcSet: PStoPS 1 15 +userdict begin +[/showpage/erasepage/copypage]{dup where{pop dup load + type/operatortype eq{1 array cvx dup 0 3 index cvx put + bind def}{pop}ifelse}{pop}ifelse}forall +[/letter/legal/executivepage/a4/a4small/b5/com10envelope + /monarchenvelope/c5envelope/dlenvelope/lettersmall/note + /folio/quarto/a5]{dup where{dup wcheck{exch{}put} + {pop{}def}ifelse}{pop}ifelse}forall +/setpagedevice {pop}bind 1 index where{dup wcheck{3 1 roll put} + {pop def}ifelse}{def}ifelse +/PStoPSmatrix matrix currentmatrix def +/PStoPSxform matrix def/PStoPSclip{clippath}def +/defaultmatrix{PStoPSmatrix exch PStoPSxform exch concatmatrix}bind def +/initmatrix{matrix defaultmatrix setmatrix}bind def +/initclip[{matrix currentmatrix PStoPSmatrix setmatrix + [{currentpoint}stopped{$error/newerror false put{newpath}} + {/newpath cvx 3 1 roll/moveto cvx 4 array astore cvx}ifelse] + {[/newpath cvx{/moveto cvx}{/lineto cvx} + {/curveto cvx}{/closepath cvx}pathforall]cvx exch pop} + stopped{$error/errorname get/invalidaccess eq{cleartomark + $error/newerror false put cvx exec}{stop}ifelse}if}bind aload pop + /initclip dup load dup type dup/operatortype eq{pop exch pop} + {dup/arraytype eq exch/packedarraytype eq or + {dup xcheck{exch pop aload pop}{pop cvx}ifelse} + {pop cvx}ifelse}ifelse + {newpath PStoPSclip clip newpath exec setmatrix} bind aload pop]cvx def +/initgraphics{initmatrix newpath initclip 1 setlinewidth + 0 setlinecap 0 setlinejoin []0 setdash 0 setgray + 10 setmiterlimit}bind def +end +%%EndProcSet +%%BeginResource: procset Enscript-Prolog 1.6 1 +% +% Procedures. 
+% + +/_S { % save current state + /_s save def +} def +/_R { % restore from saved state + _s restore +} def + +/S { % showpage protecting gstate + gsave + showpage + grestore +} bind def + +/MF { % fontname newfontname -> - make a new encoded font + /newfontname exch def + /fontname exch def + + /fontdict fontname findfont def + /newfont fontdict maxlength dict def + + fontdict { + exch + dup /FID eq { + % skip FID pair + pop pop + } { + % copy to the new font dictionary + exch newfont 3 1 roll put + } ifelse + } forall + + newfont /FontName newfontname put + + % insert only valid encoding vectors + encoding_vector length 256 eq { + newfont /Encoding encoding_vector put + } if + + newfontname newfont definefont pop +} def + +/SF { % fontname width height -> - set a new font + /height exch def + /width exch def + + findfont + [width 0 0 height 0 0] makefont setfont +} def + +/SUF { % fontname width height -> - set a new user font + /height exch def + /width exch def + + /F-gs-user-font MF + /F-gs-user-font width height SF +} def + +/M {moveto} bind def +/s {show} bind def + +/Box { % x y w h -> - define box path + /d_h exch def /d_w exch def /d_y exch def /d_x exch def + d_x d_y moveto + d_w 0 rlineto + 0 d_h rlineto + d_w neg 0 rlineto + closepath +} def + +/bgs { % x y height blskip gray str -> - show string with bg color + /str exch def + /gray exch def + /blskip exch def + /height exch def + /y exch def + /x exch def + + gsave + x y blskip sub str stringwidth pop height Box + gray setgray + fill + grestore + x y M str s +} def + +% Highlight bars. +/highlight_bars { % nlines lineheight output_y_margin gray -> - + gsave + setgray + /ymarg exch def + /lineheight exch def + /nlines exch def + + % This 2 is just a magic number to sync highlight lines to text. 
+ 0 d_header_y ymarg sub 2 sub translate + + /cw d_output_w cols div def + /nrows d_output_h ymarg 2 mul sub lineheight div cvi def + + % for each column + 0 1 cols 1 sub { + cw mul /xp exch def + + % for each rows + 0 1 nrows 1 sub { + /rn exch def + rn lineheight mul neg /yp exch def + rn nlines idiv 2 mod 0 eq { + % Draw highlight bar. 4 is just a magic indentation. + xp 4 add yp cw 8 sub lineheight neg Box fill + } if + } for + } for + + grestore +} def + +% Line highlight bar. +/line_highlight { % x y width height gray -> - + gsave + /gray exch def + Box gray setgray fill + grestore +} def + +% Column separator lines. +/column_lines { + gsave + .1 setlinewidth + 0 d_footer_h translate + /cw d_output_w cols div def + 1 1 cols 1 sub { + cw mul 0 moveto + 0 d_output_h rlineto stroke + } for + grestore +} def + +% Column borders. +/column_borders { + gsave + .1 setlinewidth + 0 d_footer_h moveto + 0 d_output_h rlineto + d_output_w 0 rlineto + 0 d_output_h neg rlineto + closepath stroke + grestore +} def + +% Do the actual underlay drawing +/draw_underlay { + ul_style 0 eq { + ul_str true charpath stroke + } { + ul_str show + } ifelse +} def + +% Underlay +/underlay { % - -> - + gsave + 0 d_page_h translate + d_page_h neg d_page_w atan rotate + + ul_gray setgray + ul_font setfont + /dw d_page_h dup mul d_page_w dup mul add sqrt def + ul_str stringwidth pop dw exch sub 2 div ul_h_ptsize -2 div moveto + draw_underlay + grestore +} def + +/user_underlay { % - -> - + gsave + ul_x ul_y translate + ul_angle rotate + ul_gray setgray + ul_font setfont + 0 0 ul_h_ptsize 2 div sub moveto + draw_underlay + grestore +} def + +% Page prefeed +/page_prefeed { % bool -> - + statusdict /prefeed known { + statusdict exch /prefeed exch put + } { + pop + } ifelse +} def + +% Wrapped line markers +/wrapped_line_mark { % x y charwith charheight type -> - + /type exch def + /h exch def + /w exch def + /y exch def + /x exch def + + type 2 eq { + % Black boxes (like TeX does) + gsave + 0 
setlinewidth + x w 4 div add y M + 0 h rlineto w 2 div 0 rlineto 0 h neg rlineto + closepath fill + grestore + } { + type 3 eq { + % Small arrows + gsave + .2 setlinewidth + x w 2 div add y h 2 div add M + w 4 div 0 rlineto + x w 4 div add y lineto stroke + + x w 4 div add w 8 div add y h 4 div add M + x w 4 div add y lineto + w 4 div h 8 div rlineto stroke + grestore + } { + % do nothing + } ifelse + } ifelse +} def + +% EPSF import. + +/BeginEPSF { + /b4_Inc_state save def % Save state for cleanup + /dict_count countdictstack def % Count objects on dict stack + /op_count count 1 sub def % Count objects on operand stack + userdict begin + /showpage { } def + 0 setgray 0 setlinecap + 1 setlinewidth 0 setlinejoin + 10 setmiterlimit [ ] 0 setdash newpath + /languagelevel where { + pop languagelevel + 1 ne { + false setstrokeadjust false setoverprint + } if + } if +} bind def + +/EndEPSF { + count op_count sub { pos } repeat % Clean up stacks + countdictstack dict_count sub { end } repeat + b4_Inc_state restore +} bind def + +% Check PostScript language level. 
+/languagelevel where { + pop /gs_languagelevel languagelevel def +} { + /gs_languagelevel 1 def +} ifelse +%%EndResource +%%BeginResource: procset Enscript-Encoding-88591 1.6 1 +/encoding_vector [ +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/space /exclam /quotedbl /numbersign +/dollar /percent /ampersand /quoteright +/parenleft /parenright /asterisk /plus +/comma /hyphen /period /slash +/zero /one /two /three +/four /five /six /seven +/eight /nine /colon /semicolon +/less /equal /greater /question +/at /A /B /C +/D /E /F /G +/H /I /J /K +/L /M /N /O +/P /Q /R /S +/T /U /V /W +/X /Y /Z /bracketleft +/backslash /bracketright /asciicircum /underscore +/quoteleft /a /b /c +/d /e /f /g +/h /i /j /k +/l /m /n /o +/p /q /r /s +/t /u /v /w +/x /y /z /braceleft +/bar /braceright /tilde /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/space /exclamdown /cent /sterling +/currency /yen /brokenbar /section +/dieresis /copyright /ordfeminine /guillemotleft +/logicalnot /hyphen /registered /macron +/degree /plusminus /twosuperior /threesuperior +/acute /mu /paragraph /bullet +/cedilla /onesuperior /ordmasculine /guillemotright +/onequarter /onehalf /threequarters /questiondown +/Agrave /Aacute /Acircumflex /Atilde +/Adieresis /Aring /AE /Ccedilla +/Egrave /Eacute /Ecircumflex /Edieresis +/Igrave /Iacute /Icircumflex /Idieresis +/Eth /Ntilde /Ograve /Oacute +/Ocircumflex /Otilde /Odieresis /multiply +/Oslash /Ugrave /Uacute /Ucircumflex +/Udieresis /Yacute /Thorn /germandbls 
+/agrave /aacute /acircumflex /atilde +/adieresis /aring /ae /ccedilla +/egrave /eacute /ecircumflex /edieresis +/igrave /iacute /icircumflex /idieresis +/eth /ntilde /ograve /oacute +/ocircumflex /otilde /odieresis /divide +/oslash /ugrave /uacute /ucircumflex +/udieresis /yacute /thorn /ydieresis +] def +%%EndResource +%%EndProlog +%%BeginSetup +%%IncludeResource: font Courier-Bold +%%IncludeResource: font Courier +/HFpt_w 10 def +/HFpt_h 10 def +/Courier-Bold /HF-gs-font MF +/HF /HF-gs-font findfont [HFpt_w 0 0 HFpt_h 0 0] makefont def +/Courier /F-gs-font MF +/F-gs-font 10 10 SF +/#copies 1 def +/d_page_w 520 def +/d_page_h 747 def +/d_header_x 0 def +/d_header_y 747 def +/d_header_w 520 def +/d_header_h 0 def +/d_footer_x 0 def +/d_footer_y 0 def +/d_footer_w 520 def +/d_footer_h 0 def +/d_output_w 520 def +/d_output_h 747 def +/cols 1 def +userdict/PStoPSxform PStoPSmatrix matrix currentmatrix + matrix invertmatrix matrix concatmatrix + matrix invertmatrix put +%%EndSetup +%%Page: (0,1) 1 +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 0.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +/showpage{}def/copypage{}def/erasepage{}def +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 1 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 701 M +(Network Working Group T. Ylonen) s +5 690 M +(Internet-Draft SSH Communications Security Corp) s +5 679 M +(Expires: March 2, 2003 D. Moffat, Ed.) s +5 668 M +( Sun Microsystems, Inc) s +5 657 M +( September 2002) s +5 624 M +( SSH Authentication Protocol) s +5 613 M +( draft-ietf-secsh-userauth-18.txt) s +5 591 M +(Status of this Memo) s +5 569 M +( This document is an Internet-Draft and is in full conformance with) s +5 558 M +( all provisions of Section 10 of RFC2026.) 
s +5 536 M +( Internet-Drafts are working documents of the Internet Engineering) s +5 525 M +( Task Force \(IETF\), its areas, and its working groups. Note that other) s +5 514 M +( groups may also distribute working documents as Internet-Drafts.) s +5 492 M +( Internet-Drafts are draft documents valid for a maximum of six months) s +5 481 M +( and may be updated, replaced, or obsoleted by other documents at any) s +5 470 M +( time. It is inappropriate to use Internet-Drafts as reference) s +5 459 M +( material or to cite them other than as "work in progress.") s +5 437 M +( The list of current Internet-Drafts can be accessed at http://) s +5 426 M +( www.ietf.org/ietf/1id-abstracts.txt.) s +5 404 M +( The list of Internet-Draft Shadow Directories can be accessed at) s +5 393 M +( http://www.ietf.org/shadow.html.) s +5 371 M +( This Internet-Draft will expire on March 2, 2003.) s +5 349 M +(Copyright Notice) s +5 327 M +( Copyright \(C\) The Internet Society \(2002\). All Rights Reserved.) s +5 305 M +(Abstract) s +5 283 M +( SSH is a protocol for secure remote login and other secure network) s +5 272 M +( services over an insecure network. This document describes the SSH) s +5 261 M +( authentication protocol framework and public key, password, and) s +5 250 M +( host-based client authentication methods. Additional authentication) s +5 239 M +( methods are described in separate documents. The SSH authentication) s +5 228 M +( protocol runs on top of the SSH transport layer protocol and provides) s +5 217 M +( a single authenticated tunnel for the SSH connection protocol.) 
s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 1]) s +_R +S +PStoPSsaved restore +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 421.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 2 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +(Table of Contents) s +5 668 M +( 1. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 3) s +5 657 M +( 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3) s +5 646 M +( 3. Conventions Used in This Document . . . . . . . . . . . . . 3) s +5 635 M +( 3.1 The Authentication Protocol Framework . . . . . . . . . . . 3) s +5 624 M +( 3.1.1 Authentication Requests . . . . . . . . . . . . . . . . . . 4) s +5 613 M +( 3.1.2 Responses to Authentication Requests . . . . . . . . . . . . 5) s +5 602 M +( 3.1.3 The "none" Authentication Request . . . . . . . . . . . . . 6) s +5 591 M +( 3.1.4 Completion of User Authentication . . . . . . . . . . . . . 6) s +5 580 M +( 3.1.5 Banner Message . . . . . . . . . . . . . . . . . . . . . . . 7) s +5 569 M +( 3.2 Authentication Protocol Message Numbers . . . . . . . . . . 7) s +5 558 M +( 3.3 Public Key Authentication Method: publickey . . . . . . . . 8) s +5 547 M +( 3.4 Password Authentication Method: password . . . . . . . . . . 10) s +5 536 M +( 3.5 Host-Based Authentication: hostbased . . . . . . . . . . . . 11) s +5 525 M +( 4. Security Considerations . . . . . . . . . . . . . . . . . . 12) s +5 514 M +( Normative . . . . . . . . . . . . . . . . . . . . . . . . . 13) s +5 503 M +( Informative . . . . . . . . . . . . . . . . . . . . . . . . 13) s +5 492 M +( Authors' Addresses . . . . . . . . . 
. . . . . . . . . . . . 14) s +5 481 M +( Intellectual Property and Copyright Statements . . . . . . . 15) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 2]) s +_R +S +PStoPSsaved restore +%%Page: (2,3) 2 +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 0.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +/showpage{}def/copypage{}def/erasepage{}def +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 3 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +(1. Contributors) s +5 668 M +( The major original contributors of this document were: Tatu Ylonen,) s +5 657 M +( Tero Kivinen, Timo J. Rinne, Sami Lehtinen \(all of SSH Communications) s +5 646 M +( Security Corp\), and Markku-Juhani O. Saarinen \(University of) s +5 635 M +( Jyvaskyla\)) s +5 613 M +( The document editor is: [email protected]. Comments on this) s +5 602 M +( internet draft should be sent to the IETF SECSH working group,) s +5 591 M +( details at: http://ietf.org/html.charters/secsh-charter.html) s +5 569 M +(2. Introduction) s +5 547 M +( The SSH authentication protocol is a general-purpose user) s +5 536 M +( authentication protocol. It is intended to be run over the SSH) s +5 525 M +( transport layer protocol [SSH-TRANS]. This protocol assumes that the) s +5 514 M +( underlying protocols provide integrity and confidentiality) s +5 503 M +( protection.) s +5 481 M +( This document should be read only after reading the SSH architecture) s +5 470 M +( document [SSH-ARCH]. This document freely uses terminology and) s +5 459 M +( notation from the architecture document without reference or further) s +5 448 M +( explanation.) 
s +5 426 M +( The service name for this protocol is "ssh-userauth".) s +5 404 M +( When this protocol starts, it receives the session identifier from) s +5 393 M +( the lower-level protocol \(this is the exchange hash H from the first) s +5 382 M +( key exchange\). The session identifier uniquely identifies this) s +5 371 M +( session and is suitable for signing in order to prove ownership of a) s +5 360 M +( private key. This protocol also needs to know whether the lower-level) s +5 349 M +( protocol provides confidentiality protection.) s +5 327 M +(3. Conventions Used in This Document) s +5 305 M +( The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",) s +5 294 M +( and "MAY" that appear in this document are to be interpreted as) s +5 283 M +( described in [RFC2119]) s +5 261 M +( The used data types and terminology are specified in the architecture) s +5 250 M +( document [SSH-ARCH]) s +5 228 M +( The architecture document also discusses the algorithm naming) s +5 217 M +( conventions that MUST be used with the SSH protocols.) s +5 195 M +(3.1 The Authentication Protocol Framework) s +5 173 M +( The server drives the authentication by telling the client which) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 3]) s +_R +S +PStoPSsaved restore +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 421.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 4 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +( authentication methods can be used to continue the exchange at any) s +5 679 M +( given time. 
The client has the freedom to try the methods listed by) s +5 668 M +( the server in any order. This gives the server complete control over) s +5 657 M +( the authentication process if desired, but also gives enough) s +5 646 M +( flexibility for the client to use the methods it supports or that are) s +5 635 M +( most convenient for the user, when multiple methods are offered by) s +5 624 M +( the server.) s +5 602 M +( Authentication methods are identified by their name, as defined in) s +5 591 M +( [SSH-ARCH]. The "none" method is reserved, and MUST NOT be listed as) s +5 580 M +( supported. However, it MAY be sent by the client. The server MUST) s +5 569 M +( always reject this request, unless the client is to be allowed in) s +5 558 M +( without any authentication, in which case the server MUST accept this) s +5 547 M +( request. The main purpose of sending this request is to get the list) s +5 536 M +( of supported methods from the server.) s +5 514 M +( The server SHOULD have a timeout for authentication, and disconnect) s +5 503 M +( if the authentication has not been accepted within the timeout) s +5 492 M +( period. The RECOMMENDED timeout period is 10 minutes. Additionally,) s +5 481 M +( the implementation SHOULD limit the number of failed authentication) s +5 470 M +( attempts a client may perform in a single session \(the RECOMMENDED) s +5 459 M +( limit is 20 attempts\). If the threshold is exceeded, the server) s +5 448 M +( SHOULD disconnect.) s +5 426 M +(3.1.1 Authentication Requests) s +5 404 M +( All authentication requests MUST use the following message format.) s +5 393 M +( Only the first few fields are defined; the remaining fields depend on) s +5 382 M +( the authentication method.) 
s +5 360 M +( byte SSH_MSG_USERAUTH_REQUEST) s +5 349 M +( string user name \(in ISO-10646 UTF-8 encoding [RFC2279]\)) s +5 338 M +( string service name \(in US-ASCII\)) s +5 327 M +( string method name \(US-ASCII\)) s +5 316 M +( The rest of the packet is method-specific.) s +5 294 M +( The user name and service are repeated in every new authentication) s +5 283 M +( attempt, and MAY change. The server implementation MUST carefully) s +5 272 M +( check them in every message, and MUST flush any accumulated) s +5 261 M +( authentication states if they change. If it is unable to flush some) s +5 250 M +( authentication state, it MUST disconnect if the user or service name) s +5 239 M +( changes.) s +5 217 M +( The service name specifies the service to start after authentication.) s +5 206 M +( There may be several different authenticated services provided. If) s +5 195 M +( the requested service is not available, the server MAY disconnect) s +5 184 M +( immediately or at any later time. Sending a proper disconnect) s +5 173 M +( message is RECOMMENDED. In any case, if the service does not exist,) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 4]) s +_R +S +PStoPSsaved restore +%%Page: (4,5) 3 +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 0.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +/showpage{}def/copypage{}def/erasepage{}def +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 5 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +( authentication MUST NOT be accepted.) 
s +5 668 M +( If the requested user does not exist, the server MAY disconnect, or) s +5 657 M +( MAY send a bogus list of acceptable authentication methods, but never) s +5 646 M +( accept any. This makes it possible for the server to avoid) s +5 635 M +( disclosing information on which accounts exist. In any case, if the) s +5 624 M +( user does not exist, the authentication request MUST NOT be accepted.) s +5 602 M +( While there is usually little point for clients to send requests that) s +5 591 M +( the server does not list as acceptable, sending such requests is not) s +5 580 M +( an error, and the server SHOULD simply reject requests that it does) s +5 569 M +( not recognize.) s +5 547 M +( An authentication request MAY result in a further exchange of) s +5 536 M +( messages. All such messages depend on the authentication method) s +5 525 M +( used, and the client MAY at any time continue with a new) s +5 514 M +( SSH_MSG_USERAUTH_REQUEST message, in which case the server MUST) s +5 503 M +( abandon the previous authentication attempt and continue with the new) s +5 492 M +( one.) s +5 470 M +(3.1.2 Responses to Authentication Requests) s +5 448 M +( If the server rejects the authentication request, it MUST respond) s +5 437 M +( with the following:) s +5 415 M +( byte SSH_MSG_USERAUTH_FAILURE) s +5 404 M +( string authentications that can continue) s +5 393 M +( boolean partial success) s +5 371 M +( "Authentications that can continue" is a comma-separated list of) s +5 360 M +( authentication method names that may productively continue the) s +5 349 M +( authentication dialog.) s +5 327 M +( It is RECOMMENDED that servers only include those methods in the list) s +5 316 M +( that are actually useful. However, it is not illegal to include) s +5 305 M +( methods that cannot be used to authenticate the user.) 
s +5 283 M +( Already successfully completed authentications SHOULD NOT be included) s +5 272 M +( in the list, unless they really should be performed again for some) s +5 261 M +( reason.) s +5 239 M +( "Partial success" MUST be TRUE if the authentication request to which) s +5 228 M +( this is a response was successful. It MUST be FALSE if the request) s +5 217 M +( was not successfully processed.) s +5 195 M +( When the server accepts authentication, it MUST respond with the) s +5 184 M +( following:) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 5]) s +_R +S +PStoPSsaved restore +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 421.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 6 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +( byte SSH_MSG_USERAUTH_SUCCESS) s +5 668 M +( Note that this is not sent after each step in a multi-method) s +5 657 M +( authentication sequence, but only when the authentication is) s +5 646 M +( complete.) s +5 624 M +( The client MAY send several authentication requests without waiting) s +5 613 M +( for responses from previous requests. The server MUST process each) s +5 602 M +( request completely and acknowledge any failed requests with a) s +5 591 M +( SSH_MSG_USERAUTH_FAILURE message before processing the next request.) s +5 569 M +( A request that results in further exchange of messages will be) s +5 558 M +( aborted by a second request. It is not possible to send a second) s +5 547 M +( request without waiting for a response from the server, if the first) s +5 536 M +( request will result in further exchange of messages. 
No) s +5 525 M +( SSH_MSG_USERAUTH_FAILURE message will be sent for the aborted method.) s +5 503 M +( SSH_MSG_USERAUTH_SUCCESS MUST be sent only once. When) s +5 492 M +( SSH_MSG_USERAUTH_SUCCESS has been sent, any further authentication) s +5 481 M +( requests received after that SHOULD be silently ignored.) s +5 459 M +( Any non-authentication messages sent by the client after the request) s +5 448 M +( that resulted in SSH_MSG_USERAUTH_SUCCESS being sent MUST be passed) s +5 437 M +( to the service being run on top of this protocol. Such messages can) s +5 426 M +( be identified by their message numbers \(see Section Message Numbers) s +5 415 M +( \(Section 3.2\)\).) s +5 393 M +(3.1.3 The "none" Authentication Request) s +5 371 M +( A client may request a list of authentication methods that may) s +5 360 M +( continue by using the "none" authentication method.) s +5 338 M +( If no authentication at all is needed for the user, the server MUST) s +5 327 M +( return SSH_MSG_USERAUTH_SUCCESS. Otherwise, the server MUST return) s +5 316 M +( SSH_MSG_USERAUTH_FAILURE and MAY return with it a list of) s +5 305 M +( authentication methods that can continue.) s +5 283 M +( This method MUST NOT be listed as supported by the server.) s +5 261 M +(3.1.4 Completion of User Authentication) s +5 239 M +( Authentication is complete when the server has responded with) s +5 228 M +( SSH_MSG_USERAUTH_SUCCESS; all authentication related messages) s +5 217 M +( received after sending this message SHOULD be silently ignored.) s +5 195 M +( After sending SSH_MSG_USERAUTH_SUCCESS, the server starts the) s +5 184 M +( requested service.) 
s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 6]) s +_R +S +PStoPSsaved restore +%%Page: (6,7) 4 +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 0.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +/showpage{}def/copypage{}def/erasepage{}def +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 7 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +(3.1.5 Banner Message) s +5 668 M +( In some jurisdictions, sending a warning message before) s +5 657 M +( authentication may be relevant for getting legal protection. Many) s +5 646 M +( UNIX machines, for example, normally display text from `/etc/issue',) s +5 635 M +( or use "tcp wrappers" or similar software to display a banner before) s +5 624 M +( issuing a login prompt.) s +5 602 M +( The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time) s +5 591 M +( before authentication is successful. This message contains text to) s +5 580 M +( be displayed to the client user before authentication is attempted.) s +5 569 M +( The format is as follows:) s +5 547 M +( byte SSH_MSG_USERAUTH_BANNER) s +5 536 M +( string message \(ISO-10646 UTF-8\)) s +5 525 M +( string language tag \(as defined in [RFC3066]\)) s +5 503 M +( The client SHOULD by default display the message on the screen.) s +5 492 M +( However, since the message is likely to be sent for every login) s +5 481 M +( attempt, and since some client software will need to open a separate) s +5 470 M +( window for this warning, the client software may allow the user to) s +5 459 M +( explicitly disable the display of banners from the server. The) s +5 448 M +( message may consist of multiple lines.) 
s +5 426 M +( If the message string is displayed, control character filtering) s +5 415 M +( discussed in [SSH-ARCH] SHOULD be used to avoid attacks by sending) s +5 404 M +( terminal control characters.) s +5 382 M +(3.2 Authentication Protocol Message Numbers) s +5 360 M +( All message numbers used by this authentication protocol are in the) s +5 349 M +( range from 50 to 79, which is part of the range reserved for) s +5 338 M +( protocols running on top of the SSH transport layer protocol.) s +5 316 M +( Message numbers of 80 and higher are reserved for protocols running) s +5 305 M +( after this authentication protocol, so receiving one of them before) s +5 294 M +( authentication is complete is an error, to which the server MUST) s +5 283 M +( respond by disconnecting \(preferably with a proper disconnect message) s +5 272 M +( sent first to ease troubleshooting\).) s +5 250 M +( After successful authentication, such messages are passed to the) s +5 239 M +( higher-level service.) s +5 217 M +( These are the general authentication message codes:) s +5 195 M +( #define SSH_MSG_USERAUTH_REQUEST 50) s +5 184 M +( #define SSH_MSG_USERAUTH_FAILURE 51) s +5 173 M +( #define SSH_MSG_USERAUTH_SUCCESS 52) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 7]) s +_R +S +PStoPSsaved restore +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 421.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 8 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +( #define SSH_MSG_USERAUTH_BANNER 53) s +5 668 M +( In addition to the above, there is a range of message numbers) s +5 657 M +( \(60..79\) reserved for 
method-specific messages. These messages are) s +5 646 M +( only sent by the server \(client sends only SSH_MSG_USERAUTH_REQUEST) s +5 635 M +( messages\). Different authentication methods reuse the same message) s +5 624 M +( numbers.) s +5 602 M +(3.3 Public Key Authentication Method: publickey) s +5 580 M +( The only REQUIRED authentication method is public key authentication.) s +5 569 M +( All implementations MUST support this method; however, not all users) s +5 558 M +( need to have public keys, and most local policies are not likely to) s +5 547 M +( require public key authentication for all users in the near future.) s +5 525 M +( With this method, the possession of a private key serves as) s +5 514 M +( authentication. This method works by sending a signature created) s +5 503 M +( with a private key of the user. The server MUST check that the key) s +5 492 M +( is a valid authenticator for the user, and MUST check that the) s +5 481 M +( signature is valid. If both hold, the authentication request MUST be) s +5 470 M +( accepted; otherwise it MUST be rejected. \(Note that the server MAY) s +5 459 M +( require additional authentications after successful authentication.\)) s +5 437 M +( Private keys are often stored in an encrypted form at the client) s +5 426 M +( host, and the user must supply a passphrase before the signature can) s +5 415 M +( be generated. Even if they are not, the signing operation involves) s +5 404 M +( some expensive computation. To avoid unnecessary processing and user) s +5 393 M +( interaction, the following message is provided for querying whether) s +5 382 M +( authentication using the key would be acceptable.) 
s +5 360 M +( byte SSH_MSG_USERAUTH_REQUEST) s +5 349 M +( string user name) s +5 338 M +( string service) s +5 327 M +( string "publickey") s +5 316 M +( boolean FALSE) s +5 305 M +( string public key algorithm name) s +5 294 M +( string public key blob) s +5 272 M +( Public key algorithms are defined in the transport layer) s +5 261 M +( specification [SSH-TRANS]. The public key blob may contain) s +5 250 M +( certificates.) s +5 228 M +( Any public key algorithm may be offered for use in authentication.) s +5 217 M +( In particular, the list is not constrained by what was negotiated) s +5 206 M +( during key exchange. If the server does not support some algorithm,) s +5 195 M +( it MUST simply reject the request.) s +5 173 M +( The server MUST respond to this message with either) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 8]) s +_R +S +PStoPSsaved restore +%%Page: (8,9) 5 +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 0.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +/showpage{}def/copypage{}def/erasepage{}def +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 9 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +( SSH_MSG_USERAUTH_FAILURE or with the following:) s +5 668 M +( byte SSH_MSG_USERAUTH_PK_OK) s +5 657 M +( string public key algorithm name from the request) s +5 646 M +( string public key blob from the request) s +5 624 M +( To perform actual authentication, the client MAY then send a) s +5 613 M +( signature generated using the private key. The client MAY send the) s +5 602 M +( signature directly without first verifying whether the key is) s +5 591 M +( acceptable. 
The signature is sent using the following packet:) s +5 569 M +( byte SSH_MSG_USERAUTH_REQUEST) s +5 558 M +( string user name) s +5 547 M +( string service) s +5 536 M +( string "publickey") s +5 525 M +( boolean TRUE) s +5 514 M +( string public key algorithm name) s +5 503 M +( string public key to be used for authentication) s +5 492 M +( string signature) s +5 470 M +( Signature is a signature by the corresponding private key over the) s +5 459 M +( following data, in the following order:) s +5 437 M +( string session identifier) s +5 426 M +( byte SSH_MSG_USERAUTH_REQUEST) s +5 415 M +( string user name) s +5 404 M +( string service) s +5 393 M +( string "publickey") s +5 382 M +( boolean TRUE) s +5 371 M +( string public key algorithm name) s +5 360 M +( string public key to be used for authentication) s +5 338 M +( When the server receives this message, it MUST check whether the) s +5 327 M +( supplied key is acceptable for authentication, and if so, it MUST) s +5 316 M +( check whether the signature is correct.) s +5 294 M +( If both checks succeed, this method is successful. Note that the) s +5 283 M +( server may require additional authentications. The server MUST) s +5 272 M +( respond with SSH_MSG_USERAUTH_SUCCESS \(if no more authentications are) s +5 261 M +( needed\), or SSH_MSG_USERAUTH_FAILURE \(if the request failed, or more) s +5 250 M +( authentications are needed\).) s +5 228 M +( The following method-specific message numbers are used by the) s +5 217 M +( publickey authentication method.) 
s +5 195 M +( /* Key-based */) s +5 184 M +( #define SSH_MSG_USERAUTH_PK_OK 60) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 9]) s +_R +S +PStoPSsaved restore +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 421.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 10 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +(3.4 Password Authentication Method: password) s +5 668 M +( Password authentication uses the following packets. Note that a) s +5 657 M +( server MAY request the user to change the password. All) s +5 646 M +( implementations SHOULD support password authentication.) s +5 624 M +( byte SSH_MSG_USERAUTH_REQUEST) s +5 613 M +( string user name) s +5 602 M +( string service) s +5 591 M +( string "password") s +5 580 M +( boolean FALSE) s +5 569 M +( string plaintext password \(ISO-10646 UTF-8\)) s +5 547 M +( Note that the password is encoded in ISO-10646 UTF-8. It is up to) s +5 536 M +( the server how it interprets the password and validates it against) s +5 525 M +( the password database. However, if the client reads the password in) s +5 514 M +( some other encoding \(e.g., ISO 8859-1 \(ISO Latin1\)\), it MUST convert) s +5 503 M +( the password to ISO-10646 UTF-8 before transmitting, and the server) s +5 492 M +( MUST convert the password to the encoding used on that system for) s +5 481 M +( passwords.) s +5 459 M +( Note that even though the cleartext password is transmitted in the) s +5 448 M +( packet, the entire packet is encrypted by the transport layer. 
Both) s +5 437 M +( the server and the client should check whether the underlying) s +5 426 M +( transport layer provides confidentiality \(i.e., if encryption is) s +5 415 M +( being used\). If no confidentiality is provided \(none cipher\),) s +5 404 M +( password authentication SHOULD be disabled. If there is no) s +5 393 M +( confidentiality or no MAC, password change SHOULD be disabled.) s +5 371 M +( Normally, the server responds to this message with success or) s +5 360 M +( failure. However, if the password has expired the server SHOULD) s +5 349 M +( indicate this by responding with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.) s +5 338 M +( In anycase the server MUST NOT allow an expired password to be used) s +5 327 M +( for authentication.) s +5 305 M +( byte SSH_MSG_USERAUTH_PASSWD_CHANGEREQ) s +5 294 M +( string prompt \(ISO-10646 UTF-8\)) s +5 283 M +( string language tag \(as defined in [RFC3066]\)) s +5 261 M +( In this case, the client MAY continue with a different authentication) s +5 250 M +( method, or request a new password from the user and retry password) s +5 239 M +( authentication using the following message. The client MAY also send) s +5 228 M +( this message instead of the normal password authentication request) s +5 217 M +( without the server asking for it.) 
s +5 195 M +( byte SSH_MSG_USERAUTH_REQUEST) s +5 184 M +( string user name) s +5 173 M +( string service) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 10]) s +_R +S +PStoPSsaved restore +%%Page: (10,11) 6 +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 0.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +/showpage{}def/copypage{}def/erasepage{}def +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 11 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +( string "password") s +5 679 M +( boolean TRUE) s +5 668 M +( string plaintext old password \(ISO-10646 UTF-8\)) s +5 657 M +( string plaintext new password \(ISO-10646 UTF-8\)) s +5 635 M +( The server must reply to request message with) s +5 624 M +( SSH_MSG_USERAUTH_SUCCESS, SSH_MSG_USERAUTH_FAILURE, or another) s +5 613 M +( SSH_MSG_USERAUTH_PASSWD_CHANGEREQ. The meaning of these is as) s +5 602 M +( follows:) s +5 580 M +( SSH_MSG_USERAUTH_SUCCESS The password has been changed, and) s +5 569 M +( authentication has been successfully completed.) s +5 547 M +( SSH_MSG_USERAUTH_FAILURE with partial success The password has) s +5 536 M +( been changed, but more authentications are needed.) s +5 514 M +( SSH_MSG_USERAUTH_FAILURE without partial success The password has) s +5 503 M +( not been changed. Either password changing was not supported, or) s +5 492 M +( the old password was bad. Note that if the server has already) s +5 481 M +( sent SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, we know that it supports) s +5 470 M +( changing the password.) s +5 448 M +( SSH_MSG_USERAUTH_CHANGEREQ The password was not changed because) s +5 437 M +( the new password was not acceptable \(e.g. 
too easy to guess\).) s +5 415 M +( The following method-specific message numbers are used by the) s +5 404 M +( password authentication method.) s +5 382 M +( #define SSH_MSG_USERAUTH_PASSWD_CHANGEREQ 60) s +5 349 M +(3.5 Host-Based Authentication: hostbased) s +5 327 M +( Some sites wish to allow authentication based on the host where the) s +5 316 M +( user is coming from, and the user name on the remote host. While) s +5 305 M +( this form of authentication is not suitable for high-security sites,) s +5 294 M +( it can be very convenient in many environments. This form of) s +5 283 M +( authentication is OPTIONAL. When used, special care SHOULD be taken) s +5 272 M +( to prevent a regular user from obtaining the private host key.) s +5 250 M +( The client requests this form of authentication by sending the) s +5 239 M +( following message. It is similar to the UNIX "rhosts" and) s +5 228 M +( "hosts.equiv" styles of authentication, except that the identity of) s +5 217 M +( the client host is checked more rigorously.) s +5 195 M +( This method works by having the client send a signature created with) s +5 184 M +( the private key of the client host, which the server checks with that) s +5 173 M +( host's public key. 
Once the client host's identity is established,) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 11]) s +_R +S +PStoPSsaved restore +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 421.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 12 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +( authorization \(but no further authentication\) is performed based on) s +5 679 M +( the user names on the server and the client, and the client host) s +5 668 M +( name.) s +5 646 M +( byte SSH_MSG_USERAUTH_REQUEST) s +5 635 M +( string user name) s +5 624 M +( string service) s +5 613 M +( string "hostbased") s +5 602 M +( string public key algorithm for host key) s +5 591 M +( string public host key and certificates for client host) s +5 580 M +( string client host name \(FQDN; US-ASCII\)) s +5 569 M +( string user name on the client host \(ISO-10646 UTF-8\)) s +5 558 M +( string signature) s +5 536 M +( Public key algorithm names for use in "public key algorithm for host) s +5 525 M +( key" are defined in the transport layer specification. The "public) s +5 514 M +( host key for client host" may include certificates.) 
s +5 492 M +( Signature is a signature with the private host key of the following) s +5 481 M +( data, in this order:) s +5 459 M +( string session identifier) s +5 448 M +( byte SSH_MSG_USERAUTH_REQUEST) s +5 437 M +( string user name) s +5 426 M +( string service) s +5 415 M +( string "hostbased") s +5 404 M +( string public key algorithm for host key) s +5 393 M +( string public host key and certificates for client host) s +5 382 M +( string client host name \(FQDN; US-ASCII\)) s +5 371 M +( string user name on the client host\(ISO-10646 UTF-8\)) s +5 349 M +( The server MUST verify that the host key actually belongs to the) s +5 338 M +( client host named in the message, that the given user on that host is) s +5 327 M +( allowed to log in, and that the signature is a valid signature on the) s +5 316 M +( appropriate value by the given host key. The server MAY ignore the) s +5 305 M +( client user name, if it wants to authenticate only the client host.) s +5 283 M +( It is RECOMMENDED that whenever possible, the server perform) s +5 272 M +( additional checks to verify that the network address obtained from) s +5 261 M +( the \(untrusted\) network matches the given client host name. This) s +5 250 M +( makes exploiting compromised host keys more difficult. Note that) s +5 239 M +( this may require special handling for connections coming through a) s +5 228 M +( firewall.) s +5 206 M +(4. Security Considerations) s +5 184 M +( The purpose of this protocol is to perform client user) s +5 173 M +( authentication. 
It assumed that this runs over a secure transport) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 12]) s +_R +S +PStoPSsaved restore +%%Page: (12,13) 7 +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 0.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +/showpage{}def/copypage{}def/erasepage{}def +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 13 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +( layer protocol, which has already authenticated the server machine,) s +5 679 M +( established an encrypted communications channel, and computed a) s +5 668 M +( unique session identifier for this session. The transport layer) s +5 657 M +( provides forward secrecy for password authentication and other) s +5 646 M +( methods that rely on secret data.) s +5 624 M +( Full security considerations for this protocol are provided in) s +5 613 M +( Section 8 of [SSH-ARCH]) s +5 591 M +(Normative) s +5 569 M +( [SSH-ARCH]) s +5 558 M +( Ylonen, T., "SSH Protocol Architecture", I-D) s +5 547 M +( draft-ietf-architecture-15.txt, Oct 2003.) s +5 525 M +( [SSH-TRANS]) s +5 514 M +( Ylonen, T., "SSH Transport Layer Protocol", I-D) s +5 503 M +( draft-ietf-transport-17.txt, Oct 2003.) s +5 481 M +( [SSH-USERAUTH]) s +5 470 M +( Ylonen, T., "SSH Authentication Protocol", I-D) s +5 459 M +( draft-ietf-userauth-18.txt, Oct 2003.) s +5 437 M +( [SSH-CONNECT]) s +5 426 M +( Ylonen, T., "SSH Connection Protocol", I-D) s +5 415 M +( draft-ietf-connect-18.txt, Oct 2003.) s +5 393 M +( [SSH-NUMBERS]) s +5 382 M +( Lehtinen, S. and D. Moffat, "SSH Protocol Assigned) s +5 371 M +( Numbers", I-D draft-ietf-secsh-assignednumbers-05.txt, Oct) s +5 360 M +( 2003.) 
s +5 338 M +( [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate) s +5 327 M +( Requirement Levels", BCP 14, RFC 2119, March 1997.) s +5 305 M +(Informative) s +5 283 M +( [RFC3066] Alvestrand, H., "Tags for the Identification of) s +5 272 M +( Languages", BCP 47, RFC 3066, January 2001.) s +5 250 M +( [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO) s +5 239 M +( 10646", RFC 2279, January 1998.) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 13]) s +_R +S +PStoPSsaved restore +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 421.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 14 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +(Authors' Addresses) s +5 668 M +( Tatu Ylonen) s +5 657 M +( SSH Communications Security Corp) s +5 646 M +( Fredrikinkatu 42) s +5 635 M +( HELSINKI FIN-00100) s +5 624 M +( Finland) s +5 602 M +( EMail: [email protected]) s +5 569 M +( Darren J. 
Moffat \(editor\)) s +5 558 M +( Sun Microsystems, Inc) s +5 547 M +( 17 Network Circle) s +5 536 M +( Menlo Park 95025) s +5 525 M +( USA) s +5 503 M +( EMail: [email protected]) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 14]) s +_R +S +PStoPSsaved restore +%%Page: (14,15) 8 +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 0.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +/showpage{}def/copypage{}def/erasepage{}def +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 15 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +(Intellectual Property Statement) s +5 668 M +( The IETF takes no position regarding the validity or scope of any) s +5 657 M +( intellectual property or other rights that might be claimed to) s +5 646 M +( pertain to the implementation or use of the technology described in) s +5 635 M +( this document or the extent to which any license under such rights) s +5 624 M +( might or might not be available; neither does it represent that it) s +5 613 M +( has made any effort to identify any such rights. Information on the) s +5 602 M +( IETF's procedures with respect to rights in standards-track and) s +5 591 M +( standards-related documentation can be found in BCP-11. Copies of) s +5 580 M +( claims of rights made available for publication and any assurances of) s +5 569 M +( licenses to be made available, or the result of an attempt made to) s +5 558 M +( obtain a general license or permission for the use of such) s +5 547 M +( proprietary rights by implementors or users of this specification can) s +5 536 M +( be obtained from the IETF Secretariat.) 
s +5 514 M +( The IETF invites any interested party to bring to its attention any) s +5 503 M +( copyrights, patents or patent applications, or other proprietary) s +5 492 M +( rights which may cover technology that may be required to practice) s +5 481 M +( this standard. Please address the information to the IETF Executive) s +5 470 M +( Director.) s +5 448 M +( The IETF has been notified of intellectual property rights claimed in) s +5 437 M +( regard to some or all of the specification contained in this) s +5 426 M +( document. For more information consult the online list of claimed) s +5 415 M +( rights.) s +5 382 M +(Full Copyright Statement) s +5 360 M +( Copyright \(C\) The Internet Society \(2002\). All Rights Reserved.) s +5 338 M +( This document and translations of it may be copied and furnished to) s +5 327 M +( others, and derivative works that comment on or otherwise explain it) s +5 316 M +( or assist in its implementation may be prepared, copied, published) s +5 305 M +( and distributed, in whole or in part, without restriction of any) s +5 294 M +( kind, provided that the above copyright notice and this paragraph are) s +5 283 M +( included on all such copies and derivative works. However, this) s +5 272 M +( document itself may not be modified in any way, such as by removing) s +5 261 M +( the copyright notice or references to the Internet Society or other) s +5 250 M +( Internet organizations, except as needed for the purpose of) s +5 239 M +( developing Internet standards in which case the procedures for) s +5 228 M +( copyrights defined in the Internet Standards process must be) s +5 217 M +( followed, or as required to translate it into languages other than) s +5 206 M +( English.) s +5 184 M +( The limited permissions granted above are perpetual and will not be) s +5 173 M +( revoked by the Internet Society or its successors or assignees.) 
s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 15]) s +_R +S +PStoPSsaved restore +userdict/PStoPSsaved save put +PStoPSmatrix setmatrix +595.000000 421.271378 translate +90 rotate +0.706651 dup scale +userdict/PStoPSmatrix matrix currentmatrix put +userdict/PStoPSclip{0 0 moveto + 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto + closepath}put initclip +PStoPSxform concat +%%BeginPageSetup +_S +75 0 translate +/pagenum 16 def +/fname () def +/fdir () def +/ftail () def +/user_header_p false def +%%EndPageSetup +5 723 M +(Internet-Draft SSH Authentication Protocol September 2002) s +5 690 M +( This document and the information contained herein is provided on an) s +5 679 M +( "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING) s +5 668 M +( TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING) s +5 657 M +( BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION) s +5 646 M +( HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF) s +5 635 M +( MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.) s +5 602 M +(Acknowledgment) s +5 580 M +( Funding for the RFC Editor function is currently provided by the) s +5 569 M +( Internet Society.) s +5 129 M +(Ylonen & Moffat Expires March 2, 2003 [Page 16]) s +_R +S +PStoPSsaved restore +%%Trailer +%%Pages: 16 +%%DocumentNeededResources: font Courier-Bold Courier +%%EOF |