1 1.1 christos This documents OpenSSH's deviations and extensions to the published SSH 2 1.1 christos protocol. 3 1.1 christos 4 1.1 christos Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH 5 1.1 christos filexfer protocol described in: 6 1.1 christos 7 1.26 christos https://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt 8 1.1 christos 9 1.2 christos Newer versions of the draft will not be supported, though some features 10 1.2 christos are individually implemented as extensions described below. 11 1.1 christos 12 1.1 christos The protocol used by OpenSSH's ssh-agent is described in the file 13 1.1 christos PROTOCOL.agent 14 1.1 christos 15 1.2 christos 1. Transport protocol changes 16 1.2 christos 17 1.2 christos 1.1. transport: Protocol 2 MAC algorithm "umac-64 (a] openssh.com" 18 1.1 christos 19 1.1 christos This is a new transport-layer MAC method using the UMAC algorithm 20 1.1 christos (rfc4418). This method is identical to the "umac-64" method documented 21 1.1 christos in: 22 1.1 christos 23 1.26 christos https://www.openssh.com/txt/draft-miller-secsh-umac-01.txt 24 1.1 christos 25 1.2 christos 1.2. transport: Protocol 2 compression algorithm "zlib (a] openssh.com" 26 1.1 christos 27 1.1 christos This transport-layer compression method uses the zlib compression 28 1.1 christos algorithm (identical to the "zlib" method in rfc4253), but delays the 29 1.1 christos start of compression until after authentication has completed. This 30 1.1 christos avoids exposing compression code to attacks from unauthenticated users. 31 1.1 christos 32 1.1 christos The method is documented in: 33 1.1 christos 34 1.26 christos https://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt 35 1.1 christos 36 1.25 christos 1.3. transport: Certificate key algorithms 37 1.2 christos 38 1.2 christos OpenSSH introduces new public key algorithms to support certificate 39 1.5 christos authentication for users and host keys. These methods are documented 40 1.25 christos in at https://datatracker.ietf.org/doc/draft-miller-ssh-cert/ 41 1.2 christos 42 1.2 christos 1.4. transport: Elliptic Curve cryptography 43 1.2 christos 44 1.2 christos OpenSSH supports ECC key exchange and public key authentication as 45 1.2 christos specified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 46 1.2 christos and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic 47 1.2 christos curve points encoded using point compression are NOT accepted or 48 1.2 christos generated. 49 1.2 christos 50 1.3 christos 1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms 51 1.3 christos 52 1.3 christos OpenSSH supports MAC algorithms, whose names contain "-etm", that 53 1.3 christos perform the calculations in a different order to that defined in RFC 54 1.3 christos 4253. These variants use the so-called "encrypt then MAC" ordering, 55 1.3 christos calculating the MAC over the packet ciphertext rather than the 56 1.3 christos plaintext. This ordering closes a security flaw in the SSH transport 57 1.3 christos protocol, where decryption of unauthenticated ciphertext provided a 58 1.3 christos "decryption oracle" that could, in conjunction with cipher flaws, reveal 59 1.3 christos session plaintext. 60 1.3 christos 61 1.3 christos Specifically, the "-etm" MAC algorithms modify the transport protocol 62 1.3 christos to calculate the MAC over the packet ciphertext and to send the packet 63 1.3 christos length unencrypted. This is necessary for the transport to obtain the 64 1.3 christos length of the packet and location of the MAC tag so that it may be 65 1.3 christos verified without decrypting unauthenticated data. 66 1.3 christos 67 1.3 christos As such, the MAC covers: 68 1.3 christos 69 1.3 christos mac = MAC(key, sequence_number || packet_length || encrypted_packet) 70 1.3 christos 71 1.3 christos where "packet_length" is encoded as a uint32 and "encrypted_packet" 72 1.3 christos contains: 73 1.3 christos 74 1.3 christos byte padding_length 75 1.3 christos byte[n1] payload; n1 = packet_length - padding_length - 1 76 1.3 christos byte[n2] random padding; n2 = padding_length 77 1.3 christos 78 1.3 christos 1.6 transport: AES-GCM 79 1.3 christos 80 1.3 christos OpenSSH supports the AES-GCM algorithm as specified in RFC 5647. 81 1.25 christos Because of problems with the design of the algorithm negotiation in this 82 1.25 christos RFC, OpenSSH (and other SSH implementations) use different rules as 83 1.25 christos described in: 84 1.3 christos 85 1.25 christos https://datatracker.ietf.org/doc/draft-miller-sshm-aes-gcm/ 86 1.3 christos 87 1.4 christos 1.7 transport: chacha20-poly1305 (a] openssh.com authenticated encryption 88 1.4 christos 89 1.4 christos OpenSSH supports authenticated encryption using ChaCha20 and Poly1305 90 1.25 christos as described in: 91 1.4 christos 92 1.25 christos https://datatracker.ietf.org/doc/draft-ietf-sshm-chacha20-poly1305/ 93 1.4 christos 94 1.25 christos 1.8 transport: ping facility 95 1.22 christos 96 1.22 christos OpenSSH implements a transport level ping message SSH2_MSG_PING 97 1.22 christos and a corresponding SSH2_MSG_PONG reply. 98 1.22 christos 99 1.22 christos #define SSH2_MSG_PING 192 100 1.22 christos #define SSH2_MSG_PONG 193 101 1.22 christos 102 1.22 christos The ping message is simply: 103 1.22 christos 104 1.22 christos byte SSH_MSG_PING 105 1.22 christos string data 106 1.22 christos 107 1.22 christos The reply copies the data (which may be the empty string) from the 108 1.22 christos ping: 109 1.22 christos 110 1.22 christos byte SSH_MSG_PONG 111 1.22 christos string data 112 1.22 christos 113 1.22 christos Replies are sent in order. They are sent immediately except when rekeying 114 1.22 christos is in progress, in which case they are queued until rekeying completes. 115 1.22 christos 116 1.22 christos The server advertises support for these messages using the 117 1.22 christos SSH2_MSG_EXT_INFO mechanism (RFC8308), with the following message: 118 1.22 christos 119 1.22 christos string "ping (a] openssh.com" 120 1.22 christos string "0" (version) 121 1.22 christos 122 1.22 christos The ping/reply message is implemented at the transport layer rather 123 1.22 christos than as a named global or channel request to allow pings with very 124 1.22 christos short packet lengths, which would not be possible with other 125 1.22 christos approaches. 126 1.22 christos 127 1.25 christos 1.9 transport: strict key exchange extension 128 1.25 christos 129 1.25 christos OpenSSH supports a number of transport-layer hardening measures 130 1.25 christos designed to thwart the so-called "Terrapin" attack against the 131 1.25 christos early SSH protocol. These are collectively referred to as 132 1.25 christos "strict KEX" and documented in an Internet-Draft: 133 1.23 christos 134 1.25 christos https://datatracker.ietf.org/doc/draft-miller-sshm-strict-kex/ 135 1.23 christos 136 1.25 christos 1.10 transport: SSH2_MSG_EXT_INFO during user authentication 137 1.23 christos 138 1.23 christos This protocol extension allows the SSH2_MSG_EXT_INFO to be sent 139 1.23 christos during user authentication. RFC8308 does allow a second 140 1.23 christos SSH2_MSG_EXT_INFO notification, but it may only be sent at the end 141 1.23 christos of user authentication and this is too late to signal per-user 142 1.23 christos server signature algorithms. 143 1.23 christos 144 1.23 christos Support for receiving the SSH2_MSG_EXT_INFO message during user 145 1.23 christos authentication is signalled by the client including a 146 1.23 christos "ext-info-in-auth (a] openssh.com" key via its initial SSH2_MSG_EXT_INFO 147 1.23 christos set after the SSH2_MSG_NEWKEYS message. 148 1.23 christos 149 1.23 christos A server that supports this extension MAY send a second 150 1.23 christos SSH2_MSG_EXT_INFO message any time after the client's first 151 1.23 christos SSH2_MSG_USERAUTH_REQUEST, regardless of whether it succeed or fails. 152 1.23 christos The client SHOULD be prepared to update the server-sig-algs that 153 1.23 christos it received during an earlier SSH2_MSG_EXT_INFO with the later one. 154 1.23 christos 155 1.2 christos 2. Connection protocol changes 156 1.2 christos 157 1.2 christos 2.1. connection: Channel write close extension "eow (a] openssh.com" 158 1.1 christos 159 1.1 christos The SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF 160 1.1 christos message to allow an endpoint to signal its peer that it will send no 161 1.1 christos more data over a channel. Unfortunately, there is no symmetric way for 162 1.1 christos an endpoint to request that its peer should cease sending data to it 163 1.1 christos while still keeping the channel open for the endpoint to send data to 164 1.1 christos the peer. 165 1.1 christos 166 1.1 christos This is desirable, since it saves the transmission of data that would 167 1.1 christos otherwise need to be discarded and it allows an endpoint to signal local 168 1.1 christos processes of the condition, e.g. by closing the corresponding file 169 1.1 christos descriptor. 170 1.1 christos 171 1.1 christos OpenSSH implements a channel extension message to perform this 172 1.1 christos signalling: "eow (a] openssh.com" (End Of Write). This message is sent by 173 1.1 christos an endpoint when the local output of a session channel is closed or 174 1.1 christos experiences a write error. The message is formatted as follows: 175 1.1 christos 176 1.1 christos byte SSH_MSG_CHANNEL_REQUEST 177 1.1 christos uint32 recipient channel 178 1.1 christos string "eow (a] openssh.com" 179 1.1 christos boolean FALSE 180 1.1 christos 181 1.1 christos On receiving this message, the peer SHOULD cease sending data of 182 1.1 christos the channel and MAY signal the process from which the channel data 183 1.1 christos originates (e.g. by closing its read file descriptor). 184 1.1 christos 185 1.1 christos As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does 186 1.1 christos remain open after a "eow (a] openssh.com" has been sent and more data may 187 1.1 christos still be sent in the other direction. This message does not consume 188 1.1 christos window space and may be sent even if no window space is available. 189 1.1 christos 190 1.1 christos NB. due to certain broken SSH implementations aborting upon receipt 191 1.1 christos of this message (in contravention of RFC4254 section 5.4), this 192 1.1 christos message is only sent to OpenSSH peers (identified by banner). 193 1.15 christos Other SSH implementations may be listed to receive this message 194 1.1 christos upon request. 195 1.1 christos 196 1.2 christos 2.2. connection: disallow additional sessions extension 197 1.2 christos "no-more-sessions (a] openssh.com" 198 1.1 christos 199 1.1 christos Most SSH connections will only ever request a single session, but a 200 1.1 christos attacker may abuse a running ssh client to surreptitiously open 201 1.1 christos additional sessions under their control. OpenSSH provides a global 202 1.1 christos request "no-more-sessions (a] openssh.com" to mitigate this attack. 203 1.1 christos 204 1.1 christos When an OpenSSH client expects that it will never open another session 205 1.1 christos (i.e. it has been started with connection multiplexing disabled), it 206 1.1 christos will send the following global request: 207 1.1 christos 208 1.1 christos byte SSH_MSG_GLOBAL_REQUEST 209 1.1 christos string "no-more-sessions (a] openssh.com" 210 1.1 christos char want-reply 211 1.1 christos 212 1.1 christos On receipt of such a message, an OpenSSH server will refuse to open 213 1.1 christos future channels of type "session" and instead immediately abort the 214 1.1 christos connection. 215 1.1 christos 216 1.1 christos Note that this is not a general defence against compromised clients 217 1.1 christos (that is impossible), but it thwarts a simple attack. 218 1.1 christos 219 1.1 christos NB. due to certain broken SSH implementations aborting upon receipt 220 1.1 christos of this message, the no-more-sessions request is only sent to OpenSSH 221 1.1 christos servers (identified by banner). Other SSH implementations may be 222 1.15 christos listed to receive this message upon request. 223 1.1 christos 224 1.2 christos 2.3. connection: Tunnel forward extension "tun (a] openssh.com" 225 1.1 christos 226 1.1 christos OpenSSH supports layer 2 and layer 3 tunnelling via the "tun (a] openssh.com" 227 1.1 christos channel type. This channel type supports forwarding of network packets 228 1.6 christos with datagram boundaries intact between endpoints equipped with 229 1.1 christos interfaces like the BSD tun(4) device. Tunnel forwarding channels are 230 1.1 christos requested by the client with the following packet: 231 1.1 christos 232 1.1 christos byte SSH_MSG_CHANNEL_OPEN 233 1.1 christos string "tun (a] openssh.com" 234 1.1 christos uint32 sender channel 235 1.1 christos uint32 initial window size 236 1.1 christos uint32 maximum packet size 237 1.1 christos uint32 tunnel mode 238 1.1 christos uint32 remote unit number 239 1.1 christos 240 1.1 christos The "tunnel mode" parameter specifies whether the tunnel should forward 241 1.1 christos layer 2 frames or layer 3 packets. It may take one of the following values: 242 1.1 christos 243 1.1 christos SSH_TUNMODE_POINTOPOINT 1 /* layer 3 packets */ 244 1.1 christos SSH_TUNMODE_ETHERNET 2 /* layer 2 frames */ 245 1.1 christos 246 1.1 christos The "tunnel unit number" specifies the remote interface number, or may 247 1.14 christos be 0x7fffffff to allow the server to automatically choose an interface. A 248 1.2 christos server that is not willing to open a client-specified unit should refuse 249 1.2 christos the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful 250 1.2 christos open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS. 251 1.1 christos 252 1.1 christos Once established the client and server may exchange packet or frames 253 1.1 christos over the tunnel channel by encapsulating them in SSH protocol strings 254 1.1 christos and sending them as channel data. This ensures that packet boundaries 255 1.1 christos are kept intact. Specifically, packets are transmitted using normal 256 1.1 christos SSH_MSG_CHANNEL_DATA packets: 257 1.1 christos 258 1.1 christos byte SSH_MSG_CHANNEL_DATA 259 1.1 christos uint32 recipient channel 260 1.1 christos string data 261 1.1 christos 262 1.1 christos The contents of the "data" field for layer 3 packets is: 263 1.1 christos 264 1.1 christos uint32 packet length 265 1.1 christos uint32 address family 266 1.1 christos byte[packet length - 4] packet data 267 1.1 christos 268 1.1 christos The "address family" field identifies the type of packet in the message. 269 1.1 christos It may be one of: 270 1.1 christos 271 1.1 christos SSH_TUN_AF_INET 2 /* IPv4 */ 272 1.1 christos SSH_TUN_AF_INET6 24 /* IPv6 */ 273 1.1 christos 274 1.1 christos The "packet data" field consists of the IPv4/IPv6 datagram itself 275 1.1 christos without any link layer header. 276 1.1 christos 277 1.2 christos The contents of the "data" field for layer 2 packets is: 278 1.1 christos 279 1.1 christos uint32 packet length 280 1.1 christos byte[packet length] frame 281 1.1 christos 282 1.1 christos The "frame" field contains an IEEE 802.3 Ethernet frame, including 283 1.1 christos header. 284 1.1 christos 285 1.4 christos 2.4. connection: Unix domain socket forwarding 286 1.4 christos 287 1.4 christos OpenSSH supports local and remote Unix domain socket forwarding 288 1.4 christos using the "streamlocal" extension. Forwarding is initiated as per 289 1.4 christos TCP sockets but with a single path instead of a host and port. 290 1.4 christos 291 1.4 christos Similar to direct-tcpip, direct-streamlocal is sent by the client 292 1.4 christos to request that the server make a connection to a Unix domain socket. 293 1.4 christos 294 1.4 christos byte SSH_MSG_CHANNEL_OPEN 295 1.4 christos string "direct-streamlocal (a] openssh.com" 296 1.4 christos uint32 sender channel 297 1.4 christos uint32 initial window size 298 1.4 christos uint32 maximum packet size 299 1.4 christos string socket path 300 1.8 christos string reserved 301 1.8 christos uint32 reserved 302 1.4 christos 303 1.4 christos Similar to forwarded-tcpip, forwarded-streamlocal is sent by the 304 1.4 christos server when the client has previously send the server a streamlocal-forward 305 1.4 christos GLOBAL_REQUEST. 306 1.4 christos 307 1.4 christos byte SSH_MSG_CHANNEL_OPEN 308 1.4 christos string "forwarded-streamlocal (a] openssh.com" 309 1.4 christos uint32 sender channel 310 1.4 christos uint32 initial window size 311 1.4 christos uint32 maximum packet size 312 1.4 christos string socket path 313 1.4 christos string reserved for future use 314 1.4 christos 315 1.4 christos The reserved field is not currently defined and is ignored on the 316 1.4 christos remote end. It is intended to be used in the future to pass 317 1.4 christos information about the socket file, such as ownership and mode. 318 1.4 christos The client currently sends the empty string for this field. 319 1.4 christos 320 1.4 christos Similar to tcpip-forward, streamlocal-forward is sent by the client 321 1.4 christos to request remote forwarding of a Unix domain socket. 322 1.4 christos 323 1.4 christos byte SSH2_MSG_GLOBAL_REQUEST 324 1.4 christos string "streamlocal-forward (a] openssh.com" 325 1.4 christos boolean TRUE 326 1.4 christos string socket path 327 1.4 christos 328 1.4 christos Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent 329 1.4 christos by the client cancel the forwarding of a Unix domain socket. 330 1.4 christos 331 1.4 christos byte SSH2_MSG_GLOBAL_REQUEST 332 1.4 christos string "cancel-streamlocal-forward (a] openssh.com" 333 1.4 christos boolean FALSE 334 1.4 christos string socket path 335 1.4 christos 336 1.5 christos 2.5. connection: hostkey update and rotation "hostkeys-00 (a] openssh.com" 337 1.5 christos and "hostkeys-prove-00 (a] openssh.com" 338 1.5 christos 339 1.5 christos OpenSSH supports a protocol extension allowing a server to inform 340 1.5 christos a client of all its protocol v.2 host keys after user-authentication 341 1.25 christos has completed. This is documented in an Internet-Draft 342 1.5 christos 343 1.25 christos https://datatracker.ietf.org/doc/draft-miller-sshm-hostkey-update/ 344 1.5 christos 345 1.13 christos 2.6. connection: SIGINFO support for "signal" channel request 346 1.13 christos 347 1.13 christos The SSH channels protocol (RFC4254 section 6.9) supports sending a 348 1.13 christos signal to a session attached to a channel. OpenSSH supports one 349 1.13 christos extension signal "INFO (a] openssh.com" that allows sending SIGINFO on 350 1.13 christos BSD-derived systems. 351 1.13 christos 352 1.18 christos 3. Authentication protocol changes 353 1.2 christos 354 1.18 christos 3.1. Host-bound public key authentication 355 1.18 christos 356 1.18 christos This is trivial change to the traditional "publickey" authentication 357 1.18 christos method. The authentication request is identical to the original method 358 1.18 christos but for the name and one additional field: 359 1.18 christos 360 1.18 christos byte SSH2_MSG_USERAUTH_REQUEST 361 1.18 christos string username 362 1.18 christos string "ssh-connection" 363 1.18 christos string "publickey-hostbound-v00 (a] openssh.com" 364 1.18 christos bool has_signature 365 1.18 christos string pkalg 366 1.18 christos string public key 367 1.18 christos string server host key 368 1.18 christos 369 1.18 christos Because the entire SSH2_MSG_USERAUTH_REQUEST message is included in 370 1.18 christos the signed data, this ensures that a binding between the destination 371 1.18 christos user, the server identity and the session identifier is visible to the 372 1.18 christos signer. OpenSSH uses this binding via signed data to implement per-key 373 1.18 christos restrictions in ssh-agent. 374 1.18 christos 375 1.18 christos A server may advertise this method using the SSH2_MSG_EXT_INFO 376 1.18 christos mechanism (RFC8308), with the following message: 377 1.18 christos 378 1.18 christos string "publickey-hostbound (a] openssh.com" 379 1.18 christos string "0" (version) 380 1.18 christos 381 1.18 christos Clients should prefer host-bound authentication when advertised by 382 1.18 christos server. 383 1.18 christos 384 1.18 christos 4. SFTP protocol changes 385 1.18 christos 386 1.18 christos 4.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK 387 1.1 christos 388 1.1 christos When OpenSSH's sftp-server was implemented, the order of the arguments 389 1.1 christos to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately, 390 1.1 christos the reversal was not noticed until the server was widely deployed. Since 391 1.1 christos fixing this to follow the specification would cause incompatibility, the 392 1.1 christos current order was retained. For correct operation, clients should send 393 1.1 christos SSH_FXP_SYMLINK as follows: 394 1.1 christos 395 1.1 christos uint32 id 396 1.1 christos string targetpath 397 1.1 christos string linkpath 398 1.1 christos 399 1.18 christos 4.2. sftp: Server extension announcement in SSH_FXP_VERSION 400 1.1 christos 401 1.1 christos OpenSSH's sftp-server lists the extensions it supports using the 402 1.1 christos standard extension announcement mechanism in the SSH_FXP_VERSION server 403 1.1 christos hello packet: 404 1.1 christos 405 1.1 christos uint32 3 /* protocol version */ 406 1.1 christos string ext1-name 407 1.1 christos string ext1-version 408 1.1 christos string ext2-name 409 1.1 christos string ext2-version 410 1.1 christos ... 411 1.1 christos string extN-name 412 1.1 christos string extN-version 413 1.1 christos 414 1.1 christos Each extension reports its integer version number as an ASCII encoded 415 1.1 christos string, e.g. "1". The version will be incremented if the extension is 416 1.1 christos ever changed in an incompatible way. The server MAY advertise the same 417 1.1 christos extension with multiple versions (though this is unlikely). Clients MUST 418 1.1 christos check the version number before attempting to use the extension. 419 1.1 christos 420 1.18 christos 4.3. sftp: Extension request "posix-rename (a] openssh.com" 421 1.1 christos 422 1.1 christos This operation provides a rename operation with POSIX semantics, which 423 1.1 christos are different to those provided by the standard SSH_FXP_RENAME in 424 1.1 christos draft-ietf-secsh-filexfer-02.txt. This request is implemented as a 425 1.1 christos SSH_FXP_EXTENDED request with the following format: 426 1.1 christos 427 1.1 christos uint32 id 428 1.1 christos string "posix-rename (a] openssh.com" 429 1.1 christos string oldpath 430 1.1 christos string newpath 431 1.1 christos 432 1.1 christos On receiving this request the server will perform the POSIX operation 433 1.1 christos rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 434 1.1 christos This extension is advertised in the SSH_FXP_VERSION hello with version 435 1.1 christos "1". 436 1.1 christos 437 1.18 christos 4.4. sftp: Extension requests "statvfs (a] openssh.com" and 438 1.1 christos "fstatvfs (a] openssh.com" 439 1.1 christos 440 1.1 christos These requests correspond to the statvfs and fstatvfs POSIX system 441 1.1 christos interfaces. The "statvfs (a] openssh.com" request operates on an explicit 442 1.1 christos pathname, and is formatted as follows: 443 1.1 christos 444 1.1 christos uint32 id 445 1.1 christos string "statvfs (a] openssh.com" 446 1.1 christos string path 447 1.1 christos 448 1.1 christos The "fstatvfs (a] openssh.com" operates on an open file handle: 449 1.1 christos 450 1.1 christos uint32 id 451 1.1 christos string "fstatvfs (a] openssh.com" 452 1.1 christos string handle 453 1.1 christos 454 1.1 christos These requests return a SSH_FXP_STATUS reply on failure. On success they 455 1.1 christos return the following SSH_FXP_EXTENDED_REPLY reply: 456 1.1 christos 457 1.1 christos uint32 id 458 1.1 christos uint64 f_bsize /* file system block size */ 459 1.1 christos uint64 f_frsize /* fundamental fs block size */ 460 1.1 christos uint64 f_blocks /* number of blocks (unit f_frsize) */ 461 1.1 christos uint64 f_bfree /* free blocks in file system */ 462 1.1 christos uint64 f_bavail /* free blocks for non-root */ 463 1.1 christos uint64 f_files /* total file inodes */ 464 1.1 christos uint64 f_ffree /* free file inodes */ 465 1.1 christos uint64 f_favail /* free file inodes for to non-root */ 466 1.1 christos uint64 f_fsid /* file system id */ 467 1.1 christos uint64 f_flag /* bit mask of f_flag values */ 468 1.1 christos uint64 f_namemax /* maximum filename length */ 469 1.1 christos 470 1.1 christos The values of the f_flag bitmask are as follows: 471 1.1 christos 472 1.1 christos #define SSH_FXE_STATVFS_ST_RDONLY 0x1 /* read-only */ 473 1.1 christos #define SSH_FXE_STATVFS_ST_NOSUID 0x2 /* no setuid */ 474 1.1 christos 475 1.1 christos Both the "statvfs (a] openssh.com" and "fstatvfs (a] openssh.com" extensions are 476 1.1 christos advertised in the SSH_FXP_VERSION hello with version "2". 477 1.1 christos 478 1.18 christos 4.5. sftp: Extension request "hardlink (a] openssh.com" 479 1.2 christos 480 1.2 christos This request is for creating a hard link to a regular file. This 481 1.2 christos request is implemented as a SSH_FXP_EXTENDED request with the 482 1.2 christos following format: 483 1.2 christos 484 1.2 christos uint32 id 485 1.2 christos string "hardlink (a] openssh.com" 486 1.2 christos string oldpath 487 1.2 christos string newpath 488 1.2 christos 489 1.2 christos On receiving this request the server will perform the operation 490 1.2 christos link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 491 1.2 christos This extension is advertised in the SSH_FXP_VERSION hello with version 492 1.2 christos "1". 493 1.2 christos 494 1.18 christos 4.6. sftp: Extension request "fsync (a] openssh.com" 495 1.4 christos 496 1.4 christos This request asks the server to call fsync(2) on an open file handle. 497 1.4 christos 498 1.4 christos uint32 id 499 1.4 christos string "fsync (a] openssh.com" 500 1.4 christos string handle 501 1.4 christos 502 1.19 christos On receiving this request, a server will call fsync(handle_fd) and will 503 1.4 christos respond with a SSH_FXP_STATUS message. 504 1.4 christos 505 1.4 christos This extension is advertised in the SSH_FXP_VERSION hello with version 506 1.4 christos "1". 507 1.4 christos 508 1.18 christos 4.7. sftp: Extension request "lsetstat (a] openssh.com" 509 1.16 christos 510 1.16 christos This request is like the "setstat" command, but sets file attributes on 511 1.16 christos symlinks. It is implemented as a SSH_FXP_EXTENDED request with the 512 1.16 christos following format: 513 1.16 christos 514 1.16 christos uint32 id 515 1.16 christos string "lsetstat (a] openssh.com" 516 1.16 christos string path 517 1.16 christos ATTRS attrs 518 1.16 christos 519 1.16 christos See the "setstat" command for more details. 520 1.16 christos 521 1.16 christos This extension is advertised in the SSH_FXP_VERSION hello with version 522 1.16 christos "1". 523 1.16 christos 524 1.18 christos 4.8. sftp: Extension request "limits (a] openssh.com" 525 1.16 christos 526 1.16 christos This request is used to determine various limits the server might impose. 527 1.16 christos Clients should not attempt to exceed these limits as the server might sever 528 1.16 christos the connection immediately. 529 1.16 christos 530 1.16 christos uint32 id 531 1.16 christos string "limits (a] openssh.com" 532 1.16 christos 533 1.16 christos The server will respond with a SSH_FXP_EXTENDED_REPLY reply: 534 1.16 christos 535 1.16 christos uint32 id 536 1.16 christos uint64 max-packet-length 537 1.16 christos uint64 max-read-length 538 1.16 christos uint64 max-write-length 539 1.16 christos uint64 max-open-handles 540 1.16 christos 541 1.16 christos The 'max-packet-length' applies to the total number of bytes in a 542 1.16 christos single SFTP packet. Servers SHOULD set this at least to 34000. 543 1.16 christos 544 1.16 christos The 'max-read-length' is the largest length in a SSH_FXP_READ packet. 545 1.16 christos Even if the client requests a larger size, servers will usually respond 546 1.16 christos with a shorter SSH_FXP_DATA packet. Servers SHOULD set this at least to 547 1.16 christos 32768. 548 1.16 christos 549 1.16 christos The 'max-write-length' is the largest length in a SSH_FXP_WRITE packet 550 1.16 christos the server will accept. Servers SHOULD set this at least to 32768. 551 1.16 christos 552 1.16 christos The 'max-open-handles' is the maximum number of active handles that the 553 1.16 christos server allows (e.g. handles created by SSH_FXP_OPEN and SSH_FXP_OPENDIR 554 1.16 christos packets). Servers MAY count internal file handles against this limit 555 1.16 christos (e.g. system logging or stdout/stderr), so clients SHOULD NOT expect to 556 1.16 christos open this many handles in practice. 557 1.16 christos 558 1.16 christos If the server doesn't enforce a specific limit, then the field may be 559 1.16 christos set to 0. This implies the server relies on the OS to enforce limits 560 1.16 christos (e.g. available memory or file handles), and such limits might be 561 1.16 christos dynamic. The client SHOULD take care to not try to exceed reasonable 562 1.16 christos limits. 563 1.16 christos 564 1.16 christos This extension is advertised in the SSH_FXP_VERSION hello with version 565 1.16 christos "1". 566 1.16 christos 567 1.18 christos 4.9. sftp: Extension request "expand-path (a] openssh.com" 568 1.17 christos 569 1.17 christos This request supports canonicalisation of relative paths and 570 1.17 christos those that need tilde-expansion, i.e. "~", "~/..." and "~user/..." 571 1.17 christos These paths are expanded using shell-like rules and the resultant 572 1.17 christos path is canonicalised similarly to SSH2_FXP_REALPATH. 573 1.17 christos 574 1.17 christos It is implemented as a SSH_FXP_EXTENDED request with the following 575 1.17 christos format: 576 1.17 christos 577 1.17 christos uint32 id 578 1.17 christos string "expand-path (a] openssh.com" 579 1.17 christos string path 580 1.17 christos 581 1.17 christos Its reply is the same format as that of SSH2_FXP_REALPATH. 582 1.17 christos 583 1.17 christos This extension is advertised in the SSH_FXP_VERSION hello with version 584 1.17 christos "1". 585 1.17 christos 586 1.19 christos 4.10. sftp: Extension request "copy-data" 587 1.19 christos 588 1.19 christos This request asks the server to copy data from one open file handle and 589 1.19 christos write it to a different open file handle. This avoids needing to transfer 590 1.19 christos the data across the network twice (a download followed by an upload). 591 1.19 christos 592 1.19 christos byte SSH_FXP_EXTENDED 593 1.19 christos uint32 id 594 1.19 christos string "copy-data" 595 1.19 christos string read-from-handle 596 1.19 christos uint64 read-from-offset 597 1.19 christos uint64 read-data-length 598 1.19 christos string write-to-handle 599 1.19 christos uint64 write-to-offset 600 1.19 christos 601 1.19 christos The server will copy read-data-length bytes starting from 602 1.19 christos read-from-offset from the read-from-handle and write them to 603 1.19 christos write-to-handle starting from write-to-offset, and then respond with a 604 1.19 christos SSH_FXP_STATUS message. 605 1.19 christos 606 1.19 christos It's equivalent to issuing a series of SSH_FXP_READ requests on 607 1.19 christos read-from-handle and a series of requests of SSH_FXP_WRITE on 608 1.19 christos write-to-handle. 609 1.19 christos 610 1.19 christos If read-from-handle and write-to-handle are the same, the server will 611 1.19 christos fail the request and respond with a SSH_FX_INVALID_PARAMETER message. 612 1.19 christos 613 1.19 christos If read-data-length is 0, then the server will read data from the 614 1.19 christos read-from-handle until EOF is reached. 615 1.19 christos 616 1.19 christos This extension is advertised in the SSH_FXP_VERSION hello with version 617 1.19 christos "1". 618 1.19 christos 619 1.19 christos This request is identical to the "copy-data" request documented in: 620 1.19 christos 621 1.19 christos https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7 622 1.19 christos 623 1.20 christos 4.11. sftp: Extension request "home-directory" 624 1.20 christos 625 1.20 christos This request asks the server to expand the specified user's home directory. 626 1.20 christos An empty username implies the current user. This can be used by the client 627 1.20 christos to expand ~/ type paths locally. 628 1.20 christos 629 1.20 christos byte SSH_FXP_EXTENDED 630 1.20 christos uint32 id 631 1.20 christos string "home-directory" 632 1.20 christos string username 633 1.20 christos 634 1.20 christos This extension is advertised in the SSH_FXP_VERSION hello with version 635 1.20 christos "1". 636 1.20 christos 637 1.20 christos This provides similar information as the "expand-path (a] openssh.com" extension. 638 1.20 christos 639 1.20 christos This request is identical to the "home-directory" request documented in: 640 1.20 christos 641 1.20 christos https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-5 642 1.20 christos 643 1.20 christos 4.12. sftp: Extension request "users-groups-by-id (a] openssh.com" 644 1.20 christos 645 1.21 christos This request asks the server to return user and/or group names that 646 1.20 christos correspond to one or more IDs (e.g. as returned from a SSH_FXP_STAT 647 1.20 christos request). This may be used by the client to provide usernames in 648 1.20 christos directory listings. 649 1.20 christos 650 1.20 christos byte SSH_FXP_EXTENDED 651 1.20 christos uint32 id 652 1.20 christos string "users-groups-by-id (a] openssh.com" 653 1.20 christos string uids 654 1.20 christos string gids 655 1.20 christos 656 1.20 christos Where "uids" and "gids" consists of one or more integer user or group 657 1.20 christos identifiers: 658 1.20 christos 659 1.20 christos uint32 id-0 660 1.20 christos ... 661 1.20 christos 662 1.20 christos The server will reply with a SSH_FXP_EXTENDED_REPLY: 663 1.20 christos 664 1.20 christos byte SSH_FXP_EXTENDED_REPLY 665 1.24 christos uint32 id 666 1.20 christos string usernames 667 1.20 christos string groupnames 668 1.20 christos 669 1.20 christos Where "username" and "groupnames" consists of names in identical request 670 1.20 christos order to "uids" and "gids" respectively: 671 1.20 christos 672 1.20 christos string name-0 673 1.20 christos ... 674 1.20 christos 675 1.20 christos If a name cannot be identified for a given user or group ID, an empty 676 1.20 christos string will be returned in its place. 677 1.20 christos 678 1.20 christos It is acceptable for either "uids" or "gids" to be an empty set, in 679 1.20 christos which case the respective "usernames" or "groupnames" list will also 680 1.20 christos be empty. 681 1.20 christos 682 1.20 christos This extension is advertised in the SSH_FXP_VERSION hello with version 683 1.20 christos "1". 684 1.20 christos 685 1.18 christos 5. Miscellaneous changes 686 1.12 christos 687 1.18 christos 5.1 Public key format 688 1.12 christos 689 1.12 christos OpenSSH public keys, as generated by ssh-keygen(1) and appearing in 690 1.12 christos authorized_keys files, are formatted as a single line of text consisting 691 1.12 christos of the public key algorithm name followed by a base64-encoded key blob. 692 1.12 christos The public key blob (before base64 encoding) is the same format used for 693 1.12 christos the encoding of public keys sent on the wire: as described in RFC4253 694 1.25 christos section 6.6 for RSA keys, RFC5656 section 3.1 for ECDSA keys and 695 1.25 christos https://datatracker.ietf.org/doc/draft-miller-ssh-cert/ 696 1.25 christos for the OpenSSH certificate formats. 697 1.12 christos 698 1.18 christos 5.2 Private key format 699 1.12 christos 700 1.12 christos OpenSSH private keys, as generated by ssh-keygen(1) use the format 701 1.12 christos described in PROTOCOL.key by default. As a legacy option, PEM format 702 1.25 christos (RFC7468) private keys are also supported for RSA and ECDSA keys 703 1.12 christos and were the default format before OpenSSH 7.8. 704 1.12 christos 705 1.18 christos 5.3 KRL format 706 1.12 christos 707 1.12 christos OpenSSH supports a compact format for Key Revocation Lists (KRLs). This 708 1.12 christos format is described in the PROTOCOL.krl file. 709 1.12 christos 710 1.18 christos 5.4 Connection multiplexing 711 1.12 christos 712 1.12 christos OpenSSH's connection multiplexing uses messages as described in 713 1.12 christos PROTOCOL.mux over a Unix domain socket for communications between a 714 1.12 christos master instance and later clients. 715 1.12 christos 716 1.18 christos 5.5. Agent protocol extensions 717 1.18 christos 718 1.18 christos OpenSSH extends the usual agent protocol. These changes are documented 719 1.18 christos in the PROTOCOL.agent file. 720 1.18 christos 721 1.26 christos $OpenBSD: PROTOCOL,v 1.60 2026/02/09 22:09:48 dtucker Exp $ 722 1.3 christos $NetBSD: PROTOCOL,v 1.26 2026/04/08 18:58:40 christos Exp $ 723