diff options
Diffstat (limited to 'doc/draft-ietf-secsh-connect-17.txt')
-rw-r--r-- | doc/draft-ietf-secsh-connect-17.txt | 1232 |
1 files changed, 0 insertions, 1232 deletions
diff --git a/doc/draft-ietf-secsh-connect-17.txt b/doc/draft-ietf-secsh-connect-17.txt deleted file mode 100644 index 5a8a43e..0000000 --- a/doc/draft-ietf-secsh-connect-17.txt +++ /dev/null @@ -1,1232 +0,0 @@ - - -Network Working Group T. Ylonen -Internet-Draft T. Kivinen -Expires: January 12, 2004 SSH Communications Security Corp - M. Saarinen - University of Jyvaskyla - T. Rinne - S. Lehtinen - SSH Communications Security Corp - July 14, 2003 - - - SSH Connection Protocol - draft-ietf-secsh-connect-17.txt - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other - documents at any time. It is inappropriate to use Internet-Drafts - as reference material or to cite them other than as "work in - progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on January 12, 2004. - -Copyright Notice - - Copyright (C) The Internet Society (2003). All Rights Reserved. - -Abstract - - SSH is a protocol for secure remote login and other secure network - services over an insecure network. - - This document describes the SSH Connection Protocol. It provides - interactive login sessions, remote execution of commands, - - - -Ylonen, et. al. Expires January 12, 2004 [Page 1] - -Internet-Draft SSH Connection Protocol July 2003 - - - forwarded TCP/IP connections, and forwarded X11 connections. All - of these channels are multiplexed into a single encrypted tunnel. - - The SSH Connection Protocol has been designed to run on top of the - SSH transport layer and user authentication protocols. - -Table of Contents - - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2. Global Requests . . . . . . . . . . . . . . . . . . . . . . 3 - 3. Channel Mechanism . . . . . . . . . . . . . . . . . . . . . 3 - 3.1 Opening a Channel . . . . . . . . . . . . . . . . . . . . . 4 - 3.2 Data Transfer . . . . . . . . . . . . . . . . . . . . . . . 5 - 3.3 Closing a Channel . . . . . . . . . . . . . . . . . . . . . 6 - 3.4 Channel-Specific Requests . . . . . . . . . . . . . . . . . 7 - 4. Interactive Sessions . . . . . . . . . . . . . . . . . . . . 8 - 4.1 Opening a Session . . . . . . . . . . . . . . . . . . . . . 8 - 4.2 Requesting a Pseudo-Terminal . . . . . . . . . . . . . . . . 8 - 4.3 X11 Forwarding . . . . . . . . . . . . . . . . . . . . . . . 9 - 4.3.1 Requesting X11 Forwarding . . . . . . . . . . . . . . . . . 9 - 4.3.2 X11 Channels . . . . . . . . . . . . . . . . . . . . . . . . 9 - 4.4 Environment Variable Passing . . . . . . . . . . . . . . . . 10 - 4.5 Starting a Shell or a Command . . . . . . . . . . . . . . . 10 - 4.6 Session Data Transfer . . . . . . . . . . . . . . . . . . . 11 - 4.7 Window Dimension Change Message . . . . . . . . . . . . . . 11 - 4.8 Local Flow Control . . . . . . . . . . . . . . . . . . . . . 12 - 4.9 Signals . . . . . . . . . . . . . . . . . . . . . . . . . . 12 - 4.10 Returning Exit Status . . . . . . . . . . . . . . . . . . . 12 - 5. TCP/IP Port Forwarding . . . . . . . . . . . . . . . . . . . 14 - 5.1 Requesting Port Forwarding . . . . . . . . . . . . . . . . . 14 - 5.2 TCP/IP Forwarding Channels . . . . . . . . . . . . . . . . . 15 - 6. Encoding of Terminal Modes . . . . . . . . . . . . . . . . . 16 - 7. Summary of Message Numbers . . . . . . . . . . . . . . . . . 18 - 8. Security Considerations . . . . . . . . . . . . . . . . . . 18 - 9. Intellectual Property . . . . . . . . . . . . . . . . . . . 18 - 10. Additional Information . . . . . . . . . . . . . . . . . . . 19 - References . . . . . . . . . . . . . . . . . . . . . . . . . 19 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 20 - Full Copyright Statement . . . . . . . . . . . . . . . . . . 22 - - - - - - - - - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 2] - -Internet-Draft SSH Connection Protocol July 2003 - - - 1. Introduction - - The SSH Connection Protocol has been designed to run on top of the - SSH transport layer and user authentication protocols. It - provides interactive login sessions, remote execution of commands, - forwarded TCP/IP connections, and forwarded X11 connections. The - service name for this protocol (after user authentication) is - "ssh-connection". - - This document should be read only after reading the SSH - architecture document [SSH-ARCH]. This document freely uses - terminology and notation from the architecture document without - reference or further explanation. - - 2. Global Requests - - There are several kinds of requests that affect the state of the - remote end "globally", independent of any channels. An example is - a request to start TCP/IP forwarding for a specific port. All - such requests use the following format. - - byte SSH_MSG_GLOBAL_REQUEST - string request name (restricted to US-ASCII) - boolean want reply - ... request-specific data follows - - Request names follow the DNS extensibility naming convention - outlined in [SSH-ARCH]. - - The recipient will respond to this message with - SSH_MSG_REQUEST_SUCCESS or SSH_MSG_REQUEST_FAILURE if `want reply' - is TRUE. - - byte SSH_MSG_REQUEST_SUCCESS - ..... response specific data - - Usually the response specific data is non-existent. - - If the recipient does not recognize or support the request, it - simply responds with SSH_MSG_REQUEST_FAILURE. - - byte SSH_MSG_REQUEST_FAILURE - - - 3. Channel Mechanism - - All terminal sessions, forwarded connections, etc. are channels. - Either side may open a channel. Multiple channels are multiplexed - - - -Ylonen, et. al. Expires January 12, 2004 [Page 3] - -Internet-Draft SSH Connection Protocol July 2003 - - - into a single connection. - - Channels are identified by numbers at each end. The number - referring to a channel may be different on each side. Requests to - open a channel contain the sender's channel number. Any other - channel-related messages contain the recipient's channel number - for the channel. - - Channels are flow-controlled. No data may be sent to a channel - until a message is received to indicate that window space is - available. - - 3.1 Opening a Channel - - When either side wishes to open a new channel, it allocates a - local number for the channel. It then sends the following message - to the other side, and includes the local channel number and - initial window size in the message. - - byte SSH_MSG_CHANNEL_OPEN - string channel type (restricted to US-ASCII) - uint32 sender channel - uint32 initial window size - uint32 maximum packet size - ... channel type specific data follows - - The channel type is a name as described in the SSH architecture - document, with similar extension mechanisms. `sender channel' is - a local identifier for the channel used by the sender of this - message. `initial window size' specifies how many bytes of - channel data can be sent to the sender of this message without - adjusting the window. `Maximum packet size' specifies the maximum - size of an individual data packet that can be sent to the sender - (for example, one might want to use smaller packets for - interactive connections to get better interactive response on slow - links). - - The remote side then decides whether it can open the channel, and - responds with either - - byte SSH_MSG_CHANNEL_OPEN_CONFIRMATION - uint32 recipient channel - uint32 sender channel - uint32 initial window size - uint32 maximum packet size - ... channel type specific data follows - - where `recipient channel' is the channel number given in the - - - -Ylonen, et. al. Expires January 12, 2004 [Page 4] - -Internet-Draft SSH Connection Protocol July 2003 - - - original open request, and `sender channel' is the channel number - allocated by the other side, or - - byte SSH_MSG_CHANNEL_OPEN_FAILURE - uint32 recipient channel - uint32 reason code - string additional textual information (ISO-10646 UTF-8 [RFC2279]) - string language tag (as defined in [RFC1766]) - - If the recipient of the SSH_MSG_CHANNEL_OPEN message does not - support the specified channel type, it simply responds with - SSH_MSG_CHANNEL_OPEN_FAILURE. The client MAY show the additional - information to the user. If this is done, the client software - should take the precautions discussed in [SSH-ARCH]. - - The following reason codes are defined: - - #define SSH_OPEN_ADMINISTRATIVELY_PROHIBITED 1 - #define SSH_OPEN_CONNECT_FAILED 2 - #define SSH_OPEN_UNKNOWN_CHANNEL_TYPE 3 - #define SSH_OPEN_RESOURCE_SHORTAGE 4 - - - 3.2 Data Transfer - - The window size specifies how many bytes the other party can send - before it must wait for the window to be adjusted. Both parties - use the following message to adjust the window. - - byte SSH_MSG_CHANNEL_WINDOW_ADJUST - uint32 recipient channel - uint32 bytes to add - - After receiving this message, the recipient MAY send the given - number of bytes more than it was previously allowed to send; the - window size is incremented. - - Data transfer is done with messages of the following type. - - byte SSH_MSG_CHANNEL_DATA - uint32 recipient channel - string data - - The maximum amount of data allowed is the current window size. - The window size is decremented by the amount of data sent. Both - parties MAY ignore all extra data sent after the allowed window is - empty. - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 5] - -Internet-Draft SSH Connection Protocol July 2003 - - - Additionally, some channels can transfer several types of data. - An example of this is stderr data from interactive sessions. Such - data can be passed with SSH_MSG_CHANNEL_EXTENDED_DATA messages, - where a separate integer specifies the type of the data. The - available types and their interpretation depend on the type of the - channel. - - byte SSH_MSG_CHANNEL_EXTENDED_DATA - uint32 recipient_channel - uint32 data_type_code - string data - - Data sent with these messages consumes the same window as ordinary - data. - - Currently, only the following type is defined. - - #define SSH_EXTENDED_DATA_STDERR 1 - - - 3.3 Closing a Channel - - When a party will no longer send more data to a channel, it SHOULD - send SSH_MSG_CHANNEL_EOF. - - byte SSH_MSG_CHANNEL_EOF - uint32 recipient_channel - - No explicit response is sent to this message; however, the - application may send EOF to whatever is at the other end of the - channel. Note that the channel remains open after this message, - and more data may still be sent in the other direction. This - message does not consume window space and can be sent even if no - window space is available. - - When either party wishes to terminate the channel, it sends - SSH_MSG_CHANNEL_CLOSE. Upon receiving this message, a party MUST - send back a SSH_MSG_CHANNEL_CLOSE unless it has already sent this - message for the channel. The channel is considered closed for a - party when it has both sent and received SSH_MSG_CHANNEL_CLOSE, - and the party may then reuse the channel number. A party MAY send - SSH_MSG_CHANNEL_CLOSE without having sent or received - SSH_MSG_CHANNEL_EOF. - - byte SSH_MSG_CHANNEL_CLOSE - uint32 recipient_channel - - This message does not consume window space and can be sent even if - - - -Ylonen, et. al. Expires January 12, 2004 [Page 6] - -Internet-Draft SSH Connection Protocol July 2003 - - - no window space is available. - - It is recommended that any data sent before this message is - delivered to the actual destination, if possible. - - 3.4 Channel-Specific Requests - - Many channel types have extensions that are specific to that - particular channel type. An example is requesting a pty (pseudo - terminal) for an interactive session. - - All channel-specific requests use the following format. - - byte SSH_MSG_CHANNEL_REQUEST - uint32 recipient channel - string request type (restricted to US-ASCII) - boolean want reply - ... type-specific data - - If want reply is FALSE, no response will be sent to the request. - Otherwise, the recipient responds with either - SSH_MSG_CHANNEL_SUCCESS or SSH_MSG_CHANNEL_FAILURE, or request- - specific continuation messages. If the request is not recognized - or is not supported for the channel, SSH_MSG_CHANNEL_FAILURE is - returned. - - This message does not consume window space and can be sent even if - no window space is available. Request types are local to each - channel type. - - The client is allowed to send further messages without waiting for - the response to the request. - - request type names follow the DNS extensibility naming convention - outlined in [SSH-ARCH] - - byte SSH_MSG_CHANNEL_SUCCESS - uint32 recipient_channel - - - byte SSH_MSG_CHANNEL_FAILURE - uint32 recipient_channel - - These messages do not consume window space and can be sent even if - no window space is available. - - - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 7] - -Internet-Draft SSH Connection Protocol July 2003 - - - 4. Interactive Sessions - - A session is a remote execution of a program. The program may be - a shell, an application, a system command, or some built-in - subsystem. It may or may not have a tty, and may or may not - involve X11 forwarding. Multiple sessions can be active - simultaneously. - - 4.1 Opening a Session - - A session is started by sending the following message. - - byte SSH_MSG_CHANNEL_OPEN - string "session" - uint32 sender channel - uint32 initial window size - uint32 maximum packet size - - Client implementations SHOULD reject any session channel open - requests to make it more difficult for a corrupt server to attack - the client. - - 4.2 Requesting a Pseudo-Terminal - - A pseudo-terminal can be allocated for the session by sending the - following message. - - byte SSH_MSG_CHANNEL_REQUEST - uint32 recipient_channel - string "pty-req" - boolean want_reply - string TERM environment variable value (e.g., vt100) - uint32 terminal width, characters (e.g., 80) - uint32 terminal height, rows (e.g., 24) - uint32 terminal width, pixels (e.g., 640) - uint32 terminal height, pixels (e.g., 480) - string encoded terminal modes - - The encoding of terminal modes is described in Section Encoding of - Terminal Modes (Section 6). Zero dimension parameters MUST be - ignored. The character/row dimensions override the pixel - dimensions (when nonzero). Pixel dimensions refer to the drawable - area of the window. - - The dimension parameters are only informational. - - The client SHOULD ignore pty requests. - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 8] - -Internet-Draft SSH Connection Protocol July 2003 - - - 4.3 X11 Forwarding - - 4.3.1 Requesting X11 Forwarding - - X11 forwarding may be requested for a session by sending - - byte SSH_MSG_CHANNEL_REQUEST - uint32 recipient channel - string "x11-req" - boolean want reply - boolean single connection - string x11 authentication protocol - string x11 authentication cookie - uint32 x11 screen number - - It is recommended that the authentication cookie that is sent be a - fake, random cookie, and that the cookie is checked and replaced - by the real cookie when a connection request is received. - - X11 connection forwarding should stop when the session channel is - closed; however, already opened forwardings should not be - automatically closed when the session channel is closed. - - If `single connection' is TRUE, only a single connection should be - forwarded. No more connections will be forwarded after the first, - or after the session channel has been closed. - - The `x11 authentication protocol' is the name of the X11 - authentication method used, e.g. "MIT-MAGIC-COOKIE-1". - - The x11 authentication cookie MUST be hexadecimal encoded. - - X Protocol is documented in [SCHEIFLER]. - - 4.3.2 X11 Channels - - X11 channels are opened with a channel open request. The - resulting channels are independent of the session, and closing the - session channel does not close the forwarded X11 channels. - - byte SSH_MSG_CHANNEL_OPEN - string "x11" - uint32 sender channel - uint32 initial window size - uint32 maximum packet size - string originator address (e.g. "192.168.7.38") - uint32 originator port - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 9] - -Internet-Draft SSH Connection Protocol July 2003 - - - The recipient should respond with - SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE. - - Implementations MUST reject any X11 channel open requests if they - have not requested X11 forwarding. - - 4.4 Environment Variable Passing - - Environment variables may be passed to the shell/command to be - started later. Uncontrolled setting of environment variables in a - privileged process can be a security hazard. It is recommended - that implementations either maintain a list of allowable variable - names or only set environment variables after the server process - has dropped sufficient privileges. - - byte SSH_MSG_CHANNEL_REQUEST - uint32 recipient channel - string "env" - boolean want reply - string variable name - string variable value - - - 4.5 Starting a Shell or a Command - - Once the session has been set up, a program is started at the - remote end. The program can be a shell, an application program or - a subsystem with a host-independent name. Only one of these - requests can succeed per channel. - - byte SSH_MSG_CHANNEL_REQUEST - uint32 recipient channel - string "shell" - boolean want reply - - This message will request the user's default shell (typically - defined in /etc/passwd in UNIX systems) to be started at the other - end. - - byte SSH_MSG_CHANNEL_REQUEST - uint32 recipient channel - string "exec" - boolean want reply - string command - - This message will request the server to start the execution of the - given command. The command string may contain a path. Normal - precautions MUST be taken to prevent the execution of unauthorized - - - -Ylonen, et. al. Expires January 12, 2004 [Page 10] - -Internet-Draft SSH Connection Protocol July 2003 - - - commands. - - byte SSH_MSG_CHANNEL_REQUEST - uint32 recipient channel - string "subsystem" - boolean want reply - string subsystem name - - This last form executes a predefined subsystem. It is expected - that these will include a general file transfer mechanism, and - possibly other features. Implementations may also allow - configuring more such mechanisms. As the user's shell is usually - used to execute the subsystem, it is advisable for the subsystem - protocol to have a "magic cookie" at the beginning of the protocol - transaction to distinguish it from arbitrary output generated by - shell initialization scripts etc. This spurious output from the - shell may be filtered out either at the server or at the client. - - The server SHOULD not halt the execution of the protocol stack - when starting a shell or a program. All input and output from - these SHOULD be redirected to the channel or to the encrypted - tunnel. - - It is RECOMMENDED to request and check the reply for these - messages. The client SHOULD ignore these messages. - - Subsystem names follow the DNS extensibility naming convention - outlined in [SSH-ARCH]. - - 4.6 Session Data Transfer - - Data transfer for a session is done using SSH_MSG_CHANNEL_DATA and - SSH_MSG_CHANNEL_EXTENDED_DATA packets and the window mechanism. - The extended data type SSH_EXTENDED_DATA_STDERR has been defined - for stderr data. - - 4.7 Window Dimension Change Message - - When the window (terminal) size changes on the client side, it MAY - send a message to the other side to inform it of the new - dimensions. - - byte SSH_MSG_CHANNEL_REQUEST - uint32 recipient_channel - string "window-change" - boolean FALSE - uint32 terminal width, columns - uint32 terminal height, rows - - - -Ylonen, et. al. Expires January 12, 2004 [Page 11] - -Internet-Draft SSH Connection Protocol July 2003 - - - uint32 terminal width, pixels - uint32 terminal height, pixels - - No response SHOULD be sent to this message. - - 4.8 Local Flow Control - - On many systems, it is possible to determine if a pseudo-terminal - is using control-S/control-Q flow control. When flow control is - allowed, it is often desirable to do the flow control at the - client end to speed up responses to user requests. This is - facilitated by the following notification. Initially, the server - is responsible for flow control. (Here, again, client means the - side originating the session, and server means the other side.) - - The message below is used by the server to inform the client when - it can or cannot perform flow control (control-S/control-Q - processing). If `client can do' is TRUE, the client is allowed to - do flow control using control-S and control-Q. The client MAY - ignore this message. - - byte SSH_MSG_CHANNEL_REQUEST - uint32 recipient channel - string "xon-xoff" - boolean FALSE - boolean client can do - - No response is sent to this message. - - 4.9 Signals - - A signal can be delivered to the remote process/service using the - following message. Some systems may not implement signals, in - which case they SHOULD ignore this message. - - byte SSH_MSG_CHANNEL_REQUEST - uint32 recipient channel - string "signal" - boolean FALSE - string signal name without the "SIG" prefix. - - Signal names will be encoded as discussed in the "exit-signal" - SSH_MSG_CHANNEL_REQUEST. - - 4.10 Returning Exit Status - - When the command running at the other end terminates, the - following message can be sent to return the exit status of the - - - -Ylonen, et. al. Expires January 12, 2004 [Page 12] - -Internet-Draft SSH Connection Protocol July 2003 - - - command. Returning the status is RECOMMENDED. No acknowledgment - is sent for this message. The channel needs to be closed with - SSH_MSG_CHANNEL_CLOSE after this message. - - The client MAY ignore these messages. - - byte SSH_MSG_CHANNEL_REQUEST - uint32 recipient_channel - string "exit-status" - boolean FALSE - uint32 exit_status - - The remote command may also terminate violently due to a signal. - Such a condition can be indicated by the following message. A - zero exit_status usually means that the command terminated - successfully. - - byte SSH_MSG_CHANNEL_REQUEST - uint32 recipient channel - string "exit-signal" - boolean FALSE - string signal name without the "SIG" prefix. - boolean core dumped - string error message (ISO-10646 UTF-8) - string language tag (as defined in [RFC1766]) - - The signal name is one of the following (these are from [POSIX]) - - ABRT - ALRM - FPE - HUP - ILL - INT - KILL - PIPE - QUIT - SEGV - TERM - USR1 - USR2 - - Additional signal names MAY be sent in the format "sig-name@xyz", - where `sig-name' and `xyz' may be anything a particular - implementor wants (except the `@' sign). However, it is suggested - that if a `configure' script is used, the non-standard signal - names it finds be encoded as "SIG@xyz.config.guess", where `SIG' - is the signal name without the "SIG" prefix, and `xyz' be the host - - - -Ylonen, et. al. Expires January 12, 2004 [Page 13] - -Internet-Draft SSH Connection Protocol July 2003 - - - type, as determined by `config.guess'. - - The `error message' contains an additional explanation of the - error message. The message may consist of multiple lines. The - client software MAY display this message to the user. If this is - done, the client software should take the precautions discussed in - [SSH-ARCH]. - - 5. TCP/IP Port Forwarding - - 5.1 Requesting Port Forwarding - - A party need not explicitly request forwardings from its own end - to the other direction. However, if it wishes that connections to - a port on the other side be forwarded to the local side, it must - explicitly request this. - - - byte SSH_MSG_GLOBAL_REQUEST - string "tcpip-forward" - boolean want reply - string address to bind (e.g. "0.0.0.0") - uint32 port number to bind - - `Address to bind' and `port number to bind' specify the IP address - and port to which the socket to be listened is bound. The address - should be "0.0.0.0" if connections are allowed from anywhere. - (Note that the client can still filter connections based on - information passed in the open request.) - - Implementations should only allow forwarding privileged ports if - the user has been authenticated as a privileged user. - - Client implementations SHOULD reject these messages; they are - normally only sent by the client. - - - If a client passes 0 as port number to bind and has want reply - TRUE then the server allocates the next available unprivileged - port number and replies with the following message, otherwise - there is no response specific data. - - - byte SSH_MSG_GLOBAL_REQUEST_SUCCESS - uint32 port that was bound on the server - - A port forwarding can be cancelled with the following message. - Note that channel open requests may be received until a reply to - - - -Ylonen, et. al. Expires January 12, 2004 [Page 14] - -Internet-Draft SSH Connection Protocol July 2003 - - - this message is received. - - byte SSH_MSG_GLOBAL_REQUEST - string "cancel-tcpip-forward" - boolean want reply - string address_to_bind (e.g. "127.0.0.1") - uint32 port number to bind - - Client implementations SHOULD reject these messages; they are - normally only sent by the client. - - 5.2 TCP/IP Forwarding Channels - - When a connection comes to a port for which remote forwarding has - been requested, a channel is opened to forward the port to the - other side. - - byte SSH_MSG_CHANNEL_OPEN - string "forwarded-tcpip" - uint32 sender channel - uint32 initial window size - uint32 maximum packet size - string address that was connected - uint32 port that was connected - string originator IP address - uint32 originator port - - Implementations MUST reject these messages unless they have - previously requested a remote TCP/IP port forwarding with the - given port number. - - When a connection comes to a locally forwarded TCP/IP port, the - following packet is sent to the other side. Note that these - messages MAY be sent also for ports for which no forwarding has - been explicitly requested. The receiving side must decide whether - to allow the forwarding. - - byte SSH_MSG_CHANNEL_OPEN - string "direct-tcpip" - uint32 sender channel - uint32 initial window size - uint32 maximum packet size - string host to connect - uint32 port to connect - string originator IP address - uint32 originator port - - `Host to connect' and `port to connect' specify the TCP/IP host - - - -Ylonen, et. al. Expires January 12, 2004 [Page 15] - -Internet-Draft SSH Connection Protocol July 2003 - - - and port where the recipient should connect the channel. `Host to - connect' may be either a domain name or a numeric IP address. - - `Originator IP address' is the numeric IP address of the machine - where the connection request comes from, and `originator port' is - the port on the originator host from where the connection came - from. - - Forwarded TCP/IP channels are independent of any sessions, and - closing a session channel does not in any way imply that forwarded - connections should be closed. - - Client implementations SHOULD reject direct TCP/IP open requests - for security reasons. - - 6. Encoding of Terminal Modes - - Terminal modes (as passed in a pty request) are encoded into a - byte stream. It is intended that the coding be portable across - different environments. - - The tty mode description is a stream of bytes. The stream - consists of opcode-argument pairs. It is terminated by opcode - TTY_OP_END (0). Opcodes 1 to 159 have a single uint32 argument. - Opcodes 160 to 255 are not yet defined, and cause parsing to stop - (they should only be used after any other data). - - The client SHOULD put in the stream any modes it knows about, and - the server MAY ignore any modes it does not know about. This - allows some degree of machine-independence, at least between - systems that use a POSIX-like tty interface. The protocol can - support other systems as well, but the client may need to fill - reasonable values for a number of parameters so the server pty - gets set to a reasonable mode (the server leaves all unspecified - mode bits in their default values, and only some combinations make - sense). - - The following opcodes have been defined. The naming of opcodes - mostly follows the POSIX terminal mode flags. - - 0 TTY_OP_END Indicates end of options. - 1 VINTR Interrupt character; 255 if none. Similarly for the - other characters. Not all of these characters are - supported on all systems. - 2 VQUIT The quit character (sends SIGQUIT signal on POSIX - systems). - 3 VERASE Erase the character to left of the cursor. - 4 VKILL Kill the current input line. - - - -Ylonen, et. al. Expires January 12, 2004 [Page 16] - -Internet-Draft SSH Connection Protocol July 2003 - - - 5 VEOF End-of-file character (sends EOF from the terminal). - 6 VEOL End-of-line character in addition to carriage return - and/or linefeed. - 7 VEOL2 Additional end-of-line character. - 8 VSTART Continues paused output (normally control-Q). - 9 VSTOP Pauses output (normally control-S). - 10 VSUSP Suspends the current program. - 11 VDSUSP Another suspend character. - 12 VREPRINT Reprints the current input line. - 13 VWERASE Erases a word left of cursor. - 14 VLNEXT Enter the next character typed literally, even if it - is a special character - 15 VFLUSH Character to flush output. - 16 VSWTCH Switch to a different shell layer. - 17 VSTATUS Prints system status line (load, command, pid etc). - 18 VDISCARD Toggles the flushing of terminal output. - 30 IGNPAR The ignore parity flag. The parameter SHOULD be 0 if - this flag is FALSE set, and 1 if it is TRUE. - 31 PARMRK Mark parity and framing errors. - 32 INPCK Enable checking of parity errors. - 33 ISTRIP Strip 8th bit off characters. - 34 INLCR Map NL into CR on input. - 35 IGNCR Ignore CR on input. - 36 ICRNL Map CR to NL on input. - 37 IUCLC Translate uppercase characters to lowercase. - 38 IXON Enable output flow control. - 39 IXANY Any char will restart after stop. - 40 IXOFF Enable input flow control. - 41 IMAXBEL Ring bell on input queue full. - 50 ISIG Enable signals INTR, QUIT, [D]SUSP. - 51 ICANON Canonicalize input lines. - 52 XCASE Enable input and output of uppercase characters by - preceding their lowercase equivalents with `\'. - 53 ECHO Enable echoing. - 54 ECHOE Visually erase chars. - 55 ECHOK Kill character discards current line. - 56 ECHONL Echo NL even if ECHO is off. - 57 NOFLSH Don't flush after interrupt. - 58 TOSTOP Stop background jobs from output. - 59 IEXTEN Enable extensions. - 60 ECHOCTL Echo control characters as ^(Char). - 61 ECHOKE Visual erase for line kill. - 62 PENDIN Retype pending input. - 70 OPOST Enable output processing. - 71 OLCUC Convert lowercase to uppercase. - 72 ONLCR Map NL to CR-NL. - 73 OCRNL Translate carriage return to newline (output). - 74 ONOCR Translate newline to carriage return-newline - - - -Ylonen, et. al. Expires January 12, 2004 [Page 17] - -Internet-Draft SSH Connection Protocol July 2003 - - - (output). - 75 ONLRET Newline performs a carriage return (output). - 90 CS7 7 bit mode. - 91 CS8 8 bit mode. - 92 PARENB Parity enable. - 93 PARODD Odd parity, else even. - - 128 TTY_OP_ISPEED Specifies the input baud rate in bits per second. - 129 TTY_OP_OSPEED Specifies the output baud rate in bits per second. - - - 7. Summary of Message Numbers - - #define SSH_MSG_GLOBAL_REQUEST 80 - #define SSH_MSG_REQUEST_SUCCESS 81 - #define SSH_MSG_REQUEST_FAILURE 82 - #define SSH_MSG_CHANNEL_OPEN 90 - #define SSH_MSG_CHANNEL_OPEN_CONFIRMATION 91 - #define SSH_MSG_CHANNEL_OPEN_FAILURE 92 - #define SSH_MSG_CHANNEL_WINDOW_ADJUST 93 - #define SSH_MSG_CHANNEL_DATA 94 - #define SSH_MSG_CHANNEL_EXTENDED_DATA 95 - #define SSH_MSG_CHANNEL_EOF 96 - #define SSH_MSG_CHANNEL_CLOSE 97 - #define SSH_MSG_CHANNEL_REQUEST 98 - #define SSH_MSG_CHANNEL_SUCCESS 99 - #define SSH_MSG_CHANNEL_FAILURE 100 - - - 8. Security Considerations - - This protocol is assumed to run on top of a secure, authenticated - transport. User authentication and protection against network- - level attacks are assumed to be provided by the underlying - protocols. - - It is RECOMMENDED that implementations disable all the potentially - dangerous features (e.g. agent forwarding, X11 forwarding, and - TCP/IP forwarding) if the host key has changed. - - Full security considerations for this protocol are provided in - Section 8 of [SSH-ARCH] - - 9. Intellectual Property - - The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to - pertain to the implementation or use of the technology described - - - -Ylonen, et. al. Expires January 12, 2004 [Page 18] - -Internet-Draft SSH Connection Protocol July 2003 - - - in this document or the extent to which any license under such - rights might or might not be available; neither does it represent - that it has made any effort to identify any such rights. - Information on the IETF's procedures with respect to rights in - standards-track and standards-related documentation can be found - in BCP-11. Copies of claims of rights made available for - publication and any assurances of licenses to be made available, - or the result of an attempt made to obtain a general license or - permission for the use of such proprietary rights by implementers - or users of this specification can be obtained from the IETF - Secretariat. - - The IETF has been notified of intellectual property rights claimed - in regard to some or all of the specification contained in this - document. For more information consult the online list of claimed - rights. - - 10. Additional Information - - The current document editor is: Darren.Moffat@Sun.COM. Comments - on this internet draft should be sent to the IETF SECSH working - group, details at: http://ietf.org/html.charters/secsh- - charter.html - -References - - [RFC1766] Alvestrand, H., "Tags for the Identification of - Languages", RFC 1766, March 1995. - - [RFC1884] Hinden, R., Deering, S. and Editors, "IP Version 6 - Addressing Architecture", RFC 1884, December 1995. - - [RFC2279] Yergeau, F., "UTF-8, a transformation format of - ISO 10646", RFC 2279, January 1998. - - [SCHEIFLER] Scheifler, R., "X Window System : The Complete - Reference to Xlib, X Protocol, Icccm, Xlfd, 3rd - edition.", Digital Press ISBN 1555580882, Feburary - 1992. - - [POSIX] ISO/IEC, 9945-1., "Information technology -- - Portable Operating System Interface (POSIX)-Part - 1: System Application Program Interface (API) C - Language", ANSI/IEE Std 1003.1, July 1996. - - [SSH-ARCH] Ylonen, T., "SSH Protocol Architecture", I-D - draft-ietf-architecture-14.txt, July 2003. - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 19] - -Internet-Draft SSH Connection Protocol July 2003 - - - [SSH-TRANS] Ylonen, T., "SSH Transport Layer Protocol", I-D - draft-ietf-transport-16.txt, July 2003. - - [SSH-USERAUTH] Ylonen, T., "SSH Authentication Protocol", I-D - draft-ietf-userauth-17.txt, July 2003. - - [SSH-CONNECT] Ylonen, T., "SSH Connection Protocol", I-D draft- - ietf-connect-17.txt, July 2003. - - [SSH-NUMBERS] Lehtinen, S. and D. Moffat, "SSH Protocol Assigned - Numbers", I-D draft-ietf-secsh-assignednumbers- - 03.txt, July 2003. - - -Authors' Addresses - - Tatu Ylonen - SSH Communications Security Corp - Fredrikinkatu 42 - HELSINKI FIN-00100 - Finland - - EMail: ylo@ssh.com - - - Tero Kivinen - SSH Communications Security Corp - Fredrikinkatu 42 - HELSINKI FIN-00100 - Finland - - EMail: kivinen@ssh.com - - - Markku-Juhani O. Saarinen - University of Jyvaskyla - - - Timo J. Rinne - SSH Communications Security Corp - Fredrikinkatu 42 - HELSINKI FIN-00100 - Finland - - EMail: tri@ssh.com - - - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 20] - -Internet-Draft SSH Connection Protocol July 2003 - - - Sami Lehtinen - SSH Communications Security Corp - Fredrikinkatu 42 - HELSINKI FIN-00100 - Finland - - EMail: sjl@ssh.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 21] - -Internet-Draft SSH Connection Protocol July 2003 - - -Full Copyright Statement - - Copyright (C) The Internet Society (2003). All Rights Reserved. - - This document and translations of it may be copied and furnished - to others, and derivative works that comment on or otherwise - explain it or assist in its implementation may be prepared, - copied, published and distributed, in whole or in part, without - restriction of any kind, provided that the above copyright notice - and this paragraph are included on all such copies and derivative - works. However, this document itself may not be modified in any - way, such as by removing the copyright notice or references to the - Internet Society or other Internet organizations, except as needed - for the purpose of developing Internet standards in which case the - procedures for copyrights defined in the Internet Standards - process must be followed, or as required to translate it into - languages other than English. - - The limited permissions granted above are perpetual and will not - be revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on - an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET - ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR - IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF - THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - -Ylonen, et. al. Expires January 12, 2004 [Page 22] - |