The Secure Shell (SSH) Protocol Architecture
RFC 4251
|
| Document |
Type |
|
RFC - Proposed Standard
(January 2006; No errata)
|
|
Last updated |
|
2015-10-14
|
|
Stream |
|
IETF
|
|
Formats |
|
plain text
pdf
html
bibtex
|
| Stream |
WG state
|
|
WG Document
|
|
Document shepherd |
|
No shepherd assigned
|
| IESG |
IESG state |
|
RFC 4251 (Proposed Standard)
|
|
Consensus Boilerplate |
|
Unknown
|
|
Telechat date |
|
|
|
Responsible AD |
|
Russ Housley
|
|
Send notices to |
|
(None)
|
Network Working Group T. Ylonen
Request for Comments: 4251 SSH Communications Security Corp
Category: Standards Track C. Lonvick, Ed.
Cisco Systems, Inc.
January 2006
The Secure Shell (SSH) Protocol Architecture
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
The Secure Shell (SSH) Protocol is a protocol for secure remote login
and other secure network services over an insecure network. This
document describes the architecture of the SSH protocol, as well as
the notation and terminology used in SSH protocol documents. It also
discusses the SSH algorithm naming system that allows local
extensions. The SSH protocol consists of three major components: The
Transport Layer Protocol provides server authentication,
confidentiality, and integrity with perfect forward secrecy. The
User Authentication Protocol authenticates the client to the server.
The Connection Protocol multiplexes the encrypted tunnel into several
logical channels. Details of these protocols are described in
separate documents.
Ylonen & Lonvick Standards Track [Page 1]
RFC 4251 SSH Protocol Architecture January 2006
Table of Contents
1. Introduction ....................................................3
2. Contributors ....................................................3
3. Conventions Used in This Document ...............................4
4. Architecture ....................................................4
4.1. Host Keys ..................................................4
4.2. Extensibility ..............................................6
4.3. Policy Issues ..............................................6
4.4. Security Properties ........................................7
4.5. Localization and Character Set Support .....................7
5. Data Type Representations Used in the SSH Protocols .............8
6. Algorithm and Method Naming ....................................10
7. Message Numbers ................................................11
8. IANA Considerations ............................................12
9. Security Considerations ........................................13
9.1. Pseudo-Random Number Generation ...........................13
9.2. Control Character Filtering ...............................14
9.3. Transport .................................................14
9.3.1. Confidentiality ....................................14
9.3.2. Data Integrity .....................................16
9.3.3. Replay .............................................16
9.3.4. Man-in-the-middle ..................................17
9.3.5. Denial of Service ..................................19
9.3.6. Covert Channels ....................................20
9.3.7. Forward Secrecy ....................................20
9.3.8. Ordering of Key Exchange Methods ...................20
9.3.9. Traffic Analysis ...................................21
9.4. Authentication Protocol ...................................21
9.4.1. Weak Transport .....................................21
9.4.2. Debug Messages .....................................22
9.4.3. Local Security Policy ..............................22
9.4.4. Public Key Authentication ..........................23
9.4.5. Password Authentication ............................23
9.4.6. Host-Based Authentication ..........................23
9.5. Connection Protocol .......................................24
9.5.1. End Point Security .................................24
9.5.2. Proxy Forwarding ...................................24
9.5.3. X11 Forwarding .....................................24
10. References ....................................................26
10.1. Normative References .....................................26
10.2. Informative References ...................................26
Authors' Addresses ................................................29
Trademark Notice ..................................................29
Show full document text