Home | History | Annotate | Line # | Download | only in dist
PROTOCOL revision 1.20.2.3
      1 This documents OpenSSH's deviations and extensions to the published SSH
      2 protocol.
      3 
      4 Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH
      5 filexfer protocol described in:
      6 
      7 http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
      8 
      9 Newer versions of the draft will not be supported, though some features
     10 are individually implemented as extensions described below.
     11 
     12 The protocol used by OpenSSH's ssh-agent is described in the file
     13 PROTOCOL.agent
     14 
     15 1. Transport protocol changes
     16 
     17 1.1. transport: Protocol 2 MAC algorithm "umac-64 (a] openssh.com"
     18 
     19 This is a new transport-layer MAC method using the UMAC algorithm
     20 (rfc4418). This method is identical to the "umac-64" method documented
     21 in:
     22 
     23 http://www.openssh.com/txt/draft-miller-secsh-umac-01.txt
     24 
     25 1.2. transport: Protocol 2 compression algorithm "zlib (a] openssh.com"
     26 
     27 This transport-layer compression method uses the zlib compression
     28 algorithm (identical to the "zlib" method in rfc4253), but delays the
     29 start of compression until after authentication has completed. This
     30 avoids exposing compression code to attacks from unauthenticated users.
     31 
     32 The method is documented in:
     33 
     34 http://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
     35 
     36 1.3. transport: New public key algorithms "ssh-rsa-cert-v01 (a] openssh.com",
     37      "ssh-dsa-cert-v01 (a] openssh.com",
     38      "ecdsa-sha2-nistp256-cert-v01 (a] openssh.com",
     39      "ecdsa-sha2-nistp384-cert-v01 (a] openssh.com" and
     40      "ecdsa-sha2-nistp521-cert-v01 (a] openssh.com"
     41 
     42 OpenSSH introduces new public key algorithms to support certificate
     43 authentication for users and host keys. These methods are documented
     44 in the file PROTOCOL.certkeys
     45 
     46 1.4. transport: Elliptic Curve cryptography
     47 
     48 OpenSSH supports ECC key exchange and public key authentication as
     49 specified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384
     50 and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
     51 curve points encoded using point compression are NOT accepted or
     52 generated.
     53 
     54 1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms
     55 
     56 OpenSSH supports MAC algorithms, whose names contain "-etm", that
     57 perform the calculations in a different order to that defined in RFC
     58 4253. These variants use the so-called "encrypt then MAC" ordering,
     59 calculating the MAC over the packet ciphertext rather than the
     60 plaintext. This ordering closes a security flaw in the SSH transport
     61 protocol, where decryption of unauthenticated ciphertext provided a
     62 "decryption oracle" that could, in conjunction with cipher flaws, reveal
     63 session plaintext.
     64 
     65 Specifically, the "-etm" MAC algorithms modify the transport protocol
     66 to calculate the MAC over the packet ciphertext and to send the packet
     67 length unencrypted. This is necessary for the transport to obtain the
     68 length of the packet and location of the MAC tag so that it may be
     69 verified without decrypting unauthenticated data.
     70 
     71 As such, the MAC covers:
     72 
     73       mac = MAC(key, sequence_number || packet_length || encrypted_packet)
     74 
     75 where "packet_length" is encoded as a uint32 and "encrypted_packet"
     76 contains:
     77 
     78       byte      padding_length
     79       byte[n1]  payload; n1 = packet_length - padding_length - 1
     80       byte[n2]  random padding; n2 = padding_length
     81 
     82 1.6 transport: AES-GCM
     83 
     84 OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
     85 Because of problems with the specification of the key exchange
     86 the behaviour of OpenSSH differs from the RFC as follows:
     87 
     88 AES-GCM is only negotiated as the cipher algorithms
     89 "aes128-gcm (a] openssh.com" or "aes256-gcm (a] openssh.com" and never as
     90 an MAC algorithm. Additionally, if AES-GCM is selected as the cipher
     91 the exchanged MAC algorithms are ignored and there doesn't have to be
     92 a matching MAC.
     93 
     94 1.7 transport: chacha20-poly1305 (a] openssh.com authenticated encryption
     95 
     96 OpenSSH supports authenticated encryption using ChaCha20 and Poly1305
     97 as described in PROTOCOL.chacha20poly1305.
     98 
     99 1.8 transport: curve25519-sha256 (a] libssh.org key exchange algorithm
    100 
    101 OpenSSH supports the use of ECDH in Curve25519 for key exchange as
    102 described at:
    103 http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519
    104 
    105 This is identical to curve25519-sha256 as later published in RFC8731.
    106 
    107 1.9 transport: ping facility
    108 
    109 OpenSSH implements a transport level ping message SSH2_MSG_PING
    110 and a corresponding SSH2_MSG_PONG reply.
    111 
    112 #define SSH2_MSG_PING	192
    113 #define SSH2_MSG_PONG	193
    114 
    115 The ping message is simply:
    116 
    117 	byte		SSH_MSG_PING
    118 	string		data
    119 
    120 The reply copies the data (which may be the empty string) from the
    121 ping:
    122 
    123 	byte		SSH_MSG_PONG
    124 	string		data
    125 
    126 Replies are sent in order. They are sent immediately except when rekeying
    127 is in progress, in which case they are queued until rekeying completes.
    128 
    129 The server advertises support for these messages using the
    130 SSH2_MSG_EXT_INFO mechanism (RFC8308), with the following message:
    131 
    132 	string		"ping (a] openssh.com"
    133 	string		"0" (version)
    134 
    135 The ping/reply message is implemented at the transport layer rather
    136 than as a named global or channel request to allow pings with very
    137 short packet lengths, which would not be possible with other
    138 approaches.
    139 
    140 1.9 transport: strict key exchange extension
    141 
    142 OpenSSH supports a number of transport-layer hardening measures under
    143 a "strict KEX" feature. This feature is signalled similarly to the
    144 RFC8308 ext-info feature: by including a additional algorithm in the
    145 initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
    146 "kex-strict-c-v00 (a] openssh.com" to its kex_algorithms and the server
    147 may append "kex-strict-s-v00 (a] openssh.com". These pseudo-algorithms
    148 are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
    149 if they are present in subsequent SSH2_MSG_KEXINIT packets.
    150 
    151 When an endpoint that supports this extension observes this algorithm
    152 name in a peer's KEXINIT packet, it MUST make the following changes to
    153 the the protocol:
    154 
    155 a) During initial KEX, terminate the connection if any unexpected or
    156    out-of-sequence packet is received. This includes terminating the
    157    connection if the first packet received is not SSH2_MSG_KEXINIT.
    158    Unexpected packets for the purpose of strict KEX include messages
    159    that are otherwise valid at any time during the connection such as
    160    SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
    161 b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
    162    packet sequence number to zero. This behaviour persists for the
    163    duration of the connection (i.e. not just the first
    164    SSH2_MSG_NEWKEYS).
    165 
    166 1.10 transport: SSH2_MSG_EXT_INFO during user authentication
    167 
    168 This protocol extension allows the SSH2_MSG_EXT_INFO to be sent
    169 during user authentication. RFC8308 does allow a second
    170 SSH2_MSG_EXT_INFO notification, but it may only be sent at the end
    171 of user authentication and this is too late to signal per-user
    172 server signature algorithms.
    173 
    174 Support for receiving the SSH2_MSG_EXT_INFO message during user
    175 authentication is signalled by the client including a
    176 "ext-info-in-auth (a] openssh.com" key via its initial SSH2_MSG_EXT_INFO
    177 set after the SSH2_MSG_NEWKEYS message.
    178 
    179 A server that supports this extension MAY send a second
    180 SSH2_MSG_EXT_INFO message any time after the client's first
    181 SSH2_MSG_USERAUTH_REQUEST, regardless of whether it succeed or fails.
    182 The client SHOULD be prepared to update the server-sig-algs that
    183 it received during an earlier SSH2_MSG_EXT_INFO with the later one.
    184 
    185 2. Connection protocol changes
    186 
    187 2.1. connection: Channel write close extension "eow (a] openssh.com"
    188 
    189 The SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF
    190 message to allow an endpoint to signal its peer that it will send no
    191 more data over a channel. Unfortunately, there is no symmetric way for
    192 an endpoint to request that its peer should cease sending data to it
    193 while still keeping the channel open for the endpoint to send data to
    194 the peer.
    195 
    196 This is desirable, since it saves the transmission of data that would
    197 otherwise need to be discarded and it allows an endpoint to signal local
    198 processes of the condition, e.g. by closing the corresponding file
    199 descriptor.
    200 
    201 OpenSSH implements a channel extension message to perform this
    202 signalling: "eow (a] openssh.com" (End Of Write). This message is sent by
    203 an endpoint when the local output of a session channel is closed or
    204 experiences a write error. The message is formatted as follows:
    205 
    206 	byte		SSH_MSG_CHANNEL_REQUEST
    207 	uint32		recipient channel
    208 	string		"eow (a] openssh.com"
    209 	boolean		FALSE
    210 
    211 On receiving this message, the peer SHOULD cease sending data of
    212 the channel and MAY signal the process from which the channel data
    213 originates (e.g. by closing its read file descriptor).
    214 
    215 As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does
    216 remain open after a "eow (a] openssh.com" has been sent and more data may
    217 still be sent in the other direction. This message does not consume
    218 window space and may be sent even if no window space is available.
    219 
    220 NB. due to certain broken SSH implementations aborting upon receipt
    221 of this message (in contravention of RFC4254 section 5.4), this
    222 message is only sent to OpenSSH peers (identified by banner).
    223 Other SSH implementations may be listed to receive this message
    224 upon request.
    225 
    226 2.2. connection: disallow additional sessions extension
    227      "no-more-sessions (a] openssh.com"
    228 
    229 Most SSH connections will only ever request a single session, but a
    230 attacker may abuse a running ssh client to surreptitiously open
    231 additional sessions under their control. OpenSSH provides a global
    232 request "no-more-sessions (a] openssh.com" to mitigate this attack.
    233 
    234 When an OpenSSH client expects that it will never open another session
    235 (i.e. it has been started with connection multiplexing disabled), it
    236 will send the following global request:
    237 
    238 	byte		SSH_MSG_GLOBAL_REQUEST
    239 	string		"no-more-sessions (a] openssh.com"
    240 	char		want-reply
    241 
    242 On receipt of such a message, an OpenSSH server will refuse to open
    243 future channels of type "session" and instead immediately abort the
    244 connection.
    245 
    246 Note that this is not a general defence against compromised clients
    247 (that is impossible), but it thwarts a simple attack.
    248 
    249 NB. due to certain broken SSH implementations aborting upon receipt
    250 of this message, the no-more-sessions request is only sent to OpenSSH
    251 servers (identified by banner). Other SSH implementations may be
    252 listed to receive this message upon request.
    253 
    254 2.3. connection: Tunnel forward extension "tun (a] openssh.com"
    255 
    256 OpenSSH supports layer 2 and layer 3 tunnelling via the "tun (a] openssh.com"
    257 channel type. This channel type supports forwarding of network packets
    258 with datagram boundaries intact between endpoints equipped with
    259 interfaces like the BSD tun(4) device. Tunnel forwarding channels are
    260 requested by the client with the following packet:
    261 
    262 	byte		SSH_MSG_CHANNEL_OPEN
    263 	string		"tun (a] openssh.com"
    264 	uint32		sender channel
    265 	uint32		initial window size
    266 	uint32		maximum packet size
    267 	uint32		tunnel mode
    268 	uint32		remote unit number
    269 
    270 The "tunnel mode" parameter specifies whether the tunnel should forward
    271 layer 2 frames or layer 3 packets. It may take one of the following values:
    272 
    273 	SSH_TUNMODE_POINTOPOINT  1		/* layer 3 packets */
    274 	SSH_TUNMODE_ETHERNET     2		/* layer 2 frames */
    275 
    276 The "tunnel unit number" specifies the remote interface number, or may
    277 be 0x7fffffff to allow the server to automatically choose an interface. A
    278 server that is not willing to open a client-specified unit should refuse
    279 the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful
    280 open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS.
    281 
    282 Once established the client and server may exchange packet or frames
    283 over the tunnel channel by encapsulating them in SSH protocol strings
    284 and sending them as channel data. This ensures that packet boundaries
    285 are kept intact. Specifically, packets are transmitted using normal
    286 SSH_MSG_CHANNEL_DATA packets:
    287 
    288 	byte		SSH_MSG_CHANNEL_DATA
    289 	uint32		recipient channel
    290 	string		data
    291 
    292 The contents of the "data" field for layer 3 packets is:
    293 
    294 	uint32			packet length
    295 	uint32			address family
    296 	byte[packet length - 4]	packet data
    297 
    298 The "address family" field identifies the type of packet in the message.
    299 It may be one of:
    300 
    301 	SSH_TUN_AF_INET		2		/* IPv4 */
    302 	SSH_TUN_AF_INET6	24		/* IPv6 */
    303 
    304 The "packet data" field consists of the IPv4/IPv6 datagram itself
    305 without any link layer header.
    306 
    307 The contents of the "data" field for layer 2 packets is:
    308 
    309 	uint32			packet length
    310 	byte[packet length]	frame
    311 
    312 The "frame" field contains an IEEE 802.3 Ethernet frame, including
    313 header.
    314 
    315 2.4. connection: Unix domain socket forwarding
    316 
    317 OpenSSH supports local and remote Unix domain socket forwarding
    318 using the "streamlocal" extension.  Forwarding is initiated as per
    319 TCP sockets but with a single path instead of a host and port.
    320 
    321 Similar to direct-tcpip, direct-streamlocal is sent by the client
    322 to request that the server make a connection to a Unix domain socket.
    323 
    324 	byte		SSH_MSG_CHANNEL_OPEN
    325 	string		"direct-streamlocal (a] openssh.com"
    326 	uint32		sender channel
    327 	uint32		initial window size
    328 	uint32		maximum packet size
    329 	string		socket path
    330 	string		reserved
    331 	uint32		reserved
    332 
    333 Similar to forwarded-tcpip, forwarded-streamlocal is sent by the
    334 server when the client has previously send the server a streamlocal-forward
    335 GLOBAL_REQUEST.
    336 
    337 	byte		SSH_MSG_CHANNEL_OPEN
    338 	string		"forwarded-streamlocal (a] openssh.com"
    339 	uint32		sender channel
    340 	uint32		initial window size
    341 	uint32		maximum packet size
    342 	string		socket path
    343 	string		reserved for future use
    344 
    345 The reserved field is not currently defined and is ignored on the
    346 remote end.  It is intended to be used in the future to pass
    347 information about the socket file, such as ownership and mode.
    348 The client currently sends the empty string for this field.
    349 
    350 Similar to tcpip-forward, streamlocal-forward is sent by the client
    351 to request remote forwarding of a Unix domain socket.
    352 
    353 	byte		SSH2_MSG_GLOBAL_REQUEST
    354 	string		"streamlocal-forward (a] openssh.com"
    355 	boolean		TRUE
    356 	string		socket path
    357 
    358 Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent
    359 by the client cancel the forwarding of a Unix domain socket.
    360 
    361 	byte		SSH2_MSG_GLOBAL_REQUEST
    362 	string		"cancel-streamlocal-forward (a] openssh.com"
    363 	boolean		FALSE
    364 	string		socket path
    365 
    366 2.5. connection: hostkey update and rotation "hostkeys-00 (a] openssh.com"
    367 and "hostkeys-prove-00 (a] openssh.com"
    368 
    369 OpenSSH supports a protocol extension allowing a server to inform
    370 a client of all its protocol v.2 host keys after user-authentication
    371 has completed.
    372 
    373 	byte		SSH_MSG_GLOBAL_REQUEST
    374 	string		"hostkeys-00 (a] openssh.com"
    375 	char		0 /* want-reply */
    376 	string[]	hostkeys
    377 
    378 Upon receiving this message, a client should check which of the
    379 supplied host keys are present in known_hosts.
    380 
    381 Note that the server may send key types that the client does not
    382 support. The client should disregard such keys if they are received.
    383 
    384 If the client identifies any keys that are not present for the host,
    385 it should send a "hostkeys-prove (a] openssh.com" message to request the
    386 server prove ownership of the private half of the key.
    387 
    388 	byte		SSH_MSG_GLOBAL_REQUEST
    389 	string		"hostkeys-prove-00 (a] openssh.com"
    390 	char		1 /* want-reply */
    391 	string[]	hostkeys
    392 
    393 When a server receives this message, it should generate a signature
    394 using each requested key over the following:
    395 
    396 	string		"hostkeys-prove-00 (a] openssh.com"
    397 	string		session identifier
    398 	string		hostkey
    399 
    400 These signatures should be included in the reply, in the order matching
    401 the hostkeys in the request:
    402 
    403 	byte		SSH_MSG_REQUEST_SUCCESS
    404 	string[]	signatures
    405 
    406 When the client receives this reply (and not a failure), it should
    407 validate the signatures and may update its known_hosts file, adding keys
    408 that it has not seen before and deleting keys for the server host that
    409 are no longer offered.
    410 
    411 These extensions let a client learn key types that it had not previously
    412 encountered, thereby allowing it to potentially upgrade from weaker
    413 key algorithms to better ones. It also supports graceful key rotation:
    414 a server may offer multiple keys of the same type for a period (to
    415 give clients an opportunity to learn them using this extension) before
    416 removing the deprecated key from those offered.
    417 
    418 2.6. connection: SIGINFO support for "signal" channel request
    419 
    420 The SSH channels protocol (RFC4254 section 6.9) supports sending a
    421 signal to a session attached to a channel. OpenSSH supports one
    422 extension signal "INFO (a] openssh.com" that allows sending SIGINFO on
    423 BSD-derived systems.
    424 
    425 3. Authentication protocol changes
    426 
    427 3.1. Host-bound public key authentication
    428 
    429 This is trivial change to the traditional "publickey" authentication
    430 method. The authentication request is identical to the original method
    431 but for the name and one additional field:
    432 
    433 	byte		SSH2_MSG_USERAUTH_REQUEST
    434 	string		username
    435 	string		"ssh-connection"
    436 	string		"publickey-hostbound-v00 (a] openssh.com"
    437 	bool		has_signature
    438 	string		pkalg
    439 	string		public key
    440 	string		server host key
    441 
    442 Because the entire SSH2_MSG_USERAUTH_REQUEST message is included in
    443 the signed data, this ensures that a binding between the destination
    444 user, the server identity and the session identifier is visible to the
    445 signer. OpenSSH uses this binding via signed data to implement per-key
    446 restrictions in ssh-agent.
    447 
    448 A server may advertise this method using the SSH2_MSG_EXT_INFO
    449 mechanism (RFC8308), with the following message:
    450 
    451 	string		"publickey-hostbound (a] openssh.com"
    452 	string		"0" (version)
    453 
    454 Clients should prefer host-bound authentication when advertised by
    455 server.
    456 
    457 4. SFTP protocol changes
    458 
    459 4.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
    460 
    461 When OpenSSH's sftp-server was implemented, the order of the arguments
    462 to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately,
    463 the reversal was not noticed until the server was widely deployed. Since
    464 fixing this to follow the specification would cause incompatibility, the
    465 current order was retained. For correct operation, clients should send
    466 SSH_FXP_SYMLINK as follows:
    467 
    468 	uint32		id
    469 	string		targetpath
    470 	string		linkpath
    471 
    472 4.2. sftp: Server extension announcement in SSH_FXP_VERSION
    473 
    474 OpenSSH's sftp-server lists the extensions it supports using the
    475 standard extension announcement mechanism in the SSH_FXP_VERSION server
    476 hello packet:
    477 
    478 	uint32		3		/* protocol version */
    479 	string		ext1-name
    480 	string		ext1-version
    481 	string		ext2-name
    482 	string		ext2-version
    483 	...
    484 	string		extN-name
    485 	string		extN-version
    486 
    487 Each extension reports its integer version number as an ASCII encoded
    488 string, e.g. "1". The version will be incremented if the extension is
    489 ever changed in an incompatible way. The server MAY advertise the same
    490 extension with multiple versions (though this is unlikely). Clients MUST
    491 check the version number before attempting to use the extension.
    492 
    493 4.3. sftp: Extension request "posix-rename (a] openssh.com"
    494 
    495 This operation provides a rename operation with POSIX semantics, which
    496 are different to those provided by the standard SSH_FXP_RENAME in
    497 draft-ietf-secsh-filexfer-02.txt. This request is implemented as a
    498 SSH_FXP_EXTENDED request with the following format:
    499 
    500 	uint32		id
    501 	string		"posix-rename (a] openssh.com"
    502 	string		oldpath
    503 	string		newpath
    504 
    505 On receiving this request the server will perform the POSIX operation
    506 rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
    507 This extension is advertised in the SSH_FXP_VERSION hello with version
    508 "1".
    509 
    510 4.4. sftp: Extension requests "statvfs (a] openssh.com" and
    511          "fstatvfs (a] openssh.com"
    512 
    513 These requests correspond to the statvfs and fstatvfs POSIX system
    514 interfaces. The "statvfs (a] openssh.com" request operates on an explicit
    515 pathname, and is formatted as follows:
    516 
    517 	uint32		id
    518 	string		"statvfs (a] openssh.com"
    519 	string		path
    520 
    521 The "fstatvfs (a] openssh.com" operates on an open file handle:
    522 
    523 	uint32		id
    524 	string		"fstatvfs (a] openssh.com"
    525 	string		handle
    526 
    527 These requests return a SSH_FXP_STATUS reply on failure. On success they
    528 return the following SSH_FXP_EXTENDED_REPLY reply:
    529 
    530 	uint32		id
    531 	uint64		f_bsize		/* file system block size */
    532 	uint64		f_frsize	/* fundamental fs block size */
    533 	uint64		f_blocks	/* number of blocks (unit f_frsize) */
    534 	uint64		f_bfree		/* free blocks in file system */
    535 	uint64		f_bavail	/* free blocks for non-root */
    536 	uint64		f_files		/* total file inodes */
    537 	uint64		f_ffree		/* free file inodes */
    538 	uint64		f_favail	/* free file inodes for to non-root */
    539 	uint64		f_fsid		/* file system id */
    540 	uint64		f_flag		/* bit mask of f_flag values */
    541 	uint64		f_namemax	/* maximum filename length */
    542 
    543 The values of the f_flag bitmask are as follows:
    544 
    545 	#define SSH_FXE_STATVFS_ST_RDONLY	0x1	/* read-only */
    546 	#define SSH_FXE_STATVFS_ST_NOSUID	0x2	/* no setuid */
    547 
    548 Both the "statvfs (a] openssh.com" and "fstatvfs (a] openssh.com" extensions are
    549 advertised in the SSH_FXP_VERSION hello with version "2".
    550 
    551 4.5. sftp: Extension request "hardlink (a] openssh.com"
    552 
    553 This request is for creating a hard link to a regular file. This
    554 request is implemented as a SSH_FXP_EXTENDED request with the
    555 following format:
    556 
    557 	uint32		id
    558 	string		"hardlink (a] openssh.com"
    559 	string		oldpath
    560 	string		newpath
    561 
    562 On receiving this request the server will perform the operation
    563 link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
    564 This extension is advertised in the SSH_FXP_VERSION hello with version
    565 "1".
    566 
    567 4.6. sftp: Extension request "fsync (a] openssh.com"
    568 
    569 This request asks the server to call fsync(2) on an open file handle.
    570 
    571 	uint32		id
    572 	string		"fsync (a] openssh.com"
    573 	string		handle
    574 
    575 On receiving this request, a server will call fsync(handle_fd) and will
    576 respond with a SSH_FXP_STATUS message.
    577 
    578 This extension is advertised in the SSH_FXP_VERSION hello with version
    579 "1".
    580 
    581 4.7. sftp: Extension request "lsetstat (a] openssh.com"
    582 
    583 This request is like the "setstat" command, but sets file attributes on
    584 symlinks.  It is implemented as a SSH_FXP_EXTENDED request with the
    585 following format:
    586 
    587 	uint32		id
    588 	string		"lsetstat (a] openssh.com"
    589 	string		path
    590 	ATTRS		attrs
    591 
    592 See the "setstat" command for more details.
    593 
    594 This extension is advertised in the SSH_FXP_VERSION hello with version
    595 "1".
    596 
    597 4.8. sftp: Extension request "limits (a] openssh.com"
    598 
    599 This request is used to determine various limits the server might impose.
    600 Clients should not attempt to exceed these limits as the server might sever
    601 the connection immediately.
    602 
    603 	uint32		id
    604 	string		"limits (a] openssh.com"
    605 
    606 The server will respond with a SSH_FXP_EXTENDED_REPLY reply:
    607 
    608 	uint32		id
    609 	uint64		max-packet-length
    610 	uint64		max-read-length
    611 	uint64		max-write-length
    612 	uint64		max-open-handles
    613 
    614 The 'max-packet-length' applies to the total number of bytes in a
    615 single SFTP packet.  Servers SHOULD set this at least to 34000.
    616 
    617 The 'max-read-length' is the largest length in a SSH_FXP_READ packet.
    618 Even if the client requests a larger size, servers will usually respond
    619 with a shorter SSH_FXP_DATA packet.  Servers SHOULD set this at least to
    620 32768.
    621 
    622 The 'max-write-length' is the largest length in a SSH_FXP_WRITE packet
    623 the server will accept.  Servers SHOULD set this at least to 32768.
    624 
    625 The 'max-open-handles' is the maximum number of active handles that the
    626 server allows (e.g. handles created by SSH_FXP_OPEN and SSH_FXP_OPENDIR
    627 packets).  Servers MAY count internal file handles against this limit
    628 (e.g. system logging or stdout/stderr), so clients SHOULD NOT expect to
    629 open this many handles in practice.
    630 
    631 If the server doesn't enforce a specific limit, then the field may be
    632 set to 0.  This implies the server relies on the OS to enforce limits
    633 (e.g. available memory or file handles), and such limits might be
    634 dynamic.  The client SHOULD take care to not try to exceed reasonable
    635 limits.
    636 
    637 This extension is advertised in the SSH_FXP_VERSION hello with version
    638 "1".
    639 
    640 4.9. sftp: Extension request "expand-path (a] openssh.com"
    641 
    642 This request supports canonicalisation of relative paths and
    643 those that need tilde-expansion, i.e. "~", "~/..." and "~user/..."
    644 These paths are expanded using shell-like rules and the resultant
    645 path is canonicalised similarly to SSH2_FXP_REALPATH.
    646 
    647 It is implemented as a SSH_FXP_EXTENDED request with the following
    648 format:
    649 
    650 	uint32		id
    651 	string		"expand-path (a] openssh.com"
    652 	string		path
    653 
    654 Its reply is the same format as that of SSH2_FXP_REALPATH.
    655 
    656 This extension is advertised in the SSH_FXP_VERSION hello with version
    657 "1".
    658 
    659 4.10. sftp: Extension request "copy-data"
    660 
    661 This request asks the server to copy data from one open file handle and
    662 write it to a different open file handle.  This avoids needing to transfer
    663 the data across the network twice (a download followed by an upload).
    664 
    665 	byte		SSH_FXP_EXTENDED
    666 	uint32		id
    667 	string		"copy-data"
    668 	string		read-from-handle
    669 	uint64		read-from-offset
    670 	uint64		read-data-length
    671 	string		write-to-handle
    672 	uint64		write-to-offset
    673 
    674 The server will copy read-data-length bytes starting from
    675 read-from-offset from the read-from-handle and write them to
    676 write-to-handle starting from write-to-offset, and then respond with a
    677 SSH_FXP_STATUS message.
    678 
    679 It's equivalent to issuing a series of SSH_FXP_READ requests on
    680 read-from-handle and a series of requests of SSH_FXP_WRITE on
    681 write-to-handle.
    682 
    683 If read-from-handle and write-to-handle are the same, the server will
    684 fail the request and respond with a SSH_FX_INVALID_PARAMETER message.
    685 
    686 If read-data-length is 0, then the server will read data from the
    687 read-from-handle until EOF is reached.
    688 
    689 This extension is advertised in the SSH_FXP_VERSION hello with version
    690 "1".
    691 
    692 This request is identical to the "copy-data" request documented in:
    693 
    694 https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7
    695 
    696 4.11. sftp: Extension request "home-directory"
    697 
    698 This request asks the server to expand the specified user's home directory.
    699 An empty username implies the current user.  This can be used by the client
    700 to expand ~/ type paths locally.
    701 
    702 	byte		SSH_FXP_EXTENDED
    703 	uint32		id
    704 	string		"home-directory"
    705 	string		username
    706 
    707 This extension is advertised in the SSH_FXP_VERSION hello with version
    708 "1".
    709 
    710 This provides similar information as the "expand-path (a] openssh.com" extension.
    711 
    712 This request is identical to the "home-directory" request documented in:
    713 
    714 https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-5
    715 
    716 4.12. sftp: Extension request "users-groups-by-id (a] openssh.com"
    717 
    718 This request asks the server to return user and/or group names that
    719 correspond to one or more IDs (e.g. as returned from a SSH_FXP_STAT
    720 request). This may be used by the client to provide usernames in
    721 directory listings.
    722 
    723 	byte		SSH_FXP_EXTENDED
    724 	uint32		id
    725 	string		"users-groups-by-id (a] openssh.com"
    726 	string		uids
    727 	string		gids
    728 
    729 Where "uids" and "gids" consists of one or more integer user or group
    730 identifiers:
    731 
    732 	uint32		id-0
    733 	...
    734 
    735 The server will reply with a SSH_FXP_EXTENDED_REPLY:
    736 
    737 	byte		SSH_FXP_EXTENDED_REPLY
    738 	string		usernames
    739 	string		groupnames
    740 
    741 Where "username" and "groupnames" consists of names in identical request
    742 order to "uids" and "gids" respectively:
    743 
    744 	string		name-0
    745 	...
    746 
    747 If a name cannot be identified for a given user or group ID, an empty
    748 string will be returned in its place.
    749 
    750 It is acceptable for either "uids" or "gids" to be an empty set, in
    751 which case the respective "usernames" or "groupnames" list will also
    752 be empty.
    753 
    754 This extension is advertised in the SSH_FXP_VERSION hello with version
    755 "1".
    756 
    757 5. Miscellaneous changes
    758 
    759 5.1 Public key format
    760 
    761 OpenSSH public keys, as generated by ssh-keygen(1) and appearing in
    762 authorized_keys files, are formatted as a single line of text consisting
    763 of the public key algorithm name followed by a base64-encoded key blob.
    764 The public key blob (before base64 encoding) is the same format used for
    765 the encoding of public keys sent on the wire: as described in RFC4253
    766 section 6.6 for RSA and DSA keys, RFC5656 section 3.1 for ECDSA keys
    767 and the "New public key formats" section of PROTOCOL.certkeys for the
    768 OpenSSH certificate formats.
    769 
    770 5.2 Private key format
    771 
    772 OpenSSH private keys, as generated by ssh-keygen(1) use the format
    773 described in PROTOCOL.key by default. As a legacy option, PEM format
    774 (RFC7468) private keys are also supported for RSA, DSA and ECDSA keys
    775 and were the default format before OpenSSH 7.8.
    776 
    777 5.3 KRL format
    778 
    779 OpenSSH supports a compact format for Key Revocation Lists (KRLs). This
    780 format is described in the PROTOCOL.krl file.
    781 
    782 5.4 Connection multiplexing
    783 
    784 OpenSSH's connection multiplexing uses messages as described in
    785 PROTOCOL.mux over a Unix domain socket for communications between a
    786 master instance and later clients.
    787 
    788 5.5. Agent protocol extensions
    789 
    790 OpenSSH extends the usual agent protocol. These changes are documented
    791 in the PROTOCOL.agent file.
    792 
    793 $OpenBSD: PROTOCOL,v 1.51 2023/12/18 14:45:49 djm Exp $
    794 $NetBSD: PROTOCOL,v 1.20.2.3 2023/12/25 12:22:55 martin Exp $
    795