The Secure Shell (SSH) Protocol Architecture
RFC 4251
Document | Type |
RFC - Proposed Standard
(January 2006; No errata)
Updated by RFC 8308
|
|
---|---|---|---|
Last updated | 2015-10-14 | ||
Stream | IETF | ||
Formats | plain text pdf html bibtex | ||
Stream | WG state | WG Document | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 4251 (Proposed Standard) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Russ Housley | ||
Send notices to | (None) |
Network Working Group T. Ylonen Request for Comments: 4251 SSH Communications Security Corp Category: Standards Track C. Lonvick, Ed. Cisco Systems, Inc. January 2006 The Secure Shell (SSH) Protocol Architecture Status of This Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2006). Abstract The Secure Shell (SSH) Protocol is a protocol for secure remote login and other secure network services over an insecure network. This document describes the architecture of the SSH protocol, as well as the notation and terminology used in SSH protocol documents. It also discusses the SSH algorithm naming system that allows local extensions. The SSH protocol consists of three major components: The Transport Layer Protocol provides server authentication, confidentiality, and integrity with perfect forward secrecy. The User Authentication Protocol authenticates the client to the server. The Connection Protocol multiplexes the encrypted tunnel into several logical channels. Details of these protocols are described in separate documents. Ylonen & Lonvick Standards Track [Page 1] RFC 4251 SSH Protocol Architecture January 2006 Table of Contents 1. Introduction ....................................................3 2. Contributors ....................................................3 3. Conventions Used in This Document ...............................4 4. Architecture ....................................................4 4.1. Host Keys ..................................................4 4.2. Extensibility ..............................................6 4.3. Policy Issues ..............................................6 4.4. Security Properties ........................................7 4.5. Localization and Character Set Support .....................7 5. Data Type Representations Used in the SSH Protocols .............8 6. Algorithm and Method Naming ....................................10 7. Message Numbers ................................................11 8. IANA Considerations ............................................12 9. Security Considerations ........................................13 9.1. Pseudo-Random Number Generation ...........................13 9.2. Control Character Filtering ...............................14 9.3. Transport .................................................14 9.3.1. Confidentiality ....................................14 9.3.2. Data Integrity .....................................16 9.3.3. Replay .............................................16 9.3.4. Man-in-the-middle ..................................17 9.3.5. Denial of Service ..................................19 9.3.6. Covert Channels ....................................20 9.3.7. Forward Secrecy ....................................20 9.3.8. Ordering of Key Exchange Methods ...................20 9.3.9. Traffic Analysis ...................................21 9.4. Authentication Protocol ...................................21 9.4.1. Weak Transport .....................................21 9.4.2. Debug Messages .....................................22 9.4.3. Local Security Policy ..............................22 9.4.4. Public Key Authentication ..........................23 9.4.5. Password Authentication ............................23 9.4.6. Host-Based Authentication ..........................23 9.5. Connection Protocol .......................................24 9.5.1. End Point Security .................................24 9.5.2. Proxy Forwarding ...................................24 9.5.3. X11 Forwarding .....................................24 10. References ....................................................26 10.1. Normative References .....................................26 10.2. Informative References ...................................26 Authors' Addresses ................................................29 Trademark Notice ..................................................29 Ylonen & Lonvick Standards Track [Page 2]Show full document text