draft-ietf-secsh-connect-13.txt   draft-ietf-secsh-connect-14.txt 
Network Working Group T. Ylonen Network Working Group T. Ylonen
Internet-Draft T. Kivinen Internet-Draft T. Kivinen
Expires: May 20, 2002 SSH Communications Security Corp Expires: May 22, 2002 SSH Communications Security Corp
M. Saarinen M. Saarinen
University of Jyvaskyla University of Jyvaskyla
T. Rinne T. Rinne
S. Lehtinen S. Lehtinen
SSH Communications Security Corp SSH Communications Security Corp
November 19, 2001 November 21, 2001
SSH Connection Protocol SSH Connection Protocol
draft-ietf-secsh-connect-13.txt draft-ietf-secsh-connect-14.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 20, 2002. This Internet-Draft will expire on May 22, 2002.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved. Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract Abstract
SSH is a protocol for secure remote login and other secure network SSH is a protocol for secure remote login and other secure network
services over an insecure network. services over an insecure network.
skipping to change at page 2, line 17 skipping to change at page 2, line 17
SSH transport layer and user authentication protocols. SSH transport layer and user authentication protocols.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Global Requests . . . . . . . . . . . . . . . . . . . . . . 3 2. Global Requests . . . . . . . . . . . . . . . . . . . . . . 3
3. Channel Mechanism . . . . . . . . . . . . . . . . . . . . . 3 3. Channel Mechanism . . . . . . . . . . . . . . . . . . . . . 3
3.1 Opening a Channel . . . . . . . . . . . . . . . . . . . . . 4 3.1 Opening a Channel . . . . . . . . . . . . . . . . . . . . . 4
3.2 Data Transfer . . . . . . . . . . . . . . . . . . . . . . . 5 3.2 Data Transfer . . . . . . . . . . . . . . . . . . . . . . . 5
3.3 Closing a Channel . . . . . . . . . . . . . . . . . . . . . 6 3.3 Closing a Channel . . . . . . . . . . . . . . . . . . . . . 6
3.4 Channel-Specific Requests . . . . . . . . . . . . . . . . . 6 3.4 Channel-Specific Requests . . . . . . . . . . . . . . . . . 7
4. Interactive Sessions . . . . . . . . . . . . . . . . . . . . 7 4. Interactive Sessions . . . . . . . . . . . . . . . . . . . . 7
4.1 Opening a Session . . . . . . . . . . . . . . . . . . . . . 7 4.1 Opening a Session . . . . . . . . . . . . . . . . . . . . . 8
4.2 Requesting a Pseudo-Terminal . . . . . . . . . . . . . . . . 8 4.2 Requesting a Pseudo-Terminal . . . . . . . . . . . . . . . . 8
4.3 X11 Forwarding . . . . . . . . . . . . . . . . . . . . . . . 8 4.3 X11 Forwarding . . . . . . . . . . . . . . . . . . . . . . . 8
4.3.1 Requesting X11 Forwarding . . . . . . . . . . . . . . . . . 8 4.3.1 Requesting X11 Forwarding . . . . . . . . . . . . . . . . . 8
4.3.2 X11 Channels . . . . . . . . . . . . . . . . . . . . . . . . 9 4.3.2 X11 Channels . . . . . . . . . . . . . . . . . . . . . . . . 9
4.4 Environment Variable Passing . . . . . . . . . . . . . . . . 9 4.4 Environment Variable Passing . . . . . . . . . . . . . . . . 10
4.5 Starting a Shell or a Command . . . . . . . . . . . . . . . 10 4.5 Starting a Shell or a Command . . . . . . . . . . . . . . . 10
4.6 Session Data Transfer . . . . . . . . . . . . . . . . . . . 11 4.6 Session Data Transfer . . . . . . . . . . . . . . . . . . . 11
4.7 Window Dimension Change Message . . . . . . . . . . . . . . 11 4.7 Window Dimension Change Message . . . . . . . . . . . . . . 11
4.8 Local Flow Control . . . . . . . . . . . . . . . . . . . . . 11 4.8 Local Flow Control . . . . . . . . . . . . . . . . . . . . . 11
4.9 Signals . . . . . . . . . . . . . . . . . . . . . . . . . . 12 4.9 Signals . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.10 Returning Exit Status . . . . . . . . . . . . . . . . . . . 12 4.10 Returning Exit Status . . . . . . . . . . . . . . . . . . . 12
5. TCP/IP Port Forwarding . . . . . . . . . . . . . . . . . . . 13 5. TCP/IP Port Forwarding . . . . . . . . . . . . . . . . . . . 13
5.1 Requesting Port Forwarding . . . . . . . . . . . . . . . . . 13 5.1 Requesting Port Forwarding . . . . . . . . . . . . . . . . . 13
5.2 TCP/IP Forwarding Channels . . . . . . . . . . . . . . . . . 14 5.2 TCP/IP Forwarding Channels . . . . . . . . . . . . . . . . . 14
6. Encoding of Terminal Modes . . . . . . . . . . . . . . . . . 15 6. Encoding of Terminal Modes . . . . . . . . . . . . . . . . . 16
7. Summary of Message Numbers . . . . . . . . . . . . . . . . . 17 7. Summary of Message Numbers . . . . . . . . . . . . . . . . . 17
8. Security Considerations . . . . . . . . . . . . . . . . . . 18 8. Security Considerations . . . . . . . . . . . . . . . . . . 18
9. Trademark Issues . . . . . . . . . . . . . . . . . . . . . . 18 9. Trademark Issues . . . . . . . . . . . . . . . . . . . . . . 19
10. Additional Information . . . . . . . . . . . . . . . . . . . 18 10. Additional Information . . . . . . . . . . . . . . . . . . . 19
References . . . . . . . . . . . . . . . . . . . . . . . . . 18 References . . . . . . . . . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 19 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 20
Full Copyright Statement . . . . . . . . . . . . . . . . . . 21 Full Copyright Statement . . . . . . . . . . . . . . . . . . 21
1. Introduction 1. Introduction
The SSH Connection Protocol has been designed to run on top of the The SSH Connection Protocol has been designed to run on top of the
SSH transport layer and user authentication protocols. It provides SSH transport layer and user authentication protocols. It provides
interactive login sessions, remote execution of commands, forwarded interactive login sessions, remote execution of commands, forwarded
TCP/IP connections, and forwarded X11 connections. The service name TCP/IP connections, and forwarded X11 connections. The service name
for this protocol (after user authentication) is "ssh-connection". for this protocol (after user authentication) is "ssh-connection".
skipping to change at page 3, line 34 skipping to change at page 3, line 34
byte SSH_MSG_GLOBAL_REQUEST byte SSH_MSG_GLOBAL_REQUEST
string request name (restricted to US-ASCII) string request name (restricted to US-ASCII)
boolean want reply boolean want reply
... request-specific data follows ... request-specific data follows
Request names follow the DNS extensibility naming convention outlined Request names follow the DNS extensibility naming convention outlined
in [SSH-ARCH]. in [SSH-ARCH].
The recipient will respond to this message with The recipient will respond to this message with
SSH_MSG_REQUEST_SUCCESS, SSH_MSG_REQUEST_FAILURE or some request- SSH_MSG_REQUEST_SUCCESS or SSH_MSG_REQUEST_FAILURE if `want reply' is
specific continuation messages if `want reply' is TRUE. TRUE.
byte SSH_MSG_REQUEST_SUCCESS byte SSH_MSG_REQUEST_SUCCESS
..... response specific data
Usually the response specific data is non-existent.
If the recipient does not recognize or support the request, it simply If the recipient does not recognize or support the request, it simply
responds with SSH_MSG_REQUEST_FAILURE. responds with SSH_MSG_REQUEST_FAILURE.
byte SSH_MSG_REQUEST_FAILURE byte SSH_MSG_REQUEST_FAILURE
3. Channel Mechanism 3. Channel Mechanism
All terminal sessions, forwarded connections, etc. are channels. All terminal sessions, forwarded connections, etc. are channels.
Either side may open a channel. Multiple channels are multiplexed Either side may open a channel. Multiple channels are multiplexed
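Review bot: the new SSH_MSG_REQUEST_SUCCESS format uses a five-dot ellipsis and the unhyphenated "response specific data", while the SSH_MSG_GLOBAL_REQUEST format in the same section uses "... request-specific data follows"; make the two lines follow one convention (three dots, "response-specific data follows"). The added sentence "Usually the response specific data is non-existent." reads better as "Usually there is no response-specific data.", and since the port-forwarding section in this same revision now defines a success reply that does carry data (the bound port number), a pointer to that case here would tell implementers when to expect a non-empty body.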
skipping to change at page 9, line 49 skipping to change at page 10, line 8
The recipient should respond with SSH_MSG_CHANNEL_OPEN_CONFIRMATION The recipient should respond with SSH_MSG_CHANNEL_OPEN_CONFIRMATION
or SSH_MSG_CHANNEL_OPEN_FAILURE. or SSH_MSG_CHANNEL_OPEN_FAILURE.
Implementations MUST reject any X11 channel open requests if they Implementations MUST reject any X11 channel open requests if they
have not requested X11 forwarding. have not requested X11 forwarding.
4.4 Environment Variable Passing 4.4 Environment Variable Passing
Environment variables may be passed to the shell/command to be Environment variables may be passed to the shell/command to be
started later. Typically, each machine will have a preconfigured set started later. Uncontrolled setting of environment variables in a
of variables that it will allow. Since uncontrolled setting of privileged process can be a security hazard. It is recommended that
environment variables can be very dangerous, it is recommended that implementations either maintain a list of allowable variable names or
implementations allow setting only variables whose names have been only set environment variables after the server process has dropped
explicitly configured to be allowed. sufficient privileges.
byte SSH_MSG_CHANNEL_REQUEST byte SSH_MSG_CHANNEL_REQUEST
uint32 recipient channel uint32 recipient channel
string "env" string "env"
boolean want reply boolean want reply
string variable name string variable name
string variable value string variable value
4.5 Starting a Shell or a Command 4.5 Starting a Shell or a Command
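Review bot: the rewritten 4.4 weakens the recommendation rather than sharpening it. The old text called uncontrolled setting of environment variables "very dangerous" and recommended setting only explicitly configured names; the new text limits the hazard to "a privileged process" and presents dropping privileges as an alternative to the allow-list. Dropping privileges only removes the risk to the server process itself, whereas the allow-list was also what let a site decide which variables reach the user's shell or command at all, so the two measures are not interchangeable. Suggest keeping the allow-list as the primary recommendation and describing privilege dropping as an additional requirement for the privileged-process case, e.g. "implementations SHOULD allow setting only variables whose names have been explicitly configured to be allowed, and SHOULD NOT set any variable before the server process has dropped sufficient privileges."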
skipping to change at page 14, line 23 skipping to change at page 14, line 25
should be "0.0.0.0" if connections are allowed from anywhere. (Note should be "0.0.0.0" if connections are allowed from anywhere. (Note
that the client can still filter connections based on information that the client can still filter connections based on information
passed in the open request.) passed in the open request.)
Implementations should only allow forwarding privileged ports if the Implementations should only allow forwarding privileged ports if the
user has been authenticated as a privileged user. user has been authenticated as a privileged user.
Client implementations SHOULD reject these messages; they are Client implementations SHOULD reject these messages; they are
normally only sent by the client. normally only sent by the client.
If a client passes 0 as port number to bind and has want reply TRUE
then the server allocates the next available unprivileged port number
and replies with the following message, otherwise there is no
response specific data.
byte SSH_MSG_GLOBAL_REQUEST_SUCCESS
uint32 port that was bound on the server
A port forwarding can be cancelled with the following message. Note A port forwarding can be cancelled with the following message. Note
that channel open requests may be received until a reply to this that channel open requests may be received until a reply to this
message is received. message is received.
byte SSH_MSG_GLOBAL_REQUEST byte SSH_MSG_GLOBAL_REQUEST
string "cancel-tcpip-forward" string "cancel-tcpip-forward"
boolean want reply boolean want reply
string address_to_bind (e.g. "127.0.0.1") string address_to_bind (e.g. "127.0.0.1")
uint32 port number to bind uint32 port number to bind
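Review bot: the new port-0 paragraph names the reply "SSH_MSG_GLOBAL_REQUEST_SUCCESS", but section 2 and the message format shown there use SSH_MSG_REQUEST_SUCCESS; use the existing name so the message-number summary stays consistent. "has want reply TRUE" should quote the field the way the rest of the document does (`want reply' is TRUE). The paragraph is also inserted directly after "Client implementations SHOULD reject these messages; they are normally only sent by the client.", which leaves the reader unsure whether "these messages" now covers the new success reply (which the client must accept); move the port-0 text up to follow the tcpip-forward request format it extends, and state explicitly that the returned uint32 is the port the server actually bound so a client can check it against the unprivileged range the text promises.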
skipping to change at page 19, line 32 skipping to change at page 19, line 48
[SSH-ARCH] Ylonen, T., "SSH Protocol Architecture", I-D draft- [SSH-ARCH] Ylonen, T., "SSH Protocol Architecture", I-D draft-
ietf-architecture-11.txt, July 2001. ietf-architecture-11.txt, July 2001.
[SSH-TRANS] Ylonen, T., "SSH Transport Layer Protocol", I-D [SSH-TRANS] Ylonen, T., "SSH Transport Layer Protocol", I-D
draft-ietf-transport-11.txt, July 2001. draft-ietf-transport-11.txt, July 2001.
[SSH-USERAUTH] Ylonen, T., "SSH Authentication Protocol", I-D draft- [SSH-USERAUTH] Ylonen, T., "SSH Authentication Protocol", I-D draft-
ietf-userauth-13.txt, July 2001. ietf-userauth-13.txt, July 2001.
[SSH-CONNECT] Ylonen, T., "SSH Connection Protocol", I-D draft- [SSH-CONNECT] Ylonen, T., "SSH Connection Protocol", I-D draft-
ietf-connect-13.txt, July 2001. ietf-connect-14.txt, July 2001.
Authors' Addresses Authors' Addresses
Tatu Ylonen Tatu Ylonen
SSH Communications Security Corp SSH Communications Security Corp
Fredrikinkatu 42 Fredrikinkatu 42
HELSINKI FIN-00100 HELSINKI FIN-00100
Finland Finland
EMail: ylo@ssh.com EMail: ylo@ssh.com
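Review bot: the [SSH-CONNECT] entry was bumped to -14 but still carries "July 2001", while this draft is dated November 21, 2001; update the date of the self-reference. The cited file names also drop the "secsh" component: the draft's own header reads draft-ietf-secsh-connect-14.txt, yet the references cite draft-ietf-connect-14.txt, draft-ietf-architecture-11.txt, draft-ietf-transport-11.txt and draft-ietf-userauth-13.txt; correct them to the actual draft names. Finally, each reference credits "Ylonen, T." alone although the front page lists five authors; align the reference entries with the author lists of the cited drafts.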
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/