PROTOCOL revision 1.1.1.23 1 This documents OpenSSH's deviations and extensions to the published SSH
2 protocol.
3
4 Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH
5 filexfer protocol described in:
6
7 http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
8
9 Newer versions of the draft will not be supported, though some features
10 are individually implemented as extensions described below.
11
12 The protocol used by OpenSSH's ssh-agent is described in the file
13 PROTOCOL.agent
14
15 1. Transport protocol changes
16
17 1.1. transport: Protocol 2 MAC algorithm "umac-64 (a] openssh.com"
18
19 This is a new transport-layer MAC method using the UMAC algorithm
20 (rfc4418). This method is identical to the "umac-64" method documented
21 in:
22
23 http://www.openssh.com/txt/draft-miller-secsh-umac-01.txt
24
25 1.2. transport: Protocol 2 compression algorithm "zlib (a] openssh.com"
26
27 This transport-layer compression method uses the zlib compression
28 algorithm (identical to the "zlib" method in rfc4253), but delays the
29 start of compression until after authentication has completed. This
30 avoids exposing compression code to attacks from unauthenticated users.
31
32 The method is documented in:
33
34 http://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
35
36 1.3. transport: New public key algorithms "ssh-rsa-cert-v01 (a] openssh.com",
37 "ssh-dsa-cert-v01 (a] openssh.com",
38 "ecdsa-sha2-nistp256-cert-v01 (a] openssh.com",
39 "ecdsa-sha2-nistp384-cert-v01 (a] openssh.com" and
40 "ecdsa-sha2-nistp521-cert-v01 (a] openssh.com"
41
42 OpenSSH introduces new public key algorithms to support certificate
43 authentication for users and host keys. These methods are documented
44 in the file PROTOCOL.certkeys
45
46 1.4. transport: Elliptic Curve cryptography
47
48 OpenSSH supports ECC key exchange and public key authentication as
49 specified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384
50 and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
51 curve points encoded using point compression are NOT accepted or
52 generated.
53
54 1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms
55
56 OpenSSH supports MAC algorithms, whose names contain "-etm", that
57 perform the calculations in a different order to that defined in RFC
58 4253. These variants use the so-called "encrypt then MAC" ordering,
59 calculating the MAC over the packet ciphertext rather than the
60 plaintext. This ordering closes a security flaw in the SSH transport
61 protocol, where decryption of unauthenticated ciphertext provided a
62 "decryption oracle" that could, in conjunction with cipher flaws, reveal
63 session plaintext.
64
65 Specifically, the "-etm" MAC algorithms modify the transport protocol
66 to calculate the MAC over the packet ciphertext and to send the packet
67 length unencrypted. This is necessary for the transport to obtain the
68 length of the packet and location of the MAC tag so that it may be
69 verified without decrypting unauthenticated data.
70
71 As such, the MAC covers:
72
73 mac = MAC(key, sequence_number || packet_length || encrypted_packet)
74
75 where "packet_length" is encoded as a uint32 and "encrypted_packet"
76 contains:
77
78 byte padding_length
79 byte[n1] payload; n1 = packet_length - padding_length - 1
80 byte[n2] random padding; n2 = padding_length
81
82 1.6 transport: AES-GCM
83
84 OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
85 Because of problems with the specification of the key exchange
86 the behaviour of OpenSSH differs from the RFC as follows:
87
88 AES-GCM is only negotiated as the cipher algorithms
89 "aes128-gcm (a] openssh.com" or "aes256-gcm (a] openssh.com" and never as
90 an MAC algorithm. Additionally, if AES-GCM is selected as the cipher
91 the exchanged MAC algorithms are ignored and there doesn't have to be
92 a matching MAC.
93
94 1.7 transport: chacha20-poly1305 (a] openssh.com authenticated encryption
95
96 OpenSSH supports authenticated encryption using ChaCha20 and Poly1305
97 as described in PROTOCOL.chacha20poly1305.
98
99 1.8 transport: curve25519-sha256 (a] libssh.org key exchange algorithm
100
101 OpenSSH supports the use of ECDH in Curve25519 for key exchange as
102 described at:
103 http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519
104
105 This is identical to curve25519-sha256 as later published in RFC8731.
106
107 1.9 transport: ping facility
108
109 OpenSSH implements a transport level ping message SSH2_MSG_PING
110 and a corresponding SSH2_MSG_PONG reply.
111
112 #define SSH2_MSG_PING 192
113 #define SSH2_MSG_PONG 193
114
115 The ping message is simply:
116
117 byte SSH_MSG_PING
118 string data
119
120 The reply copies the data (which may be the empty string) from the
121 ping:
122
123 byte SSH_MSG_PONG
124 string data
125
126 Replies are sent in order. They are sent immediately except when rekeying
127 is in progress, in which case they are queued until rekeying completes.
128
129 The server advertises support for these messages using the
130 SSH2_MSG_EXT_INFO mechanism (RFC8308), with the following message:
131
132 string "ping (a] openssh.com"
133 string "0" (version)
134
135 The ping/reply message is implemented at the transport layer rather
136 than as a named global or channel request to allow pings with very
137 short packet lengths, which would not be possible with other
138 approaches.
139
140 1.9 transport: strict key exchange extension
141
142 OpenSSH supports a number of transport-layer hardening measures under
143 a "strict KEX" feature. This feature is signalled similarly to the
144 RFC8308 ext-info feature: by including a additional algorithm in the
145 initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
146 "kex-strict-c-v00 (a] openssh.com" to its kex_algorithms and the server
147 may append "kex-strict-s-v00 (a] openssh.com". These pseudo-algorithms
148 are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
149 if they are present in subsequent SSH2_MSG_KEXINIT packets.
150
151 When an endpoint that supports this extension observes this algorithm
152 name in a peer's KEXINIT packet, it MUST make the following changes to
153 the the protocol:
154
155 a) During initial KEX, terminate the connection if any unexpected or
156 out-of-sequence packet is received. This includes terminating the
157 connection if the first packet received is not SSH2_MSG_KEXINIT.
158 Unexpected packets for the purpose of strict KEX include messages
159 that are otherwise valid at any time during the connection such as
160 SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
161 b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
162 packet sequence number to zero. This behaviour persists for the
163 duration of the connection (i.e. not just the first
164 SSH2_MSG_NEWKEYS).
165
166 1.10 transport: SSH2_MSG_EXT_INFO during user authentication
167
168 This protocol extension allows the SSH2_MSG_EXT_INFO to be sent
169 during user authentication. RFC8308 does allow a second
170 SSH2_MSG_EXT_INFO notification, but it may only be sent at the end
171 of user authentication and this is too late to signal per-user
172 server signature algorithms.
173
174 Support for receiving the SSH2_MSG_EXT_INFO message during user
175 authentication is signalled by the client including a
176 "ext-info-in-auth (a] openssh.com" key via its initial SSH2_MSG_EXT_INFO
177 set after the SSH2_MSG_NEWKEYS message.
178
179 A server that supports this extension MAY send a second
180 SSH2_MSG_EXT_INFO message any time after the client's first
181 SSH2_MSG_USERAUTH_REQUEST, regardless of whether it succeed or fails.
182 The client SHOULD be prepared to update the server-sig-algs that
183 it received during an earlier SSH2_MSG_EXT_INFO with the later one.
184
185 2. Connection protocol changes
186
187 2.1. connection: Channel write close extension "eow (a] openssh.com"
188
189 The SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF
190 message to allow an endpoint to signal its peer that it will send no
191 more data over a channel. Unfortunately, there is no symmetric way for
192 an endpoint to request that its peer should cease sending data to it
193 while still keeping the channel open for the endpoint to send data to
194 the peer.
195
196 This is desirable, since it saves the transmission of data that would
197 otherwise need to be discarded and it allows an endpoint to signal local
198 processes of the condition, e.g. by closing the corresponding file
199 descriptor.
200
201 OpenSSH implements a channel extension message to perform this
202 signalling: "eow (a] openssh.com" (End Of Write). This message is sent by
203 an endpoint when the local output of a session channel is closed or
204 experiences a write error. The message is formatted as follows:
205
206 byte SSH_MSG_CHANNEL_REQUEST
207 uint32 recipient channel
208 string "eow (a] openssh.com"
209 boolean FALSE
210
211 On receiving this message, the peer SHOULD cease sending data of
212 the channel and MAY signal the process from which the channel data
213 originates (e.g. by closing its read file descriptor).
214
215 As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does
216 remain open after a "eow (a] openssh.com" has been sent and more data may
217 still be sent in the other direction. This message does not consume
218 window space and may be sent even if no window space is available.
219
220 NB. due to certain broken SSH implementations aborting upon receipt
221 of this message (in contravention of RFC4254 section 5.4), this
222 message is only sent to OpenSSH peers (identified by banner).
223 Other SSH implementations may be listed to receive this message
224 upon request.
225
226 2.2. connection: disallow additional sessions extension
227 "no-more-sessions (a] openssh.com"
228
229 Most SSH connections will only ever request a single session, but a
230 attacker may abuse a running ssh client to surreptitiously open
231 additional sessions under their control. OpenSSH provides a global
232 request "no-more-sessions (a] openssh.com" to mitigate this attack.
233
234 When an OpenSSH client expects that it will never open another session
235 (i.e. it has been started with connection multiplexing disabled), it
236 will send the following global request:
237
238 byte SSH_MSG_GLOBAL_REQUEST
239 string "no-more-sessions (a] openssh.com"
240 char want-reply
241
242 On receipt of such a message, an OpenSSH server will refuse to open
243 future channels of type "session" and instead immediately abort the
244 connection.
245
246 Note that this is not a general defence against compromised clients
247 (that is impossible), but it thwarts a simple attack.
248
249 NB. due to certain broken SSH implementations aborting upon receipt
250 of this message, the no-more-sessions request is only sent to OpenSSH
251 servers (identified by banner). Other SSH implementations may be
252 listed to receive this message upon request.
253
254 2.3. connection: Tunnel forward extension "tun (a] openssh.com"
255
256 OpenSSH supports layer 2 and layer 3 tunnelling via the "tun (a] openssh.com"
257 channel type. This channel type supports forwarding of network packets
258 with datagram boundaries intact between endpoints equipped with
259 interfaces like the BSD tun(4) device. Tunnel forwarding channels are
260 requested by the client with the following packet:
261
262 byte SSH_MSG_CHANNEL_OPEN
263 string "tun (a] openssh.com"
264 uint32 sender channel
265 uint32 initial window size
266 uint32 maximum packet size
267 uint32 tunnel mode
268 uint32 remote unit number
269
270 The "tunnel mode" parameter specifies whether the tunnel should forward
271 layer 2 frames or layer 3 packets. It may take one of the following values:
272
273 SSH_TUNMODE_POINTOPOINT 1 /* layer 3 packets */
274 SSH_TUNMODE_ETHERNET 2 /* layer 2 frames */
275
276 The "tunnel unit number" specifies the remote interface number, or may
277 be 0x7fffffff to allow the server to automatically choose an interface. A
278 server that is not willing to open a client-specified unit should refuse
279 the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful
280 open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS.
281
282 Once established the client and server may exchange packet or frames
283 over the tunnel channel by encapsulating them in SSH protocol strings
284 and sending them as channel data. This ensures that packet boundaries
285 are kept intact. Specifically, packets are transmitted using normal
286 SSH_MSG_CHANNEL_DATA packets:
287
288 byte SSH_MSG_CHANNEL_DATA
289 uint32 recipient channel
290 string data
291
292 The contents of the "data" field for layer 3 packets is:
293
294 uint32 packet length
295 uint32 address family
296 byte[packet length - 4] packet data
297
298 The "address family" field identifies the type of packet in the message.
299 It may be one of:
300
301 SSH_TUN_AF_INET 2 /* IPv4 */
302 SSH_TUN_AF_INET6 24 /* IPv6 */
303
304 The "packet data" field consists of the IPv4/IPv6 datagram itself
305 without any link layer header.
306
307 The contents of the "data" field for layer 2 packets is:
308
309 uint32 packet length
310 byte[packet length] frame
311
312 The "frame" field contains an IEEE 802.3 Ethernet frame, including
313 header.
314
315 2.4. connection: Unix domain socket forwarding
316
317 OpenSSH supports local and remote Unix domain socket forwarding
318 using the "streamlocal" extension. Forwarding is initiated as per
319 TCP sockets but with a single path instead of a host and port.
320
321 Similar to direct-tcpip, direct-streamlocal is sent by the client
322 to request that the server make a connection to a Unix domain socket.
323
324 byte SSH_MSG_CHANNEL_OPEN
325 string "direct-streamlocal (a] openssh.com"
326 uint32 sender channel
327 uint32 initial window size
328 uint32 maximum packet size
329 string socket path
330 string reserved
331 uint32 reserved
332
333 Similar to forwarded-tcpip, forwarded-streamlocal is sent by the
334 server when the client has previously send the server a streamlocal-forward
335 GLOBAL_REQUEST.
336
337 byte SSH_MSG_CHANNEL_OPEN
338 string "forwarded-streamlocal (a] openssh.com"
339 uint32 sender channel
340 uint32 initial window size
341 uint32 maximum packet size
342 string socket path
343 string reserved for future use
344
345 The reserved field is not currently defined and is ignored on the
346 remote end. It is intended to be used in the future to pass
347 information about the socket file, such as ownership and mode.
348 The client currently sends the empty string for this field.
349
350 Similar to tcpip-forward, streamlocal-forward is sent by the client
351 to request remote forwarding of a Unix domain socket.
352
353 byte SSH2_MSG_GLOBAL_REQUEST
354 string "streamlocal-forward (a] openssh.com"
355 boolean TRUE
356 string socket path
357
358 Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent
359 by the client cancel the forwarding of a Unix domain socket.
360
361 byte SSH2_MSG_GLOBAL_REQUEST
362 string "cancel-streamlocal-forward (a] openssh.com"
363 boolean FALSE
364 string socket path
365
366 2.5. connection: hostkey update and rotation "hostkeys-00 (a] openssh.com"
367 and "hostkeys-prove-00 (a] openssh.com"
368
369 OpenSSH supports a protocol extension allowing a server to inform
370 a client of all its protocol v.2 host keys after user-authentication
371 has completed.
372
373 byte SSH_MSG_GLOBAL_REQUEST
374 string "hostkeys-00 (a] openssh.com"
375 char 0 /* want-reply */
376 string[] hostkeys
377
378 Upon receiving this message, a client should check which of the
379 supplied host keys are present in known_hosts.
380
381 Note that the server may send key types that the client does not
382 support. The client should disregard such keys if they are received.
383
384 If the client identifies any keys that are not present for the host,
385 it should send a "hostkeys-prove (a] openssh.com" message to request the
386 server prove ownership of the private half of the key.
387
388 byte SSH_MSG_GLOBAL_REQUEST
389 string "hostkeys-prove-00 (a] openssh.com"
390 char 1 /* want-reply */
391 string[] hostkeys
392
393 When a server receives this message, it should generate a signature
394 using each requested key over the following:
395
396 string "hostkeys-prove-00 (a] openssh.com"
397 string session identifier
398 string hostkey
399
400 These signatures should be included in the reply, in the order matching
401 the hostkeys in the request:
402
403 byte SSH_MSG_REQUEST_SUCCESS
404 string[] signatures
405
406 When the client receives this reply (and not a failure), it should
407 validate the signatures and may update its known_hosts file, adding keys
408 that it has not seen before and deleting keys for the server host that
409 are no longer offered.
410
411 These extensions let a client learn key types that it had not previously
412 encountered, thereby allowing it to potentially upgrade from weaker
413 key algorithms to better ones. It also supports graceful key rotation:
414 a server may offer multiple keys of the same type for a period (to
415 give clients an opportunity to learn them using this extension) before
416 removing the deprecated key from those offered.
417
418 2.6. connection: SIGINFO support for "signal" channel request
419
420 The SSH channels protocol (RFC4254 section 6.9) supports sending a
421 signal to a session attached to a channel. OpenSSH supports one
422 extension signal "INFO (a] openssh.com" that allows sending SIGINFO on
423 BSD-derived systems.
424
425 3. Authentication protocol changes
426
427 3.1. Host-bound public key authentication
428
429 This is trivial change to the traditional "publickey" authentication
430 method. The authentication request is identical to the original method
431 but for the name and one additional field:
432
433 byte SSH2_MSG_USERAUTH_REQUEST
434 string username
435 string "ssh-connection"
436 string "publickey-hostbound-v00 (a] openssh.com"
437 bool has_signature
438 string pkalg
439 string public key
440 string server host key
441
442 Because the entire SSH2_MSG_USERAUTH_REQUEST message is included in
443 the signed data, this ensures that a binding between the destination
444 user, the server identity and the session identifier is visible to the
445 signer. OpenSSH uses this binding via signed data to implement per-key
446 restrictions in ssh-agent.
447
448 A server may advertise this method using the SSH2_MSG_EXT_INFO
449 mechanism (RFC8308), with the following message:
450
451 string "publickey-hostbound (a] openssh.com"
452 string "0" (version)
453
454 Clients should prefer host-bound authentication when advertised by
455 server.
456
457 4. SFTP protocol changes
458
459 4.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
460
461 When OpenSSH's sftp-server was implemented, the order of the arguments
462 to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately,
463 the reversal was not noticed until the server was widely deployed. Since
464 fixing this to follow the specification would cause incompatibility, the
465 current order was retained. For correct operation, clients should send
466 SSH_FXP_SYMLINK as follows:
467
468 uint32 id
469 string targetpath
470 string linkpath
471
472 4.2. sftp: Server extension announcement in SSH_FXP_VERSION
473
474 OpenSSH's sftp-server lists the extensions it supports using the
475 standard extension announcement mechanism in the SSH_FXP_VERSION server
476 hello packet:
477
478 uint32 3 /* protocol version */
479 string ext1-name
480 string ext1-version
481 string ext2-name
482 string ext2-version
483 ...
484 string extN-name
485 string extN-version
486
487 Each extension reports its integer version number as an ASCII encoded
488 string, e.g. "1". The version will be incremented if the extension is
489 ever changed in an incompatible way. The server MAY advertise the same
490 extension with multiple versions (though this is unlikely). Clients MUST
491 check the version number before attempting to use the extension.
492
493 4.3. sftp: Extension request "posix-rename (a] openssh.com"
494
495 This operation provides a rename operation with POSIX semantics, which
496 are different to those provided by the standard SSH_FXP_RENAME in
497 draft-ietf-secsh-filexfer-02.txt. This request is implemented as a
498 SSH_FXP_EXTENDED request with the following format:
499
500 uint32 id
501 string "posix-rename (a] openssh.com"
502 string oldpath
503 string newpath
504
505 On receiving this request the server will perform the POSIX operation
506 rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
507 This extension is advertised in the SSH_FXP_VERSION hello with version
508 "1".
509
510 4.4. sftp: Extension requests "statvfs (a] openssh.com" and
511 "fstatvfs (a] openssh.com"
512
513 These requests correspond to the statvfs and fstatvfs POSIX system
514 interfaces. The "statvfs (a] openssh.com" request operates on an explicit
515 pathname, and is formatted as follows:
516
517 uint32 id
518 string "statvfs (a] openssh.com"
519 string path
520
521 The "fstatvfs (a] openssh.com" operates on an open file handle:
522
523 uint32 id
524 string "fstatvfs (a] openssh.com"
525 string handle
526
527 These requests return a SSH_FXP_STATUS reply on failure. On success they
528 return the following SSH_FXP_EXTENDED_REPLY reply:
529
530 uint32 id
531 uint64 f_bsize /* file system block size */
532 uint64 f_frsize /* fundamental fs block size */
533 uint64 f_blocks /* number of blocks (unit f_frsize) */
534 uint64 f_bfree /* free blocks in file system */
535 uint64 f_bavail /* free blocks for non-root */
536 uint64 f_files /* total file inodes */
537 uint64 f_ffree /* free file inodes */
538 uint64 f_favail /* free file inodes for to non-root */
539 uint64 f_fsid /* file system id */
540 uint64 f_flag /* bit mask of f_flag values */
541 uint64 f_namemax /* maximum filename length */
542
543 The values of the f_flag bitmask are as follows:
544
545 #define SSH_FXE_STATVFS_ST_RDONLY 0x1 /* read-only */
546 #define SSH_FXE_STATVFS_ST_NOSUID 0x2 /* no setuid */
547
548 Both the "statvfs (a] openssh.com" and "fstatvfs (a] openssh.com" extensions are
549 advertised in the SSH_FXP_VERSION hello with version "2".
550
551 4.5. sftp: Extension request "hardlink (a] openssh.com"
552
553 This request is for creating a hard link to a regular file. This
554 request is implemented as a SSH_FXP_EXTENDED request with the
555 following format:
556
557 uint32 id
558 string "hardlink (a] openssh.com"
559 string oldpath
560 string newpath
561
562 On receiving this request the server will perform the operation
563 link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
564 This extension is advertised in the SSH_FXP_VERSION hello with version
565 "1".
566
567 4.6. sftp: Extension request "fsync (a] openssh.com"
568
569 This request asks the server to call fsync(2) on an open file handle.
570
571 uint32 id
572 string "fsync (a] openssh.com"
573 string handle
574
575 On receiving this request, a server will call fsync(handle_fd) and will
576 respond with a SSH_FXP_STATUS message.
577
578 This extension is advertised in the SSH_FXP_VERSION hello with version
579 "1".
580
581 4.7. sftp: Extension request "lsetstat (a] openssh.com"
582
583 This request is like the "setstat" command, but sets file attributes on
584 symlinks. It is implemented as a SSH_FXP_EXTENDED request with the
585 following format:
586
587 uint32 id
588 string "lsetstat (a] openssh.com"
589 string path
590 ATTRS attrs
591
592 See the "setstat" command for more details.
593
594 This extension is advertised in the SSH_FXP_VERSION hello with version
595 "1".
596
597 4.8. sftp: Extension request "limits (a] openssh.com"
598
599 This request is used to determine various limits the server might impose.
600 Clients should not attempt to exceed these limits as the server might sever
601 the connection immediately.
602
603 uint32 id
604 string "limits (a] openssh.com"
605
606 The server will respond with a SSH_FXP_EXTENDED_REPLY reply:
607
608 uint32 id
609 uint64 max-packet-length
610 uint64 max-read-length
611 uint64 max-write-length
612 uint64 max-open-handles
613
614 The 'max-packet-length' applies to the total number of bytes in a
615 single SFTP packet. Servers SHOULD set this at least to 34000.
616
617 The 'max-read-length' is the largest length in a SSH_FXP_READ packet.
618 Even if the client requests a larger size, servers will usually respond
619 with a shorter SSH_FXP_DATA packet. Servers SHOULD set this at least to
620 32768.
621
622 The 'max-write-length' is the largest length in a SSH_FXP_WRITE packet
623 the server will accept. Servers SHOULD set this at least to 32768.
624
625 The 'max-open-handles' is the maximum number of active handles that the
626 server allows (e.g. handles created by SSH_FXP_OPEN and SSH_FXP_OPENDIR
627 packets). Servers MAY count internal file handles against this limit
628 (e.g. system logging or stdout/stderr), so clients SHOULD NOT expect to
629 open this many handles in practice.
630
631 If the server doesn't enforce a specific limit, then the field may be
632 set to 0. This implies the server relies on the OS to enforce limits
633 (e.g. available memory or file handles), and such limits might be
634 dynamic. The client SHOULD take care to not try to exceed reasonable
635 limits.
636
637 This extension is advertised in the SSH_FXP_VERSION hello with version
638 "1".
639
640 4.9. sftp: Extension request "expand-path (a] openssh.com"
641
642 This request supports canonicalisation of relative paths and
643 those that need tilde-expansion, i.e. "~", "~/..." and "~user/..."
644 These paths are expanded using shell-like rules and the resultant
645 path is canonicalised similarly to SSH2_FXP_REALPATH.
646
647 It is implemented as a SSH_FXP_EXTENDED request with the following
648 format:
649
650 uint32 id
651 string "expand-path (a] openssh.com"
652 string path
653
654 Its reply is the same format as that of SSH2_FXP_REALPATH.
655
656 This extension is advertised in the SSH_FXP_VERSION hello with version
657 "1".
658
659 4.10. sftp: Extension request "copy-data"
660
661 This request asks the server to copy data from one open file handle and
662 write it to a different open file handle. This avoids needing to transfer
663 the data across the network twice (a download followed by an upload).
664
665 byte SSH_FXP_EXTENDED
666 uint32 id
667 string "copy-data"
668 string read-from-handle
669 uint64 read-from-offset
670 uint64 read-data-length
671 string write-to-handle
672 uint64 write-to-offset
673
674 The server will copy read-data-length bytes starting from
675 read-from-offset from the read-from-handle and write them to
676 write-to-handle starting from write-to-offset, and then respond with a
677 SSH_FXP_STATUS message.
678
679 It's equivalent to issuing a series of SSH_FXP_READ requests on
680 read-from-handle and a series of requests of SSH_FXP_WRITE on
681 write-to-handle.
682
683 If read-from-handle and write-to-handle are the same, the server will
684 fail the request and respond with a SSH_FX_INVALID_PARAMETER message.
685
686 If read-data-length is 0, then the server will read data from the
687 read-from-handle until EOF is reached.
688
689 This extension is advertised in the SSH_FXP_VERSION hello with version
690 "1".
691
692 This request is identical to the "copy-data" request documented in:
693
694 https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7
695
696 4.11. sftp: Extension request "home-directory"
697
698 This request asks the server to expand the specified user's home directory.
699 An empty username implies the current user. This can be used by the client
700 to expand ~/ type paths locally.
701
702 byte SSH_FXP_EXTENDED
703 uint32 id
704 string "home-directory"
705 string username
706
707 This extension is advertised in the SSH_FXP_VERSION hello with version
708 "1".
709
710 This provides similar information as the "expand-path (a] openssh.com" extension.
711
712 This request is identical to the "home-directory" request documented in:
713
714 https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-5
715
716 4.12. sftp: Extension request "users-groups-by-id (a] openssh.com"
717
718 This request asks the server to return user and/or group names that
719 correspond to one or more IDs (e.g. as returned from a SSH_FXP_STAT
720 request). This may be used by the client to provide usernames in
721 directory listings.
722
723 byte SSH_FXP_EXTENDED
724 uint32 id
725 string "users-groups-by-id (a] openssh.com"
726 string uids
727 string gids
728
729 Where "uids" and "gids" consists of one or more integer user or group
730 identifiers:
731
732 uint32 id-0
733 ...
734
735 The server will reply with a SSH_FXP_EXTENDED_REPLY:
736
737 byte SSH_FXP_EXTENDED_REPLY
738 string usernames
739 string groupnames
740
741 Where "username" and "groupnames" consists of names in identical request
742 order to "uids" and "gids" respectively:
743
744 string name-0
745 ...
746
747 If a name cannot be identified for a given user or group ID, an empty
748 string will be returned in its place.
749
750 It is acceptable for either "uids" or "gids" to be an empty set, in
751 which case the respective "usernames" or "groupnames" list will also
752 be empty.
753
754 This extension is advertised in the SSH_FXP_VERSION hello with version
755 "1".
756
757 5. Miscellaneous changes
758
759 5.1 Public key format
760
761 OpenSSH public keys, as generated by ssh-keygen(1) and appearing in
762 authorized_keys files, are formatted as a single line of text consisting
763 of the public key algorithm name followed by a base64-encoded key blob.
764 The public key blob (before base64 encoding) is the same format used for
765 the encoding of public keys sent on the wire: as described in RFC4253
766 section 6.6 for RSA and DSA keys, RFC5656 section 3.1 for ECDSA keys
767 and the "New public key formats" section of PROTOCOL.certkeys for the
768 OpenSSH certificate formats.
769
770 5.2 Private key format
771
772 OpenSSH private keys, as generated by ssh-keygen(1) use the format
773 described in PROTOCOL.key by default. As a legacy option, PEM format
774 (RFC7468) private keys are also supported for RSA, DSA and ECDSA keys
775 and were the default format before OpenSSH 7.8.
776
777 5.3 KRL format
778
779 OpenSSH supports a compact format for Key Revocation Lists (KRLs). This
780 format is described in the PROTOCOL.krl file.
781
782 5.4 Connection multiplexing
783
784 OpenSSH's connection multiplexing uses messages as described in
785 PROTOCOL.mux over a Unix domain socket for communications between a
786 master instance and later clients.
787
788 5.5. Agent protocol extensions
789
790 OpenSSH extends the usual agent protocol. These changes are documented
791 in the PROTOCOL.agent file.
792
793 $OpenBSD: PROTOCOL,v 1.51 2023/12/18 14:45:49 djm Exp $
794