xref: /freebsd/crypto/openssh/PROTOCOL (revision 370e009188ba90c3290b1479aa06ec98b66e140a)
1This documents OpenSSH's deviations and extensions to the published SSH
2protocol.
3
4Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH
5filexfer protocol described in:
6
7https://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
8
9Newer versions of the draft will not be supported, though some features
10are individually implemented as extensions described below.
11
12The protocol used by OpenSSH's ssh-agent is described in the file
13PROTOCOL.agent
14
151. Transport protocol changes
16
171.1. transport: Protocol 2 MAC algorithm "umac-64@openssh.com"
18
19This is a new transport-layer MAC method using the UMAC algorithm
20(rfc4418). This method is identical to the "umac-64" method documented
21in:
22
23https://www.openssh.com/txt/draft-miller-secsh-umac-01.txt
24
251.2. transport: Protocol 2 compression algorithm "zlib@openssh.com"
26
27This transport-layer compression method uses the zlib compression
28algorithm (identical to the "zlib" method in rfc4253), but delays the
29start of compression until after authentication has completed. This
30avoids exposing compression code to attacks from unauthenticated users.
31
32The method is documented in:
33
34https://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
35
361.3. transport: New public key algorithms "ssh-rsa-cert-v01@openssh.com",
37     "ssh-dsa-cert-v01@openssh.com",
38     "ecdsa-sha2-nistp256-cert-v01@openssh.com",
39     "ecdsa-sha2-nistp384-cert-v01@openssh.com" and
40     "ecdsa-sha2-nistp521-cert-v01@openssh.com"
41
42OpenSSH introduces new public key algorithms to support certificate
43authentication for users and host keys. These methods are documented
44in the file PROTOCOL.certkeys
45
461.4. transport: Elliptic Curve cryptography
47
48OpenSSH supports ECC key exchange and public key authentication as
49specified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384
50and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
51curve points encoded using point compression are NOT accepted or
52generated.
53
541.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms
55
56OpenSSH supports MAC algorithms, whose names contain "-etm", that
57perform the calculations in a different order to that defined in RFC
584253. These variants use the so-called "encrypt then MAC" ordering,
59calculating the MAC over the packet ciphertext rather than the
60plaintext. This ordering closes a security flaw in the SSH transport
61protocol, where decryption of unauthenticated ciphertext provided a
62"decryption oracle" that could, in conjunction with cipher flaws, reveal
63session plaintext.
64
65Specifically, the "-etm" MAC algorithms modify the transport protocol
66to calculate the MAC over the packet ciphertext and to send the packet
67length unencrypted. This is necessary for the transport to obtain the
68length of the packet and location of the MAC tag so that it may be
69verified without decrypting unauthenticated data.
70
71As such, the MAC covers:
72
73      mac = MAC(key, sequence_number || packet_length || encrypted_packet)
74
75where "packet_length" is encoded as a uint32 and "encrypted_packet"
76contains:
77
78      byte      padding_length
79      byte[n1]  payload; n1 = packet_length - padding_length - 1
80      byte[n2]  random padding; n2 = padding_length
81
821.6 transport: AES-GCM
83
84OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
85Because of problems with the specification of the key exchange
86the behaviour of OpenSSH differs from the RFC as follows:
87
88AES-GCM is only negotiated as the cipher algorithms
89"aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as
90an MAC algorithm. Additionally, if AES-GCM is selected as the cipher
91the exchanged MAC algorithms are ignored and there doesn't have to be
92a matching MAC.
93
941.7 transport: chacha20-poly1305@openssh.com authenticated encryption
95
96OpenSSH supports authenticated encryption using ChaCha20 and Poly1305
97as described in PROTOCOL.chacha20poly1305.
98
991.8 transport: curve25519-sha256@libssh.org key exchange algorithm
100
101OpenSSH supports the use of ECDH in Curve25519 for key exchange as
102described at:
103http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519
104
105This is identical to curve25519-sha256 as later published in RFC8731.
106
1072. Connection protocol changes
108
1092.1. connection: Channel write close extension "eow@openssh.com"
110
111The SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF
112message to allow an endpoint to signal its peer that it will send no
113more data over a channel. Unfortunately, there is no symmetric way for
114an endpoint to request that its peer should cease sending data to it
115while still keeping the channel open for the endpoint to send data to
116the peer.
117
118This is desirable, since it saves the transmission of data that would
119otherwise need to be discarded and it allows an endpoint to signal local
120processes of the condition, e.g. by closing the corresponding file
121descriptor.
122
123OpenSSH implements a channel extension message to perform this
124signalling: "eow@openssh.com" (End Of Write). This message is sent by
125an endpoint when the local output of a session channel is closed or
126experiences a write error. The message is formatted as follows:
127
128	byte		SSH_MSG_CHANNEL_REQUEST
129	uint32		recipient channel
130	string		"eow@openssh.com"
131	boolean		FALSE
132
133On receiving this message, the peer SHOULD cease sending data of
134the channel and MAY signal the process from which the channel data
135originates (e.g. by closing its read file descriptor).
136
137As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does
138remain open after a "eow@openssh.com" has been sent and more data may
139still be sent in the other direction. This message does not consume
140window space and may be sent even if no window space is available.
141
142NB. due to certain broken SSH implementations aborting upon receipt
143of this message (in contravention of RFC4254 section 5.4), this
144message is only sent to OpenSSH peers (identified by banner).
145Other SSH implementations may be listed to receive this message
146upon request.
147
1482.2. connection: disallow additional sessions extension
149     "no-more-sessions@openssh.com"
150
151Most SSH connections will only ever request a single session, but a
152attacker may abuse a running ssh client to surreptitiously open
153additional sessions under their control. OpenSSH provides a global
154request "no-more-sessions@openssh.com" to mitigate this attack.
155
156When an OpenSSH client expects that it will never open another session
157(i.e. it has been started with connection multiplexing disabled), it
158will send the following global request:
159
160	byte		SSH_MSG_GLOBAL_REQUEST
161	string		"no-more-sessions@openssh.com"
162	char		want-reply
163
164On receipt of such a message, an OpenSSH server will refuse to open
165future channels of type "session" and instead immediately abort the
166connection.
167
168Note that this is not a general defence against compromised clients
169(that is impossible), but it thwarts a simple attack.
170
171NB. due to certain broken SSH implementations aborting upon receipt
172of this message, the no-more-sessions request is only sent to OpenSSH
173servers (identified by banner). Other SSH implementations may be
174listed to receive this message upon request.
175
1762.3. connection: Tunnel forward extension "tun@openssh.com"
177
178OpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com"
179channel type. This channel type supports forwarding of network packets
180with datagram boundaries intact between endpoints equipped with
181interfaces like the BSD tun(4) device. Tunnel forwarding channels are
182requested by the client with the following packet:
183
184	byte		SSH_MSG_CHANNEL_OPEN
185	string		"tun@openssh.com"
186	uint32		sender channel
187	uint32		initial window size
188	uint32		maximum packet size
189	uint32		tunnel mode
190	uint32		remote unit number
191
192The "tunnel mode" parameter specifies whether the tunnel should forward
193layer 2 frames or layer 3 packets. It may take one of the following values:
194
195	SSH_TUNMODE_POINTOPOINT  1		/* layer 3 packets */
196	SSH_TUNMODE_ETHERNET     2		/* layer 2 frames */
197
198The "tunnel unit number" specifies the remote interface number, or may
199be 0x7fffffff to allow the server to automatically choose an interface. A
200server that is not willing to open a client-specified unit should refuse
201the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful
202open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS.
203
204Once established the client and server may exchange packet or frames
205over the tunnel channel by encapsulating them in SSH protocol strings
206and sending them as channel data. This ensures that packet boundaries
207are kept intact. Specifically, packets are transmitted using normal
208SSH_MSG_CHANNEL_DATA packets:
209
210	byte		SSH_MSG_CHANNEL_DATA
211	uint32		recipient channel
212	string		data
213
214The contents of the "data" field for layer 3 packets is:
215
216	uint32			packet length
217	uint32			address family
218	byte[packet length - 4]	packet data
219
220The "address family" field identifies the type of packet in the message.
221It may be one of:
222
223	SSH_TUN_AF_INET		2		/* IPv4 */
224	SSH_TUN_AF_INET6	24		/* IPv6 */
225
226The "packet data" field consists of the IPv4/IPv6 datagram itself
227without any link layer header.
228
229The contents of the "data" field for layer 2 packets is:
230
231	uint32			packet length
232	byte[packet length]	frame
233
234The "frame" field contains an IEEE 802.3 Ethernet frame, including
235header.
236
2372.4. connection: Unix domain socket forwarding
238
239OpenSSH supports local and remote Unix domain socket forwarding
240using the "streamlocal" extension.  Forwarding is initiated as per
241TCP sockets but with a single path instead of a host and port.
242
243Similar to direct-tcpip, direct-streamlocal is sent by the client
244to request that the server make a connection to a Unix domain socket.
245
246	byte		SSH_MSG_CHANNEL_OPEN
247	string		"direct-streamlocal@openssh.com"
248	uint32		sender channel
249	uint32		initial window size
250	uint32		maximum packet size
251	string		socket path
252	string		reserved
253	uint32		reserved
254
255Similar to forwarded-tcpip, forwarded-streamlocal is sent by the
256server when the client has previously send the server a streamlocal-forward
257GLOBAL_REQUEST.
258
259	byte		SSH_MSG_CHANNEL_OPEN
260	string		"forwarded-streamlocal@openssh.com"
261	uint32		sender channel
262	uint32		initial window size
263	uint32		maximum packet size
264	string		socket path
265	string		reserved for future use
266
267The reserved field is not currently defined and is ignored on the
268remote end.  It is intended to be used in the future to pass
269information about the socket file, such as ownership and mode.
270The client currently sends the empty string for this field.
271
272Similar to tcpip-forward, streamlocal-forward is sent by the client
273to request remote forwarding of a Unix domain socket.
274
275	byte		SSH2_MSG_GLOBAL_REQUEST
276	string		"streamlocal-forward@openssh.com"
277	boolean		TRUE
278	string		socket path
279
280Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent
281by the client cancel the forwarding of a Unix domain socket.
282
283	byte		SSH2_MSG_GLOBAL_REQUEST
284	string		"cancel-streamlocal-forward@openssh.com"
285	boolean		FALSE
286	string		socket path
287
2882.5. connection: hostkey update and rotation "hostkeys-00@openssh.com"
289and "hostkeys-prove-00@openssh.com"
290
291OpenSSH supports a protocol extension allowing a server to inform
292a client of all its protocol v.2 host keys after user-authentication
293has completed.
294
295	byte		SSH_MSG_GLOBAL_REQUEST
296	string		"hostkeys-00@openssh.com"
297	char		0 /* want-reply */
298	string[]	hostkeys
299
300Upon receiving this message, a client should check which of the
301supplied host keys are present in known_hosts.
302
303Note that the server may send key types that the client does not
304support. The client should disregard such keys if they are received.
305
306If the client identifies any keys that are not present for the host,
307it should send a "hostkeys-prove@openssh.com" message to request the
308server prove ownership of the private half of the key.
309
310	byte		SSH_MSG_GLOBAL_REQUEST
311	string		"hostkeys-prove-00@openssh.com"
312	char		1 /* want-reply */
313	string[]	hostkeys
314
315When a server receives this message, it should generate a signature
316using each requested key over the following:
317
318	string		"hostkeys-prove-00@openssh.com"
319	string		session identifier
320	string		hostkey
321
322These signatures should be included in the reply, in the order matching
323the hostkeys in the request:
324
325	byte		SSH_MSG_REQUEST_SUCCESS
326	string[]	signatures
327
328When the client receives this reply (and not a failure), it should
329validate the signatures and may update its known_hosts file, adding keys
330that it has not seen before and deleting keys for the server host that
331are no longer offered.
332
333These extensions let a client learn key types that it had not previously
334encountered, thereby allowing it to potentially upgrade from weaker
335key algorithms to better ones. It also supports graceful key rotation:
336a server may offer multiple keys of the same type for a period (to
337give clients an opportunity to learn them using this extension) before
338removing the deprecated key from those offered.
339
3402.6. connection: SIGINFO support for "signal" channel request
341
342The SSH channels protocol (RFC4254 section 6.9) supports sending a
343signal to a session attached to a channel. OpenSSH supports one
344extension signal "INFO@openssh.com" that allows sending SIGINFO on
345BSD-derived systems.
346
3473. Authentication protocol changes
348
3493.1. Host-bound public key authentication
350
351This is trivial change to the traditional "publickey" authentication
352method. The authentication request is identical to the original method
353but for the name and one additional field:
354
355	byte		SSH2_MSG_USERAUTH_REQUEST
356	string		username
357	string		"ssh-connection"
358	string		"publickey-hostbound-v00@openssh.com"
359	bool		has_signature
360	string		pkalg
361	string		public key
362	string		server host key
363
364Because the entire SSH2_MSG_USERAUTH_REQUEST message is included in
365the signed data, this ensures that a binding between the destination
366user, the server identity and the session identifier is visible to the
367signer. OpenSSH uses this binding via signed data to implement per-key
368restrictions in ssh-agent.
369
370A server may advertise this method using the SSH2_MSG_EXT_INFO
371mechanism (RFC8308), with the following message:
372
373	string		"publickey-hostbound@openssh.com"
374	string		"0" (version)
375
376Clients should prefer host-bound authentication when advertised by
377server.
378
3794. SFTP protocol changes
380
3814.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
382
383When OpenSSH's sftp-server was implemented, the order of the arguments
384to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately,
385the reversal was not noticed until the server was widely deployed. Since
386fixing this to follow the specification would cause incompatibility, the
387current order was retained. For correct operation, clients should send
388SSH_FXP_SYMLINK as follows:
389
390	uint32		id
391	string		targetpath
392	string		linkpath
393
3944.2. sftp: Server extension announcement in SSH_FXP_VERSION
395
396OpenSSH's sftp-server lists the extensions it supports using the
397standard extension announcement mechanism in the SSH_FXP_VERSION server
398hello packet:
399
400	uint32		3		/* protocol version */
401	string		ext1-name
402	string		ext1-version
403	string		ext2-name
404	string		ext2-version
405	...
406	string		extN-name
407	string		extN-version
408
409Each extension reports its integer version number as an ASCII encoded
410string, e.g. "1". The version will be incremented if the extension is
411ever changed in an incompatible way. The server MAY advertise the same
412extension with multiple versions (though this is unlikely). Clients MUST
413check the version number before attempting to use the extension.
414
4154.3. sftp: Extension request "posix-rename@openssh.com"
416
417This operation provides a rename operation with POSIX semantics, which
418are different to those provided by the standard SSH_FXP_RENAME in
419draft-ietf-secsh-filexfer-02.txt. This request is implemented as a
420SSH_FXP_EXTENDED request with the following format:
421
422	uint32		id
423	string		"posix-rename@openssh.com"
424	string		oldpath
425	string		newpath
426
427On receiving this request the server will perform the POSIX operation
428rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
429This extension is advertised in the SSH_FXP_VERSION hello with version
430"1".
431
4324.4. sftp: Extension requests "statvfs@openssh.com" and
433         "fstatvfs@openssh.com"
434
435These requests correspond to the statvfs and fstatvfs POSIX system
436interfaces. The "statvfs@openssh.com" request operates on an explicit
437pathname, and is formatted as follows:
438
439	uint32		id
440	string		"statvfs@openssh.com"
441	string		path
442
443The "fstatvfs@openssh.com" operates on an open file handle:
444
445	uint32		id
446	string		"fstatvfs@openssh.com"
447	string		handle
448
449These requests return a SSH_FXP_STATUS reply on failure. On success they
450return the following SSH_FXP_EXTENDED_REPLY reply:
451
452	uint32		id
453	uint64		f_bsize		/* file system block size */
454	uint64		f_frsize	/* fundamental fs block size */
455	uint64		f_blocks	/* number of blocks (unit f_frsize) */
456	uint64		f_bfree		/* free blocks in file system */
457	uint64		f_bavail	/* free blocks for non-root */
458	uint64		f_files		/* total file inodes */
459	uint64		f_ffree		/* free file inodes */
460	uint64		f_favail	/* free file inodes for to non-root */
461	uint64		f_fsid		/* file system id */
462	uint64		f_flag		/* bit mask of f_flag values */
463	uint64		f_namemax	/* maximum filename length */
464
465The values of the f_flag bitmask are as follows:
466
467	#define SSH_FXE_STATVFS_ST_RDONLY	0x1	/* read-only */
468	#define SSH_FXE_STATVFS_ST_NOSUID	0x2	/* no setuid */
469
470Both the "statvfs@openssh.com" and "fstatvfs@openssh.com" extensions are
471advertised in the SSH_FXP_VERSION hello with version "2".
472
4734.5. sftp: Extension request "hardlink@openssh.com"
474
475This request is for creating a hard link to a regular file. This
476request is implemented as a SSH_FXP_EXTENDED request with the
477following format:
478
479	uint32		id
480	string		"hardlink@openssh.com"
481	string		oldpath
482	string		newpath
483
484On receiving this request the server will perform the operation
485link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
486This extension is advertised in the SSH_FXP_VERSION hello with version
487"1".
488
4894.6. sftp: Extension request "fsync@openssh.com"
490
491This request asks the server to call fsync(2) on an open file handle.
492
493	uint32		id
494	string		"fsync@openssh.com"
495	string		handle
496
497On receiving this request, a server will call fsync(handle_fd) and will
498respond with a SSH_FXP_STATUS message.
499
500This extension is advertised in the SSH_FXP_VERSION hello with version
501"1".
502
5034.7. sftp: Extension request "lsetstat@openssh.com"
504
505This request is like the "setstat" command, but sets file attributes on
506symlinks.  It is implemented as a SSH_FXP_EXTENDED request with the
507following format:
508
509	uint32		id
510	string		"lsetstat@openssh.com"
511	string		path
512	ATTRS		attrs
513
514See the "setstat" command for more details.
515
516This extension is advertised in the SSH_FXP_VERSION hello with version
517"1".
518
5194.8. sftp: Extension request "limits@openssh.com"
520
521This request is used to determine various limits the server might impose.
522Clients should not attempt to exceed these limits as the server might sever
523the connection immediately.
524
525	uint32		id
526	string		"limits@openssh.com"
527
528The server will respond with a SSH_FXP_EXTENDED_REPLY reply:
529
530	uint32		id
531	uint64		max-packet-length
532	uint64		max-read-length
533	uint64		max-write-length
534	uint64		max-open-handles
535
536The 'max-packet-length' applies to the total number of bytes in a
537single SFTP packet.  Servers SHOULD set this at least to 34000.
538
539The 'max-read-length' is the largest length in a SSH_FXP_READ packet.
540Even if the client requests a larger size, servers will usually respond
541with a shorter SSH_FXP_DATA packet.  Servers SHOULD set this at least to
54232768.
543
544The 'max-write-length' is the largest length in a SSH_FXP_WRITE packet
545the server will accept.  Servers SHOULD set this at least to 32768.
546
547The 'max-open-handles' is the maximum number of active handles that the
548server allows (e.g. handles created by SSH_FXP_OPEN and SSH_FXP_OPENDIR
549packets).  Servers MAY count internal file handles against this limit
550(e.g. system logging or stdout/stderr), so clients SHOULD NOT expect to
551open this many handles in practice.
552
553If the server doesn't enforce a specific limit, then the field may be
554set to 0.  This implies the server relies on the OS to enforce limits
555(e.g. available memory or file handles), and such limits might be
556dynamic.  The client SHOULD take care to not try to exceed reasonable
557limits.
558
559This extension is advertised in the SSH_FXP_VERSION hello with version
560"1".
561
5624.9. sftp: Extension request "expand-path@openssh.com"
563
564This request supports canonicalisation of relative paths and
565those that need tilde-expansion, i.e. "~", "~/..." and "~user/..."
566These paths are expanded using shell-like rules and the resultant
567path is canonicalised similarly to SSH2_FXP_REALPATH.
568
569It is implemented as a SSH_FXP_EXTENDED request with the following
570format:
571
572	uint32		id
573	string		"expand-path@openssh.com"
574	string		path
575
576Its reply is the same format as that of SSH2_FXP_REALPATH.
577
578This extension is advertised in the SSH_FXP_VERSION hello with version
579"1".
580
5814.10. sftp: Extension request "copy-data"
582
583This request asks the server to copy data from one open file handle and
584write it to a different open file handle.  This avoids needing to transfer
585the data across the network twice (a download followed by an upload).
586
587	byte		SSH_FXP_EXTENDED
588	uint32		id
589	string		"copy-data"
590	string		read-from-handle
591	uint64		read-from-offset
592	uint64		read-data-length
593	string		write-to-handle
594	uint64		write-to-offset
595
596The server will copy read-data-length bytes starting from
597read-from-offset from the read-from-handle and write them to
598write-to-handle starting from write-to-offset, and then respond with a
599SSH_FXP_STATUS message.
600
601It's equivalent to issuing a series of SSH_FXP_READ requests on
602read-from-handle and a series of requests of SSH_FXP_WRITE on
603write-to-handle.
604
605If read-from-handle and write-to-handle are the same, the server will
606fail the request and respond with a SSH_FX_INVALID_PARAMETER message.
607
608If read-data-length is 0, then the server will read data from the
609read-from-handle until EOF is reached.
610
611This extension is advertised in the SSH_FXP_VERSION hello with version
612"1".
613
614This request is identical to the "copy-data" request documented in:
615
616https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7
617
6184.11. sftp: Extension request "home-directory"
619
620This request asks the server to expand the specified user's home directory.
621An empty username implies the current user.  This can be used by the client
622to expand ~/ type paths locally.
623
624	byte		SSH_FXP_EXTENDED
625	uint32		id
626	string		"home-directory"
627	string		username
628
629This extension is advertised in the SSH_FXP_VERSION hello with version
630"1".
631
632This provides similar information as the "expand-path@openssh.com" extension.
633
634This request is identical to the "home-directory" request documented in:
635
636https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-5
637
6384.12. sftp: Extension request "users-groups-by-id@openssh.com"
639
640This request asks the server to return user and/or group names that
641correspond to one or more IDs (e.g. as returned from a SSH_FXP_STAT
642request). This may be used by the client to provide usernames in
643directory listings.
644
645	byte		SSH_FXP_EXTENDED
646	uint32		id
647	string		"users-groups-by-id@openssh.com"
648	string		uids
649	string		gids
650
651Where "uids" and "gids" consists of one or more integer user or group
652identifiers:
653
654	uint32		id-0
655	...
656
657The server will reply with a SSH_FXP_EXTENDED_REPLY:
658
659	byte		SSH_FXP_EXTENDED_REPLY
660	string		usernames
661	string		groupnames
662
663Where "username" and "groupnames" consists of names in identical request
664order to "uids" and "gids" respectively:
665
666	string		name-0
667	...
668
669If a name cannot be identified for a given user or group ID, an empty
670string will be returned in its place.
671
672It is acceptable for either "uids" or "gids" to be an empty set, in
673which case the respective "usernames" or "groupnames" list will also
674be empty.
675
676This extension is advertised in the SSH_FXP_VERSION hello with version
677"1".
678
6795. Miscellaneous changes
680
6815.1 Public key format
682
683OpenSSH public keys, as generated by ssh-keygen(1) and appearing in
684authorized_keys files, are formatted as a single line of text consisting
685of the public key algorithm name followed by a base64-encoded key blob.
686The public key blob (before base64 encoding) is the same format used for
687the encoding of public keys sent on the wire: as described in RFC4253
688section 6.6 for RSA and DSA keys, RFC5656 section 3.1 for ECDSA keys
689and the "New public key formats" section of PROTOCOL.certkeys for the
690OpenSSH certificate formats.
691
6925.2 Private key format
693
694OpenSSH private keys, as generated by ssh-keygen(1) use the format
695described in PROTOCOL.key by default. As a legacy option, PEM format
696(RFC7468) private keys are also supported for RSA, DSA and ECDSA keys
697and were the default format before OpenSSH 7.8.
698
6995.3 KRL format
700
701OpenSSH supports a compact format for Key Revocation Lists (KRLs). This
702format is described in the PROTOCOL.krl file.
703
7045.4 Connection multiplexing
705
706OpenSSH's connection multiplexing uses messages as described in
707PROTOCOL.mux over a Unix domain socket for communications between a
708master instance and later clients.
709
7105.5. Agent protocol extensions
711
712OpenSSH extends the usual agent protocol. These changes are documented
713in the PROTOCOL.agent file.
714
715$OpenBSD: PROTOCOL,v 1.48 2022/11/07 01:53:01 dtucker Exp $
716