Network Working Group J. Galbraith
Request for Comments: 4819 J. Van Dyke
Category: Standards Track VanDyke Software
J. Bright
Silicon Circus
March 2007
Secure Shell Public Key Subsystem
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
Secure Shell defines a user authentication mechanism that is based on
public keys, but does not define any mechanism for key distribution.
No common key management solution exists in current implementations.
This document describes a protocol that can be used to configure
public keys in an implementation-independent fashion, allowing client
software to take on the burden of this configuration.
The Public Key Subsystem provides a server-independent mechanism for
clients to add public keys, remove public keys, and list the current
public keys known by the server. Rights to manage public keys are
specific and limited to the authenticated user.
A public key may also be associated with various restrictions,
including a mandatory command or subsystem.
Galbraith, et al. Standards Track [Page 1]
RFC 4819 Secure Shell Public Key Subsystem March 2007
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Public Key Subsystem Overview . . . . . . . . . . . . . . . . 3
3.1. Opening the Public Key Subsystem . . . . . . . . . . . . . 4
3.2. Requests and Responses . . . . . . . . . . . . . . . . . . 5
3.3. The Status Message . . . . . . . . . . . . . . . . . . . . 5
3.3.1. Status Codes . . . . . . . . . . . . . . . . . . . . . 5
3.4. The Version Packet . . . . . . . . . . . . . . . . . . . . 6
4. Public Key Subsystem Operations . . . . . . . . . . . . . . . 7
4.1. Adding a Public Key . . . . . . . . . . . . . . . . . . . 7
4.2. Removing a Public Key . . . . . . . . . . . . . . . . . . 10
4.3. Listing Public Keys . . . . . . . . . . . . . . . . . . . 10
4.4. Listing Server Capabilities . . . . . . . . . . . . . . . 10
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
6.1. Registrations . . . . . . . . . . . . . . . . . . . . . . 12
6.2. Names . . . . . . . . . . . . . . . . . . . . . . . . . . 12
6.2.1. Conventions for Names . . . . . . . . . . . . . . . . 12
6.2.2. Future Assignments of Names . . . . . . . . . . . . . 13
6.3. Public Key Subsystem Request Names . . . . . . . . . . . . 13
6.4. Public Key Subsystem Response Names . . . . . . . . . . . 13
6.5. Public Key Subsystem Attribute Names . . . . . . . . . . . 13
6.6. Public Key Subsystem Status Codes . . . . . . . . . . . . 14
6.6.1. Conventions . . . . . . . . . . . . . . . . . . . . . 14
6.6.2. Initial Assignments . . . . . . . . . . . . . . . . . 14
6.6.3. Future Assignments . . . . . . . . . . . . . . . . . . 15
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
7.1. Normative References . . . . . . . . . . . . . . . . . . . 15
7.2. Informative References . . . . . . . . . . . . . . . . . . 15
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
Galbraith, et al. Standards Track [Page 2]
RFC 4819 Secure Shell Public Key Subsystem March 2007
1. Introduction
Secure Shell (SSH) is a protocol for secure remote login and other
secure network services over an insecure network. Secure Shell
defines a user authentication mechanism that is based on public keys,
but does not define any mechanism for key distribution. Common
practice is to authenticate once with password authentication and
transfer the public key to the server. However, to date no two
implementations use the same mechanism to configure a public key for
use.
This document describes a subsystem that can be used to configure
datatracker.ietf.org