idnits 2.17.1 

draft-ietf-secsh-architecture-17.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1.a on line 16.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1317.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1289.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1296.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1302.

  ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure
     Acknowledgement. 

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.

  ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate
     instead of verbatim RFC 3978 boilerplate.  After 6 May 2005, submission
     of drafts without verbatim RFC 3978 boilerplate is not accepted.

     The following non-3978 patterns matched text found in the document. 
     That text should be removed or replaced:

        This document is an Internet-Draft and is subject to all provisions of
        Section 3 of RFC 3667.

        By submitting this Internet-Draft, each author represents that any
        applicable patent or other IPR claims of which he or she is aware
        have been or will be disclosed, and any of which he or she
        becomes aware will be disclosed, in accordance with Section 6 of
        BCP 79.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (October 24, 2004) is 7123 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'KAUFMAN' is mentioned on line 648, but not defined

  == Missing Reference: 'PERLMAN' is mentioned on line 648, but not defined

  == Missing Reference: 'SPECINER' is mentioned on line 648, but not defined

  == Missing Reference: 'BELLARE' is mentioned on line 660, but not defined

  == Missing Reference: 'KOHNO' is mentioned on line 660, but not defined

  == Missing Reference: 'NAMPREMPRE' is mentioned on line 660, but not defined

  == Unused Reference: 'KAUFMAN,PERLMAN,SPECINER' is defined on line 1244,
     but no explicit reference was found in the text

  == Unused Reference: 'BELLARE,KOHNO,NAMPREMPRE' is defined on line 1265,
     but no explicit reference was found in the text

  -- No information found for draft-ietf-transport - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'SSH-TRANS' 

  -- No information found for draft-ietf-userauth - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'SSH-USERAUTH' 

  -- No information found for draft-ietf-connect - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'SSH-CONNECT' 

  -- No information found for draft-ietf-assignednumbers - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. 'SSH-NUMBERS' 

  -- Obsolete informational reference (is this intentional?): RFC  822
     (Obsoleted by RFC 2822)

  -- Obsolete informational reference (is this intentional?): RFC 1134
     (Obsoleted by RFC 1171)

  -- Obsolete informational reference (is this intentional?): RFC 1510
     (Obsoleted by RFC 4120, RFC 6649)

  -- Obsolete informational reference (is this intentional?): RFC 1750
     (Obsoleted by RFC 4086)

  -- Obsolete informational reference (is this intentional?): RFC 2246
     (Obsoleted by RFC 4346)

  -- Obsolete informational reference (is this intentional?): RFC 2434
     (Obsoleted by RFC 5226)

  -- Obsolete informational reference (is this intentional?): RFC 3066
     (Obsoleted by RFC 4646, RFC 4647)


     Summary: 5 errors (**), 0 flaws (~~), 11 warnings (==), 22 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                    C. Lonvick, Ed.
3	Internet-Draft                                        Cisco Systems, Inc
4	Expires: April 24, 2005                                 October 24, 2004

6	                       SSH Protocol Architecture
7	                  draft-ietf-secsh-architecture-17.txt

9	Status of this Memo

11	   This document is an Internet-Draft and is subject to all provisions
12	   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
13	   author represents that any applicable patent or other IPR claims of
14	   which he or she is aware have been or will be disclosed, and any of
15	   which he or she become aware will be disclosed, in accordance with
16	   RFC 3668.

18	   Internet-Drafts are working documents of the Internet Engineering
19	   Task Force (IETF), its areas, and its working groups.  Note that
20	   other groups may also distribute working documents as
21	   Internet-Drafts.

23	   Internet-Drafts are draft documents valid for a maximum of six months
24	   and may be updated, replaced, or obsoleted by other documents at any
25	   time.  It is inappropriate to use Internet-Drafts as reference
26	   material or to cite them other than as "work in progress."

28	   The list of current Internet-Drafts can be accessed at
29	   http://www.ietf.org/ietf/1id-abstracts.txt.

31	   The list of Internet-Draft Shadow Directories can be accessed at
32	   http://www.ietf.org/shadow.html.

34	   This Internet-Draft will expire on April 24, 2005.

36	Copyright Notice

38	   Copyright (C) The Internet Society (2004).

40	Abstract

42	   SSH is a protocol for secure remote login and other secure network
43	   services over an insecure network.  This document describes the
44	   architecture of the SSH protocol, as well as the notation and
45	   terminology used in SSH protocol documents.  It also discusses the
46	   SSH algorithm naming system that allows local extensions.  The SSH
47	   protocol consists of three major components: The Transport Layer
48	   Protocol provides server authentication, confidentiality, and
49	   integrity with perfect forward secrecy.  The User Authentication
50	   Protocol authenticates the client to the server.  The Connection
51	   Protocol multiplexes the encrypted tunnel into several logical
52	   channels.  Details of these protocols are described in separate
53	   documents.

55	Table of Contents

57	   1.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . .  3
58	   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
59	   3.  Specification of Requirements  . . . . . . . . . . . . . . . .  3
60	   4.  Architecture . . . . . . . . . . . . . . . . . . . . . . . . .  4
61	     4.1   Host Keys  . . . . . . . . . . . . . . . . . . . . . . . .  4
62	     4.2   Extensibility  . . . . . . . . . . . . . . . . . . . . . .  5
63	     4.3   Policy Issues  . . . . . . . . . . . . . . . . . . . . . .  6
64	     4.4   Security Properties  . . . . . . . . . . . . . . . . . . .  6
65	     4.5   Packet Size and Overhead . . . . . . . . . . . . . . . . .  7
66	     4.6   Localization and Character Set Support . . . . . . . . . .  7
67	   5.  Data Type Representations Used in the SSH Protocols  . . . . .  8
68	   6.  Algorithm and Method Naming  . . . . . . . . . . . . . . . . . 10
69	   7.  Message Numbers  . . . . . . . . . . . . . . . . . . . . . . . 11
70	   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
71	   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
72	     9.1   Pseudo-Random Number Generation  . . . . . . . . . . . . . 13
73	     9.2   Transport  . . . . . . . . . . . . . . . . . . . . . . . . 14
74	       9.2.1   Confidentiality  . . . . . . . . . . . . . . . . . . . 14
75	       9.2.2   Data Integrity . . . . . . . . . . . . . . . . . . . . 16
76	       9.2.3   Replay . . . . . . . . . . . . . . . . . . . . . . . . 16
77	       9.2.4   Man-in-the-middle  . . . . . . . . . . . . . . . . . . 17
78	       9.2.5   Denial-of-service  . . . . . . . . . . . . . . . . . . 19
79	       9.2.6   Covert Channels  . . . . . . . . . . . . . . . . . . . 20
80	       9.2.7   Forward Secrecy  . . . . . . . . . . . . . . . . . . . 20
81	       9.2.8   Ordering of Key Exchange Methods . . . . . . . . . . . 20
82	     9.3   Authentication Protocol  . . . . . . . . . . . . . . . . . 20
83	       9.3.1   Weak Transport . . . . . . . . . . . . . . . . . . . . 21
84	       9.3.2   Debug Messages . . . . . . . . . . . . . . . . . . . . 21
85	       9.3.3   Local Security Policy  . . . . . . . . . . . . . . . . 22
86	       9.3.4   Public Key Authentication  . . . . . . . . . . . . . . 22
87	       9.3.5   Password Authentication  . . . . . . . . . . . . . . . 23
88	       9.3.6   Host Based Authentication  . . . . . . . . . . . . . . 23
89	     9.4   Connection Protocol  . . . . . . . . . . . . . . . . . . . 23
90	       9.4.1   End Point Security . . . . . . . . . . . . . . . . . . 23
91	       9.4.2   Proxy Forwarding . . . . . . . . . . . . . . . . . . . 24
92	       9.4.3   X11 Forwarding . . . . . . . . . . . . . . . . . . . . 24
93	   10.   References . . . . . . . . . . . . . . . . . . . . . . . . . 25
94	   10.1  Normative References . . . . . . . . . . . . . . . . . . . . 25
95	   10.2  Informative References . . . . . . . . . . . . . . . . . . . 25
96	       Author's Address . . . . . . . . . . . . . . . . . . . . . . . 27
97	       Intellectual Property and Copyright Statements . . . . . . . . 29

99	1.  Contributors

101	   The major original contributors of this document were: Tatu Ylonen,
102	   Tero Kivinen, Timo J.  Rinne, Sami Lehtinen (all of SSH
103	   Communications Security Corp), and Markku-Juhani O.  Saarinen
104	   (University of Jyvaskyla).  Darren Moffit was the original editor of
105	   this document and also made very substantial contributions.

107	   Additional contributors to this document include [need list].
108	   Listing their names here does not mean that they endorse this
109	   document, but that they have contributed to it.

111	   Comments on this internet draft should be sent to the IETF SECSH
112	   working group, details at:
113	   http://ietf.org/html.charters/secsh-charter.html Note: This paragraph
114	   will be removed before this document progresses to become an RFC.

116	2.  Introduction

118	   SSH is a protocol for secure remote login and other secure network
119	   services over an insecure network.  It consists of three major
120	   components:
121	   o  The Transport Layer Protocol [SSH-TRANS] provides server
122	      authentication, confidentiality, and integrity.  It may optionally
123	      also provide compression.  The transport layer will typically be
124	      run over a TCP/IP connection, but might also be used on top of any
125	      other reliable data stream.
126	   o  The User Authentication Protocol [SSH-USERAUTH] authenticates the
127	      client-side user to the server.  It runs over the transport layer
128	      protocol.
129	   o  The Connection Protocol [SSH-CONNECT] multiplexes the encrypted
130	      tunnel into several logical channels.  It runs over the user
131	      authentication protocol.

133	   The client sends a service request once a secure transport layer
134	   connection has been established.  A second service request is sent
135	   after user authentication is complete.  This allows new protocols to
136	   be defined and coexist with the protocols listed above.

138	   The connection protocol provides channels that can be used for a wide
139	   range of purposes.  Standard methods are provided for setting up
140	   secure interactive shell sessions and for forwarding ("tunneling")
141	   arbitrary TCP/IP ports and X11 connections.

143	3.  Specification of Requirements

145	   All documents related to the SSH protocols shall use the keywords
146	   "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
147	   "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" to describe
148	   requirements.  These keywords are to be interpreted as described in
149	   [RFC2119].

151	   All documents related to the SSH protocols shall use the keywords
152	   "PRIVATE USE", "HIERARCHICAL ALLOCATION", "FIRST COME FIRST SERVED",
153	   "EXPERT REVIEW", "SPECIFICATION REQUIRED", "IESG APPROVAL", "IETF
154	   CONSENSUS", and "STANDARDS ACTION" to describe namespace allocation.
155	   These keywords are to be interpreted as described in [RFC2434].

157	4.  Architecture

159	4.1  Host Keys

161	   Each server host SHOULD have a host key.  Hosts MAY have multiple
162	   host keys using multiple different algorithms.  Multiple hosts MAY
163	   share the same host key.  If a host has keys at all, it MUST have at
164	   least one key using each REQUIRED public key algorithm (DSS
165	   [FIPS-186-2]).

167	   The server host key is used during key exchange to verify that the
168	   client is really talking to the correct server.  For this to be
169	   possible, the client must have a priori knowledge of the server's
170	   public host key.

172	   Two different trust models can be used:
173	   o  The client has a local database that associates each host name (as
174	      typed by the user) with the corresponding public host key.  This
175	      method requires no centrally administered infrastructure, and no
176	      third-party coordination.  The downside is that the database of
177	      name-to-key associations may become burdensome to maintain.
178	   o  The host name-to-key association is certified by some trusted
179	      certification authority (CA).  The client only knows the CA root
180	      key, and can verify the validity of all host keys certified by
181	      accepted CAs.

183	   The second alternative eases the maintenance problem, since ideally
184	   only a single CA key needs to be securely stored on the client.  On
185	   the other hand, each host key must be appropriately certified by a
186	   central authority before authorization is possible.  Also, a lot of
187	   trust is placed on the central infrastructure.

189	   The protocol provides the option that the server name - host key
190	   association is not checked when connecting to the host for the first
191	   time.  This allows communication without prior communication of host
192	   keys or certification.  The connection still provides protection
193	   against passive listening; however, it becomes vulnerable to active
194	   man-in-the-middle attacks.  Implementations SHOULD NOT normally allow
195	   such connections by default, as they pose a potential security
196	   problem.  However, as there is no widely deployed key infrastructure
197	   available on the Internet yet, this option makes the protocol much
198	   more usable during the transition time until such an infrastructure
199	   emerges, while still providing a much higher level of security than
200	   that offered by older solutions (e.g.  telnet [RFC0854] and rlogin
201	   [RFC1282]).

203	   Implementations SHOULD try to make the best effort to check host
204	   keys.  An example of a possible strategy is to only accept a host key
205	   without checking the first time a host is connected, save the key in
206	   a local database, and compare against that key on all future
207	   connections to that host.

209	   Implementations MAY provide additional methods for verifying the
210	   correctness of host keys, e.g., a hexadecimal fingerprint derived
211	   from the SHA-1 hash of the public key.  Such fingerprints can easily
212	   be verified by using telephone or other external communication
213	   channels.

215	   All implementations SHOULD provide an option to not accept host keys
216	   that cannot be verified.

218	   The members of this Working Group believe that 'ease of use' is
219	   critical to end-user acceptance of security solutions, and no
220	   improvement in security is gained if the new solutions are not used.
221	   Thus, providing the option not to check the server host key is
222	   believed to improve the overall security of the Internet, even though
223	   it reduces the security of the protocol in configurations where it is
224	   allowed.

226	4.2  Extensibility

228	   We believe that the protocol will evolve over time, and some
229	   organizations will want to use their own encryption, authentication
230	   and/or key exchange methods.  Central registration of all extensions
231	   is cumbersome, especially for experimental or classified features.
232	   On the other hand, having no central registration leads to conflicts
233	   in method identifiers, making interoperability difficult.

235	   We have chosen to identify algorithms, methods, formats, and
236	   extension protocols with textual names that are of a specific format.
237	   DNS names are used to create local namespaces where experimental or
238	   classified extensions can be defined without fear of conflicts with
239	   other implementations.

241	   One design goal has been to keep the base protocol as simple as
242	   possible, and to require as few algorithms as possible.  However, all
243	   implementations MUST support a minimal set of algorithms to ensure
244	   interoperability (this does not imply that the local policy on all
245	   hosts would necessary allow these algorithms).  The mandatory
246	   algorithms are specified in the relevant protocol documents.

248	   Additional algorithms, methods, formats, and extension protocols can
249	   be defined in separate drafts.  See Section Algorithm Naming (Section
250	   6) for more information.

252	4.3  Policy Issues

254	   The protocol allows full negotiation of encryption, integrity, key
255	   exchange, compression, and public key algorithms and formats.
256	   Encryption, integrity, public key, and compression algorithms can be
257	   different for each direction.

259	   The following policy issues SHOULD be addressed in the configuration
260	   mechanisms of each implementation:
261	   o  Encryption, integrity, and compression algorithms, separately for
262	      each direction.  The policy MUST specify which is the preferred
263	      algorithm (e.g., the first algorithm listed in each category).
264	   o  Public key algorithms and key exchange method to be used for host
265	      authentication.  The existence of trusted host keys for different
266	      public key algorithms also affects this choice.
267	   o  The authentication methods that are to be required by the server
268	      for each user.  The server's policy MAY require multiple
269	      authentication for some or all users.  The required algorithms MAY
270	      depend on the location where the user is trying to log in from.
271	   o  The operations that the user is allowed to perform using the
272	      connection protocol.  Some issues are related to security; for
273	      example, the policy SHOULD NOT allow the server to start sessions
274	      or run commands on the client machine, and MUST NOT allow
275	      connections to the authentication agent unless forwarding such
276	      connections has been requested.  Other issues, such as which
277	      TCP/IP ports can be forwarded and by whom, are clearly issues of
278	      local policy.  Many of these issues may involve traversing or
279	      bypassing firewalls, and are interrelated with the local security
280	      policy.

282	4.4  Security Properties

284	   The primary goal of the SSH protocol is to improve security on the
285	   Internet.  It attempts to do this in a way that is easy to deploy,
286	   even at the cost of absolute security.
287	   o  All encryption, integrity, and public key algorithms used are
288	      well-known, well-established algorithms.
289	   o  All algorithms are used with cryptographically sound key sizes
290	      that are believed to provide protection against even the strongest
291	      cryptanalytic attacks for decades.
292	   o  All algorithms are negotiated, and in case some algorithm is
293	      broken, it is easy to switch to some other algorithm without
294	      modifying the base protocol.

296	   Specific concessions were made to make wide-spread fast deployment
297	   easier.  The particular case where this comes up is verifying that
298	   the server host key really belongs to the desired host; the protocol
299	   allows the verification to be left out, but this is NOT RECOMMENDED.
300	   This is believed to significantly improve usability in the short
301	   term, until widespread Internet public key infrastructures emerge.

303	4.5  Packet Size and Overhead

305	   Some readers will worry about the increase in packet size due to new
306	   headers, padding, and Message Authentication Code (MAC).  The minimum
307	   packet size is in the order of 28 bytes (depending on negotiated
308	   algorithms).  The increase is negligible for large packets, but very
309	   significant for one-byte packets (telnet-type sessions).  There are,
310	   however, several factors that make this a non-issue in almost all
311	   cases:
312	   o  The minimum size of a TCP/IP header is 32 bytes.  Thus, the
313	      increase is actually from 33 to 51 bytes (roughly).
314	   o  The minimum size of the data field of an Ethernet packet is 46
315	      bytes [RFC0894].  Thus, the increase is no more than 5 bytes.
316	      When Ethernet headers are considered, the increase is less than 10
317	      percent.
318	   o  The total fraction of telnet-type data in the Internet is
319	      negligible, even with increased packet sizes.

321	   The only environment where the packet size increase is likely to have
322	   a significant effect is PPP [RFC1134] over slow modem lines (PPP
323	   compresses the TCP/IP headers, emphasizing the increase in packet
324	   size).  However, with modern modems, the time needed to transfer is
325	   in the order of 2 milliseconds, which is a lot faster than people can
326	   type.

328	   There are also issues related to the maximum packet size.  To
329	   minimize delays in screen updates, one does not want excessively
330	   large packets for interactive sessions.  The maximum packet size is
331	   negotiated separately for each channel.

333	4.6  Localization and Character Set Support

335	   For the most part, the SSH protocols do not directly pass text that
336	   would be displayed to the user.  However, there are some places where
337	   such data might be passed.  When applicable, the character set for
338	   the data MUST be explicitly specified.  In most places, ISO 10646
339	   with UTF-8 encoding is used [RFC3629].  When applicable, a field is
340	   also provided for a language tag [RFC3066].

342	   One big issue is the character set of the interactive session.  There
343	   is no clear solution, as different applications may display data in
344	   different formats.  Different types of terminal emulation may also be
345	   employed in the client, and the character set to be used is
346	   effectively determined by the terminal emulation.  Thus, no place is
347	   provided for directly specifying the character set or encoding for
348	   terminal session data.  However, the terminal emulation type (e.g.
349	   "vt100") is transmitted to the remote site, and it implicitly
350	   specifies the character set and encoding.  Applications typically use
351	   the terminal type to determine what character set they use, or the
352	   character set is determined using some external means.  The terminal
353	   emulation may also allow configuring the default character set.  In
354	   any case, the character set for the terminal session is considered
355	   primarily a client local issue.

357	   Internal names used to identify algorithms or protocols are normally
358	   never displayed to users, and must be in US-ASCII.

360	   The client and server user names are inherently constrained by what
361	   the server is prepared to accept.  They might, however, occasionally
362	   be displayed in logs, reports, etc.  They MUST be encoded using ISO
363	   10646 UTF-8, but other encodings may be required in some cases.  It
364	   is up to the server to decide how to map user names to accepted user
365	   names.  Straight bit-wise binary comparison is RECOMMENDED.

367	   For localization purposes, the protocol attempts to minimize the
368	   number of textual messages transmitted.  When present, such messages
369	   typically relate to errors, debugging information, or some externally
370	   configured data.  For data that is normally displayed, it SHOULD be
371	   possible to fetch a localized message instead of the transmitted
372	   message by using a numerical code.  The remaining messages SHOULD be
373	   configurable.

375	5.  Data Type Representations Used in the SSH Protocols

377	   byte

379	      A byte represents an arbitrary 8-bit value (octet).  Fixed length
380	      data is sometimes represented as an array of bytes, written
381	      byte[n], where n is the number of bytes in the array.

383	   boolean

385	      A boolean value is stored as a single byte.  The value 0
386	      represents FALSE, and the value 1 represents TRUE.  All non-zero
387	      values MUST be interpreted as TRUE; however, applications MUST NOT
388	      store values other than 0 and 1.

390	   uint32

392	      Represents a 32-bit unsigned integer.  Stored as four bytes in the
393	      order of decreasing significance (network byte order).  For
394	      example, the value 699921578 (0x29b7f4aa) is stored as 29 b7 f4
395	      aa.

397	   uint64

399	      Represents a 64-bit unsigned integer.  Stored as eight bytes in
400	      the order of decreasing significance (network byte order).
401	   string

403	      Arbitrary length binary string.  Strings are allowed to contain
404	      arbitrary binary data, including null characters and 8-bit
405	      characters.  They are stored as a uint32 containing its length
406	      (number of bytes that follow) and zero (= empty string) or more
407	      bytes that are the value of the string.  Terminating null
408	      characters are not used.

410	      Strings are also used to store text.  In that case, US-ASCII is
411	      used for internal names, and ISO-10646 UTF-8 for text that might
412	      be displayed to the user.  The terminating null character SHOULD
413	      NOT normally be stored in the string.

415	      For example, the US-ASCII string "testing" is represented as 00 00
416	      00 07 t e s t i n g.  The UTF8 mapping does not alter the encoding
417	      of US-ASCII characters.

419	   mpint

421	      Represents multiple precision integers in two's complement format,
422	      stored as a string, 8 bits per byte, MSB first.  Negative numbers
423	      have the value 1 as the most significant bit of the first byte of
424	      the data partition.  If the most significant bit would be set for
425	      a positive number, the number MUST be preceded by a zero byte.
426	      Unnecessary leading bytes with the value 0 or 255 MUST NOT be
427	      included.  The value zero MUST be stored as a string with zero
428	      bytes of data.

430	      By convention, a number that is used in modular computations in
431	      Z_n SHOULD be represented in the range 0 <= x < n.

433	       Examples:
434	       value (hex)        representation (hex)
435	       ---------------------------------------------------------------
436	       0                  00 00 00 00
437	       9a378f9b2e332a7    00 00 00 08 09 a3 78 f9 b2 e3 32 a7
438	       80                 00 00 00 02 00 80
439	       -1234              00 00 00 02 ed cc
440	       -deadbeef          00 00 00 05 ff 21 52 41 11

442	   name-list

444	      A string containing a comma separated list of names.  A name list
445	      is represented as a uint32 containing its length (number of bytes
446	      that follow) followed by a comma-separated list of zero or more
447	      names.  A name MUST be non-zero length, and it MUST NOT contain a
448	      comma (",").  Context may impose additional restrictions on the
449	      names; for example, the names in a list may have to be valid
450	      algorithm identifier (see Section 6 below), or [RFC3066] language
451	      tags.  The order of the names in a list may or may not be
452	      significant, also depending on the context where the list is is
453	      used.  Terminating NUL characters are not used, neither for the
454	      individual names, nor for the list as a whole.

456	       Examples:
457	       value              representation (hex)
458	       ---------------------------------------
459	       (), the empty list 00 00 00 00
460	       ("zlib")           00 00 00 04 7a 6c 69 62
461	       ("zlib", "none")   00 00 00 09 7a 6c 69 62 2c 6e 6f 6e 65

463	6.  Algorithm and Method Naming

465	   The SSH protocols refer to particular hash, encryption, integrity,
466	   compression, and key exchange algorithms or methods by names.  There
467	   are some standard algorithms and methods that all implementations
468	   MUST support.  There are also algorithms and methods that are defined
469	   in the protocol specification but are OPTIONAL.  Furthermore, it is
470	   expected that some organizations will want to use their own
471	   algorithms or methods.

473	   In this protocol, all algorithm and method identifiers MUST be
474	   printable US-ASCII, non-empty strings no longer than 64 characters.
475	   Names MUST be case-sensitive.

477	   There are two formats for algorithm and method names:
478	   o  Names that do not contain an at-sign ("@") are reserved to be
479	      assigned by IETF CONSENSUS.  Examples include "3des-cbc", "sha-1",
480	      "hmac-sha1", and "zlib" (the doublequotes are not part of the
481	      name).  Names of this format are only valid if they are first
482	      registered with the IANA.  Registered names MUST NOT contain an
483	      at-sign ("@"), a comma (","), or whitespace or control characters
484	      (ASCII codes 32 or less).  Names are case-sensitive, and MUST NOT
485	      be longer than 64 characters.
486	   o  Anyone can define additional algorithms or methods by using names
487	      in the format name@domainname, e.g.  "ourcipher-cbc@example.com".
488	      The format of the part preceding the at sign is not specified,
489	      however these names MUST be printable US-ASCII strings, and MUST
490	      NOT contain the comma character (","), whitespace, or control
491	      characters (ASCII codes 32 or less).  The part following the
492	      at-sign MUST be a valid, fully qualified domain name [RFC1034]
493	      controlled by the person or organization defining the name.  Names
494	      are case-sensitive, and MUST NOT be longer than 64 characters.  It
495	      is up to each domain how it manages its local namespace.  It
496	      should be noted that these names resemble [RFC0822] email
497	      addresses.  This is purely coincidental and actually has nothing
498	      to do with [RFC0822].

500	7.  Message Numbers

502	   SSH packets have message numbers in the range 1 to 255.  These
503	   numbers have been allocated as follows:

505	     Transport layer protocol:

507	       1 to 19    Transport layer generic (e.g. disconnect, ignore,
508	                  debug, etc.)
509	       20 to 29   Algorithm negotiation
510	       30 to 49   Key exchange method specific (numbers can be reused
511	                  for different authentication methods)

513	     User authentication protocol:

515	       50 to 59   User authentication generic
516	       60 to 79   User authentication method specific (numbers can be
517	                  reused for different authentication methods)

519	     Connection protocol:

521	       80 to 89   Connection protocol generic
522	       90 to 127  Channel related messages

524	     Reserved for client protocols:

526	       128 to 191 Reserved

528	     Local extensions:

530	       192 to 255 Local extensions

532	8.  IANA Considerations

534	   This document is part of a set.  The instructions for the IANA for
535	   the SSH protocol as defined in this document, [SSH-USERAUTH],
536	   [SSH-TRANS], and [SSH-CONNECT], are detailed in [SSH-NUMBERS].  The
537	   following is a brief summary for convenience, but note well that
538	   [SSH-NUMBERS] is the actual instructions to the IANA, which may be
539	   superceded in the future.

541	   Allocation of the following types of names in the SSH protocols is
542	   assigned by IETF consensus:
543	   o  Service Names
544	      *  Authentication Methods
545	      *  Connection Protocol Channel Names
546	      *  Connection Protocol Global Request Names
547	      *  Connection Protocol Channel Request Names
548	   o  Key Exchange Method Names
549	   o  Assigned Algorithm Names
550	      *  Encryption Algorithm Names
551	      *  MAC Algorithm Names
552	      *  Public Key Algorithm Names
553	      *  Compression Algorithm Names

555	   These names MUST be printable US-ASCII strings, and MUST NOT contain
556	   the characters at-sign ("@"), comma (","), or whitespace or control
557	   characters (ASCII codes 32 or less).  Names are case-sensitive, and
558	   MUST NOT be longer than 64 characters.

560	   Names with the at-sign ("@") in them are locally defined extensions
561	   and are not controlled by the IANA.

563	   Each category of names listed above has a separate namespace.
564	   However, using the same name in multiple categories SHOULD be avoided
565	   to minimize confusion.

567	   Message numbers (see Section Message Numbers (Section 7)) in the
568	   range of 0..191 are allocated via IETF CONSENSUS as described in
569	   [RFC2434].  Message numbers in the 192..255 range (the "Local
570	   extensions" set) are reserved for PRIVATE USE also as described in
571	   [RFC2434].

573	9.  Security Considerations

575	   In order to make the entire body of Security Considerations more
576	   accessible, Security Considerations for the transport,
577	   authentication, and connection documents have been gathered here.

579	   The transport protocol [SSH-TRANS] provides a confidential channel
580	   over an insecure network.  It performs server host authentication,
581	   key exchange, encryption, and integrity protection.  It also derives
582	   a unique session id that may be used by higher-level protocols.

584	   The authentication protocol [SSH-USERAUTH] provides a suite of
585	   mechanisms which can be used to authenticate the client user to the
586	   server.  Individual mechanisms specified in the in authentication
587	   protocol use the session id provided by the transport protocol and/or
588	   depend on the security and integrity guarantees of the transport
589	   protocol.

591	   The connection protocol [SSH-CONNECT] specifies a mechanism to
592	   multiplex multiple streams (channels) of data over the confidential
593	   and authenticated transport.  It also specifies channels for
594	   accessing an interactive shell, for 'proxy-forwarding' various
595	   external protocols over the secure transport (including arbitrary
596	   TCP/IP protocols), and for accessing secure 'subsystems' on the
597	   server host.

599	9.1  Pseudo-Random Number Generation

601	   This protocol binds each session key to the session by including
602	   random, session specific data in the hash used to produce session
603	   keys.  Special care should be taken to ensure that all of the random
604	   numbers are of good quality.  If the random data here (e.g.,
605	   Diffie-Hellman (DH) parameters) are pseudo-random then the
606	   pseudo-random number generator should be cryptographically secure
607	   (i.e., its next output not easily guessed even when knowing all
608	   previous outputs) and, furthermore, proper entropy needs to be added
609	   to the pseudo-random number generator.  [RFC1750] offers suggestions
610	   for sources of random numbers and entropy.  Implementors should note
611	   the importance of entropy and the well-meant, anecdotal warning about
612	   the difficulty in properly implementing pseudo-random number
613	   generating functions.

615	   The amount of entropy available to a given client or server may
616	   sometimes be less than what is required.  In this case one must
617	   either resort to pseudo-random number generation regardless of
618	   insufficient entropy or refuse to run the protocol.  The latter is
619	   preferable.

621	9.2  Transport

623	9.2.1  Confidentiality

625	   It is beyond the scope of this document and the Secure Shell Working
626	   Group to analyze or recommend specific ciphers other than the ones
627	   which have been established and accepted within the industry.  At the
628	   time of this writing, ciphers commonly in use include 3DES, ARCFOUR,
629	   twofish, serpent and blowfish.  AES has been published by The US
630	   Federal Information Processing Standards as [FIPS-197] and the
631	   cryptographic community has accepted AES as well.  As always,
632	   implementors and users should check current literature to ensure that
633	   no recent vulnerabilities have been found in ciphers used within
634	   products.  Implementors should also check to see which ciphers are
635	   considered to be relatively stronger than others and should recommend
636	   their use to users over relatively weaker ciphers.  It would be
637	   considered good form for an implementation to politely and
638	   unobtrusively notify a user that a stronger cipher is available and
639	   should be used when a weaker one is actively chosen.

641	   The "none" cipher is provided for debugging and SHOULD NOT be used
642	   except for that purpose.  Its cryptographic properties are
643	   sufficiently described in [RFC2410], which will show that its use
644	   does not meet the intent of this protocol.

646	   The relative merits of these and other ciphers may also be found in
647	   current literature.  Two references that may provide information on
648	   the subject are [SCHNEIER] and [KAUFMAN,PERLMAN,SPECINER] Both of
649	   these describe the CBC mode of operation of certain ciphers and the
650	   weakness of this scheme.  Essentially, this mode is theoretically
651	   vulnerable to chosen cipher-text attacks because of the high
652	   predictability of the start of packet sequence.  However, this attack
653	   is deemed difficult and not considered fully practicable especially
654	   if relatively longer block sizes are used.

656	   Additionally, another CBC mode attack may be mitigated through the
657	   insertion of packets containing SSH_MSG_IGNORE.  Without this
658	   technique, a specific attack may be successful.  For this attack
659	   (commonly known as the Rogaway attack [ROGAWAY], [DAI],
660	   [BELLARE,KOHNO,NAMPREMPRE],) to work, the attacker would need to know
661	   the Initialization Vector (IV) of the next block that is going to be
662	   encrypted.  In CBC mode that is the output of the encryption of the
663	   previous block.  If the attacker does not have any way to see the
664	   packet yet (i.e., it is in the internal buffers of the SSH
665	   implementation or even in the kernel) then this attack will not work.
666	   If the last packet has been sent out to the network (i.e., the
667	   attacker has access to it) then he can use the attack.

669	   In the optimal case an implementor would need to add an extra packet
670	   only if the packet has been sent out onto the network and there are
671	   no other packets waiting for transmission.  Implementors may wish to
672	   check to see if there are any unsent packets awaiting transmission,
673	   but unfortunately it is not normally easy to obtain this information
674	   from the kernel or buffers.  If there are not, then a packet
675	   containing SSH_MSG_IGNORE SHOULD be sent.  If a new packet is added
676	   to the stream every time the attacker knows the IV that is supposed
677	   to be used for the next packet, then the attacker will not be able to
678	   guess the correct IV, thus the attack will never be successful.

680	   As an example, consider the following case:

682	      Client                                                  Server
683	      ------                                                  ------
684	      TCP(seq=x, len=500)             ---->
685	       contains Record 1

687	                          [500 ms passes, no ACK]

689	      TCP(seq=x, len=1000)            ---->
690	       contains Records 1,2

692	                                                                ACK

694	   1.  The Nagle algorithm + TCP retransmits mean that the two records
695	       get coalesced into a single TCP segment.
696	   2.  Record 2 is *not* at the beginning of the TCP segment and never
697	       will be, since it gets ACKed.
698	   3.  Yet, the attack is possible because Record 1 has already been
699	       seen.

701	   As this example indicates, it's totally unsafe to use the existence
702	   of unflushed data in the TCP buffers proper as a guide to whether you
703	   need an empty packet, since when you do the second write(), the
704	   buffers will contain the un-ACKed Record 1.

706	   On the other hand, it's perfectly safe to have the following
707	   situation:

709	      Client                                                  Server
710	      ------                                                  ------
711	      TCP(seq=x, len=500)             ---->
712	         contains SSH_MSG_IGNORE

714	      TCP(seq=y, len=500)             ---->
715	         contains Data

717	      Provided that the IV for the second SSH Record is fixed after the
718	      data for the Data packet is determined, then the following should
719	      be performed:
720	           read from user
721	           encrypt null packet
722	           encrypt data packet

724	9.2.2  Data Integrity

726	   This protocol does allow the Data Integrity mechanism to be disabled.
727	   Implementors SHOULD be wary of exposing this feature for any purpose
728	   other than debugging.  Users and administrators SHOULD be explicitly
729	   warned anytime the "none" MAC is enabled.

731	   So long as the "none" MAC is not used, this protocol provides data
732	   integrity.

734	   Because MACs use a 32 bit sequence number, they might start to leak
735	   information after 2**32 packets have been sent.  However, following
736	   the rekeying recommendations should prevent this attack.  The
737	   transport protocol [SSH-TRANS] recommends rekeying after one gigabyte
738	   of data, and the smallest possible packet is 16 bytes.  Therefore,
739	   rekeying SHOULD happen after 2**28 packets at the very most.

741	9.2.3  Replay

743	   The use of a MAC other than 'none' provides integrity and
744	   authentication.  In addition, the transport protocol provides a
745	   unique session identifier (bound in part to pseudo-random data that
746	   is part of the algorithm and key exchange process) that can be used
747	   by higher level protocols to bind data to a given session and prevent
748	   replay of data from prior sessions.  For example, the authentication
749	   protocol uses this to prevent replay of signatures from previous
750	   sessions.  Because public key authentication exchanges are
751	   cryptographically bound to the session (i.e., to the initial key
752	   exchange) they cannot be successfully replayed in other sessions.
753	   Note that the session ID can be made public without harming the
754	   security of the protocol.

756	   If two sessions happen to have the same session ID (hash of key
757	   exchanges) then packets from one can be replayed against the other.
758	   It must be stressed that the chances of such an occurrence are,
759	   needless to say, minimal when using modern cryptographic methods.
760	   This is all the more so true when specifying larger hash function
761	   outputs and DH parameters.

763	   Replay detection using monotonically increasing sequence numbers as
764	   input to the MAC, or HMAC in some cases, is described in [RFC2085],
765	   [RFC2246], [RFC2743], [RFC1964], [RFC2025], and [RFC1510].  The
766	   underlying construct is discussed in [RFC2104].  Essentially a
767	   different sequence number in each packet ensures that at least this
768	   one input to the MAC function will be unique and will provide a
769	   nonrecurring MAC output that is not predictable to an attacker.  If
770	   the session stays active long enough, however, this sequence number
771	   will wrap.  This event may provide an attacker an opportunity to
772	   replay a previously recorded packet with an identical sequence number
773	   but only if the peers have not rekeyed since the transmission of the
774	   first packet with that sequence number.  If the peers have rekeyed,
775	   then the replay will be detected as the MAC check will fail.  For
776	   this reason, it must be emphasized that peers MUST rekey before a
777	   wrap of the sequence numbers.  Naturally, if an attacker does attempt
778	   to replay a captured packet before the peers have rekeyed, then the
779	   receiver of the duplicate packet will not be able to validate the MAC
780	   and it will be discarded.  The reason that the MAC will fail is
781	   because the receiver will formulate a MAC based upon the packet
782	   contents, the shared secret, and the expected sequence number.  Since
783	   the replayed packet will not be using that expected sequence number
784	   (the sequence number of the replayed packet will have already been
785	   passed by the receiver) then the calculated MAC will not match the
786	   MAC received with the packet.

788	9.2.4  Man-in-the-middle

790	   This protocol makes no assumptions nor provisions for an
791	   infrastructure or means for distributing the public keys of hosts.
792	   It is expected that this protocol will sometimes be used without
793	   first verifying the association between the server host key and the
794	   server host name.  Such usage is vulnerable to man-in-the-middle
795	   attacks.  This section describes this and encourages administrators
796	   and users to understand the importance of verifying this association
797	   before any session is initiated.

799	   There are three cases of man-in-the-middle attacks to consider.  The
800	   first is where an attacker places a device between the client and the
801	   server before the session is initiated.  In this case, the attack
802	   device is trying to mimic the legitimate server and will offer its
803	   public key to the client when the client initiates a session.  If it
804	   were to offer the public key of the server, then it would not be able
805	   to decrypt or sign the transmissions between the legitimate server
806	   and the client unless it also had access to the private-key of the
807	   host.  The attack device will also, simultaneously to this, initiate
808	   a session to the legitimate server masquerading itself as the client.
809	   If the public key of the server had been securely distributed to the
810	   client prior to that session initiation, the key offered to the
811	   client by the attack device will not match the key stored on the
812	   client.  In that case, the user SHOULD be given a warning that the
813	   offered host key does not match the host key cached on the client.
814	   As described in Section Host Keys (Section 4.1), the user may be free
815	   to accept the new key and continue the session.  It is RECOMMENDED
816	   that the warning provide sufficient information to the user of the
817	   client device so they may make an informed decision.  If the user
818	   chooses to continue the session with the stored public-key of the
819	   server (not the public-key offered at the start of the session), then
820	   the session specific data between the attacker and server will be
821	   different between the client-to-attacker session and the
822	   attacker-to-server sessions due to the randomness discussed above.
823	   From this, the attacker will not be able to make this attack work
824	   since the attacker will not be able to correctly sign packets
825	   containing this session specific data from the server since he does
826	   not have the private key of that server.

828	   The second case that should be considered is similar to the first
829	   case in that it also happens at the time of connection but this case
830	   points out the need for the secure distribution of server public
831	   keys.  If the server public keys are not securely distributed then
832	   the client cannot know if it is talking to the intended server.  An
833	   attacker may use social engineering techniques to pass off server
834	   keys to unsuspecting users and may then place a man-in-the-middle
835	   attack device between the legitimate server and the clients.  If this
836	   is allowed to happen then the clients will form client-to-attacker
837	   sessions and the attacker will form attacker-to-server sessions and
838	   will be able to monitor and manipulate all of the traffic between the
839	   clients and the legitimate servers.  Server administrators are
840	   encouraged to make host key fingerprints available for checking by
841	   some means whose security does not rely on the integrity of the
842	   actual host keys.  Possible mechanisms are discussed in Section Host
843	   Keys (Section 4.1) and may also include secured Web pages, physical
844	   pieces of paper, etc.  Implementors SHOULD provide recommendations on
845	   how best to do this with their implementation.  Because the protocol
846	   is extensible, future extensions to the protocol may provide better
847	   mechanisms for dealing with the need to know the server's host key
848	   before connecting.  For example, making the host key fingerprint
849	   available through a secure DNS lookup, or using Kerberos ([RFC1510])
850	   over GSS-API ([RFC1964]) during key exchange to authenticate the
851	   server are possibilities.

853	   In the third man-in-the-middle case, attackers may attempt to
854	   manipulate packets in transit between peers after the session has
855	   been established.  As described in the Replay part of this section, a
856	   successful attack of this nature is very improbable.  As in the
857	   Replay section, this reasoning does assume that the MAC is secure and
858	   that it is infeasible to construct inputs to a MAC algorithm to give
859	   a known output.  This is discussed in much greater detail in Section
860	   6 of [RFC2104].  If the MAC algorithm has a vulnerability or is weak
861	   enough, then the attacker may be able to specify certain inputs to
862	   yield a known MAC.  With that they may be able to alter the contents
863	   of a packet in transit.  Alternatively the attacker may be able to
864	   exploit the algorithm vulnerability or weakness to find the shared
865	   secret by reviewing the MACs from captured packets.  In either of
866	   those cases, an attacker could construct a packet or packets that
867	   could be inserted into an SSH stream.  To prevent that, implementors
868	   are encouraged to utilize commonly accepted MAC algorithms and
869	   administrators are encouraged to watch current literature and
870	   discussions of cryptography to ensure that they are not using a MAC
871	   algorithm that has a recently found vulnerability or weakness.

873	   In summary, the use of this protocol without a reliable association
874	   of the binding between a host and its host keys is inherently
875	   insecure and is NOT RECOMMENDED.  It may however be necessary in
876	   non-security critical environments, and will still provide protection
877	   against passive attacks.  Implementors of protocols and applications
878	   running on top of this protocol should keep this possibility in mind.

880	9.2.5  Denial-of-service

882	   This protocol is designed to be used over a reliable transport.  If
883	   transmission errors or message manipulation occur, the connection is
884	   closed.  The connection SHOULD be re-established if this occurs.
885	   Denial of service attacks of this type ("wire cutter") are almost
886	   impossible to avoid.

888	   In addition, this protocol is vulnerable to Denial of Service attacks
889	   because an attacker can force the server to go through the CPU and
890	   memory intensive tasks of connection setup and key exchange without
891	   authenticating.  Implementors SHOULD provide features that make this
892	   more difficult.  For example, only allowing connections from a subset
893	   of IPs known to have valid users.

895	9.2.6  Covert Channels

897	   The protocol was not designed to eliminate covert channels.  For
898	   example, the padding, SSH_MSG_IGNORE messages, and several other
899	   places in the protocol can be used to pass covert information, and
900	   the recipient has no reliable way to verify whether such information
901	   is being sent.

903	9.2.7  Forward Secrecy

905	   It should be noted that the Diffie-Hellman key exchanges may provide
906	   perfect forward secrecy (PFS).  PFS is essentially defined as the
907	   cryptographic property of a key-establishment protocol in which the
908	   compromise of a session key or long-term private key after a given
909	   session does not cause the compromise of any earlier session.  [ANSI
910	   T1.523-2001]  SSH sessions resulting from a key exchange using the
911	   diffie-hellman methods described in the section "Diffie-Hellman Key
912	   Exchange" of [SSH-TRANS] (including diffie-hellman-group1-sha1 and
913	   diffie-hellman-group14-sha1) are secure even if private
914	   keying/authentication material is later revealed, but not if the
915	   session keys are revealed.  So, given this definition of PFS, SSH
916	   does have PFS.  This property is not commuted to any of the
917	   applications or protocols using SSH as a transport however.  The
918	   transport layer of SSH provides confidentiality for password
919	   authentication and other methods that rely on secret data.

921	   Editor's Note:  diffie-hellman-group14-sha1 is controversial at the
922	   moment.  It is being discussed on the mailing list.

924	   Of course, if the DH private parameters for the client and server are
925	   revealed then the session key is revealed, but these items can be
926	   thrown away after the key exchange completes.  It's worth pointing
927	   out that these items should not be allowed to end up on swap space
928	   and that they should be erased from memory as soon as the key
929	   exchange completes.

931	9.2.8  Ordering of Key Exchange Methods

933	   As stated in the section on "Algorithm Negotiation" of [SSH-TRANS],
934	   each device will send a list of preferred methods for key exchange.
935	   The most-preferred method is the first in the list.  It is
936	   RECOMMENDED to sort the algorithms by cryptographic strength,
937	   strongest first.  Some additional guidance for this is given in
938	   [RFC3766].

940	9.3  Authentication Protocol

942	   The purpose of this protocol is to perform client user
943	   authentication.  It assumes that this run over a secure transport
944	   layer protocol, which has already authenticated the server machine,
945	   established an encrypted communications channel, and computed a
946	   unique session identifier for this session.

948	   Several authentication methods with different security
949	   characteristics are allowed.  It is up to the server's local policy
950	   to decide which methods (or combinations of methods) it is willing to
951	   accept for each user.  Authentication is no stronger than the weakest
952	   combination allowed.

954	   The server may go into a "sleep" period after repeated unsuccessful
955	   authentication attempts to make key search more difficult for
956	   attackers.  Care should be taken so that this doesn't become a
957	   self-denial of service vector.

959	9.3.1  Weak Transport

961	   If the transport layer does not provide confidentiality,
962	   authentication methods that rely on secret data SHOULD be disabled.
963	   If it does not provide strong integrity protection, requests to
964	   change authentication data (e.g.  a password change) SHOULD be
965	   disabled to prevent an attacker from modifying the ciphertext without
966	   being noticed, or rendering the new authentication data unusable
967	   (denial of service).

969	   The assumption as stated above that the Authentication Protocol only
970	   run over a secure transport that has previously authenticated the
971	   server is very important to note.  People deploying SSH are reminded
972	   of the consequences of man-in-the-middle attacks if the client does
973	   not have a very strong a priori association of the server with the
974	   host key of that server.  Specifically for the case of the
975	   Authentication Protocol the client may form a session to a
976	   man-in-the-middle attack device and divulge user credentials such as
977	   their username and password.  Even in the cases of authentication
978	   where no user credentials are divulged, an attacker may still gain
979	   information they shouldn't have by capturing key-strokes in much the
980	   same way that a honeypot works.

982	9.3.2  Debug Messages

984	   Special care should be taken when designing debug messages.  These
985	   messages may reveal surprising amounts of information about the host
986	   if not properly designed.  Debug messages can be disabled (during
987	   user authentication phase) if high security is required.
988	   Administrators of host machines should make all attempts to
989	   compartmentalize all event notification messages and protect them
990	   from unwarranted observation.  Developers should be aware of the
991	   sensitive nature of some of the normal event messages and debug
992	   messages and may want to provide guidance to administrators on ways
993	   to keep this information away from unauthorized people.  Developers
994	   should consider minimizing the amount of sensitive information
995	   obtainable by users during the authentication phase in accordance
996	   with the local policies.  For this reason, it is RECOMMENDED that
997	   debug messages be initially disabled at the time of deployment and
998	   require an active decision by an administrator to allow them to be
999	   enabled.  It is also RECOMMENDED that a message expressing this
1000	   concern be presented to the administrator of a system when the action
1001	   is taken to enable debugging messages.

1003	9.3.3  Local Security Policy

1005	   Implementer MUST ensure that the credentials provided validate the
1006	   professed user and also MUST ensure that the local policy of the
1007	   server permits the user the access requested.  In particular, because
1008	   of the flexible nature of the SSH connection protocol, it may not be
1009	   possible to determine the local security policy, if any, that should
1010	   apply at the time of authentication because the kind of service being
1011	   requested is not clear at that instant.  For example, local policy
1012	   might allow a user to access files on the server, but not start an
1013	   interactive shell.  However, during the authentication protocol, it
1014	   is not known whether the user will be accessing files or attempting
1015	   to use an interactive shell, or even both.  In any event, where local
1016	   security policy for the server host exists, it MUST be applied and
1017	   enforced correctly.

1019	   Implementors are encouraged to provide a default local policy and
1020	   make its parameters known to administrators and users.  At the
1021	   discretion of the implementors, this default policy may be along the
1022	   lines of 'anything goes' where there are no restrictions placed upon
1023	   users, or it may be along the lines of 'excessively restrictive' in
1024	   which case the administrators will have to actively make changes to
1025	   this policy to meet their needs.  Alternatively, it may be some
1026	   attempt at providing something practical and immediately useful to
1027	   the administrators of the system so they don't have to put in much
1028	   effort to get SSH working.  Whatever choice is made MUST be applied
1029	   and enforced as required above.

1031	9.3.4  Public Key Authentication

1033	   The use of public-key authentication assumes that the client host has
1034	   not been compromised.  It also assumes that the private-key of the
1035	   server host has not been compromised.

1037	   This risk can be mitigated by the use of passphrases on private keys;
1038	   however, this is not an enforceable policy.  The use of smartcards,
1039	   or other technology to make passphrases an enforceable policy is
1040	   suggested.

1042	   The server could require both password and public-key authentication,
1043	   however, this requires the client to expose its password to the
1044	   server (see section on password authentication below.)

1046	9.3.5  Password Authentication

1048	   The password mechanism as specified in the authentication protocol
1049	   assumes that the server has not been compromised.  If the server has
1050	   been compromised, using password authentication will reveal a valid
1051	   username / password combination to the attacker, which may lead to
1052	   further compromises.

1054	   This vulnerability can be mitigated by using an alternative form of
1055	   authentication.  For example, public-key authentication makes no
1056	   assumptions about security on the server.

1058	9.3.6  Host Based Authentication

1060	   Host based authentication assumes that the client has not been
1061	   compromised.  There are no mitigating strategies, other than to use
1062	   host based authentication in combination with another authentication
1063	   method.

1065	9.4  Connection Protocol

1067	9.4.1  End Point Security

1069	   End point security is assumed by the connection protocol.  If the
1070	   server has been compromised, any terminal sessions, port forwarding,
1071	   or systems accessed on the host are compromised.  There are no
1072	   mitigating factors for this.

1074	   If the client end point has been compromised, and the server fails to
1075	   stop the attacker at the authentication protocol, all services
1076	   exposed (either as subsystems or through forwarding) will be
1077	   vulnerable to attack.  Implementors SHOULD provide mechanisms for
1078	   administrators to control which services are exposed to limit the
1079	   vulnerability of other services.

1081	   These controls might include controlling which machines and ports can
1082	   be target in 'port-forwarding' operations, which users are allowed to
1083	   use interactive shell facilities, or which users are allowed to use
1084	   exposed subsystems.

1086	9.4.2  Proxy Forwarding

1088	   The SSH connection protocol allows for proxy forwarding of other
1089	   protocols such as SNMP, POP3, and HTTP.  This may be a concern for
1090	   network administrators who wish to control the access of certain
1091	   applications by users located outside of their physical location.
1092	   Essentially, the forwarding of these protocols may violate site
1093	   specific security policies as they may be undetectably tunneled
1094	   through a firewall.  Implementors SHOULD provide an administrative
1095	   mechanism to control the proxy forwarding functionality so that site
1096	   specific security policies may be upheld.

1098	   In addition, a reverse proxy forwarding functionality is available,
1099	   which again can be used to bypass firewall controls.

1101	   As indicated above, end-point security is assumed during proxy
1102	   forwarding operations.  Failure of end-point security will compromise
1103	   all data passed over proxy forwarding.

1105	9.4.3  X11 Forwarding

1107	   Another form of proxy forwarding provided by the SSH connection
1108	   protocol is the forwarding of the X11 protocol.  If end-point
1109	   security has been compromised, X11 forwarding may allow attacks
1110	   against the X11 server.  Users and administrators should, as a matter
1111	   of course, use appropriate X11 security mechanisms to prevent
1112	   unauthorized use of the X11 server.  Implementors, administrators and
1113	   users who wish to further explore the security mechanisms of X11 are
1114	   invited to read [SCHEIFLER] and analyze previously reported problems
1115	   with the interactions between SSH forwarding and X11 in CERT
1116	   vulnerabilities VU#363181 and VU#118892 [CERT].

1118	   X11 display forwarding with SSH, by itself, is not sufficient to
1119	   correct well known problems with X11 security [VENEMA].  However, X11
1120	   display forwarding in SSH (or other, secure protocols), combined with
1121	   actual and pseudo-displays which accept connections only over local
1122	   IPC mechanisms authorized by permissions or ACLs, does correct many
1123	   X11 security problems as long as the "none" MAC is not used.  It is
1124	   RECOMMENDED that X11 display implementations default to allowing
1125	   display opens only over local IPC.  It is RECOMMENDED that SSH server
1126	   implementations that support X11 forwarding default to allowing
1127	   display opens only over local IPC.  On single-user systems it might
1128	   be reasonable to default to allowing local display opens over TCP/IP.

1130	   Implementors of the X11 forwarding protocol SHOULD implement the
1131	   magic cookie access checking spoofing mechanism as described in
1132	   [SSH-CONNECT] as an additional mechanism to prevent unauthorized use
1133	   of the proxy.

1135	10.  References

1137	10.1  Normative References

1139	   [SSH-TRANS]
1140	              Ylonen, T. and C. Lonvick, "SSH Transport Layer Protocol",
1141	              I-D draft-ietf-transport-19.txt, October 2004.

1143	   [SSH-USERAUTH]
1144	              Ylonen, T. and C. Lonvick, "SSH Authentication Protocol",
1145	              I-D draft-ietf-userauth-22.txt, October 2004.

1147	   [SSH-CONNECT]
1148	              Ylonen, T. and C. Lonvick, "SSH Connection Protocol", I-D
1149	              draft-ietf-connect-20.txt, October 2004.

1151	   [SSH-NUMBERS]
1152	              Ylonen, T. and C. Lonvick, "SSH Protocol Assigned
1153	              Numbers", I-D draft-ietf-assignednumbers-07.txt, October
1154	              2004.

1156	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1157	              Requirement Levels", BCP 14, RFC 2119, March 1997.

1159	10.2  Informative References

1161	   [FIPS-186-2]
1162	              Federal Information Processing Standards Publication,
1163	              "FIPS PUB 186-2, Digital Signature Standard (DSS)",
1164	              January 2000.

1166	   [FIPS-197]
1167	              National Institute of Standards and Technology, "FIPS 197,
1168	              Specification for the Advanced Encryption Standard",
1169	              November 2001.

1171	   [ANSI T1.523-2001]
1172	              American National Standards Institute, Inc., "Telecom
1173	              Glossary 2000", February 2001.

1175	   [SCHEIFLER]
1176	              Scheifler, R., "X Window System : The Complete Reference
1177	              to Xlib, X Protocol, Icccm, Xlfd, 3rd edition.", Digital
1178	              Press ISBN 1555580882, February 1992.

1180	   [RFC0822]  Crocker, D., "Standard for the format of ARPA Internet
1181	              text messages", STD 11, RFC 822, August 1982.

1183	   [RFC0854]  Postel, J. and J. Reynolds, "Telnet Protocol
1184	              Specification", STD 8, RFC 854, May 1983.

1186	   [RFC0894]  Hornig, C., "Standard for the transmission of IP datagrams
1187	              over Ethernet networks", STD 41, RFC 894, April 1984.

1189	   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
1190	              STD 13, RFC 1034, November 1987.

1192	   [RFC1134]  Perkins, D., "Point-to-Point Protocol: A proposal for
1193	              multi-protocol transmission of datagrams over
1194	              Point-to-Point links", RFC 1134, November 1989.

1196	   [RFC1282]  Kantor, B., "BSD Rlogin", RFC 1282, December 1991.

1198	   [RFC1510]  Kohl, J. and B. Neuman, "The Kerberos Network
1199	              Authentication Service (V5)", RFC 1510, September 1993.

1201	   [RFC1750]  Eastlake, D., Crocker, S. and J. Schiller, "Randomness
1202	              Recommendations for Security", RFC 1750, December 1994.

1204	   [RFC1964]  Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC
1205	              1964, June 1996.

1207	   [RFC2025]  Adams, C., "The Simple Public-Key GSS-API Mechanism
1208	              (SPKM)", RFC 2025, October 1996.

1210	   [RFC2085]  Oehler, M. and R. Glenn, "HMAC-MD5 IP Authentication with
1211	              Replay Prevention", RFC 2085, February 1997.

1213	   [RFC2104]  Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:
1214	              Keyed-Hashing for Message Authentication", RFC 2104,
1215	              February 1997.

1217	   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
1218	              RFC 2246, January 1999.

1220	   [RFC2410]  Glenn, R. and S. Kent, "The NULL Encryption Algorithm and
1221	              Its Use With IPsec", RFC 2410, November 1998.

1223	   [RFC2434]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
1224	              IANA Considerations Section in RFCs", BCP 26, RFC 2434,
1225	              October 1998.

1227	   [RFC2743]  Linn, J., "Generic Security Service Application Program
1228	              Interface Version 2, Update 1", RFC 2743, January 2000.

1230	   [RFC3066]  Alvestrand, H., "Tags for the Identification of
1231	              Languages", BCP 47, RFC 3066, January 2001.

1233	   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
1234	              10646", STD 63, RFC 3629, November 2003.

1236	   [RFC3766]  Orman, H. and P. Hoffman, "Determining Strengths For
1237	              Public Keys Used For Exchanging Symmetric Keys", BCP 86,
1238	              RFC 3766, April 2004.

1240	   [SCHNEIER]
1241	              Schneier, B., "Applied Cryptography Second Edition:
1242	              protocols algorithms and source in code in C", 1996.

1244	   [KAUFMAN,PERLMAN,SPECINER]
1245	              Kaufman, C., Perlman, R. and M. Speciner, "Network
1246	              Security: PRIVATE Communication in a PUBLIC World", 1995.

1248	   [CERT]     CERT Coordination Center, The.,
1249	              "http://www.cert.org/nav/index_red.html".

1251	   [VENEMA]   Venema, W., "Murphy's Law and Computer Security",
1252	              Proceedings of 6th USENIX Security Symposium, San Jose CA
1253	              http://www.usenix.org/publications/library/proceedings/
1254	              sec96/venema.html, July 1996.

1256	   [ROGAWAY]  Rogaway, P., "Problems with Proposed IP Cryptography",
1257	              Unpublished paper http://www.cs.ucdavis.edu/~rogaway/
1258	              papers/draft-rogaway-ipsec-comments-00.txt, 1996.

1260	   [DAI]      Dai, W., "An attack against SSH2 protocol", Email to the
1261	              SECSH Working Group ietf-ssh@netbsd.org ftp://
1262	              ftp.ietf.org/ietf-mail-archive/secsh/2002-02.mail, Feb
1263	              2002.

1265	   [BELLARE,KOHNO,NAMPREMPRE]
1266	              Bellaire, M., Kohno, T. and C. Namprempre, "Authenticated
1267	              Encryption in SSH: Fixing the SSH Binary Packet Protocol",
1268	              , Sept 2002.

1270	Author's Address

1272	   Chris Lonvick (editor)
1273	   Cisco Systems, Inc
1274	   12515 Research Blvd.
1275	   Austin  78759
1276	   USA

1278	   EMail: clonvick@cisco.com

1280	Intellectual Property Statement

1282	   The IETF takes no position regarding the validity or scope of any
1283	   Intellectual Property Rights or other rights that might be claimed to
1284	   pertain to the implementation or use of the technology described in
1285	   this document or the extent to which any license under such rights
1286	   might or might not be available; nor does it represent that it has
1287	   made any independent effort to identify any such rights.  Information
1288	   on the procedures with respect to rights in RFC documents can be
1289	   found in BCP 78 and BCP 79.

1291	   Copies of IPR disclosures made to the IETF Secretariat and any
1292	   assurances of licenses to be made available, or the result of an
1293	   attempt made to obtain a general license or permission for the use of
1294	   such proprietary rights by implementers or users of this
1295	   specification can be obtained from the IETF on-line IPR repository at
1296	   http://www.ietf.org/ipr.

1298	   The IETF invites any interested party to bring to its attention any
1299	   copyrights, patents or patent applications, or other proprietary
1300	   rights that may cover technology that may be required to implement
1301	   this standard.  Please address the information to the IETF at
1302	   ietf-ipr@ietf.org.

1304	   The IETF has been notified of intellectual property rights claimed in
1305	   regard to some or all of the specification contained in this
1306	   document.  For more information consult the online list of claimed
1307	   rights.

1309	Disclaimer of Validity

1311	   This document and the information contained herein are provided on an
1312	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1313	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1314	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1315	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1316	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1317	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1319	Copyright Statement

1321	   Copyright (C) The Internet Society (2004).  This document is subject
1322	   to the rights, licenses and restrictions contained in BCP 78, and
1323	   except as set forth therein, the authors retain all their rights.

1325	Acknowledgment

1327	   Funding for the RFC Editor function is currently provided by the
1328	   Internet Society.