%!PS-Adobe-3.0
%%BoundingBox: 75 0 595 747
%%Title: Enscript Output
%%For: Magnus Thoang
%%Creator: GNU enscript 1.6.1
%%CreationDate: Fri Oct 31 13:35:32 2003
%%Orientation: Portrait
%%Pages: 8 0
%%DocumentMedia: A4 595 842 0 () ()
%%DocumentNeededResources: (atend)
%%EndComments
%%BeginProlog
%%BeginProcSet: PStoPS 1 15
userdict begin
% PStoPS wrapper procset.  Everything below is defined in userdict.
% Turn the page-ending operators into redefinable procedures, so that the
% per-page code later in the file can replace them (it sets them to {}).
[/showpage/erasepage/copypage]{dup where{pop dup load
 type/operatortype eq{1 array cvx dup 0 3 index cvx put
 bind def}{pop}ifelse}{pop}ifelse}forall
% Neutralise the media-selection operators: each known one becomes an
% empty procedure so the document cannot change the sheet size.
[/letter/legal/executivepage/a4/a4small/b5/com10envelope
 /monarchenvelope/c5envelope/dlenvelope/lettersmall/note
 /folio/quarto/a5]{dup where{dup wcheck{exch{}put}
 {pop{}def}ifelse}{pop}ifelse}forall
% setpagedevice just discards its dictionary for the same reason.
/setpagedevice {pop}bind 1 index where{dup wcheck{3 1 roll put}
 {pop def}ifelse}{def}ifelse
% Base matrix, the per-page placement transform, and the page clip path;
% defaultmatrix/initmatrix are rebuilt on top of them so that the page
% cannot escape the PStoPS placement.
/PStoPSmatrix matrix currentmatrix def
/PStoPSxform matrix def/PStoPSclip{clippath}def
/defaultmatrix{PStoPSmatrix exch PStoPSxform exch concatmatrix}bind def
/initmatrix{matrix defaultmatrix setmatrix}bind def
% initclip is rebuilt so that "resetting" the clip re-applies PStoPSclip.
% The code captures the current point (if any) and path, wraps the
% original initclip, and restores them afterwards; order here matters.
/initclip[{matrix currentmatrix PStoPSmatrix setmatrix
 [{currentpoint}stopped{$error/newerror false put{newpath}}
 {/newpath cvx 3 1 roll/moveto cvx 4 array astore cvx}ifelse]
 {[/newpath cvx{/moveto cvx}{/lineto cvx}
 {/curveto cvx}{/closepath cvx}pathforall]cvx exch pop}
 stopped{$error/errorname get/invalidaccess eq{cleartomark
 $error/newerror false put cvx exec}{stop}ifelse}if}bind aload pop
 /initclip dup load dup type dup/operatortype eq{pop exch pop}
 {dup/arraytype eq exch/packedarraytype eq or
  {dup xcheck{exch pop aload pop}{pop cvx}ifelse}
  {pop cvx}ifelse}ifelse
 {newpath PStoPSclip clip newpath exec setmatrix} bind aload pop]cvx def
% initgraphics goes through the wrapped initmatrix/initclip above.
/initgraphics{initmatrix newpath initclip 1 setlinewidth
 0 setlinecap 0 setlinejoin []0 setdash 0 setgray
 10 setmiterlimit}bind def
end
%%EndProcSet
%%BeginResource: procset Enscript-Prolog 1.6 1
%
% Procedures.
%

/_S { % - -> -   snapshot VM into _s (paired with _R)
  /_s save def
} def
/_R { % - -> -   roll VM back to the snapshot taken by _S
  _s restore
} def

/S { % - -> -   emit the page without disturbing the graphics state
  gsave showpage grestore
} bind def

/MF { % fontname newfontname -> -   make a new encoded font
  % Copies every entry of fontname's font dict except FID into a fresh
  % dict, renames it, installs encoding_vector when that vector has
  % exactly 256 entries, and registers the copy under newfontname.
  /newfontname exch def
  /fontname exch def
  /fontdict fontname findfont def
  /newfont fontdict maxlength dict def
  fontdict {
    % stack: key value -- keep every pair except FID
    1 index /FID ne {
      newfont 3 1 roll put
    } {
      pop pop
    } ifelse
  } forall
  newfont /FontName newfontname put
  % Only a full 256-entry vector is a valid Encoding.
  encoding_vector length 256 eq {
    newfont /Encoding encoding_vector put
  } if
  newfontname newfont definefont pop
} def

/SF { % fontname width height -> -   set a new font
  % Records the requested cell size in width/height, then selects fontname
  % scaled (possibly non-uniformly) to width x height points.
  /height exch def
  /width exch def
  [width 0 0 height 0 0] exch findfont exch makefont setfont
} def

/SUF { % fontname width height -> -   set a new user font
  % Re-encodes fontname under the fixed name F-gs-user-font (via MF) and
  % then selects that font at width x height points (via SF).
  /height exch def
  /width exch def
  /F-gs-user-font dup 3 1 roll MF
  width height SF
} def

% One-letter aliases used by every page body below:
%   M: x y -> -    set the current point
%   s: str -> -    draw str at the current point
/M {moveto} bind def
/s {show} bind def

/Box { % x y w h -> -   define box path
  % Stores the corner and size in d_x/d_y/d_w/d_h (left defined after the
  % call, as in the original) and appends the rectangle to the current
  % path, starting at (d_x, d_y) and closing back to it.
  /d_h exch def
  /d_w exch def
  /d_y exch def
  /d_x exch def
  d_x d_y moveto
  d_w 0 rlineto  0 d_h rlineto  d_w neg 0 rlineto
  closepath
} def

/bgs { % x y height blskip gray str -> -   show string with bg color
  /str exch def  /gray exch def  /blskip exch def
  /height exch def  /y exch def  /x exch def
  % Fill a box as wide as the string, blskip below the baseline and
  % height tall, in the requested gray; then draw the string on top.
  gsave
    x  y blskip sub  str stringwidth pop  height  Box
    gray setgray fill
  grestore
  x y M
  str s
} def

% Highlight bars.
% Fill alternating bands of nlines text lines in every column with the
% given gray.  Relies on the layout globals d_header_y, d_output_w,
% d_output_h and cols set in the document setup.
/highlight_bars {	% nlines lineheight output_y_margin gray -> -
  gsave
    setgray
    /ymarg exch def
    /lineheight exch def
    /nlines exch def

    % This 2 is just a magic number to sync highlight lines to text.
    0 d_header_y ymarg sub 2 sub translate

    % column width and number of text rows that fit in the output area
    /cw d_output_w cols div def
    /nrows d_output_h ymarg 2 mul sub lineheight div cvi def

    % for each column
    0 1 cols 1 sub {
      cw mul /xp exch def

      % for each row
      0 1 nrows 1 sub {
        /rn exch def
        rn lineheight mul neg /yp exch def
        % every other group of nlines rows gets a bar
        rn nlines idiv 2 mod 0 eq {
	  % Draw highlight bar.  4 is just a magic indentation.
	  xp 4 add yp cw 8 sub lineheight neg Box fill
	} if
      } for
    } for

  grestore
} def

% Line highlight bar.
/line_highlight { % x y width height gray -> -
  % Fill the given rectangle with the given gray; the graphics state is
  % left untouched.
  gsave
    /gray exch def
    Box
    gray setgray
    fill
  grestore
} def

% Column separator lines.
/column_lines {
  % Stroke a thin vertical rule between adjacent columns, running from
  % the top of the footer area up through the output area.  Needs the
  % globals d_footer_h, d_output_w, d_output_h and cols.
  gsave
    .1 setlinewidth
    0 d_footer_h translate
    /cw d_output_w cols div def
    1 1 cols 1 sub {
      cw mul 0 moveto  0 d_output_h rlineto  stroke
    } for
  grestore
} def

% Column borders.
/column_borders {
  % Stroke a thin rectangle around the whole output area, starting at
  % the top of the footer area.  Needs d_footer_h, d_output_w, d_output_h.
  gsave
    .1 setlinewidth
    0 d_footer_h moveto
    0 d_output_h rlineto  d_output_w 0 rlineto  0 d_output_h neg rlineto
    closepath stroke
  grestore
} def

% Do the actual underlay drawing
/draw_underlay {
  % ul_style 0 draws ul_str as an outline; any other style fills it.
  ul_str
  ul_style 0 eq { true charpath stroke } { show } ifelse
} def

% Underlay
/underlay { % - -> -
  % Draw ul_str along the page diagonal from the top-left corner towards
  % the bottom-right, centred on that diagonal.  Uses ul_gray, ul_font,
  % ul_str, ul_h_ptsize and the page size d_page_w x d_page_h.
  gsave
    0 d_page_h translate
    d_page_h neg d_page_w atan rotate
    ul_gray setgray
    ul_font setfont
    % dw = length of the diagonal
    /dw d_page_h dup mul d_page_w dup mul add sqrt def
    ul_str stringwidth pop  dw exch sub 2 div   % x: centre the string
    ul_h_ptsize -2 div                          % y: half a line below
    moveto
    draw_underlay
  grestore
} def

/user_underlay { % - -> -
  % Draw ul_str at the user-chosen position ul_x, ul_y and angle ul_angle.
  gsave
    ul_x ul_y translate
    ul_angle rotate
    ul_gray setgray
    ul_font setfont
    0  0 ul_h_ptsize 2 div sub  moveto
    draw_underlay
  grestore
} def

% Page prefeed
/page_prefeed { % bool -> -
  % Forward the flag to statusdict's prefeed entry when the device has
  % one; otherwise just discard it.
  statusdict /prefeed known
    { statusdict exch /prefeed exch put }
    { pop }
  ifelse
} def

% Wrapped line markers
/wrapped_line_mark { % x y charwith charheight type -> -
  % Note: defining /type here shadows the "type" operator in the current
  % dictionary, exactly as the original did.
  /type exch def  /h exch def  /w exch def  /y exch def  /x exch def
  % type 2: filled box (like TeX); type 3: small arrow; anything else: nothing.
  type 2 eq {
    gsave
      0 setlinewidth
      x w 4 div add  y  M
      0 h rlineto  w 2 div 0 rlineto  0 h neg rlineto
      closepath fill
    grestore
  } if
  type 3 eq {
    gsave
      .2 setlinewidth
      x w 2 div add  y h 2 div add  M
      w 4 div 0 rlineto
      x w 4 div add y lineto stroke
      x w 4 div add w 8 div add  y h 4 div add  M
      x w 4 div add y lineto
      w 4 div h 8 div rlineto stroke
    grestore
  } if
} def

% EPSF import.

/BeginEPSF {
  % Enter an EPS include: snapshot VM and the stack depths for EndEPSF,
  % push userdict, make showpage a no-op, and reset the graphics state
  % to the defaults an EPS file expects.
  /b4_Inc_state save def
  /dict_count countdictstack def
  /op_count count 1 sub def          % operands present before the call
  userdict begin
  /showpage { } def
  0 setgray  0 setlinecap  1 setlinewidth  0 setlinejoin
  10 setmiterlimit  [ ] 0 setdash  newpath
  % Level 2 and up only: stroke adjustment and overprint off.
  /languagelevel where {
    pop languagelevel 1 ne { false setstrokeadjust false setoverprint } if
  } if
} bind def

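/EndEPSF {
  % Leave an EPS include started by BeginEPSF: discard anything the EPS
  % left on the operand stack, pop the dictionaries it pushed, and restore
  % VM to the snapshot taken in BeginEPSF.
  % "pop" is the operator that drops the surplus operands; the original
  % prolog spelled it "pos", which is not a PostScript operator and would
  % raise /undefined on the first EPS that leaves operands behind.
  count op_count sub { pop } repeat	% Clean up stacks
  countdictstack dict_count sub { end } repeat
  b4_Inc_state restore
} bind def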

% Check PostScript language level.
% Record the interpreter's language level; Level 1 interpreters have no
% languagelevel operator, so they are treated as level 1.
/gs_languagelevel
  /languagelevel where { pop languagelevel } { 1 } ifelse
def
%%EndResource
%%BeginResource: procset Enscript-Encoding-88591 1.6 1
% ISO 8859-1 encoding vector, eight glyph names per line (256 entries;
% MF only installs it when the length is exactly 256).
/encoding_vector [
% 0x00-0x1F: control characters
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
% 0x20-0x7F: ASCII
/space /exclam /quotedbl /numbersign /dollar /percent /ampersand /quoteright
/parenleft /parenright /asterisk /plus /comma /hyphen /period /slash
/zero /one /two /three /four /five /six /seven
/eight /nine /colon /semicolon /less /equal /greater /question
/at /A /B /C /D /E /F /G
/H /I /J /K /L /M /N /O
/P /Q /R /S /T /U /V /W
/X /Y /Z /bracketleft /backslash /bracketright /asciicircum /underscore
/quoteleft /a /b /c /d /e /f /g
/h /i /j /k /l /m /n /o
/p /q /r /s /t /u /v /w
/x /y /z /braceleft /bar /braceright /tilde /.notdef
% 0x80-0x9F: C1 control characters
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
% 0xA0-0xFF: Latin-1 supplement
/space /exclamdown /cent /sterling /currency /yen /brokenbar /section
/dieresis /copyright /ordfeminine /guillemotleft /logicalnot /hyphen /registered /macron
/degree /plusminus /twosuperior /threesuperior /acute /mu /paragraph /bullet
/cedilla /onesuperior /ordmasculine /guillemotright /onequarter /onehalf /threequarters /questiondown
/Agrave /Aacute /Acircumflex /Atilde /Adieresis /Aring /AE /Ccedilla
/Egrave /Eacute /Ecircumflex /Edieresis /Igrave /Iacute /Icircumflex /Idieresis
/Eth /Ntilde /Ograve /Oacute /Ocircumflex /Otilde /Odieresis /multiply
/Oslash /Ugrave /Uacute /Ucircumflex /Udieresis /Yacute /Thorn /germandbls
/agrave /aacute /acircumflex /atilde /adieresis /aring /ae /ccedilla
/egrave /eacute /ecircumflex /edieresis /igrave /iacute /icircumflex /idieresis
/eth /ntilde /ograve /oacute /ocircumflex /otilde /odieresis /divide
/oslash /ugrave /uacute /ucircumflex /udieresis /yacute /thorn /ydieresis
] def
%%EndResource
%%EndProlog
%%BeginSetup
%%IncludeResource: font Courier-Bold
%%IncludeResource: font Courier
% Header font cell size in points (presumably the header line's font).
/HFpt_w 10 def
/HFpt_h 10 def
% Re-encode Courier-Bold as HF-gs-font (see MF) and build the header font
% HF from it at HFpt_w x HFpt_h points.
/Courier-Bold /HF-gs-font MF
/HF /HF-gs-font findfont [HFpt_w 0 0 HFpt_h 0 0] makefont def
% Body font: re-encoded Courier, selected at 10 x 10 points via SF.
/Courier /F-gs-font MF
/F-gs-font 10 10 SF
/#copies 1 def
% Page geometry used by the prolog procedures, in points.  Header and
% footer areas are zero height, so the output area is the whole page.
/d_page_w 520 def
/d_page_h 747 def
/d_header_x 0 def
/d_header_y 747 def
/d_header_w 520 def
/d_header_h 0 def
/d_footer_x 0 def
/d_footer_y 0 def
/d_footer_w 520 def
/d_footer_h 0 def
/d_output_w 520 def
/d_output_h 747 def
/cols 1 def
% PStoPSxform relates the prolog's saved matrix to the CTM in effect now;
% each page applies it with "PStoPSxform concat".
userdict/PStoPSxform PStoPSmatrix matrix currentmatrix
 matrix invertmatrix matrix concatmatrix
 matrix invertmatrix put
%%EndSetup
%%Page: (0,1) 1
% Logical page 1 (first slot of the 2-up sheet): snapshot VM, then set the
% PStoPS placement for this slot (translate, rotate, scale) and record it
% as the new base matrix together with a clip path for the page area.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
% Disable the page-ending operators for this slot, so the S at the end of
% this block does not emit the sheet; the restore at the end discards the
% redefinition again before the second slot is drawn.
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
% Enscript page setup: save state, shift by the BoundingBox origin, and
% reset the per-page header variables.
_S
75 0 translate
/pagenum 1 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
% Body text: each line is positioned with M (moveto) and drawn with s (show).
5 701 M
(Network Working Group                                          T. Ylonen) s
5 690 M
(Internet-Draft                          SSH Communications Security Corp) s
5 679 M
(Expires: March 2, 2003                                    D. Moffat, Ed.) s
5 668 M
(                                                   Sun Microsystems, Inc) s
5 657 M
(                                                          September 2002) s
5 624 M
(                      SSH Authentication Protocol) s
5 613 M
(                    draft-ietf-secsh-userauth-18.txt) s
5 591 M
(Status of this Memo) s
5 569 M
(   This document is an Internet-Draft and is in full conformance with) s
5 558 M
(   all provisions of Section 10 of RFC2026.) s
5 536 M
(   Internet-Drafts are working documents of the Internet Engineering) s
5 525 M
(   Task Force \(IETF\), its areas, and its working groups. Note that other) s
5 514 M
(   groups may also distribute working documents as Internet-Drafts.) s
5 492 M
(   Internet-Drafts are draft documents valid for a maximum of six months) s
5 481 M
(   and may be updated, replaced, or obsoleted by other documents at any) s
5 470 M
(   time. It is inappropriate to use Internet-Drafts as reference) s
5 459 M
(   material or to cite them other than as "work in progress.") s
5 437 M
(   The list of current Internet-Drafts can be accessed at http://) s
5 426 M
(   www.ietf.org/ietf/1id-abstracts.txt.) s
5 404 M
(   The list of Internet-Draft Shadow Directories can be accessed at) s
5 393 M
(   http://www.ietf.org/shadow.html.) s
5 371 M
(   This Internet-Draft will expire on March 2, 2003.) s
5 349 M
(Copyright Notice) s
5 327 M
(   Copyright \(C\) The Internet Society \(2002\). All Rights Reserved.) s
5 305 M
(Abstract) s
5 283 M
(   SSH is a protocol for secure remote login and other secure network) s
5 272 M
(   services over an insecure network. This document describes the SSH) s
5 261 M
(   authentication protocol framework and public key, password, and) s
5 250 M
(   host-based client authentication methods. Additional authentication) s
5 239 M
(   methods are described in separate documents. The SSH authentication) s
5 228 M
(   protocol runs on top of the SSH transport layer protocol and provides) s
5 217 M
(   a single authenticated tunnel for the SSH connection protocol.) s
% Footer line.
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 1]) s
% Restore the Enscript state, call S (a no-op here, see above), then roll
% VM back to the PStoPS snapshot.
_R
S
PStoPSsaved restore
% Logical page 2 (second slot of the sheet).  Same placement sequence as
% the first slot, offset along the sheet; showpage is NOT disabled here,
% so the S at the end emits the whole sheet.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 2 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
% Body text: running header, then the table of contents.
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(Table of Contents) s
5 668 M
(   1.    Contributors . . . . . . . . . . . . . . . . . . . . . . . .  3) s
5 657 M
(   2.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3) s
5 646 M
(   3.    Conventions Used in This Document  . . . . . . . . . . . . .  3) s
5 635 M
(   3.1   The Authentication Protocol Framework  . . . . . . . . . . .  3) s
5 624 M
(   3.1.1 Authentication Requests  . . . . . . . . . . . . . . . . . .  4) s
5 613 M
(   3.1.2 Responses to Authentication Requests . . . . . . . . . . . .  5) s
5 602 M
(   3.1.3 The "none" Authentication Request  . . . . . . . . . . . . .  6) s
5 591 M
(   3.1.4 Completion of User Authentication  . . . . . . . . . . . . .  6) s
5 580 M
(   3.1.5 Banner Message . . . . . . . . . . . . . . . . . . . . . . .  7) s
5 569 M
(   3.2   Authentication Protocol Message Numbers  . . . . . . . . . .  7) s
5 558 M
(   3.3   Public Key Authentication Method: publickey  . . . . . . . .  8) s
5 547 M
(   3.4   Password Authentication Method: password . . . . . . . . . . 10) s
5 536 M
(   3.5   Host-Based Authentication: hostbased . . . . . . . . . . . . 11) s
5 525 M
(   4.    Security Considerations  . . . . . . . . . . . . . . . . . . 12) s
5 514 M
(         Normative  . . . . . . . . . . . . . . . . . . . . . . . . . 13) s
5 503 M
(         Informative  . . . . . . . . . . . . . . . . . . . . . . . . 13) s
5 492 M
(         Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 14) s
5 481 M
(         Intellectual Property and Copyright Statements . . . . . . . 15) s
% Footer line, then restore, emit the sheet, and roll VM back.
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 2]) s
_R
S
PStoPSsaved restore
%%Page: (2,3) 2
% Logical page 3 (first slot of the second sheet).  Placement as for the
% first slot above; showpage is disabled for this slot and re-enabled by
% the restore at the end.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 3 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
% Body text: running header, sections 1 to 3.1.
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(1. Contributors) s
5 668 M
(   The major original contributors of this document were: Tatu Ylonen,) s
5 657 M
(   Tero Kivinen, Timo J. Rinne, Sami Lehtinen \(all of SSH Communications) s
5 646 M
(   Security Corp\), and Markku-Juhani O. Saarinen \(University of) s
5 635 M
(   Jyvaskyla\)) s
5 613 M
(   The document editor is: Darren.Moffat@Sun.COM.  Comments on this) s
5 602 M
(   internet draft should be sent to the IETF SECSH working group,) s
5 591 M
(   details at: http://ietf.org/html.charters/secsh-charter.html) s
5 569 M
(2. Introduction) s
5 547 M
(   The SSH authentication protocol is a general-purpose user) s
5 536 M
(   authentication protocol. It is intended to be run over the SSH) s
5 525 M
(   transport layer protocol [SSH-TRANS]. This protocol assumes that the) s
5 514 M
(   underlying protocols provide integrity and confidentiality) s
5 503 M
(   protection.) s
5 481 M
(   This document should be read only after reading the SSH architecture) s
5 470 M
(   document [SSH-ARCH]. This document freely uses terminology and) s
5 459 M
(   notation from the architecture document without reference or further) s
5 448 M
(   explanation.) s
5 426 M
(   The service name for this protocol is "ssh-userauth".) s
5 404 M
(   When this protocol starts, it receives the session identifier from) s
5 393 M
(   the lower-level protocol \(this is the exchange hash H from the first) s
5 382 M
(   key exchange\). The session identifier uniquely identifies this) s
5 371 M
(   session and is suitable for signing in order to prove ownership of a) s
5 360 M
(   private key. This protocol also needs to know whether the lower-level) s
5 349 M
(   protocol provides confidentiality protection.) s
5 327 M
(3. Conventions Used in This Document) s
5 305 M
(   The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",) s
5 294 M
(   and "MAY" that appear in this document are to be interpreted as) s
5 283 M
(   described in [RFC2119]) s
5 261 M
(   The used data types and terminology are specified in the architecture) s
5 250 M
(   document [SSH-ARCH]) s
5 228 M
(   The architecture document also discusses the algorithm naming) s
5 217 M
(   conventions that MUST be used with the SSH protocols.) s
5 195 M
(3.1 The Authentication Protocol Framework) s
5 173 M
(   The server drives the authentication by telling the client which) s
% Footer line, then restore; S is a no-op in this slot.
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 3]) s
_R
S
PStoPSsaved restore
% Logical page 4 (second slot of the sheet); the S at the end emits the
% sheet.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 4 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
% Body text: running header, rest of section 3.1 and start of 3.1.1.
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(   authentication methods can be used to continue the exchange at any) s
5 679 M
(   given time. The client has the freedom to try the methods listed by) s
5 668 M
(   the server in any order. This gives the server complete control over) s
5 657 M
(   the authentication process if desired, but also gives enough) s
5 646 M
(   flexibility for the client to use the methods it supports or that are) s
5 635 M
(   most convenient for the user, when multiple methods are offered by) s
5 624 M
(   the server.) s
5 602 M
(   Authentication methods are identified by their name, as defined in) s
5 591 M
(   [SSH-ARCH].  The "none" method is reserved, and MUST NOT be listed as) s
5 580 M
(   supported.  However, it MAY be sent by the client.  The server MUST) s
5 569 M
(   always reject this request, unless the client is to be allowed in) s
5 558 M
(   without any authentication, in which case the server MUST accept this) s
5 547 M
(   request.  The main purpose of sending this request is to get the list) s
5 536 M
(   of supported methods from the server.) s
5 514 M
(   The server SHOULD have a timeout for authentication, and disconnect) s
5 503 M
(   if the authentication has not been accepted within the timeout) s
5 492 M
(   period. The RECOMMENDED timeout period is 10 minutes.  Additionally,) s
5 481 M
(   the implementation SHOULD limit the number of failed authentication) s
5 470 M
(   attempts a client may perform in a single session \(the RECOMMENDED) s
5 459 M
(   limit is 20 attempts\).  If the threshold is exceeded, the server) s
5 448 M
(   SHOULD disconnect.) s
5 426 M
(3.1.1 Authentication Requests) s
5 404 M
(   All authentication requests MUST use the following message format.) s
5 393 M
(   Only the first few fields are defined; the remaining fields depend on) s
5 382 M
(   the authentication method.) s
5 360 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 349 M
(     string    user name \(in ISO-10646 UTF-8 encoding [RFC2279]\)) s
5 338 M
(     string    service name \(in US-ASCII\)) s
5 327 M
(     string    method name \(US-ASCII\)) s
5 316 M
(     The rest of the packet is method-specific.) s
5 294 M
(   The user name and service are repeated in every new authentication) s
5 283 M
(   attempt, and MAY change.  The server implementation MUST carefully) s
5 272 M
(   check them in every message, and MUST flush any accumulated) s
5 261 M
(   authentication states if they change.  If it is unable to flush some) s
5 250 M
(   authentication state, it MUST disconnect if the user or service name) s
5 239 M
(   changes.) s
5 217 M
(   The service name specifies the service to start after authentication.) s
5 206 M
(   There may be several different authenticated services provided.  If) s
5 195 M
(   the requested service is not available, the server MAY disconnect) s
5 184 M
(   immediately or at any later time.  Sending a proper disconnect) s
5 173 M
(   message is RECOMMENDED.  In any case, if the service does not exist,) s
% Footer line, then restore, emit the sheet, and roll VM back.
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 4]) s
_R
S
PStoPSsaved restore
%%Page: (4,5) 3
% Logical page 5 (first slot of the third sheet); showpage disabled for
% this slot, re-enabled by the restore at the end.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 5 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
% Body text: running header, rest of 3.1.1 and section 3.1.2.
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(   authentication MUST NOT be accepted.) s
5 668 M
(   If the requested user does not exist, the server MAY disconnect, or) s
5 657 M
(   MAY send a bogus list of acceptable authentication methods, but never) s
5 646 M
(   accept any.  This makes it possible for the server to avoid) s
5 635 M
(   disclosing information on which accounts exist.  In any case, if the) s
5 624 M
(   user does not exist, the authentication request MUST NOT be accepted.) s
5 602 M
(   While there is usually little point for clients to send requests that) s
5 591 M
(   the server does not list as acceptable, sending such requests is not) s
5 580 M
(   an error, and the server SHOULD simply reject requests that it does) s
5 569 M
(   not recognize.) s
5 547 M
(   An authentication request MAY result in a further exchange of) s
5 536 M
(   messages.  All such messages depend on the authentication method) s
5 525 M
(   used, and the client MAY at any time continue with a new) s
5 514 M
(   SSH_MSG_USERAUTH_REQUEST message, in which case the server MUST) s
5 503 M
(   abandon the previous authentication attempt and continue with the new) s
5 492 M
(   one.) s
5 470 M
(3.1.2 Responses to Authentication Requests) s
5 448 M
(   If the server rejects the authentication request, it MUST respond) s
5 437 M
(   with the following:) s
5 415 M
(     byte      SSH_MSG_USERAUTH_FAILURE) s
5 404 M
(     string    authentications that can continue) s
5 393 M
(     boolean   partial success) s
5 371 M
(   "Authentications that can continue" is a comma-separated list of) s
5 360 M
(   authentication method names that may productively continue the) s
5 349 M
(   authentication dialog.) s
5 327 M
(   It is RECOMMENDED that servers only include those methods in the list) s
5 316 M
(   that are actually useful.  However, it is not illegal to include) s
5 305 M
(   methods that cannot be used to authenticate the user.) s
5 283 M
(   Already successfully completed authentications SHOULD NOT be included) s
5 272 M
(   in the list, unless they really should be performed again for some) s
5 261 M
(   reason.) s
5 239 M
(   "Partial success" MUST be TRUE if the authentication request to which) s
5 228 M
(   this is a response was successful.  It MUST be FALSE if the request) s
5 217 M
(   was not successfully processed.) s
5 195 M
(   When the server accepts authentication, it MUST respond with the) s
5 184 M
(   following:) s
% Footer line, then restore; S is a no-op in this slot.
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 5]) s
_R
S
PStoPSsaved restore
% Logical page 6 (second slot of the sheet); the S at the end emits the
% sheet.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 6 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
% Body text: running header, rest of 3.1.2, sections 3.1.3 and 3.1.4.
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(     byte      SSH_MSG_USERAUTH_SUCCESS) s
5 668 M
(   Note that this is not sent after each step in a multi-method) s
5 657 M
(   authentication sequence, but only when the authentication is) s
5 646 M
(   complete.) s
5 624 M
(   The client MAY send several authentication requests without waiting) s
5 613 M
(   for responses from previous requests.  The server MUST process each) s
5 602 M
(   request completely and acknowledge any failed requests with a) s
5 591 M
(   SSH_MSG_USERAUTH_FAILURE message before processing the next request.) s
5 569 M
(   A request that results in further exchange of messages will be) s
5 558 M
(   aborted by a second request. It is not possible to send a second) s
5 547 M
(   request without waiting for a response from the server, if the first) s
5 536 M
(   request will result in further exchange of messages.  No) s
5 525 M
(   SSH_MSG_USERAUTH_FAILURE message will be sent for the aborted method.) s
5 503 M
(   SSH_MSG_USERAUTH_SUCCESS MUST be sent only once. When) s
5 492 M
(   SSH_MSG_USERAUTH_SUCCESS has been sent, any further authentication) s
5 481 M
(   requests received after that SHOULD be silently ignored.) s
5 459 M
(   Any non-authentication messages sent by the client after the request) s
5 448 M
(   that resulted in SSH_MSG_USERAUTH_SUCCESS being sent MUST be passed) s
5 437 M
(   to the service being run on top of this protocol.  Such messages can) s
5 426 M
(   be identified by their message numbers \(see Section Message Numbers) s
5 415 M
(   \(Section 3.2\)\).) s
5 393 M
(3.1.3 The "none" Authentication Request) s
5 371 M
(   A client may request a list of authentication methods that may) s
5 360 M
(   continue by using the "none" authentication method.) s
5 338 M
(   If no authentication at all is needed for the user, the server MUST) s
5 327 M
(   return SSH_MSG_USERAUTH_SUCCESS.  Otherwise, the server MUST return) s
5 316 M
(   SSH_MSG_USERAUTH_FAILURE and MAY return with it a list of) s
5 305 M
(   authentication methods that can continue.) s
5 283 M
(   This method MUST NOT be listed as supported by the server.) s
5 261 M
(3.1.4 Completion of User Authentication) s
5 239 M
(   Authentication is complete when the server has responded with) s
5 228 M
(   SSH_MSG_USERAUTH_SUCCESS; all authentication related messages) s
5 217 M
(   received after sending this message SHOULD be silently ignored.) s
5 195 M
(   After sending SSH_MSG_USERAUTH_SUCCESS, the server starts the) s
5 184 M
(   requested service.) s
% Footer line, then restore, emit the sheet, and roll VM back.
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 6]) s
_R
S
PStoPSsaved restore
%%Page: (6,7) 4
% Logical page 7 (first slot of the fourth sheet); showpage disabled for
% this slot, re-enabled by the restore at the end.
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 7 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
% Body text: running header, section 3.1.5 and start of 3.2.
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(3.1.5 Banner Message) s
5 668 M
(   In some jurisdictions, sending a warning message before) s
5 657 M
(   authentication may be relevant for getting legal protection.  Many) s
5 646 M
(   UNIX machines, for example, normally display text from `/etc/issue',) s
5 635 M
(   or use "tcp wrappers" or similar software to display a banner before) s
5 624 M
(   issuing a login prompt.) s
5 602 M
(   The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time) s
5 591 M
(   before authentication is successful.  This message contains text to) s
5 580 M
(   be displayed to the client user before authentication is attempted.) s
5 569 M
(   The format is as follows:) s
5 547 M
(     byte      SSH_MSG_USERAUTH_BANNER) s
5 536 M
(     string    message \(ISO-10646 UTF-8\)) s
5 525 M
(     string    language tag \(as defined in [RFC3066]\)) s
5 503 M
(   The client SHOULD by default display the message on the screen.) s
5 492 M
(   However, since the message is likely to be sent for every login) s
5 481 M
(   attempt, and since some client software will need to open a separate) s
5 470 M
(   window for this warning, the client software may allow the user to) s
5 459 M
(   explicitly disable the display of banners from the server.  The) s
5 448 M
(   message may consist of multiple lines.) s
5 426 M
(   If the message string is displayed, control character filtering) s
5 415 M
(   discussed in [SSH-ARCH] SHOULD be used to avoid attacks by sending) s
5 404 M
(   terminal control characters.) s
5 382 M
(3.2 Authentication Protocol Message Numbers) s
5 360 M
(   All message numbers used by this authentication protocol are in the) s
5 349 M
(   range from 50 to 79, which is part of the range reserved for) s
5 338 M
(   protocols running on top of the SSH transport layer protocol.) s
5 316 M
(   Message numbers of 80 and higher are reserved for protocols running) s
5 305 M
(   after this authentication protocol, so receiving one of them before) s
5 294 M
(   authentication is complete is an error, to which the server MUST) s
5 283 M
(   respond by disconnecting \(preferably with a proper disconnect message) s
5 272 M
(   sent first to ease troubleshooting\).) s
5 250 M
(   After successful authentication, such messages are passed to the) s
5 239 M
(   higher-level service.) s
5 217 M
(   These are the general authentication message codes:) s
5 195 M
(     #define SSH_MSG_USERAUTH_REQUEST            50) s
5 184 M
(     #define SSH_MSG_USERAUTH_FAILURE            51) s
5 173 M
(     #define SSH_MSG_USERAUTH_SUCCESS            52) s
% Footer line, then restore; S is a no-op in this slot.
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 7]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 8 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(     #define SSH_MSG_USERAUTH_BANNER             53) s
5 668 M
(   In addition to the above, there is a range of message numbers) s
5 657 M
(   \(60..79\) reserved for method-specific messages.  These messages are) s
5 646 M
(   only sent by the server \(client sends only SSH_MSG_USERAUTH_REQUEST) s
5 635 M
(   messages\). Different authentication methods reuse the same message) s
5 624 M
(   numbers.) s
5 602 M
(3.3 Public Key Authentication Method: publickey) s
5 580 M
(   The only REQUIRED authentication method is public key authentication.) s
5 569 M
(   All implementations MUST support this method; however, not all users) s
5 558 M
(   need to have public keys, and most local policies are not likely to) s
5 547 M
(   require public key authentication for all users in the near future.) s
5 525 M
(   With this method, the possession of a private key serves as) s
5 514 M
(   authentication.  This method works by sending a signature created) s
5 503 M
(   with a private key of the user.  The server MUST check that the key) s
5 492 M
(   is a valid authenticator for the user, and MUST check that the) s
5 481 M
(   signature is valid.  If both hold, the authentication request MUST be) s
5 470 M
(   accepted; otherwise it MUST be rejected.  \(Note that the server MAY) s
5 459 M
(   require additional authentications after successful authentication.\)) s
5 437 M
(   Private keys are often stored in an encrypted form at the client) s
5 426 M
(   host, and the user must supply a passphrase before the signature can) s
5 415 M
(   be generated. Even if they are not, the signing operation involves) s
5 404 M
(   some expensive computation.  To avoid unnecessary processing and user) s
5 393 M
(   interaction, the following message is provided for querying whether) s
5 382 M
(   authentication using the key would be acceptable.) s
5 360 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 349 M
(     string    user name) s
5 338 M
(     string    service) s
5 327 M
(     string    "publickey") s
5 316 M
(     boolean   FALSE) s
5 305 M
(     string    public key algorithm name) s
5 294 M
(     string    public key blob) s
5 272 M
(   Public key algorithms are defined in the transport layer) s
5 261 M
(   specification [SSH-TRANS]. The public key blob may contain) s
5 250 M
(   certificates.) s
5 228 M
(   Any public key algorithm may be offered for use in authentication.) s
5 217 M
(   In particular, the list is not constrained by what was negotiated) s
5 206 M
(   during key exchange.  If the server does not support some algorithm,) s
5 195 M
(   it MUST simply reject the request.) s
5 173 M
(   The server MUST respond to this message with either) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 8]) s
_R
S
PStoPSsaved restore
%%Page: (8,9) 5
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 9 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(   SSH_MSG_USERAUTH_FAILURE or with the following:) s
5 668 M
(     byte      SSH_MSG_USERAUTH_PK_OK) s
5 657 M
(     string    public key algorithm name from the request) s
5 646 M
(     string    public key blob from the request) s
5 624 M
(   To perform actual authentication, the client MAY then send a) s
5 613 M
(   signature generated using the private key.  The client MAY send the) s
5 602 M
(   signature directly without first verifying whether the key is) s
5 591 M
(   acceptable. The signature is sent using the following packet:) s
5 569 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 558 M
(     string    user name) s
5 547 M
(     string    service) s
5 536 M
(     string    "publickey") s
5 525 M
(     boolean   TRUE) s
5 514 M
(     string    public key algorithm name) s
5 503 M
(     string    public key to be used for authentication) s
5 492 M
(     string    signature) s
5 470 M
(   Signature is a signature by the corresponding private key over the) s
5 459 M
(   following data, in the following order:) s
5 437 M
(     string    session identifier) s
5 426 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 415 M
(     string    user name) s
5 404 M
(     string    service) s
5 393 M
(     string    "publickey") s
5 382 M
(     boolean   TRUE) s
5 371 M
(     string    public key algorithm name) s
5 360 M
(     string    public key to be used for authentication) s
5 338 M
(   When the server receives this message, it MUST check whether the) s
5 327 M
(   supplied key is acceptable for authentication, and if so, it MUST) s
5 316 M
(   check whether the signature is correct.) s
5 294 M
(   If both checks succeed, this method is successful.  Note that the) s
5 283 M
(   server may require additional authentications.  The server MUST) s
5 272 M
(   respond with SSH_MSG_USERAUTH_SUCCESS \(if no more authentications are) s
5 261 M
(   needed\), or SSH_MSG_USERAUTH_FAILURE \(if the request failed, or more) s
5 250 M
(   authentications are needed\).) s
5 228 M
(   The following method-specific message numbers are used by the) s
5 217 M
(   publickey authentication method.) s
5 195 M
(     /* Key-based */) s
5 184 M
(     #define SSH_MSG_USERAUTH_PK_OK              60) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 9]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 10 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(3.4 Password Authentication Method: password) s
5 668 M
(   Password authentication uses the following packets.  Note that a) s
5 657 M
(   server MAY request the user to change the password.  All) s
5 646 M
(   implementations SHOULD support password authentication.) s
5 624 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 613 M
(     string    user name) s
5 602 M
(     string    service) s
5 591 M
(     string    "password") s
5 580 M
(     boolean   FALSE) s
5 569 M
(     string    plaintext password \(ISO-10646 UTF-8\)) s
5 547 M
(   Note that the password is encoded in ISO-10646 UTF-8.  It is up to) s
5 536 M
(   the server how it interprets the password and validates it against) s
5 525 M
(   the password database.  However, if the client reads the password in) s
5 514 M
(   some other encoding \(e.g., ISO 8859-1 \(ISO Latin1\)\), it MUST convert) s
5 503 M
(   the password to ISO-10646 UTF-8 before transmitting, and the server) s
5 492 M
(   MUST convert the password to the encoding used on that system for) s
5 481 M
(   passwords.) s
5 459 M
(   Note that even though the cleartext password is transmitted in the) s
5 448 M
(   packet, the entire packet is encrypted by the transport layer.  Both) s
5 437 M
(   the server and the client should check whether the underlying) s
5 426 M
(   transport layer provides confidentiality \(i.e., if encryption is) s
5 415 M
(   being used\).  If no confidentiality is provided \(none cipher\),) s
5 404 M
(   password authentication SHOULD be disabled.  If there is no) s
5 393 M
(   confidentiality or no MAC, password change SHOULD be disabled.) s
5 371 M
(   Normally, the server responds to this message with success or) s
5 360 M
(   failure. However, if the password has expired, the server SHOULD) s
5 349 M
(   indicate this by responding with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.) s
5 338 M
(   In any case the server MUST NOT allow an expired password to be used) s
5 327 M
(   for authentication.) s
5 305 M
(     byte      SSH_MSG_USERAUTH_PASSWD_CHANGEREQ) s
5 294 M
(     string    prompt \(ISO-10646 UTF-8\)) s
5 283 M
(     string    language tag \(as defined in [RFC3066]\)) s
5 261 M
(   In this case, the client MAY continue with a different authentication) s
5 250 M
(   method, or request a new password from the user and retry password) s
5 239 M
(   authentication using the following message. The client MAY also send) s
5 228 M
(   this message instead of the normal password authentication request) s
5 217 M
(   without the server asking for it.) s
5 195 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 184 M
(     string    user name) s
5 173 M
(     string    service) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                 [Page 10]) s
_R
S
PStoPSsaved restore
%%Page: (10,11) 6
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 11 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(     string    "password") s
5 679 M
(     boolean   TRUE) s
5 668 M
(     string    plaintext old password \(ISO-10646 UTF-8\)) s
5 657 M
(     string    plaintext new password \(ISO-10646 UTF-8\)) s
5 635 M
(   The server must reply to each request message with) s
5 624 M
(   SSH_MSG_USERAUTH_SUCCESS, SSH_MSG_USERAUTH_FAILURE, or another) s
5 613 M
(   SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.  The meaning of these is as) s
5 602 M
(   follows:) s
5 580 M
(      SSH_MSG_USERAUTH_SUCCESS The password has been changed, and) s
5 569 M
(      authentication has been successfully completed.) s
5 547 M
(      SSH_MSG_USERAUTH_FAILURE with partial success The password has) s
5 536 M
(      been changed, but more authentications are needed.) s
5 514 M
(      SSH_MSG_USERAUTH_FAILURE without partial success The password has) s
5 503 M
(      not been changed.  Either password changing was not supported, or) s
5 492 M
(      the old password was bad.  Note that if the server has already) s
5 481 M
(      sent SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, we know that it supports) s
5 470 M
(      changing the password.) s
5 448 M
(      SSH_MSG_USERAUTH_PASSWD_CHANGEREQ The password was not changed because) s
5 437 M
(      the new password was not acceptable \(e.g. too easy to guess\).) s
5 415 M
(   The following method-specific message numbers are used by the) s
5 404 M
(   password authentication method.) s
5 382 M
(     #define SSH_MSG_USERAUTH_PASSWD_CHANGEREQ   60) s
5 349 M
(3.5 Host-Based Authentication: hostbased) s
5 327 M
(   Some sites wish to allow authentication based on the host where the) s
5 316 M
(   user is coming from, and the user name on the remote host.  While) s
5 305 M
(   this form of authentication is not suitable for high-security sites,) s
5 294 M
(   it can be very convenient in many environments.  This form of) s
5 283 M
(   authentication is OPTIONAL. When used, special care SHOULD be taken) s
5 272 M
(   to prevent a regular user from obtaining the private host key.) s
5 250 M
(   The client requests this form of authentication by sending the) s
5 239 M
(   following message.  It is similar to the UNIX "rhosts" and) s
5 228 M
(   "hosts.equiv" styles of authentication, except that the identity of) s
5 217 M
(   the client host is checked more rigorously.) s
5 195 M
(   This method works by having the client send a signature created with) s
5 184 M
(   the private key of the client host, which the server checks with that) s
5 173 M
(   host's public key.  Once the client host's identity is established,) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                 [Page 11]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 12 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(   authorization \(but no further authentication\) is performed based on) s
5 679 M
(   the user names on the server and the client, and the client host) s
5 668 M
(   name.) s
5 646 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 635 M
(     string    user name) s
5 624 M
(     string    service) s
5 613 M
(     string    "hostbased") s
5 602 M
(     string    public key algorithm for host key) s
5 591 M
(     string    public host key and certificates for client host) s
5 580 M
(     string    client host name \(FQDN; US-ASCII\)) s
5 569 M
(     string    user name on the client host \(ISO-10646 UTF-8\)) s
5 558 M
(     string    signature) s
5 536 M
(   Public key algorithm names for use in "public key algorithm for host) s
5 525 M
(   key" are defined in the transport layer specification.  The "public) s
5 514 M
(   host key for client host" may include certificates.) s
5 492 M
(   Signature is a signature with the private host key of the following) s
5 481 M
(   data, in this order:) s
5 459 M
(     string    session identifier) s
5 448 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 437 M
(     string    user name) s
5 426 M
(     string    service) s
5 415 M
(     string    "hostbased") s
5 404 M
(     string    public key algorithm for host key) s
5 393 M
(     string    public host key and certificates for client host) s
5 382 M
(     string    client host name \(FQDN; US-ASCII\)) s
5 371 M
(     string    user name on the client host \(ISO-10646 UTF-8\)) s
5 349 M
(   The server MUST verify that the host key actually belongs to the) s
5 338 M
(   client host named in the message, that the given user on that host is) s
5 327 M
(   allowed to log in, and that the signature is a valid signature on the) s
5 316 M
(   appropriate value by the given host key.  The server MAY ignore the) s
5 305 M
(   client user name, if it wants to authenticate only the client host.) s
5 283 M
(   It is RECOMMENDED that whenever possible, the server perform) s
5 272 M
(   additional checks to verify that the network address obtained from) s
5 261 M
(   the \(untrusted\) network matches the given client host name.  This) s
5 250 M
(   makes exploiting compromised host keys more difficult.  Note that) s
5 239 M
(   this may require special handling for connections coming through a) s
5 228 M
(   firewall.) s
5 206 M
(4. Security Considerations) s
5 184 M
(   The purpose of this protocol is to perform client user) s
5 173 M
(   authentication. It is assumed that this runs over a secure transport) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                 [Page 12]) s
_R
S
PStoPSsaved restore
%%Page: (12,13) 7
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 13 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(   layer protocol, which has already authenticated the server machine,) s
5 679 M
(   established an encrypted communications channel, and computed a) s
5 668 M
(   unique session identifier for this session. The transport layer) s
5 657 M
(   provides forward secrecy for password authentication and other) s
5 646 M
(   methods that rely on secret data.) s
5 624 M
(   Full security considerations for this protocol are provided in) s
5 613 M
(   Section 8 of [SSH-ARCH].) s
5 591 M
(Normative) s
5 569 M
(   [SSH-ARCH]) s
5 558 M
(              Ylonen, T., "SSH Protocol Architecture", I-D) s
5 547 M
(              draft-ietf-architecture-15.txt, Oct 2003.) s
5 525 M
(   [SSH-TRANS]) s
5 514 M
(              Ylonen, T., "SSH Transport Layer Protocol", I-D) s
5 503 M
(              draft-ietf-transport-17.txt, Oct 2003.) s
5 481 M
(   [SSH-USERAUTH]) s
5 470 M
(              Ylonen, T., "SSH Authentication Protocol", I-D) s
5 459 M
(              draft-ietf-userauth-18.txt, Oct 2003.) s
5 437 M
(   [SSH-CONNECT]) s
5 426 M
(              Ylonen, T., "SSH Connection Protocol", I-D) s
5 415 M
(              draft-ietf-connect-18.txt, Oct 2003.) s
5 393 M
(   [SSH-NUMBERS]) s
5 382 M
(              Lehtinen, S. and D. Moffat, "SSH Protocol Assigned) s
5 371 M
(              Numbers", I-D draft-ietf-secsh-assignednumbers-05.txt, Oct) s
5 360 M
(              2003.) s
5 338 M
(   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate) s
5 327 M
(              Requirement Levels", BCP 14, RFC 2119, March 1997.) s
5 305 M
(Informative) s
5 283 M
(   [RFC3066]  Alvestrand, H., "Tags for the Identification of) s
5 272 M
(              Languages", BCP 47, RFC 3066, January 2001.) s
5 250 M
(   [RFC2279]  Yergeau, F., "UTF-8, a transformation format of ISO) s
5 239 M
(              10646", RFC 2279, January 1998.) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                 [Page 13]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 14 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(Authors' Addresses) s
5 668 M
(   Tatu Ylonen) s
5 657 M
(   SSH Communications Security Corp) s
5 646 M
(   Fredrikinkatu 42) s
5 635 M
(   HELSINKI  FIN-00100) s
5 624 M
(   Finland) s
5 602 M
(   EMail: ylo@ssh.com) s
5 569 M
(   Darren J. Moffat \(editor\)) s
5 558 M
(   Sun Microsystems, Inc) s
5 547 M
(   17 Network Circle) s
5 536 M
(   Menlo Park  95025) s
5 525 M
(   USA) s
5 503 M
(   EMail: Darren.Moffat@Sun.COM) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                 [Page 14]) s
_R
S
PStoPSsaved restore
%%Page: (14,15) 8
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 15 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(Intellectual Property Statement) s
5 668 M
(   The IETF takes no position regarding the validity or scope of any) s
5 657 M
(   intellectual property or other rights that might be claimed to) s
5 646 M
(   pertain to the implementation or use of the technology described in) s
5 635 M
(   this document or the extent to which any license under such rights) s
5 624 M
(   might or might not be available; neither does it represent that it) s
5 613 M
(   has made any effort to identify any such rights. Information on the) s
5 602 M
(   IETF's procedures with respect to rights in standards-track and) s
5 591 M
(   standards-related documentation can be found in BCP-11. Copies of) s
5 580 M
(   claims of rights made available for publication and any assurances of) s
5 569 M
(   licenses to be made available, or the result of an attempt made to) s
5 558 M
(   obtain a general license or permission for the use of such) s
5 547 M
(   proprietary rights by implementors or users of this specification can) s
5 536 M
(   be obtained from the IETF Secretariat.) s
5 514 M
(   The IETF invites any interested party to bring to its attention any) s
5 503 M
(   copyrights, patents or patent applications, or other proprietary) s
5 492 M
(   rights which may cover technology that may be required to practice) s
5 481 M
(   this standard. Please address the information to the IETF Executive) s
5 470 M
(   Director.) s
5 448 M
(   The IETF has been notified of intellectual property rights claimed in) s
5 437 M
(   regard to some or all of the specification contained in this) s
5 426 M
(   document. For more information consult the online list of claimed) s
5 415 M
(   rights.) s
5 382 M
(Full Copyright Statement) s
5 360 M
(   Copyright \(C\) The Internet Society \(2002\). All Rights Reserved.) s
5 338 M
(   This document and translations of it may be copied and furnished to) s
5 327 M
(   others, and derivative works that comment on or otherwise explain it) s
5 316 M
(   or assist in its implementation may be prepared, copied, published) s
5 305 M
(   and distributed, in whole or in part, without restriction of any) s
5 294 M
(   kind, provided that the above copyright notice and this paragraph are) s
5 283 M
(   included on all such copies and derivative works. However, this) s
5 272 M
(   document itself may not be modified in any way, such as by removing) s
5 261 M
(   the copyright notice or references to the Internet Society or other) s
5 250 M
(   Internet organizations, except as needed for the purpose of) s
5 239 M
(   developing Internet standards in which case the procedures for) s
5 228 M
(   copyrights defined in the Internet Standards process must be) s
5 217 M
(   followed, or as required to translate it into languages other than) s
5 206 M
(   English.) s
5 184 M
(   The limited permissions granted above are perpetual and will not be) s
5 173 M
(   revoked by the Internet Society or its successors or assignees.) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                 [Page 15]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 16 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(   This document and the information contained herein is provided on an) s
5 679 M
(   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING) s
5 668 M
(   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING) s
5 657 M
(   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION) s
5 646 M
(   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF) s
5 635 M
(   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.) s
5 602 M
(Acknowledgment) s
5 580 M
(   Funding for the RFC Editor function is currently provided by the) s
5 569 M
(   Internet Society.) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                 [Page 16]) s
_R
S
PStoPSsaved restore
%%Trailer
%%Pages: 16
%%DocumentNeededResources: font Courier-Bold Courier 
%%EOF