xref: /freebsd/crypto/openssh/PROTOCOL (revision a90b9d0159070121c221b966469c3e36d912bf82)
1This documents OpenSSH's deviations and extensions to the published SSH
2protocol.
3
4Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH
5filexfer protocol described in:
6
7https://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
8
9Newer versions of the draft will not be supported, though some features
10are individually implemented as extensions described below.
11
12The protocol used by OpenSSH's ssh-agent is described in the file
13PROTOCOL.agent
14
151. Transport protocol changes
16
171.1. transport: Protocol 2 MAC algorithm "umac-64@openssh.com"
18
19This is a new transport-layer MAC method using the UMAC algorithm
20(rfc4418). This method is identical to the "umac-64" method documented
21in:
22
23https://www.openssh.com/txt/draft-miller-secsh-umac-01.txt
24
251.2. transport: Protocol 2 compression algorithm "zlib@openssh.com"
26
27This transport-layer compression method uses the zlib compression
28algorithm (identical to the "zlib" method in rfc4253), but delays the
29start of compression until after authentication has completed. This
30avoids exposing compression code to attacks from unauthenticated users.
31
32The method is documented in:
33
34https://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
35
361.3. transport: New public key algorithms "ssh-rsa-cert-v01@openssh.com",
37     "ssh-dsa-cert-v01@openssh.com",
38     "ecdsa-sha2-nistp256-cert-v01@openssh.com",
39     "ecdsa-sha2-nistp384-cert-v01@openssh.com" and
40     "ecdsa-sha2-nistp521-cert-v01@openssh.com"
41
42OpenSSH introduces new public key algorithms to support certificate
43authentication for users and host keys. These methods are documented
44in the file PROTOCOL.certkeys
45
461.4. transport: Elliptic Curve cryptography
47
48OpenSSH supports ECC key exchange and public key authentication as
49specified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384
50and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
51curve points encoded using point compression are NOT accepted or
52generated.
53
541.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms
55
56OpenSSH supports MAC algorithms, whose names contain "-etm", that
57perform the calculations in a different order to that defined in RFC
584253. These variants use the so-called "encrypt then MAC" ordering,
59calculating the MAC over the packet ciphertext rather than the
60plaintext. This ordering closes a security flaw in the SSH transport
61protocol, where decryption of unauthenticated ciphertext provided a
62"decryption oracle" that could, in conjunction with cipher flaws, reveal
63session plaintext.
64
65Specifically, the "-etm" MAC algorithms modify the transport protocol
66to calculate the MAC over the packet ciphertext and to send the packet
67length unencrypted. This is necessary for the transport to obtain the
68length of the packet and location of the MAC tag so that it may be
69verified without decrypting unauthenticated data.
70
71As such, the MAC covers:
72
73      mac = MAC(key, sequence_number || packet_length || encrypted_packet)
74
75where "packet_length" is encoded as a uint32 and "encrypted_packet"
76contains:
77
78      byte      padding_length
79      byte[n1]  payload; n1 = packet_length - padding_length - 1
80      byte[n2]  random padding; n2 = padding_length
81
821.6 transport: AES-GCM
83
84OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
85Because of problems with the specification of the key exchange
86the behaviour of OpenSSH differs from the RFC as follows:
87
88AES-GCM is only negotiated as the cipher algorithms
89"aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as
90an MAC algorithm. Additionally, if AES-GCM is selected as the cipher
91the exchanged MAC algorithms are ignored and there doesn't have to be
92a matching MAC.
93
941.7 transport: chacha20-poly1305@openssh.com authenticated encryption
95
96OpenSSH supports authenticated encryption using ChaCha20 and Poly1305
97as described in PROTOCOL.chacha20poly1305.
98
991.8 transport: curve25519-sha256@libssh.org key exchange algorithm
100
101OpenSSH supports the use of ECDH in Curve25519 for key exchange as
102described at:
103http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519
104
105This is identical to curve25519-sha256 as later published in RFC8731.
106
1071.9 transport: ping facility
108
109OpenSSH implements a transport level ping message SSH2_MSG_PING
110and a corresponding SSH2_MSG_PONG reply.
111
112#define SSH2_MSG_PING	192
113#define SSH2_MSG_PONG	193
114
115The ping message is simply:
116
117	byte		SSH_MSG_PING
118	string		data
119
120The reply copies the data (which may be the empty string) from the
121ping:
122
123	byte		SSH_MSG_PONG
124	string		data
125
126Replies are sent in order. They are sent immediately except when rekeying
127is in progress, in which case they are queued until rekeying completes.
128
129The server advertises support for these messages using the
130SSH2_MSG_EXT_INFO mechanism (RFC8308), with the following message:
131
132	string		"ping@openssh.com"
133	string		"0" (version)
134
135The ping/reply message is implemented at the transport layer rather
136than as a named global or channel request to allow pings with very
137short packet lengths, which would not be possible with other
138approaches.
139
1401.10 transport: strict key exchange extension
141
142OpenSSH supports a number of transport-layer hardening measures under
143a "strict KEX" feature. This feature is signalled similarly to the
144RFC8308 ext-info feature: by including a additional algorithm in the
145initial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
146"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
147may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms
148are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
149if they are present in subsequent SSH2_MSG_KEXINIT packets.
150
151When an endpoint that supports this extension observes this algorithm
152name in a peer's KEXINIT packet, it MUST make the following changes to
153the protocol:
154
155a) During initial KEX, terminate the connection if out-of-sequence
156   packet or any message that is not strictly required by KEX is
157   received. This includes terminating the connection if the first
158   packet received is not SSH2_MSG_KEXINIT. Unexpected packets for
159   the purpose of strict KEX include messages that are otherwise
160   valid at any time during the connection such as SSH2_MSG_DEBUG,
161   SSH2_MSG_IGNORE or SSH2_MSG_UNIMPLEMENTED.
162b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
163   packet sequence number to zero. This behaviour persists for the
164   duration of the connection (i.e. not just the first
165   SSH2_MSG_NEWKEYS).
166
1671.11 transport: SSH2_MSG_EXT_INFO during user authentication
168
169This protocol extension allows the SSH2_MSG_EXT_INFO to be sent
170during user authentication. RFC8308 does allow a second
171SSH2_MSG_EXT_INFO notification, but it may only be sent at the end
172of user authentication and this is too late to signal per-user
173server signature algorithms.
174
175Support for receiving the SSH2_MSG_EXT_INFO message during user
176authentication is signalled by the client including a
177"ext-info-in-auth@openssh.com" key via its initial SSH2_MSG_EXT_INFO
178set after the SSH2_MSG_NEWKEYS message.
179
180A server that supports this extension MAY send a second
181SSH2_MSG_EXT_INFO message any time after the client's first
182SSH2_MSG_USERAUTH_REQUEST, regardless of whether it succeed or fails.
183The client SHOULD be prepared to update the server-sig-algs that
184it received during an earlier SSH2_MSG_EXT_INFO with the later one.
185
1862. Connection protocol changes
187
1882.1. connection: Channel write close extension "eow@openssh.com"
189
190The SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF
191message to allow an endpoint to signal its peer that it will send no
192more data over a channel. Unfortunately, there is no symmetric way for
193an endpoint to request that its peer should cease sending data to it
194while still keeping the channel open for the endpoint to send data to
195the peer.
196
197This is desirable, since it saves the transmission of data that would
198otherwise need to be discarded and it allows an endpoint to signal local
199processes of the condition, e.g. by closing the corresponding file
200descriptor.
201
202OpenSSH implements a channel extension message to perform this
203signalling: "eow@openssh.com" (End Of Write). This message is sent by
204an endpoint when the local output of a session channel is closed or
205experiences a write error. The message is formatted as follows:
206
207	byte		SSH_MSG_CHANNEL_REQUEST
208	uint32		recipient channel
209	string		"eow@openssh.com"
210	boolean		FALSE
211
212On receiving this message, the peer SHOULD cease sending data of
213the channel and MAY signal the process from which the channel data
214originates (e.g. by closing its read file descriptor).
215
216As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does
217remain open after a "eow@openssh.com" has been sent and more data may
218still be sent in the other direction. This message does not consume
219window space and may be sent even if no window space is available.
220
221NB. due to certain broken SSH implementations aborting upon receipt
222of this message (in contravention of RFC4254 section 5.4), this
223message is only sent to OpenSSH peers (identified by banner).
224Other SSH implementations may be listed to receive this message
225upon request.
226
2272.2. connection: disallow additional sessions extension
228     "no-more-sessions@openssh.com"
229
230Most SSH connections will only ever request a single session, but a
231attacker may abuse a running ssh client to surreptitiously open
232additional sessions under their control. OpenSSH provides a global
233request "no-more-sessions@openssh.com" to mitigate this attack.
234
235When an OpenSSH client expects that it will never open another session
236(i.e. it has been started with connection multiplexing disabled), it
237will send the following global request:
238
239	byte		SSH_MSG_GLOBAL_REQUEST
240	string		"no-more-sessions@openssh.com"
241	char		want-reply
242
243On receipt of such a message, an OpenSSH server will refuse to open
244future channels of type "session" and instead immediately abort the
245connection.
246
247Note that this is not a general defence against compromised clients
248(that is impossible), but it thwarts a simple attack.
249
250NB. due to certain broken SSH implementations aborting upon receipt
251of this message, the no-more-sessions request is only sent to OpenSSH
252servers (identified by banner). Other SSH implementations may be
253listed to receive this message upon request.
254
2552.3. connection: Tunnel forward extension "tun@openssh.com"
256
257OpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com"
258channel type. This channel type supports forwarding of network packets
259with datagram boundaries intact between endpoints equipped with
260interfaces like the BSD tun(4) device. Tunnel forwarding channels are
261requested by the client with the following packet:
262
263	byte		SSH_MSG_CHANNEL_OPEN
264	string		"tun@openssh.com"
265	uint32		sender channel
266	uint32		initial window size
267	uint32		maximum packet size
268	uint32		tunnel mode
269	uint32		remote unit number
270
271The "tunnel mode" parameter specifies whether the tunnel should forward
272layer 2 frames or layer 3 packets. It may take one of the following values:
273
274	SSH_TUNMODE_POINTOPOINT  1		/* layer 3 packets */
275	SSH_TUNMODE_ETHERNET     2		/* layer 2 frames */
276
277The "tunnel unit number" specifies the remote interface number, or may
278be 0x7fffffff to allow the server to automatically choose an interface. A
279server that is not willing to open a client-specified unit should refuse
280the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful
281open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS.
282
283Once established the client and server may exchange packet or frames
284over the tunnel channel by encapsulating them in SSH protocol strings
285and sending them as channel data. This ensures that packet boundaries
286are kept intact. Specifically, packets are transmitted using normal
287SSH_MSG_CHANNEL_DATA packets:
288
289	byte		SSH_MSG_CHANNEL_DATA
290	uint32		recipient channel
291	string		data
292
293The contents of the "data" field for layer 3 packets is:
294
295	uint32			packet length
296	uint32			address family
297	byte[packet length - 4]	packet data
298
299The "address family" field identifies the type of packet in the message.
300It may be one of:
301
302	SSH_TUN_AF_INET		2		/* IPv4 */
303	SSH_TUN_AF_INET6	24		/* IPv6 */
304
305The "packet data" field consists of the IPv4/IPv6 datagram itself
306without any link layer header.
307
308The contents of the "data" field for layer 2 packets is:
309
310	uint32			packet length
311	byte[packet length]	frame
312
313The "frame" field contains an IEEE 802.3 Ethernet frame, including
314header.
315
3162.4. connection: Unix domain socket forwarding
317
318OpenSSH supports local and remote Unix domain socket forwarding
319using the "streamlocal" extension.  Forwarding is initiated as per
320TCP sockets but with a single path instead of a host and port.
321
322Similar to direct-tcpip, direct-streamlocal is sent by the client
323to request that the server make a connection to a Unix domain socket.
324
325	byte		SSH_MSG_CHANNEL_OPEN
326	string		"direct-streamlocal@openssh.com"
327	uint32		sender channel
328	uint32		initial window size
329	uint32		maximum packet size
330	string		socket path
331	string		reserved
332	uint32		reserved
333
334Similar to forwarded-tcpip, forwarded-streamlocal is sent by the
335server when the client has previously send the server a streamlocal-forward
336GLOBAL_REQUEST.
337
338	byte		SSH_MSG_CHANNEL_OPEN
339	string		"forwarded-streamlocal@openssh.com"
340	uint32		sender channel
341	uint32		initial window size
342	uint32		maximum packet size
343	string		socket path
344	string		reserved for future use
345
346The reserved field is not currently defined and is ignored on the
347remote end.  It is intended to be used in the future to pass
348information about the socket file, such as ownership and mode.
349The client currently sends the empty string for this field.
350
351Similar to tcpip-forward, streamlocal-forward is sent by the client
352to request remote forwarding of a Unix domain socket.
353
354	byte		SSH2_MSG_GLOBAL_REQUEST
355	string		"streamlocal-forward@openssh.com"
356	boolean		TRUE
357	string		socket path
358
359Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent
360by the client cancel the forwarding of a Unix domain socket.
361
362	byte		SSH2_MSG_GLOBAL_REQUEST
363	string		"cancel-streamlocal-forward@openssh.com"
364	boolean		FALSE
365	string		socket path
366
3672.5. connection: hostkey update and rotation "hostkeys-00@openssh.com"
368and "hostkeys-prove-00@openssh.com"
369
370OpenSSH supports a protocol extension allowing a server to inform
371a client of all its protocol v.2 host keys after user-authentication
372has completed.
373
374	byte		SSH_MSG_GLOBAL_REQUEST
375	string		"hostkeys-00@openssh.com"
376	char		0 /* want-reply */
377	string[]	hostkeys
378
379Upon receiving this message, a client should check which of the
380supplied host keys are present in known_hosts.
381
382Note that the server may send key types that the client does not
383support. The client should disregard such keys if they are received.
384
385If the client identifies any keys that are not present for the host,
386it should send a "hostkeys-prove@openssh.com" message to request the
387server prove ownership of the private half of the key.
388
389	byte		SSH_MSG_GLOBAL_REQUEST
390	string		"hostkeys-prove-00@openssh.com"
391	char		1 /* want-reply */
392	string[]	hostkeys
393
394When a server receives this message, it should generate a signature
395using each requested key over the following:
396
397	string		"hostkeys-prove-00@openssh.com"
398	string		session identifier
399	string		hostkey
400
401These signatures should be included in the reply, in the order matching
402the hostkeys in the request:
403
404	byte		SSH_MSG_REQUEST_SUCCESS
405	string[]	signatures
406
407When the client receives this reply (and not a failure), it should
408validate the signatures and may update its known_hosts file, adding keys
409that it has not seen before and deleting keys for the server host that
410are no longer offered.
411
412These extensions let a client learn key types that it had not previously
413encountered, thereby allowing it to potentially upgrade from weaker
414key algorithms to better ones. It also supports graceful key rotation:
415a server may offer multiple keys of the same type for a period (to
416give clients an opportunity to learn them using this extension) before
417removing the deprecated key from those offered.
418
4192.6. connection: SIGINFO support for "signal" channel request
420
421The SSH channels protocol (RFC4254 section 6.9) supports sending a
422signal to a session attached to a channel. OpenSSH supports one
423extension signal "INFO@openssh.com" that allows sending SIGINFO on
424BSD-derived systems.
425
4263. Authentication protocol changes
427
4283.1. Host-bound public key authentication
429
430This is trivial change to the traditional "publickey" authentication
431method. The authentication request is identical to the original method
432but for the name and one additional field:
433
434	byte		SSH2_MSG_USERAUTH_REQUEST
435	string		username
436	string		"ssh-connection"
437	string		"publickey-hostbound-v00@openssh.com"
438	bool		has_signature
439	string		pkalg
440	string		public key
441	string		server host key
442
443Because the entire SSH2_MSG_USERAUTH_REQUEST message is included in
444the signed data, this ensures that a binding between the destination
445user, the server identity and the session identifier is visible to the
446signer. OpenSSH uses this binding via signed data to implement per-key
447restrictions in ssh-agent.
448
449A server may advertise this method using the SSH2_MSG_EXT_INFO
450mechanism (RFC8308), with the following message:
451
452	string		"publickey-hostbound@openssh.com"
453	string		"0" (version)
454
455Clients should prefer host-bound authentication when advertised by
456server.
457
4584. SFTP protocol changes
459
4604.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
461
462When OpenSSH's sftp-server was implemented, the order of the arguments
463to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately,
464the reversal was not noticed until the server was widely deployed. Since
465fixing this to follow the specification would cause incompatibility, the
466current order was retained. For correct operation, clients should send
467SSH_FXP_SYMLINK as follows:
468
469	uint32		id
470	string		targetpath
471	string		linkpath
472
4734.2. sftp: Server extension announcement in SSH_FXP_VERSION
474
475OpenSSH's sftp-server lists the extensions it supports using the
476standard extension announcement mechanism in the SSH_FXP_VERSION server
477hello packet:
478
479	uint32		3		/* protocol version */
480	string		ext1-name
481	string		ext1-version
482	string		ext2-name
483	string		ext2-version
484	...
485	string		extN-name
486	string		extN-version
487
488Each extension reports its integer version number as an ASCII encoded
489string, e.g. "1". The version will be incremented if the extension is
490ever changed in an incompatible way. The server MAY advertise the same
491extension with multiple versions (though this is unlikely). Clients MUST
492check the version number before attempting to use the extension.
493
4944.3. sftp: Extension request "posix-rename@openssh.com"
495
496This operation provides a rename operation with POSIX semantics, which
497are different to those provided by the standard SSH_FXP_RENAME in
498draft-ietf-secsh-filexfer-02.txt. This request is implemented as a
499SSH_FXP_EXTENDED request with the following format:
500
501	uint32		id
502	string		"posix-rename@openssh.com"
503	string		oldpath
504	string		newpath
505
506On receiving this request the server will perform the POSIX operation
507rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
508This extension is advertised in the SSH_FXP_VERSION hello with version
509"1".
510
5114.4. sftp: Extension requests "statvfs@openssh.com" and
512         "fstatvfs@openssh.com"
513
514These requests correspond to the statvfs and fstatvfs POSIX system
515interfaces. The "statvfs@openssh.com" request operates on an explicit
516pathname, and is formatted as follows:
517
518	uint32		id
519	string		"statvfs@openssh.com"
520	string		path
521
522The "fstatvfs@openssh.com" operates on an open file handle:
523
524	uint32		id
525	string		"fstatvfs@openssh.com"
526	string		handle
527
528These requests return a SSH_FXP_STATUS reply on failure. On success they
529return the following SSH_FXP_EXTENDED_REPLY reply:
530
531	uint32		id
532	uint64		f_bsize		/* file system block size */
533	uint64		f_frsize	/* fundamental fs block size */
534	uint64		f_blocks	/* number of blocks (unit f_frsize) */
535	uint64		f_bfree		/* free blocks in file system */
536	uint64		f_bavail	/* free blocks for non-root */
537	uint64		f_files		/* total file inodes */
538	uint64		f_ffree		/* free file inodes */
539	uint64		f_favail	/* free file inodes for to non-root */
540	uint64		f_fsid		/* file system id */
541	uint64		f_flag		/* bit mask of f_flag values */
542	uint64		f_namemax	/* maximum filename length */
543
544The values of the f_flag bitmask are as follows:
545
546	#define SSH_FXE_STATVFS_ST_RDONLY	0x1	/* read-only */
547	#define SSH_FXE_STATVFS_ST_NOSUID	0x2	/* no setuid */
548
549Both the "statvfs@openssh.com" and "fstatvfs@openssh.com" extensions are
550advertised in the SSH_FXP_VERSION hello with version "2".
551
5524.5. sftp: Extension request "hardlink@openssh.com"
553
554This request is for creating a hard link to a regular file. This
555request is implemented as a SSH_FXP_EXTENDED request with the
556following format:
557
558	uint32		id
559	string		"hardlink@openssh.com"
560	string		oldpath
561	string		newpath
562
563On receiving this request the server will perform the operation
564link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
565This extension is advertised in the SSH_FXP_VERSION hello with version
566"1".
567
5684.6. sftp: Extension request "fsync@openssh.com"
569
570This request asks the server to call fsync(2) on an open file handle.
571
572	uint32		id
573	string		"fsync@openssh.com"
574	string		handle
575
576On receiving this request, a server will call fsync(handle_fd) and will
577respond with a SSH_FXP_STATUS message.
578
579This extension is advertised in the SSH_FXP_VERSION hello with version
580"1".
581
5824.7. sftp: Extension request "lsetstat@openssh.com"
583
584This request is like the "setstat" command, but sets file attributes on
585symlinks.  It is implemented as a SSH_FXP_EXTENDED request with the
586following format:
587
588	uint32		id
589	string		"lsetstat@openssh.com"
590	string		path
591	ATTRS		attrs
592
593See the "setstat" command for more details.
594
595This extension is advertised in the SSH_FXP_VERSION hello with version
596"1".
597
5984.8. sftp: Extension request "limits@openssh.com"
599
600This request is used to determine various limits the server might impose.
601Clients should not attempt to exceed these limits as the server might sever
602the connection immediately.
603
604	uint32		id
605	string		"limits@openssh.com"
606
607The server will respond with a SSH_FXP_EXTENDED_REPLY reply:
608
609	uint32		id
610	uint64		max-packet-length
611	uint64		max-read-length
612	uint64		max-write-length
613	uint64		max-open-handles
614
615The 'max-packet-length' applies to the total number of bytes in a
616single SFTP packet.  Servers SHOULD set this at least to 34000.
617
618The 'max-read-length' is the largest length in a SSH_FXP_READ packet.
619Even if the client requests a larger size, servers will usually respond
620with a shorter SSH_FXP_DATA packet.  Servers SHOULD set this at least to
62132768.
622
623The 'max-write-length' is the largest length in a SSH_FXP_WRITE packet
624the server will accept.  Servers SHOULD set this at least to 32768.
625
626The 'max-open-handles' is the maximum number of active handles that the
627server allows (e.g. handles created by SSH_FXP_OPEN and SSH_FXP_OPENDIR
628packets).  Servers MAY count internal file handles against this limit
629(e.g. system logging or stdout/stderr), so clients SHOULD NOT expect to
630open this many handles in practice.
631
632If the server doesn't enforce a specific limit, then the field may be
633set to 0.  This implies the server relies on the OS to enforce limits
634(e.g. available memory or file handles), and such limits might be
635dynamic.  The client SHOULD take care to not try to exceed reasonable
636limits.
637
638This extension is advertised in the SSH_FXP_VERSION hello with version
639"1".
640
6414.9. sftp: Extension request "expand-path@openssh.com"
642
643This request supports canonicalisation of relative paths and
644those that need tilde-expansion, i.e. "~", "~/..." and "~user/..."
645These paths are expanded using shell-like rules and the resultant
646path is canonicalised similarly to SSH2_FXP_REALPATH.
647
648It is implemented as a SSH_FXP_EXTENDED request with the following
649format:
650
651	uint32		id
652	string		"expand-path@openssh.com"
653	string		path
654
655Its reply is the same format as that of SSH2_FXP_REALPATH.
656
657This extension is advertised in the SSH_FXP_VERSION hello with version
658"1".
659
6604.10. sftp: Extension request "copy-data"
661
662This request asks the server to copy data from one open file handle and
663write it to a different open file handle.  This avoids needing to transfer
664the data across the network twice (a download followed by an upload).
665
666	byte		SSH_FXP_EXTENDED
667	uint32		id
668	string		"copy-data"
669	string		read-from-handle
670	uint64		read-from-offset
671	uint64		read-data-length
672	string		write-to-handle
673	uint64		write-to-offset
674
675The server will copy read-data-length bytes starting from
676read-from-offset from the read-from-handle and write them to
677write-to-handle starting from write-to-offset, and then respond with a
678SSH_FXP_STATUS message.
679
680It's equivalent to issuing a series of SSH_FXP_READ requests on
681read-from-handle and a series of requests of SSH_FXP_WRITE on
682write-to-handle.
683
684If read-from-handle and write-to-handle are the same, the server will
685fail the request and respond with a SSH_FX_INVALID_PARAMETER message.
686
687If read-data-length is 0, then the server will read data from the
688read-from-handle until EOF is reached.
689
690This extension is advertised in the SSH_FXP_VERSION hello with version
691"1".
692
693This request is identical to the "copy-data" request documented in:
694
695https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7
696
6974.11. sftp: Extension request "home-directory"
698
699This request asks the server to expand the specified user's home directory.
700An empty username implies the current user.  This can be used by the client
701to expand ~/ type paths locally.
702
703	byte		SSH_FXP_EXTENDED
704	uint32		id
705	string		"home-directory"
706	string		username
707
708This extension is advertised in the SSH_FXP_VERSION hello with version
709"1".
710
711This provides similar information as the "expand-path@openssh.com" extension.
712
713This request is identical to the "home-directory" request documented in:
714
715https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-5
716
7174.12. sftp: Extension request "users-groups-by-id@openssh.com"
718
719This request asks the server to return user and/or group names that
720correspond to one or more IDs (e.g. as returned from a SSH_FXP_STAT
721request). This may be used by the client to provide usernames in
722directory listings.
723
724	byte		SSH_FXP_EXTENDED
725	uint32		id
726	string		"users-groups-by-id@openssh.com"
727	string		uids
728	string		gids
729
730Where "uids" and "gids" consists of one or more integer user or group
731identifiers:
732
733	uint32		id-0
734	...
735
736The server will reply with a SSH_FXP_EXTENDED_REPLY:
737
738	byte		SSH_FXP_EXTENDED_REPLY
739	uint32		id
740	string		usernames
741	string		groupnames
742
743Where "username" and "groupnames" consists of names in identical request
744order to "uids" and "gids" respectively:
745
746	string		name-0
747	...
748
749If a name cannot be identified for a given user or group ID, an empty
750string will be returned in its place.
751
752It is acceptable for either "uids" or "gids" to be an empty set, in
753which case the respective "usernames" or "groupnames" list will also
754be empty.
755
756This extension is advertised in the SSH_FXP_VERSION hello with version
757"1".
758
7595. Miscellaneous changes
760
7615.1 Public key format
762
763OpenSSH public keys, as generated by ssh-keygen(1) and appearing in
764authorized_keys files, are formatted as a single line of text consisting
765of the public key algorithm name followed by a base64-encoded key blob.
766The public key blob (before base64 encoding) is the same format used for
767the encoding of public keys sent on the wire: as described in RFC4253
768section 6.6 for RSA and DSA keys, RFC5656 section 3.1 for ECDSA keys
769and the "New public key formats" section of PROTOCOL.certkeys for the
770OpenSSH certificate formats.
771
7725.2 Private key format
773
774OpenSSH private keys, as generated by ssh-keygen(1) use the format
775described in PROTOCOL.key by default. As a legacy option, PEM format
776(RFC7468) private keys are also supported for RSA, DSA and ECDSA keys
777and were the default format before OpenSSH 7.8.
778
7795.3 KRL format
780
781OpenSSH supports a compact format for Key Revocation Lists (KRLs). This
782format is described in the PROTOCOL.krl file.
783
7845.4 Connection multiplexing
785
786OpenSSH's connection multiplexing uses messages as described in
787PROTOCOL.mux over a Unix domain socket for communications between a
788master instance and later clients.
789
7905.5. Agent protocol extensions
791
792OpenSSH extends the usual agent protocol. These changes are documented
793in the PROTOCOL.agent file.
794
795$OpenBSD: PROTOCOL,v 1.55 2024/01/08 05:05:15 djm Exp $
796