draft-ietf-secsh-filexfer-00.txt   draft-ietf-secsh-filexfer-01.txt 
Network Working Group T. Ylonen and S. Lehtinen Network Working Group T. Ylonen and S. Lehtinen
INTERNET-DRAFT SSH Communications Security INTERNET-DRAFT SSH Communications Security
Expires: 9 July, 2001 Expires: 2 September, 2001
SSH File Transfer Protocol Secure Shell File Transfer Protocol
Status of This Memo Status of This Memo
This document is an Internet-Draft and is in full conformance This document is an Internet-Draft and is in full conformance
with all provisions of Section 10 of RFC2026. with all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 1, line 33 skipping to change at page 1, line 33
"work in progress." "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
Abstract Abstract
The SSH File Transfer Protocol provides secure file transfer functional- The Secure Shell File Transfer Protocol provides secure file transfer
ity over any reliable data stream. It is the standard file transfer functionality over any reliable data stream. It is the standard file
protocol for use with the SSH2 protocol. This document describes the transfer protocol for use with the Secure Shell Remote Login Protocol.
file transfer protocol and its interface to the SSH2 protocol suite. This document describes the file transfer protocol and its interface to
the Secure Shell protocol suite.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Use with the SSH Connection Protocol . . . . . . . . . . . . . . 3 2. Use with the Secure Shell Connection Protocol . . . . . . . . . 3
3. General Packet Format . . . . . . . . . . . . . . . . . . . . . 3 3. General Packet Format . . . . . . . . . . . . . . . . . . . . . 3
4. Protocol Initialization . . . . . . . . . . . . . . . . . . . . 4 4. Protocol Initialization . . . . . . . . . . . . . . . . . . . . 4
5. File Attributes . . . . . . . . . . . . . . . . . . . . . . . . 5 5. File Attributes . . . . . . . . . . . . . . . . . . . . . . . . 5
6. Requests From the Client to the Server . . . . . . . . . . . . . 6 6. Responses from the Server to the Client . . . . . . . . . . . . 6
6.1. Request Synchronization and Reordering . . . . . . . . . . . 7 7. Requests From the Client to the Server . . . . . . . . . . . . . 9
6.2. File Names . . . . . . . . . . . . . . . . . . . . . . . . . 7 7.1. Request Synchronization and Reordering . . . . . . . . . . . 10
6.3. Opening, Creating, and Closing Files . . . . . . . . . . . . 8 7.2. File Names . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.4. Reading and Writing . . . . . . . . . . . . . . . . . . . . 9 7.3. Opening, Creating, and Closing Files . . . . . . . . . . . . 11
6.5. Removing and Renaming Files . . . . . . . . . . . . . . . . 10 7.4. Reading and Writing . . . . . . . . . . . . . . . . . . . . 12
6.6. Creating and Deleting Directories . . . . . . . . . . . . . 10 7.5. Removing and Renaming Files . . . . . . . . . . . . . . . . 13
6.7. Scanning Directories . . . . . . . . . . . . . . . . . . . . 11 7.6. Creating and Deleting Directories . . . . . . . . . . . . . 14
6.8. Retrieving File Attributes . . . . . . . . . . . . . . . . . 12 7.7. Scanning Directories . . . . . . . . . . . . . . . . . . . . 14
6.9. Setting File Attributes . . . . . . . . . . . . . . . . . . 12 7.8. Retrieving File Attributes . . . . . . . . . . . . . . . . . 15
6.10. Canonicalizing the Server-Side Path Name . . . . . . . . . 13 7.9. Setting File Attributes . . . . . . . . . . . . . . . . . . 16
7. Responses from the Server to the Client . . . . . . . . . . . . 13 7.10. Dealing with Symbolic links . . . . . . . . . . . . . . . . 16
8. Vendor-Specific Extensions . . . . . . . . . . . . . . . . . . . 16 7.11. Canonicalizing the Server-Side Path Name . . . . . . . . . 17
9. Security Considerations . . . . . . . . . . . . . . . . . . . . 17 8. Vendor-Specific Extensions . . . . . . . . . . . . . . . . . . . 17
10. Trademark Issues . . . . . . . . . . . . . . . . . . . . . . . 17 9. Security Considerations . . . . . . . . . . . . . . . . . . . . 18
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 10. Changes from previous protocol versions . . . . . . . . . . . . 18
12. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 18 10.1. Changes between versions 3 and 2 . . . . . . . . . . . . . 18
10.2. Changes between versions 2 and 1 . . . . . . . . . . . . . 18
10.3. Changes between versions 1 and 0 . . . . . . . . . . . . . 18
11. Trademark Issues . . . . . . . . . . . . . . . . . . . . . . . 18
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
13. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
This protocol provides secure file transfer (and more generally file This protocol provides secure file transfer (and more generally file
system access) functionality over a reliable data stream, such as a system access) functionality over a reliable data stream, such as a
channel in the SSH2 protocol [SSH-ARCH]. channel in the Secure Shell Remote Login Protocol [SECSH-ARCH].
This protocol is designed so that it could be used to implement a secure This protocol is designed so that it could be used to implement a secure
remote file system service, as well as a secure file transfer service. remote file system service, as well as a secure file transfer service.
This protocol assumes that it runs over a secure channel, and that the This protocol assumes that it runs over a secure channel, and that the
server has already authenticated the user at the client end, and that server has already authenticated the user at the client end, and that
the identity of the client user is externally available to the server the identity of the client user is externally available to the server
implementation. implementation.
In general, this protocol follows a simple request-response model. Each In general, this protocol follows a simple request-response model. Each
request and response contains a sequence number and multiple requests request and response contains a sequence number and multiple requests
may be pending simultaneously. There are a relatively large number of may be pending simultaneously. There are a relatively large number of
different request messages, but a small number of possible response different request messages, but a small number of possible response
messages. Each request has one or more response messages that may be messages. Each request has one or more response messages that may be
returned in result (e.g., a read either returns data or reports error returned in result (e.g., a read either returns data or reports error
status). status).
The packet format descriptions in this specification follow the notation The packet format descriptions in this specification follow the notation
presented in [SSH-ARCH]. presented in [SECSH-ARCH].
Even though this protocol is described in the context of the SSH2
protocol, this protocol is general and independent of the rest of the Even though this protocol is described in the context of the Secure
SSH2 protocol suite. It could be used in a number of different Shell Remote Login Protocol, this protocol is general and independent of
applications, such as secure file transfer over TLS [RFC-2246] and the rest of the Secure Shell protocol suite. It could be used in a
transfer of management information in VPN applications. number of different applications, such as secure file transfer over TLS
[RFC-2246] and transfer of management information in VPN applications.
2. Use with the SSH Connection Protocol 2. Use with the Secure Shell Connection Protocol
When used with the SSH2 Protocol suite, this protocol is intended to be When used with the Secure Shell protocol suite, this protocol is
used from the SSH Connection Protocol as a subsystem, as described in intended to be used from the Secure Shell Connection Protocol as a
[SSH-CONN], Section ``Starting a Shell or a Command''. The subsystem subsystem, as described in [SECSH-CONN], Section ``Starting a Shell or a
name used with this protocol is "sftp". Command''. The subsystem name used with this protocol is "sftp".
3. General Packet Format 3. General Packet Format
All packets transmitted over the secure connection are of the following All packets transmitted over the secure connection are of the following
format: format:
uint32 length uint32 length
byte type byte type
byte[length - 1] data payload byte[length - 1] data payload
skipping to change at page 4, line 18 skipping to change at page 4, line 23
#define SSH_FXP_SETSTAT 9 #define SSH_FXP_SETSTAT 9
#define SSH_FXP_FSETSTAT 10 #define SSH_FXP_FSETSTAT 10
#define SSH_FXP_OPENDIR 11 #define SSH_FXP_OPENDIR 11
#define SSH_FXP_READDIR 12 #define SSH_FXP_READDIR 12
#define SSH_FXP_REMOVE 13 #define SSH_FXP_REMOVE 13
#define SSH_FXP_MKDIR 14 #define SSH_FXP_MKDIR 14
#define SSH_FXP_RMDIR 15 #define SSH_FXP_RMDIR 15
#define SSH_FXP_REALPATH 16 #define SSH_FXP_REALPATH 16
#define SSH_FXP_STAT 17 #define SSH_FXP_STAT 17
#define SSH_FXP_RENAME 18 #define SSH_FXP_RENAME 18
#define SSH_FXP_READLINK 19
#define SSH_FXP_SYMLINK 20
#define SSH_FXP_STATUS 101 #define SSH_FXP_STATUS 101
#define SSH_FXP_HANDLE 102 #define SSH_FXP_HANDLE 102
#define SSH_FXP_DATA 103 #define SSH_FXP_DATA 103
#define SSH_FXP_NAME 104 #define SSH_FXP_NAME 104
#define SSH_FXP_ATTRS 105 #define SSH_FXP_ATTRS 105
#define SSH_FXP_EXTENDED 200 #define SSH_FXP_EXTENDED 200
#define SSH_FXP_EXTENDED_REPLY 201 #define SSH_FXP_EXTENDED_REPLY 201
Additional packet types should only be defined if the protocol version Additional packet types should only be defined if the protocol version
number (see Section ``Protocol Initialization'') is incremented, and number (see Section ``Protocol Initialization'') is incremented, and
skipping to change at page 5, line 53 skipping to change at page 6, line 4
uint32 extended_count present only if flag uint32 extended_count present only if flag
SSH_FILEXFER_ATTR_EXTENDED SSH_FILEXFER_ATTR_EXTENDED
string extended_type string extended_type
string extended_data string extended_data
... more extended data (extended_type - extended_data pairs), ... more extended data (extended_type - extended_data pairs),
so that number of pairs equals extended_count so that number of pairs equals extended_count
The `flags' specify which of the fields are present. Those fields for The `flags' specify which of the fields are present. Those fields for
which the corresponding flag is not set are not present (not included in which the corresponding flag is not set are not present (not included in
the packet). New flags can only be added by incrementing the protocol the packet). New flags can only be added by incrementing the protocol
version number (or by using the extension mechanism described below). version number (or by using the extension mechanism described below).
The `size' field specifies the size of the file in bytes. The `size' field specifies the size of the file in bytes.
The `uid' and `gid' fields contain numeric Unix-like user and group The `uid' and `gid' fields contain numeric Unix-like user and group
identifiers, respectively. identifiers, respectively.
The `permissions' field contains a bit mask of file permissions as The `permissions' field contains a bit mask of file permissions as
defined by [POSIX]. defined by [POSIX].
The `atime' and `mtime' contain the access and modification times of the The `atime' and `mtime' contain the access and modification times of the
files, respectively. They are represented as seconds from Jan 1, 1970. files, respectively. They are represented as seconds from Jan 1, 1970
in UTC.
The SSH_FILEXFER_ATTR_EXTENDED flag provides a general extension The SSH_FILEXFER_ATTR_EXTENDED flag provides a general extension
mechanism for vendor-specific extensions. If the flag is specified, mechanism for vendor-specific extensions. If the flag is specified,
then the `extended_count' field is present. It specifies the number of then the `extended_count' field is present. It specifies the number of
extended_type-extended_data pairs that follow. Each of these pairs extended_type-extended_data pairs that follow. Each of these pairs
specifies an extended attribute. For each of the attributes, the specifies an extended attribute. For each of the attributes, the
extended_type field should be a string of the format "name@domain", extended_type field should be a string of the format "name@domain",
where "domain" is a valid, registered domain name and "name" identifies where "domain" is a valid, registered domain name and "name" identifies
the method. The IETF may later standardize certain names that deviate the method. The IETF may later standardize certain names that deviate
from this format (e.g., that do not contain the "@" sign). The from this format (e.g., that do not contain the "@" sign). The
skipping to change at page 6, line 42 skipping to change at page 6, line 48
if a packet with unsupported protocol bits is received. if a packet with unsupported protocol bits is received.
The flags bits are defined to have the following values: The flags bits are defined to have the following values:
#define SSH_FILEXFER_ATTR_SIZE 0x00000001 #define SSH_FILEXFER_ATTR_SIZE 0x00000001
#define SSH_FILEXFER_ATTR_UIDGID 0x00000002 #define SSH_FILEXFER_ATTR_UIDGID 0x00000002
#define SSH_FILEXFER_ATTR_PERMISSIONS 0x00000004 #define SSH_FILEXFER_ATTR_PERMISSIONS 0x00000004
#define SSH_FILEXFER_ATTR_ACMODTIME 0x00000008 #define SSH_FILEXFER_ATTR_ACMODTIME 0x00000008
#define SSH_FILEXFER_ATTR_EXTENDED 0x80000000 #define SSH_FILEXFER_ATTR_EXTENDED 0x80000000
6. Requests From the Client to the Server 6. Responses from the Server to the Client
The server responds to the client using one of a few response packets.
All requests can return a SSH_FXP_STATUS response upon failure. When
the operation is successful, any of the responses may be returned
(depending on the operation). If no data needs to be returned to the
client, the SSH_FXP_STATUS response with SSH_FX_OK status is
appropriate. Otherwise, the SSH_FXP_HANDLE message is used to return a
file handle (for SSH_FXP_OPEN and SSH_FXP_OPENDIR requests),
SSH_FXP_DATA is used to return data from SSH_FXP_READ, SSH_FXP_NAME is
used to return one or more file names from a SSH_FXP_READDIR or
SSH_FXP_REALPATH request, and SSH_FXP_ATTRS is used to return file
attributes from SSH_FXP_STAT, SSH_FXP_LSTAT, and SSH_FXP_FSTAT requests.
Exactly one response will be returned for each request. Each response
packet contains a request identifier which can be used to match each
response with the corresponding request. Note that it is legal to have
several requests outstanding simultaneously, and the server is allowed
to send responses to them in a different order from the order in which
the requests were sent (the result of their execution, however, is
guaranteed to be as if they had been processed one at a time in the
order in which the requests were sent).
Response packets are of the same general format as request packets.
Each response packet begins with the request identifier.
The format of the data portion of the SSH_FXP_STATUS response is as
follows:
uint32 id
uint32 error/status code
string error message (ISO-10646 UTF-8 [RFC-2279])
string language tag (as defined in [RFC-1766])
where `id' is the request identifier, and `error/status code' indicates
the result of the requested operation. The value SSH_FX_OK indicates
success, and all other values indicate failure. Currently, the follow-
ing values are defined (other values may be defined by future versions
of this protocol):
#define SSH_FX_OK 0
#define SSH_FX_EOF 1
#define SSH_FX_NO_SUCH_FILE 2
#define SSH_FX_PERMISSION_DENIED 3
#define SSH_FX_FAILURE 4
#define SSH_FX_BAD_MESSAGE 5
#define SSH_FX_NO_CONNECTION 6
#define SSH_FX_CONNECTION_LOST 7
#define SSH_FX_OP_UNSUPPORTED 8
SSH_FX_OK
Indicates successful completion of the operation.
SSH_FX_EOF
indicates end-of-file condition; for SSH_FX_READ it means that no
more data is available in the file, and for SSH_FX_READDIR it
indicates that no more files are contained in the directory.
SSH_FX_NO_SUCH_FILE
is returned when a reference is made to a file which should exist
but doesn't.
SSH_FX_PERMISSION_DENIED
is returned when the authenticated user does not have sufficient
permissions to perform the operation.
SSH_FX_FAILURE
is a generic catch-all error message; it should be returned if an
error occurs for which there is no more specific error code
defined.
SSH_FX_BAD_MESSAGE
may be returned if a badly formatted packet or protocol
incompatibility is detected.
SSH_FX_NO_CONNECTION
is a pseudo-error which indicates that the client has no
connection to the server (it can only be generated locally by the
client, and MUST NOT be returned by servers).
SSH_FX_CONNECTION_LOST
is a pseudo-error which indicates that the connection to the
server has been lost (it can only be generated locally by the
client, and MUST NOT be returned by servers).
SSH_FX_OP_UNSUPPORTED
indicates that an attempt was made to perform an operation which
is not supported for the server (it may be generated locally by
the client if e.g. the version number exchange indicates that a
required feature is not supported by the server, or it may be
returned by the server if the server does not implement an
operation).
The SSH_FXP_HANDLE response has the following format:
uint32 id
string handle
where `id' is the request identifier, and `handle' is an arbitrary
string that identifies an open file or directory on the server. The
handle is opaque to the client; the client MUST NOT attempt to interpret
or modify it in any way. The length of the handle string MUST NOT
exceed 256 data bytes.
The SSH_FXP_DATA response has the following format:
uint32 id
string data
where `id' is the request identifier, and `data' is an arbitrary byte
string containing the requested data. The data string may be at most
the number of bytes requested in a SSH_FXP_READ request, but may also be
shorter if end of file is reached or if the read is from something other
than a regular file.
The SSH_FXP_NAME response has the following format:
uint32 id
uint32 count
repeats count times:
string filename
string longname
ATTRS attrs
where `id' is the request identifier, `count' is the number of names
returned in this response, and the remaining fields repeat `count' times
(so that all three fields are first included for the first file, then
for the second file, etc). In the repeated part, `filename' is a file
name being returned (for SSH_FXP_READDIR, it will be a relative name
within the directory, without any path components; for SSH_FXP_REALPATH
it will be an absolute path name), `longname' is an expanded format for
the file name, similar to what is returned by "ls -l" on Unix systems,
and `attrs' is the attributes of the file as described in Section ``File
Attributes''.
The format of the `longname' field is unspecified by this protocol. It
MUST be suitable for use in the output of a directory listing command
(in fact, the recommended operation for a directory listing command is
to simply display this data). However, clients SHOULD NOT attempt to
parse the longname field for file attributes; they SHOULD use the attrs
field instead.
The recommended format for the longname field is as follows:
-rwxr-xr-x 1 mjos staff 348911 Mar 25 14:29 t-filexfer
1234567890 123 12345678 12345678 12345678 123456789012
Here, the first line is sample output, and the second field indicates
widths of the various fields. Fields are separated by spaces. The
first field lists file permissions for user, group, and others; the sec-
ond field is link count; the third field is the name of the user who
owns the file; the fourth field is the name of the group that owns the
file; the fifth field is the size of the file in bytes; the sixth field
(which actually may contain spaces, but is fixed to 12 characters) is
the file modification time, and the seventh field is the file name.
Each field is specified to be a minimum of certain number of character
positions (indicated by the second line above), but may also be longer
if the data does not fit in the specified length.
The SSH_FXP_ATTRS response has the following format:
uint32 id
ATTRS attrs
where `id' is the request identifier, and `attrs' is the returned file
attributes as described in Section ``File Attributes''.
7. Requests From the Client to the Server
Requests from the client to the server represent the various file system Requests from the client to the server represent the various file system
operations. Each request begins with an `id' field, which is a 32-bit operations. Each request begins with an `id' field, which is a 32-bit
identifier identifying the request (selected by the client). The same identifier identifying the request (selected by the client). The same
identifier will be returned in the response to the request. One identifier will be returned in the response to the request. One
possible implementation of it is a monotonically increasing request possible implementation of it is a monotonically increasing request
sequence number (modulo 2^32). sequence number (modulo 2^32).
Many operations in the protocol operate on open files. The SSH_FXP_OPEN Many operations in the protocol operate on open files. The SSH_FXP_OPEN
request can return a file handle (which is an opaque variable-length request can return a file handle (which is an opaque variable-length
string) which may be used to access the file later (e.g. in a read string) which may be used to access the file later (e.g. in a read
operation). The client MUST NOT send requests the server with bogus or operation). The client MUST NOT send requests the server with bogus or
skipping to change at page 7, line 13 skipping to change at page 10, line 26
handle in order to avoid security risks due to fabricated handles. handle in order to avoid security risks due to fabricated handles.
This design allows either stateful and stateless server implementation, This design allows either stateful and stateless server implementation,
as well as an implementation which caches state between requests but may as well as an implementation which caches state between requests but may
also flush it. The contents of the file handle string are entirely up also flush it. The contents of the file handle string are entirely up
to the server and its design. The client should not modify or attempt to the server and its design. The client should not modify or attempt
to interpret the file handle strings. to interpret the file handle strings.
The file handle strings MUST NOT be longer than 256 bytes. The file handle strings MUST NOT be longer than 256 bytes.
6.1. Request Synchronization and Reordering 7.1. Request Synchronization and Reordering
The protocol and implementations MUST process requests relating to the The protocol and implementations MUST process requests relating to the
same file in the order in which they are received. In other words, if same file in the order in which they are received. In other words, if
an application submits multiple requests to the server, the results in an application submits multiple requests to the server, the results in
the responses will be the same as if it had sent the requests one at a the responses will be the same as if it had sent the requests one at a
time and waited for the response in each case. For example, the server time and waited for the response in each case. For example, the server
may process non-overlapping read/write requests to the same file in may process non-overlapping read/write requests to the same file in
parallel, but overlapping reads and writes cannot be reordered or parallel, but overlapping reads and writes cannot be reordered or
parallelized. However, there are no ordering restrictions on the server parallelized. However, there are no ordering restrictions on the server
for processing requests from two different file transfer connections. for processing requests from two different file transfer connections.
The server may interleave and parallelize them at will. The server may interleave and parallelize them at will.
There are no restrictions on the order in which responses to outstanding There are no restrictions on the order in which responses to outstanding
requests are delivered to the client, except that the server must ensure requests are delivered to the client, except that the server must ensure
fairness in the sense that processing of no request will be indefinitely fairness in the sense that processing of no request will be indefinitely
delayed even if the client is sending other requests so that there are delayed even if the client is sending other requests so that there are
multiple outstanding requests all the time. multiple outstanding requests all the time.
6.2. File Names 7.2. File Names
This protocol represents file names as strings. File names are assumed This protocol represents file names as strings. File names are assumed
to use the slash ('/') character as a directory separator. to use the slash ('/') character as a directory separator.
File names starting with a slash are "absolute", and are relative to the File names starting with a slash are "absolute", and are relative to the
root of the file system. Names starting with any other character are root of the file system. Names starting with any other character are
relative to the user's default directory (home directory). Note that relative to the user's default directory (home directory). Note that
identifying the user is assumed to take place outside of this protocol. identifying the user is assumed to take place outside of this protocol.
Servers SHOULD interpret a path name component ".." as referring to the Servers SHOULD interpret a path name component ".." as referring to the
skipping to change at page 8, line 4 skipping to change at page 11, line 18
An empty path name is valid, and it refers to the user's default An empty path name is valid, and it refers to the user's default
directory (usually the user's home directory). directory (usually the user's home directory).
Otherwise, no syntax is defined for file names by this specification. Otherwise, no syntax is defined for file names by this specification.
Clients should not make any other assumptions; however, they can splice Clients should not make any other assumptions; however, they can splice
path name components returned by SSH_FXP_READDIR together using a slash path name components returned by SSH_FXP_READDIR together using a slash
('/') as the separator, and that will work as expected. ('/') as the separator, and that will work as expected.
It is understood that the lack of well-defined semantics for file names It is understood that the lack of well-defined semantics for file names
may cause interoperability problems between clients and servers using may cause interoperability problems between clients and servers using
radically different operating systems. However, this approach is known radically different operating systems. However, this approach is known
to work acceptably with most systems, and alternative approaches that to work acceptably with most systems, and alternative approaches that
e.g. treat file names as sequences of structured components are quite e.g. treat file names as sequences of structured components are quite
complicated. complicated.
6.3. Opening, Creating, and Closing Files 7.3. Opening, Creating, and Closing Files
Files are opened and created using the SSH_FXP_OPEN message, whose data Files are opened and created using the SSH_FXP_OPEN message, whose data
part is as follows: part is as follows:
uint32 id uint32 id
string filename string filename
uint32 pflags uint32 pflags
ATTRS attrs ATTRS attrs
The `id' field is the request identifier as for all requests. The `id' field is the request identifier as for all requests.
skipping to change at page 9, line 27 skipping to change at page 12, line 40
A file is closed by using the SSH_FXP_CLOSE request. Its data field has A file is closed by using the SSH_FXP_CLOSE request. Its data field has
the following format: the following format:
uint32 id uint32 id
string handle string handle
where `id' is the request identifier, and `handle' is a handle previ- where `id' is the request identifier, and `handle' is a handle previ-
ously returned in the response to SSH_FXP_OPEN or SSH_FXP_OPENDIR. The ously returned in the response to SSH_FXP_OPEN or SSH_FXP_OPENDIR. The
handle becomes invalid immediately after this request has been sent. handle becomes invalid immediately after this request has been sent.
The response to this request will be a SSH_FXP_STATUS message. One The response to this request will be a SSH_FXP_STATUS message. One
should note that on some server platforms even a close can fail. This should note that on some server platforms even a close can fail. This
can happen e.g. if the server operating system caches writes, and an can happen e.g. if the server operating system caches writes, and an
error occurs while flushing cached writes during the close. error occurs while flushing cached writes during the close.
6.4. Reading and Writing 7.4. Reading and Writing
Once a file has been opened, it can be read using the SSH_FXP_READ Once a file has been opened, it can be read using the SSH_FXP_READ
message, which has the following format: message, which has the following format:
uint32 id uint32 id
string handle string handle
uint64 offset uint64 offset
uint32 len uint32 len
where `id' is the request identifier, `handle' is an open file handle where `id' is the request identifier, `handle' is an open file handle
skipping to change at page 10, line 22 skipping to change at page 13, line 37
the file where to start writing, and `data' is the data to be written. the file where to start writing, and `data' is the data to be written.
The write will extend the file if writing beyond the end of the file. The write will extend the file if writing beyond the end of the file.
It is legal to write way beyond the end of the file; the semantics are It is legal to write way beyond the end of the file; the semantics are
to write zeroes from the end of the file to the specified offset and to write zeroes from the end of the file to the specified offset and
then the data. On most operating systems, such writes do not allocate then the data. On most operating systems, such writes do not allocate
disk space but instead leave "holes" in the file. disk space but instead leave "holes" in the file.
The server responds to a write request with a SSH_FXP_STATUS message. The server responds to a write request with a SSH_FXP_STATUS message.
6.5. Removing and Renaming Files 7.5. Removing and Renaming Files
Files can be removed using the SSH_FXP_REMOVE message. It has the Files can be removed using the SSH_FXP_REMOVE message. It has the
following format: following format:
uint32 id uint32 id
string filename string filename
where `id' is the request identifier and `filename' is the name of the where `id' is the request identifier and `filename' is the name of the
file to be removed. See Section ``File Names'' for more information. file to be removed. See Section ``File Names'' for more information.
This request cannot be used to remove directories. This request cannot be used to remove directories.
skipping to change at page 10, line 52 skipping to change at page 14, line 14
where `id' is the request identifier, `oldpath' is the name of an exist- where `id' is the request identifier, `oldpath' is the name of an exist-
ing file or directory, and `newpath' is the new name for the file or ing file or directory, and `newpath' is the new name for the file or
directory. It is an error if there already exists a file with the name directory. It is an error if there already exists a file with the name
specified by newpath. The server may also fail rename requests in other specified by newpath. The server may also fail rename requests in other
situations, for example if `oldpath' and `newpath' point to different situations, for example if `oldpath' and `newpath' point to different
file systems on the server. file systems on the server.
The server will respond to this request with a SSH_FXP_STATUS message. The server will respond to this request with a SSH_FXP_STATUS message.
6.6. Creating and Deleting Directories 7.6. Creating and Deleting Directories
New directories can be created using the SSH_FXP_MKDIR request. It has New directories can be created using the SSH_FXP_MKDIR request. It has
the following format: the following format:
uint32 id uint32 id
string path string path
ATTRS attrs
where `id' is the request identifier and `path' specifies the directory where `id' is the request identifier, `path'and `attrs' specifies the
to be created. See Section ``File Names'' for more information on file modifications to be made to its attributes. See Section ``File Names''
names. An error will be returned if a file or directory with the speci- for more information on file names. Attributes are discussed in more
fied path already exists. The server will respond to this request with detail in Section ``File Attributes''. specifies the directory to be
a SSH_FXP_STATUS message. created. An error will be returned if a file or directory with the
specified path already exists. The server will respond to this request
with a SSH_FXP_STATUS message.
Directories can be removed using the SSH_FXP_RMDIR request, which has Directories can be removed using the SSH_FXP_RMDIR request, which has
the following format: the following format:
uint32 id uint32 id
string path string path
where `id' is the request identifier, and `path' specifies the directory where `id' is the request identifier, and `path' specifies the directory
to be removed. See Section ``File Names'' for more information on file to be removed. See Section ``File Names'' for more information on file
names. An error will be returned if no directory with the specified names. An error will be returned if no directory with the specified
path exists, or if the specified directory is not empty, or if the path path exists, or if the specified directory is not empty, or if the path
specified a file system object other than a directory. The server specified a file system object other than a directory. The server
responds to this request with a SSH_FXP_STATUS message. responds to this request with a SSH_FXP_STATUS message.
6.7. Scanning Directories 7.7. Scanning Directories
The files in a directory can be listed using the SSH_FXP_OPENDIR and The files in a directory can be listed using the SSH_FXP_OPENDIR and
SSH_FXP_READDIR requests. Each SSH_FXP_READDIR request returns one or SSH_FXP_READDIR requests. Each SSH_FXP_READDIR request returns one or
more file names with full file attributes for each file. The client more file names with full file attributes for each file. The client
should call SSH_FXP_READDIR repeatedly until it has found the file it is should call SSH_FXP_READDIR repeatedly until it has found the file it is
looking for or until the server responds with a SSH_FXP_STATUS message looking for or until the server responds with a SSH_FXP_STATUS message
indicating an error (normally SSH_FX_EOF if there are no more files in indicating an error (normally SSH_FX_EOF if there are no more files in
the directory). The client should then close the handle using the the directory). The client should then close the handle using the
SSH_FXP_CLOSE request. SSH_FXP_CLOSE request.
skipping to change at page 12, line 17 skipping to change at page 15, line 35
The server responds to this request with either a SSH_FXP_NAME or a The server responds to this request with either a SSH_FXP_NAME or a
SSH_FXP_STATUS message. One or more names may be returned at a time. SSH_FXP_STATUS message. One or more names may be returned at a time.
Full status information is returned for each name in order to speed up Full status information is returned for each name in order to speed up
typical directory listings. typical directory listings.
When the client no longer wishes to read more names from the directory, When the client no longer wishes to read more names from the directory,
it SHOULD call SSH_FXP_CLOSE for the handle. The handle should be it SHOULD call SSH_FXP_CLOSE for the handle. The handle should be
closed regardless of whether an error has occurred or not. closed regardless of whether an error has occurred or not.
6.8. Retrieving File Attributes 7.8. Retrieving File Attributes
Very often, file attributes are automatically returned by Very often, file attributes are automatically returned by
SSH_FXP_READDIR. However, sometimes there is need to specifically SSH_FXP_READDIR. However, sometimes there is need to specifically
retrieve the attributes for a named file. This can be done using the retrieve the attributes for a named file. This can be done using the
SSH_FXP_STAT, SSH_FXP_LSTAT and SSH_FXP_FSTAT requests. SSH_FXP_STAT, SSH_FXP_LSTAT and SSH_FXP_FSTAT requests.
SSH_FXP_STAT and SSH_FXP_LSTAT only differ in that SSH_FXP_STAT follows SSH_FXP_STAT and SSH_FXP_LSTAT only differ in that SSH_FXP_STAT follows
symbolic links on the server, whereas SSH_FXP_LSTAT does not follow symbolic links on the server, whereas SSH_FXP_LSTAT does not follow
symbolic links. Both have the same format: symbolic links. Both have the same format:
skipping to change at page 12, line 46 skipping to change at page 16, line 10
information for an open file (identified by the file handle). Its information for an open file (identified by the file handle). Its
format is as follows: format is as follows:
uint32 id uint32 id
string handle string handle
where `id' is the request identifier and `handle' is a file handle where `id' is the request identifier and `handle' is a file handle
returned by SSH_FXP_OPEN. The server responds to this request with returned by SSH_FXP_OPEN. The server responds to this request with
SSH_FXP_ATTRS or SSH_FXP_STATUS. SSH_FXP_ATTRS or SSH_FXP_STATUS.
6.9. Setting File Attributes 7.9. Setting File Attributes
File attributes may be modified using the SSH_FXP_SETSTAT and File attributes may be modified using the SSH_FXP_SETSTAT and
SSH_FXP_FSETSTAT requests. These requests are used for operations such SSH_FXP_FSETSTAT requests. These requests are used for operations such
as changing the ownership, permissions or access times, as well as for as changing the ownership, permissions or access times, as well as for
truncating a file. truncating a file.
The SSH_FXP_SETSTAT request is of the following format: The SSH_FXP_SETSTAT request is of the following format:
uint32 id uint32 id
string path string path
skipping to change at page 13, line 28 skipping to change at page 16, line 46
uint32 id uint32 id
string handle string handle
ATTRS attrs ATTRS attrs
where `id' is the request identifier, `handle' (MUST be returned by where `id' is the request identifier, `handle' (MUST be returned by
SSH_FXP_OPEN) identifies the file whose attributes are to be modified, SSH_FXP_OPEN) identifies the file whose attributes are to be modified,
and `attrs' specifies the modifications to be made to its attributes. and `attrs' specifies the modifications to be made to its attributes.
Attributes are discussed in more detail in Section ``File Attributes''. Attributes are discussed in more detail in Section ``File Attributes''.
The server will respond to this request with SSH_FXP_STATUS. The server will respond to this request with SSH_FXP_STATUS.
6.10. Canonicalizing the Server-Side Path Name 7.10. Dealing with Symbolic links
The SSH_FXP_REALPATH request can be used to have the server canonicalize The SSH_FXP_READLINK request may be used to read the target of a
any given path name to an absolute path. This is useful for converting symbolic link. It would have a data part as follows:
path names containing ".." components or relative pathnames without a
leading slash into absolute paths. The format of the request is as
follows:
uint32 id uint32 id
string path string path
where `id' is the request identifier and `path' specifies the path name where `id' is the request identifier and `path' specifies the path name
to be canonicalized. The server will respond with a SSH_FXP_NAME packet of the symlink to be read.
containing only one name and a dummy attributes value. The name is the
returned packet will be in canonical form. If an error occurs, the
server may also respond with SSH_FXP_STATUS.
7. Responses from the Server to the Client
The server responds to the client using one of a few response packets.
All requests can return a SSH_FXP_STATUS response upon failure. When
the operation is successful, any of the responses may be returned
(depending on the operation). If no data needs to be returned to the
client, the SSH_FXP_STATUS response with SSH_FX_OK status is
appropriate. Otherwise, the SSH_FXP_HANDLE message is used to return a
file handle (for SSH_FXP_OPEN and SSH_FXP_OPENDIR requests),
SSH_FXP_DATA is used to return data from SSH_FXP_READ, SSH_FXP_NAME is
used to return one or more file names from a SSH_FXP_READDIR or
SSH_FXP_REALPATH request, and SSH_FXP_ATTRS is used to return file
attributes from SSH_FXP_STAT, SSH_FXP_LSTAT, and SSH_FXP_FSTAT requests.
Exactly one response will be returned for each request. Each response
packet contains a request identifier which can be used to match each
response with the corresponding request. Note that it is legal to have
several requests outstanding simultaneously, and the server is allowed
to send responses to them in a different order from the order in which
the requests were sent (the result of their execution, however, is
guaranteed to be as if they had been processed one at a time in the
order in which the requests were sent).
Response packets are of the same general format as request packets.
Each response packet begins with the request identifier.
The format of the data portion of the SSH_FXP_STATUS response is as
follows:
uint32 id
uint32 error/status code
where `id' is the request identifier, and `error/status code' indicates
the result of the requested operation. The value SSH_FX_OK indicates
success, and all other values indicate failure. Currently, the follow-
ing values are defined (other values may be defined by future versions
of this protocol):
#define SSH_FX_OK 0
#define SSH_FX_EOF 1
#define SSH_FX_NO_SUCH_FILE 2
#define SSH_FX_PERMISSION_DENIED 3
#define SSH_FX_FAILURE 4
#define SSH_FX_BAD_MESSAGE 5
#define SSH_FX_NO_CONNECTION 6
#define SSH_FX_CONNECTION_LOST 7
#define SSH_FX_OP_UNSUPPORTED 8
SSH_FX_OK
Indicates successful completion of the operation.
SSH_FX_EOF
indicates end-of-file condition; for SSH_FX_READ it means that no
more data is available in the file, and for SSH_FX_READDIR it
indicates that no more files are contained in the directory.
SSH_FX_NO_SUCH_FILE
is returned when a reference is made to a file which should exist
but doesn't.
SSH_FX_PERMISSION_DENIED
is returned when the authenticated user does not have sufficient
permissions to perform the operation.
SSH_FX_FAILURE
is a generic catch-all error message; it should be returned if an
error occurs for which there is no more specific error code
defined.
SSH_FX_BAD_MESSAGE
may be returned if a badly formatted packet or protocol
incompatibility is detected.
SSH_FX_NO_CONNECTION
is a pseudo-error which indicates that the client has no
connection to the server (it can only be generated locally by the
client, and MUST NOT be returned by servers).
SSH_FX_CONNECTION_LOST
is a pseudo-error which indicates that the connection to the
server has been lost (it can only be generated locally by the
client, and MUST NOT be returned by servers).
SSH_FX_OP_UNSUPPORTED
indicates that an attempt was made to perform an operation which
is not supported for the server (it may be generated locally by
the client if e.g. the version number exchange indicates that a
required feature is not supported by the server, or it may be
returned by the server if the server does not implement an
operation).
The SSH_FXP_HANDLE response has the following format:
uint32 id
string handle
where `id' is the request identifier, and `handle' is an arbitrary
string that identifies an open file or directory on the server. The
handle is opaque to the client; the client MUST NOT attempt to interpret
or modify it in any way. The length of the handle string MUST NOT
exceed 256 data bytes.
The SSH_FXP_DATA response has the following format:
uint32 id
string data
where `id' is the request identifier, and `data' is an arbitrary byte The server will respond with a SSH_FXP_NAME packet containing only one
string containing the requested data. The data string may be at most name and a dummy attributes value. The name in the returned packet
the number of bytes requested in a SSH_FXP_READ request, but may also be contains the target of the link. If an error occurs, the server may
shorter if end of file is reached or if the read is from something other respond with SSH_FXP_STATUS.
than a regular file.
The SSH_FXP_NAME response has the following format: The SSH_FXP_SYMLINK request will create a symbolic link on the server.
It is of the following format
uint32 id uint32 id
uint32 count string linkpath
repeats count times: string targetpath
string filename
string longname
ATTRS attrs
where `id' is the request identifier, `count' is the number of names
returned in this response, and the remaining fields repeat `count' times
(so that all three fields are first included for the first file, then
for the second file, etc). In the repeated part, `filename' is a file
name being returned (for SSH_FXP_READDIR, it will be a relative name
within the directory, without any path components; for SSH_FXP_REALPATH
it will be an absolute path name), `longname' is an expanded format for
the file name, similar to what is returned by "ls -l" on Unix systems,
and `attrs' is the attributes of the file as described in Section ``File
Attributes''.
The format of the `longname' field is unspecified by this protocol. It
MUST be suitable for use in the output of a directory listing command
(in fact, the recommended operation for a directory listing command is
to simply display this data). However, clients SHOULD NOT attempt to
parse the longname field for file attributes; they SHOULD use the attrs
field instead.
The recommended format for the longname field is as follows:
-rwxr-xr-x 1 mjos staff 348911 Mar 25 14:29 t-filexfer where `id' is the request identifier, `linkpath' specifies the path name
1234567890 123 12345678 12345678 12345678 123456789012 of the symlink to be created and `targetpath' specifies the target of
the symlink. The server shall respond with a SSH_FXP_STATUS indicating
either success (SSH_FX_OK) or an error condition.
Here, the first line is sample output, and the second field indicates 7.11. Canonicalizing the Server-Side Path Name
widths of the various fields. Fields are separated by spaces. The
first field lists file permissions for user, group, and others; the sec-
ond field is link count; the third field is the name of the user who
owns the file; the fourth field is the name of the group that owns the
file; the fifth field is the size of the file in bytes; the sixth field
(which actually may contain spaces, but is fixed to 12 characters) is
the file modification time, and the seventh field is the file name.
Each file is specified to be a minimum of certain number of character
positions (indicated by the second line above), but may also be longer
if the data does not fit in the specified length.
The SSH_FXP_ATTRS response has the following format: The SSH_FXP_REALPATH request can be used to have the server canonicalize
any given path name to an absolute path. This is useful for converting
path names containing ".." components or relative pathnames without a
leading slash into absolute paths. The format of the request is as
follows:
uint32 id uint32 id
ATTRS attrs string path
where `id' is the request identifier, and `attrs' is the returned file where `id' is the request identifier and `path' specifies the path name
attributes as described in Section ``File Attributes''. to be canonicalized. The server will respond with a SSH_FXP_NAME packet
containing only one name and a dummy attributes value. The name is the
returned packet will be in canonical form. If an error occurs, the
server may also respond with SSH_FXP_STATUS.
8. Vendor-Specific Extensions 8. Vendor-Specific Extensions
The SSH_FXP_EXTENDED request provides a generic extension mechanism for The SSH_FXP_EXTENDED request provides a generic extension mechanism for
adding vendor-specific commands. The request has the following format: adding vendor-specific commands. The request has the following format:
uint32 id uint32 id
string extended-request string extended-request
... any request-specific data ... ... any request-specific data ...
skipping to change at page 17, line 35 skipping to change at page 18, line 26
This protocol assumes that it is run over a secure channel and that the This protocol assumes that it is run over a secure channel and that the
endpoints of the channel have been authenticated. Thus, this protocol endpoints of the channel have been authenticated. Thus, this protocol
assumes that it is externally protected from network-level attacks. assumes that it is externally protected from network-level attacks.
This protocol provides file system access to arbitrary files on the This protocol provides file system access to arbitrary files on the
server (only constrained by the server implementation). It is the server (only constrained by the server implementation). It is the
responsibility of the server implementation to enforce any access responsibility of the server implementation to enforce any access
controls that may be required to limit the access allowed for any controls that may be required to limit the access allowed for any
particular user (the user being authenticated externally to this particular user (the user being authenticated externally to this
protocol, typically using the SSH User Authentication Protocol [SSH- protocol, typically using the Secure Shell User Authentication Protocol
USERAUTH]. [SECSH-USERAUTH].
Care must be taken in the server implementation to check the validity of Care must be taken in the server implementation to check the validity of
received file handle strings. The server should not rely on them received file handle strings. The server should not rely on them
directly; it MUST check the validity of each handle before relying on directly; it MUST check the validity of each handle before relying on
it. it.
10. Trademark Issues 10. Changes from previous protocol versions
SSH is a registered trademark and Secure Shell is a trademark of SSH The Secure Shell File Transfer Protocol has changed over time, before
Communications Security Corp. SSH Communications Security Corp permits it's standardization. The following is a description of the
the use of these trademarks as the name of this standard and protocol, incompatible changes between different versions.
and permits their use to describe that a product conforms to this
standard, provided that the following acknowledgement is included where
the trademarks are used: ``SSH is a registered trademark and Secure
Shell is a trademark of SSH Communications Security Corp
(www.ssh.com)''. These trademarks may not be used as part of a product
name or in otherwise confusing manner without prior written permission
of SSH Communications Security Corp.
11. References 10.1. Changes between versions 3 and 2
o The SSH_FXP_READLINK and SSH_FXP_SYMLINK mesages were added.
o The SSH_FXP_EXTENDED and SSH_FXP_EXTENDED_REPLY messages were added.
o The SSH_FXP_STATUS message was changed to include fields `error
message' and `language tag'.
10.2. Changes between versions 2 and 1
o The SSH_FXP_RENAME message was added.
10.3. Changes between versions 1 and 0
o Implementation changes, no actual protocol changes.
11. Trademark Issues
"ssh" is a registered trademark of SSH Communications Security Corp in
the United States and/or other countries.
12. References
[RFC-2246] Dierks, T. and Allen, C.: "The TLS Protocol Version 1.0", [RFC-2246] Dierks, T. and Allen, C.: "The TLS Protocol Version 1.0",
January 1999 January 1999
[POSIX] ISO/IEC Std 9945-1, ANSI/IEEE Std 1003.1 Information technology [POSIX] ISO/IEC Std 9945-1, ANSI/IEEE Std 1003.1 Information technology
-- Portable Operating System Interface (POSIX)-Part 1: System -- Portable Operating System Interface (POSIX)-Part 1: System
Application Program Interface (API) [C Language], July 1996. Application Program Interface (API) [C Language], July 1996.
[SSH-ARCH] Ylonen, T., et al: "SSH Protocol Architecture", Internet- [SECSH-ARCH] Ylonen, T., et al: "Secure Shell Protocol Architecture",
Draft, draft-ietf-secsh-architecture-07.txt Internet-Draft, draft-ietf-secsh-architecture-08.txt
[SSH-TRANSPORT] Ylonen, T., et al: "SSH Transport Protocol", Internet- [SECSH-TRANSPORT] Ylonen, T., et al: "Secure Shell Transport Protocol",
Draft, draft-ietf-secsh-transport-09.txt Internet-Draft, draft-ietf-secsh-transport-10.txt
[SSH-USERAUTH] Ylonen, T., et al: "SSH Authentication Protocol", [SECSH-USERAUTH] Ylonen, T., et al: "Secure Shell Authentication
Internet-Draft, draft-ietf-secsh-userauth-09.txt Protocol", Internet-Draft, draft-ietf-secsh-userauth-10.txt
[SSH-CONNECT] Ylonen, T., et al: "SSH Connection Protocol", Internet- [SECSH-CONNECT] Ylonen, T., et al: "Secure Shell Connection Protocol",
Draft, draft-ietf-secsh-connect-09.txt Internet-Draft, draft-ietf-secsh-connect-10.txt
12. Authors' Addresses 13. Authors' Addresses
Tatu Ylonen Tatu Ylonen
SSH Communications Security Corp SSH Communications Security Corp
Fredrikinkatu 42 Fredrikinkatu 42
FIN-00100 HELSINKI FIN-00100 HELSINKI
Finland Finland
E-mail: ylo@ssh.com E-mail: ylo@ssh.com
Sami Lehtinen Sami Lehtinen
SSH Communications Security Corp SSH Communications Security Corp
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/