draft-ietf-secsh-connect-12.txt   draft-ietf-secsh-connect-13.txt 
Network Working Group T. Ylonen Network Working Group T. Ylonen
Internet-Draft T. Kivinen Internet-Draft T. Kivinen
Expires: May 10, 2002 SSH Communications Security Corp Expires: May 20, 2002 SSH Communications Security Corp
M. Saarinen M. Saarinen
University of Jyvaskyla University of Jyvaskyla
T. Rinne T. Rinne
S. Lehtinen S. Lehtinen
SSH Communications Security Corp SSH Communications Security Corp
November 9, 2001 November 19, 2001
SSH Connection Protocol SSH Connection Protocol
draft-ietf-secsh-connect-12.txt draft-ietf-secsh-connect-13.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 10, 2002. This Internet-Draft will expire on May 20, 2002.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved. Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract Abstract
SSH is a protocol for secure remote login and other secure network SSH is a protocol for secure remote login and other secure network
services over an insecure network. services over an insecure network.
skipping to change at page 2, line 38 skipping to change at page 2, line 38
4.8 Local Flow Control . . . . . . . . . . . . . . . . . . . . . 11 4.8 Local Flow Control . . . . . . . . . . . . . . . . . . . . . 11
4.9 Signals . . . . . . . . . . . . . . . . . . . . . . . . . . 12 4.9 Signals . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.10 Returning Exit Status . . . . . . . . . . . . . . . . . . . 12 4.10 Returning Exit Status . . . . . . . . . . . . . . . . . . . 12
5. TCP/IP Port Forwarding . . . . . . . . . . . . . . . . . . . 13 5. TCP/IP Port Forwarding . . . . . . . . . . . . . . . . . . . 13
5.1 Requesting Port Forwarding . . . . . . . . . . . . . . . . . 13 5.1 Requesting Port Forwarding . . . . . . . . . . . . . . . . . 13
5.2 TCP/IP Forwarding Channels . . . . . . . . . . . . . . . . . 14 5.2 TCP/IP Forwarding Channels . . . . . . . . . . . . . . . . . 14
6. Encoding of Terminal Modes . . . . . . . . . . . . . . . . . 15 6. Encoding of Terminal Modes . . . . . . . . . . . . . . . . . 15
7. Summary of Message Numbers . . . . . . . . . . . . . . . . . 17 7. Summary of Message Numbers . . . . . . . . . . . . . . . . . 17
8. Security Considerations . . . . . . . . . . . . . . . . . . 18 8. Security Considerations . . . . . . . . . . . . . . . . . . 18
9. Trademark Issues . . . . . . . . . . . . . . . . . . . . . . 18 9. Trademark Issues . . . . . . . . . . . . . . . . . . . . . . 18
10. Additional Information . . . . . . . . . . . . . . . . . . . 19 10. Additional Information . . . . . . . . . . . . . . . . . . . 18
References . . . . . . . . . . . . . . . . . . . . . . . . . 19 References . . . . . . . . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 19 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 19
Full Copyright Statement . . . . . . . . . . . . . . . . . . 21 Full Copyright Statement . . . . . . . . . . . . . . . . . . 21
1. Introduction 1. Introduction
The SSH Connection Protocol has been designed to run on top of the The SSH Connection Protocol has been designed to run on top of the
SSH transport layer and user authentication protocols. It provides SSH transport layer and user authentication protocols. It provides
interactive login sessions, remote execution of commands, forwarded interactive login sessions, remote execution of commands, forwarded
TCP/IP connections, and forwarded X11 connections. The service name TCP/IP connections, and forwarded X11 connections. The service name
for this protocol (after user authentication) is "ssh-connection". for this protocol (after user authentication) is "ssh-connection".
skipping to change at page 3, line 30 skipping to change at page 3, line 30
There are several kinds of requests that affect the state of the There are several kinds of requests that affect the state of the
remote end "globally", independent of any channels. An example is a remote end "globally", independent of any channels. An example is a
request to start TCP/IP forwarding for a specific port. All such request to start TCP/IP forwarding for a specific port. All such
requests use the following format. requests use the following format.
byte SSH_MSG_GLOBAL_REQUEST byte SSH_MSG_GLOBAL_REQUEST
string request name (restricted to US-ASCII) string request name (restricted to US-ASCII)
boolean want reply boolean want reply
... request-specific data follows ... request-specific data follows
request names follow the DNS extensibility naming convention outlined Request names follow the DNS extensibility naming convention outlined
in [SSH-ARCH] in [SSH-ARCH].
The recipient will respond to this message with The recipient will respond to this message with
SSH_MSG_REQUEST_SUCCESS, SSH_MSG_REQUEST_FAILURE, or some request- SSH_MSG_REQUEST_SUCCESS, SSH_MSG_REQUEST_FAILURE or some request-
specific continuation messages if `want reply' is TRUE. specific continuation messages if `want reply' is TRUE.
byte SSH_MSG_REQUEST_SUCCESS byte SSH_MSG_REQUEST_SUCCESS
If the recipient does not recognize or support the request, it simply If the recipient does not recognize or support the request, it simply
responds with SSH_MSG_REQUEST_FAILURE. responds with SSH_MSG_REQUEST_FAILURE.
byte SSH_MSG_REQUEST_FAILURE byte SSH_MSG_REQUEST_FAILURE
3. Channel Mechanism 3. Channel Mechanism
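Review bot: the SSH_MSG_REQUEST_SUCCESS layout in this region shows only the message byte, but the "tcpip-forward" response added in section 5.1 of this revision carries a bound port after that byte; add a "... response-specific data follows" line under `byte SSH_MSG_REQUEST_SUCCESS` so the generic format admits what the later section requires, and use one name for the message throughout (this region says SSH_MSG_REQUEST_SUCCESS, the section 5.1 addition says SSH_MSG_GLOBAL_REQUEST_SUCCESS). The wording edits themselves (capitalising "Request names", adding the missing period after [SSH-ARCH]) are fine.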
skipping to change at page 11, line 16 skipping to change at page 11, line 16
etc. This spurious output from the shell may be filtered out either etc. This spurious output from the shell may be filtered out either
at the server or at the client. at the server or at the client.
The server SHOULD not halt the execution of the protocol stack when The server SHOULD not halt the execution of the protocol stack when
starting a shell or a program. All input and output from these starting a shell or a program. All input and output from these
SHOULD be redirected to the channel or to the encrypted tunnel. SHOULD be redirected to the channel or to the encrypted tunnel.
It is RECOMMENDED to request and check the reply for these messages. It is RECOMMENDED to request and check the reply for these messages.
The client SHOULD ignore these messages. The client SHOULD ignore these messages.
subsystem names follow the DNS extensibility naming convention Subsystem names follow the DNS extensibility naming convention
outlined in [SSH-ARCH] outlined in [SSH-ARCH].
4.6 Session Data Transfer 4.6 Session Data Transfer
Data transfer for a session is done using SSH_MSG_CHANNEL_DATA and Data transfer for a session is done using SSH_MSG_CHANNEL_DATA and
SSH_MSG_CHANNEL_EXTENDED_DATA packets and the window mechanism. The SSH_MSG_CHANNEL_EXTENDED_DATA packets and the window mechanism. The
extended data type SSH_EXTENDED_DATA_STDERR has been defined for extended data type SSH_EXTENDED_DATA_STDERR has been defined for
stderr data. stderr data.
4.7 Window Dimension Change Message 4.7 Window Dimension Change Message
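Review bot: "The server SHOULD not halt" pairs an RFC 2119 keyword with a lower-case "not"; it should read "SHOULD NOT" so the requirement level is unambiguous. "The client SHOULD ignore these messages" is also ambiguous coming right after the sentence about requesting and checking replies; say explicitly that it is shell/exec/subsystem requests arriving from the server side that a client ignores, not the replies it asked for. The change in this region (capitalising "Subsystem names" and adding the period) is fine.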
skipping to change at page 14, line 20 skipping to change at page 14, line 20
`Address to bind' and `port number to bind' specify the IP address `Address to bind' and `port number to bind' specify the IP address
and port to which the socket to be listened is bound. The address and port to which the socket to be listened is bound. The address
should be "0.0.0.0" if connections are allowed from anywhere. (Note should be "0.0.0.0" if connections are allowed from anywhere. (Note
that the client can still filter connections based on information that the client can still filter connections based on information
passed in the open request.) passed in the open request.)
Implementations should only allow forwarding privileged ports if the Implementations should only allow forwarding privileged ports if the
user has been authenticated as a privileged user. user has been authenticated as a privileged user.
The client may send 0 as the port to bind to, in this case the server
should interpret this as meaning it should allocate the next availble
non privileged port and return the value in the response packet.
Client implementations SHOULD reject these messages; they are Client implementations SHOULD reject these messages; they are
normally only sent by the client. normally only sent by the client.
The response to an SSH_MSG_GLOBAL_REQUEST is of the form:
bytes SSH_MSG_GLOBAL_REQUEST_SUCCESS
string "tcpip-forward"
unint32 port that was bound on the server
A port forwarding can be cancelled with the following message. Note A port forwarding can be cancelled with the following message. Note
that channel open requests may be received until a reply to this that channel open requests may be received until a reply to this
message is received. message is received.
byte SSH_MSG_GLOBAL_REQUEST byte SSH_MSG_GLOBAL_REQUEST
string "cancel-tcpip-forward" string "cancel-tcpip-forward"
boolean want reply boolean want reply
string address_to_bind (e.g. "127.0.0.1") string address_to_bind (e.g. "127.0.0.1")
uint32 port number to bind uint32 port number to bind
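Review bot: the new port-0 paragraph and response format need tightening before this goes out. "availble" should be "available" and "non privileged" should be "non-privileged"; "should interpret" and "should allocate" are requirements and belong in RFC 2119 form (SHOULD or MUST) if that is the intent. In the response block, "bytes" should be "byte" and "unint32" should be "uint32"; the message is named SSH_MSG_GLOBAL_REQUEST_SUCCESS here but section 2 defines only SSH_MSG_REQUEST_SUCCESS, so one of the two must change. The lead sentence "The response to an SSH_MSG_GLOBAL_REQUEST is of the form:" overstates the scope: this layout applies to a successful "tcpip-forward" request, and the text should say whether the port field is present only when the client asked for port 0 or on every "tcpip-forward" success, since a receiver has to know whether to expect it. Two practical points follow from the allocation: the "cancel-tcpip-forward" message below is keyed on address and port, so the client must cancel an auto-allocated forward with the server-returned port rather than the 0 it sent; and a client should check that the returned port is in range and consistent with the "non-privileged" rule before using it in that cancel or when matching incoming forwarded connections.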
skipping to change at page 19, line 33 skipping to change at page 19, line 23
Reference to Xlib, X Protocol, Icccm, Xlfd, 3rd Reference to Xlib, X Protocol, Icccm, Xlfd, 3rd
edition.", Digital Press ISBN 1555580882, Feburary edition.", Digital Press ISBN 1555580882, Feburary
1992. 1992.
[POSIX] ISO/IEC, 9945-1., "Information technology -- Portable [POSIX] ISO/IEC, 9945-1., "Information technology -- Portable
Operating System Interface (POSIX)-Part 1: System Operating System Interface (POSIX)-Part 1: System
Application Program Interface (API) C Language", Application Program Interface (API) C Language",
ANSI/IEE Std 1003.1, July 1996. ANSI/IEE Std 1003.1, July 1996.
[SSH-ARCH] Ylonen, T., "SSH Protocol Architecture", I-D draft- [SSH-ARCH] Ylonen, T., "SSH Protocol Architecture", I-D draft-
ietf-architecture-09.txt, July 2001. ietf-architecture-11.txt, July 2001.
[SSH-TRANS] Ylonen, T., "SSH Transport Layer Protocol", I-D [SSH-TRANS] Ylonen, T., "SSH Transport Layer Protocol", I-D
draft-ietf-transport-11.txt, July 2001. draft-ietf-transport-11.txt, July 2001.
[SSH-USERAUTH] Ylonen, T., "SSH Authentication Protocol", I-D draft- [SSH-USERAUTH] Ylonen, T., "SSH Authentication Protocol", I-D draft-
ietf-userauth-11.txt, July 2001. ietf-userauth-13.txt, July 2001.
[SSH-CONNECT] Ylonen, T., "SSH Connection Protocol", I-D draft- [SSH-CONNECT] Ylonen, T., "SSH Connection Protocol", I-D draft-
ietf-connect-11.txt, July 2001. ietf-connect-13.txt, July 2001.
Authors' Addresses Authors' Addresses
Tatu Ylonen Tatu Ylonen
SSH Communications Security Corp SSH Communications Security Corp
Fredrikinkatu 42 Fredrikinkatu 42
HELSINKI FIN-00100 HELSINKI FIN-00100
Finland Finland
EMail: ylo@ssh.com EMail: ylo@ssh.com
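Review bot: the updated [SSH-CONNECT] entry names "draft-ietf-connect-13.txt", while this document's own filename in the header is draft-ietf-secsh-connect-13.txt; the same "secsh" component is missing from the [SSH-ARCH], [SSH-TRANS] and [SSH-USERAUTH] filenames. The revision numbers were bumped (architecture -09 to -11, userauth -11 to -13, connect -11 to -13) but every entry still says "July 2001" even though this revision is dated November 2001; check each date against the cited revision. The unchanged context also carries two typos worth fixing in the same pass: "Feburary" and "ANSI/IEE Std 1003.1" (IEEE).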
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/