idnits 2.17.1 

draft-ietf-secsh-architecture-21.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1.a on line 16.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1317.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1289.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1296.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1302.

  ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure
     Acknowledgement. 

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.

  ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate
     instead of verbatim RFC 3978 boilerplate.  After 6 May 2005, submission
     of drafts without verbatim RFC 3978 boilerplate is not accepted.

     The following non-3978 patterns matched text found in the document. 
     That text should be removed or replaced:

        This document is an Internet-Draft and is subject to all provisions of
        Section 3 of RFC 3667.

        By submitting this Internet-Draft, each author represents that any
        applicable patent or other IPR claims of which he or she is aware
        have been or will be disclosed, and any of which he or she
        becomes aware will be disclosed, in accordance with Section 6 of
        BCP 79.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 164 has weird spacing: '... string    dat...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (February 17, 2005) is 7001 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'KAUFMAN' is mentioned on line 635, but not defined

  == Missing Reference: 'PERLMAN' is mentioned on line 635, but not defined

  == Missing Reference: 'SPECINER' is mentioned on line 635, but not defined

  == Missing Reference: 'BELLARE' is mentioned on line 647, but not defined

  == Missing Reference: 'KOHNO' is mentioned on line 647, but not defined

  == Missing Reference: 'NAMPREMPRE' is mentioned on line 647, but not defined

  == Unused Reference: 'KAUFMAN,PERLMAN,SPECINER' is defined on line 1234,
     but no explicit reference was found in the text

  == Unused Reference: 'BELLARE,KOHNO,NAMPREMPRE' is defined on line 1255,
     but no explicit reference was found in the text

  == Outdated reference: A later version (-24) exists of
     draft-ietf-secsh-transport-23

  == Outdated reference: A later version (-27) exists of
     draft-ietf-secsh-userauth-26

  == Outdated reference: A later version (-25) exists of
     draft-ietf-secsh-connect-24

  == Outdated reference: A later version (-12) exists of
     draft-ietf-secsh-assignednumbers-11

  ** Obsolete normative reference: RFC 2434 (Obsoleted by RFC 5226)

  ** Obsolete normative reference: RFC 3066 (Obsoleted by RFC 4646, RFC 4647)

  -- Obsolete informational reference (is this intentional?): RFC  822
     (Obsoleted by RFC 2822)

  -- Obsolete informational reference (is this intentional?): RFC 1510
     (Obsoleted by RFC 4120, RFC 6649)

  -- Obsolete informational reference (is this intentional?): RFC 1750
     (Obsoleted by RFC 4086)

  -- Obsolete informational reference (is this intentional?): RFC 2246
     (Obsoleted by RFC 4346)


     Summary: 7 errors (**), 0 flaws (~~), 16 warnings (==), 11 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                    C. Lonvick, Ed.
3	Internet-Draft                                       Cisco Systems, Inc.
4	Expires: August 21, 2005                               February 17, 2005

6	                       SSH Protocol Architecture
7	                  draft-ietf-secsh-architecture-21.txt

9	Status of this Memo

11	   This document is an Internet-Draft and is subject to all provisions
12	   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
13	   author represents that any applicable patent or other IPR claims of
14	   which he or she is aware have been or will be disclosed, and any of
15	   which he or she become aware will be disclosed, in accordance with
16	   RFC 3668.

18	   Internet-Drafts are working documents of the Internet Engineering
19	   Task Force (IETF), its areas, and its working groups.  Note that
20	   other groups may also distribute working documents as
21	   Internet-Drafts.

23	   Internet-Drafts are draft documents valid for a maximum of six months
24	   and may be updated, replaced, or obsoleted by other documents at any
25	   time.  It is inappropriate to use Internet-Drafts as reference
26	   material or to cite them other than as "work in progress."

28	   The list of current Internet-Drafts can be accessed at
29	   http://www.ietf.org/ietf/1id-abstracts.txt.

31	   The list of Internet-Draft Shadow Directories can be accessed at
32	   http://www.ietf.org/shadow.html.

34	   This Internet-Draft will expire on August 21, 2005.

36	Copyright Notice

38	   Copyright (C) The Internet Society (2005).

40	Abstract

42	   SSH is a protocol for secure remote login and other secure network
43	   services over an insecure network.  This document describes the
44	   architecture of the SSH protocol, as well as the notation and
45	   terminology used in SSH protocol documents.  It also discusses the
46	   SSH algorithm naming system that allows local extensions.  The SSH
47	   protocol consists of three major components: The Transport Layer
48	   Protocol provides server authentication, confidentiality, and
49	   integrity with perfect forward secrecy.  The User Authentication
50	   Protocol authenticates the client to the server.  The Connection
51	   Protocol multiplexes the encrypted tunnel into several logical
52	   channels.  Details of these protocols are described in separate
53	   documents.

55	Table of Contents

57	   1.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . .  4
58	   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
59	   3.  Conventions Used in This Document  . . . . . . . . . . . . . .  4
60	   4.  Architecture . . . . . . . . . . . . . . . . . . . . . . . . .  5
61	     4.1   Host Keys  . . . . . . . . . . . . . . . . . . . . . . . .  5
62	     4.2   Extensibility  . . . . . . . . . . . . . . . . . . . . . .  6
63	     4.3   Policy Issues  . . . . . . . . . . . . . . . . . . . . . .  7
64	     4.4   Security Properties  . . . . . . . . . . . . . . . . . . .  8
65	     4.5   Localization and Character Set Support . . . . . . . . . .  8
66	   5.  Data Type Representations Used in the SSH Protocols  . . . . .  9
67	   6.  Algorithm and Method Naming  . . . . . . . . . . . . . . . . . 11
68	   7.  Message Numbers  . . . . . . . . . . . . . . . . . . . . . . . 12
69	   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
70	   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
71	     9.1   Pseudo-Random Number Generation  . . . . . . . . . . . . . 14
72	     9.2   Transport  . . . . . . . . . . . . . . . . . . . . . . . . 14
73	       9.2.1   Confidentiality  . . . . . . . . . . . . . . . . . . . 14
74	       9.2.2   Data Integrity . . . . . . . . . . . . . . . . . . . . 17
75	       9.2.3   Replay . . . . . . . . . . . . . . . . . . . . . . . . 17
76	       9.2.4   Man-in-the-middle  . . . . . . . . . . . . . . . . . . 18
77	       9.2.5   Denial-of-service  . . . . . . . . . . . . . . . . . . 20
78	       9.2.6   Covert Channels  . . . . . . . . . . . . . . . . . . . 21
79	       9.2.7   Forward Secrecy  . . . . . . . . . . . . . . . . . . . 21
80	       9.2.8   Ordering of Key Exchange Methods . . . . . . . . . . . 21
81	       9.2.9   Traffic Analysis . . . . . . . . . . . . . . . . . . . 21
82	     9.3   Authentication Protocol  . . . . . . . . . . . . . . . . . 22
83	       9.3.1   Weak Transport . . . . . . . . . . . . . . . . . . . . 22
84	       9.3.2   Debug Messages . . . . . . . . . . . . . . . . . . . . 23
85	       9.3.3   Local Security Policy  . . . . . . . . . . . . . . . . 23
86	       9.3.4   Public Key Authentication  . . . . . . . . . . . . . . 24
87	       9.3.5   Password Authentication  . . . . . . . . . . . . . . . 24
88	       9.3.6   Host Based Authentication  . . . . . . . . . . . . . . 24
89	     9.4   Connection Protocol  . . . . . . . . . . . . . . . . . . . 24
90	       9.4.1   End Point Security . . . . . . . . . . . . . . . . . . 24
91	       9.4.2   Proxy Forwarding . . . . . . . . . . . . . . . . . . . 25
92	       9.4.3   X11 Forwarding . . . . . . . . . . . . . . . . . . . . 25
93	   10.   References . . . . . . . . . . . . . . . . . . . . . . . . . 26
94	     10.1  Normative References . . . . . . . . . . . . . . . . . . . 26
95	     10.2  Informative References . . . . . . . . . . . . . . . . . . 26
96	       Author's Address . . . . . . . . . . . . . . . . . . . . . . . 29
97	       Intellectual Property and Copyright Statements . . . . . . . . 30

99	1.  Contributors

101	   The major original contributors of this set of documents have been:
102	   Tatu Ylonen, Tero Kivinen, Timo J. Rinne, Sami Lehtinen (all of SSH
103	   Communications Security Corp), and Markku-Juhani O. Saarinen
104	   (University of Jyvaskyla).  Darren Moffit was the original editor of
105	   this set of documents and also made very substantial contributions.

107	   Additional contributors to this document include [need list].
108	   Listing their names here does not mean that they endorse this
109	   document, but that they have contributed to it.

111	   Comments on this internet draft should be sent to the IETF SECSH
112	   working group, details at:
113	   http://ietf.org/html.charters/secsh-charter.html Note: This paragraph
114	   will be removed before this document progresses to become an RFC.

116	2.  Introduction

118	   SSH is a protocol for secure remote login and other secure network
119	   services over an insecure network.  It consists of three major
120	   components:
121	   o  The Transport Layer Protocol [SSH-TRANS] provides server
122	      authentication, confidentiality, and integrity.  It may optionally
123	      also provide compression.  The transport layer will typically be
124	      run over a TCP/IP connection, but might also be used on top of any
125	      other reliable data stream.
126	   o  The User Authentication Protocol [SSH-USERAUTH] authenticates the
127	      client-side user to the server.  It runs over the transport layer
128	      protocol.
129	   o  The Connection Protocol [SSH-CONNECT] multiplexes the encrypted
130	      tunnel into several logical channels.  It runs over the user
131	      authentication protocol.

133	   The client sends a service request once a secure transport layer
134	   connection has been established.  A second service request is sent
135	   after user authentication is complete.  This allows new protocols to
136	   be defined and coexist with the protocols listed above.

138	   The connection protocol provides channels that can be used for a wide
139	   range of purposes.  Standard methods are provided for setting up
140	   secure interactive shell sessions and for forwarding ("tunneling")
141	   arbitrary TCP/IP ports and X11 connections.

143	3.  Conventions Used in This Document

145	   All documents related to the SSH protocols shall use the keywords
146	   "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
147	   "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" to describe
148	   requirements.  These keywords are to be interpreted as described in
149	   [RFC2119].

151	   The keywords "PRIVATE USE", "HIERARCHICAL ALLOCATION", "FIRST COME
152	   FIRST SERVED", "EXPERT REVIEW", "SPECIFICATION REQUIRED", "IESG
153	   APPROVAL", "IETF CONSENSUS", and "STANDARDS ACTION" that appear in
154	   this document when used to describe namespace allocation are to be
155	   interpreted as described in [RFC2434].

157	   Protocol fields and possible values to fill them are defined in this
158	   set of documents.  Protocol fields will be defined in the message
159	   definitions.  As an example, SSH_MSG_CHANNEL_DATA is defined as
160	   follows.

162	        byte      SSH_MSG_CHANNEL_DATA
163	        uint32    recipient channel
164	        string    data

166	   Throughout these documents, when the fields are referenced, they will
167	   appear within single quotes.  When values to fill those fields are
168	   referenced, they will appear within double quotes.  Using the above
169	   example, possible values for 'data' are "foo" and "bar".

171	4.  Architecture

173	4.1  Host Keys

175	   Each server host SHOULD have a host key.  Hosts MAY have multiple
176	   host keys using multiple different algorithms.  Multiple hosts MAY
177	   share the same host key.  If a host has keys at all, it MUST have at
178	   least one key using each REQUIRED public key algorithm (DSS
179	   [FIPS-186-2]).

181	   The server host key is used during key exchange to verify that the
182	   client is really talking to the correct server.  For this to be
183	   possible, the client must have a priori knowledge of the server's
184	   public host key.

186	   Two different trust models can be used:
187	   o  The client has a local database that associates each host name (as
188	      typed by the user) with the corresponding public host key.  This
189	      method requires no centrally administered infrastructure, and no
190	      third-party coordination.  The downside is that the database of
191	      name-to-key associations may become burdensome to maintain.
192	   o  The host name-to-key association is certified by some trusted
193	      certification authority (CA).  The client only knows the CA root
194	      key, and can verify the validity of all host keys certified by
195	      accepted CAs.

197	   The second alternative eases the maintenance problem, since ideally
198	   only a single CA key needs to be securely stored on the client.  On
199	   the other hand, each host key must be appropriately certified by a
200	   central authority before authorization is possible.  Also, a lot of
201	   trust is placed on the central infrastructure.

203	   The protocol provides the option that the server name - host key
204	   association is not checked when connecting to the host for the first
205	   time.  This allows communication without prior communication of host
206	   keys or certification.  The connection still provides protection
207	   against passive listening; however, it becomes vulnerable to active
208	   man-in-the-middle attacks.  Implementations SHOULD NOT normally allow
209	   such connections by default, as they pose a potential security
210	   problem.  However, as there is no widely deployed key infrastructure
211	   available on the Internet yet, this option makes the protocol much
212	   more usable during the transition time until such an infrastructure
213	   emerges, while still providing a much higher level of security than
214	   that offered by older solutions (e.g., telnet [RFC0854] and rlogin
215	   [RFC1282]).

217	   Implementations SHOULD try to make the best effort to check host
218	   keys.  An example of a possible strategy is to only accept a host key
219	   without checking the first time a host is connected, save the key in
220	   a local database, and compare against that key on all future
221	   connections to that host.

223	   Implementations MAY provide additional methods for verifying the
224	   correctness of host keys, e.g., a hexadecimal fingerprint derived
225	   from the SHA-1 hash of the public key.  Such fingerprints can easily
226	   be verified by using telephone or other external communication
227	   channels.

229	   All implementations SHOULD provide an option to not accept host keys
230	   that cannot be verified.

232	   The members of this Working Group believe that 'ease of use' is
233	   critical to end-user acceptance of security solutions, and no
234	   improvement in security is gained if the new solutions are not used.
235	   Thus, providing the option not to check the server host key is
236	   believed to improve the overall security of the Internet, even though
237	   it reduces the security of the protocol in configurations where it is
238	   allowed.

240	4.2  Extensibility

242	   We believe that the protocol will evolve over time, and some
243	   organizations will want to use their own encryption, authentication
244	   and/or key exchange methods.  Central registration of all extensions
245	   is cumbersome, especially for experimental or classified features.
246	   On the other hand, having no central registration leads to conflicts
247	   in method identifiers, making interoperability difficult.

249	   We have chosen to identify algorithms, methods, formats, and
250	   extension protocols with textual names that are of a specific format.
251	   DNS names are used to create local namespaces where experimental or
252	   classified extensions can be defined without fear of conflicts with
253	   other implementations.

255	   One design goal has been to keep the base protocol as simple as
256	   possible, and to require as few algorithms as possible.  However, all
257	   implementations MUST support a minimal set of algorithms to ensure
258	   interoperability (this does not imply that the local policy on all
259	   hosts would necessary allow these algorithms).  The mandatory
260	   algorithms are specified in the relevant protocol documents.

262	   Additional algorithms, methods, formats, and extension protocols can
263	   be defined in separate drafts.  See Section Algorithm Naming
264	   (Section 6) for more information.

266	4.3  Policy Issues

268	   The protocol allows full negotiation of encryption, integrity, key
269	   exchange, compression, and public key algorithms and formats.
270	   Encryption, integrity, public key, and compression algorithms can be
271	   different for each direction.

273	   The following policy issues SHOULD be addressed in the configuration
274	   mechanisms of each implementation:
275	   o  Encryption, integrity, and compression algorithms, separately for
276	      each direction.  The policy MUST specify which is the preferred
277	      algorithm (e.g., the first algorithm listed in each category).
278	   o  Public key algorithms and key exchange method to be used for host
279	      authentication.  The existence of trusted host keys for different
280	      public key algorithms also affects this choice.
281	   o  The authentication methods that are to be required by the server
282	      for each user.  The server's policy MAY require multiple
283	      authentication for some or all users.  The required algorithms MAY
284	      depend on the location where the user is trying to log in from.
285	   o  The operations that the user is allowed to perform using the
286	      connection protocol.  Some issues are related to security; for
287	      example, the policy SHOULD NOT allow the server to start sessions
288	      or run commands on the client machine, and MUST NOT allow
289	      connections to the authentication agent unless forwarding such
290	      connections has been requested.  Other issues, such as which
291	      TCP/IP ports can be forwarded and by whom, are clearly issues of
292	      local policy.  Many of these issues may involve traversing or
293	      bypassing firewalls, and are interrelated with the local security
294	      policy.

296	4.4  Security Properties

298	   The primary goal of the SSH protocol is to improve security on the
299	   Internet.  It attempts to do this in a way that is easy to deploy,
300	   even at the cost of absolute security.
301	   o  All encryption, integrity, and public key algorithms used are
302	      well-known, well-established algorithms.
303	   o  All algorithms are used with cryptographically sound key sizes
304	      that are believed to provide protection against even the strongest
305	      cryptanalytic attacks for decades.
306	   o  All algorithms are negotiated, and in case some algorithm is
307	      broken, it is easy to switch to some other algorithm without
308	      modifying the base protocol.

310	   Specific concessions were made to make wide-spread fast deployment
311	   easier.  The particular case where this comes up is verifying that
312	   the server host key really belongs to the desired host; the protocol
313	   allows the verification to be left out, but this is NOT RECOMMENDED.
314	   This is believed to significantly improve usability in the short
315	   term, until widespread Internet public key infrastructures emerge.

317	4.5  Localization and Character Set Support

319	   For the most part, the SSH protocols do not directly pass text that
320	   would be displayed to the user.  However, there are some places where
321	   such data might be passed.  When applicable, the character set for
322	   the data MUST be explicitly specified.  In most places, ISO 10646
323	   with UTF-8 encoding is used [RFC3629].  When applicable, a field is
324	   also provided for a language tag [RFC3066].

326	   One big issue is the character set of the interactive session.  There
327	   is no clear solution, as different applications may display data in
328	   different formats.  Different types of terminal emulation may also be
329	   employed in the client, and the character set to be used is
330	   effectively determined by the terminal emulation.  Thus, no place is
331	   provided for directly specifying the character set or encoding for
332	   terminal session data.  However, the terminal emulation type (e.g.,
333	   "vt100") is transmitted to the remote site, and it implicitly
334	   specifies the character set and encoding.  Applications typically use
335	   the terminal type to determine what character set they use, or the
336	   character set is determined using some external means.  The terminal
337	   emulation may also allow configuring the default character set.  In
338	   any case, the character set for the terminal session is considered
339	   primarily a client local issue.

341	   Internal names used to identify algorithms or protocols are normally
342	   never displayed to users, and must be in US-ASCII.

344	   The client and server user names are inherently constrained by what
345	   the server is prepared to accept.  They might, however, occasionally
346	   be displayed in logs, reports, etc.  They MUST be encoded using ISO
347	   10646 UTF-8, but other encodings may be required in some cases.  It
348	   is up to the server to decide how to map user names to accepted user
349	   names.  Straight bit-wise binary comparison is RECOMMENDED.

351	   For localization purposes, the protocol attempts to minimize the
352	   number of textual messages transmitted.  When present, such messages
353	   typically relate to errors, debugging information, or some externally
354	   configured data.  For data that is normally displayed, it SHOULD be
355	   possible to fetch a localized message instead of the transmitted
356	   message by using a numerical code.  The remaining messages SHOULD be
357	   configurable.

359	5.  Data Type Representations Used in the SSH Protocols

361	   byte

363	      A byte represents an arbitrary 8-bit value (octet).  Fixed length
364	      data is sometimes represented as an array of bytes, written
365	      byte[n], where n is the number of bytes in the array.

367	   boolean

369	      A boolean value is stored as a single byte.  The value 0
370	      represents FALSE, and the value 1 represents TRUE.  All non-zero
371	      values MUST be interpreted as TRUE; however, applications MUST NOT
372	      store values other than 0 and 1.

374	   uint32

376	      Represents a 32-bit unsigned integer.  Stored as four bytes in the
377	      order of decreasing significance (network byte order).  For
378	      example: the value 699921578 (0x29b7f4aa) is stored as 29 b7 f4
379	      aa.

381	   uint64

383	      Represents a 64-bit unsigned integer.  Stored as eight bytes in
384	      the order of decreasing significance (network byte order).

386	   string

388	      Arbitrary length binary string.  Strings are allowed to contain
389	      arbitrary binary data, including null characters and 8-bit
390	      characters.  They are stored as a uint32 containing its length
391	      (number of bytes that follow) and zero (= empty string) or more
392	      bytes that are the value of the string.  Terminating null
393	      characters are not used.

395	      Strings are also used to store text.  In that case, US-ASCII is
396	      used for internal names, and ISO-10646 UTF-8 for text that might
397	      be displayed to the user.  The terminating null character SHOULD
398	      NOT normally be stored in the string.  For example: the US-ASCII
399	      string "testing" is represented as 00 00 00 07 t e s t i n g.  The
400	      UTF-8 mapping does not alter the encoding of US-ASCII characters.

402	   mpint

404	      Represents multiple precision integers in two's complement format,
405	      stored as a string, 8 bits per byte, MSB first.  Negative numbers
406	      have the value 1 as the most significant bit of the first byte of
407	      the data partition.  If the most significant bit would be set for
408	      a positive number, the number MUST be preceded by a zero byte.
409	      Unnecessary leading bytes with the value 0 or 255 MUST NOT be
410	      included.  The value zero MUST be stored as a string with zero
411	      bytes of data.

413	      By convention, a number that is used in modular computations in
414	      Z_n SHOULD be represented in the range 0 <= x < n.

416	       Examples:
417	       value (hex)        representation (hex)
418	       -----------        --------------------
419	       0                  00 00 00 00
420	       9a378f9b2e332a7    00 00 00 08 09 a3 78 f9 b2 e3 32 a7
421	       80                 00 00 00 02 00 80
422	       -1234              00 00 00 02 ed cc
423	       -deadbeef          00 00 00 05 ff 21 52 41 11

425	   name-list

427	      A string containing a comma-separated list of names.  A name-list
428	      is represented as a uint32 containing its length (number of bytes
429	      that follow) followed by a comma-separated list of zero or more
430	      names.  A name MUST have a non-zero length, and it MUST NOT
431	      contain a comma (",").  As this is a list of names, all of the
432	      elements contained are names and MUST be in US-ASCII.  Context may
433	      impose additional restrictions on the names.  For example; the
434	      names in a name-list may have to be a list of valid algorithm
435	      identifiers (see Section 6 below), or a list of [RFC3066] language
436	      tags.  The order of the names in a name-list may or may not be
437	      significant.  Again, this depends on the context where the list is
438	      used.  Terminating null characters MUST NOT be used; neither for
439	      the individual names, nor for the list as a whole.

441	       Examples:

443	       value                      representation (hex)
444	       -----                      --------------------
445	       (), the empty name-list    00 00 00 00
446	       ("zlib")                   00 00 00 04 7a 6c 69 62
447	       ("zlib,none")              00 00 00 09 7a 6c 69 62 2c 6e 6f 6e 65

449	6.  Algorithm and Method Naming

451	   The SSH protocols refer to particular hash, encryption, integrity,
452	   compression, and key exchange algorithms or methods by names.  There
453	   are some standard algorithms and methods that all implementations
454	   MUST support.  There are also algorithms and methods that are defined
455	   in the protocol specification but are OPTIONAL.  Furthermore, it is
456	   expected that some organizations will want to use their own
457	   algorithms or methods.

459	   In this protocol, all algorithm and method identifiers MUST be
460	   printable US-ASCII, non-empty strings no longer than 64 characters.
461	   Names MUST be case-sensitive.

463	   There are two formats for algorithm and method names:
464	   o  Names that do not contain an at-sign ("@") are reserved to be
465	      assigned by IETF CONSENSUS.  Examples include "3des-cbc", "sha-1",
466	      "hmac-sha1", and "zlib" (the doublequotes are not part of the
467	      name).  Names of this format are only valid if they are first
468	      registered with the IANA.  Registered names MUST NOT contain an
469	      at-sign ("@"), a comma (","), or whitespace or control characters
470	      (ASCII codes 32 or less).  Names are case-sensitive, and MUST NOT
471	      be longer than 64 characters.
472	   o  Anyone can define additional algorithms or methods by using names
473	      in the format name@domainname, e.g., "ourcipher-cbc@example.com".
474	      The format of the part preceding the at-sign is not specified,
475	      however these names MUST be printable US-ASCII strings, and MUST
476	      NOT contain the comma character (","), whitespace, or control
477	      characters (ASCII codes 32 or less).  The part following the
478	      at-sign MUST be a valid, fully qualified domain name [RFC1034]
479	      controlled by the person or organization defining the name.  Names
480	      are case-sensitive, and MUST NOT be longer than 64 characters.  It
481	      is up to each domain how it manages its local namespace.  It
482	      should be noted that these names resemble STD 11 [RFC0822] email
483	      addresses.  This is purely coincidental and actually has nothing
484	      to do with STD 11 [RFC0822].

486	7.  Message Numbers

488	   SSH packets have message numbers in the range 1 to 255.  These
489	   numbers have been allocated as follows:

491	     Transport layer protocol:

493	       1 to 19    Transport layer generic (e.g., disconnect, ignore,
494	                  debug, etc.)
495	       20 to 29   Algorithm negotiation
496	       30 to 49   Key exchange method specific (numbers can be reused
497	                  for different authentication methods)

499	     User authentication protocol:

501	       50 to 59   User authentication generic
502	       60 to 79   User authentication method specific (numbers can be
503	                  reused for different authentication methods)

505	     Connection protocol:

507	       80 to 89   Connection protocol generic
508	       90 to 127  Channel related messages

510	     Reserved for client protocols:

512	       128 to 191 Reserved

514	     Local extensions:

516	       192 to 255 Local extensions

518	8.  IANA Considerations

520	   This document is part of a set.  The instructions for the IANA for
521	   the SSH protocol as defined in this document, [SSH-USERAUTH],
522	   [SSH-TRANS], and [SSH-CONNECT], are detailed in [SSH-NUMBERS].  The
523	   following is a brief summary for convenience, but note well that

525	   [SSH-NUMBERS] contains the actual instructions to the IANA, which may
526	   be superceded in the future.

528	   Allocation of the following types of names in the SSH protocols is
529	   assigned by IETF consensus:
530	   o  Service Names
531	      *  Authentication Methods
532	      *  Connection Protocol Channel Names
533	      *  Connection Protocol Global Request Names
534	      *  Connection Protocol Channel Request Names
535	   o  Key Exchange Method Names
536	   o  Assigned Algorithm Names
537	      *  Encryption Algorithm Names
538	      *  MAC Algorithm Names
539	      *  Public Key Algorithm Names
540	      *  Compression Algorithm Names

542	   These names MUST be printable US-ASCII strings, and MUST NOT contain
543	   the characters at-sign ("@"), comma (","), or whitespace or control
544	   characters (ASCII codes 32 or less).  Names are case-sensitive, and
545	   MUST NOT be longer than 64 characters.

547	   Names with the at-sign ("@") in them are locally defined extensions
548	   and are not controlled by the IANA.

550	   Each category of names listed above has a separate namespace.
551	   However, using the same name in multiple categories SHOULD be avoided
552	   to minimize confusion.

554	   Message numbers (see Section Message Numbers (Section 7)) in the
555	   range of 0..191 are allocated via IETF CONSENSUS as described in
556	   [RFC2434].  Message numbers in the 192..255 range (the "Local
557	   extensions" set) are reserved for PRIVATE USE also as described in
558	   [RFC2434].

560	9.  Security Considerations

562	   In order to make the entire body of Security Considerations more
563	   accessible, Security Considerations for the transport,
564	   authentication, and connection documents have been gathered here.

566	   The transport protocol [SSH-TRANS] provides a confidential channel
567	   over an insecure network.  It performs server host authentication,
568	   key exchange, encryption, and integrity protection.  It also derives
569	   a unique session id that may be used by higher-level protocols.

571	   The authentication protocol [SSH-USERAUTH] provides a suite of
572	   mechanisms which can be used to authenticate the client user to the
573	   server.  Individual mechanisms specified in the in authentication
574	   protocol use the session id provided by the transport protocol and/or
575	   depend on the security and integrity guarantees of the transport
576	   protocol.

578	   The connection protocol [SSH-CONNECT] specifies a mechanism to
579	   multiplex multiple streams (channels) of data over the confidential
580	   and authenticated transport.  It also specifies channels for
581	   accessing an interactive shell, for 'proxy-forwarding' various
582	   external protocols over the secure transport (including arbitrary
583	   TCP/IP protocols), and for accessing secure 'subsystems' on the
584	   server host.

586	9.1  Pseudo-Random Number Generation

588	   This protocol binds each session key to the session by including
589	   random, session specific data in the hash used to produce session
590	   keys.  Special care should be taken to ensure that all of the random
591	   numbers are of good quality.  If the random data here (e.g.,
592	   Diffie-Hellman (DH) parameters) are pseudo-random then the
593	   pseudo-random number generator should be cryptographically secure
594	   (i.e., its next output not easily guessed even when knowing all
595	   previous outputs) and, furthermore, proper entropy needs to be added
596	   to the pseudo-random number generator.  [RFC1750] offers suggestions
597	   for sources of random numbers and entropy.  Implementors should note
598	   the importance of entropy and the well-meant, anecdotal warning about
599	   the difficulty in properly implementing pseudo-random number
600	   generating functions.

602	   The amount of entropy available to a given client or server may
603	   sometimes be less than what is required.  In this case one must
604	   either resort to pseudo-random number generation regardless of
605	   insufficient entropy or refuse to run the protocol.  The latter is
606	   preferable.

608	9.2  Transport

610	9.2.1  Confidentiality

612	   It is beyond the scope of this document and the Secure Shell Working
613	   Group to analyze or recommend specific ciphers other than the ones
614	   which have been established and accepted within the industry.  At the
615	   time of this writing, ciphers commonly in use include 3DES, ARCFOUR,
616	   twofish, serpent and blowfish.  AES has been published by The US
617	   Federal Information Processing Standards as [FIPS-197] and the
618	   cryptographic community has accepted AES as well.  As always,
619	   implementors and users should check current literature to ensure that
620	   no recent vulnerabilities have been found in ciphers used within
621	   products.  Implementors should also check to see which ciphers are
622	   considered to be relatively stronger than others and should recommend
623	   their use to users over relatively weaker ciphers.  It would be
624	   considered good form for an implementation to politely and
625	   unobtrusively notify a user that a stronger cipher is available and
626	   should be used when a weaker one is actively chosen.

628	   The "none" cipher is provided for debugging and SHOULD NOT be used
629	   except for that purpose.  Its cryptographic properties are
630	   sufficiently described in [RFC2410], which will show that its use
631	   does not meet the intent of this protocol.

633	   The relative merits of these and other ciphers may also be found in
634	   current literature.  Two references that may provide information on
635	   the subject are [SCHNEIER] and [KAUFMAN,PERLMAN,SPECINER] Both of
636	   these describe the CBC mode of operation of certain ciphers and the
637	   weakness of this scheme.  Essentially, this mode is theoretically
638	   vulnerable to chosen cipher-text attacks because of the high
639	   predictability of the start of packet sequence.  However, this attack
640	   is deemed difficult and not considered fully practicable especially
641	   if relatively longer block sizes are used.

643	   Additionally, another CBC mode attack may be mitigated through the
644	   insertion of packets containing SSH_MSG_IGNORE.  Without this
645	   technique, a specific attack may be successful.  For this attack
646	   (commonly known as the Rogaway attack [ROGAWAY], [DAI],
647	   [BELLARE,KOHNO,NAMPREMPRE]) to work, the attacker would need to know
648	   the Initialization Vector (IV) of the next block that is going to be
649	   encrypted.  In CBC mode that is the output of the encryption of the
650	   previous block.  If the attacker does not have any way to see the
651	   packet yet (i.e., it is in the internal buffers of the SSH
652	   implementation or even in the kernel) then this attack will not work.
653	   If the last packet has been sent out to the network (i.e., the
654	   attacker has access to it) then he can use the attack.

656	   In the optimal case an implementor would need to add an extra packet
657	   only if the packet has been sent out onto the network and there are
658	   no other packets waiting for transmission.  Implementors may wish to
659	   check to see if there are any unsent packets awaiting transmission,
660	   but unfortunately it is not normally easy to obtain this information
661	   from the kernel or buffers.  If there are not, then a packet
662	   containing SSH_MSG_IGNORE SHOULD be sent.  If a new packet is added
663	   to the stream every time the attacker knows the IV that is supposed
664	   to be used for the next packet, then the attacker will not be able to
665	   guess the correct IV, thus the attack will never be successful.

667	   As an example, consider the following case:

669	      Client                                                  Server
670	      ------                                                  ------
671	      TCP(seq=x, len=500)             ---->
672	       contains Record 1

674	                          [500 ms passes, no ACK]

676	      TCP(seq=x, len=1000)            ---->
677	       contains Records 1,2

679	                                                                ACK

681	   1.  The Nagle algorithm + TCP retransmits mean that the two records
682	       get coalesced into a single TCP segment.
683	   2.  Record 2 is *not* at the beginning of the TCP segment and never
684	       will be, since it gets ACKed.
685	   3.  Yet, the attack is possible because Record 1 has already been
686	       seen.

688	   As this example indicates, it's totally unsafe to use the existence
689	   of unflushed data in the TCP buffers proper as a guide to whether you
690	   need an empty packet, since when you do the second write(), the
691	   buffers will contain the un-ACKed Record 1.

693	   On the other hand, it's perfectly safe to have the following
694	   situation:

696	      Client                                                  Server
697	      ------                                                  ------
698	      TCP(seq=x, len=500)             ---->
699	         contains SSH_MSG_IGNORE

701	      TCP(seq=y, len=500)             ---->
702	         contains Data

704	      Provided that the IV for the second SSH Record is fixed after the
705	      data for the Data packet is determined, then the following should
706	      be performed:
707	           read from user
708	           encrypt null packet
709	           encrypt data packet

711	9.2.2  Data Integrity

713	   This protocol does allow the Data Integrity mechanism to be disabled.
714	   Implementors SHOULD be wary of exposing this feature for any purpose
715	   other than debugging.  Users and administrators SHOULD be explicitly
716	   warned anytime the "none" MAC is enabled.

718	   So long as the "none" MAC is not used, this protocol provides data
719	   integrity.

721	   Because MACs use a 32 bit sequence number, they might start to leak
722	   information after 2**32 packets have been sent.  However, following
723	   the rekeying recommendations should prevent this attack.  The
724	   transport protocol [SSH-TRANS] recommends rekeying after one gigabyte
725	   of data, and the smallest possible packet is 16 bytes.  Therefore,
726	   rekeying SHOULD happen after 2**28 packets at the very most.

728	9.2.3  Replay

730	   The use of a MAC other than "none" provides integrity and
731	   authentication.  In addition, the transport protocol provides a
732	   unique session identifier (bound in part to pseudo-random data that
733	   is part of the algorithm and key exchange process) that can be used
734	   by higher level protocols to bind data to a given session and prevent
735	   replay of data from prior sessions.  For example: the authentication
736	   protocol uses this to prevent replay of signatures from previous
737	   sessions.  Because public key authentication exchanges are
738	   cryptographically bound to the session (i.e., to the initial key
739	   exchange) they cannot be successfully replayed in other sessions.
740	   Note that the session ID can be made public without harming the
741	   security of the protocol.

743	   If two sessions happen to have the same session ID (hash of key
744	   exchanges) then packets from one can be replayed against the other.
745	   It must be stressed that the chances of such an occurrence are,
746	   needless to say, minimal when using modern cryptographic methods.
747	   This is all the more so true when specifying larger hash function
748	   outputs and DH parameters.

750	   Replay detection using monotonically increasing sequence numbers as
751	   input to the MAC, or HMAC in some cases, is described in [RFC2085],
752	   [RFC2246], [RFC2743], [RFC1964], [RFC2025], and [RFC1510].  The
753	   underlying construct is discussed in [RFC2104].  Essentially a
754	   different sequence number in each packet ensures that at least this
755	   one input to the MAC function will be unique and will provide a
756	   nonrecurring MAC output that is not predictable to an attacker.  If
757	   the session stays active long enough, however, this sequence number
758	   will wrap.  This event may provide an attacker an opportunity to
759	   replay a previously recorded packet with an identical sequence number
760	   but only if the peers have not rekeyed since the transmission of the
761	   first packet with that sequence number.  If the peers have rekeyed,
762	   then the replay will be detected as the MAC check will fail.  For
763	   this reason, it must be emphasized that peers MUST rekey before a
764	   wrap of the sequence numbers.  Naturally, if an attacker does attempt
765	   to replay a captured packet before the peers have rekeyed, then the
766	   receiver of the duplicate packet will not be able to validate the MAC
767	   and it will be discarded.  The reason that the MAC will fail is
768	   because the receiver will formulate a MAC based upon the packet
769	   contents, the shared secret, and the expected sequence number.  Since
770	   the replayed packet will not be using that expected sequence number
771	   (the sequence number of the replayed packet will have already been
772	   passed by the receiver) then the calculated MAC will not match the
773	   MAC received with the packet.

775	9.2.4  Man-in-the-middle

777	   This protocol makes no assumptions nor provisions for an
778	   infrastructure or means for distributing the public keys of hosts.
779	   It is expected that this protocol will sometimes be used without
780	   first verifying the association between the server host key and the
781	   server host name.  Such usage is vulnerable to man-in-the-middle
782	   attacks.  This section describes this and encourages administrators
783	   and users to understand the importance of verifying this association
784	   before any session is initiated.

786	   There are three cases of man-in-the-middle attacks to consider.  The
787	   first is where an attacker places a device between the client and the
788	   server before the session is initiated.  In this case, the attack
789	   device is trying to mimic the legitimate server and will offer its
790	   public key to the client when the client initiates a session.  If it
791	   were to offer the public key of the server, then it would not be able
792	   to decrypt or sign the transmissions between the legitimate server
793	   and the client unless it also had access to the private-key of the
794	   host.  The attack device will also, simultaneously to this, initiate
795	   a session to the legitimate server masquerading itself as the client.
796	   If the public key of the server had been securely distributed to the
797	   client prior to that session initiation, the key offered to the
798	   client by the attack device will not match the key stored on the
799	   client.  In that case, the user SHOULD be given a warning that the
800	   offered host key does not match the host key cached on the client.
801	   As described in Section Host Keys (Section 4.1), the user may be free
802	   to accept the new key and continue the session.  It is RECOMMENDED
803	   that the warning provide sufficient information to the user of the
804	   client device so they may make an informed decision.  If the user
805	   chooses to continue the session with the stored public-key of the
806	   server (not the public-key offered at the start of the session), then
807	   the session specific data between the attacker and server will be
808	   different between the client-to-attacker session and the
809	   attacker-to-server sessions due to the randomness discussed above.
810	   From this, the attacker will not be able to make this attack work
811	   since the attacker will not be able to correctly sign packets
812	   containing this session specific data from the server since he does
813	   not have the private key of that server.

815	   The second case that should be considered is similar to the first
816	   case in that it also happens at the time of connection but this case
817	   points out the need for the secure distribution of server public
818	   keys.  If the server public keys are not securely distributed then
819	   the client cannot know if it is talking to the intended server.  An
820	   attacker may use social engineering techniques to pass off server
821	   keys to unsuspecting users and may then place a man-in-the-middle
822	   attack device between the legitimate server and the clients.  If this
823	   is allowed to happen then the clients will form client-to-attacker
824	   sessions and the attacker will form attacker-to-server sessions and
825	   will be able to monitor and manipulate all of the traffic between the
826	   clients and the legitimate servers.  Server administrators are
827	   encouraged to make host key fingerprints available for checking by
828	   some means whose security does not rely on the integrity of the
829	   actual host keys.  Possible mechanisms are discussed in Section Host
830	   Keys (Section 4.1) and may also include secured Web pages, physical
831	   pieces of paper, etc.  Implementors SHOULD provide recommendations on
832	   how best to do this with their implementation.  Because the protocol
833	   is extensible, future extensions to the protocol may provide better
834	   mechanisms for dealing with the need to know the server's host key
835	   before connecting.  For example: making the host key fingerprint
836	   available through a secure DNS lookup, or using Kerberos ([RFC1510])
837	   over GSS-API ([RFC1964]) during key exchange to authenticate the
838	   server are possibilities.

840	   In the third man-in-the-middle case, attackers may attempt to
841	   manipulate packets in transit between peers after the session has
842	   been established.  As described in the Replay part of this section, a
843	   successful attack of this nature is very improbable.  As in the
844	   Replay section, this reasoning does assume that the MAC is secure and
845	   that it is infeasible to construct inputs to a MAC algorithm to give
846	   a known output.  This is discussed in much greater detail in Section
847	   6 of [RFC2104].  If the MAC algorithm has a vulnerability or is weak
848	   enough, then the attacker may be able to specify certain inputs to
849	   yield a known MAC.  With that they may be able to alter the contents
850	   of a packet in transit.  Alternatively the attacker may be able to
851	   exploit the algorithm vulnerability or weakness to find the shared
852	   secret by reviewing the MACs from captured packets.  In either of
853	   those cases, an attacker could construct a packet or packets that
854	   could be inserted into an SSH stream.  To prevent that, implementors
855	   are encouraged to utilize commonly accepted MAC algorithms and
856	   administrators are encouraged to watch current literature and
857	   discussions of cryptography to ensure that they are not using a MAC
858	   algorithm that has a recently found vulnerability or weakness.

860	   In summary, the use of this protocol without a reliable association
861	   of the binding between a host and its host keys is inherently
862	   insecure and is NOT RECOMMENDED.  It may however be necessary in
863	   non-security critical environments, and will still provide protection
864	   against passive attacks.  Implementors of protocols and applications
865	   running on top of this protocol should keep this possibility in mind.

867	9.2.5  Denial-of-service

869	   This protocol is designed to be used over a reliable transport.  If
870	   transmission errors or message manipulation occur, the connection is
871	   closed.  The connection SHOULD be re-established if this occurs.
872	   Denial of service attacks of this type ("wire cutter") are almost
873	   impossible to avoid.

875	   In addition, this protocol is vulnerable to Denial of Service attacks
876	   because an attacker can force the server to go through the CPU and
877	   memory intensive tasks of connection setup and key exchange without
878	   authenticating.  Implementors SHOULD provide features that make this
879	   more difficult - for example: only allowing connections from a subset
880	   of IPs known to have valid users.

882	9.2.6  Covert Channels

884	   The protocol was not designed to eliminate covert channels.  For
885	   example, the padding, SSH_MSG_IGNORE messages, and several other
886	   places in the protocol can be used to pass covert information, and
887	   the recipient has no reliable way to verify whether such information
888	   is being sent.

890	9.2.7  Forward Secrecy

892	   It should be noted that the Diffie-Hellman key exchanges may provide
893	   perfect forward secrecy (PFS).  PFS is essentially defined as the
894	   cryptographic property of a key-establishment protocol in which the
895	   compromise of a session key or long-term private key after a given
896	   session does not cause the compromise of any earlier session.  [ANSI
897	   T1.523-2001]  SSH sessions resulting from a key exchange using the
898	   diffie-hellman methods described in the section "Diffie-Hellman Key
899	   Exchange" of [SSH-TRANS] (including diffie-hellman-group1-sha1 and
900	   diffie-hellman-group14-sha1) are secure even if private
901	   keying/authentication material is later revealed, but not if the
902	   session keys are revealed.  So, given this definition of PFS, SSH
903	   does have PFS.  This property is not commuted to any of the
904	   applications or protocols using SSH as a transport however.  The
905	   transport layer of SSH provides confidentiality for password
906	   authentication and other methods that rely on secret data.

908	   Of course, if the DH private parameters for the client and server are
909	   revealed then the session key is revealed, but these items can be
910	   thrown away after the key exchange completes.  It's worth pointing
911	   out that these items should not be allowed to end up on swap space
912	   and that they should be erased from memory as soon as the key
913	   exchange completes.

915	9.2.8  Ordering of Key Exchange Methods

917	   As stated in the section on "Algorithm Negotiation" of [SSH-TRANS],
918	   each device will send a list of preferred methods for key exchange.
919	   The most-preferred method is the first in the list.  It is
920	   RECOMMENDED to sort the algorithms by cryptographic strength,
921	   strongest first.  Some additional guidance for this is given in
922	   [RFC3766].

924	9.2.9  Traffic Analysis

926	   Passive monitoring of any protocol may give an attacker some
927	   information about the session, the user, or protocol specific
928	   information that they would otherwise not be able to garner.  For
929	   example, it has been shown that traffic analysis of an SSH session
930	   can yield information about the length of the password - [Openwall]
931	   and [USENIX].  Implementors should use the SSH_MSG_IGNORE packet
932	   along with the inclusion of random lengths of padding to thwart
933	   attempts of traffic analysis.  Other methods may also be found and
934	   implemented.

936	9.3  Authentication Protocol

938	   The purpose of this protocol is to perform client user
939	   authentication.  It assumes that this run over a secure transport
940	   layer protocol, which has already authenticated the server machine,
941	   established an encrypted communications channel, and computed a
942	   unique session identifier for this session.

944	   Several authentication methods with different security
945	   characteristics are allowed.  It is up to the server's local policy
946	   to decide which methods (or combinations of methods) it is willing to
947	   accept for each user.  Authentication is no stronger than the weakest
948	   combination allowed.

950	   The server may go into a "sleep" period after repeated unsuccessful
951	   authentication attempts to make key search more difficult for
952	   attackers.  Care should be taken so that this doesn't become a
953	   self-denial of service vector.

955	9.3.1  Weak Transport

957	   If the transport layer does not provide confidentiality,
958	   authentication methods that rely on secret data SHOULD be disabled.
959	   If it does not provide strong integrity protection, requests to
960	   change authentication data (e.g., a password change) SHOULD be
961	   disabled to prevent an attacker from modifying the ciphertext without
962	   being noticed, or rendering the new authentication data unusable
963	   (denial of service).

965	   The assumption as stated above that the Authentication Protocol only
966	   run over a secure transport that has previously authenticated the
967	   server is very important to note.  People deploying SSH are reminded
968	   of the consequences of man-in-the-middle attacks if the client does
969	   not have a very strong a priori association of the server with the
970	   host key of that server.  Specifically for the case of the
971	   Authentication Protocol the client may form a session to a
972	   man-in-the-middle attack device and divulge user credentials such as
973	   their username and password.  Even in the cases of authentication
974	   where no user credentials are divulged, an attacker may still gain
975	   information they shouldn't have by capturing key-strokes in much the
976	   same way that a honeypot works.

978	9.3.2  Debug Messages

980	   Special care should be taken when designing debug messages.  These
981	   messages may reveal surprising amounts of information about the host
982	   if not properly designed.  Debug messages can be disabled (during
983	   user authentication phase) if high security is required.
984	   Administrators of host machines should make all attempts to
985	   compartmentalize all event notification messages and protect them
986	   from unwarranted observation.  Developers should be aware of the
987	   sensitive nature of some of the normal event messages and debug
988	   messages and may want to provide guidance to administrators on ways
989	   to keep this information away from unauthorized people.  Developers
990	   should consider minimizing the amount of sensitive information
991	   obtainable by users during the authentication phase in accordance
992	   with the local policies.  For this reason, it is RECOMMENDED that
993	   debug messages be initially disabled at the time of deployment and
994	   require an active decision by an administrator to allow them to be
995	   enabled.  It is also RECOMMENDED that a message expressing this
996	   concern be presented to the administrator of a system when the action
997	   is taken to enable debugging messages.

999	9.3.3  Local Security Policy

1001	   Implementer MUST ensure that the credentials provided validate the
1002	   professed user and also MUST ensure that the local policy of the
1003	   server permits the user the access requested.  In particular, because
1004	   of the flexible nature of the SSH connection protocol, it may not be
1005	   possible to determine the local security policy, if any, that should
1006	   apply at the time of authentication because the kind of service being
1007	   requested is not clear at that instant.  For example: local policy
1008	   might allow a user to access files on the server, but not start an
1009	   interactive shell.  However, during the authentication protocol, it
1010	   is not known whether the user will be accessing files or attempting
1011	   to use an interactive shell, or even both.  In any event, where local
1012	   security policy for the server host exists, it MUST be applied and
1013	   enforced correctly.

1015	   Implementors are encouraged to provide a default local policy and
1016	   make its parameters known to administrators and users.  At the
1017	   discretion of the implementors, this default policy may be along the
1018	   lines of 'anything goes' where there are no restrictions placed upon
1019	   users, or it may be along the lines of 'excessively restrictive' in
1020	   which case the administrators will have to actively make changes to
1021	   this policy to meet their needs.  Alternatively, it may be some
1022	   attempt at providing something practical and immediately useful to
1023	   the administrators of the system so they don't have to put in much
1024	   effort to get SSH working.  Whatever choice is made MUST be applied
1025	   and enforced as required above.

1027	9.3.4  Public Key Authentication

1029	   The use of public-key authentication assumes that the client host has
1030	   not been compromised.  It also assumes that the private-key of the
1031	   server host has not been compromised.

1033	   This risk can be mitigated by the use of passphrases on private keys;
1034	   however, this is not an enforceable policy.  The use of smartcards,
1035	   or other technology to make passphrases an enforceable policy is
1036	   suggested.

1038	   The server could require both password and public-key authentication,
1039	   however, this requires the client to expose its password to the
1040	   server (see section on password authentication below.)

1042	9.3.5  Password Authentication

1044	   The password mechanism as specified in the authentication protocol
1045	   assumes that the server has not been compromised.  If the server has
1046	   been compromised, using password authentication will reveal a valid
1047	   username / password combination to the attacker, which may lead to
1048	   further compromises.

1050	   This vulnerability can be mitigated by using an alternative form of
1051	   authentication.  For example: public-key authentication makes no
1052	   assumptions about security on the server.

1054	9.3.6  Host Based Authentication

1056	   Host based authentication assumes that the client has not been
1057	   compromised.  There are no mitigating strategies, other than to use
1058	   host based authentication in combination with another authentication
1059	   method.

1061	9.4  Connection Protocol

1063	9.4.1  End Point Security

1065	   End point security is assumed by the connection protocol.  If the
1066	   server has been compromised, any terminal sessions, port forwarding,
1067	   or systems accessed on the host are compromised.  There are no
1068	   mitigating factors for this.

1070	   If the client end point has been compromised, and the server fails to
1071	   stop the attacker at the authentication protocol, all services
1072	   exposed (either as subsystems or through forwarding) will be
1073	   vulnerable to attack.  Implementors SHOULD provide mechanisms for
1074	   administrators to control which services are exposed to limit the
1075	   vulnerability of other services.

1077	   These controls might include controlling which machines and ports can
1078	   be target in 'port-forwarding' operations, which users are allowed to
1079	   use interactive shell facilities, or which users are allowed to use
1080	   exposed subsystems.

1082	9.4.2  Proxy Forwarding

1084	   The SSH connection protocol allows for proxy forwarding of other
1085	   protocols such as SNMP, POP3, and HTTP.  This may be a concern for
1086	   network administrators who wish to control the access of certain
1087	   applications by users located outside of their physical location.
1088	   Essentially, the forwarding of these protocols may violate site
1089	   specific security policies as they may be undetectably tunneled
1090	   through a firewall.  Implementors SHOULD provide an administrative
1091	   mechanism to control the proxy forwarding functionality so that site
1092	   specific security policies may be upheld.

1094	   In addition, a reverse proxy forwarding functionality is available,
1095	   which again can be used to bypass firewall controls.

1097	   As indicated above, end-point security is assumed during proxy
1098	   forwarding operations.  Failure of end-point security will compromise
1099	   all data passed over proxy forwarding.

1101	9.4.3  X11 Forwarding

1103	   Another form of proxy forwarding provided by the SSH connection
1104	   protocol is the forwarding of the X11 protocol.  If end-point
1105	   security has been compromised, X11 forwarding may allow attacks
1106	   against the X11 server.  Users and administrators should, as a matter
1107	   of course, use appropriate X11 security mechanisms to prevent
1108	   unauthorized use of the X11 server.  Implementors, administrators and
1109	   users who wish to further explore the security mechanisms of X11 are
1110	   invited to read [SCHEIFLER] and analyze previously reported problems
1111	   with the interactions between SSH forwarding and X11 in CERT
1112	   vulnerabilities VU#363181 and VU#118892 [CERT].

1114	   X11 display forwarding with SSH, by itself, is not sufficient to
1115	   correct well known problems with X11 security [VENEMA].  However, X11
1116	   display forwarding in SSH (or other secure protocols), combined with
1117	   actual and pseudo-displays which accept connections only over local
1118	   IPC mechanisms authorized by permissions or access control lists
1119	   (ACLs), does correct many X11 security problems as long as the "none"
1120	   MAC is not used.  It is RECOMMENDED that X11 display implementations
1121	   default to allowing display opens only over local IPC.  It is
1122	   RECOMMENDED that SSH server implementations that support X11
1123	   forwarding default to allowing display opens only over local IPC.  On
1124	   single-user systems it might be reasonable to default to allowing
1125	   local display opens over TCP/IP.

1127	   Implementors of the X11 forwarding protocol SHOULD implement the
1128	   magic cookie access checking spoofing mechanism as described in
1129	   [SSH-CONNECT] as an additional mechanism to prevent unauthorized use
1130	   of the proxy.

1132	10.  References

1134	10.1  Normative References

1136	   [SSH-TRANS]
1137	              Lonvick, C., "SSH Transport Layer Protocol",
1138	              I-D draft-ietf-secsh-transport-23.txt, February 2005.

1140	   [SSH-USERAUTH]
1141	              Lonvick, C., "SSH Authentication Protocol",
1142	              I-D draft-ietf-secsh-userauth-26.txt, February 2005.

1144	   [SSH-CONNECT]
1145	              Lonvick, C., "SSH Connection Protocol",
1146	              I-D draft-ietf-secsh-connect-24.txt, February 2005.

1148	   [SSH-NUMBERS]
1149	              Lonvick, C., "SSH Protocol Assigned Numbers",
1150	              I-D draft-ietf-secsh-assignednumbers-11.txt, February
1151	              2005.

1153	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1154	              Requirement Levels", BCP 14, RFC 2119, March 1997.

1156	   [RFC2434]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
1157	              IANA Considerations Section in RFCs", BCP 26, RFC 2434,
1158	              October 1998.

1160	   [RFC3066]  Alvestrand, H., "Tags for the Identification of
1161	              Languages", BCP 47, RFC 3066, January 2001.

1163	   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
1164	              10646", STD 63, RFC 3629, November 2003.

1166	10.2  Informative References

1168	   [FIPS-186-2]
1169	              Federal Information Processing Standards Publication,
1170	              "FIPS PUB 186-2, Digital Signature Standard (DSS)",
1171	              January 2000.

1173	   [FIPS-197]
1174	              National Institute of Standards and Technology, "FIPS 197,
1175	              Specification for the Advanced Encryption Standard",
1176	              November 2001.

1178	   [ANSI T1.523-2001]
1179	              American National Standards Institute, Inc., "Telecom
1180	              Glossary 2000", February 2001.

1182	   [SCHEIFLER]
1183	              Scheifler, R., "X Window System : The Complete Reference
1184	              to Xlib, X Protocol, Icccm, Xlfd, 3rd edition.", Digital
1185	              Press ISBN 1555580882, February 1992.

1187	   [RFC0822]  Crocker, D., "Standard for the format of ARPA Internet
1188	              text messages", STD 11, RFC 822, August 1982.

1190	   [RFC0854]  Postel, J. and J. Reynolds, "Telnet Protocol
1191	              Specification", STD 8, RFC 854, May 1983.

1193	   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
1194	              STD 13, RFC 1034, November 1987.

1196	   [RFC1282]  Kantor, B., "BSD Rlogin", RFC 1282, December 1991.

1198	   [RFC1510]  Kohl, J. and B. Neuman, "The Kerberos Network
1199	              Authentication Service (V5)", RFC 1510, September 1993.

1201	   [RFC1750]  Eastlake, D., Crocker, S. and J. Schiller, "Randomness
1202	              Recommendations for Security", RFC 1750, December 1994.

1204	   [RFC1964]  Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
1205	              RFC 1964, June 1996.

1207	   [RFC2025]  Adams, C., "The Simple Public-Key GSS-API Mechanism
1208	              (SPKM)", RFC 2025, October 1996.

1210	   [RFC2085]  Oehler, M. and R. Glenn, "HMAC-MD5 IP Authentication with
1211	              Replay Prevention", RFC 2085, February 1997.

1213	   [RFC2104]  Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:
1214	              Keyed-Hashing for Message Authentication", RFC 2104,
1215	              February 1997.

1217	   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
1218	              RFC 2246, January 1999.

1220	   [RFC2410]  Glenn, R. and S. Kent, "The NULL Encryption Algorithm and
1221	              Its Use With IPsec", RFC 2410, November 1998.

1223	   [RFC2743]  Linn, J., "Generic Security Service Application Program
1224	              Interface Version 2, Update 1", RFC 2743, January 2000.

1226	   [RFC3766]  Orman, H. and P. Hoffman, "Determining Strengths For
1227	              Public Keys Used For Exchanging Symmetric Keys", BCP 86,
1228	              RFC 3766, April 2004.

1230	   [SCHNEIER]
1231	              Schneier, B., "Applied Cryptography Second Edition:
1232	              protocols algorithms and source in code in C", 1996.

1234	   [KAUFMAN,PERLMAN,SPECINER]
1235	              Kaufman, C., Perlman, R. and M. Speciner, "Network
1236	              Security: PRIVATE Communication in a PUBLIC World", 1995.

1238	   [CERT]     CERT Coordination Center, The.,
1239	              "http://www.cert.org/nav/index_red.html".

1241	   [VENEMA]   Venema, W., "Murphy's Law and Computer Security",
1242	              Proceedings of 6th USENIX Security Symposium, San Jose
1243	              CA http://www.usenix.org/publications/library/proceedings/
1244	              sec96/venema.html, July 1996.

1246	   [ROGAWAY]  Rogaway, P., "Problems with Proposed IP Cryptography",
1247	              Unpublished paper http://www.cs.ucdavis.edu/~rogaway/
1248	              papers/draft-rogaway-ipsec-comments-00.txt, 1996.

1250	   [DAI]      Dai, W., "An attack against SSH2 protocol", Email to the
1251	              SECSH Working Group ietf-ssh@netbsd.org ftp://
1252	              ftp.ietf.org/ietf-mail-archive/secsh/2002-02.mail, Feb
1253	              2002.

1255	   [BELLARE,KOHNO,NAMPREMPRE]
1256	              Bellaire, M., Kohno, T. and C. Namprempre, "Authenticated
1257	              Encryption in SSH: Fixing the SSH Binary Packet Protocol",
1258	              Proceedings of the 9th ACM Conference on Computer and
1259	              Communications Security, Sept 2002.

1261	   [Openwall]
1262	              Solar Designer and D. Song, "SSH Traffic Analysis
1263	              Attacks", Presentation given at HAL2001 and NordU2002
1264	              Conferences, Sept 2001.

1266	   [USENIX]   Song, X.D., Wagner, D. and X. Tian, "Timing Analysis of
1267	              Keystrokes and SSH Timing Attacks", Paper given at 10th
1268	              USENIX Security Symposium, 2001.

1270	Author's Address

1272	   Chris Lonvick (editor)
1273	   Cisco Systems, Inc.
1274	   12515 Research Blvd.
1275	   Austin  78759
1276	   USA

1278	   Email: clonvick@cisco.com

1280	Intellectual Property Statement

1282	   The IETF takes no position regarding the validity or scope of any
1283	   Intellectual Property Rights or other rights that might be claimed to
1284	   pertain to the implementation or use of the technology described in
1285	   this document or the extent to which any license under such rights
1286	   might or might not be available; nor does it represent that it has
1287	   made any independent effort to identify any such rights.  Information
1288	   on the procedures with respect to rights in RFC documents can be
1289	   found in BCP 78 and BCP 79.

1291	   Copies of IPR disclosures made to the IETF Secretariat and any
1292	   assurances of licenses to be made available, or the result of an
1293	   attempt made to obtain a general license or permission for the use of
1294	   such proprietary rights by implementers or users of this
1295	   specification can be obtained from the IETF on-line IPR repository at
1296	   http://www.ietf.org/ipr.

1298	   The IETF invites any interested party to bring to its attention any
1299	   copyrights, patents or patent applications, or other proprietary
1300	   rights that may cover technology that may be required to implement
1301	   this standard.  Please address the information to the IETF at
1302	   ietf-ipr@ietf.org.

1304	   The IETF has been notified of intellectual property rights claimed in
1305	   regard to some or all of the specification contained in this
1306	   document.  For more information consult the online list of claimed
1307	   rights.

1309	Disclaimer of Validity

1311	   This document and the information contained herein are provided on an
1312	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1313	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1314	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1315	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1316	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1317	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1319	Copyright Statement

1321	   Copyright (C) The Internet Society (2005).  This document is subject
1322	   to the rights, licenses and restrictions contained in BCP 78, and
1323	   except as set forth therein, the authors retain all their rights.

1325	Acknowledgment

1327	   Funding for the RFC Editor function is currently provided by the
1328	   Internet Society.