draft-ietf-secsh-userauth-02.txt (left column)   draft-ietf-secsh-userauth-03.txt (right column)
Network Working Group T. Ylonen Network Working Group T. Ylonen
INTERNET-DRAFT T. Kivinen INTERNET-DRAFT T. Kivinen
draft-ietf-secsh-userauth-02.txt M. Saarinen draft-ietf-secsh-userauth-03.txt M. Saarinen
Expires in six months SSH Expires in six months SSH
14 October 1997 7 November 1997
SSH Authentication Protocol SSH Authentication Protocol
Status of This memo Status of This memo
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
skipping to change at page 1, line 30 skipping to change at page 1, line 30
material or to cite them other than as ``work in progress.'' material or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check To learn the current status of any Internet-Draft, please check
the ``1id-abstracts.txt'' listing contained in the Internet-Drafts the ``1id-abstracts.txt'' listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast),
or ftp.isi.edu (US West Coast). or ftp.isi.edu (US West Coast).
Abstract Abstract
SSH is a protocol for secure remote login and other secure network ser- SSH is a protocol for secure remote login and other secure network
vices over an insecure network. services over an insecure network.
This document describes the SSH authentication protocol framework and This document describes the SSH authentication protocol framework and
public key, password, and host-based client authentication methods. public key, password, and host-based client authentication methods.
Additional authentication methods are deferred to separate documents. Additional authentication methods are deferred to separate documents.
The SSH authentication protocol runs on top the SSH transport layer The SSH authentication protocol runs on top the SSH transport layer
protocol and provides a single authenticated tunnel for the SSH protocol and provides a single authenticated tunnel for the SSH
connection protocol. connection protocol.
Table of Contents Table of Contents
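Review bot: the Abstract's last paragraph still reads "runs on top the SSH transport layer protocol" in both the 02 and 03 columns; since this revision already rewraps the Abstract's first sentence, it should also insert the missing "of" ("runs on top of the SSH transport layer protocol").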
skipping to change at page 2, line 20 skipping to change at page 2, line 20
2.2. Responses to Authentication Requests . . . . . . . . . . . . 3 2.2. Responses to Authentication Requests . . . . . . . . . . . . 3
2.3. The none Authentication Request . . . . . . . . . . . . . . 4 2.3. The none Authentication Request . . . . . . . . . . . . . . 4
2.4. Completion of User Authentication . . . . . . . . . . . . . 5 2.4. Completion of User Authentication . . . . . . . . . . . . . 5
2.5. Banner Message . . . . . . . . . . . . . . . . . . . . . . . 5 2.5. Banner Message . . . . . . . . . . . . . . . . . . . . . . . 5
3. Authentication Protocol Message Numbers . . . . . . . . . . . . 5 3. Authentication Protocol Message Numbers . . . . . . . . . . . . 5
4. Public Key Authentication Method: publickey . . . . . . . . . . 6 4. Public Key Authentication Method: publickey . . . . . . . . . . 6
5. Password Authentication Method: password . . . . . . . . . . . . 7 5. Password Authentication Method: password . . . . . . . . . . . . 7
6. Host-Based Authentication: hostbased . . . . . . . . . . . . . . 9 6. Host-Based Authentication: hostbased . . . . . . . . . . . . . . 9
7. Security Considerations . . . . . . . . . . . . . . . . . . . . 10 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
9. Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 9. Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
The SSH authentication protocol is a general-purpose user authentication The SSH authentication protocol is a general-purpose user authentication
protocol. It is intended to be run over the SSH transport layer protocol. It is intended to be run over the SSH transport layer
protocol [SSH-TRANS]. This protocol assumes that the underlying protocol [SSH-TRANS]. This protocol assumes that the underlying
protocols provide integrity and confidentiality protection. protocols provide integrity and confidentiality protection.
This document should be read only after reading the SSH architecture This document should be read only after reading the SSH architecture
document [SSH-ARCH]. This document freely uses terminology and notation document [SSH-ARCH]. This document freely uses terminology and notation
skipping to change at page 10, line 22 skipping to change at page 10, line 22
7. Security Considerations 7. Security Considerations
The purpose of this protocol is to perform client user authentication. The purpose of this protocol is to perform client user authentication.
It assumed that this runs over a secure transport layer protocol, which It assumed that this runs over a secure transport layer protocol, which
has already authenticated the server machine, established an encrypted has already authenticated the server machine, established an encrypted
communications channel, and computed a unique session identifier for communications channel, and computed a unique session identifier for
this session. The transport layer provides forward secrecy for password this session. The transport layer provides forward secrecy for password
authentication and other methods that rely on secret data. authentication and other methods that rely on secret data.
The server may go into a "sleep" period after repeated unsuccesful
authentications to make key search harder.
If the transport layer does not provide encryption, authentication If the transport layer does not provide encryption, authentication
methods that rely on secret data SHOULD be disabled. If it does not methods that rely on secret data SHOULD be disabled. If it does not
provide MAC protection, requests to change authentication data (e.g. provide MAC protection, requests to change authentication data (e.g.
password change) SHOULD be disabled to avoid an attacker from modifying password change) SHOULD be disabled to avoid an attacker from modifying
the ciphertext without being noticed, rendering the new authentication the ciphertext without being noticed, rendering the new authentication
data unusable (denial of service). data unusable (denial of service).
Several authentication methods with different security characteristics Several authentication methods with different security characteristics
are allowed. It is up to the server's local policy to decide which are allowed. It is up to the server's local policy to decide which
methods (or combinations of methods) it is willing to accept for each methods (or combinations of methods) it is willing to accept for each
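Review bot: the new paragraph "The server may go into a "sleep" period after repeated unsuccesful authentications to make key search harder" names the wrong attack and leaves a denial-of-service trade-off unstated. Repeated failed authentication requests are an online guessing attack against the password (or hostbased) credentials, not a key search, so "password guessing" is the accurate term. A delay triggered by failed attempts can also be triggered deliberately by an attacker to lock out the legitimate user, which is the same denial-of-service concern this section already raises for password changes two paragraphs later; the text should say whether the delay is applied to the connection or to the account and name that trade-off, e.g. "The server MAY delay its response after repeated unsuccessful attempts on a connection to slow down password guessing; note that such delays can also be used by an attacker to deny service." Minor: "unsuccesful" should be "unsuccessful", and the unchanged context line "It assumed that this runs over" should read "It is assumed".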
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/