draft-ietf-secsh-auth-kbdinteract-06.txt   draft-ietf-secsh-auth-kbdinteract-07.txt 
Network Working Group F. Cusack Network Working Group F. Cusack
INTERNET-DRAFT Google, Inc. INTERNET-DRAFT Google, Inc.
Expires November 1, 2004 M. Forssen Expires September 21, 2005 M. Forssen
Appgate AB Appgate AB
May 1, 2004 March 21, 2005
Generic Message Exchange Authentication For SSH Generic Message Exchange Authentication For SSH
<draft-ietf-secsh-auth-kbdinteract-06.txt> <draft-ietf-secsh-auth-kbdinteract-07.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions This document is an Internet-Draft and is subject to all provisions
of Section 10 of RFC2026. of Section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
<http://www.ietf.org/ietf/1id-abstracts.txt>. <http://www.ietf.org/1id-abstracts.html>.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>. <http://www.ietf.org/shadow.html>.
This Internet-Draft will expire on November 1, 2004. This Internet-Draft will expire on September 21, 2005.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract Abstract
SSH is a protocol for secure remote login and other secure network SSH is a protocol for secure remote login and other secure network
services over an insecure network. This document describes a general services over an insecure network. This document describes a general
purpose authentication method for the SSH protocol, suitable for purpose authentication method for the SSH protocol, suitable for
interactive authentications where the authentication data should be interactive authentications where the authentication data should be
entered via a keyboard. The major goal of this method is to allow entered via a keyboard (or equivalent alphanumeric input device).
the SSH client to support a whole class of authentication The major goal of this method is to allow the SSH client to support a
mechanism(s) without knowing the specifics of the actual whole class of authentication mechanism(s) without knowing the
authentication mechanism(s). specifics of the actual authentication mechanism(s).
1. Introduction 1. Introduction
The SSH authentication protocol [SSH-USERAUTH] is a general-purpose The SSH authentication protocol [SSH-USERAUTH] is a general-purpose
user authentication protocol. It is intended to be run over the SSH user authentication protocol. It is intended to be run over the SSH
transport layer protocol [SSH-TRANS]. The authentication protocol transport layer protocol [SSH-TRANS]. The authentication protocol
assumes that the underlying protocols provide integrity and assumes that the underlying protocols provide integrity and
confidentiality protection. confidentiality protection.
This document describes a general purpose authentication method for This document describes a general purpose authentication method for
skipping to change at page 7, line 21 skipping to change at page 7, line 21
string response[1] (ISO-10646 UTF-8) string response[1] (ISO-10646 UTF-8)
... ...
string response[num-responses] (ISO-10646 UTF-8) string response[num-responses] (ISO-10646 UTF-8)
Note that the responses are encoded in ISO-10646 UTF-8. It is up to Note that the responses are encoded in ISO-10646 UTF-8. It is up to
the server how it interprets the responses and validates them. the server how it interprets the responses and validates them.
However, if the client reads the responses in some other encoding However, if the client reads the responses in some other encoding
(e.g., ISO 8859-1), it MUST convert the responses to ISO-10646 UTF-8 (e.g., ISO 8859-1), it MUST convert the responses to ISO-10646 UTF-8
before transmitting. before transmitting.
From an internationalization standpoint, it is desired that if a user
enters responses the authentication process will work regardless of
what OS and client software they are using. Doing so requires
normalization. Systems supporting non-ASCII passwords SHOULD always
normalize passwords and usernames whenever they are added to the
database, or compared (with or without hashing) to existing entries
in the database. SSH implementations that both store the passwords
and compare them SHOULD use [SASLPREP] for normalization.
If the num-responses field does not match the num-prompts field in If the num-responses field does not match the num-prompts field in
the request message, the server MUST send a failure message. the request message, the server MUST send a failure message.
In the case that the server sends a `0' num-prompts field in the In the case that the server sends a `0' num-prompts field in the
request message, the client MUST send a response message with a `0' request message, the client MUST send a response message with a `0'
num-responses field. num-responses field to complete the exchange.
The responses MUST be ordered as the prompts were ordered. That is, The responses MUST be ordered as the prompts were ordered. That is,
response[n] MUST be the answer to prompt[n]. response[n] MUST be the answer to prompt[n].
After receiving the response, the server MUST send either a After receiving the response, the server MUST send either a
SSH_MSG_USERAUTH_SUCCESS, SSH_MSG_USERAUTH_FAILURE, or another SSH_MSG_USERAUTH_SUCCESS, SSH_MSG_USERAUTH_FAILURE, or another
SSH_MSG_USERAUTH_INFO_REQUEST message. SSH_MSG_USERAUTH_INFO_REQUEST message.
If the server fails to authenticate the user (through the underlying If the server fails to authenticate the user (through the underlying
authentication mechanism(s)), it SHOULD NOT send another request authentication mechanism(s)), it SHOULD NOT send another request
skipping to change at page 10, line 29 skipping to change at page 10, line 44
[RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Level", BCP 14, RFC 2119, March 1997. Requirement Level", BCP 14, RFC 2119, March 1997.
[RFC-3629] Yergeau, F., "UTF-8, a transformation format of [RFC-3629] Yergeau, F., "UTF-8, a transformation format of
Unicode and ISO 10646", RFC 3629, November 2003. Unicode and ISO 10646", RFC 3629, November 2003.
[RFC-3066] Alvestrand, H., "Tags for the Identification of [RFC-3066] Alvestrand, H., "Tags for the Identification of
Languages", BCP 47, RFC 3066, January 2001. Languages", BCP 47, RFC 3066, January 2001.
[SSH-ARCH] Ylonen, T., Kivinen, T, Saarinen, M., Rinne, T., and [SSH-ARCH] Lonvick, C., "SSH Protocol Architecture", work in
Lehtinen, S., "SSH Protocol Architecture", work in progress, draft-ietf-secsh-architecture-22.txt, March
progress, draft-ietf-secsh-architecture-15.txt, 2005.
October, 2003.
[SSH-CONNECT] Ylonen, T., Kivinen, T, Saarinen, M., Rinne, T., and [SSH-CONNECT] Lonvick, C., "SSH Connection Protocol", work in
Lehtinen, S., "SSH Connection Protocol", work in progress, draft-ietf-secsh-connect-25.txt, March
progress, draft-ietf-secsh-connect-18.txt, October, 2005.
2003.
[SSH-TRANS] Ylonen, T., Kivinen, T, Saarinen, M., Rinne, T., and [SSH-TRANS] Lonvick, C., "SSH Transport Layer Protocol", work in
Lehtinen, S., "SSH Transport Layer Protocol", work in progress, draft-ietf-secsh-transport-24.txt, March
progress, draft-ietf-secsh-transport-17.txt, October, 2005.
2003.
[SSH-USERAUTH] Ylonen, T., Kivinen, T, Saarinen, M., Rinne, T., and [SSH-USERAUTH] Lonvick, C., "SSH Authentication Protocol", work in
Lehtinen, S., "SSH Authentication Protocol", work in progress, draft-ietf-secsh-userauth-27.txt, March
progress, draft-ietf-secsh-userauth-18.txt, 2005.
September, 2002.
[SASLPREP] Zeilenga, K., "SASLprep: Stringprep profile for user
names and passwords", work in progress,
draft-ietf-sasl-saslprep-10, July 2004.
7.2 Informative References 7.2 Informative References
[PAM] Samar, V., Schemers, R., "Unified Login With [PAM] Samar, V., Schemers, R., "Unified Login With
Pluggable Authentication Modules (PAM)", OSF RFC Pluggable Authentication Modules (PAM)", OSF RFC
86.0, October 1995 86.0, October 1995
8. Authors' Addresses 8. Authors' Addresses
Frank Cusack Frank Cusack
Google, Inc. Google, Inc.
2400 Bayshore Parkway 1600 Amphitheatre Parkway
Mountain View, CA 94043 Mountain View, CA 94043
Email: frank@google.com Email: frank@google.com
Martin Forssen Martin Forssen
Appgate AB Appgate AB
Stora Badhusgatan 18-20 Stora Badhusgatan 18-20
SE-411 21 Gothenburg SE-411 21 Gothenburg
SWEDEN SWEDEN
Email: maf@appgate.com Email: maf@appgate.com
9. Intellectual Property and Copyright Statements 9. Intellectual Property and Copyright Statements
9.1. Intellectual Property Statement 9.1 IPR Disclosure Acknowlegement
By submitting this Internet-Draft, I certify that any applicable patent
or other IPR claims of which I am aware have been disclosed, and any of
which I become aware will be disclosed, in accordance with RFC 3668.
9.2 Full Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject to
the rights, licenses and restrictions contained in BCP 78 and except as
set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS
IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS
SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL
NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed
pertain to the implementation or use of the technology described in to pertain to the implementation or use of the technology described
this document or the extent to which any license under such rights in this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it might or might not be available; nor does it represent that it has made
has made any effort to identify any such rights. Information on the any independent effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and procedures with respect to rights in RFC documents can be found in BCP
standards-related documentation can be found in BCP-11. Copies of 78 and BCP 79.
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to Copies of IPR disclosures made to the IETF Secretariat and any assurances
obtain a general license or permission for the use of such of licenses to be made available, or the result of an attempt made to
proprietary rights by implementors or users of this specification can obtain a general license or permission for the use of such proprietary
be obtained from the IETF Secretariat. rights by implementers or users of this specification can be obtained
from the IETF on-line IPR repository at <http://www.ietf.org/ipr>.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary rights
rights which may cover technology that may be required to practice that may cover technology that may be required to implement this standard.
this standard. Please address the information to the IETF Executive Please address the information to the IETF at <ietf-ipr@ietf.org>.
Director.
The IETF has been notified of intellectual property rights claimed in The IETF has been notified of intellectual property rights claimed in
regard to some or all of the specification contained in this regard to some or all of the specification contained in this
document. For more information consult the online list of claimed document. For more information consult the online list of claimed
rights. rights.
9.2 Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement Acknowledgement
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/