draft-ietf-secsh-userauth-08.txt   draft-ietf-secsh-userauth-09.txt 
Network Working Group T. Ylonen Network Working Group T. Ylonen
INTERNET-DRAFT T. Kivinen INTERNET-DRAFT T. Kivinen
draft-ietf-secsh-userauth-08.txt M. Saarinen draft-ietf-secsh-userauth-09.txt M. Saarinen
Expires in six months T. Rinne Expires: 9 July, 2001 T. Rinne
S. Lehtinen S. Lehtinen
SSH Communications Security SSH Communications Security
21 Nov, 2000 9 January, 2001
SSH Authentication Protocol SSH Authentication Protocol
Status of This memo Status of This Memo
This document is an Internet-Draft and is in full conformance This document is an Internet-Draft and is in full conformance
with all provisions of Section 10 of RFC2026. with all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
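Review bot: the absolute expiry on the right ("Expires: 9 July, 2001") agrees with the new issue date (9 January, 2001) plus the six-month lifetime the boilerplate below states, so the two header lines are consistent; the capitalisation change to "Status of This Memo" matches the standard Internet-Draft heading and needs no further edit.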
skipping to change at page 3, line 24 skipping to change at page 3, line 24
a client may perform in a single session (the RECOMMENDED limit is 20 a client may perform in a single session (the RECOMMENDED limit is 20
attempts). If the threshold is exceeded, the server SHOULD disconnect. attempts). If the threshold is exceeded, the server SHOULD disconnect.
2.1. Authentication Requests 2.1. Authentication Requests
All authentication requests MUST use the following message format. Only All authentication requests MUST use the following message format. Only
the first few fields are defined; the remaining fields depend on the the first few fields are defined; the remaining fields depend on the
authentication method. authentication method.
byte SSH_MSG_USERAUTH_REQUEST byte SSH_MSG_USERAUTH_REQUEST
string user name (in ISO-10646 UTF-8 encoding) string user name (in ISO-10646 UTF-8 encoding [RFC-2279])
string service name (in US-ASCII) string service name (in US-ASCII)
string method name (US-ASCII) string method name (US-ASCII)
The rest of the packet is method-specific. The rest of the packet is method-specific.
The user name and service are repeated in every new authentication The user name and service are repeated in every new authentication
attempt, and MAY change. The server implementation MUST carefully check attempt, and MAY change. The server implementation MUST carefully check
them in every message, and MUST flush any accumulated authentication them in every message, and MUST flush any accumulated authentication
states if they change. If it is unable to flush some authentication states if they change. If it is unable to flush some authentication
state, it MUST disconnect if the user or service name changes. state, it MUST disconnect if the user or service name changes.
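Review bot: now that [RFC-2279] is the normative encoding for the user name, the check the server "MUST carefully check ... in every message" should say how the comparison is done. Comparing as octet strings, and rejecting malformed or non-shortest-form UTF-8 rather than normalising it, avoids the case where two differently encoded names that normalise equal are treated as "unchanged" and the required flush of accumulated authentication state is skipped (or, the other way round, a benign re-encoding triggers a spurious disconnect). One sentence such as "Servers MUST compare the user name and service name as octet strings" would close this.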
skipping to change at page 5, line 30 skipping to change at page 5, line 30
example, normally display text from `/etc/issue', or use "tcp wrappers" example, normally display text from `/etc/issue', or use "tcp wrappers"
or similar software to display a banner before issuing a login prompt. or similar software to display a banner before issuing a login prompt.
The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time
before authentication is successful. This message contains text to be before authentication is successful. This message contains text to be
displayed to the client user before authentication is attempted. The displayed to the client user before authentication is attempted. The
format is as follows: format is as follows:
byte SSH_MSG_USERAUTH_BANNER byte SSH_MSG_USERAUTH_BANNER
string message (ISO-10646 UTF-8) string message (ISO-10646 UTF-8)
string language tag (as defined in RFC 1766) string language tag (as defined in [RFC-1766])
The client SHOULD by default display the message on the screen. The client SHOULD by default display the message on the screen.
However, since the message is likely to be sent for every login attempt, However, since the message is likely to be sent for every login attempt,
and since some client software will need to open a separate window for and since some client software will need to open a separate window for
this warning, the client software may allow the user to explicitly this warning, the client software may allow the user to explicitly
disable the display of banners from the server. The message may consist disable the display of banners from the server. The message may consist
of multiple lines. of multiple lines.
If the message string is displayed, control character filtering If the message string is displayed, control character filtering
discussed in [SSH-ARCH] SHOULD be used to avoid attacks by sending discussed in [SSH-ARCH] SHOULD be used to avoid attacks by sending
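Review bot: "The SSH server may send a SSH_MSG_USERAUTH_BANNER" and "the client software may allow the user to explicitly disable" use a lowercase "may" in a paragraph that otherwise uses RFC 2119 keywords in capitals (SHOULD); either capitalise both as MAY or reword so the requirement level is unambiguous. Since the banner is allowed "at any time before authentication is successful", it would also help to state explicitly that a client must accept SSH_MSG_USERAUTH_BANNER between sending an SSH_MSG_USERAUTH_REQUEST and receiving the success or failure reply, which is where a naive client state machine is most likely to reject it.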
skipping to change at page 8, line 30 skipping to change at page 8, line 30
no confidentiality is provided (none cipher), password authentication no confidentiality is provided (none cipher), password authentication
SHOULD be disabled. If there is no confidentiality or no MAC, password SHOULD be disabled. If there is no confidentiality or no MAC, password
change SHOULD be disabled. change SHOULD be disabled.
Normally, the server responds to this message with success or failure. Normally, the server responds to this message with success or failure.
However, the server MAY also respond with However, the server MAY also respond with
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ. SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.
byte SSH_MSG_USERAUTH_PASSWD_CHANGEREQ byte SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
string prompt (ISO-10646 UTF-8) string prompt (ISO-10646 UTF-8)
string language tag (as defined in RFC 1766) string language tag (as defined in [RFC-1766])
In this case, the software client SHOULD request a new password from the In this case, the software client SHOULD request a new password from the
user, and send a new request using the following message. The client user, and send a new request using the following message. The client
may also send this message instead of the normal password authentication may also send this message instead of the normal password authentication
request without the server asking for it. request without the server asking for it.
byte SSH_MSG_USERAUTH_REQUEST byte SSH_MSG_USERAUTH_REQUEST
string user name string user name
string service string service
string "password" string "password"
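Review bot: the two SHOULD conditions at the top of this hunk are asymmetric and the asymmetry is not explained: password authentication is to be disabled only when there is no confidentiality (none cipher), while password change is to be disabled when there is no confidentiality or no MAC. A sentence of rationale for why integrity protection matters specifically for the change request would keep implementers from collapsing the two conditions into one. Also, "The client may also send this message instead of the normal password authentication request" is a permission and should be MAY, as elsewhere in the section.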
skipping to change at page 11, line 20 skipping to change at page 11, line 20
Shell is a trademark of SSH Communications Security Corp Shell is a trademark of SSH Communications Security Corp
(www.ssh.com)''. These trademarks may not be used as part of a product (www.ssh.com)''. These trademarks may not be used as part of a product
name or in otherwise confusing manner without prior written permission name or in otherwise confusing manner without prior written permission
of SSH Communications Security Corp. of SSH Communications Security Corp.
9. References 9. References
[RFC-1766] Alvestrand, H: "Tags for the Identification of Languages", [RFC-1766] Alvestrand, H: "Tags for the Identification of Languages",
March 1995. March 1995.
[RFC-2044] Yergeau, F: "UTF-8, a Transformation Format of Unicode and [RFC-2279] Yergeau, F: "UTF-8, a transformation format of ISO 10646",
ISO 10646", October 1996. January 1998.
[SSH-ARCH] Ylonen, T., et al: "SSH Protocol Architecture", Internet [SSH-ARCH] Ylonen, T., et al: "SSH Protocol Architecture", Internet-
Draft, draft-secsh-architecture-05.txt Draft, draft-secsh-architecture-07.txt
[SSH-TRANS] Ylonen, T., et al: "SSH Transport Layer Protocol", Internet [SSH-TRANS] Ylonen, T., et al: "SSH Transport Layer Protocol", Internet-
Draft, draft-secsh-transport-07.txt Draft, draft-secsh-transport-09.txt
[SSH-CONNECT] Ylonen, T., et al: "SSH Connection Protocol", Internet [SSH-CONNECT] Ylonen, T., et al: "SSH Connection Protocol", Internet-
Draft, draft-secsh-connect-07.txt Draft, draft-secsh-connect-09.txt
10. Authors' Addresses 10. Authors' Addresses
Tatu Ylonen Tatu Ylonen
SSH Communications Security Corp SSH Communications Security Corp
Fredrikinkatu 42 Fredrikinkatu 42
FIN-00100 HELSINKI FIN-00100 HELSINKI
Finland Finland
E-mail: ylo@ssh.com E-mail: ylo@ssh.com
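Review bot: replacing [RFC-2044] with [RFC-2279] in the references is consistent with the new citation added in section 2.1 for the user name encoding, and RFC 2279 obsoletes RFC 2044, so the old tag should not survive anywhere else in the body; a search for "RFC-2044" before publication would confirm that. The bumped companion-draft numbers ([SSH-ARCH] architecture-07, [SSH-TRANS] transport-09, [SSH-CONNECT] connect-09) should likewise be checked against the drafts actually posted alongside this one, since the banner section relies on [SSH-ARCH] for the control character filtering it references.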
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/