1This documents OpenSSH's deviations and extensions to the published SSH 2protocol. 3 4Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH 5filexfer protocol described in: 6 7https://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt 8 9Newer versions of the draft will not be supported, though some features 10are individually implemented as extensions described below. 11 12The protocol used by OpenSSH's ssh-agent is described in the file 13PROTOCOL.agent 14 151. Transport protocol changes 16 171.1. transport: Protocol 2 MAC algorithm "umac-64@openssh.com" 18 19This is a new transport-layer MAC method using the UMAC algorithm 20(rfc4418). This method is identical to the "umac-64" method documented 21in: 22 23https://www.openssh.com/txt/draft-miller-secsh-umac-01.txt 24 251.2. transport: Protocol 2 compression algorithm "zlib@openssh.com" 26 27This transport-layer compression method uses the zlib compression 28algorithm (identical to the "zlib" method in rfc4253), but delays the 29start of compression until after authentication has completed. This 30avoids exposing compression code to attacks from unauthenticated users. 31 32The method is documented in: 33 34https://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt 35 361.3. transport: New public key algorithms "ssh-rsa-cert-v01@openssh.com", 37 "ssh-dsa-cert-v01@openssh.com", 38 "ecdsa-sha2-nistp256-cert-v01@openssh.com", 39 "ecdsa-sha2-nistp384-cert-v01@openssh.com" and 40 "ecdsa-sha2-nistp521-cert-v01@openssh.com" 41 42OpenSSH introduces new public key algorithms to support certificate 43authentication for users and host keys. These methods are documented 44in the file PROTOCOL.certkeys 45 461.4. transport: Elliptic Curve cryptography 47 48OpenSSH supports ECC key exchange and public key authentication as 49specified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 50and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic 51curve points encoded using point compression are NOT accepted or 52generated. 53 541.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms 55 56OpenSSH supports MAC algorithms, whose names contain "-etm", that 57perform the calculations in a different order to that defined in RFC 584253. These variants use the so-called "encrypt then MAC" ordering, 59calculating the MAC over the packet ciphertext rather than the 60plaintext. This ordering closes a security flaw in the SSH transport 61protocol, where decryption of unauthenticated ciphertext provided a 62"decryption oracle" that could, in conjunction with cipher flaws, reveal 63session plaintext. 64 65Specifically, the "-etm" MAC algorithms modify the transport protocol 66to calculate the MAC over the packet ciphertext and to send the packet 67length unencrypted. This is necessary for the transport to obtain the 68length of the packet and location of the MAC tag so that it may be 69verified without decrypting unauthenticated data. 70 71As such, the MAC covers: 72 73 mac = MAC(key, sequence_number || packet_length || encrypted_packet) 74 75where "packet_length" is encoded as a uint32 and "encrypted_packet" 76contains: 77 78 byte padding_length 79 byte[n1] payload; n1 = packet_length - padding_length - 1 80 byte[n2] random padding; n2 = padding_length 81 821.6 transport: AES-GCM 83 84OpenSSH supports the AES-GCM algorithm as specified in RFC 5647. 85Because of problems with the specification of the key exchange 86the behaviour of OpenSSH differs from the RFC as follows: 87 88AES-GCM is only negotiated as the cipher algorithms 89"aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as 90an MAC algorithm. Additionally, if AES-GCM is selected as the cipher 91the exchanged MAC algorithms are ignored and there doesn't have to be 92a matching MAC. 93 941.7 transport: chacha20-poly1305@openssh.com authenticated encryption 95 96OpenSSH supports authenticated encryption using ChaCha20 and Poly1305 97as described in PROTOCOL.chacha20poly1305. 98 991.8 transport: curve25519-sha256@libssh.org key exchange algorithm 100 101OpenSSH supports the use of ECDH in Curve25519 for key exchange as 102described at: 103http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519 104 105This is identical to curve25519-sha256 as later published in RFC8731. 106 1072. Connection protocol changes 108 1092.1. connection: Channel write close extension "eow@openssh.com" 110 111The SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF 112message to allow an endpoint to signal its peer that it will send no 113more data over a channel. Unfortunately, there is no symmetric way for 114an endpoint to request that its peer should cease sending data to it 115while still keeping the channel open for the endpoint to send data to 116the peer. 117 118This is desirable, since it saves the transmission of data that would 119otherwise need to be discarded and it allows an endpoint to signal local 120processes of the condition, e.g. by closing the corresponding file 121descriptor. 122 123OpenSSH implements a channel extension message to perform this 124signalling: "eow@openssh.com" (End Of Write). This message is sent by 125an endpoint when the local output of a session channel is closed or 126experiences a write error. The message is formatted as follows: 127 128 byte SSH_MSG_CHANNEL_REQUEST 129 uint32 recipient channel 130 string "eow@openssh.com" 131 boolean FALSE 132 133On receiving this message, the peer SHOULD cease sending data of 134the channel and MAY signal the process from which the channel data 135originates (e.g. by closing its read file descriptor). 136 137As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does 138remain open after a "eow@openssh.com" has been sent and more data may 139still be sent in the other direction. This message does not consume 140window space and may be sent even if no window space is available. 141 142NB. due to certain broken SSH implementations aborting upon receipt 143of this message (in contravention of RFC4254 section 5.4), this 144message is only sent to OpenSSH peers (identified by banner). 145Other SSH implementations may be listed to receive this message 146upon request. 147 1482.2. connection: disallow additional sessions extension 149 "no-more-sessions@openssh.com" 150 151Most SSH connections will only ever request a single session, but a 152attacker may abuse a running ssh client to surreptitiously open 153additional sessions under their control. OpenSSH provides a global 154request "no-more-sessions@openssh.com" to mitigate this attack. 155 156When an OpenSSH client expects that it will never open another session 157(i.e. it has been started with connection multiplexing disabled), it 158will send the following global request: 159 160 byte SSH_MSG_GLOBAL_REQUEST 161 string "no-more-sessions@openssh.com" 162 char want-reply 163 164On receipt of such a message, an OpenSSH server will refuse to open 165future channels of type "session" and instead immediately abort the 166connection. 167 168Note that this is not a general defence against compromised clients 169(that is impossible), but it thwarts a simple attack. 170 171NB. due to certain broken SSH implementations aborting upon receipt 172of this message, the no-more-sessions request is only sent to OpenSSH 173servers (identified by banner). Other SSH implementations may be 174listed to receive this message upon request. 175 1762.3. connection: Tunnel forward extension "tun@openssh.com" 177 178OpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com" 179channel type. This channel type supports forwarding of network packets 180with datagram boundaries intact between endpoints equipped with 181interfaces like the BSD tun(4) device. Tunnel forwarding channels are 182requested by the client with the following packet: 183 184 byte SSH_MSG_CHANNEL_OPEN 185 string "tun@openssh.com" 186 uint32 sender channel 187 uint32 initial window size 188 uint32 maximum packet size 189 uint32 tunnel mode 190 uint32 remote unit number 191 192The "tunnel mode" parameter specifies whether the tunnel should forward 193layer 2 frames or layer 3 packets. It may take one of the following values: 194 195 SSH_TUNMODE_POINTOPOINT 1 /* layer 3 packets */ 196 SSH_TUNMODE_ETHERNET 2 /* layer 2 frames */ 197 198The "tunnel unit number" specifies the remote interface number, or may 199be 0x7fffffff to allow the server to automatically choose an interface. A 200server that is not willing to open a client-specified unit should refuse 201the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful 202open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS. 203 204Once established the client and server may exchange packet or frames 205over the tunnel channel by encapsulating them in SSH protocol strings 206and sending them as channel data. This ensures that packet boundaries 207are kept intact. Specifically, packets are transmitted using normal 208SSH_MSG_CHANNEL_DATA packets: 209 210 byte SSH_MSG_CHANNEL_DATA 211 uint32 recipient channel 212 string data 213 214The contents of the "data" field for layer 3 packets is: 215 216 uint32 packet length 217 uint32 address family 218 byte[packet length - 4] packet data 219 220The "address family" field identifies the type of packet in the message. 221It may be one of: 222 223 SSH_TUN_AF_INET 2 /* IPv4 */ 224 SSH_TUN_AF_INET6 24 /* IPv6 */ 225 226The "packet data" field consists of the IPv4/IPv6 datagram itself 227without any link layer header. 228 229The contents of the "data" field for layer 2 packets is: 230 231 uint32 packet length 232 byte[packet length] frame 233 234The "frame" field contains an IEEE 802.3 Ethernet frame, including 235header. 236 2372.4. connection: Unix domain socket forwarding 238 239OpenSSH supports local and remote Unix domain socket forwarding 240using the "streamlocal" extension. Forwarding is initiated as per 241TCP sockets but with a single path instead of a host and port. 242 243Similar to direct-tcpip, direct-streamlocal is sent by the client 244to request that the server make a connection to a Unix domain socket. 245 246 byte SSH_MSG_CHANNEL_OPEN 247 string "direct-streamlocal@openssh.com" 248 uint32 sender channel 249 uint32 initial window size 250 uint32 maximum packet size 251 string socket path 252 string reserved 253 uint32 reserved 254 255Similar to forwarded-tcpip, forwarded-streamlocal is sent by the 256server when the client has previously send the server a streamlocal-forward 257GLOBAL_REQUEST. 258 259 byte SSH_MSG_CHANNEL_OPEN 260 string "forwarded-streamlocal@openssh.com" 261 uint32 sender channel 262 uint32 initial window size 263 uint32 maximum packet size 264 string socket path 265 string reserved for future use 266 267The reserved field is not currently defined and is ignored on the 268remote end. It is intended to be used in the future to pass 269information about the socket file, such as ownership and mode. 270The client currently sends the empty string for this field. 271 272Similar to tcpip-forward, streamlocal-forward is sent by the client 273to request remote forwarding of a Unix domain socket. 274 275 byte SSH2_MSG_GLOBAL_REQUEST 276 string "streamlocal-forward@openssh.com" 277 boolean TRUE 278 string socket path 279 280Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent 281by the client cancel the forwarding of a Unix domain socket. 282 283 byte SSH2_MSG_GLOBAL_REQUEST 284 string "cancel-streamlocal-forward@openssh.com" 285 boolean FALSE 286 string socket path 287 2882.5. connection: hostkey update and rotation "hostkeys-00@openssh.com" 289and "hostkeys-prove-00@openssh.com" 290 291OpenSSH supports a protocol extension allowing a server to inform 292a client of all its protocol v.2 host keys after user-authentication 293has completed. 294 295 byte SSH_MSG_GLOBAL_REQUEST 296 string "hostkeys-00@openssh.com" 297 char 0 /* want-reply */ 298 string[] hostkeys 299 300Upon receiving this message, a client should check which of the 301supplied host keys are present in known_hosts. 302 303Note that the server may send key types that the client does not 304support. The client should disregard such keys if they are received. 305 306If the client identifies any keys that are not present for the host, 307it should send a "hostkeys-prove@openssh.com" message to request the 308server prove ownership of the private half of the key. 309 310 byte SSH_MSG_GLOBAL_REQUEST 311 string "hostkeys-prove-00@openssh.com" 312 char 1 /* want-reply */ 313 string[] hostkeys 314 315When a server receives this message, it should generate a signature 316using each requested key over the following: 317 318 string "hostkeys-prove-00@openssh.com" 319 string session identifier 320 string hostkey 321 322These signatures should be included in the reply, in the order matching 323the hostkeys in the request: 324 325 byte SSH_MSG_REQUEST_SUCCESS 326 string[] signatures 327 328When the client receives this reply (and not a failure), it should 329validate the signatures and may update its known_hosts file, adding keys 330that it has not seen before and deleting keys for the server host that 331are no longer offered. 332 333These extensions let a client learn key types that it had not previously 334encountered, thereby allowing it to potentially upgrade from weaker 335key algorithms to better ones. It also supports graceful key rotation: 336a server may offer multiple keys of the same type for a period (to 337give clients an opportunity to learn them using this extension) before 338removing the deprecated key from those offered. 339 3402.6. connection: SIGINFO support for "signal" channel request 341 342The SSH channels protocol (RFC4254 section 6.9) supports sending a 343signal to a session attached to a channel. OpenSSH supports one 344extension signal "INFO@openssh.com" that allows sending SIGINFO on 345BSD-derived systems. 346 3473. Authentication protocol changes 348 3493.1. Host-bound public key authentication 350 351This is trivial change to the traditional "publickey" authentication 352method. The authentication request is identical to the original method 353but for the name and one additional field: 354 355 byte SSH2_MSG_USERAUTH_REQUEST 356 string username 357 string "ssh-connection" 358 string "publickey-hostbound-v00@openssh.com" 359 bool has_signature 360 string pkalg 361 string public key 362 string server host key 363 364Because the entire SSH2_MSG_USERAUTH_REQUEST message is included in 365the signed data, this ensures that a binding between the destination 366user, the server identity and the session identifier is visible to the 367signer. OpenSSH uses this binding via signed data to implement per-key 368restrictions in ssh-agent. 369 370A server may advertise this method using the SSH2_MSG_EXT_INFO 371mechanism (RFC8308), with the following message: 372 373 string "publickey-hostbound@openssh.com" 374 string "0" (version) 375 376Clients should prefer host-bound authentication when advertised by 377server. 378 3794. SFTP protocol changes 380 3814.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK 382 383When OpenSSH's sftp-server was implemented, the order of the arguments 384to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately, 385the reversal was not noticed until the server was widely deployed. Since 386fixing this to follow the specification would cause incompatibility, the 387current order was retained. For correct operation, clients should send 388SSH_FXP_SYMLINK as follows: 389 390 uint32 id 391 string targetpath 392 string linkpath 393 3944.2. sftp: Server extension announcement in SSH_FXP_VERSION 395 396OpenSSH's sftp-server lists the extensions it supports using the 397standard extension announcement mechanism in the SSH_FXP_VERSION server 398hello packet: 399 400 uint32 3 /* protocol version */ 401 string ext1-name 402 string ext1-version 403 string ext2-name 404 string ext2-version 405 ... 406 string extN-name 407 string extN-version 408 409Each extension reports its integer version number as an ASCII encoded 410string, e.g. "1". The version will be incremented if the extension is 411ever changed in an incompatible way. The server MAY advertise the same 412extension with multiple versions (though this is unlikely). Clients MUST 413check the version number before attempting to use the extension. 414 4154.3. sftp: Extension request "posix-rename@openssh.com" 416 417This operation provides a rename operation with POSIX semantics, which 418are different to those provided by the standard SSH_FXP_RENAME in 419draft-ietf-secsh-filexfer-02.txt. This request is implemented as a 420SSH_FXP_EXTENDED request with the following format: 421 422 uint32 id 423 string "posix-rename@openssh.com" 424 string oldpath 425 string newpath 426 427On receiving this request the server will perform the POSIX operation 428rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 429This extension is advertised in the SSH_FXP_VERSION hello with version 430"1". 431 4324.4. sftp: Extension requests "statvfs@openssh.com" and 433 "fstatvfs@openssh.com" 434 435These requests correspond to the statvfs and fstatvfs POSIX system 436interfaces. The "statvfs@openssh.com" request operates on an explicit 437pathname, and is formatted as follows: 438 439 uint32 id 440 string "statvfs@openssh.com" 441 string path 442 443The "fstatvfs@openssh.com" operates on an open file handle: 444 445 uint32 id 446 string "fstatvfs@openssh.com" 447 string handle 448 449These requests return a SSH_FXP_STATUS reply on failure. On success they 450return the following SSH_FXP_EXTENDED_REPLY reply: 451 452 uint32 id 453 uint64 f_bsize /* file system block size */ 454 uint64 f_frsize /* fundamental fs block size */ 455 uint64 f_blocks /* number of blocks (unit f_frsize) */ 456 uint64 f_bfree /* free blocks in file system */ 457 uint64 f_bavail /* free blocks for non-root */ 458 uint64 f_files /* total file inodes */ 459 uint64 f_ffree /* free file inodes */ 460 uint64 f_favail /* free file inodes for to non-root */ 461 uint64 f_fsid /* file system id */ 462 uint64 f_flag /* bit mask of f_flag values */ 463 uint64 f_namemax /* maximum filename length */ 464 465The values of the f_flag bitmask are as follows: 466 467 #define SSH_FXE_STATVFS_ST_RDONLY 0x1 /* read-only */ 468 #define SSH_FXE_STATVFS_ST_NOSUID 0x2 /* no setuid */ 469 470Both the "statvfs@openssh.com" and "fstatvfs@openssh.com" extensions are 471advertised in the SSH_FXP_VERSION hello with version "2". 472 4734.5. sftp: Extension request "hardlink@openssh.com" 474 475This request is for creating a hard link to a regular file. This 476request is implemented as a SSH_FXP_EXTENDED request with the 477following format: 478 479 uint32 id 480 string "hardlink@openssh.com" 481 string oldpath 482 string newpath 483 484On receiving this request the server will perform the operation 485link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 486This extension is advertised in the SSH_FXP_VERSION hello with version 487"1". 488 4894.6. sftp: Extension request "fsync@openssh.com" 490 491This request asks the server to call fsync(2) on an open file handle. 492 493 uint32 id 494 string "fsync@openssh.com" 495 string handle 496 497On receiving this request, a server will call fsync(handle_fd) and will 498respond with a SSH_FXP_STATUS message. 499 500This extension is advertised in the SSH_FXP_VERSION hello with version 501"1". 502 5034.7. sftp: Extension request "lsetstat@openssh.com" 504 505This request is like the "setstat" command, but sets file attributes on 506symlinks. It is implemented as a SSH_FXP_EXTENDED request with the 507following format: 508 509 uint32 id 510 string "lsetstat@openssh.com" 511 string path 512 ATTRS attrs 513 514See the "setstat" command for more details. 515 516This extension is advertised in the SSH_FXP_VERSION hello with version 517"1". 518 5194.8. sftp: Extension request "limits@openssh.com" 520 521This request is used to determine various limits the server might impose. 522Clients should not attempt to exceed these limits as the server might sever 523the connection immediately. 524 525 uint32 id 526 string "limits@openssh.com" 527 528The server will respond with a SSH_FXP_EXTENDED_REPLY reply: 529 530 uint32 id 531 uint64 max-packet-length 532 uint64 max-read-length 533 uint64 max-write-length 534 uint64 max-open-handles 535 536The 'max-packet-length' applies to the total number of bytes in a 537single SFTP packet. Servers SHOULD set this at least to 34000. 538 539The 'max-read-length' is the largest length in a SSH_FXP_READ packet. 540Even if the client requests a larger size, servers will usually respond 541with a shorter SSH_FXP_DATA packet. Servers SHOULD set this at least to 54232768. 543 544The 'max-write-length' is the largest length in a SSH_FXP_WRITE packet 545the server will accept. Servers SHOULD set this at least to 32768. 546 547The 'max-open-handles' is the maximum number of active handles that the 548server allows (e.g. handles created by SSH_FXP_OPEN and SSH_FXP_OPENDIR 549packets). Servers MAY count internal file handles against this limit 550(e.g. system logging or stdout/stderr), so clients SHOULD NOT expect to 551open this many handles in practice. 552 553If the server doesn't enforce a specific limit, then the field may be 554set to 0. This implies the server relies on the OS to enforce limits 555(e.g. available memory or file handles), and such limits might be 556dynamic. The client SHOULD take care to not try to exceed reasonable 557limits. 558 559This extension is advertised in the SSH_FXP_VERSION hello with version 560"1". 561 5624.9. sftp: Extension request "expand-path@openssh.com" 563 564This request supports canonicalisation of relative paths and 565those that need tilde-expansion, i.e. "~", "~/..." and "~user/..." 566These paths are expanded using shell-like rules and the resultant 567path is canonicalised similarly to SSH2_FXP_REALPATH. 568 569It is implemented as a SSH_FXP_EXTENDED request with the following 570format: 571 572 uint32 id 573 string "expand-path@openssh.com" 574 string path 575 576Its reply is the same format as that of SSH2_FXP_REALPATH. 577 578This extension is advertised in the SSH_FXP_VERSION hello with version 579"1". 580 5814.10. sftp: Extension request "copy-data" 582 583This request asks the server to copy data from one open file handle and 584write it to a different open file handle. This avoids needing to transfer 585the data across the network twice (a download followed by an upload). 586 587 byte SSH_FXP_EXTENDED 588 uint32 id 589 string "copy-data" 590 string read-from-handle 591 uint64 read-from-offset 592 uint64 read-data-length 593 string write-to-handle 594 uint64 write-to-offset 595 596The server will copy read-data-length bytes starting from 597read-from-offset from the read-from-handle and write them to 598write-to-handle starting from write-to-offset, and then respond with a 599SSH_FXP_STATUS message. 600 601It's equivalent to issuing a series of SSH_FXP_READ requests on 602read-from-handle and a series of requests of SSH_FXP_WRITE on 603write-to-handle. 604 605If read-from-handle and write-to-handle are the same, the server will 606fail the request and respond with a SSH_FX_INVALID_PARAMETER message. 607 608If read-data-length is 0, then the server will read data from the 609read-from-handle until EOF is reached. 610 611This extension is advertised in the SSH_FXP_VERSION hello with version 612"1". 613 614This request is identical to the "copy-data" request documented in: 615 616https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7 617 6184.11. sftp: Extension request "home-directory" 619 620This request asks the server to expand the specified user's home directory. 621An empty username implies the current user. This can be used by the client 622to expand ~/ type paths locally. 623 624 byte SSH_FXP_EXTENDED 625 uint32 id 626 string "home-directory" 627 string username 628 629This extension is advertised in the SSH_FXP_VERSION hello with version 630"1". 631 632This provides similar information as the "expand-path@openssh.com" extension. 633 634This request is identical to the "home-directory" request documented in: 635 636https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-5 637 6384.12. sftp: Extension request "users-groups-by-id@openssh.com" 639 640This request asks the server to returns user and/or group names that 641correspond to one or more IDs (e.g. as returned from a SSH_FXP_STAT 642request). This may be used by the client to provide usernames in 643directory listings. 644 645 byte SSH_FXP_EXTENDED 646 uint32 id 647 string "users-groups-by-id@openssh.com" 648 string uids 649 string gids 650 651Where "uids" and "gids" consists of one or more integer user or group 652identifiers: 653 654 uint32 id-0 655 ... 656 657The server will reply with a SSH_FXP_EXTENDED_REPLY: 658 659 byte SSH_FXP_EXTENDED_REPLY 660 string usernames 661 string groupnames 662 663Where "username" and "groupnames" consists of names in identical request 664order to "uids" and "gids" respectively: 665 666 string name-0 667 ... 668 669If a name cannot be identified for a given user or group ID, an empty 670string will be returned in its place. 671 672It is acceptable for either "uids" or "gids" to be an empty set, in 673which case the respective "usernames" or "groupnames" list will also 674be empty. 675 676This extension is advertised in the SSH_FXP_VERSION hello with version 677"1". 678 6795. Miscellaneous changes 680 6815.1 Public key format 682 683OpenSSH public keys, as generated by ssh-keygen(1) and appearing in 684authorized_keys files, are formatted as a single line of text consisting 685of the public key algorithm name followed by a base64-encoded key blob. 686The public key blob (before base64 encoding) is the same format used for 687the encoding of public keys sent on the wire: as described in RFC4253 688section 6.6 for RSA and DSA keys, RFC5656 section 3.1 for ECDSA keys 689and the "New public key formats" section of PROTOCOL.certkeys for the 690OpenSSH certificate formats. 691 6925.2 Private key format 693 694OpenSSH private keys, as generated by ssh-keygen(1) use the format 695described in PROTOCOL.key by default. As a legacy option, PEM format 696(RFC7468) private keys are also supported for RSA, DSA and ECDSA keys 697and were the default format before OpenSSH 7.8. 698 6995.3 KRL format 700 701OpenSSH supports a compact format for Key Revocation Lists (KRLs). This 702format is described in the PROTOCOL.krl file. 703 7045.4 Connection multiplexing 705 706OpenSSH's connection multiplexing uses messages as described in 707PROTOCOL.mux over a Unix domain socket for communications between a 708master instance and later clients. 709 7105.5. Agent protocol extensions 711 712OpenSSH extends the usual agent protocol. These changes are documented 713in the PROTOCOL.agent file. 714 715$OpenBSD: PROTOCOL,v 1.47 2022/09/19 10:40:52 djm Exp $ 716