Extended authentication information in Secure Shell (SSH)

Document Type Active Internet-Draft (individual)
Last updated 2018-03-18
Internet-Draft                                                  D. Bider
Intended status: Standards Track                         Bitvise Limited
Expires: September 18, 2018                               March 18, 2018

       Extended authentication information in Secure Shell (SSH)


  This memo defines a way for SSH server applications to send additional
  information to clients as part of authentication failure. A mechanism
  to relay such information can reduce the need for end user support in
  situations where a client would successfully authenticate, but cannot
  log in for a policy reason, such as password age or public key size.


  This Internet-Draft is submitted in full conformance with the
  provisions of BCP 78 and BCP 79.

  Internet-Drafts are working documents of the Internet Engineering Task
  Force (IETF), its areas, and its working groups.  Note that other
  groups may also distribute working documents as Internet-Drafts.

  Internet-Drafts are draft documents valid for a maximum of six months
  and may be updated, replaced, or obsoleted by other documents at any
  time. It is inappropriate to use Internet-Drafts as reference material
  or to cite them other than as "work in progress."

  The list of current Internet-Drafts can be accessed at

  The list of Internet-Draft Shadow Directories can be accessed at


  Copyright (c) 2018 IETF Trust and the persons identified as the
  document authors.  All rights reserved.

  This document is subject to BCP 78 and the IETF Trust's Legal
  Provisions Relating to IETF Documents
  (http://trustee.ietf.org/license-info) in effect on the date of
  publication of this document.  Please review these documents
  carefully, as they describe your rights and restrictions with respect
  to this document.  Code Components extracted from this document must
  include Simplified BSD License text as described in Section 4.e of
  the Trust Legal Provisions and are provided without warranty as
  described in the Simplified BSD License.

Bider                                                           [Page 1]
Internet-Draft   Extended authentication information in SSH   March 2018

1.  Overview and Rationale

  Secure Shell (SSH) is a common protocol for secure communication on
  the Internet. In [RFC4252], SSH defines a standard failure message,
  SSH_MSG_USERAUTH_FAILURE, for use with "password", "publickey", and
  other authentication methods.

  The SSH_MSG_USERAUTH_FAILURE message was designed under the assumption
  that the server never needs to inform the client about exact reasons
  behind an authentication failure. In practice, there are situations
  where revealing such information is beneficial, and is not a risk. In
  these situations, not revealing the cause of failure deprives client
  software and end users of information needed to appropriately respond.

  This memo describes a mechanism which leverages [SSH-EXT-INFO] for
  client software to signal that it is willing to receive extra
  information as part of the SSH_MSG_USERAUTH_FAILURE message. A format
  for the additional information is described, as well as definitions
  for a number of common status codes.

1.1.  Requirements Terminology

  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
  document are to be interpreted as described in [RFC2119].

2.  Indicating Support

  Extended information cannot be sent to clients that do not indicate
  support: widely used clients disconnect on unexpected data. Therefore,
  SSH clients and servers that support this extension SHALL implement
  [SSH-EXT-INFO]. When sending SSH_MSG_EXT_INFO to a server that signals
  support for that message, a client MAY include this extension:

    string extension-name  = "ext-auth-info"
    string extension-value = (empty)

  The client MUST send an empty extension value. A server that does not
  expect an extension value MUST ignore it, regardless of the value.
  Future specifications MAY define new meanings for this value.


3.  Extended Format of SSH_MSG_USERAUTH_FAILURE

  When sending SSH_MSG_USERAUTH_FAILURE to a client that signals support
  for this mechanism as per Section 2, the server MAY send the message
  in original format, as specified in [RFC4252]:

      byte          SSH_MSG_USERAUTH_FAILURE
      name-list     authentications that can continue
      boolean       partial success
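  As an added example (not code from this draft or from Bitvise), the
  following Python encodes and parses the client's SSH_MSG_EXT_INFO
  advertisement from Section 2 and the original-format
  SSH_MSG_USERAUTH_FAILURE shown above, using the RFC 4251 data types.
  The message numbers 7 (RFC 8308) and 51 (RFC 4252) and the sample
  method names are assumptions not stated on this page; the server side
  ignores the extension value, as Section 2 requires.

```python
import struct

SSH_MSG_EXT_INFO = 7            # RFC 8308 message number (assumed, not on this page)
SSH_MSG_USERAUTH_FAILURE = 51   # RFC 4252 message number (assumed, not on this page)

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Decode one 'string' at off; reject a length that runs past the buffer."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_ext_info(extensions) -> bytes:
    """Client side: SSH_MSG_EXT_INFO carrying (name, value) extension pairs."""
    msg = bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions:
        msg += ssh_string(name) + ssh_string(value)
    return msg

def parse_ext_info(msg: bytes) -> dict:
    """Server side: map advertised extension name -> raw value."""
    if not msg or msg[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO message")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, exts = 5, {}
    for _ in range(count):
        name, off = read_string(msg, off)
        value, off = read_string(msg, off)
        exts[name] = value
    return exts

def client_supports_ext_auth_info(exts: dict) -> bool:
    """Section 2: presence is what counts; the value MUST be ignored whatever it holds."""
    return b"ext-auth-info" in exts

def build_userauth_failure(methods, partial: bool) -> bytes:
    """Original RFC 4252 format: byte, name-list, boolean, nothing more."""
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + ssh_string(b",".join(methods)) + bytes([1 if partial else 0]))

def parse_userauth_failure(msg: bytes):
    """(methods, partial, trailing); trailing is any data after the original fields."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not an SSH_MSG_USERAUTH_FAILURE message")
    namelist, off = read_string(msg, 1)
    return [m for m in namelist.split(b",") if m], msg[off] != 0, msg[off + 1:]
```

  A client that never advertised "ext-auth-info" must only ever see an
  empty trailing part, since the server cannot send extended data to it.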

  If the server decides additional information is safe to send, the
  server MAY extend the format of SSH_MSG_USERAUTH_FAILURE as follows: