blob: c2819601137a027904f8c064acfb55a4f6275592 [file] [log] [blame]
Damien Miller58a81142008-05-19 16:11:56 +10001This documents OpenSSH's deviations and extensions to the published SSH
2protocol.
3
4Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH
5filexfer protocol described in:
6
7http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
8
Darren Tuckera2e10482010-01-09 22:25:14 +11009Newer versions of the draft will not be supported, though some features
10are individually implemented as extensions described below.
Damien Miller58a81142008-05-19 16:11:56 +100011
Damien Miller1e18beb2008-06-30 00:07:00 +100012The protocol used by OpenSSH's ssh-agent is described in the file
13PROTOCOL.agent
14
Damien Millereb8b60e2010-08-31 22:41:14 +1000151. Transport protocol changes
16
171.1. transport: Protocol 2 MAC algorithm "umac-64@openssh.com"
Damien Miller58a81142008-05-19 16:11:56 +100018
19This is a new transport-layer MAC method using the UMAC algorithm
20(rfc4418). This method is identical to the "umac-64" method documented
21in:
22
23http://www.openssh.com/txt/draft-miller-secsh-umac-01.txt
24
Damien Millereb8b60e2010-08-31 22:41:14 +1000251.2. transport: Protocol 2 compression algorithm "zlib@openssh.com"
Damien Miller58a81142008-05-19 16:11:56 +100026
27This transport-layer compression method uses the zlib compression
28algorithm (identical to the "zlib" method in rfc4253), but delays the
29start of compression until after authentication has completed. This
30avoids exposing compression code to attacks from unauthenticated users.
31
32The method is documented in:
33
34http://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
35
Damien Millereb8b60e2010-08-31 22:41:14 +1000361.3. transport: New public key algorithms "ssh-rsa-cert-v00@openssh.com",
37 "ssh-dsa-cert-v00@openssh.com",
38 "ecdsa-sha2-nistp256-cert-v01@openssh.com",
39 "ecdsa-sha2-nistp384-cert-v01@openssh.com" and
40 "ecdsa-sha2-nistp521-cert-v01@openssh.com"
Damien Miller0a80ca12010-02-27 07:55:05 +110041
Damien Millereb8b60e2010-08-31 22:41:14 +100042OpenSSH introduces new public key algorithms to support certificate
Damien Miller0a80ca12010-02-27 07:55:05 +110043authentication for users and hostkeys. These methods are documented in
44the file PROTOCOL.certkeys
45
Damien Millereb8b60e2010-08-31 22:41:14 +1000461.4. transport: Elliptic Curve cryptography
47
48OpenSSH supports ECC key exchange and public key authentication as
49specified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384
50and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
51curve points encoded using point compression are NOT accepted or
52generated.
53
542. Connection protocol changes
55
562.1. connection: Channel write close extension "eow@openssh.com"
Damien Miller58a81142008-05-19 16:11:56 +100057
58The SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF
59message to allow an endpoint to signal its peer that it will send no
60more data over a channel. Unfortunately, there is no symmetric way for
61an endpoint to request that its peer should cease sending data to it
62while still keeping the channel open for the endpoint to send data to
63the peer.
64
65This is desirable, since it saves the transmission of data that would
66otherwise need to be discarded and it allows an endpoint to signal local
67processes of the condition, e.g. by closing the corresponding file
68descriptor.
69
70OpenSSH implements a channel extension message to perform this
Darren Tucker1f781b12008-07-02 22:33:16 +100071signalling: "eow@openssh.com" (End Of Write). This message is sent by
72an endpoint when the local output of a session channel is closed or
73experiences a write error. The message is formatted as follows:
Damien Miller58a81142008-05-19 16:11:56 +100074
75 byte SSH_MSG_CHANNEL_REQUEST
76 uint32 recipient channel
77 string "eow@openssh.com"
78 boolean FALSE
79
80On receiving this message, the peer SHOULD cease sending data of
81the channel and MAY signal the process from which the channel data
82originates (e.g. by closing its read file descriptor).
83
84As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does
85remain open after a "eow@openssh.com" has been sent and more data may
86still be sent in the other direction. This message does not consume
87window space and may be sent even if no window space is available.
88
Damien Miller6385e752009-02-14 18:00:52 +110089NB. due to certain broken SSH implementations aborting upon receipt
90of this message (in contravention of RFC4254 section 5.4), this
91message is only sent to OpenSSH peers (identified by banner).
92Other SSH implementations may be whitelisted to receive this message
93upon request.
94
Damien Millereb8b60e2010-08-31 22:41:14 +1000952.2. connection: disallow additional sessions extension
96 "no-more-sessions@openssh.com"
Darren Tucker8901fa92008-06-11 09:34:01 +100097
98Most SSH connections will only ever request a single session, but a
99attacker may abuse a running ssh client to surreptitiously open
100additional sessions under their control. OpenSSH provides a global
101request "no-more-sessions@openssh.com" to mitigate this attack.
102
103When an OpenSSH client expects that it will never open another session
104(i.e. it has been started with connection multiplexing disabled), it
105will send the following global request:
106
107 byte SSH_MSG_GLOBAL_REQUEST
108 string "no-more-sessions@openssh.com"
109 char want-reply
110
111On receipt of such a message, an OpenSSH server will refuse to open
112future channels of type "session" and instead immediately abort the
113connection.
114
115Note that this is not a general defence against compromised clients
116(that is impossible), but it thwarts a simple attack.
117
Damien Miller6385e752009-02-14 18:00:52 +1100118NB. due to certain broken SSH implementations aborting upon receipt
119of this message, the no-more-sessions request is only sent to OpenSSH
120servers (identified by banner). Other SSH implementations may be
121whitelisted to receive this message upon request.
122
Damien Millereb8b60e2010-08-31 22:41:14 +10001232.3. connection: Tunnel forward extension "tun@openssh.com"
Darren Tuckere5d98292008-06-13 04:53:27 +1000124
Damien Millerbd45afb2008-06-30 00:04:57 +1000125OpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com"
Darren Tuckere5d98292008-06-13 04:53:27 +1000126channel type. This channel type supports forwarding of network packets
Damien Millerbd45afb2008-06-30 00:04:57 +1000127with datagram boundaries intact between endpoints equipped with
Darren Tuckere5d98292008-06-13 04:53:27 +1000128interfaces like the BSD tun(4) device. Tunnel forwarding channels are
129requested by the client with the following packet:
130
131 byte SSH_MSG_CHANNEL_OPEN
132 string "tun@openssh.com"
133 uint32 sender channel
134 uint32 initial window size
135 uint32 maximum packet size
136 uint32 tunnel mode
137 uint32 remote unit number
138
139The "tunnel mode" parameter specifies whether the tunnel should forward
140layer 2 frames or layer 3 packets. It may take one of the following values:
141
142 SSH_TUNMODE_POINTOPOINT 1 /* layer 3 packets */
143 SSH_TUNMODE_ETHERNET 2 /* layer 2 frames */
144
145The "tunnel unit number" specifies the remote interface number, or may
Darren Tuckerf2705c82010-01-08 18:54:17 +1100146be 0x7fffffff to allow the server to automatically chose an interface. A
147server that is not willing to open a client-specified unit should refuse
148the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful
149open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS.
Darren Tuckere5d98292008-06-13 04:53:27 +1000150
151Once established the client and server may exchange packet or frames
152over the tunnel channel by encapsulating them in SSH protocol strings
153and sending them as channel data. This ensures that packet boundaries
154are kept intact. Specifically, packets are transmitted using normal
155SSH_MSG_CHANNEL_DATA packets:
156
157 byte SSH_MSG_CHANNEL_DATA
158 uint32 recipient channel
159 string data
160
161The contents of the "data" field for layer 3 packets is:
162
163 uint32 packet length
164 uint32 address family
165 byte[packet length - 4] packet data
166
167The "address family" field identifies the type of packet in the message.
168It may be one of:
169
170 SSH_TUN_AF_INET 2 /* IPv4 */
171 SSH_TUN_AF_INET6 24 /* IPv6 */
172
173The "packet data" field consists of the IPv4/IPv6 datagram itself
174without any link layer header.
175
Darren Tuckerf2705c82010-01-08 18:54:17 +1100176The contents of the "data" field for layer 2 packets is:
Darren Tuckere5d98292008-06-13 04:53:27 +1000177
178 uint32 packet length
179 byte[packet length] frame
180
Damien Millerbd45afb2008-06-30 00:04:57 +1000181The "frame" field contains an IEEE 802.3 Ethernet frame, including
Darren Tuckere5d98292008-06-13 04:53:27 +1000182header.
183
Damien Millereb8b60e2010-08-31 22:41:14 +10001843. SFTP protocol changes
185
1863.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
Damien Miller58a81142008-05-19 16:11:56 +1000187
188When OpenSSH's sftp-server was implemented, the order of the arguments
Damien Millerbd45afb2008-06-30 00:04:57 +1000189to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately,
Damien Miller58a81142008-05-19 16:11:56 +1000190the reversal was not noticed until the server was widely deployed. Since
191fixing this to follow the specification would cause incompatibility, the
192current order was retained. For correct operation, clients should send
193SSH_FXP_SYMLINK as follows:
194
195 uint32 id
196 string targetpath
197 string linkpath
198
Damien Millereb8b60e2010-08-31 22:41:14 +10001993.2. sftp: Server extension announcement in SSH_FXP_VERSION
Damien Miller58a81142008-05-19 16:11:56 +1000200
201OpenSSH's sftp-server lists the extensions it supports using the
202standard extension announcement mechanism in the SSH_FXP_VERSION server
203hello packet:
204
205 uint32 3 /* protocol version */
206 string ext1-name
207 string ext1-version
208 string ext2-name
209 string ext2-version
210 ...
211 string extN-name
212 string extN-version
213
214Each extension reports its integer version number as an ASCII encoded
215string, e.g. "1". The version will be incremented if the extension is
216ever changed in an incompatible way. The server MAY advertise the same
217extension with multiple versions (though this is unlikely). Clients MUST
Damien Millerbd45afb2008-06-30 00:04:57 +1000218check the version number before attempting to use the extension.
Damien Miller58a81142008-05-19 16:11:56 +1000219
Damien Millereb8b60e2010-08-31 22:41:14 +10002203.3. sftp: Extension request "posix-rename@openssh.com"
Damien Miller58a81142008-05-19 16:11:56 +1000221
222This operation provides a rename operation with POSIX semantics, which
223are different to those provided by the standard SSH_FXP_RENAME in
224draft-ietf-secsh-filexfer-02.txt. This request is implemented as a
225SSH_FXP_EXTENDED request with the following format:
226
227 uint32 id
228 string "posix-rename@openssh.com"
229 string oldpath
230 string newpath
231
232On receiving this request the server will perform the POSIX operation
233rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
234This extension is advertised in the SSH_FXP_VERSION hello with version
235"1".
236
Damien Millereb8b60e2010-08-31 22:41:14 +10002373.4. sftp: Extension requests "statvfs@openssh.com" and
Damien Miller58a81142008-05-19 16:11:56 +1000238 "fstatvfs@openssh.com"
239
240These requests correspond to the statvfs and fstatvfs POSIX system
241interfaces. The "statvfs@openssh.com" request operates on an explicit
242pathname, and is formatted as follows:
243
244 uint32 id
245 string "statvfs@openssh.com"
246 string path
247
Damien Millerbd45afb2008-06-30 00:04:57 +1000248The "fstatvfs@openssh.com" operates on an open file handle:
Damien Miller58a81142008-05-19 16:11:56 +1000249
250 uint32 id
251 string "fstatvfs@openssh.com"
252 string handle
253
254These requests return a SSH_FXP_STATUS reply on failure. On success they
255return the following SSH_FXP_EXTENDED_REPLY reply:
256
257 uint32 id
Darren Tuckercd2ada62008-06-09 23:49:09 +1000258 uint64 f_bsize /* file system block size */
259 uint64 f_frsize /* fundamental fs block size */
Damien Miller58a81142008-05-19 16:11:56 +1000260 uint64 f_blocks /* number of blocks (unit f_frsize) */
261 uint64 f_bfree /* free blocks in file system */
262 uint64 f_bavail /* free blocks for non-root */
263 uint64 f_files /* total file inodes */
264 uint64 f_ffree /* free file inodes */
265 uint64 f_favail /* free file inodes for to non-root */
Darren Tucker17ec5d42008-06-09 23:47:37 +1000266 uint64 f_fsid /* file system id */
Darren Tuckercd2ada62008-06-09 23:49:09 +1000267 uint64 f_flag /* bit mask of f_flag values */
268 uint64 f_namemax /* maximum filename length */
Damien Miller58a81142008-05-19 16:11:56 +1000269
270The values of the f_flag bitmask are as follows:
271
272 #define SSH_FXE_STATVFS_ST_RDONLY 0x1 /* read-only */
273 #define SSH_FXE_STATVFS_ST_NOSUID 0x2 /* no setuid */
274
Damien Millerc9c96f22008-07-05 15:17:48 +1000275Both the "statvfs@openssh.com" and "fstatvfs@openssh.com" extensions are
276advertised in the SSH_FXP_VERSION hello with version "2".
Darren Tucker17ec5d42008-06-09 23:47:37 +1000277
Darren Tuckeraf1f9092010-12-05 09:02:47 +110027810. sftp: Extension request "hardlink@openssh.com"
279
280This request is for creating a hard link to a regular file. This
281request is implemented as a SSH_FXP_EXTENDED request with the
282following format:
283
284 uint32 id
285 string "hardlink@openssh.com"
286 string oldpath
287 string newpath
288
289On receiving this request the server will perform the operation
290link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
291This extension is advertised in the SSH_FXP_VERSION hello with version
292"1".
293
294$OpenBSD: PROTOCOL,v 1.17 2010/12/04 00:18:01 djm Exp $