draft-ietf-secsh-userauth-14.txt   draft-ietf-secsh-userauth-15.txt 
Network Working Group T. Ylonen Network Working Group T. Ylonen
Internet-Draft T. Kivinen Internet-Draft T. Kivinen
Expires: August 1, 2002 SSH Communications Security Corp Expires: August 29, 2002 SSH Communications Security Corp
M. Saarinen M. Saarinen
University of Jyvaskyla University of Jyvaskyla
T. Rinne T. Rinne
S. Lehtinen S. Lehtinen
SSH Communications Security Corp SSH Communications Security Corp
January 31, 2002 February 28, 2002
SSH Authentication Protocol SSH Authentication Protocol
draft-ietf-secsh-userauth-14.txt draft-ietf-secsh-userauth-15.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 1, 2002. This Internet-Draft will expire on August 29, 2002.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract Abstract
SSH is a protocol for secure remote login and other secure network SSH is a protocol for secure remote login and other secure network
services over an insecure network. This document describes the SSH services over an insecure network. This document describes the SSH
authentication protocol framework and public key, password, and host- authentication protocol framework and public key, password, and host-
skipping to change at page 2, line 20 skipping to change at page 2, line 20
2.1 Authentication Requests . . . . . . . . . . . . . . . . . . . 4 2.1 Authentication Requests . . . . . . . . . . . . . . . . . . . 4
2.2 Responses to Authentication Requests . . . . . . . . . . . . . 4 2.2 Responses to Authentication Requests . . . . . . . . . . . . . 4
2.3 The "none" Authentication Request . . . . . . . . . . . . . . 6 2.3 The "none" Authentication Request . . . . . . . . . . . . . . 6
2.4 Completion of User Authentication . . . . . . . . . . . . . . 6 2.4 Completion of User Authentication . . . . . . . . . . . . . . 6
2.5 Banner Message . . . . . . . . . . . . . . . . . . . . . . . . 6 2.5 Banner Message . . . . . . . . . . . . . . . . . . . . . . . . 6
3. Authentication Protocol Message Numbers . . . . . . . . . . . 7 3. Authentication Protocol Message Numbers . . . . . . . . . . . 7
4. Public Key Authentication Method: publickey . . . . . . . . . 7 4. Public Key Authentication Method: publickey . . . . . . . . . 7
5. Password Authentication Method: password . . . . . . . . . . . 9 5. Password Authentication Method: password . . . . . . . . . . . 9
6. Host-Based Authentication: hostbased . . . . . . . . . . . . . 11 6. Host-Based Authentication: hostbased . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12
8. Trademark Issues . . . . . . . . . . . . . . . . . . . . . . . 12 8. Trademark Issues . . . . . . . . . . . . . . . . . . . . . . . 13
9. Additional Information . . . . . . . . . . . . . . . . . . . . 13 9. Additional Information . . . . . . . . . . . . . . . . . . . . 13
References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 13
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 15 Full Copyright Statement . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
The SSH authentication protocol is a general-purpose user The SSH authentication protocol is a general-purpose user
authentication protocol. It is intended to be run over the SSH authentication protocol. It is intended to be run over the SSH
transport layer protocol [SSH-TRANS]. This protocol assumes that the transport layer protocol [SSH-TRANS]. This protocol assumes that the
skipping to change at page 10, line 10 skipping to change at page 10, line 10
Note that even though the cleartext password is transmitted in the Note that even though the cleartext password is transmitted in the
packet, the entire packet is encrypted by the transport layer. Both packet, the entire packet is encrypted by the transport layer. Both
the server and the client should check whether the underlying the server and the client should check whether the underlying
transport layer provides confidentiality (i.e., if encryption is transport layer provides confidentiality (i.e., if encryption is
being used). If no confidentiality is provided (none cipher), being used). If no confidentiality is provided (none cipher),
password authentication SHOULD be disabled. If there is no password authentication SHOULD be disabled. If there is no
confidentiality or no MAC, password change SHOULD be disabled. confidentiality or no MAC, password change SHOULD be disabled.
Normally, the server responds to this message with success or Normally, the server responds to this message with success or
failure. However, the server MAY also respond with failure. However, if the password has expired the server SHOULD
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ. indicate this by responding with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.
In anycase the server MUST NOT allow an expired password to be used
for authentication.
byte SSH_MSG_USERAUTH_PASSWD_CHANGEREQ byte SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
string prompt (ISO-10646 UTF-8) string prompt (ISO-10646 UTF-8)
string language tag (as defined in [RFC1766]) string language tag (as defined in [RFC1766])
In this case, the software client SHOULD request a new password from In this case, the client MAY continue with a different authentication
the user, and send a new request using the following message. The method, or request a new password from the user and retry password
client may also send this message instead of the normal password authentication using the following message. The client MAY also send
authentication request without the server asking for it. this message instead of the normal password authentication request
without the server asking for it.
byte SSH_MSG_USERAUTH_REQUEST byte SSH_MSG_USERAUTH_REQUEST
string user name string user name
string service string service
string "password" string "password"
boolean TRUE boolean TRUE
string plaintext old password (ISO-10646 UTF-8) string plaintext old password (ISO-10646 UTF-8)
string plaintext new password (ISO-10646 UTF-8) string plaintext new password (ISO-10646 UTF-8)
The server must reply to request message with The server must reply to request message with
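Review bot: the new sentence "In anycase the server MUST NOT allow an expired password to be used for authentication" should read "In any case, the server MUST NOT ...", and the unchanged closing line "The server must reply to request message with" should use the RFC 2119 keyword and read "The server MUST reply to this request message with", since every other requirement in this section is written in capitalised keywords. On substance, the new SHOULD for SSH_MSG_USERAUTH_PASSWD_CHANGEREQ ought to say explicitly that the server sends it only after the supplied (expired) password has been verified; as written, a server that prompts for a change before checking the password turns the prompt into an oracle that tells anyone who can guess a user name that the account exists and its password has lapsed. The same holds for the unsolicited change request the client "MAY also send ... without the server asking for it": the text should require the server to check the old password before accepting the new one, and, per the paragraph above on the none cipher and missing MAC, to refuse the change request altogether on a transport without confidentiality or integrity protection.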
skipping to change at page 13, line 24 skipping to change at page 13, line 30
[RFC1766] Alvestrand, H., "Tags for the Identification of [RFC1766] Alvestrand, H., "Tags for the Identification of
Languages", RFC 1766, March 1995. Languages", RFC 1766, March 1995.
[RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO
10646", RFC 2279, January 1998. 10646", RFC 2279, January 1998.
[SSH-ARCH] Ylonen, T., "SSH Protocol Architecture", I-D draft- [SSH-ARCH] Ylonen, T., "SSH Protocol Architecture", I-D draft-
ietf-architecture-12.txt, July 2001. ietf-architecture-12.txt, July 2001.
[SSH-TRANS] Ylonen, T., "SSH Transport Layer Protocol", I-D [SSH-TRANS] Ylonen, T., "SSH Transport Layer Protocol", I-D
draft-ietf-transport-12.txt, July 2001. draft-ietf-transport-13.txt, July 2001.
[SSH-USERAUTH] Ylonen, T., "SSH Authentication Protocol", I-D draft- [SSH-USERAUTH] Ylonen, T., "SSH Authentication Protocol", I-D draft-
ietf-userauth-14.txt, July 2001. ietf-userauth-15.txt, July 2001.
[SSH-CONNECT] Ylonen, T., "SSH Connection Protocol", I-D draft- [SSH-CONNECT] Ylonen, T., "SSH Connection Protocol", I-D draft-
ietf-connect-15.txt, July 2001. ietf-connect-15.txt, July 2001.
Authors' Addresses Authors' Addresses
Tatu Ylonen Tatu Ylonen
SSH Communications Security Corp SSH Communications Security Corp
Fredrikinkatu 42 Fredrikinkatu 42
HELSINKI FIN-00100 HELSINKI FIN-00100
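Review bot: the bumped reference entries are still inconsistent with the rest of the draft. [SSH-USERAUTH] now points at -15 but keeps the date "July 2001", although this revision is dated February 28, 2002 on page 1; [SSH-TRANS] was bumped to -13 with its July 2001 date left in place as well. The file names also drop the "secsh" component: the title and page 1 header use draft-ietf-secsh-userauth-15.txt, while the reference reads "draft-ietf-userauth-15.txt" (likewise "draft-ietf-transport-13.txt", "draft-ietf-architecture-12.txt" and "draft-ietf-connect-15.txt"). Suggest "I-D draft-ietf-secsh-userauth-15.txt, February 2002" for the self-reference and the matching draft-ietf-secsh-* names and current dates for the other three.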
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/