1180750SdesThis documents OpenSSH's deviations and extensions to the published SSH 2180750Sdesprotocol. 3180750Sdes 4180750SdesNote that OpenSSH's sftp and sftp-server implement revision 3 of the SSH 5180750Sdesfilexfer protocol described in: 6180750Sdes 7180750Sdeshttp://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt 8180750Sdes 9204917SdesNewer versions of the draft will not be supported, though some features 10204917Sdesare individually implemented as extensions described below. 11180750Sdes 12180750SdesThe protocol used by OpenSSH's ssh-agent is described in the file 13180750SdesPROTOCOL.agent 14180750Sdes 15221420Sdes1. Transport protocol changes 16180750Sdes 17221420Sdes1.1. transport: Protocol 2 MAC algorithm "umac-64@openssh.com" 18221420Sdes 19180750SdesThis is a new transport-layer MAC method using the UMAC algorithm 20180750Sdes(rfc4418). This method is identical to the "umac-64" method documented 21180750Sdesin: 22180750Sdes 23180750Sdeshttp://www.openssh.com/txt/draft-miller-secsh-umac-01.txt 24180750Sdes 25221420Sdes1.2. transport: Protocol 2 compression algorithm "zlib@openssh.com" 26180750Sdes 27180750SdesThis transport-layer compression method uses the zlib compression 28180750Sdesalgorithm (identical to the "zlib" method in rfc4253), but delays the 29180750Sdesstart of compression until after authentication has completed. This 30180750Sdesavoids exposing compression code to attacks from unauthenticated users. 31180750Sdes 32180750SdesThe method is documented in: 33180750Sdes 34180750Sdeshttp://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt 35180750Sdes 36221420Sdes1.3. transport: New public key algorithms "ssh-rsa-cert-v00@openssh.com", 37221420Sdes "ssh-dsa-cert-v00@openssh.com", 38221420Sdes "ecdsa-sha2-nistp256-cert-v01@openssh.com", 39221420Sdes "ecdsa-sha2-nistp384-cert-v01@openssh.com" and 40221420Sdes "ecdsa-sha2-nistp521-cert-v01@openssh.com" 41180750Sdes 42221420SdesOpenSSH introduces new public key algorithms to support certificate 43204917Sdesauthentication for users and hostkeys. These methods are documented in 44204917Sdesthe file PROTOCOL.certkeys 45204917Sdes 46221420Sdes1.4. transport: Elliptic Curve cryptography 47204917Sdes 48221420SdesOpenSSH supports ECC key exchange and public key authentication as 49221420Sdesspecified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 50221420Sdesand ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic 51221420Sdescurve points encoded using point compression are NOT accepted or 52221420Sdesgenerated. 53221420Sdes 54248619Sdes1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms 55248619Sdes 56248619SdesOpenSSH supports MAC algorithms, whose names contain "-etm", that 57248619Sdesperform the calculations in a different order to that defined in RFC 58248619Sdes4253. These variants use the so-called "encrypt then MAC" ordering, 59248619Sdescalculating the MAC over the packet ciphertext rather than the 60248619Sdesplaintext. This ordering closes a security flaw in the SSH transport 61248619Sdesprotocol, where decryption of unauthenticated ciphertext provided a 62248619Sdes"decryption oracle" that could, in conjunction with cipher flaws, reveal 63248619Sdessession plaintext. 64248619Sdes 65248619SdesSpecifically, the "-etm" MAC algorithms modify the transport protocol 66248619Sdesto calculate the MAC over the packet ciphertext and to send the packet 67248619Sdeslength unencrypted. This is necessary for the transport to obtain the 68248619Sdeslength of the packet and location of the MAC tag so that it may be 69248619Sdesverified without decrypting unauthenticated data. 70248619Sdes 71248619SdesAs such, the MAC covers: 72248619Sdes 73248619Sdes mac = MAC(key, sequence_number || packet_length || encrypted_packet) 74248619Sdes 75248619Sdeswhere "packet_length" is encoded as a uint32 and "encrypted_packet" 76248619Sdescontains: 77248619Sdes 78248619Sdes byte padding_length 79248619Sdes byte[n1] payload; n1 = packet_length - padding_length - 1 80248619Sdes byte[n2] random padding; n2 = padding_length 81248619Sdes 82248619Sdes1.6 transport: AES-GCM 83248619Sdes 84248619SdesOpenSSH supports the AES-GCM algorithm as specified in RFC 5647. 85248619SdesBecause of problems with the specification of the key exchange 86248619Sdesthe behaviour of OpenSSH differs from the RFC as follows: 87248619Sdes 88248619SdesAES-GCM is only negotiated as the cipher algorithms 89248619Sdes"aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as 90248619Sdesan MAC algorithm. Additionally, if AES-GCM is selected as the cipher 91248619Sdesthe exchanged MAC algorithms are ignored and there doesn't have to be 92248619Sdesa matching MAC. 93248619Sdes 94262566Sdes1.7 transport: chacha20-poly1305@openssh.com authenticated encryption 95262566Sdes 96262566SdesOpenSSH supports authenticated encryption using ChaCha20 and Poly1305 97262566Sdesas described in PROTOCOL.chacha20poly1305. 98262566Sdes 99262566Sdes1.8 transport: curve25519-sha256@libssh.org key exchange algorithm 100262566Sdes 101262566SdesOpenSSH supports the use of ECDH in Curve25519 for key exchange as 102262566Sdesdescribed at: 103262566Sdeshttp://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519 104262566Sdes 105221420Sdes2. Connection protocol changes 106221420Sdes 107221420Sdes2.1. connection: Channel write close extension "eow@openssh.com" 108221420Sdes 109180750SdesThe SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF 110180750Sdesmessage to allow an endpoint to signal its peer that it will send no 111180750Sdesmore data over a channel. Unfortunately, there is no symmetric way for 112180750Sdesan endpoint to request that its peer should cease sending data to it 113180750Sdeswhile still keeping the channel open for the endpoint to send data to 114180750Sdesthe peer. 115180750Sdes 116180750SdesThis is desirable, since it saves the transmission of data that would 117180750Sdesotherwise need to be discarded and it allows an endpoint to signal local 118180750Sdesprocesses of the condition, e.g. by closing the corresponding file 119180750Sdesdescriptor. 120180750Sdes 121180750SdesOpenSSH implements a channel extension message to perform this 122180750Sdessignalling: "eow@openssh.com" (End Of Write). This message is sent by 123180750Sdesan endpoint when the local output of a session channel is closed or 124180750Sdesexperiences a write error. The message is formatted as follows: 125180750Sdes 126180750Sdes byte SSH_MSG_CHANNEL_REQUEST 127180750Sdes uint32 recipient channel 128180750Sdes string "eow@openssh.com" 129180750Sdes boolean FALSE 130180750Sdes 131180750SdesOn receiving this message, the peer SHOULD cease sending data of 132180750Sdesthe channel and MAY signal the process from which the channel data 133180750Sdesoriginates (e.g. by closing its read file descriptor). 134180750Sdes 135180750SdesAs with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does 136180750Sdesremain open after a "eow@openssh.com" has been sent and more data may 137180750Sdesstill be sent in the other direction. This message does not consume 138180750Sdeswindow space and may be sent even if no window space is available. 139180750Sdes 140192595SdesNB. due to certain broken SSH implementations aborting upon receipt 141192595Sdesof this message (in contravention of RFC4254 section 5.4), this 142192595Sdesmessage is only sent to OpenSSH peers (identified by banner). 143192595SdesOther SSH implementations may be whitelisted to receive this message 144192595Sdesupon request. 145192595Sdes 146221420Sdes2.2. connection: disallow additional sessions extension 147221420Sdes "no-more-sessions@openssh.com" 148180750Sdes 149180750SdesMost SSH connections will only ever request a single session, but a 150180750Sdesattacker may abuse a running ssh client to surreptitiously open 151180750Sdesadditional sessions under their control. OpenSSH provides a global 152180750Sdesrequest "no-more-sessions@openssh.com" to mitigate this attack. 153180750Sdes 154180750SdesWhen an OpenSSH client expects that it will never open another session 155180750Sdes(i.e. it has been started with connection multiplexing disabled), it 156180750Sdeswill send the following global request: 157180750Sdes 158180750Sdes byte SSH_MSG_GLOBAL_REQUEST 159180750Sdes string "no-more-sessions@openssh.com" 160180750Sdes char want-reply 161180750Sdes 162180750SdesOn receipt of such a message, an OpenSSH server will refuse to open 163180750Sdesfuture channels of type "session" and instead immediately abort the 164180750Sdesconnection. 165180750Sdes 166180750SdesNote that this is not a general defence against compromised clients 167180750Sdes(that is impossible), but it thwarts a simple attack. 168180750Sdes 169192595SdesNB. due to certain broken SSH implementations aborting upon receipt 170192595Sdesof this message, the no-more-sessions request is only sent to OpenSSH 171192595Sdesservers (identified by banner). Other SSH implementations may be 172192595Sdeswhitelisted to receive this message upon request. 173192595Sdes 174221420Sdes2.3. connection: Tunnel forward extension "tun@openssh.com" 175180750Sdes 176180750SdesOpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com" 177180750Sdeschannel type. This channel type supports forwarding of network packets 178180750Sdeswith datagram boundaries intact between endpoints equipped with 179180750Sdesinterfaces like the BSD tun(4) device. Tunnel forwarding channels are 180180750Sdesrequested by the client with the following packet: 181180750Sdes 182180750Sdes byte SSH_MSG_CHANNEL_OPEN 183180750Sdes string "tun@openssh.com" 184180750Sdes uint32 sender channel 185180750Sdes uint32 initial window size 186180750Sdes uint32 maximum packet size 187180750Sdes uint32 tunnel mode 188180750Sdes uint32 remote unit number 189180750Sdes 190180750SdesThe "tunnel mode" parameter specifies whether the tunnel should forward 191180750Sdeslayer 2 frames or layer 3 packets. It may take one of the following values: 192180750Sdes 193180750Sdes SSH_TUNMODE_POINTOPOINT 1 /* layer 3 packets */ 194180750Sdes SSH_TUNMODE_ETHERNET 2 /* layer 2 frames */ 195180750Sdes 196180750SdesThe "tunnel unit number" specifies the remote interface number, or may 197204917Sdesbe 0x7fffffff to allow the server to automatically chose an interface. A 198204917Sdesserver that is not willing to open a client-specified unit should refuse 199204917Sdesthe request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful 200204917Sdesopen, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS. 201180750Sdes 202180750SdesOnce established the client and server may exchange packet or frames 203180750Sdesover the tunnel channel by encapsulating them in SSH protocol strings 204180750Sdesand sending them as channel data. This ensures that packet boundaries 205180750Sdesare kept intact. Specifically, packets are transmitted using normal 206180750SdesSSH_MSG_CHANNEL_DATA packets: 207180750Sdes 208180750Sdes byte SSH_MSG_CHANNEL_DATA 209180750Sdes uint32 recipient channel 210180750Sdes string data 211180750Sdes 212180750SdesThe contents of the "data" field for layer 3 packets is: 213180750Sdes 214180750Sdes uint32 packet length 215180750Sdes uint32 address family 216180750Sdes byte[packet length - 4] packet data 217180750Sdes 218180750SdesThe "address family" field identifies the type of packet in the message. 219180750SdesIt may be one of: 220180750Sdes 221180750Sdes SSH_TUN_AF_INET 2 /* IPv4 */ 222180750Sdes SSH_TUN_AF_INET6 24 /* IPv6 */ 223180750Sdes 224180750SdesThe "packet data" field consists of the IPv4/IPv6 datagram itself 225180750Sdeswithout any link layer header. 226180750Sdes 227204917SdesThe contents of the "data" field for layer 2 packets is: 228180750Sdes 229180750Sdes uint32 packet length 230180750Sdes byte[packet length] frame 231180750Sdes 232180750SdesThe "frame" field contains an IEEE 802.3 Ethernet frame, including 233180750Sdesheader. 234180750Sdes 235221420Sdes3. SFTP protocol changes 236180750Sdes 237221420Sdes3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK 238221420Sdes 239180750SdesWhen OpenSSH's sftp-server was implemented, the order of the arguments 240180750Sdesto the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately, 241180750Sdesthe reversal was not noticed until the server was widely deployed. Since 242180750Sdesfixing this to follow the specification would cause incompatibility, the 243180750Sdescurrent order was retained. For correct operation, clients should send 244180750SdesSSH_FXP_SYMLINK as follows: 245180750Sdes 246180750Sdes uint32 id 247180750Sdes string targetpath 248180750Sdes string linkpath 249180750Sdes 250221420Sdes3.2. sftp: Server extension announcement in SSH_FXP_VERSION 251180750Sdes 252180750SdesOpenSSH's sftp-server lists the extensions it supports using the 253180750Sdesstandard extension announcement mechanism in the SSH_FXP_VERSION server 254180750Sdeshello packet: 255180750Sdes 256180750Sdes uint32 3 /* protocol version */ 257180750Sdes string ext1-name 258180750Sdes string ext1-version 259180750Sdes string ext2-name 260180750Sdes string ext2-version 261180750Sdes ... 262180750Sdes string extN-name 263180750Sdes string extN-version 264180750Sdes 265180750SdesEach extension reports its integer version number as an ASCII encoded 266180750Sdesstring, e.g. "1". The version will be incremented if the extension is 267180750Sdesever changed in an incompatible way. The server MAY advertise the same 268180750Sdesextension with multiple versions (though this is unlikely). Clients MUST 269180750Sdescheck the version number before attempting to use the extension. 270180750Sdes 271221420Sdes3.3. sftp: Extension request "posix-rename@openssh.com" 272180750Sdes 273180750SdesThis operation provides a rename operation with POSIX semantics, which 274180750Sdesare different to those provided by the standard SSH_FXP_RENAME in 275180750Sdesdraft-ietf-secsh-filexfer-02.txt. This request is implemented as a 276180750SdesSSH_FXP_EXTENDED request with the following format: 277180750Sdes 278180750Sdes uint32 id 279180750Sdes string "posix-rename@openssh.com" 280180750Sdes string oldpath 281180750Sdes string newpath 282180750Sdes 283180750SdesOn receiving this request the server will perform the POSIX operation 284180750Sdesrename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 285180750SdesThis extension is advertised in the SSH_FXP_VERSION hello with version 286180750Sdes"1". 287180750Sdes 288221420Sdes3.4. sftp: Extension requests "statvfs@openssh.com" and 289180750Sdes "fstatvfs@openssh.com" 290180750Sdes 291180750SdesThese requests correspond to the statvfs and fstatvfs POSIX system 292180750Sdesinterfaces. The "statvfs@openssh.com" request operates on an explicit 293180750Sdespathname, and is formatted as follows: 294180750Sdes 295180750Sdes uint32 id 296180750Sdes string "statvfs@openssh.com" 297180750Sdes string path 298180750Sdes 299180750SdesThe "fstatvfs@openssh.com" operates on an open file handle: 300180750Sdes 301180750Sdes uint32 id 302180750Sdes string "fstatvfs@openssh.com" 303180750Sdes string handle 304180750Sdes 305180750SdesThese requests return a SSH_FXP_STATUS reply on failure. On success they 306180750Sdesreturn the following SSH_FXP_EXTENDED_REPLY reply: 307180750Sdes 308180750Sdes uint32 id 309180750Sdes uint64 f_bsize /* file system block size */ 310180750Sdes uint64 f_frsize /* fundamental fs block size */ 311180750Sdes uint64 f_blocks /* number of blocks (unit f_frsize) */ 312180750Sdes uint64 f_bfree /* free blocks in file system */ 313180750Sdes uint64 f_bavail /* free blocks for non-root */ 314180750Sdes uint64 f_files /* total file inodes */ 315180750Sdes uint64 f_ffree /* free file inodes */ 316180750Sdes uint64 f_favail /* free file inodes for to non-root */ 317180750Sdes uint64 f_fsid /* file system id */ 318180750Sdes uint64 f_flag /* bit mask of f_flag values */ 319180750Sdes uint64 f_namemax /* maximum filename length */ 320180750Sdes 321180750SdesThe values of the f_flag bitmask are as follows: 322180750Sdes 323180750Sdes #define SSH_FXE_STATVFS_ST_RDONLY 0x1 /* read-only */ 324180750Sdes #define SSH_FXE_STATVFS_ST_NOSUID 0x2 /* no setuid */ 325180750Sdes 326180750SdesBoth the "statvfs@openssh.com" and "fstatvfs@openssh.com" extensions are 327180750Sdesadvertised in the SSH_FXP_VERSION hello with version "2". 328180750Sdes 329221420Sdes10. sftp: Extension request "hardlink@openssh.com" 330221420Sdes 331221420SdesThis request is for creating a hard link to a regular file. This 332221420Sdesrequest is implemented as a SSH_FXP_EXTENDED request with the 333221420Sdesfollowing format: 334221420Sdes 335221420Sdes uint32 id 336221420Sdes string "hardlink@openssh.com" 337221420Sdes string oldpath 338221420Sdes string newpath 339221420Sdes 340221420SdesOn receiving this request the server will perform the operation 341221420Sdeslink(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 342221420SdesThis extension is advertised in the SSH_FXP_VERSION hello with version 343221420Sdes"1". 344221420Sdes 345262566Sdes10. sftp: Extension request "fsync@openssh.com" 346262566Sdes 347262566SdesThis request asks the server to call fsync(2) on an open file handle. 348262566Sdes 349262566Sdes uint32 id 350262566Sdes string "fsync@openssh.com" 351262566Sdes string handle 352262566Sdes 353262566SdesOne receiving this request, a server will call fsync(handle_fd) and will 354262566Sdesrespond with a SSH_FXP_STATUS message. 355262566Sdes 356262566SdesThis extension is advertised in the SSH_FXP_VERSION hello with version 357262566Sdes"1". 358262566Sdes 359262566Sdes$OpenBSD: PROTOCOL,v 1.23 2013/12/01 23:19:05 djm Exp $ 360