xref: /freebsd/crypto/openssh/PROTOCOL (revision 78ae60b447ebf420dd5cebfec30480866fd5cef4)
1This documents OpenSSH's deviations and extensions to the published SSH
2protocol.
3
4Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH
5filexfer protocol described in:
6
7https://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
8
9Newer versions of the draft will not be supported, though some features
10are individually implemented as extensions described below.
11
12The protocol used by OpenSSH's ssh-agent is described in the file
13PROTOCOL.agent
14
151. Transport protocol changes
16
171.1. transport: Protocol 2 MAC algorithm "umac-64@openssh.com"
18
19This is a new transport-layer MAC method using the UMAC algorithm
20(rfc4418). This method is identical to the "umac-64" method documented
21in:
22
23https://www.openssh.com/txt/draft-miller-secsh-umac-01.txt
24
251.2. transport: Protocol 2 compression algorithm "zlib@openssh.com"
26
27This transport-layer compression method uses the zlib compression
28algorithm (identical to the "zlib" method in rfc4253), but delays the
29start of compression until after authentication has completed. This
30avoids exposing compression code to attacks from unauthenticated users.
31
32The method is documented in:
33
34https://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
35
361.3. transport: New public key algorithms "ssh-rsa-cert-v01@openssh.com",
37     "ssh-dsa-cert-v01@openssh.com",
38     "ecdsa-sha2-nistp256-cert-v01@openssh.com",
39     "ecdsa-sha2-nistp384-cert-v01@openssh.com" and
40     "ecdsa-sha2-nistp521-cert-v01@openssh.com"
41
42OpenSSH introduces new public key algorithms to support certificate
43authentication for users and host keys. These methods are documented
44in the file PROTOCOL.certkeys
45
461.4. transport: Elliptic Curve cryptography
47
48OpenSSH supports ECC key exchange and public key authentication as
49specified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384
50and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
51curve points encoded using point compression are NOT accepted or
52generated.
53
541.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms
55
56OpenSSH supports MAC algorithms, whose names contain "-etm", that
57perform the calculations in a different order to that defined in RFC
584253. These variants use the so-called "encrypt then MAC" ordering,
59calculating the MAC over the packet ciphertext rather than the
60plaintext. This ordering closes a security flaw in the SSH transport
61protocol, where decryption of unauthenticated ciphertext provided a
62"decryption oracle" that could, in conjunction with cipher flaws, reveal
63session plaintext.
64
65Specifically, the "-etm" MAC algorithms modify the transport protocol
66to calculate the MAC over the packet ciphertext and to send the packet
67length unencrypted. This is necessary for the transport to obtain the
68length of the packet and location of the MAC tag so that it may be
69verified without decrypting unauthenticated data.
70
71As such, the MAC covers:
72
73      mac = MAC(key, sequence_number || packet_length || encrypted_packet)
74
75where "packet_length" is encoded as a uint32 and "encrypted_packet"
76contains:
77
78      byte      padding_length
79      byte[n1]  payload; n1 = packet_length - padding_length - 1
80      byte[n2]  random padding; n2 = padding_length
81
821.6 transport: AES-GCM
83
84OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
85Because of problems with the specification of the key exchange
86the behaviour of OpenSSH differs from the RFC as follows:
87
88AES-GCM is only negotiated as the cipher algorithms
89"aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as
90an MAC algorithm. Additionally, if AES-GCM is selected as the cipher
91the exchanged MAC algorithms are ignored and there doesn't have to be
92a matching MAC.
93
941.7 transport: chacha20-poly1305@openssh.com authenticated encryption
95
96OpenSSH supports authenticated encryption using ChaCha20 and Poly1305
97as described in PROTOCOL.chacha20poly1305.
98
991.8 transport: curve25519-sha256@libssh.org key exchange algorithm
100
101OpenSSH supports the use of ECDH in Curve25519 for key exchange as
102described at:
103http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519
104
105This is identical to curve25519-sha256 as later published in RFC8731.
106
1071.9 transport: ping facility
108
109OpenSSH implements a transport level ping message SSH2_MSG_PING
110and a corresponding SSH2_MSG_PONG reply.
111
112#define SSH2_MSG_PING	192
113#define SSH2_MSG_PONG	193
114
115The ping message is simply:
116
117	byte		SSH_MSG_PING
118	string		data
119
120The reply copies the data (which may be the empty string) from the
121ping:
122
123	byte		SSH_MSG_PONG
124	string		data
125
126Replies are sent in order. They are sent immediately except when rekeying
127is in progress, in which case they are queued until rekeying completes.
128
129The server advertises support for these messages using the
130SSH2_MSG_EXT_INFO mechanism (RFC8308), with the following message:
131
132	string		"ping@openssh.com"
133	string		"0" (version)
134
135The ping/reply message is implemented at the transport layer rather
136than as a named global or channel request to allow pings with very
137short packet lengths, which would not be possible with other
138approaches.
139
1401.10 transport: strict key exchange extension
141
142OpenSSH supports a number of transport-layer hardening measures under
143a "strict KEX" feature. This feature is signalled similarly to the
144RFC8308 ext-info feature: by including a additional algorithm in the
145initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
146"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
147may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms
148are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
149if they are present in subsequent SSH2_MSG_KEXINIT packets.
150
151When an endpoint that supports this extension observes this algorithm
152name in a peer's KEXINIT packet, it MUST make the following changes to
153the the protocol:
154
155a) During initial KEX, terminate the connection if any unexpected or
156   out-of-sequence packet is received. This includes terminating the
157   connection if the first packet received is not SSH2_MSG_KEXINIT.
158   Unexpected packets for the purpose of strict KEX include messages
159   that are otherwise valid at any time during the connection such as
160   SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
161b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
162   packet sequence number to zero. This behaviour persists for the
163   duration of the connection (i.e. not just the first
164   SSH2_MSG_NEWKEYS).
165
1661.11 transport: SSH2_MSG_EXT_INFO during user authentication
167
168This protocol extension allows the SSH2_MSG_EXT_INFO to be sent
169during user authentication. RFC8308 does allow a second
170SSH2_MSG_EXT_INFO notification, but it may only be sent at the end
171of user authentication and this is too late to signal per-user
172server signature algorithms.
173
174Support for receiving the SSH2_MSG_EXT_INFO message during user
175authentication is signalled by the client including a
176"ext-info-in-auth@openssh.com" key via its initial SSH2_MSG_EXT_INFO
177set after the SSH2_MSG_NEWKEYS message.
178
179A server that supports this extension MAY send a second
180SSH2_MSG_EXT_INFO message any time after the client's first
181SSH2_MSG_USERAUTH_REQUEST, regardless of whether it succeed or fails.
182The client SHOULD be prepared to update the server-sig-algs that
183it received during an earlier SSH2_MSG_EXT_INFO with the later one.
184
1852. Connection protocol changes
186
1872.1. connection: Channel write close extension "eow@openssh.com"
188
189The SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF
190message to allow an endpoint to signal its peer that it will send no
191more data over a channel. Unfortunately, there is no symmetric way for
192an endpoint to request that its peer should cease sending data to it
193while still keeping the channel open for the endpoint to send data to
194the peer.
195
196This is desirable, since it saves the transmission of data that would
197otherwise need to be discarded and it allows an endpoint to signal local
198processes of the condition, e.g. by closing the corresponding file
199descriptor.
200
201OpenSSH implements a channel extension message to perform this
202signalling: "eow@openssh.com" (End Of Write). This message is sent by
203an endpoint when the local output of a session channel is closed or
204experiences a write error. The message is formatted as follows:
205
206	byte		SSH_MSG_CHANNEL_REQUEST
207	uint32		recipient channel
208	string		"eow@openssh.com"
209	boolean		FALSE
210
211On receiving this message, the peer SHOULD cease sending data of
212the channel and MAY signal the process from which the channel data
213originates (e.g. by closing its read file descriptor).
214
215As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does
216remain open after a "eow@openssh.com" has been sent and more data may
217still be sent in the other direction. This message does not consume
218window space and may be sent even if no window space is available.
219
220NB. due to certain broken SSH implementations aborting upon receipt
221of this message (in contravention of RFC4254 section 5.4), this
222message is only sent to OpenSSH peers (identified by banner).
223Other SSH implementations may be listed to receive this message
224upon request.
225
2262.2. connection: disallow additional sessions extension
227     "no-more-sessions@openssh.com"
228
229Most SSH connections will only ever request a single session, but a
230attacker may abuse a running ssh client to surreptitiously open
231additional sessions under their control. OpenSSH provides a global
232request "no-more-sessions@openssh.com" to mitigate this attack.
233
234When an OpenSSH client expects that it will never open another session
235(i.e. it has been started with connection multiplexing disabled), it
236will send the following global request:
237
238	byte		SSH_MSG_GLOBAL_REQUEST
239	string		"no-more-sessions@openssh.com"
240	char		want-reply
241
242On receipt of such a message, an OpenSSH server will refuse to open
243future channels of type "session" and instead immediately abort the
244connection.
245
246Note that this is not a general defence against compromised clients
247(that is impossible), but it thwarts a simple attack.
248
249NB. due to certain broken SSH implementations aborting upon receipt
250of this message, the no-more-sessions request is only sent to OpenSSH
251servers (identified by banner). Other SSH implementations may be
252listed to receive this message upon request.
253
2542.3. connection: Tunnel forward extension "tun@openssh.com"
255
256OpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com"
257channel type. This channel type supports forwarding of network packets
258with datagram boundaries intact between endpoints equipped with
259interfaces like the BSD tun(4) device. Tunnel forwarding channels are
260requested by the client with the following packet:
261
262	byte		SSH_MSG_CHANNEL_OPEN
263	string		"tun@openssh.com"
264	uint32		sender channel
265	uint32		initial window size
266	uint32		maximum packet size
267	uint32		tunnel mode
268	uint32		remote unit number
269
270The "tunnel mode" parameter specifies whether the tunnel should forward
271layer 2 frames or layer 3 packets. It may take one of the following values:
272
273	SSH_TUNMODE_POINTOPOINT  1		/* layer 3 packets */
274	SSH_TUNMODE_ETHERNET     2		/* layer 2 frames */
275
276The "tunnel unit number" specifies the remote interface number, or may
277be 0x7fffffff to allow the server to automatically choose an interface. A
278server that is not willing to open a client-specified unit should refuse
279the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful
280open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS.
281
282Once established the client and server may exchange packet or frames
283over the tunnel channel by encapsulating them in SSH protocol strings
284and sending them as channel data. This ensures that packet boundaries
285are kept intact. Specifically, packets are transmitted using normal
286SSH_MSG_CHANNEL_DATA packets:
287
288	byte		SSH_MSG_CHANNEL_DATA
289	uint32		recipient channel
290	string		data
291
292The contents of the "data" field for layer 3 packets is:
293
294	uint32			packet length
295	uint32			address family
296	byte[packet length - 4]	packet data
297
298The "address family" field identifies the type of packet in the message.
299It may be one of:
300
301	SSH_TUN_AF_INET		2		/* IPv4 */
302	SSH_TUN_AF_INET6	24		/* IPv6 */
303
304The "packet data" field consists of the IPv4/IPv6 datagram itself
305without any link layer header.
306
307The contents of the "data" field for layer 2 packets is:
308
309	uint32			packet length
310	byte[packet length]	frame
311
312The "frame" field contains an IEEE 802.3 Ethernet frame, including
313header.
314
3152.4. connection: Unix domain socket forwarding
316
317OpenSSH supports local and remote Unix domain socket forwarding
318using the "streamlocal" extension.  Forwarding is initiated as per
319TCP sockets but with a single path instead of a host and port.
320
321Similar to direct-tcpip, direct-streamlocal is sent by the client
322to request that the server make a connection to a Unix domain socket.
323
324	byte		SSH_MSG_CHANNEL_OPEN
325	string		"direct-streamlocal@openssh.com"
326	uint32		sender channel
327	uint32		initial window size
328	uint32		maximum packet size
329	string		socket path
330	string		reserved
331	uint32		reserved
332
333Similar to forwarded-tcpip, forwarded-streamlocal is sent by the
334server when the client has previously send the server a streamlocal-forward
335GLOBAL_REQUEST.
336
337	byte		SSH_MSG_CHANNEL_OPEN
338	string		"forwarded-streamlocal@openssh.com"
339	uint32		sender channel
340	uint32		initial window size
341	uint32		maximum packet size
342	string		socket path
343	string		reserved for future use
344
345The reserved field is not currently defined and is ignored on the
346remote end.  It is intended to be used in the future to pass
347information about the socket file, such as ownership and mode.
348The client currently sends the empty string for this field.
349
350Similar to tcpip-forward, streamlocal-forward is sent by the client
351to request remote forwarding of a Unix domain socket.
352
353	byte		SSH2_MSG_GLOBAL_REQUEST
354	string		"streamlocal-forward@openssh.com"
355	boolean		TRUE
356	string		socket path
357
358Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent
359by the client cancel the forwarding of a Unix domain socket.
360
361	byte		SSH2_MSG_GLOBAL_REQUEST
362	string		"cancel-streamlocal-forward@openssh.com"
363	boolean		FALSE
364	string		socket path
365
3662.5. connection: hostkey update and rotation "hostkeys-00@openssh.com"
367and "hostkeys-prove-00@openssh.com"
368
369OpenSSH supports a protocol extension allowing a server to inform
370a client of all its protocol v.2 host keys after user-authentication
371has completed.
372
373	byte		SSH_MSG_GLOBAL_REQUEST
374	string		"hostkeys-00@openssh.com"
375	char		0 /* want-reply */
376	string[]	hostkeys
377
378Upon receiving this message, a client should check which of the
379supplied host keys are present in known_hosts.
380
381Note that the server may send key types that the client does not
382support. The client should disregard such keys if they are received.
383
384If the client identifies any keys that are not present for the host,
385it should send a "hostkeys-prove@openssh.com" message to request the
386server prove ownership of the private half of the key.
387
388	byte		SSH_MSG_GLOBAL_REQUEST
389	string		"hostkeys-prove-00@openssh.com"
390	char		1 /* want-reply */
391	string[]	hostkeys
392
393When a server receives this message, it should generate a signature
394using each requested key over the following:
395
396	string		"hostkeys-prove-00@openssh.com"
397	string		session identifier
398	string		hostkey
399
400These signatures should be included in the reply, in the order matching
401the hostkeys in the request:
402
403	byte		SSH_MSG_REQUEST_SUCCESS
404	string[]	signatures
405
406When the client receives this reply (and not a failure), it should
407validate the signatures and may update its known_hosts file, adding keys
408that it has not seen before and deleting keys for the server host that
409are no longer offered.
410
411These extensions let a client learn key types that it had not previously
412encountered, thereby allowing it to potentially upgrade from weaker
413key algorithms to better ones. It also supports graceful key rotation:
414a server may offer multiple keys of the same type for a period (to
415give clients an opportunity to learn them using this extension) before
416removing the deprecated key from those offered.
417
4182.6. connection: SIGINFO support for "signal" channel request
419
420The SSH channels protocol (RFC4254 section 6.9) supports sending a
421signal to a session attached to a channel. OpenSSH supports one
422extension signal "INFO@openssh.com" that allows sending SIGINFO on
423BSD-derived systems.
424
4253. Authentication protocol changes
426
4273.1. Host-bound public key authentication
428
429This is trivial change to the traditional "publickey" authentication
430method. The authentication request is identical to the original method
431but for the name and one additional field:
432
433	byte		SSH2_MSG_USERAUTH_REQUEST
434	string		username
435	string		"ssh-connection"
436	string		"publickey-hostbound-v00@openssh.com"
437	bool		has_signature
438	string		pkalg
439	string		public key
440	string		server host key
441
442Because the entire SSH2_MSG_USERAUTH_REQUEST message is included in
443the signed data, this ensures that a binding between the destination
444user, the server identity and the session identifier is visible to the
445signer. OpenSSH uses this binding via signed data to implement per-key
446restrictions in ssh-agent.
447
448A server may advertise this method using the SSH2_MSG_EXT_INFO
449mechanism (RFC8308), with the following message:
450
451	string		"publickey-hostbound@openssh.com"
452	string		"0" (version)
453
454Clients should prefer host-bound authentication when advertised by
455server.
456
4574. SFTP protocol changes
458
4594.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
460
461When OpenSSH's sftp-server was implemented, the order of the arguments
462to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately,
463the reversal was not noticed until the server was widely deployed. Since
464fixing this to follow the specification would cause incompatibility, the
465current order was retained. For correct operation, clients should send
466SSH_FXP_SYMLINK as follows:
467
468	uint32		id
469	string		targetpath
470	string		linkpath
471
4724.2. sftp: Server extension announcement in SSH_FXP_VERSION
473
474OpenSSH's sftp-server lists the extensions it supports using the
475standard extension announcement mechanism in the SSH_FXP_VERSION server
476hello packet:
477
478	uint32		3		/* protocol version */
479	string		ext1-name
480	string		ext1-version
481	string		ext2-name
482	string		ext2-version
483	...
484	string		extN-name
485	string		extN-version
486
487Each extension reports its integer version number as an ASCII encoded
488string, e.g. "1". The version will be incremented if the extension is
489ever changed in an incompatible way. The server MAY advertise the same
490extension with multiple versions (though this is unlikely). Clients MUST
491check the version number before attempting to use the extension.
492
4934.3. sftp: Extension request "posix-rename@openssh.com"
494
495This operation provides a rename operation with POSIX semantics, which
496are different to those provided by the standard SSH_FXP_RENAME in
497draft-ietf-secsh-filexfer-02.txt. This request is implemented as a
498SSH_FXP_EXTENDED request with the following format:
499
500	uint32		id
501	string		"posix-rename@openssh.com"
502	string		oldpath
503	string		newpath
504
505On receiving this request the server will perform the POSIX operation
506rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
507This extension is advertised in the SSH_FXP_VERSION hello with version
508"1".
509
5104.4. sftp: Extension requests "statvfs@openssh.com" and
511         "fstatvfs@openssh.com"
512
513These requests correspond to the statvfs and fstatvfs POSIX system
514interfaces. The "statvfs@openssh.com" request operates on an explicit
515pathname, and is formatted as follows:
516
517	uint32		id
518	string		"statvfs@openssh.com"
519	string		path
520
521The "fstatvfs@openssh.com" operates on an open file handle:
522
523	uint32		id
524	string		"fstatvfs@openssh.com"
525	string		handle
526
527These requests return a SSH_FXP_STATUS reply on failure. On success they
528return the following SSH_FXP_EXTENDED_REPLY reply:
529
530	uint32		id
531	uint64		f_bsize		/* file system block size */
532	uint64		f_frsize	/* fundamental fs block size */
533	uint64		f_blocks	/* number of blocks (unit f_frsize) */
534	uint64		f_bfree		/* free blocks in file system */
535	uint64		f_bavail	/* free blocks for non-root */
536	uint64		f_files		/* total file inodes */
537	uint64		f_ffree		/* free file inodes */
538	uint64		f_favail	/* free file inodes for to non-root */
539	uint64		f_fsid		/* file system id */
540	uint64		f_flag		/* bit mask of f_flag values */
541	uint64		f_namemax	/* maximum filename length */
542
543The values of the f_flag bitmask are as follows:
544
545	#define SSH_FXE_STATVFS_ST_RDONLY	0x1	/* read-only */
546	#define SSH_FXE_STATVFS_ST_NOSUID	0x2	/* no setuid */
547
548Both the "statvfs@openssh.com" and "fstatvfs@openssh.com" extensions are
549advertised in the SSH_FXP_VERSION hello with version "2".
550
5514.5. sftp: Extension request "hardlink@openssh.com"
552
553This request is for creating a hard link to a regular file. This
554request is implemented as a SSH_FXP_EXTENDED request with the
555following format:
556
557	uint32		id
558	string		"hardlink@openssh.com"
559	string		oldpath
560	string		newpath
561
562On receiving this request the server will perform the operation
563link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
564This extension is advertised in the SSH_FXP_VERSION hello with version
565"1".
566
5674.6. sftp: Extension request "fsync@openssh.com"
568
569This request asks the server to call fsync(2) on an open file handle.
570
571	uint32		id
572	string		"fsync@openssh.com"
573	string		handle
574
575On receiving this request, a server will call fsync(handle_fd) and will
576respond with a SSH_FXP_STATUS message.
577
578This extension is advertised in the SSH_FXP_VERSION hello with version
579"1".
580
5814.7. sftp: Extension request "lsetstat@openssh.com"
582
583This request is like the "setstat" command, but sets file attributes on
584symlinks.  It is implemented as a SSH_FXP_EXTENDED request with the
585following format:
586
587	uint32		id
588	string		"lsetstat@openssh.com"
589	string		path
590	ATTRS		attrs
591
592See the "setstat" command for more details.
593
594This extension is advertised in the SSH_FXP_VERSION hello with version
595"1".
596
5974.8. sftp: Extension request "limits@openssh.com"
598
599This request is used to determine various limits the server might impose.
600Clients should not attempt to exceed these limits as the server might sever
601the connection immediately.
602
603	uint32		id
604	string		"limits@openssh.com"
605
606The server will respond with a SSH_FXP_EXTENDED_REPLY reply:
607
608	uint32		id
609	uint64		max-packet-length
610	uint64		max-read-length
611	uint64		max-write-length
612	uint64		max-open-handles
613
614The 'max-packet-length' applies to the total number of bytes in a
615single SFTP packet.  Servers SHOULD set this at least to 34000.
616
617The 'max-read-length' is the largest length in a SSH_FXP_READ packet.
618Even if the client requests a larger size, servers will usually respond
619with a shorter SSH_FXP_DATA packet.  Servers SHOULD set this at least to
62032768.
621
622The 'max-write-length' is the largest length in a SSH_FXP_WRITE packet
623the server will accept.  Servers SHOULD set this at least to 32768.
624
625The 'max-open-handles' is the maximum number of active handles that the
626server allows (e.g. handles created by SSH_FXP_OPEN and SSH_FXP_OPENDIR
627packets).  Servers MAY count internal file handles against this limit
628(e.g. system logging or stdout/stderr), so clients SHOULD NOT expect to
629open this many handles in practice.
630
631If the server doesn't enforce a specific limit, then the field may be
632set to 0.  This implies the server relies on the OS to enforce limits
633(e.g. available memory or file handles), and such limits might be
634dynamic.  The client SHOULD take care to not try to exceed reasonable
635limits.
636
637This extension is advertised in the SSH_FXP_VERSION hello with version
638"1".
639
6404.9. sftp: Extension request "expand-path@openssh.com"
641
642This request supports canonicalisation of relative paths and
643those that need tilde-expansion, i.e. "~", "~/..." and "~user/..."
644These paths are expanded using shell-like rules and the resultant
645path is canonicalised similarly to SSH2_FXP_REALPATH.
646
647It is implemented as a SSH_FXP_EXTENDED request with the following
648format:
649
650	uint32		id
651	string		"expand-path@openssh.com"
652	string		path
653
654Its reply is the same format as that of SSH2_FXP_REALPATH.
655
656This extension is advertised in the SSH_FXP_VERSION hello with version
657"1".
658
6594.10. sftp: Extension request "copy-data"
660
661This request asks the server to copy data from one open file handle and
662write it to a different open file handle.  This avoids needing to transfer
663the data across the network twice (a download followed by an upload).
664
665	byte		SSH_FXP_EXTENDED
666	uint32		id
667	string		"copy-data"
668	string		read-from-handle
669	uint64		read-from-offset
670	uint64		read-data-length
671	string		write-to-handle
672	uint64		write-to-offset
673
674The server will copy read-data-length bytes starting from
675read-from-offset from the read-from-handle and write them to
676write-to-handle starting from write-to-offset, and then respond with a
677SSH_FXP_STATUS message.
678
679It's equivalent to issuing a series of SSH_FXP_READ requests on
680read-from-handle and a series of requests of SSH_FXP_WRITE on
681write-to-handle.
682
683If read-from-handle and write-to-handle are the same, the server will
684fail the request and respond with a SSH_FX_INVALID_PARAMETER message.
685
686If read-data-length is 0, then the server will read data from the
687read-from-handle until EOF is reached.
688
689This extension is advertised in the SSH_FXP_VERSION hello with version
690"1".
691
692This request is identical to the "copy-data" request documented in:
693
694https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7
695
6964.11. sftp: Extension request "home-directory"
697
698This request asks the server to expand the specified user's home directory.
699An empty username implies the current user.  This can be used by the client
700to expand ~/ type paths locally.
701
702	byte		SSH_FXP_EXTENDED
703	uint32		id
704	string		"home-directory"
705	string		username
706
707This extension is advertised in the SSH_FXP_VERSION hello with version
708"1".
709
710This provides similar information as the "expand-path@openssh.com" extension.
711
712This request is identical to the "home-directory" request documented in:
713
714https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-5
715
7164.12. sftp: Extension request "users-groups-by-id@openssh.com"
717
718This request asks the server to return user and/or group names that
719correspond to one or more IDs (e.g. as returned from a SSH_FXP_STAT
720request). This may be used by the client to provide usernames in
721directory listings.
722
723	byte		SSH_FXP_EXTENDED
724	uint32		id
725	string		"users-groups-by-id@openssh.com"
726	string		uids
727	string		gids
728
729Where "uids" and "gids" consists of one or more integer user or group
730identifiers:
731
732	uint32		id-0
733	...
734
735The server will reply with a SSH_FXP_EXTENDED_REPLY:
736
737	byte		SSH_FXP_EXTENDED_REPLY
738	string		usernames
739	string		groupnames
740
741Where "username" and "groupnames" consists of names in identical request
742order to "uids" and "gids" respectively:
743
744	string		name-0
745	...
746
747If a name cannot be identified for a given user or group ID, an empty
748string will be returned in its place.
749
750It is acceptable for either "uids" or "gids" to be an empty set, in
751which case the respective "usernames" or "groupnames" list will also
752be empty.
753
754This extension is advertised in the SSH_FXP_VERSION hello with version
755"1".
756
7575. Miscellaneous changes
758
7595.1 Public key format
760
761OpenSSH public keys, as generated by ssh-keygen(1) and appearing in
762authorized_keys files, are formatted as a single line of text consisting
763of the public key algorithm name followed by a base64-encoded key blob.
764The public key blob (before base64 encoding) is the same format used for
765the encoding of public keys sent on the wire: as described in RFC4253
766section 6.6 for RSA and DSA keys, RFC5656 section 3.1 for ECDSA keys
767and the "New public key formats" section of PROTOCOL.certkeys for the
768OpenSSH certificate formats.
769
7705.2 Private key format
771
772OpenSSH private keys, as generated by ssh-keygen(1) use the format
773described in PROTOCOL.key by default. As a legacy option, PEM format
774(RFC7468) private keys are also supported for RSA, DSA and ECDSA keys
775and were the default format before OpenSSH 7.8.
776
7775.3 KRL format
778
779OpenSSH supports a compact format for Key Revocation Lists (KRLs). This
780format is described in the PROTOCOL.krl file.
781
7825.4 Connection multiplexing
783
784OpenSSH's connection multiplexing uses messages as described in
785PROTOCOL.mux over a Unix domain socket for communications between a
786master instance and later clients.
787
7885.5. Agent protocol extensions
789
790OpenSSH extends the usual agent protocol. These changes are documented
791in the PROTOCOL.agent file.
792
793$OpenBSD: PROTOCOL,v 1.51 2023/12/18 14:45:49 djm Exp $
794