Extensions to Secure Shell Public Key Subsystem

Document Type: Replaced Internet-Draft (individual)
Status: Expired & archived
Authors: Mark Joseph, Jim Susoy
Last updated: 2013-05-31 (Latest revision 2013-05-16)
Replaced by: RFC 7076
RFC stream: Independent Submission
Intended RFC status: (None)
Stream ISE state: No Longer In Independent Submission Stream
Consensus boilerplate: Unknown
Document shepherd: (None)
IESG state: Replaced by draft-joseph-pkix-p6rsshextension
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


The Secure Shell Public Key Subsystem protocol defines a key distribution protocol for provisioning an SSH server with users' public keys. However, that protocol is limited to provisioning an SSH server. This document describes extensions to the protocol that allow keys and certificates to be provisioned to a server over the SSH transport. The defined protocol extensions allow the calling client to organize keys and certificates in different namespaces on a server. These namespaces can be used by the server to let a client configure any application running on the server (e.g., SSH, KMIP, SNMP). The defined extensions provide a server-independent mechanism for clients to add public keys, remove public keys, add certificates, remove certificates, and list the current set of keys and certificates known to the server by namespace (e.g., list all public keys in the SSH namespace). Rights to manage keys and certificates in a specific namespace are limited to the authorized user and are defined as part of the server's implementation. The described protocol is backward compatible with version 2 as defined by RFC 4819.


Mark Joseph
Jim Susoy

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)