idnits 2.17.1 

draft-ietf-secsh-architecture-22.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1.a on line 17.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1342.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1314.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1321.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1327.

  ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure
     Acknowledgement. 

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.

  ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate
     instead of verbatim RFC 3978 boilerplate.  After 6 May 2005, submission
     of drafts without verbatim RFC 3978 boilerplate is not accepted.

     The following non-3978 patterns matched text found in the document. 
     That text should be removed or replaced:

        This document is an Internet-Draft and is subject to all provisions of
        Section 3 of RFC 3667.

        By submitting this Internet-Draft, each author represents that any
        applicable patent or other IPR claims of which he or she is aware
        have been or will be disclosed, and any of which he or she
        becomes aware will be disclosed, in accordance with Section 6 of
        BCP 79.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 168 has weird spacing: '... string    dat...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 14, 2005) is 6977 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'KAUFMAN' is mentioned on line 639, but not defined

  == Missing Reference: 'PERLMAN' is mentioned on line 639, but not defined

  == Missing Reference: 'SPECINER' is mentioned on line 639, but not defined

  == Missing Reference: 'BELLARE' is mentioned on line 651, but not defined

  == Missing Reference: 'KOHNO' is mentioned on line 651, but not defined

  == Missing Reference: 'NAMPREMPRE' is mentioned on line 651, but not defined

  == Unused Reference: 'KAUFMAN,PERLMAN,SPECINER' is defined on line 1242,
     but no explicit reference was found in the text

  == Unused Reference: 'BELLARE,KOHNO,NAMPREMPRE' is defined on line 1263,
     but no explicit reference was found in the text

  ** Obsolete normative reference: RFC 2434 (Obsoleted by RFC 5226)

  ** Obsolete normative reference: RFC 3066 (Obsoleted by RFC 4646, RFC 4647)

  -- Obsolete informational reference (is this intentional?): RFC  822
     (Obsoleted by RFC 2822)

  -- Obsolete informational reference (is this intentional?): RFC 1510
     (Obsoleted by RFC 4120, RFC 6649)

  -- Obsolete informational reference (is this intentional?): RFC 1750
     (Obsoleted by RFC 4086)

  -- Obsolete informational reference (is this intentional?): RFC 2246
     (Obsoleted by RFC 4346)


     Summary: 7 errors (**), 0 flaws (~~), 12 warnings (==), 11 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	Network Working Group                                          T. Ylonen
2	Internet-Draft                          SSH Communications Security Corp
3	Expires: September 15, 2005                              C. Lonvick, Ed.
4	                                                     Cisco Systems, Inc.
5	                                                          March 14, 2005

7	                       SSH Protocol Architecture
8	                  draft-ietf-secsh-architecture-22.txt

10	Status of this Memo

12	   This document is an Internet-Draft and is subject to all provisions
13	   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
14	   author represents that any applicable patent or other IPR claims of
15	   which he or she is aware have been or will be disclosed, and any of
16	   which he or she become aware will be disclosed, in accordance with
17	   RFC 3668.

19	   Internet-Drafts are working documents of the Internet Engineering
20	   Task Force (IETF), its areas, and its working groups.  Note that
21	   other groups may also distribute working documents as
22	   Internet-Drafts.

24	   Internet-Drafts are draft documents valid for a maximum of six months
25	   and may be updated, replaced, or obsoleted by other documents at any
26	   time.  It is inappropriate to use Internet-Drafts as reference
27	   material or to cite them other than as "work in progress."

29	   The list of current Internet-Drafts can be accessed at
30	   http://www.ietf.org/ietf/1id-abstracts.txt.

32	   The list of Internet-Draft Shadow Directories can be accessed at
33	   http://www.ietf.org/shadow.html.

35	   This Internet-Draft will expire on September 15, 2005.

37	Copyright Notice

39	   Copyright (C) The Internet Society (2005).

41	Abstract

43	   SSH is a protocol for secure remote login and other secure network
44	   services over an insecure network.  This document describes the
45	   architecture of the SSH protocol, as well as the notation and
46	   terminology used in SSH protocol documents.  It also discusses the
47	   SSH algorithm naming system that allows local extensions.  The SSH
48	   protocol consists of three major components: The Transport Layer
49	   Protocol provides server authentication, confidentiality, and
50	   integrity with perfect forward secrecy.  The User Authentication
51	   Protocol authenticates the client to the server.  The Connection
52	   Protocol multiplexes the encrypted tunnel into several logical
53	   channels.  Details of these protocols are described in separate
54	   documents.

56	Table of Contents

58	   1.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . .  4
59	   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
60	   3.  Conventions Used in This Document  . . . . . . . . . . . . . .  5
61	   4.  Architecture . . . . . . . . . . . . . . . . . . . . . . . . .  5
62	     4.1   Host Keys  . . . . . . . . . . . . . . . . . . . . . . . .  5
63	     4.2   Extensibility  . . . . . . . . . . . . . . . . . . . . . .  7
64	     4.3   Policy Issues  . . . . . . . . . . . . . . . . . . . . . .  7
65	     4.4   Security Properties  . . . . . . . . . . . . . . . . . . .  8
66	     4.5   Localization and Character Set Support . . . . . . . . . .  8
67	   5.  Data Type Representations Used in the SSH Protocols  . . . . .  9
68	   6.  Algorithm and Method Naming  . . . . . . . . . . . . . . . . . 11
69	   7.  Message Numbers  . . . . . . . . . . . . . . . . . . . . . . . 12
70	   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 13
71	   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
72	     9.1   Pseudo-Random Number Generation  . . . . . . . . . . . . . 14
73	     9.2   Transport  . . . . . . . . . . . . . . . . . . . . . . . . 14
74	       9.2.1   Confidentiality  . . . . . . . . . . . . . . . . . . . 14
75	       9.2.2   Data Integrity . . . . . . . . . . . . . . . . . . . . 17
76	       9.2.3   Replay . . . . . . . . . . . . . . . . . . . . . . . . 17
77	       9.2.4   Man-in-the-middle  . . . . . . . . . . . . . . . . . . 18
78	       9.2.5   Denial-of-service  . . . . . . . . . . . . . . . . . . 20
79	       9.2.6   Covert Channels  . . . . . . . . . . . . . . . . . . . 21
80	       9.2.7   Forward Secrecy  . . . . . . . . . . . . . . . . . . . 21
81	       9.2.8   Ordering of Key Exchange Methods . . . . . . . . . . . 21
82	       9.2.9   Traffic Analysis . . . . . . . . . . . . . . . . . . . 21
83	     9.3   Authentication Protocol  . . . . . . . . . . . . . . . . . 22
84	       9.3.1   Weak Transport . . . . . . . . . . . . . . . . . . . . 22
85	       9.3.2   Debug Messages . . . . . . . . . . . . . . . . . . . . 23
86	       9.3.3   Local Security Policy  . . . . . . . . . . . . . . . . 23
87	       9.3.4   Public Key Authentication  . . . . . . . . . . . . . . 24
88	       9.3.5   Password Authentication  . . . . . . . . . . . . . . . 24
89	       9.3.6   Host Based Authentication  . . . . . . . . . . . . . . 24
90	     9.4   Connection Protocol  . . . . . . . . . . . . . . . . . . . 24
91	       9.4.1   End Point Security . . . . . . . . . . . . . . . . . . 24
92	       9.4.2   Proxy Forwarding . . . . . . . . . . . . . . . . . . . 25
93	       9.4.3   X11 Forwarding . . . . . . . . . . . . . . . . . . . . 25
94	   10.   References . . . . . . . . . . . . . . . . . . . . . . . . . 26
95	     10.1  Normative References . . . . . . . . . . . . . . . . . . . 26
96	     10.2  Informative References . . . . . . . . . . . . . . . . . . 26
97	       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 29
98	   A.  Trademark Notice . . . . . . . . . . . . . . . . . . . . . . . 29
99	       Intellectual Property and Copyright Statements . . . . . . . . 30

101	1.  Contributors

103	   The major original contributors of this set of documents have been:
104	   Tatu Ylonen, Tero Kivinen, Timo J. Rinne, Sami Lehtinen (all of SSH
105	   Communications Security Corp), and Markku-Juhani O. Saarinen
106	   (University of Jyvaskyla).  Darren Moffit was the original editor of
107	   this set of documents and also made very substantial contributions.

109	   Many people contributed to the development of this document over the
110	   years.  People who should be acknowledged include Mats Andersson, Ben
111	   Harris, Brent McClure, Niels Moller, Damien Miller, Derek Fawcus,
112	   Frank Cusack, Heikki Nousiainen, Jakob Schlyter, Jeff Van Dyke,
113	   Jeffrey Altman, Jeffrey Hutzelman, Jon Bright, Joseph Galbraith, Ken
114	   Hornstein, Markus Friedl, Martin Forssen, Nicolas Williams, Niels
115	   Provos, Perry Metzger, Peter Gutmann, Simon Josefsson, Simon Tatham,
116	   Wei Dai, Denis Bider, der Mouse, and Tadayoshi Kohno.  Listing their
117	   names here does not mean that they endorse this document, but that
118	   they have contributed to it.

120	2.  Introduction

122	   SSH is a protocol for secure remote login and other secure network
123	   services over an insecure network.  It consists of three major
124	   components:
125	   o  The Transport Layer Protocol [SSH-TRANS] provides server
126	      authentication, confidentiality, and integrity.  It may optionally
127	      also provide compression.  The transport layer will typically be
128	      run over a TCP/IP connection, but might also be used on top of any
129	      other reliable data stream.
130	   o  The User Authentication Protocol [SSH-USERAUTH] authenticates the
131	      client-side user to the server.  It runs over the transport layer
132	      protocol.
133	   o  The Connection Protocol [SSH-CONNECT] multiplexes the encrypted
134	      tunnel into several logical channels.  It runs over the user
135	      authentication protocol.

137	   The client sends a service request once a secure transport layer
138	   connection has been established.  A second service request is sent
139	   after user authentication is complete.  This allows new protocols to
140	   be defined and coexist with the protocols listed above.

142	   The connection protocol provides channels that can be used for a wide
143	   range of purposes.  Standard methods are provided for setting up
144	   secure interactive shell sessions and for forwarding ("tunneling")
145	   arbitrary TCP/IP ports and X11 connections.

147	3.  Conventions Used in This Document

149	   All documents related to the SSH protocols shall use the keywords
150	   "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
151	   "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" to describe
152	   requirements.  These keywords are to be interpreted as described in
153	   [RFC2119].

155	   The keywords "PRIVATE USE", "HIERARCHICAL ALLOCATION", "FIRST COME
156	   FIRST SERVED", "EXPERT REVIEW", "SPECIFICATION REQUIRED", "IESG
157	   APPROVAL", "IETF CONSENSUS", and "STANDARDS ACTION" that appear in
158	   this document when used to describe namespace allocation are to be
159	   interpreted as described in [RFC2434].

161	   Protocol fields and possible values to fill them are defined in this
162	   set of documents.  Protocol fields will be defined in the message
163	   definitions.  As an example, SSH_MSG_CHANNEL_DATA is defined as
164	   follows.

166	        byte      SSH_MSG_CHANNEL_DATA
167	        uint32    recipient channel
168	        string    data

170	   Throughout these documents, when the fields are referenced, they will
171	   appear within single quotes.  When values to fill those fields are
172	   referenced, they will appear within double quotes.  Using the above
173	   example, possible values for 'data' are "foo" and "bar".

175	4.  Architecture

177	4.1  Host Keys

179	   Each server host SHOULD have a host key.  Hosts MAY have multiple
180	   host keys using multiple different algorithms.  Multiple hosts MAY
181	   share the same host key.  If a host has keys at all, it MUST have at
182	   least one key using each REQUIRED public key algorithm (DSS
183	   [FIPS-186-2]).

185	   The server host key is used during key exchange to verify that the
186	   client is really talking to the correct server.  For this to be
187	   possible, the client must have a priori knowledge of the server's
188	   public host key.

190	   Two different trust models can be used:
191	   o  The client has a local database that associates each host name (as
192	      typed by the user) with the corresponding public host key.  This
193	      method requires no centrally administered infrastructure, and no
194	      third-party coordination.  The downside is that the database of
195	      name-to-key associations may become burdensome to maintain.
196	   o  The host name-to-key association is certified by some trusted
197	      certification authority (CA).  The client only knows the CA root
198	      key, and can verify the validity of all host keys certified by
199	      accepted CAs.

201	   The second alternative eases the maintenance problem, since ideally
202	   only a single CA key needs to be securely stored on the client.  On
203	   the other hand, each host key must be appropriately certified by a
204	   central authority before authorization is possible.  Also, a lot of
205	   trust is placed on the central infrastructure.

207	   The protocol provides the option that the server name - host key
208	   association is not checked when connecting to the host for the first
209	   time.  This allows communication without prior communication of host
210	   keys or certification.  The connection still provides protection
211	   against passive listening; however, it becomes vulnerable to active
212	   man-in-the-middle attacks.  Implementations SHOULD NOT normally allow
213	   such connections by default, as they pose a potential security
214	   problem.  However, as there is no widely deployed key infrastructure
215	   available on the Internet yet, this option makes the protocol much
216	   more usable during the transition time until such an infrastructure
217	   emerges, while still providing a much higher level of security than
218	   that offered by older solutions (e.g., telnet [RFC0854] and rlogin
219	   [RFC1282]).

221	   Implementations SHOULD try to make the best effort to check host
222	   keys.  An example of a possible strategy is to only accept a host key
223	   without checking the first time a host is connected, save the key in
224	   a local database, and compare against that key on all future
225	   connections to that host.

227	   Implementations MAY provide additional methods for verifying the
228	   correctness of host keys, e.g., a hexadecimal fingerprint derived
229	   from the SHA-1 hash [FIPS-180-2] of the public key.  Such
230	   fingerprints can easily be verified by using telephone or other
231	   external communication channels.

233	   All implementations SHOULD provide an option to not accept host keys
234	   that cannot be verified.

236	   The members of this Working Group believe that 'ease of use' is
237	   critical to end-user acceptance of security solutions, and no
238	   improvement in security is gained if the new solutions are not used.
239	   Thus, providing the option not to check the server host key is
240	   believed to improve the overall security of the Internet, even though
241	   it reduces the security of the protocol in configurations where it is
242	   allowed.

244	4.2  Extensibility

246	   We believe that the protocol will evolve over time, and some
247	   organizations will want to use their own encryption, authentication
248	   and/or key exchange methods.  Central registration of all extensions
249	   is cumbersome, especially for experimental or classified features.
250	   On the other hand, having no central registration leads to conflicts
251	   in method identifiers, making interoperability difficult.

253	   We have chosen to identify algorithms, methods, formats, and
254	   extension protocols with textual names that are of a specific format.
255	   DNS names are used to create local namespaces where experimental or
256	   classified extensions can be defined without fear of conflicts with
257	   other implementations.

259	   One design goal has been to keep the base protocol as simple as
260	   possible, and to require as few algorithms as possible.  However, all
261	   implementations MUST support a minimal set of algorithms to ensure
262	   interoperability (this does not imply that the local policy on all
263	   hosts would necessary allow these algorithms).  The mandatory
264	   algorithms are specified in the relevant protocol documents.

266	   Additional algorithms, methods, formats, and extension protocols can
267	   be defined in separate drafts.  See Section Algorithm Naming
268	   (Section 6) for more information.

270	4.3  Policy Issues

272	   The protocol allows full negotiation of encryption, integrity, key
273	   exchange, compression, and public key algorithms and formats.
274	   Encryption, integrity, public key, and compression algorithms can be
275	   different for each direction.

277	   The following policy issues SHOULD be addressed in the configuration
278	   mechanisms of each implementation:
279	   o  Encryption, integrity, and compression algorithms, separately for
280	      each direction.  The policy MUST specify which is the preferred
281	      algorithm (e.g., the first algorithm listed in each category).
282	   o  Public key algorithms and key exchange method to be used for host
283	      authentication.  The existence of trusted host keys for different
284	      public key algorithms also affects this choice.
285	   o  The authentication methods that are to be required by the server
286	      for each user.  The server's policy MAY require multiple
287	      authentication for some or all users.  The required algorithms MAY
288	      depend on the location where the user is trying to log in from.
289	   o  The operations that the user is allowed to perform using the
290	      connection protocol.  Some issues are related to security; for
291	      example, the policy SHOULD NOT allow the server to start sessions
292	      or run commands on the client machine, and MUST NOT allow
293	      connections to the authentication agent unless forwarding such
294	      connections has been requested.  Other issues, such as which
295	      TCP/IP ports can be forwarded and by whom, are clearly issues of
296	      local policy.  Many of these issues may involve traversing or
297	      bypassing firewalls, and are interrelated with the local security
298	      policy.

300	4.4  Security Properties

302	   The primary goal of the SSH protocol is to improve security on the
303	   Internet.  It attempts to do this in a way that is easy to deploy,
304	   even at the cost of absolute security.
305	   o  All encryption, integrity, and public key algorithms used are
306	      well-known, well-established algorithms.
307	   o  All algorithms are used with cryptographically sound key sizes
308	      that are believed to provide protection against even the strongest
309	      cryptanalytic attacks for decades.
310	   o  All algorithms are negotiated, and in case some algorithm is
311	      broken, it is easy to switch to some other algorithm without
312	      modifying the base protocol.

314	   Specific concessions were made to make wide-spread fast deployment
315	   easier.  The particular case where this comes up is verifying that
316	   the server host key really belongs to the desired host; the protocol
317	   allows the verification to be left out, but this is NOT RECOMMENDED.
318	   This is believed to significantly improve usability in the short
319	   term, until widespread Internet public key infrastructures emerge.

321	4.5  Localization and Character Set Support

323	   For the most part, the SSH protocols do not directly pass text that
324	   would be displayed to the user.  However, there are some places where
325	   such data might be passed.  When applicable, the character set for
326	   the data MUST be explicitly specified.  In most places, ISO 10646
327	   with UTF-8 encoding is used [RFC3629].  When applicable, a field is
328	   also provided for a language tag [RFC3066].

330	   One big issue is the character set of the interactive session.  There
331	   is no clear solution, as different applications may display data in
332	   different formats.  Different types of terminal emulation may also be
333	   employed in the client, and the character set to be used is
334	   effectively determined by the terminal emulation.  Thus, no place is
335	   provided for directly specifying the character set or encoding for
336	   terminal session data.  However, the terminal emulation type (e.g.,
337	   "vt100") is transmitted to the remote site, and it implicitly
338	   specifies the character set and encoding.  Applications typically use
339	   the terminal type to determine what character set they use, or the
340	   character set is determined using some external means.  The terminal
341	   emulation may also allow configuring the default character set.  In
342	   any case, the character set for the terminal session is considered
343	   primarily a client local issue.

345	   Internal names used to identify algorithms or protocols are normally
346	   never displayed to users, and must be in US-ASCII.

348	   The client and server user names are inherently constrained by what
349	   the server is prepared to accept.  They might, however, occasionally
350	   be displayed in logs, reports, etc.  They MUST be encoded using ISO
351	   10646 UTF-8, but other encodings may be required in some cases.  It
352	   is up to the server to decide how to map user names to accepted user
353	   names.  Straight bit-wise binary comparison is RECOMMENDED.

355	   For localization purposes, the protocol attempts to minimize the
356	   number of textual messages transmitted.  When present, such messages
357	   typically relate to errors, debugging information, or some externally
358	   configured data.  For data that is normally displayed, it SHOULD be
359	   possible to fetch a localized message instead of the transmitted
360	   message by using a numerical code.  The remaining messages SHOULD be
361	   configurable.

363	5.  Data Type Representations Used in the SSH Protocols

365	   byte

367	      A byte represents an arbitrary 8-bit value (octet).  Fixed length
368	      data is sometimes represented as an array of bytes, written
369	      byte[n], where n is the number of bytes in the array.

371	   boolean

373	      A boolean value is stored as a single byte.  The value 0
374	      represents FALSE, and the value 1 represents TRUE.  All non-zero
375	      values MUST be interpreted as TRUE; however, applications MUST NOT
376	      store values other than 0 and 1.

378	   uint32

380	      Represents a 32-bit unsigned integer.  Stored as four bytes in the
381	      order of decreasing significance (network byte order).  For
382	      example: the value 699921578 (0x29b7f4aa) is stored as 29 b7 f4
383	      aa.

385	   uint64

387	      Represents a 64-bit unsigned integer.  Stored as eight bytes in
388	      the order of decreasing significance (network byte order).

390	   string

392	      Arbitrary length binary string.  Strings are allowed to contain
393	      arbitrary binary data, including null characters and 8-bit
394	      characters.  They are stored as a uint32 containing its length
395	      (number of bytes that follow) and zero (= empty string) or more
396	      bytes that are the value of the string.  Terminating null
397	      characters are not used.

399	      Strings are also used to store text.  In that case, US-ASCII is
400	      used for internal names, and ISO-10646 UTF-8 for text that might
401	      be displayed to the user.  The terminating null character SHOULD
402	      NOT normally be stored in the string.  For example: the US-ASCII
403	      string "testing" is represented as 00 00 00 07 t e s t i n g.  The
404	      UTF-8 mapping does not alter the encoding of US-ASCII characters.

406	   mpint

408	      Represents multiple precision integers in two's complement format,
409	      stored as a string, 8 bits per byte, MSB first.  Negative numbers
410	      have the value 1 as the most significant bit of the first byte of
411	      the data partition.  If the most significant bit would be set for
412	      a positive number, the number MUST be preceded by a zero byte.
413	      Unnecessary leading bytes with the value 0 or 255 MUST NOT be
414	      included.  The value zero MUST be stored as a string with zero
415	      bytes of data.

417	      By convention, a number that is used in modular computations in
418	      Z_n SHOULD be represented in the range 0 <= x < n.

420	       Examples:
421	       value (hex)        representation (hex)
422	       -----------        --------------------
423	       0                  00 00 00 00
424	       9a378f9b2e332a7    00 00 00 08 09 a3 78 f9 b2 e3 32 a7
425	       80                 00 00 00 02 00 80
426	       -1234              00 00 00 02 ed cc
427	       -deadbeef          00 00 00 05 ff 21 52 41 11

429	   name-list

431	      A string containing a comma-separated list of names.  A name-list
432	      is represented as a uint32 containing its length (number of bytes
433	      that follow) followed by a comma-separated list of zero or more
434	      names.  A name MUST have a non-zero length, and it MUST NOT
435	      contain a comma (",").  As this is a list of names, all of the
436	      elements contained are names and MUST be in US-ASCII.  Context may
437	      impose additional restrictions on the names.  For example; the
438	      names in a name-list may have to be a list of valid algorithm
439	      identifiers (see Section 6 below), or a list of [RFC3066] language
440	      tags.  The order of the names in a name-list may or may not be
441	      significant.  Again, this depends on the context where the list is
442	      used.  Terminating null characters MUST NOT be used; neither for
443	      the individual names, nor for the list as a whole.

445	       Examples:

447	       value                      representation (hex)
448	       -----                      --------------------
449	       (), the empty name-list    00 00 00 00
450	       ("zlib")                   00 00 00 04 7a 6c 69 62
451	       ("zlib,none")              00 00 00 09 7a 6c 69 62 2c 6e 6f 6e 65

453	6.  Algorithm and Method Naming

455	   The SSH protocols refer to particular hash, encryption, integrity,
456	   compression, and key exchange algorithms or methods by names.  There
457	   are some standard algorithms and methods that all implementations
458	   MUST support.  There are also algorithms and methods that are defined
459	   in the protocol specification but are OPTIONAL.  Furthermore, it is
460	   expected that some organizations will want to use their own
461	   algorithms or methods.

463	   In this protocol, all algorithm and method identifiers MUST be
464	   printable US-ASCII, non-empty strings no longer than 64 characters.
465	   Names MUST be case-sensitive.

467	   There are two formats for algorithm and method names:
468	   o  Names that do not contain an at-sign ("@") are reserved to be
469	      assigned by IETF CONSENSUS.  Examples include "3des-cbc", "sha-1",
470	      "hmac-sha1", and "zlib" (the doublequotes are not part of the
471	      name).  Names of this format are only valid if they are first
472	      registered with the IANA.  Registered names MUST NOT contain an
473	      at-sign ("@"), a comma (","), or whitespace or control characters
474	      (ASCII codes 32 or less).  Names are case-sensitive, and MUST NOT
475	      be longer than 64 characters.

477	   o  Anyone can define additional algorithms or methods by using names
478	      in the format name@domainname, e.g., "ourcipher-cbc@example.com".
479	      The format of the part preceding the at-sign is not specified,
480	      however these names MUST be printable US-ASCII strings, and MUST
481	      NOT contain the comma character (","), whitespace, or control
482	      characters (ASCII codes 32 or less).  The part following the
483	      at-sign MUST be a valid, fully qualified domain name [RFC1034]
484	      controlled by the person or organization defining the name.  Names
485	      are case-sensitive, and MUST NOT be longer than 64 characters.  It
486	      is up to each domain how it manages its local namespace.  It
487	      should be noted that these names resemble STD 11 [RFC0822] email
488	      addresses.  This is purely coincidental and actually has nothing
489	      to do with STD 11 [RFC0822].

491	7.  Message Numbers

493	   SSH packets have message numbers in the range 1 to 255.  These
494	   numbers have been allocated as follows:

496	     Transport layer protocol:

498	       1 to 19    Transport layer generic (e.g., disconnect, ignore,
499	                  debug, etc.)
500	       20 to 29   Algorithm negotiation
501	       30 to 49   Key exchange method specific (numbers can be reused
502	                  for different authentication methods)

504	     User authentication protocol:

506	       50 to 59   User authentication generic
507	       60 to 79   User authentication method specific (numbers can be
508	                  reused for different authentication methods)

510	     Connection protocol:

512	       80 to 89   Connection protocol generic
513	       90 to 127  Channel related messages

515	     Reserved for client protocols:

517	       128 to 191 Reserved

519	     Local extensions:

521	       192 to 255 Local extensions

523	8.  IANA Considerations

525	   This document is part of a set.  The instructions for the IANA for
526	   the SSH protocol as defined in this document, [SSH-USERAUTH],
527	   [SSH-TRANS], and [SSH-CONNECT], are detailed in [SSH-NUMBERS].  The
528	   following is a brief summary for convenience, but note well that
529	   [SSH-NUMBERS] contains the actual instructions to the IANA, which may
530	   be superceded in the future.

532	   Allocation of the following types of names in the SSH protocols is
533	   assigned by IETF consensus:
534	   o  Service Names
535	      *  Authentication Methods
536	      *  Connection Protocol Channel Names
537	      *  Connection Protocol Global Request Names
538	      *  Connection Protocol Channel Request Names
539	   o  Key Exchange Method Names
540	   o  Assigned Algorithm Names
541	      *  Encryption Algorithm Names
542	      *  MAC Algorithm Names
543	      *  Public Key Algorithm Names
544	      *  Compression Algorithm Names

546	   These names MUST be printable US-ASCII strings, and MUST NOT contain
547	   the characters at-sign ("@"), comma (","), or whitespace or control
548	   characters (ASCII codes 32 or less).  Names are case-sensitive, and
549	   MUST NOT be longer than 64 characters.

551	   Names with the at-sign ("@") in them are locally defined extensions
552	   and are not controlled by the IANA.

554	   Each category of names listed above has a separate namespace.
555	   However, using the same name in multiple categories SHOULD be avoided
556	   to minimize confusion.

558	   Message numbers (see Section Message Numbers (Section 7)) in the
559	   range of 0..191 are allocated via IETF CONSENSUS as described in
560	   [RFC2434].  Message numbers in the 192..255 range (the "Local
561	   extensions" set) are reserved for PRIVATE USE also as described in
562	   [RFC2434].

564	9.  Security Considerations

566	   In order to make the entire body of Security Considerations more
567	   accessible, Security Considerations for the transport,
568	   authentication, and connection documents have been gathered here.

570	   The transport protocol [SSH-TRANS] provides a confidential channel
571	   over an insecure network.  It performs server host authentication,
572	   key exchange, encryption, and integrity protection.  It also derives
573	   a unique session id that may be used by higher-level protocols.

575	   The authentication protocol [SSH-USERAUTH] provides a suite of
576	   mechanisms which can be used to authenticate the client user to the
577	   server.  Individual mechanisms specified in the in authentication
578	   protocol use the session id provided by the transport protocol and/or
579	   depend on the security and integrity guarantees of the transport
580	   protocol.

582	   The connection protocol [SSH-CONNECT] specifies a mechanism to
583	   multiplex multiple streams (channels) of data over the confidential
584	   and authenticated transport.  It also specifies channels for
585	   accessing an interactive shell, for 'proxy-forwarding' various
586	   external protocols over the secure transport (including arbitrary
587	   TCP/IP protocols), and for accessing secure 'subsystems' on the
588	   server host.

590	9.1  Pseudo-Random Number Generation

592	   This protocol binds each session key to the session by including
593	   random, session specific data in the hash used to produce session
594	   keys.  Special care should be taken to ensure that all of the random
595	   numbers are of good quality.  If the random data here (e.g.,
596	   Diffie-Hellman (DH) parameters) are pseudo-random then the
597	   pseudo-random number generator should be cryptographically secure
598	   (i.e., its next output not easily guessed even when knowing all
599	   previous outputs) and, furthermore, proper entropy needs to be added
600	   to the pseudo-random number generator.  [RFC1750] offers suggestions
601	   for sources of random numbers and entropy.  Implementors should note
602	   the importance of entropy and the well-meant, anecdotal warning about
603	   the difficulty in properly implementing pseudo-random number
604	   generating functions.

606	   The amount of entropy available to a given client or server may
607	   sometimes be less than what is required.  In this case one must
608	   either resort to pseudo-random number generation regardless of
609	   insufficient entropy or refuse to run the protocol.  The latter is
610	   preferable.

612	9.2  Transport

614	9.2.1  Confidentiality

616	   It is beyond the scope of this document and the Secure Shell Working
617	   Group to analyze or recommend specific ciphers other than the ones
618	   which have been established and accepted within the industry.  At the
619	   time of this writing, ciphers commonly in use include 3DES, ARCFOUR,
620	   twofish, serpent and blowfish.  AES has been published by The US
621	   Federal Information Processing Standards as [FIPS-197] and the
622	   cryptographic community has accepted AES as well.  As always,
623	   implementors and users should check current literature to ensure that
624	   no recent vulnerabilities have been found in ciphers used within
625	   products.  Implementors should also check to see which ciphers are
626	   considered to be relatively stronger than others and should recommend
627	   their use to users over relatively weaker ciphers.  It would be
628	   considered good form for an implementation to politely and
629	   unobtrusively notify a user that a stronger cipher is available and
630	   should be used when a weaker one is actively chosen.

632	   The "none" cipher is provided for debugging and SHOULD NOT be used
633	   except for that purpose.  Its cryptographic properties are
634	   sufficiently described in [RFC2410], which will show that its use
635	   does not meet the intent of this protocol.

637	   The relative merits of these and other ciphers may also be found in
638	   current literature.  Two references that may provide information on
639	   the subject are [SCHNEIER] and [KAUFMAN,PERLMAN,SPECINER] Both of
640	   these describe the CBC mode of operation of certain ciphers and the
641	   weakness of this scheme.  Essentially, this mode is theoretically
642	   vulnerable to chosen cipher-text attacks because of the high
643	   predictability of the start of packet sequence.  However, this attack
644	   is deemed difficult and not considered fully practicable especially
645	   if relatively longer block sizes are used.

647	   Additionally, another CBC mode attack may be mitigated through the
648	   insertion of packets containing SSH_MSG_IGNORE.  Without this
649	   technique, a specific attack may be successful.  For this attack
650	   (commonly known as the Rogaway attack [ROGAWAY], [DAI],
651	   [BELLARE,KOHNO,NAMPREMPRE]) to work, the attacker would need to know
652	   the Initialization Vector (IV) of the next block that is going to be
653	   encrypted.  In CBC mode that is the output of the encryption of the
654	   previous block.  If the attacker does not have any way to see the
655	   packet yet (i.e., it is in the internal buffers of the SSH
656	   implementation or even in the kernel) then this attack will not work.
657	   If the last packet has been sent out to the network (i.e., the
658	   attacker has access to it) then he can use the attack.

660	   In the optimal case an implementor would need to add an extra packet
661	   only if the packet has been sent out onto the network and there are
662	   no other packets waiting for transmission.  Implementors may wish to
663	   check to see if there are any unsent packets awaiting transmission,
664	   but unfortunately it is not normally easy to obtain this information
665	   from the kernel or buffers.  If there are not, then a packet
666	   containing SSH_MSG_IGNORE SHOULD be sent.  If a new packet is added
667	   to the stream every time the attacker knows the IV that is supposed
668	   to be used for the next packet, then the attacker will not be able to
669	   guess the correct IV, thus the attack will never be successful.

671	   As an example, consider the following case:

673	      Client                                                  Server
674	      ------                                                  ------
675	      TCP(seq=x, len=500)             ---->
676	       contains Record 1

678	                          [500 ms passes, no ACK]

680	      TCP(seq=x, len=1000)            ---->
681	       contains Records 1,2

683	                                                                ACK

685	   1.  The Nagle algorithm + TCP retransmits mean that the two records
686	       get coalesced into a single TCP segment.
687	   2.  Record 2 is *not* at the beginning of the TCP segment and never
688	       will be, since it gets ACKed.
689	   3.  Yet, the attack is possible because Record 1 has already been
690	       seen.

692	   As this example indicates, it's totally unsafe to use the existence
693	   of unflushed data in the TCP buffers proper as a guide to whether you
694	   need an empty packet, since when you do the second write(), the
695	   buffers will contain the un-ACKed Record 1.

697	   On the other hand, it's perfectly safe to have the following
698	   situation:

700	      Client                                                  Server
701	      ------                                                  ------
702	      TCP(seq=x, len=500)             ---->
703	         contains SSH_MSG_IGNORE

705	      TCP(seq=y, len=500)             ---->
706	         contains Data

708	      Provided that the IV for the second SSH Record is fixed after the
709	      data for the Data packet is determined, then the following should
710	      be performed:
711	           read from user
712	           encrypt null packet
713	           encrypt data packet

715	9.2.2  Data Integrity

717	   This protocol does allow the Data Integrity mechanism to be disabled.
718	   Implementors SHOULD be wary of exposing this feature for any purpose
719	   other than debugging.  Users and administrators SHOULD be explicitly
720	   warned anytime the "none" MAC is enabled.

722	   So long as the "none" MAC is not used, this protocol provides data
723	   integrity.

725	   Because MACs use a 32-bit sequence number, they might start to leak
726	   information after 2**32 packets have been sent.  However, following
727	   the rekeying recommendations should prevent this attack.  The
728	   transport protocol [SSH-TRANS] recommends rekeying after one gigabyte
729	   of data, and the smallest possible packet is 16 bytes.  Therefore,
730	   rekeying SHOULD happen after 2**28 packets at the very most.

732	9.2.3  Replay

734	   The use of a MAC other than "none" provides integrity and
735	   authentication.  In addition, the transport protocol provides a
736	   unique session identifier (bound in part to pseudo-random data that
737	   is part of the algorithm and key exchange process) that can be used
738	   by higher level protocols to bind data to a given session and prevent
739	   replay of data from prior sessions.  For example: the authentication
740	   protocol uses this to prevent replay of signatures from previous
741	   sessions.  Because public key authentication exchanges are
742	   cryptographically bound to the session (i.e., to the initial key
743	   exchange) they cannot be successfully replayed in other sessions.
744	   Note that the session ID can be made public without harming the
745	   security of the protocol.

747	   If two sessions happen to have the same session ID (hash of key
748	   exchanges) then packets from one can be replayed against the other.
749	   It must be stressed that the chances of such an occurrence are,
750	   needless to say, minimal when using modern cryptographic methods.
751	   This is all the more so true when specifying larger hash function
752	   outputs and DH parameters.

754	   Replay detection using monotonically increasing sequence numbers as
755	   input to the MAC, or HMAC in some cases, is described in [RFC2085],
756	   [RFC2246], [RFC2743], [RFC1964], [RFC2025], and [RFC1510].  The
757	   underlying construct is discussed in [RFC2104].  Essentially a
758	   different sequence number in each packet ensures that at least this
759	   one input to the MAC function will be unique and will provide a
760	   nonrecurring MAC output that is not predictable to an attacker.  If
761	   the session stays active long enough, however, this sequence number
762	   will wrap.  This event may provide an attacker an opportunity to
763	   replay a previously recorded packet with an identical sequence number
764	   but only if the peers have not rekeyed since the transmission of the
765	   first packet with that sequence number.  If the peers have rekeyed,
766	   then the replay will be detected as the MAC check will fail.  For
767	   this reason, it must be emphasized that peers MUST rekey before a
768	   wrap of the sequence numbers.  Naturally, if an attacker does attempt
769	   to replay a captured packet before the peers have rekeyed, then the
770	   receiver of the duplicate packet will not be able to validate the MAC
771	   and it will be discarded.  The reason that the MAC will fail is
772	   because the receiver will formulate a MAC based upon the packet
773	   contents, the shared secret, and the expected sequence number.  Since
774	   the replayed packet will not be using that expected sequence number
775	   (the sequence number of the replayed packet will have already been
776	   passed by the receiver) then the calculated MAC will not match the
777	   MAC received with the packet.

779	9.2.4  Man-in-the-middle

781	   This protocol makes no assumptions nor provisions for an
782	   infrastructure or means for distributing the public keys of hosts.
783	   It is expected that this protocol will sometimes be used without
784	   first verifying the association between the server host key and the
785	   server host name.  Such usage is vulnerable to man-in-the-middle
786	   attacks.  This section describes this and encourages administrators
787	   and users to understand the importance of verifying this association
788	   before any session is initiated.

790	   There are three cases of man-in-the-middle attacks to consider.  The
791	   first is where an attacker places a device between the client and the
792	   server before the session is initiated.  In this case, the attack
793	   device is trying to mimic the legitimate server and will offer its
794	   public key to the client when the client initiates a session.  If it
795	   were to offer the public key of the server, then it would not be able
796	   to decrypt or sign the transmissions between the legitimate server
797	   and the client unless it also had access to the private-key of the
798	   host.  The attack device will also, simultaneously to this, initiate
799	   a session to the legitimate server masquerading itself as the client.
800	   If the public key of the server had been securely distributed to the
801	   client prior to that session initiation, the key offered to the
802	   client by the attack device will not match the key stored on the
803	   client.  In that case, the user SHOULD be given a warning that the
804	   offered host key does not match the host key cached on the client.
805	   As described in Section Host Keys (Section 4.1), the user may be free
806	   to accept the new key and continue the session.  It is RECOMMENDED
807	   that the warning provide sufficient information to the user of the
808	   client device so they may make an informed decision.  If the user
809	   chooses to continue the session with the stored public-key of the
810	   server (not the public-key offered at the start of the session), then
811	   the session specific data between the attacker and server will be
812	   different between the client-to-attacker session and the
813	   attacker-to-server sessions due to the randomness discussed above.
814	   From this, the attacker will not be able to make this attack work
815	   since the attacker will not be able to correctly sign packets
816	   containing this session specific data from the server since he does
817	   not have the private key of that server.

819	   The second case that should be considered is similar to the first
820	   case in that it also happens at the time of connection but this case
821	   points out the need for the secure distribution of server public
822	   keys.  If the server public keys are not securely distributed then
823	   the client cannot know if it is talking to the intended server.  An
824	   attacker may use social engineering techniques to pass off server
825	   keys to unsuspecting users and may then place a man-in-the-middle
826	   attack device between the legitimate server and the clients.  If this
827	   is allowed to happen then the clients will form client-to-attacker
828	   sessions and the attacker will form attacker-to-server sessions and
829	   will be able to monitor and manipulate all of the traffic between the
830	   clients and the legitimate servers.  Server administrators are
831	   encouraged to make host key fingerprints available for checking by
832	   some means whose security does not rely on the integrity of the
833	   actual host keys.  Possible mechanisms are discussed in Section Host
834	   Keys (Section 4.1) and may also include secured Web pages, physical
835	   pieces of paper, etc.  Implementors SHOULD provide recommendations on
836	   how best to do this with their implementation.  Because the protocol
837	   is extensible, future extensions to the protocol may provide better
838	   mechanisms for dealing with the need to know the server's host key
839	   before connecting.  For example: making the host key fingerprint
840	   available through a secure DNS lookup, or using Kerberos ([RFC1510])
841	   over GSS-API ([RFC1964]) during key exchange to authenticate the
842	   server are possibilities.

844	   In the third man-in-the-middle case, attackers may attempt to
845	   manipulate packets in transit between peers after the session has
846	   been established.  As described in the Replay part of this section, a
847	   successful attack of this nature is very improbable.  As in the
848	   Replay section, this reasoning does assume that the MAC is secure and
849	   that it is infeasible to construct inputs to a MAC algorithm to give
850	   a known output.  This is discussed in much greater detail in Section
851	   6 of [RFC2104].  If the MAC algorithm has a vulnerability or is weak
852	   enough, then the attacker may be able to specify certain inputs to
853	   yield a known MAC.  With that they may be able to alter the contents
854	   of a packet in transit.  Alternatively the attacker may be able to
855	   exploit the algorithm vulnerability or weakness to find the shared
856	   secret by reviewing the MACs from captured packets.  In either of
857	   those cases, an attacker could construct a packet or packets that
858	   could be inserted into an SSH stream.  To prevent that, implementors
859	   are encouraged to utilize commonly accepted MAC algorithms and
860	   administrators are encouraged to watch current literature and
861	   discussions of cryptography to ensure that they are not using a MAC
862	   algorithm that has a recently found vulnerability or weakness.

864	   In summary, the use of this protocol without a reliable association
865	   of the binding between a host and its host keys is inherently
866	   insecure and is NOT RECOMMENDED.  It may however be necessary in
867	   non-security critical environments, and will still provide protection
868	   against passive attacks.  Implementors of protocols and applications
869	   running on top of this protocol should keep this possibility in mind.

871	9.2.5  Denial-of-service

873	   This protocol is designed to be used over a reliable transport.  If
874	   transmission errors or message manipulation occur, the connection is
875	   closed.  The connection SHOULD be re-established if this occurs.
876	   Denial of service attacks of this type ("wire cutter") are almost
877	   impossible to avoid.

879	   In addition, this protocol is vulnerable to Denial of Service attacks
880	   because an attacker can force the server to go through the CPU and
881	   memory intensive tasks of connection setup and key exchange without
882	   authenticating.  Implementors SHOULD provide features that make this
883	   more difficult - for example: only allowing connections from a subset
884	   of IPs known to have valid users.

886	9.2.6  Covert Channels

888	   The protocol was not designed to eliminate covert channels.  For
889	   example, the padding, SSH_MSG_IGNORE messages, and several other
890	   places in the protocol can be used to pass covert information, and
891	   the recipient has no reliable way to verify whether such information
892	   is being sent.

894	9.2.7  Forward Secrecy

896	   It should be noted that the Diffie-Hellman key exchanges may provide
897	   perfect forward secrecy (PFS).  PFS is essentially defined as the
898	   cryptographic property of a key-establishment protocol in which the
899	   compromise of a session key or long-term private key after a given
900	   session does not cause the compromise of any earlier session.  [ANSI
901	   T1.523-2001]  SSH sessions resulting from a key exchange using the
902	   diffie-hellman methods described in the section "Diffie-Hellman Key
903	   Exchange" of [SSH-TRANS] (including diffie-hellman-group1-sha1 and
904	   diffie-hellman-group14-sha1) are secure even if private
905	   keying/authentication material is later revealed, but not if the
906	   session keys are revealed.  So, given this definition of PFS, SSH
907	   does have PFS.  This property is not commuted to any of the
908	   applications or protocols using SSH as a transport however.  The
909	   transport layer of SSH provides confidentiality for password
910	   authentication and other methods that rely on secret data.

912	   Of course, if the DH private parameters for the client and server are
913	   revealed then the session key is revealed, but these items can be
914	   thrown away after the key exchange completes.  It's worth pointing
915	   out that these items should not be allowed to end up on swap space
916	   and that they should be erased from memory as soon as the key
917	   exchange completes.

919	9.2.8  Ordering of Key Exchange Methods

921	   As stated in the section on "Algorithm Negotiation" of [SSH-TRANS],
922	   each device will send a list of preferred methods for key exchange.
923	   The most-preferred method is the first in the list.  It is
924	   RECOMMENDED to sort the algorithms by cryptographic strength,
925	   strongest first.  Some additional guidance for this is given in
926	   [RFC3766].

928	9.2.9  Traffic Analysis

930	   Passive monitoring of any protocol may give an attacker some
931	   information about the session, the user, or protocol specific
932	   information that they would otherwise not be able to garner.  For
933	   example, it has been shown that traffic analysis of an SSH session
934	   can yield information about the length of the password - [Openwall]
935	   and [USENIX].  Implementors should use the SSH_MSG_IGNORE packet
936	   along with the inclusion of random lengths of padding to thwart
937	   attempts of traffic analysis.  Other methods may also be found and
938	   implemented.

940	9.3  Authentication Protocol

942	   The purpose of this protocol is to perform client user
943	   authentication.  It assumes that this run over a secure transport
944	   layer protocol, which has already authenticated the server machine,
945	   established an encrypted communications channel, and computed a
946	   unique session identifier for this session.

948	   Several authentication methods with different security
949	   characteristics are allowed.  It is up to the server's local policy
950	   to decide which methods (or combinations of methods) it is willing to
951	   accept for each user.  Authentication is no stronger than the weakest
952	   combination allowed.

954	   The server may go into a "sleep" period after repeated unsuccessful
955	   authentication attempts to make key search more difficult for
956	   attackers.  Care should be taken so that this doesn't become a
957	   self-denial of service vector.

959	9.3.1  Weak Transport

961	   If the transport layer does not provide confidentiality,
962	   authentication methods that rely on secret data SHOULD be disabled.
963	   If it does not provide strong integrity protection, requests to
964	   change authentication data (e.g., a password change) SHOULD be
965	   disabled to prevent an attacker from modifying the ciphertext without
966	   being noticed, or rendering the new authentication data unusable
967	   (denial of service).

969	   The assumption as stated above that the Authentication Protocol only
970	   run over a secure transport that has previously authenticated the
971	   server is very important to note.  People deploying SSH are reminded
972	   of the consequences of man-in-the-middle attacks if the client does
973	   not have a very strong a priori association of the server with the
974	   host key of that server.  Specifically for the case of the
975	   Authentication Protocol the client may form a session to a
976	   man-in-the-middle attack device and divulge user credentials such as
977	   their username and password.  Even in the cases of authentication
978	   where no user credentials are divulged, an attacker may still gain
979	   information they shouldn't have by capturing key-strokes in much the
980	   same way that a honeypot works.

982	9.3.2  Debug Messages

984	   Special care should be taken when designing debug messages.  These
985	   messages may reveal surprising amounts of information about the host
986	   if not properly designed.  Debug messages can be disabled (during
987	   user authentication phase) if high security is required.
988	   Administrators of host machines should make all attempts to
989	   compartmentalize all event notification messages and protect them
990	   from unwarranted observation.  Developers should be aware of the
991	   sensitive nature of some of the normal event messages and debug
992	   messages and may want to provide guidance to administrators on ways
993	   to keep this information away from unauthorized people.  Developers
994	   should consider minimizing the amount of sensitive information
995	   obtainable by users during the authentication phase in accordance
996	   with the local policies.  For this reason, it is RECOMMENDED that
997	   debug messages be initially disabled at the time of deployment and
998	   require an active decision by an administrator to allow them to be
999	   enabled.  It is also RECOMMENDED that a message expressing this
1000	   concern be presented to the administrator of a system when the action
1001	   is taken to enable debugging messages.

1003	9.3.3  Local Security Policy

1005	   Implementer MUST ensure that the credentials provided validate the
1006	   professed user and also MUST ensure that the local policy of the
1007	   server permits the user the access requested.  In particular, because
1008	   of the flexible nature of the SSH connection protocol, it may not be
1009	   possible to determine the local security policy, if any, that should
1010	   apply at the time of authentication because the kind of service being
1011	   requested is not clear at that instant.  For example: local policy
1012	   might allow a user to access files on the server, but not start an
1013	   interactive shell.  However, during the authentication protocol, it
1014	   is not known whether the user will be accessing files or attempting
1015	   to use an interactive shell, or even both.  In any event, where local
1016	   security policy for the server host exists, it MUST be applied and
1017	   enforced correctly.

1019	   Implementors are encouraged to provide a default local policy and
1020	   make its parameters known to administrators and users.  At the
1021	   discretion of the implementors, this default policy may be along the
1022	   lines of 'anything goes' where there are no restrictions placed upon
1023	   users, or it may be along the lines of 'excessively restrictive' in
1024	   which case the administrators will have to actively make changes to
1025	   this policy to meet their needs.  Alternatively, it may be some
1026	   attempt at providing something practical and immediately useful to
1027	   the administrators of the system so they don't have to put in much
1028	   effort to get SSH working.  Whatever choice is made MUST be applied
1029	   and enforced as required above.

1031	9.3.4  Public Key Authentication

1033	   The use of public-key authentication assumes that the client host has
1034	   not been compromised.  It also assumes that the private-key of the
1035	   server host has not been compromised.

1037	   This risk can be mitigated by the use of passphrases on private keys;
1038	   however, this is not an enforceable policy.  The use of smartcards,
1039	   or other technology to make passphrases an enforceable policy is
1040	   suggested.

1042	   The server could require both password and public-key authentication,
1043	   however, this requires the client to expose its password to the
1044	   server (see section on password authentication below.)

1046	9.3.5  Password Authentication

1048	   The password mechanism as specified in the authentication protocol
1049	   assumes that the server has not been compromised.  If the server has
1050	   been compromised, using password authentication will reveal a valid
1051	   username / password combination to the attacker, which may lead to
1052	   further compromises.

1054	   This vulnerability can be mitigated by using an alternative form of
1055	   authentication.  For example: public-key authentication makes no
1056	   assumptions about security on the server.

1058	9.3.6  Host Based Authentication

1060	   Host based authentication assumes that the client has not been
1061	   compromised.  There are no mitigating strategies, other than to use
1062	   host based authentication in combination with another authentication
1063	   method.

1065	9.4  Connection Protocol

1067	9.4.1  End Point Security

1069	   End point security is assumed by the connection protocol.  If the
1070	   server has been compromised, any terminal sessions, port forwarding,
1071	   or systems accessed on the host are compromised.  There are no
1072	   mitigating factors for this.

1074	   If the client end point has been compromised, and the server fails to
1075	   stop the attacker at the authentication protocol, all services
1076	   exposed (either as subsystems or through forwarding) will be
1077	   vulnerable to attack.  Implementors SHOULD provide mechanisms for
1078	   administrators to control which services are exposed to limit the
1079	   vulnerability of other services.

1081	   These controls might include controlling which machines and ports can
1082	   be target in 'port-forwarding' operations, which users are allowed to
1083	   use interactive shell facilities, or which users are allowed to use
1084	   exposed subsystems.

1086	9.4.2  Proxy Forwarding

1088	   The SSH connection protocol allows for proxy forwarding of other
1089	   protocols such as SNMP, POP3, and HTTP.  This may be a concern for
1090	   network administrators who wish to control the access of certain
1091	   applications by users located outside of their physical location.
1092	   Essentially, the forwarding of these protocols may violate site
1093	   specific security policies as they may be undetectably tunneled
1094	   through a firewall.  Implementors SHOULD provide an administrative
1095	   mechanism to control the proxy forwarding functionality so that site
1096	   specific security policies may be upheld.

1098	   In addition, a reverse proxy forwarding functionality is available,
1099	   which again can be used to bypass firewall controls.

1101	   As indicated above, end-point security is assumed during proxy
1102	   forwarding operations.  Failure of end-point security will compromise
1103	   all data passed over proxy forwarding.

1105	9.4.3  X11 Forwarding

1107	   Another form of proxy forwarding provided by the SSH connection
1108	   protocol is the forwarding of the X11 protocol.  If end-point
1109	   security has been compromised, X11 forwarding may allow attacks
1110	   against the X11 server.  Users and administrators should, as a matter
1111	   of course, use appropriate X11 security mechanisms to prevent
1112	   unauthorized use of the X11 server.  Implementors, administrators and
1113	   users who wish to further explore the security mechanisms of X11 are
1114	   invited to read [SCHEIFLER] and analyze previously reported problems
1115	   with the interactions between SSH forwarding and X11 in CERT
1116	   vulnerabilities VU#363181 and VU#118892 [CERT].

1118	   X11 display forwarding with SSH, by itself, is not sufficient to
1119	   correct well known problems with X11 security [VENEMA].  However, X11
1120	   display forwarding in SSH (or other secure protocols), combined with
1121	   actual and pseudo-displays which accept connections only over local
1122	   IPC mechanisms authorized by permissions or access control lists
1123	   (ACLs), does correct many X11 security problems as long as the "none"
1124	   MAC is not used.  It is RECOMMENDED that X11 display implementations
1125	   default to allowing display opens only over local IPC.  It is
1126	   RECOMMENDED that SSH server implementations that support X11
1127	   forwarding default to allowing display opens only over local IPC.  On
1128	   single-user systems it might be reasonable to default to allowing
1129	   local display opens over TCP/IP.

1131	   Implementors of the X11 forwarding protocol SHOULD implement the
1132	   magic cookie access checking spoofing mechanism as described in
1133	   [SSH-CONNECT] as an additional mechanism to prevent unauthorized use
1134	   of the proxy.

1136	10.  References

1138	10.1  Normative References

1140	   [SSH-TRANS]
1141	              Lonvick, C., "SSH Transport Layer Protocol",
1142	              I-D draft-ietf-secsh-transport-24.txt, March 2005.

1144	   [SSH-USERAUTH]
1145	              Lonvick, C., "SSH Authentication Protocol",
1146	              I-D draft-ietf-secsh-userauth-27.txt, March 2005.

1148	   [SSH-CONNECT]
1149	              Lonvick, C., "SSH Connection Protocol",
1150	              I-D draft-ietf-secsh-connect-25.txt, March 2005.

1152	   [SSH-NUMBERS]
1153	              Lonvick, C., "SSH Protocol Assigned Numbers",
1154	              I-D draft-ietf-secsh-assignednumbers-12.txt, March 2005.

1156	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1157	              Requirement Levels", BCP 14, RFC 2119, March 1997.

1159	   [RFC2434]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
1160	              IANA Considerations Section in RFCs", BCP 26, RFC 2434,
1161	              October 1998.

1163	   [RFC3066]  Alvestrand, H., "Tags for the Identification of
1164	              Languages", BCP 47, RFC 3066, January 2001.

1166	   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
1167	              10646", STD 63, RFC 3629, November 2003.

1169	10.2  Informative References

1171	   [RFC0822]  Crocker, D., "Standard for the format of ARPA Internet
1172	              text messages", STD 11, RFC 822, August 1982.

1174	   [RFC0854]  Postel, J. and J. Reynolds, "Telnet Protocol
1175	              Specification", STD 8, RFC 854, May 1983.

1177	   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
1178	              STD 13, RFC 1034, November 1987.

1180	   [RFC1282]  Kantor, B., "BSD Rlogin", RFC 1282, December 1991.

1182	   [RFC1510]  Kohl, J. and B. Neuman, "The Kerberos Network
1183	              Authentication Service (V5)", RFC 1510, September 1993.

1185	   [RFC1750]  Eastlake, D., Crocker, S. and J. Schiller, "Randomness
1186	              Recommendations for Security", RFC 1750, December 1994.

1188	   [RFC1964]  Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
1189	              RFC 1964, June 1996.

1191	   [RFC2025]  Adams, C., "The Simple Public-Key GSS-API Mechanism
1192	              (SPKM)", RFC 2025, October 1996.

1194	   [RFC2085]  Oehler, M. and R. Glenn, "HMAC-MD5 IP Authentication with
1195	              Replay Prevention", RFC 2085, February 1997.

1197	   [RFC2104]  Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:
1198	              Keyed-Hashing for Message Authentication", RFC 2104,
1199	              February 1997.

1201	   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
1202	              RFC 2246, January 1999.

1204	   [RFC2410]  Glenn, R. and S. Kent, "The NULL Encryption Algorithm and
1205	              Its Use With IPsec", RFC 2410, November 1998.

1207	   [RFC2743]  Linn, J., "Generic Security Service Application Program
1208	              Interface Version 2, Update 1", RFC 2743, January 2000.

1210	   [RFC3766]  Orman, H. and P. Hoffman, "Determining Strengths For
1211	              Public Keys Used For Exchanging Symmetric Keys", BCP 86,
1212	              RFC 3766, April 2004.

1214	   [FIPS-180-2]
1215	              National Institute of Standards and Technology, "Secure
1216	              Hash Standard (SHS)", Federal Information Processing
1217	              Standards Publication 180-2, August 2002.

1219	   [FIPS-186-2]
1220	              National Institute of Standards and Technology, "Digital
1221	              Signature Standard (DSS)", Federal Information Processing
1222	              Standards Publication 186-2, January 2000.

1224	   [FIPS-197]
1225	              National Institure of Standards and Technology, "Advanced
1226	              Encryption Standard (AES)", Federal Information Processing
1227	              Standards Publication 197, November 2001.

1229	   [ANSI T1.523-2001]
1230	              American National Standards Institute, Inc.>, "Telecom
1231	              Glossary 2000", ANSI T1.523-2001, February 2001.

1233	   [SCHNEIER]
1234	              Schneier, B., "Applied Cryptography Second Edition:
1235	              protocols algorithms and source in code in C", 1996.

1237	   [SCHEIFLER]
1238	              Scheifler, R., "X Window System : The Complete Reference
1239	              to Xlib, X Protocol, Icccm, Xlfd, 3rd edition.", Digital
1240	              Press ISBN 1555580882, February 1992.

1242	   [KAUFMAN,PERLMAN,SPECINER]
1243	              Kaufman, C., Perlman, R. and M. Speciner, "Network
1244	              Security: PRIVATE Communication in a PUBLIC World", 1995.

1246	   [CERT]     CERT Coordination Center, The.,
1247	              "http://www.cert.org/nav/index_red.html".

1249	   [VENEMA]   Venema, W., "Murphy's Law and Computer Security",
1250	              Proceedings of 6th USENIX Security Symposium, San Jose
1251	              CA http://www.usenix.org/publications/library/proceedings/
1252	              sec96/venema.html, July 1996.

1254	   [ROGAWAY]  Rogaway, P., "Problems with Proposed IP Cryptography",
1255	              Unpublished paper http://www.cs.ucdavis.edu/~rogaway/
1256	              papers/draft-rogaway-ipsec-comments-00.txt, 1996.

1258	   [DAI]      Dai, W., "An attack against SSH2 protocol", Email to the
1259	              SECSH Working Group ietf-ssh@netbsd.org ftp://
1260	              ftp.ietf.org/ietf-mail-archive/secsh/2002-02.mail, Feb
1261	              2002.

1263	   [BELLARE,KOHNO,NAMPREMPRE]
1264	              Bellaire, M., Kohno, T. and C. Namprempre, "Authenticated
1265	              Encryption in SSH: Fixing the SSH Binary Packet Protocol",
1266	              Proceedings of the 9th ACM Conference on Computer and
1267	              Communications Security, Sept 2002.

1269	   [Openwall]
1270	              Solar Designer and D. Song, "SSH Traffic Analysis
1271	              Attacks", Presentation given at HAL2001 and NordU2002
1272	              Conferences, Sept 2001.

1274	   [USENIX]   Song, X.D., Wagner, D. and X. Tian, "Timing Analysis of
1275	              Keystrokes and SSH Timing Attacks", Paper given at 10th
1276	              USENIX Security Symposium, 2001.

1278	Authors' Addresses

1280	   Tatu Ylonen
1281	   SSH Communications Security Corp
1282	   Fredrikinkatu 42
1283	   HELSINKI  FIN-00100
1284	   Finland

1286	   Email: ylo@ssh.com

1288	   Chris Lonvick (editor)
1289	   Cisco Systems, Inc.
1290	   12515 Research Blvd.
1291	   Austin  78759
1292	   USA

1294	   Email: clonvick@cisco.com

1296	Appendix A.  Trademark Notice

1298	   "ssh" is a registered trademark in the United States and/or other
1299	   countries.

1301	   Note to the RFC Editor: This should be a separate section like the
1302	   subsequent ones, and not an appendix.  This paragraph to be removed
1303	   before publication.

1305	Intellectual Property Statement

1307	   The IETF takes no position regarding the validity or scope of any
1308	   Intellectual Property Rights or other rights that might be claimed to
1309	   pertain to the implementation or use of the technology described in
1310	   this document or the extent to which any license under such rights
1311	   might or might not be available; nor does it represent that it has
1312	   made any independent effort to identify any such rights.  Information
1313	   on the procedures with respect to rights in RFC documents can be
1314	   found in BCP 78 and BCP 79.

1316	   Copies of IPR disclosures made to the IETF Secretariat and any
1317	   assurances of licenses to be made available, or the result of an
1318	   attempt made to obtain a general license or permission for the use of
1319	   such proprietary rights by implementers or users of this
1320	   specification can be obtained from the IETF on-line IPR repository at
1321	   http://www.ietf.org/ipr.

1323	   The IETF invites any interested party to bring to its attention any
1324	   copyrights, patents or patent applications, or other proprietary
1325	   rights that may cover technology that may be required to implement
1326	   this standard.  Please address the information to the IETF at
1327	   ietf-ipr@ietf.org.

1329	   The IETF has been notified of intellectual property rights claimed in
1330	   regard to some or all of the specification contained in this
1331	   document.  For more information consult the online list of claimed
1332	   rights.

1334	Disclaimer of Validity

1336	   This document and the information contained herein are provided on an
1337	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1338	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1339	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1340	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1341	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1342	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1344	Copyright Statement

1346	   Copyright (C) The Internet Society (2005).  This document is subject
1347	   to the rights, licenses and restrictions contained in BCP 78, and
1348	   except as set forth therein, the authors retain all their rights.

1350	Acknowledgment

1352	   Funding for the RFC Editor function is currently provided by the
1353	   Internet Society.