draft-ietf-secsh-userauth-19.txt   draft-ietf-secsh-userauth-20.txt 
Network Working Group T. Ylonen Network Working Group T. Ylonen
Internet-Draft SSH Communications Security Corp Internet-Draft SSH Communications Security Corp
Expires: November 17, 2004 C. Lonvick, Ed. Expires: November 23, 2004 C. Lonvick, Ed.
Cisco Systems, Inc Cisco Systems, Inc
May 19, 2004 May 25, 2004
SSH Authentication Protocol SSH Authentication Protocol
draft-ietf-secsh-userauth-19.txt draft-ietf-secsh-userauth-20.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 1, line 33 skipping to change at page 1, line 33
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 17, 2004. This Internet-Draft will expire on November 23, 2004.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved. Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract Abstract
SSH is a protocol for secure remote login and other secure network SSH is a protocol for secure remote login and other secure network
services over an insecure network. This document describes the SSH services over an insecure network. This document describes the SSH
authentication protocol framework and public key, password, and authentication protocol framework and public key, password, and
skipping to change at page 2, line 14 skipping to change at page 2, line 14
Table of Contents Table of Contents
1. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Conventions Used in This Document . . . . . . . . . . . . . . 3 3. Conventions Used in This Document . . . . . . . . . . . . . . 3
3.1 The Authentication Protocol Framework . . . . . . . . . . 4 3.1 The Authentication Protocol Framework . . . . . . . . . . 4
3.1.1 Authentication Requests . . . . . . . . . . . . . . . 4 3.1.1 Authentication Requests . . . . . . . . . . . . . . . 4
3.1.2 Responses to Authentication Requests . . . . . . . . . 5 3.1.2 Responses to Authentication Requests . . . . . . . . . 5
3.1.3 The "none" Authentication Request . . . . . . . . . . 6 3.1.3 The "none" Authentication Request . . . . . . . . . . 6
3.1.4 Completion of User Authentication . . . . . . . . . . 6 3.1.4 Completion of User Authentication . . . . . . . . . . 7
3.1.5 Banner Message . . . . . . . . . . . . . . . . . . . . 7 3.1.5 Banner Message . . . . . . . . . . . . . . . . . . . . 7
3.2 Authentication Protocol Message Numbers . . . . . . . . . 7 3.2 Authentication Protocol Message Numbers . . . . . . . . . 7
3.3 Public Key Authentication Method: publickey . . . . . . . 8 3.3 Public Key Authentication Method: publickey . . . . . . . 8
3.4 Password Authentication Method: password . . . . . . . . . 10 3.4 Password Authentication Method: password . . . . . . . . . 10
3.5 Host-Based Authentication: hostbased . . . . . . . . . . . 11 3.5 Host-Based Authentication: hostbased . . . . . . . . . . . 11
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
5. Security Considerations . . . . . . . . . . . . . . . . . . . 13 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6.1 Normative . . . . . . . . . . . . . . . . . . . . . . . . . 13 6.1 Normative . . . . . . . . . . . . . . . . . . . . . . . . . 13
6.2 Informative . . . . . . . . . . . . . . . . . . . . . . . . 13 6.2 Informative . . . . . . . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14
Intellectual Property and Copyright Statements . . . . . . . . 15 Intellectual Property and Copyright Statements . . . . . . . . 15
1. Contributors 1. Contributors
The major original contributors of this document were: Tatu Ylonen, The major original contributors of this document were: Tatu Ylonen,
Tero Kivinen, Timo J. Rinne, Sami Lehtinen (all of SSH Tero Kivinen, Timo J. Rinne, Sami Lehtinen (all of SSH
Communications Security Corp), and Markku-Juhani O. Saarinen Communications Security Corp), and Markku-Juhani O. Saarinen
(University of Jyvaskyla). Darren Moffit was the original editor of (University of Jyvaskyla). Darren Moffit was the original editor of
this document and also made very substantial contributions. this document and also made very substantial contributions.
skipping to change at page 4, line 41 skipping to change at page 4, line 41
limit is 20 attempts). If the threshold is exceeded, the server limit is 20 attempts). If the threshold is exceeded, the server
SHOULD disconnect. SHOULD disconnect.
3.1.1 Authentication Requests 3.1.1 Authentication Requests
All authentication requests MUST use the following message format. All authentication requests MUST use the following message format.
Only the first few fields are defined; the remaining fields depend on Only the first few fields are defined; the remaining fields depend on
the authentication method. the authentication method.
byte SSH_MSG_USERAUTH_REQUEST byte SSH_MSG_USERAUTH_REQUEST
string user name (in ISO-10646 UTF-8 encoding [RFC2279]) string user name (in ISO-10646 UTF-8 encoding
[RFC2279]
)
string service name (in US-ASCII) string service name (in US-ASCII)
string method name (US-ASCII) string method name (US-ASCII)
The rest of the packet is method-specific. The rest of the packet is method-specific.
The user name and service are repeated in every new authentication The user name and service are repeated in every new authentication
attempt, and MAY change. The server implementation MUST carefully attempt, and MAY change. The server implementation MUST carefully
check them in every message, and MUST flush any accumulated check them in every message, and MUST flush any accumulated
authentication states if they change. If it is unable to flush some authentication states if they change. If it is unable to flush some
authentication state, it MUST disconnect if the user or service name authentication state, it MUST disconnect if the user or service name
changes. changes.
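Review bot: the -20 rendering on the right breaks the user-name field of SSH_MSG_USERAUTH_REQUEST across three lines, leaving `[RFC2279]` and the closing `)` on lines of their own, where -19 kept `string user name (in ISO-10646 UTF-8 encoding [RFC2279])` on one line. This looks like a line-wrap artifact of the citation rather than an intended change; the message layout should render one field per line so the format can be read as a packet diagram. The same wrapping recurs in the banner and password-change formats further down.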
skipping to change at page 7, line 24 skipping to change at page 7, line 29
or use "tcp wrappers" or similar software to display a banner before or use "tcp wrappers" or similar software to display a banner before
issuing a login prompt. issuing a login prompt.
The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time
before authentication is successful. This message contains text to before authentication is successful. This message contains text to
be displayed to the client user before authentication is attempted. be displayed to the client user before authentication is attempted.
The format is as follows: The format is as follows:
byte SSH_MSG_USERAUTH_BANNER byte SSH_MSG_USERAUTH_BANNER
string message (ISO-10646 UTF-8) string message (ISO-10646 UTF-8)
string language tag (as defined in [RFC3066]) string language tag (as defined in
[RFC3066]
)
The client SHOULD by default display the message on the screen. The client SHOULD by default display the message on the screen.
However, since the message is likely to be sent for every login However, since the message is likely to be sent for every login
attempt, and since some client software will need to open a separate attempt, and since some client software will need to open a separate
window for this warning, the client software may allow the user to window for this warning, the client software may allow the user to
explicitly disable the display of banners from the server. The explicitly disable the display of banners from the server. The
message may consist of multiple lines. message may consist of multiple lines.
If the message string is displayed, control character filtering If the message string is displayed, control character filtering
discussed in [SSH-ARCH] SHOULD be used to avoid attacks by sending discussed in [SSH-ARCH] SHOULD be used to avoid attacks by sending
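Review bot: the language-tag field of SSH_MSG_USERAUTH_BANNER has the same three-line wrap on the right (`string language tag (as defined in` / `[RFC3066]` / `)`) and should be collapsed back to one line. Separately, "The SSH server may send a SSH_MSG_USERAUTH_BANNER message" and "the client software may allow the user to explicitly disable" use lowercase "may" in a section that otherwise uses RFC 2119 keywords (SHOULD); if these are meant as normative permissions they should read MAY, otherwise rephrase so they are not mistaken for requirements language.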
skipping to change at page 10, line 46 skipping to change at page 11, line 4
confidentiality or no MAC, password change SHOULD be disabled. confidentiality or no MAC, password change SHOULD be disabled.
Normally, the server responds to this message with success or Normally, the server responds to this message with success or
failure. However, if the password has expired the server SHOULD failure. However, if the password has expired the server SHOULD
indicate this by responding with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ. indicate this by responding with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.
In anycase the server MUST NOT allow an expired password to be used In anycase the server MUST NOT allow an expired password to be used
for authentication. for authentication.
byte SSH_MSG_USERAUTH_PASSWD_CHANGEREQ byte SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
string prompt (ISO-10646 UTF-8) string prompt (ISO-10646 UTF-8)
string language tag (as defined in [RFC3066]) string language tag (as defined in
[RFC3066]
)
In this case, the client MAY continue with a different authentication In this case, the client MAY continue with a different authentication
method, or request a new password from the user and retry password method, or request a new password from the user and retry password
authentication using the following message. The client MAY also send authentication using the following message. The client MAY also send
this message instead of the normal password authentication request this message instead of the normal password authentication request
without the server asking for it. without the server asking for it.
byte SSH_MSG_USERAUTH_REQUEST byte SSH_MSG_USERAUTH_REQUEST
string user name string user name
string service string service
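Review bot: "In anycase the server MUST NOT allow an expired password" should read "In any case"; the typo is present in both columns, so -20 did not pick it up. The language-tag field of SSH_MSG_USERAUTH_PASSWD_CHANGEREQ shows the same three-line wrap as the earlier formats and should be one line.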
skipping to change at page 13, line 31 skipping to change at page 13, line 38
Full security considerations for this protocol are provided in Full security considerations for this protocol are provided in
Section 8 of [SSH-ARCH] Section 8 of [SSH-ARCH]
6. References 6. References
6.1 Normative 6.1 Normative
[SSH-ARCH] [SSH-ARCH]
Ylonen, T. and C. Lonvick, "SSH Protocol Architecture", Ylonen, T. and C. Lonvick, "SSH Protocol Architecture",
I-D draft-ietf-architecture-16.txt, May 2004. I-D draft-ietf-architecture-17.txt, May 2004.
[SSH-CONNECT] [SSH-CONNECT]
Ylonen, T. and C. Lonvick, "SSH Connection Protocol", I-D Ylonen, T. and C. Lonvick, "SSH Connection Protocol", I-D
draft-ietf-connect-19.txt, May 2004. draft-ietf-connect-20.txt, May 2004.
[SSH-TRANS] [SSH-TRANS]
Ylonen, T. and C. Lonvick, "SSH Transport Layer Protocol", Ylonen, T. and C. Lonvick, "SSH Transport Layer Protocol",
I-D draft-ietf-transport-18.txt, May 2004. I-D draft-ietf-transport-19.txt, May 2004.
[SSH-NUMBERS] [SSH-NUMBERS]
Ylonen, T. and C. Lonvick, "SSH Protocol Assigned Ylonen, T. and C. Lonvick, "SSH Protocol Assigned
Numbers", I-D draft-ietf-assignednumbers-06.txt, May 2004. Numbers", I-D draft-ietf-assignednumbers-07.txt, May 2004.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
6.2 Informative 6.2 Informative
[RFC3066] Alvestrand, H., "Tags for the Identification of
Languages", BCP 47, RFC 3066, January 2001.
[RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO
10646", RFC 2279, January 1998. 10646", RFC 2279, January 1998.
[RFC3066] Alvestrand, H., "Tags for the Identification of
Languages", BCP 47, RFC 3066, January 2001.
Authors' Addresses Authors' Addresses
Tatu Ylonen Tatu Ylonen
SSH Communications Security Corp SSH Communications Security Corp
Fredrikinkatu 42 Fredrikinkatu 42
HELSINKI FIN-00100 HELSINKI FIN-00100
Finland Finland
EMail: ylo@ssh.com EMail: ylo@ssh.com
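Review bot: the Security Considerations sentence "Full security considerations for this protocol are provided in Section 8 of [SSH-ARCH]" has no terminating period in either column. In the Normative references, the cited file names (draft-ietf-architecture-17.txt, draft-ietf-connect-20.txt, draft-ietf-transport-19.txt, draft-ietf-assignednumbers-07.txt) lack the working-group segment that this document's own name carries (draft-ietf-secsh-userauth-20.txt); confirm they match the actual draft file names before publication. Moving [RFC3066] below [RFC2279] in the Informative section puts the entries in numeric order, which is the right fix.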
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/